You are currently offline, waiting for your internet to reconnect

BUG: ReadEventLog Fails with Error 87

This article was previously published under Q177199
The ReadEventLog() Win32 API function might fail and GetLastError() returns87 (ERROR_INVALID_PARAMETERS) while having all valid parameters passed toReadEventLog().
The Event Logging Service fails to process the read operation when anapplication uses the ReadEventLog() function with the EVENTLOG_SEEK_READflag to read large event log file.
The calling application should not use the EVENTLOG_SEEK_READ flag withReadEventLog if the size of the event log file is not determined. Instead,use the EVENTLOG_SEQUENTIAL_READ flag and use repeated calls toReadEventLog to implement code to scan to the record of interest.
Microsoft has confirmed this to be a bug in the Microsoft products listedat the beginning of this article. We are researching this bug and will postnew information here in the Microsoft Knowledge Base as it becomesavailable.
This problem is only encountered when the .EVT file is 2MB in size orlarger. The event log file is found in the %SystemRoot%\system32\configdirectory. For example, the .EVT file for the Application log isAppEvent.evt.

If the log file has been configured not to exceed 2MB - 64K, an applicationcan expect the EVENTLOG_SEEK_READ flag to work properly without anyproblem. To configure the log file size, use Event Viewer and select theLog Settings menu item from the Log Menu.

If the log file is 2MB or larger, the seek method of reading the event logwill fail to read the earlier records in the file. For example, expectReadEventLog to fail when reading records with the dwRecordOffset parameterset to 1 or 2 or maybe 11 or 12, depending on how full the log file is.ReadEventLog may continue to succeed and work properly for seeking to laterrecords, for example dwRecordOffset set to 100 or 200.

The problem with ReadEventLog using the EVENTLOG_SEEK_READ flag is relatedto the file size and not the number of records.
For more information about ReadEventLog see:

Platform SDK: Windows Base Services; Debugging and Error Handling; EventLogging; Event Logging Reference

Article ID: 177199 - Last Review: 11/21/2006 15:43:00 - Revision: 2.1

  • Microsoft Win32 Application Programming Interface
  • kbbug kbapi kbeventlog kbkernbase kbpending KB177199