How do I read from an arbitrary evtx file using Sy

Published 2019-09-18 20:28

Question:

How can I use EventLog to read from an arbitrary evtx file?

EventLogQuery is able to open evtx files, but it is not available in .NET 2.0.

Answer 1:

Let's assume the log file is LogA.evtx.

Copy LogA.evtx to C:\Windows\System32\winevt\Logs.

Add a new registry key to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog

called LogA. E.g. in PowerShell:

Set-Location HKLM:

New-Item .\SYSTEM\CurrentControlSet\services\eventlog -Name LogA

Open Event Viewer to verify that LogA shows up under Applications and Services Logs.

You can now open LogA using EventLog:

using System;
using System.Diagnostics;

namespace EventLogTest
{
    class Program
    {
        static void Main(string[] args)
        {
            var log = new EventLog("LogA");

            Console.WriteLine(log.Entries.Count);
        }
    }
}

You can delete LogA via PowerShell:

[System.Diagnostics.EventLog]::Delete("LogA")
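The whole procedure from the answer above (copy the file, register the key, read with System.Diagnostics.EventLog, clean up) as one script. This is an added example, not the answerer's code; the source path and the log name are assumptions, and it needs an elevated session because it writes under HKLM and System32.

```powershell
# Added example (not from the original answer): register a copy of an evtx file
# as a named log, read it through System.Diagnostics.EventLog, then remove it again.
# Requires an elevated PowerShell session (writes under HKLM and System32).
param(
    [string]$SourceEvtx = 'C:\evidence\LogA.evtx',   # assumed path of the file to inspect
    [string]$LogName    = 'LogA'                      # assumed name for the registered log
)

$logsDir = Join-Path $env:SystemRoot 'System32\winevt\Logs'
$target  = Join-Path $logsDir "$LogName.evtx"
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName"

# Refuse to clobber a log that is already registered under this name.
if ([System.Diagnostics.EventLog]::Exists($LogName)) {
    throw "A log named '$LogName' already exists; choose another name."
}

# Always work from a copy: once registered, the EventLog service treats the file
# as a live log, so the original evidence file must never be the one registered.
Copy-Item -LiteralPath $SourceEvtx -Destination $target -ErrorAction Stop
New-Item -Path $regPath -Force | Out-Null

$log = $null
try {
    $log = New-Object System.Diagnostics.EventLog($LogName)
    Write-Host ("{0} entries in {1}" -f $log.Entries.Count, $LogName)

    # Quick triage of an unfamiliar log: which source/event id pairs dominate it?
    $log.Entries |
        Group-Object Source, InstanceId |
        Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name |
        Format-Table -AutoSize

    # The most recent entries with level, time, source and message text.
    $log.Entries |
        Sort-Object TimeGenerated -Descending |
        Select-Object -First 5 TimeGenerated, EntryType, Source, InstanceId, Message |
        Format-List
}
finally {
    if ($log) { $log.Dispose() }
    # Delete removes the registry key and the copied file; the source file is untouched.
    [System.Diagnostics.EventLog]::Delete($LogName)
}
```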