Microsoft KB Archive/177199

BUG: ReadEventLog Fails with Error 87

Q177199


The information in this article applies to:


 * Microsoft Win32 Application Programming Interface (API), used with:
 * the operating system: Microsoft Windows NT, versions 3.5, 3.51, 4.0


SYMPTOMS
The ReadEventLog Win32 API function might fail, with GetLastError returning 87 (ERROR_INVALID_PARAMETER), even though all parameters passed to ReadEventLog are valid.

CAUSE
The Event Logging Service fails to process the read operation when an application uses the ReadEventLog function with the EVENTLOG_SEEK_READ flag to read a large event log file.

RESOLUTION
The calling application should not use the EVENTLOG_SEEK_READ flag with ReadEventLog if the size of the event log file is not determined. Instead, use the EVENTLOG_SEQUENTIAL_READ flag and call ReadEventLog repeatedly to scan forward to the record of interest.
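One way to implement the sequential scan described above, as an added example that is not part of the original article. The names find_record and read_record_by_scan, the 64 KB buffer and the parameter names are assumptions made for illustration; the record layout is that of EVENTLOGRECORD.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed part of EVENTLOGRECORD: Length at byte 0, RecordNumber at byte 8. */
#define REC_FIXED 56u

/* Walk one buffer filled by a sequential read and return the byte offset
   of record number `want`, or -1 if it is absent or a record is malformed. */
long find_record(const uint8_t *buf, size_t used, uint32_t want)
{
    size_t off = 0;
    while (used - off >= REC_FIXED) {
        uint32_t len, num;
        memcpy(&len, buf + off, sizeof len);
        memcpy(&num, buf + off + 8, sizeof num);
        if (len < REC_FIXED || len > used - off)
            return -1;              /* never step past the bytes read */
        if (num == want) return (long)off;
        off += len;                 /* records are variable length */
    }
    return -1;
}

#ifdef _WIN32
#include <windows.h>                /* link with advapi32.lib */
/* Hypothetical helper: copy record `want` of `log` into out; 1 on success. */
int read_record_by_scan(const char *log, DWORD want, BYTE *out, DWORD outsz)
{
    static BYTE buf[0x10000];
    DWORD got = 0, need = 0, len;
    int found = 0;
    HANDLE h = OpenEventLogA(NULL, log);
    if (h == NULL) return 0;
    /* dwRecordOffset is ignored for sequential reads, so pass 0. */
    while (!found && ReadEventLogA(h, EVENTLOG_SEQUENTIAL_READ |
               EVENTLOG_FORWARDS_READ, 0, buf, sizeof buf, &got, &need)) {
        long off = find_record(buf, got, want);
        if (off < 0) continue;      /* not in this batch, read the next */
        memcpy(&len, buf + off, sizeof len);
        if (len > outsz) break;     /* caller's buffer is too small */
        memcpy(out, buf + off, len);
        found = 1;
    }
    CloseEventLog(h);
    return found;
}
#endif
```

The loop ends when ReadEventLog fails, which includes ERROR_HANDLE_EOF at the end of the log, so a record number that is not present returns 0 after one full pass.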

STATUS
Microsoft has confirmed this to be a bug in the Microsoft products listed at the beginning of this article. We are researching this bug and will post new information here in the Microsoft Knowledge Base as it becomes available.

MORE INFORMATION
This problem is only encountered when the .EVT file is 2MB in size or larger. The event log file is found in the %SystemRoot%\system32\config directory. For example, the .EVT file for the Application log is AppEvent.evt.

If the log file has been configured not to exceed 2MB - 64K, an application can expect the EVENTLOG_SEEK_READ flag to work properly. To configure the log file size, use Event Viewer and select the Log Settings menu item from the Log menu.

If the log file is 2MB or larger, the seek method of reading the event log will fail to read the earlier records in the file. For example, expect ReadEventLog to fail when reading records with the dwRecordOffset parameter set to 1 or 2 or maybe 11 or 12, depending on how full the log file is. ReadEventLog may continue to succeed and work properly for seeking to later records, for example dwRecordOffset set to 100 or 200.

The problem with ReadEventLog using the EVENTLOG_SEEK_READ flag is related to the file size and not the number of records.