BUG: Application May Not Receive Events from NotifyChangeEventLog() Function (245609)



The information in this article applies to:

  • Microsoft Platform Software Development Kit (SDK) 1.0, when used with:
    • the operating system: Microsoft Windows NT 4.0

This article was previously published under Q245609

SYMPTOMS

The event handle passed to the NotifyChangeEventLog function may not be signaled when expected in the application waiting to be notified when changes occur to an event log. The event handle may be signaled at a later time when another change occurs.

CAUSE

The event logging service is responsible for signaling the event handle passed to it by the NotifyChangeEventLog function. The problem occurs when the event logging service is busy handling client requests to post event records to other (System or Security) event logs.

RESOLUTION

An application can work around the problem by polling the event log to learn whether a change has occurred, rather than by using the NotifyChangeEventLog function. The GetNumberOfEventLogRecords function returns the current number of event log records in the specified event log.

STATUS

Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article. This bug was corrected in Windows 2000.

MORE INFORMATION

Typically, the event log does not receive a large number of events within a short period of time. The event log is not a general tracing utility, and should receive event records only when a critical activity has occurred, such as a service failing to start.

The NotifyChangeEventLog function is designed so that an application can monitor changes that occur to an event log without periodically polling the event logging service. For example, an application may be designed to forward only events it is interested in by waiting on an event handle. Once signaled, it can read the new records added to the log and post the relevant event information in a log in a remote system.

Unfortunately, the event logging service does not always signal an application when an event log change occurs. Because of this, an application that relies on this function instead of polling the event log will not work correctly.

The problem may occur if the event logging service is processing event log records to be posted to one of the other event logs. For example, consider the case where an application is waiting for a change to the System log. If the Application log or Security log receives too many events while one event is added to the System log, then the event logging service may fail to signal the event handle for changes in the System log. Then, at a later time, the event handle in the application may be signaled when yet another event log record is posted to the System log.

Because of this problem, it is suggested that you use the GetNumberOfEventLogRecords function to periodically determine if any new records have been added to a log, rather than use the NotifyChangeEventLog function on Windows NT 4.0. Do not call GetNumberOfEventLogRecords very frequently, such as once per 50 milliseconds, or even once per second. The function uses Remote Procedure Call (RPC) to communicate with the event logging service to obtain the number of records in the event log. A better interval to poll the event log in this way is either once a minute or once every five minutes.
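The polling workaround described above, as an added example (not code from the original article). It pairs GetNumberOfEventLogRecords with GetOldestEventLogRecord, a Win32 function the article does not mention, so that a forwarder still notices new records after a full log starts overwriting old ones. The names records_to_read and new_range are hypothetical, and reading the records themselves (ReadEventLog) is left to the caller.

```c
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Record numbers still to be forwarded; count == 0 means nothing new. */
typedef struct { uint32_t first, count; } new_range;

/* oldest/count come from one poll; last_seen is the highest record number
   already forwarded (0 = none yet). Comparing counts alone would miss new
   records once a full log overwrites old ones and the count stops growing. */
new_range records_to_read(uint32_t oldest, uint32_t count, uint32_t last_seen)
{
    new_range r = {0, 0};
    if (count == 0) return r;                    /* empty log */
    uint32_t newest = oldest + count - 1;
    if (newest == last_seen) return r;           /* nothing new */
    uint32_t first = last_seen + 1;
    /* Assumption: a newest number below last_seen means the log was cleared
       and numbering restarted; first < oldest means unread records were
       overwritten. Either way, resume at the oldest surviving record. */
    if (last_seen > newest || first < oldest) first = oldest;
    r.first = first;
    r.count = newest - first + 1;
    return r;
}

int main(void)
{
#ifdef _WIN32
    HANDLE log = OpenEventLogA(NULL, "System");
    DWORD oldest = 0, count = 0, last_seen = 0;
    if (!log) return 1;
    for (;;) {
        if (GetOldestEventLogRecord(log, &oldest) &&
            GetNumberOfEventLogRecords(log, &count)) {
            new_range r = records_to_read(oldest, count, last_seen);
            if (r.count) {  /* ReadEventLog from r.first would run here */
                last_seen = r.first + r.count - 1;
                printf("new: #%u..#%u\n", (unsigned)r.first, (unsigned)last_seen);
            }
        }
        Sleep(60 * 1000);  /* once a minute, as the article advises */
    }
#else
    /* Constructed sample: a full log of 5 records has wrapped by one. */
    new_range r = records_to_read(3, 5, 6);
    printf("new: #%u count %u\n", (unsigned)r.first, (unsigned)r.count);
    return 0;
#endif
}
```

A forwarder that resumes at the oldest surviving record after a gap should also log that records were lost, since that gap is itself an event worth reporting.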

REFERENCES

For more information about the event logging functions, see the Platform SDK documentation; Base Services; Debugging and Error Handling; Event Logging.

Modification Type: Minor
Last Reviewed: 7/11/2005
Keywords: kbAPI kbbug kbEventLog kbfix kbKernBase KB245609