How to log a crimson event to the custom log (for parental controls)

  • Article

Now that you have setup a custom event using WMI, you can log to it.  Remember that you need to be elevated to register a custom event, but you do not need to be elevated to log to the channel.  The Windows Parental Controls channel is write only for limited users and only readable when logged in as an admin.

Here is the C++ code to log a custom event.

#include <wpcevents.h>

#include <winevt.h>

#ifndef ARRAYSIZE

#define ARRAYSIZE(x)  (sizeof(x)/sizeof(x[0]))

#endif

inline ULONG GetStringByteLength(__in PCWSTR pcsz)
{
    if (!pcsz)
    {
        return 0;
    }
    return (ULONG)((wcslen(pcsz)+1)*sizeof(WCHAR));
}

HRESULT LogCustomEvent(
   &nbspLPCWSTR pszPublisher,

   &nbspLPCWSTR pszApp,

   &nbspLPCWSTR pszAppVersion,

   &nbspLPCWSTR pszEvent,

   &nbspLPCWSTR pszColumn1,

   &nbspLPCWSTR pszColumn2,

   &nbspLPCWSTR pszColumn3,

   &nbspDWORD dwBLocked,

   &nbspLPCWSTR pszReason
)
{
   &nbspHRESULT hr = E_INVALIDARG;

    if (pszPublisher != NULL &&

        pszApp != NULL &&

        pszAppVersion != NULL &&

        pszEvent != NULL &&

        pszColumn1 != NULL &&

        pszCOlumn2 != NULL &&

        pszColumn3 != NULL)
    {
       &nbspREGHANDLE hProvider;

        // Register us with the crimson system, so we can log to it.

       &nbspULONG res = EventRegister(&WPCPROV, NULL, NULL, &hProvider);

        if (res == ERROR_SUCCESS)
        {
         // Array to handle all the data descriptors.

         EVENT_DATA_DESCRIPTOR eventData[WPC_ARGS_CUSTOMEVENT_CARGS];

         EventDataDescCreate(&eventData[WPC_ARGS_CUSTOMEVENT_PUBLISHER], (const PVOID)pszPublisher, GetStringByteLength(pszPublisher));
         EventDataDescCreate(&eventData[WPC_ARGS_CUSTOMEVENT_APPNAME], (const PVOID)pszApp, GetStringByteLength(pszApp));
         EventDataDescCreate(&eventData[WPC_ARGS_CUSTOMEVENT_APPVERSION], (const PVOID)pszAppVersion, GetStringByteLength(pszAppVersion));
         EventDataDescCreate(&eventData[WPC_ARGS_CUSTOMEVENT_EVENT], (const PVOID)pszEvent, GetStringByteLength(pszEvent));
         EventDataDescCreate(&eventData[WPC_ARGS_CUSTOMEVENT_VALUE1], (const PVOID)pszColumn1, GetStringByteLength(pszColumn1));
         EventDataDescCreate(&eventData[WPC_ARGS_CUSTOMEVENT_VALUE2], (const PVOID)pszColumn2, GetStringByteLength(pszColumn2));
         EventDataDescCreate(&eventData[WPC_ARGS_CUSTOMEVENT_VALUE3], (const PVOID)pszColumn3, GetStringByteLength(pszColumn3));
         EventDataDescCreate(&eventData[WPC_ARGS_CUSTOMEVENT_BLOCKED], (const PVOID)&dwBlocked, sizeof(dwBlocked));
         EventDataDescCreate(&eventData[WPC_ARGS_CUSTOMEVENT_REASON], (const PVOID)pszReason, GetStringByteLength(pszReason));
         res = EventWrite(hProvider, &WPCEVENT_CUSTOMEVENT, ARRAYSIZE(eventData), eventData);
         if (res == ERROR_SUCCESS)
         {
             hr = S_OK;
         }
         else
         {
             hr = HRESULT_FROM_WIN32(GetLastError());
         }
         EventUnregister(hProvider);
        }
        else
        {
         hr = HRESULT_FROM_WIN32(GetLastError());
        }
    }
    return hr;
}

Now that you have logged your event, you should be able to see it in the activity viewer of the windows parental controls controls panel.  You can also see it by looking at the Event Viewer in the control panel.  You want to look at the channel called Microsoft-Windows-ParentalControls/Operational. The event will be logged with an id of 13.