The following example retrieves the name of the user for an event. The function parameters are a pointer to the EVENTLOGRECORD structure, a pointer to a buffer to receive the user name, and a pointer to the size of the allocated buffer. If the function succeeds, it returns TRUE; otherwise, it returns FALSE. To get extended error information, call GetLastError.
BOOL
GetEventUserName(EVENTLOGRECORD *pelr, LPSTR pszUser, LPDWORD pcbUser)
{
PSID lpSid;
char szName[256];
char szDomain[256];
SID_NAME_USE snu;
DWORD dwLen;
DWORD cbName = 256;
DWORD cbDomain = 256;
// Point to the SID.
lpSid = (PSID)((LPBYTE) pelr + pelr->UserSidOffset);
if (LookupAccountSid(NULL, lpSid, szName, &cbName, szDomain,
&cbDomain, &snu))
{
// Determine whether the buffer is large enough.
dwLen = lstrlen(lpszUser) + 1;
if (dwLen > *lpcbUser)
{
SetLastError( ERROR_INSUFFICIENT_BUFFER );
*lpcbUser = dwLen;
return FALSE;
}
// Return the user's name.
lstrcpy( lpszUser, szName );
}
else
{
// Use the error status from LookupAccountSid.
return FALSE;
}
SetLastError(0);
return TRUE;
}