program Project1;

{$APPTYPE CONSOLE}

uses
  SysUtils,
  Windows;

const
  BUFFER_SIZE = 1024*128;
// Defines for the READ flags for Eventlogging
  EVENTLOG_SEQUENTIAL_READ = $0001;
  EVENTLOG_SEEK_READ = $0002;
  EVENTLOG_FORWARDS_READ = $0004;
  EVENTLOG_BACKWARDS_READ = $0008;

// The types of events that can be logged.
  EVENTLOG_SUCCESS = $0000;
  EVENTLOG_ERROR_TYPE = $0001;
  EVENTLOG_WARNING_TYPE = $0002;
  EVENTLOG_INFORMATION_TYPE = $0004;
  EVENTLOG_AUDIT_SUCCESS = $0008;
  EVENTLOG_AUDIT_FAILURE = $0010;

// Defines for the WRITE flags used by Auditing for paired events
// These are not implemented in Product 1
  EVENTLOG_START_PAIRED_EVENT = $0001;
  EVENTLOG_END_PAIRED_EVENT = $0002;
  EVENTLOG_END_ALL_PAIRED_EVENTS = $0004;
  EVENTLOG_PAIRED_EVENT_ACTIVE = $0008;
  EVENTLOG_PAIRED_EVENT_INACTIVE = $0010;

  servicekey = 'SYSTEM\CurrentControlSet\Services\Eventlog';

type
//
// Structure that defines the header of the Eventlog record. This is the
// fixed-sized portion before all the variable-length strings, binary
// data and pad bytes.
//
// TimeGenerated is the time it was generated at the client.
// TimeWritten is the time it was put into the log at the server end.
//
  PEVENTLOGRECORD = ^EVENTLOGRECORD;
  EVENTLOGRECORD = packed record
    Length,
      Reserved,
      RecordNumber,
      TimeGenerated,
      TimeWritten,
      EventID: DWORD;
      EventType,
      NumStrings,
      EventCategory,
      ReservedFlags: Word;
      ClosingRecordNumber,
      StringOffset,
      UserSidLength,
      UserSidOffset,
      DataLength,
      DataOffset: DWORD;
  end;
var
  idx: Integer;
  hReg: HKEY;
  readed, needed, oldrec, numrecs, bufsize, err, pos: DWORD;
  ft: FILETIME;
  buffer: array[0..BUFFER_SIZE-1] of char;
  log: THandle;
  elr: EVENTLOGRECORD;
  pelr: PEVENTLOGRECORD;
  begin
  idx := 0;
  err := 128;
  log := OpenEventLog(nil, 'system');
  repeat
  if ReadEventLog(log, EVENTLOG_SEQUENTIAL_READ or EVENTLOG_FORWARDS_READ, err, @buffer, BUFFER_SIZE, readed, needed) then
  begin
   pos   := 0;
   repeat
    move  (buffer[pos], elr, sizeof(EVENTLOGRecord));
    if (elr.EventType <> 255) then
    begin
     write ('Error        = ' );
     case elr.EventType of
      EVENTLOG_ERROR_TYPE: writeln('Error');
      EVENTLOG_WARNING_TYPE: writeln('Warning');
      EVENTLOG_INFORMATION_TYPE: writeln('Information');
      EVENTLOG_AUDIT_SUCCESS: writeln('AUDIT Success');
      EVENTLOG_AUDIT_FAILURE: writeln('AUDIT Failure');
     else
      writeln('Unknow');
     end;
     writeln('Length       = ',elr.Length);
     writeln('EventID      = ',elr.EventID);
     writeln('String Offset = ',elr.StringOffset);
     writeln('Data Offset  = ',elr.DataOffset);
     writeln('Data Length  = ',elr.DataLength);
     writeln('NumStrings   = ',elr.NumStrings);
     if (elr.NumStrings > 0) then
     begin
      write('String [');
      for idx := elr.StringOffset to elr.DataOffset-1 do
       write(buffer[pos+idx]);
      writeln(']');
     end;

     if (elr.DataLength > 0) then
     begin
      write('Data [');
      for idx := 0 to elr.DataLength-1 do
       write(inttohex(byte(buffer[pos+(elr.DataOffset+idx)]), 2),' ');
      writeln(']');
     end;
    end;
//    writeln('Next Entry = ',pos+elr.Length,' (',readed,')');
    inc(pos, elr.Length);
   until (pos >= readed);
   end else begin
    err := GetLastError;
    if (err <> 38) then writeln(SysErrorMessage(err),' (',err,')');
   break;
  end;
  until false;
  CloseEventlog(log);

  readln;
end.

createprocesswithlogonW