typedef struct _EVENTLOGRECORD {
  DWORD Length;
  DWORD Reserved;
  DWORD RecordNumber;
  DWORD TimeGenerated;
  DWORD TimeWritten;
  DWORD EventID;
  WORD EventType;
  WORD NumStrings;
  WORD EventCategory;
  WORD ReservedFlags;
  DWORD ClosingRecordNumber;
  DWORD StringOffset;
  DWORD UserSidLength;
  DWORD UserSidOffset;
  DWORD DataLength;
  DWORD DataOffset;
}EVENTLOGRECORD, *PEVENTLOGRECORD;

  PEventLogRecord = ^TEventLogRecord;
  TEventLogRecord = packed record
    length : DWORD;
    reserved : DWORD;
    recordNumber : DWORD;
    timeGenerated : DWORD;
    timeWritten : DWORD;
    eventID : DWORD;
    eventType : Word;
    numString : Word;
    eventCategory : Word;
    reservedFlag : Word;
    closingRecordNumber : DWORD;
    stringOffset : DWORD;
    userSidLength : DWORD;
    userSidOffset : DWORD;
    dataLength : DWORD;
    dataOffset : DWORD;
  end;

procedure TThreadMonEventLog.execute;
const
  EVENTLOG_SEQUENTIAL_READ = 1;
  EVENTLOG_SEEK_READ = 2;
  EVENTLOG_FORWARDS_READ = 4;
  EVENTLOG_BACKWARDS_READ = 8;
var
  hEventLog: THandle;
  lastRecNo: DWORD;
  event: TEventLogrecord;
  pEvent : PEventLogRecord;
  byteCount: Cardinal;
  minByteCount: Cardinal;
  i: Byte;
  errorCode: Boolean;
begin
  for i:=0 to high(eventLogList) do
    begin
      hEventLog:=openEventLog(nil,pchar(eventLogList[i].name));
      if hEventLog > 0 then
        begin
          getNumberOfEventLogRecords(hEventLog,lastRecNo);
          WriteLn(eventLogList[i].name);
          WriteLn(lastRecNo);
          if lastRecNo > 0 then
            begin
              if not readEventLog(hEventLog,EVENTLOG_SEQUENTIAL_READ or
                                            EVENTLOG_BACKWARDS_READ,lastRecNo,@event,0,byteCount,minByteCount) then
                if GetLastError = ERROR_INSUFFICIENT_BUFFER then
                  begin
                    GetMem(pEvent,minByteCount);
                    if readEventLog(hEventLog,EVENTLOG_SEQUENTIAL_READ or
                                              EVENTLOG_BACKWARDS_READ,0,pEvent,minByteCount,byteCount,minByteCount) then
                      begin
                        WriteLn(pEvent^.eventID);
                        WriteLn(pEvent^.eventType);
                      end
                    else
                      WriteLn(GetLastError);
                    FreeMem(pEvent);
                  end;
            end;
          closeEventLog(hEventLog);
        end
      else
        closeEventLog(hEventLog);
    end;
end;

 eventLogList : Array of TEventLog;

function TThreadMonEventLog.getNumEventLogs:Byte;
const
  HKEY_LOCAL_MACHINE = $80000002;
var
  reg : TRegistry;
  i : Byte;
  nameList : TStringList;
begin
  result:=0;
  reg := TRegistry.Create;
  nameList := TStringList.Create;
  reg.RootKey:=HKEY_LOCAL_MACHINE;
  if reg.OpenKeyReadOnly('SYSTEM\CurrentControlSet\Services\EventLog') then
    begin
      reg.GetKeyNames(nameList);
      result:=nameList.count;
      setLength(eventLogList,result);
      for i:=0 to nameList.count -1 do
        begin
          eventLogList[i].name := nameList[i];
        end;
      nameList.Free;
    end;
  reg.CloseKey;
  reg.Free;
end;

pEvent^.eventID:=pEvent^.eventID and $0000FFFF;