EvtArchiveExportedLog fails with ERROR_DIRECTORY

Question

I need to export some events from Windows Event Log to XML on Windows Server 2008 R2. To achieve it I export these events to a file using EvtExportLog and then try to use EvtArchiveExportedLog to get localized descriptions for events. Here's the sample:

EvtExportLog( 0, 0, query, logFileName, EvtExportLogChannelPath );
EvtArchiveExportedLog( 0, logFileName, 0, 0 );

EvtExportLog function succeeds and creates .evtx file but EvtArchiveExportedLog constantly fails with ERROR_DIRECTORY error code. I have no idea what the reason of such behaviour is.

score 3 · Accepted Answer · answered Feb 24 '11 at 21:21

3

It seems that I've found the reason. EvtArchiveExportedLog makes an RPC call to svchost.exe which hosts eventlog service. This service tries to create a file in "%windir%\ServiceProfiles\LocalService\AppData\Local\Temp" folder, fails with ERROR_ACCESS_DENIED code and returns ERROR_DIRECTORY to RPC client. So far as RPC server impersonates client, the solution is to grant access privileges to the calling thread.

answered Feb 24 '11 at 21:21

Michael

53,859
22
133
139

**Warning:** These temp files, with patterns pub*.tmp, msg*.tmp, and evt*.tmp are created and will not be deleted by the call to `EvtArchiveExportedLog`. [Japanese Reference](https://support.microsoft.com/ja-jp/help/2780916) indicates the path is actually %systemroot%\ServiceProfiles\LocalService\AppData\Local\Temp [For most folks C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp] – Steven Bone May 30 '18 at 14:29

EvtArchiveExportedLog fails with ERROR_DIRECTORY

1 Answers1

Linked