I am using the Windows API to get recent events from the Windows Event Viewer. Everything is working great so far but I am confused as to how I determine the StringOffset
field. I iterated through and created an array of the strings that exist in that buffer but there is no context associated with each string.
Having a look at the Windows Event Viewer, I see in raw XML that there is a field name that you don't get in the API (at least none that I am aware of).
<EventData>
    <Data Name="ProcessID">4</Data>
    <Data Name="Application">System</Data>
    <Data Name="Direction">%%14592</Data>
    <Data Name="SourceAddress">192.168.22.232</Data>
    <Data Name="SourcePort">137</Data>
    <Data Name="DestAddress">192.168.22.255</Data>
    <Data Name="DestPort">137</Data>
    <Data Name="Protocol">17</Data>
    <Data Name="FilterRTID">71247</Data>
    <Data Name="LayerName">%%14610</Data>
    <Data Name="LayerRTID">44</Data>
    <Data Name="RemoteUserID">S-1-0-0</Data>
    <Data Name="RemoteMachineID">S-1-0-0</Data>
</EventData>
The documentation begins here:
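Added example (not code from the question or from the Windows SDK): it constructs a sample EVENTLOGRECORD buffer, walks the NumStrings wide strings starting at StringOffset, and pairs them positionally with the Data names from the XML above. The record itself carries no names; that the names must be supplied from the provider's template in the same order as the XML is an assumption of this example, and the sample source, computer and event ID values are constructed placeholders.

```python
import struct

# Fixed part of EVENTLOGRECORD (56 bytes, little-endian): Length, Reserved,
# RecordNumber, TimeGenerated, TimeWritten, EventID, EventType, NumStrings,
# EventCategory, ReservedFlags, ClosingRecordNumber, StringOffset,
# UserSidLength, UserSidOffset, DataLength, DataOffset.
_HDR = struct.Struct("<IIIIIIHHHHIIIIII")

# Names of the Data elements from the XML view, in template order. They are not
# stored in the record; assumed here to match the insertion-string order.
SAMPLE_PARAM_NAMES = [
    "ProcessID", "Application", "Direction", "SourceAddress", "SourcePort",
    "DestAddress", "DestPort", "Protocol", "FilterRTID", "LayerName",
    "LayerRTID", "RemoteUserID", "RemoteMachineID",
]

def _wstr(s):
    return s.encode("utf-16-le") + b"\x00\x00"

def build_record(source, computer, strings, event_id=0):
    """Construct a minimal EVENTLOGRECORD (sample data; no SID, no binary data)."""
    body = _wstr(source) + _wstr(computer)          # SourceName, Computername
    string_offset = _HDR.size + len(body)
    body += b"".join(_wstr(s) for s in strings)     # NumStrings insertion strings
    data_offset = _HDR.size + len(body)
    length = data_offset + 4                        # trailing copy of Length
    hdr = _HDR.pack(length, 0x654C664C, 1, 0, 0, event_id, 4, len(strings),
                    0, 0, 0, string_offset, 0, string_offset, 0, data_offset)
    return hdr + body + struct.pack("<I", length)

def _read_wstr(buf, pos):
    """Read one NUL-terminated UTF-16LE string; scan by code unit, not by byte."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def insertion_strings(buf):
    """Return the record's insertion strings in order; the API gives no names."""
    fields = _HDR.unpack_from(buf, 0)
    num_strings, pos = fields[7], fields[11]        # NumStrings, StringOffset
    out = []
    for _ in range(num_strings):
        s, pos = _read_wstr(buf, pos)
        out.append(s)
    return out

def named_event_data(buf, names):
    """Pair positional strings with template names; refuse silent misalignment."""
    values = insertion_strings(buf)
    if len(values) != len(names):
        raise ValueError(f"template lists {len(names)} params, record has {len(values)}")
    # %%14592-style values stay literal here; they are only resolved from the
    # provider's parameter message file when the message is formatted.
    return dict(zip(names, values))
```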