вот примерно мой код
stek.clear();

Memo1->Clear();
Memo2->Clear();
if( OpenDialog1->Execute())
{ Form1->Caption=OpenDialog1->FileName;
HANDLE h;

EVENTLOGRECORD *pevlr;
BYTE bBuffer[BUFFER_SIZE];
//char lpMsgBuf1[BUFFER_SIZE];
// LPVOID lpMsgBuf1[BUFFER_SIZE];

DWORD dwRead, dwNeeded, cRecords, dwThisRecord;
char LogName[15]; //els.dll");// SYSTEM32\\

// Application->MessageBoxA("2","ерор");


TDateTime t1,t2,t3;
t1=StrToDateTime("01.01.1970 00:00:00");
double con=3600*24;

strcpy(LogName, (OpenDialog1->FileName). c_str());
try{
h=OpenBackupEventLog(NULL,LogName);
}
catch ( ... )
{
}


if (h == NULL)
{
Application->MessageBoxA("Неудачное подключение файла *.evt","ерор");

}
else
{
pevlr = (EVENTLOGRECORD *) &bBuffer;
GetOldestEventLogRecord(h, &dwThisRecord);
int i=0;
while (
ReadEventLog(h, // event log handle
EVENTLOG_FORWARDS_READ | // reads forward
EVENTLOG_SEQUENTIAL_READ, // sequential read
0, // ignored for sequential reads
pevlr, // pointer to buffer
BUFFER_SIZE, // size of buffer
&dwRead, // number of bytes read
&dwNeeded)) // bytes in next record
{

while (dwRead > 0)
{ i++;
t2=double(pevlr->TimeWritten)/con;
t3=t1+t2;

_Data D;
LPCTSTR lpSourceName;
wchar_t *sourceName=L"MsiInstaller";
D.DT=t3;
// PChar(FCurrentRecord) + PEventLogRecord(FCurrentRecord)^.StringOffset;
D.str=(LPSTR) ((LPBYTE) pevlr + sizeof(EVENTLOGRECORD));
D.type_error=pevlr->EventType;
D.EvID=pevlr->EventID;// & 0xFFFF;
D.str_messag="не найдено";


{

va_list *Arguments;
CHAR lpMsgBuf1[BUFFER_SIZE];
CHAR* Args;

// /*зона повышенного риска

AnsiString aaaa=dll_point(0,D.str);
//Application->MessageBoxA(aaaa.c_str(),"");
HANDLE ghResDll=LoadLibrary(aaaa.c_str());//"C:\\windows\\System32\\netevent.dll");
if(!ghResDll)
{ AnsiString ss="Неудачное подключение файла dll"+aaaa+"\n "+D.str ;
//Application->MessageBoxA(ss.c_str(),"ерор");
}
else
{
FormatMessage(
FORMAT_MESSAGE_FROM_HMODULE
|FORMAT_MESSAGE_FROM_SYSTEM
// |FORMAT_MESSAGE_ALLOCATE_BUFFER
|FORMAT_MESSAGE_ARGUMENT_ARRAY,

/*
FORMAT_MESSAGE_FROM_HMODULE
| FORMAT_MESSAGE_FROM_SYSTEM
| FORMAT_MESSAGE_ARGUMENT_ARRAY
,*/
(LPCVOID)ghResDll,
pevlr->EventID,
MAKELANGID(LANG_RUSSIAN,SUBLANG_ENGLISH_US ),
(LPTSTR) &lpMsgBuf1,
sizeof(lpMsgBuf1),
NULL);
D.str_messag= (LPTSTR) lpMsgBuf1;

}


FreeLibrary(ghResDll);

}
stek.push_back(D);

dwRead -= pevlr->Length;
pevlr = (EVENTLOGRECORD *)((LPBYTE) pevlr + pevlr->Length);
}
Label5->Caption="Колличество событий:"+IntToStr(i) ;
pevlr = (EVENTLOGRECORD *) &bBuffer;

}

CloseEventLog(h);


}
}



а это я цепляю dll

AnsiString dll_point(bool flag,AnsiString name_res)

{ TRegistry *reg = new(TRegistry);
AnsiString str_;
try
{

reg->RootKey = HKEY_LOCAL_MACHINE;

str_="System\\CurrentControlSet\\Services\\EventLog\\System\\" + name_res;
char wd[15];
GetWindowsDirectory(wd,15);


reg->OpenKey(str_.c_str(),false);//)

AnsiString str1=wd;


str_=reg->ReadString("EventMessageFile") ;
int kk=str_.Pos(";");
if(str_.Pos(";")!=0)
str_=str_.SubString(0,str_.Pos(";")-1);

str_=wd+str_.SubString(13,str_.Length()-12);
//Application->MessageBoxA(str_.c_str(),"");


}
catch ( ... )
{
Application->MessageBoxA("","");
}
reg->Free();
// delete reg;
return str_;

}