Reading Windows Event Payload Including Complex Data

zomer86

New Member
In my previous question here I posted the XML I am trying to serialize. Here is another XML example:

[code]
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="XXXXXXXXXX" Guid="{YYYYYYYY}" />
    <EventID>XYZ</EventID>
    <Version>0</Version>
    <Level>L</Level>
    <Task>A</Task>
    <Opcode>0</Opcode>
    <Keywords>0x000xyzh</Keywords>
    <TimeCreated SystemTime="2012-06-28T15:44:04.997837000Z" />
    <EventRecordID>153</EventRecordID>
    <Correlation ActivityID="{DDDDDDDDD}" />
    <Execution ProcessID="199999" ThreadID="90990" />
    <Channel>Microsoft-Windows-ABCDEFG/Admin</Channel>
    <Computer>myPC</Computer>
    <Security UserID="ABCABC" />
  </System>
  <EventData>
    <Data Name="name1">data1</Data>
    <Data Name="name2">data2</Data>
    <Data Name="name3">data3</Data>
    <ComplexData Name="XYZXYZ">0C004300310022002D004400460053005400450053002200310003004E0053003200230041002D00570041002D00320045004400000047006C002900620061006C0048006900670068005000720069006F007200240074006600120044006100730087000000000000000000000000000000</ComplexData>
  </EventData>
  <RenderingInfo Culture="en-US">
    <Message>some message </Message>
    <Level>Information</Level>
    <Task>XYZ</Task>
    <Opcode>Info</Opcode>
    <Channel />
    <Provider />
    <Keywords>
      <Keyword>XYZ</Keyword>
    </Keywords>
  </RenderingInfo>
</Event>
[/code]

One difference is that it has ComplexData, which is a struct that defines an array of integer values (lengths of the following strings, etc.) and unicode strings. I figured out a way to decode that string byte by byte, but I need a cleaner way to do that. If EventRecord.ToXml() is not the best way to get the event payload including complex data / structs / arrays, then what is the best way to get that?

There are a lot of Windows Event related classes on MSDN and I do not know which one to use.

Thanks

EDIT: Here is a sample of what I know about ComplexData:

[code]
<data inType="win:UInt16" name="XYZLength" />
<data inType="win:UnicodeString" length="XYZLength" name="XYZ" />
[/code]

Which means that the first two bytes (lower endian format) are the length of the following unicode string, and so on. And for the ones that have no length, I need to find the null termination, which is 16 bits of zeros (2 bytes of zeros).
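The decoding rule the edit above describes (a UInt16 length followed by that many UTF-16 code units, or a two-byte zero terminator when the manifest gives no length), written out as an added Python example rather than anything from the post or the .NET EventRecord API. The field list beyond XYZLength/XYZ and the sample payload are constructed, and the length is assumed to count characters rather than bytes because the post's own payload begins with 0x000C followed by 12 characters.

```python
import struct

# Constructed field layout in the shape of the manifest <data> elements quoted
# in the post: (name, inType, name of the length field or None). Hypothetical.
FIELDS = [
    ("XYZLength", "win:UInt16", None),
    ("XYZ", "win:UnicodeString", "XYZLength"),  # reads XYZLength UTF-16 units
    ("Flags", "win:UInt32", None),
    ("Path", "win:UnicodeString", None),        # no length attr: NUL-terminated
]
INT_FORMATS = {"win:UInt8": "<B", "win:UInt16": "<H", "win:UInt32": "<I"}

def parse_complex_data(hex_payload, fields=FIELDS):
    """Decode <ComplexData> hex field by field -> (values, trailing_bytes).
    Length-prefixed strings read N UTF-16 code units (the post's payload has
    0x000C before 12 characters, so N counts characters); strings without a
    length run to a two-byte zero terminator. ValueError if truncated."""
    buf = bytes.fromhex(hex_payload)
    pos, values = 0, {}
    for name, in_type, length_ref in fields:
        if in_type in INT_FORMATS:                    # little-endian integer
            fmt = INT_FORMATS[in_type]
            end = pos + struct.calcsize(fmt)
            if end > len(buf):
                raise ValueError(f"payload truncated inside {name}")
            values[name] = struct.unpack_from(fmt, buf, pos)[0]
        elif in_type == "win:UnicodeString" and length_ref is not None:
            end = pos + 2 * values[length_ref]        # 2 bytes per code unit
            if end > len(buf):
                raise ValueError(f"length of {name} exceeds payload")
            values[name] = buf[pos:end].decode("utf-16-le")
        elif in_type == "win:UnicodeString":
            end = pos
            while buf[end:end + 2] != b"\x00\x00":   # scan in 2-byte steps
                if end + 2 > len(buf):
                    raise ValueError(f"no terminator for {name}")
                end += 2
            values[name] = buf[pos:end].decode("utf-16-le")
            end += 2                                  # step over terminator
        else:
            raise ValueError(f"unsupported inType {in_type}")
        pos = end
    return values, buf[pos:]

# Constructed sample payload (not the post's); trailing zeros mimic its padding.
SAMPLE_HEX = (struct.pack("<H", 5) + "Hello".encode("utf-16-le")
              + struct.pack("<I", 0x00010002)
              + "C:\\temp".encode("utf-16-le") + b"\x00\x00"
              + b"\x00" * 4).hex().upper()
```

Running only the two quoted manifest fields over the start of the post's payload gives XYZLength == 12 and a 12-character string, which is what fixes the unit of the length as characters.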