diff --git a/pandora_agents/win32/ChangeLog b/pandora_agents/win32/ChangeLog index 756f8d52dc..1bf2691408 100644 --- a/pandora_agents/win32/ChangeLog +++ b/pandora_agents/win32/ChangeLog @@ -1,3 +1,13 @@ +2013-06-20 Ramon Novoa + + * windows/winevt.h: Added to repository. Headers for Wevtapi.dll. + + * modules/pandora_module_logevent.cc, + modules/pandora_module_logevent.h, + pandora_strutils.cc, + pandora_strutils.h: Added support for the new XML based eventing model + introduced in Windows Vista. + 2013-06-14 Ramon Novoa * modules/pandora_module_logevent.h, diff --git a/pandora_agents/win32/modules/pandora_module_logevent.cc b/pandora_agents/win32/modules/pandora_module_logevent.cc index 117f773586..7556ca0bc4 100755 --- a/pandora_agents/win32/modules/pandora_module_logevent.cc +++ b/pandora_agents/win32/modules/pandora_module_logevent.cc @@ -27,9 +27,22 @@ #include "pandora_module_logevent.h" #include "../windows/pandora_wmi.h" #include "../pandora_windows_service.h" +#include "pandora_module_logevent.h" +#include "pandora_strutils.h" using namespace Pandora; using namespace Pandora_Modules; +using namespace Pandora_Strutils; + +// Pointers to Wevtapi.dll functions +static HINSTANCE WINEVENT = NULL; +static EvtQueryT EvtQueryF = NULL; +static EvtNextT EvtNextF = NULL; +static EvtCreateRenderContextT EvtCreateRenderContextF = NULL; +static EvtRenderT EvtRenderF = NULL; +static EvtCloseT EvtCloseF = NULL; +static EvtFormatMessageT EvtFormatMessageF = NULL; +static EvtOpenPublisherMetadataT EvtOpenPublisherMetadataF = NULL; /** * Creates a Pandora_Module_Logevent object. @@ -75,6 +88,67 @@ Pandora_Module_Logevent::Pandora_Module_Logevent (string name, string source, st this->log_event = NULL; this->first_run = 1; this->setKind (module_logevent_str); + + // Load Wevtapi.dll and some functions + if (WINEVENT == NULL) { + WINEVENT = LoadLibrary("Wevtapi.dll"); + if (WINEVENT == NULL) { + + // Log to the bedug log, since this is not an error + pandoraDebug ("Error loading library Wevtapi.dll"); + return; + } + + EvtQueryF = (EvtQueryT) GetProcAddress (WINEVENT, "EvtQuery"); + if (EvtQueryF == NULL) { + pandoraLog ("Error loading function EvtQuery from Wevtapi.dll"); + FreeLibrary (WINEVENT); + WINEVENT = NULL; + return; + } + EvtNextF = (EvtNextT) GetProcAddress (WINEVENT, "EvtNext"); + if (EvtNextF == NULL) { + pandoraLog ("Error loading function EvtNext from Wevtapi.dll"); + FreeLibrary (WINEVENT); + WINEVENT = NULL; + return; + } + EvtCreateRenderContextF = (EvtCreateRenderContextT) GetProcAddress (WINEVENT, "EvtCreateRenderContext"); + if (EvtCreateRenderContextF == NULL) { + pandoraLog ("Error loading function EvtCreateRenderContext from Wevtapi.dll"); + FreeLibrary (WINEVENT); + WINEVENT = NULL; + return; + } + EvtRenderF = (EvtRenderT) GetProcAddress (WINEVENT, "EvtRender"); + if (EvtRenderF == NULL) { + pandoraLog ("Error loading function EvtRender from Wevtapi.dll"); + FreeLibrary (WINEVENT); + WINEVENT = NULL; + return; + } + EvtCloseF = (EvtCloseT) GetProcAddress (WINEVENT, "EvtClose"); + if (EvtCloseF == NULL) { + pandoraLog ("Error loading function EvtClose from Wevtapi.dll"); + FreeLibrary (WINEVENT); + WINEVENT = NULL; + return; + } + EvtFormatMessageF = (EvtFormatMessageT) GetProcAddress (WINEVENT, "EvtFormatMessage"); + if (EvtFormatMessageF == NULL) { + pandoraLog ("Error loading function EvtFormatMessage from Wevtapi.dll"); + FreeLibrary (WINEVENT); + WINEVENT = NULL; + return; + } + EvtOpenPublisherMetadataF = (EvtOpenPublisherMetadataT) GetProcAddress (WINEVENT, "EvtOpenPublisherMetadata"); + if (EvtOpenPublisherMetadataF == NULL) { + pandoraLog ("Error loading function EvtOpenPublisherMetadata from Wevtapi.dll"); + FreeLibrary (WINEVENT); + WINEVENT = NULL; + return; + } + } } void @@ -166,7 +240,7 @@ Pandora_Module_Logevent::closeLogEvent () { */ int Pandora_Module_Logevent::getLogEvents (list &event_list, unsigned char discard) { - char description[BUFFER_SIZE], timestamp[TIMESTAMP_LEN + 1]; + char message[BUFFER_SIZE], timestamp[TIMESTAMP_LEN + 1]; struct tm *time_info = NULL; time_t epoch; BYTE *buffer = NULL, *new_buffer = NULL; @@ -181,6 +255,7 @@ Pandora_Module_Logevent::getLogEvents (list &event_list, unsigned char d TCHAR lp_referenced_domain_name[_MAX_PATH + 1]; DWORD cch_referenced_domain_name = _MAX_PATH + 1; SID_NAME_USE pe_use; + string description; if (this->log_event == NULL) { return -1; @@ -246,12 +321,19 @@ Pandora_Module_Logevent::getLogEvents (list &event_list, unsigned char d while (read > 0) { // Retrieve the event description (LOAD_LIBRARY_AS_IMAGE_RESOURCE | LOAD_LIBRARY_AS_DATAFILE) - getEventDescription (pevlr, description, 0x20 | 0x02); - if (description[0] == '\0') { - // Retrieve the event description (DONT_RESOLVE_DLL_REFERENCES) - getEventDescription (pevlr, description, DONT_RESOLVE_DLL_REFERENCES); - if (description[0] == '\0') { - strcpy (description, "N/A"); + description = getEventDescriptionXPATH (pevlr); + if (description == "") { + getEventDescription (pevlr, message, 0x20 | 0x02); + if (message[0] == '\0') { + // Retrieve the event description (DONT_RESOLVE_DLL_REFERENCES) + getEventDescription (pevlr, message, DONT_RESOLVE_DLL_REFERENCES); + if (message[0] == '\0') { + description = "N/A"; + } else { + description = message; + } + } else { + description = message; } } @@ -350,7 +432,6 @@ Pandora_Module_Logevent::timestampToSystemtime (string timestamp, SYSTEMTIME *sy * * @param event Event log record. * @param message Buffer to store the description (at least _MAX_PATH + 1). - * @return 0 if the description could be retrieved, -1 otherwise. */ void Pandora_Module_Logevent::getEventDescription (PEVENTLOGRECORD pevlr, char *message, DWORD flags) { @@ -448,6 +529,170 @@ Pandora_Module_Logevent::getEventDescription (PEVENTLOGRECORD pevlr, char *messa RegCloseKey(hk); } +/** + * Retrieves the description of the given event via XPATH. + * + * @param event Event log record. + * @param message Buffer to store the description (at least _MAX_PATH + 1). + */ +string +Pandora_Module_Logevent::getEventDescriptionXPATH (PEVENTLOGRECORD pevlr) { + DWORD status = ERROR_SUCCESS; + EVT_HANDLE hResults = NULL; + wstring pwsQuery; + wstring pwsPath; + EVT_HANDLE hEvents[1]; + DWORD dwReturned = 0; + LPWSTR ppValues[] = {L"Event/System/Provider/@Name"}; + DWORD count = sizeof(ppValues)/sizeof(LPWSTR); + EVT_HANDLE hContext = NULL; + PEVT_VARIANT pRenderedValues = NULL; + DWORD dwBufferSize = 0; + DWORD dwBufferUsed = 0; + DWORD dwPropertyCount = 0; + LPWSTR pwsMessage = NULL; + EVT_HANDLE hProviderMetadata = NULL; + string query, path, description; + + // Wevtapi.dll not available + if (WINEVENT == NULL) { + return description; + } + + // Build the XPATH query + query = "Event/System[EventID=" + inttostr(pevlr->EventID & EVENT_ID_MASK) + "]"; + pwsQuery = strAnsiToUnicode (query.c_str()); + pwsPath = strAnsiToUnicode (this->source.c_str()); + + // Query for the event + hResults = EvtQueryF (NULL, pwsPath.c_str(), pwsQuery.c_str(), EvtQueryChannelPath | EvtQueryReverseDirection); + if (hResults == NULL) { + pandoraDebug ("EvtQuery error: %d", GetLastError()); + return description; + } + + // Event not found + if (! EvtNextF(hResults, 1, hEvents, INFINITE, 0, &dwReturned)) { + pandoraDebug ("EvtNext error: %d", GetLastError()); + EvtCloseF(hResults); + return description; + } + + // Extract data from the event + hContext = EvtCreateRenderContextF(count, (LPCWSTR*)ppValues, EvtRenderContextValues); + if (NULL == hContext) { + pandoraDebug ("EvtCreateRenderContext error: %d", GetLastError()); + EvtCloseF(hEvents[0]); + EvtCloseF(hResults); + return description; + } + + if (! EvtRenderF(hContext, hEvents[0], EvtRenderEventValues, dwBufferSize, pRenderedValues, &dwBufferUsed, &dwPropertyCount)) { + if ((status = GetLastError()) == ERROR_INSUFFICIENT_BUFFER) { + dwBufferSize = dwBufferUsed; + pRenderedValues = (PEVT_VARIANT)malloc(dwBufferSize); + if (pRenderedValues) { + EvtRenderF(hContext, hEvents[0], EvtRenderEventValues, dwBufferSize, pRenderedValues, &dwBufferUsed, &dwPropertyCount); + } + else { + pandoraDebug ("EvtRender error: %d", status); + EvtCloseF(hContext); + EvtCloseF(hEvents[0]); + EvtCloseF(hResults); + return description; + } + } + + if (ERROR_SUCCESS != (status = GetLastError())) { + pandoraDebug ("EvtRender error: %d", status); + EvtCloseF(hContext); + EvtCloseF(hEvents[0]); + EvtCloseF(hResults); + return description; + } + } + + // Get the handle to the provider's metadata that contains the message strings + hProviderMetadata = EvtOpenPublisherMetadataF(NULL, pRenderedValues[0].StringVal, NULL, 0, 0); + if (hProviderMetadata == NULL) { + pandoraDebug ("EvtOpenPublisherMetadata error: %d", GetLastError()); + free(pRenderedValues); + EvtCloseF(hContext); + EvtCloseF(hEvents[0]); + EvtCloseF(hResults); + return description; + } + + // Read the event message + pwsMessage = GetMessageString(hProviderMetadata, hEvents[0], EvtFormatMessageEvent); + if (pwsMessage == NULL) { + free(pRenderedValues); + EvtCloseF(hProviderMetadata); + EvtCloseF(hContext); + EvtCloseF(hEvents[0]); + EvtCloseF(hResults); + return description; + } + + // Save the event message + description = strUnicodeToAnsi (pwsMessage); + + // Cleanup + free(pRenderedValues); + EvtCloseF(hProviderMetadata); + EvtCloseF(hContext); + EvtCloseF(hEvents[0]); + EvtCloseF(hResults); + return description; +} + +// Gets the specified message string from the event. If the event does not +// contain the specified message, the function returns NULL. +// See http://msdn.microsoft.com/en-us/library/windows/desktop/dd996923(v=vs.85).aspx +LPWSTR +Pandora_Module_Logevent::GetMessageString(EVT_HANDLE hMetadata, EVT_HANDLE hEvent, EVT_FORMAT_MESSAGE_FLAGS FormatId) { + LPWSTR pBuffer = NULL; + DWORD dwBufferSize = 0; + DWORD dwBufferUsed = 0; + DWORD status = 0; + + if (!EvtFormatMessageF(hMetadata, hEvent, 0, 0, NULL, FormatId, dwBufferSize, pBuffer, &dwBufferUsed)) { + status = GetLastError(); + if (ERROR_INSUFFICIENT_BUFFER == status) { + // An event can contain one or more keywords. The function returns keywords + // as a list of keyword strings. To process the list, you need to know the + // size of the buffer, so you know when you have read the last string, or you + // can terminate the list of strings with a second null terminator character + // as this example does. + if ((EvtFormatMessageKeyword == FormatId)) { + pBuffer[dwBufferSize-1] = L'\0'; + } + else { + dwBufferSize = dwBufferUsed; + } + pBuffer = (LPWSTR)malloc(dwBufferSize * sizeof(WCHAR)); + + if (pBuffer) { + EvtFormatMessageF(hMetadata, hEvent, 0, 0, NULL, FormatId, dwBufferSize, pBuffer, &dwBufferUsed); + + // Add the second null terminator character. + if ((EvtFormatMessageKeyword == FormatId)) { + pBuffer[dwBufferUsed-1] = L'\0'; + } + } + else { + return NULL; + } + } + else { + pandoraDebug ("EvtFormatMessage error: %d", status); + return NULL; + } + } + + return pBuffer; +} + /** * Filters the given event according to the module parameters. * @@ -460,7 +705,7 @@ Pandora_Module_Logevent::filterEvent (PEVENTLOGRECORD pevlr, string description) LPCSTR source_name; // Event ID filter - if (this->id > 0 && this->id != (pevlr->EventID & 0x3FFFFFFF)) { + if (this->id > 0 && this->id != (pevlr->EventID & EVENT_ID_MASK)) { return -1; } diff --git a/pandora_agents/win32/modules/pandora_module_logevent.h b/pandora_agents/win32/modules/pandora_module_logevent.h index f0e4a759bc..810448c22f 100755 --- a/pandora_agents/win32/modules/pandora_module_logevent.h +++ b/pandora_agents/win32/modules/pandora_module_logevent.h @@ -24,6 +24,7 @@ #include "pandora_module.h" #include "boost/regex.h" +#include "../windows/winevt.h" // Log event read buffer size #define BUFFER_SIZE 1024 @@ -31,6 +32,19 @@ // Length of a timestamp string YYYY-MM-DD HH:MM:SS #define TIMESTAMP_LEN 19 +// The EventID property equals the InstanceId with the top two bits masked off. +// See: http://msdn.microsoft.com/en-us/library/system.diagnostics.eventlogentry.eventid.aspx +#define EVENT_ID_MASK 0x3FFFFFFF + +// Types for pointers to Wevtapi.dll functions +typedef EVT_HANDLE WINAPI (*EvtQueryT) (EVT_HANDLE Session, LPCWSTR Path, LPCWSTR Query, DWORD Flags); +typedef WINBOOL WINAPI (*EvtNextT) (EVT_HANDLE ResultSet, DWORD EventArraySize, EVT_HANDLE* EventArray, DWORD Timeout, DWORD Flags, PDWORD Returned); +typedef EVT_HANDLE WINAPI (*EvtCreateRenderContextT) (DWORD ValuePathsCount, LPCWSTR *ValuePaths, DWORD Flags); +typedef WINBOOL WINAPI (*EvtRenderT) (EVT_HANDLE Context, EVT_HANDLE Fragment, DWORD Flags, DWORD BufferSize, PVOID Buffer, PDWORD BufferUsed, PDWORD PropertyCount); +typedef WINBOOL WINAPI (*EvtCloseT) (EVT_HANDLE Object); +typedef WINBOOL WINAPI (*EvtFormatMessageT) (EVT_HANDLE PublisherMetadata, EVT_HANDLE Event, DWORD MessageId, DWORD ValueCount, PEVT_VARIANT Values, DWORD Flags, DWORD BufferSize, LPWSTR Buffer, PDWORD BufferUsed); +typedef EVT_HANDLE WINAPI (*EvtOpenPublisherMetadataT) (EVT_HANDLE Session, LPCWSTR PublisherIdentity, LPCWSTR LogFilePath, LCID Locale, DWORD Flags); + namespace Pandora_Modules { /** @@ -55,7 +69,9 @@ namespace Pandora_Modules { int getLogEvents (list &event_list, unsigned char discard); void timestampToSystemtime (string timestamp, SYSTEMTIME *system_time); void getEventDescription (PEVENTLOGRECORD pevlr, char *message, DWORD flags); + string getEventDescriptionXPATH (PEVENTLOGRECORD pevlr); int filterEvent (PEVENTLOGRECORD pevlr, string description); + LPWSTR GetMessageString(EVT_HANDLE hMetadata, EVT_HANDLE hEvent, EVT_FORMAT_MESSAGE_FLAGS FormatId); public: Pandora_Module_Logevent (string name, string source, string type, string id, string pattern, string application); diff --git a/pandora_agents/win32/pandora_strutils.cc b/pandora_agents/win32/pandora_strutils.cc index ba9651e9ce..28f85d5088 100644 --- a/pandora_agents/win32/pandora_strutils.cc +++ b/pandora_agents/win32/pandora_strutils.cc @@ -63,32 +63,61 @@ Pandora_Strutils::trim (const string str) { * * @return String converted into ANSI code */ -LPSTR +string Pandora_Strutils::strUnicodeToAnsi (LPCWSTR s) { + string output; + if (s == NULL) return NULL; int cw = lstrlenW (s); if (cw == 0) { - CHAR *psz = new CHAR[1]; - *psz='\0'; - return psz; + return output; } int cc = WideCharToMultiByte (CP_ACP,0, s, cw, NULL, 0, NULL, NULL); - if (cc==0) - return NULL; + if (cc==0) { + return output; + } CHAR *psz = new CHAR[cc+1]; cc = WideCharToMultiByte (CP_ACP, 0, s, cw, psz, cc, NULL, NULL); - if (cc == 0) { delete[] psz; - return NULL; + return output; } psz[cc]='\0'; + output = psz; + delete[] psz; + + return output; +} + + +/** + * Convert an ANSI string to a unicode string. Do not forget to + * delete the returned string! + * + * @param s String to convert + * + * @return String converted to Unicode + */ +wstring +Pandora_Strutils::strAnsiToUnicode (LPCSTR s) { + LPWSTR output; + wstring w_output; - return psz; + int lenW = MultiByteToWideChar(CP_ACP, 0, s, -1, NULL, 0); + if (lenW <= 0) { + return NULL; + } + output = new wchar_t[lenW]; + MultiByteToWideChar(CP_ACP, 0, s, -1, output, lenW); + + w_output = output; + delete[] output; + + return w_output; } /** diff --git a/pandora_agents/win32/pandora_strutils.h b/pandora_agents/win32/pandora_strutils.h index 8f9408431b..b8db7363be 100644 --- a/pandora_agents/win32/pandora_strutils.h +++ b/pandora_agents/win32/pandora_strutils.h @@ -44,8 +44,8 @@ namespace Pandora_Strutils { string trim (const string str); - LPSTR strUnicodeToAnsi (LPCWSTR s); - + string strUnicodeToAnsi (LPCWSTR s); + wstring strAnsiToUnicode (LPCSTR s); string inttostr (const int i); string longtostr (const long i); string longtohex (const long i); diff --git a/pandora_agents/win32/windows/winevt.h b/pandora_agents/win32/windows/winevt.h new file mode 100644 index 0000000000..4391cfc00b --- /dev/null +++ b/pandora_agents/win32/windows/winevt.h @@ -0,0 +1,576 @@ +/** + * This file has no copyright assigned and is placed in the Public Domain. + * This file is part of the mingw-w64 runtime package. + * No warranty is given; refer to the file DISCLAIMER.PD within this package. + */ +#ifndef _INC_WINEVT +#define _INC_WINEVT +//#if (_WIN32_WINNT >= 0x0600) + +#ifdef __cplusplus +extern "C" { +#endif + +typedef enum _EVT_CHANNEL_CLOCK_TYPE { + EvtChannelClockTypeSystemTime = 0, + EvtChannelClockTypeQPC = 1 +} EVT_CHANNEL_CLOCK_TYPE; + +typedef enum _EVT_CHANNEL_CONFIG_PROPERTY_ID { + EvtChannelConfigEnabled = 0, + EvtChannelConfigIsolation = 1, + EvtChannelConfigType = 2, + EvtChannelConfigOwningPublisher = 3, + EvtChannelConfigClassicEventlog = 4, + EvtChannelConfigAccess = 5, + EvtChannelLoggingConfigRetention = 6, + EvtChannelLoggingConfigAutoBackup = 7, + EvtChannelLoggingConfigMaxSize = 8, + EvtChannelLoggingConfigLogFilePath = 9, + EvtChannelPublishingConfigLevel = 10, + EvtChannelPublishingConfigKeywords = 11, + EvtChannelPublishingConfigControlGuid = 12, + EvtChannelPublishingConfigBufferSize = 13, + EvtChannelPublishingConfigMinBuffers = 14, + EvtChannelPublishingConfigMaxBuffers = 15, + EvtChannelPublishingConfigLatency = 16, + EvtChannelPublishingConfigClockType = 17, + EvtChannelPublishingConfigSidType = 18, + EvtChannelPublisherList = 19, + EvtChannelPublishingConfigFileMax = 20, + EvtChannelConfigPropertyIdEND = 21 +} EVT_CHANNEL_CONFIG_PROPERTY_ID; + +typedef enum _EVT_CHANNEL_ISOLATION_TYPE { + EvtChannelIsolationTypeApplication = 0, + EvtChannelIsolationTypeSystem = 1, + EvtChannelIsolationTypeCustom = 2 +} EVT_CHANNEL_ISOLATION_TYPE; + +typedef enum _EVT_CHANNEL_REFERENCE_FLAGS { + EvtChannelReferenceImported = 0x1 +} EVT_CHANNEL_REFERENCE_FLAGS; + +typedef enum _EVT_CHANNEL_SID_TYPE { + EvtChannelSidTypeNone = 0, + EvtChannelSidTypePublishing = 1 +} EVT_CHANNEL_SID_TYPE; + +typedef enum _EVT_CHANNEL_TYPE { + EvtChannelTypeAdmin = 0, + EvtChannelTypeOperational = 1, + EvtChannelTypeAnalytic = 2, + EvtChannelTypeDebug = 3 +} EVT_CHANNEL_TYPE; + +typedef enum _EVT_EVENT_METADATA_PROPERTY_ID { + EventMetadataEventID = 0, + EventMetadataEventVersion = 1, + EventMetadataEventChannel = 2, + EventMetadataEventLevel = 3, + EventMetadataEventOpcode = 4, + EventMetadataEventTask = 5, + EventMetadataEventKeyword = 6, + EventMetadataEventMessageID = 7, + EventMetadataEventTemplate = 8, + EvtEventMetadataPropertyIdEND = 9 +} EVT_EVENT_METADATA_PROPERTY_ID; + +typedef enum _EVT_EVENT_PROPERTY_ID { + EvtEventQueryIDs = 0, + EvtEventPath = 1, + EvtEventPropertyIdEND = 2 +} EVT_EVENT_PROPERTY_ID; + +typedef enum _EVT_EXPORTLOG_FLAGS { + EvtExportLogChannelPath = 0x1, + EvtExportLogFilePath = 0x2, + EvtExportLogTolerateQueryErrors = 0x1000 +} EVT_EXPORTLOG_FLAGS; + +typedef enum _EVT_FORMAT_MESSAGE_FLAGS { + EvtFormatMessageEvent = 1, + EvtFormatMessageLevel = 2, + EvtFormatMessageTask = 3, + EvtFormatMessageOpcode = 4, + EvtFormatMessageKeyword = 5, + EvtFormatMessageChannel = 6, + EvtFormatMessageProvider = 7, + EvtFormatMessageId = 8, + EvtFormatMessageXml = 9 +} EVT_FORMAT_MESSAGE_FLAGS; + +typedef enum _EVT_LOG_PROPERTY_ID { + EvtLogCreationTime = 0, + EvtLogLastAccessTime = 1, + EvtLogLastWriteTime = 2, + EvtLogFileSize = 3, + EvtLogAttributes = 4, + EvtLogNumberOfLogRecords = 5, + EvtLogOldestRecordNumber = 6, + EvtLogFull = 7 +} EVT_LOG_PROPERTY_ID; + +typedef enum _EVT_LOGIN_CLASS { + EvtRpcLogin = 1 +} EVT_LOGIN_CLASS; + +typedef enum _EVT_OPEN_LOG_FLAGS { + EvtOpenChannelPath = 0x1, + EvtOpenFilePath = 0x2 +} EVT_OPEN_LOG_FLAGS; + +typedef enum _EVT_PUBLISHER_METADATA_PROPERTY_ID { + EvtPublisherMetadataPublisherGuid = 0, + EvtPublisherMetadataResourceFilePath, + EvtPublisherMetadataParameterFilePath, + EvtPublisherMetadataMessageFilePath, + EvtPublisherMetadataHelpLink, + EvtPublisherMetadataPublisherMessageID, + EvtPublisherMetadataChannelReferences, + EvtPublisherMetadataChannelReferencePath, + EvtPublisherMetadataChannelReferenceIndex, + EvtPublisherMetadataChannelReferenceID, + EvtPublisherMetadataChannelReferenceFlags, + EvtPublisherMetadataChannelReferenceMessageID, + EvtPublisherMetadataLevels, + EvtPublisherMetadataLevelName, + EvtPublisherMetadataLevelValue, + EvtPublisherMetadataLevelMessageID, + EvtPublisherMetadataTasks, + EvtPublisherMetadataTaskName, + EvtPublisherMetadataTaskEventGuid, + EvtPublisherMetadataTaskValue, + EvtPublisherMetadataTaskMessageID, + EvtPublisherMetadataOpcodes, + EvtPublisherMetadataOpcodeName, + EvtPublisherMetadataOpcodeValue, + EvtPublisherMetadataOpcodeMessageID, + EvtPublisherMetadataKeywords, + EvtPublisherMetadataKeywordName, + EvtPublisherMetadataKeywordValue, + EvtPublisherMetadataKeywordMessageID, + EvtPublisherMetadataPropertyIdEND +} EVT_PUBLISHER_METADATA_PROPERTY_ID; + +typedef enum _EVT_QUERY_FLAGS { + EvtQueryChannelPath = 0x1, + EvtQueryFilePath = 0x2, + EvtQueryForwardDirection = 0x100, + EvtQueryReverseDirection = 0x200, + EvtQueryTolerateQueryErrors = 0x1000 +} EVT_QUERY_FLAGS; + +typedef enum _EVT_QUERY_PROPERTY_ID { + EvtQueryNames = 0, + EvtQueryStatuses = 1, + EvtQueryPropertyIdEND = 2 +} EVT_QUERY_PROPERTY_ID; + +typedef enum _EVT_RENDER_CONTEXT_FLAGS { + EvtRenderContextValues = 0, + EvtRenderContextSystem = 1, + EvtRenderContextUser = 2 +} EVT_RENDER_CONTEXT_FLAGS; + +typedef enum _EVT_RENDER_FLAGS { + EvtRenderEventValues = 0, + EvtRenderEventXml = 1, + EvtRenderBookmark = 2 +} EVT_RENDER_FLAGS; + +typedef struct _EVT_RPC_LOGIN { + LPWSTR Server; + LPWSTR User; + LPWSTR Domain; + LPWSTR Password; + DWORD Flags; +} EVT_RPC_LOGIN; + +typedef enum _EVT_RPC_LOGIN_FLAGS { + EvtRpcLoginAuthDefault = 0, + EvtRpcLoginAuthNegotiate = 1, + EvtRpcLoginAuthKerberos = 2, + EvtRpcLoginAuthNTLM = 3 +} EVT_RPC_LOGIN_FLAGS; + +typedef enum _EVT_SEEK_FLAGS { + EvtSeekRelativeToFirst = 1, + EvtSeekRelativeToLast = 2, + EvtSeekRelativeToCurrent = 3, + EvtSeekRelativeToBookmark = 4, + EvtSeekOriginMask = 7, + EvtSeekStrict = 0x10000 +} EVT_SEEK_FLAGS; + +typedef enum _EVT_SUBSCRIBE_FLAGS { + EvtSubscribeToFutureEvents = 1, + EvtSubscribeStartAtOldestRecord = 2, + EvtSubscribeStartAfterBookmark = 3, + EvtSubscribeOriginMask = 0x3, + EvtSubscribeTolerateQueryErrors = 0x1000, + EvtSubscribeStrict = 0x10000 +} EVT_SUBSCRIBE_FLAGS; + +typedef enum _EVT_SUBSCRIBE_NOTIFY_ACTION { + EvtSubscribeActionError = 0, + EvtSubscribeActionDeliver = 1 +} EVT_SUBSCRIBE_NOTIFY_ACTION; + +typedef enum _EVT_SYSTEM_PROPERTY_ID { + EvtSystemProviderName = 0, + EvtSystemProviderGuid, + EvtSystemEventID, + EvtSystemQualifiers, + EvtSystemLevel, + EvtSystemTask, + EvtSystemOpcode, + EvtSystemKeywords, + EvtSystemTimeCreated, + EvtSystemEventRecordId, + EvtSystemActivityID, + EvtSystemRelatedActivityID, + EvtSystemProcessID, + EvtSystemThreadID, + EvtSystemChannel, + EvtSystemComputer, + EvtSystemUserID, + EvtSystemVersion, + EvtSystemPropertyIdEND +} EVT_SYSTEM_PROPERTY_ID; + +typedef enum _EVT_VARIANT_TYPE { + EvtVarTypeNull = 0, + EvtVarTypeString = 1, + EvtVarTypeAnsiString = 2, + EvtVarTypeSByte = 3, + EvtVarTypeByte = 4, + EvtVarTypeInt16 = 5, + EvtVarTypeUInt16 = 6, + EvtVarTypeInt32 = 7, + EvtVarTypeUInt32 = 8, + EvtVarTypeInt64 = 9, + EvtVarTypeUInt64 = 10, + EvtVarTypeSingle = 11, + EvtVarTypeDouble = 12, + EvtVarTypeBoolean = 13, + EvtVarTypeBinary = 14, + EvtVarTypeGuid = 15, + EvtVarTypeSizeT = 16, + EvtVarTypeFileTime = 17, + EvtVarTypeSysTime = 18, + EvtVarTypeSid = 19, + EvtVarTypeHexInt32 = 20, + EvtVarTypeHexInt64 = 21, + EvtVarTypeEvtHandle = 32, + EvtVarTypeEvtXml = 35 +} EVT_VARIANT_TYPE; + +typedef HANDLE EVT_HANDLE; +typedef HANDLE EVT_OBJECT_ARRAY_PROPERTY_HANDLE; + +typedef struct _EVT_VARIANT { + union { + WINBOOL BooleanVal; + INT8 SByteVal; + INT16 Int16Val; + INT32 Int32Val; + INT64 Int64Val; + UINT8 ByteVal; + UINT16 UInt16Val; + UINT32 UInt32Val; + UINT64 UInt64Val; + float SingleVal; + double DoubleVal; + ULONGLONG FileTimeVal; + SYSTEMTIME *SysTimeVal; + GUID *GuidVal; + LPCWSTR StringVal; + LPCSTR AnsiStringVal; + PBYTE BinaryVal; + PSID SidVal; + size_t SizeTVal; + EVT_HANDLE EvtHandleVal; + BOOL *BooleanArr; + INT8 *SByteArr; + INT16 *Int16Arr; + INT32 *Int32Arr; + INT64 *Int64Arr; + UINT8 *ByteArr; + UINT16 *UInt16Arr; + UINT32 *UInt32Arr; + UINT64 *UInt64Arr; + float *SingleArr; + double *DoubleArr; + FILETIME *FileTimeArr; + SYSTEMTIME *SysTimeArr; + GUID *GuidArr; + LPWSTR *StringArr; + LPSTR *AnsiStringArr; + PSID *SidArr; + size_t *SizeTArr; + LPCWSTR XmlVal; + LPCWSTR* XmlValArr; + }; + DWORD Count; + DWORD Type; +} EVT_VARIANT, *PEVT_VARIANT; + +typedef DWORD ( WINAPI *EVT_SUBSCRIBE_CALLBACK )( + EVT_SUBSCRIBE_NOTIFY_ACTION Action, + PVOID UserContext, + EVT_HANDLE Event +); + +WINBOOL WINAPI EvtArchiveExportedLog( + EVT_HANDLE Session, + LPCWSTR LogFilePath, + LCID Locale, + DWORD Flags +); + +WINBOOL WINAPI EvtCancel( + EVT_HANDLE Object +); + +WINBOOL WINAPI EvtClearLog( + EVT_HANDLE Session, + LPCWSTR ChannelPath, + LPCWSTR TargetFilePath, + DWORD Flags +); + +WINBOOL WINAPI EvtClose( + EVT_HANDLE Object +); + +EVT_HANDLE WINAPI EvtCreateBookmark( + LPCWSTR BookmarkXml +); + +EVT_HANDLE WINAPI EvtCreateRenderContext( + DWORD ValuePathsCount, + LPCWSTR *ValuePaths, + DWORD Flags +); + +WINBOOL WINAPI EvtExportLog( + EVT_HANDLE Session, + LPCWSTR Path, + LPCWSTR Query, + LPCWSTR TargetFilePath, + DWORD Flags +); + +WINBOOL WINAPI EvtFormatMessage( + EVT_HANDLE PublisherMetadata, + EVT_HANDLE Event, + DWORD MessageId, + DWORD ValueCount, + PEVT_VARIANT Values, + DWORD Flags, + DWORD BufferSize, + LPWSTR Buffer, + PDWORD BufferUsed +); + +WINBOOL WINAPI EvtGetChannelConfigProperty( + EVT_HANDLE ChannelConfig, + EVT_CHANNEL_CONFIG_PROPERTY_ID PropertyId, + DWORD Flags, + DWORD PropertyValueBufferSize, + PEVT_VARIANT PropertyValueBuffer, + PDWORD PropertyValueBufferUsed +); + +WINBOOL WINAPI EvtGetEventInfo( + EVT_HANDLE Event, + EVT_EVENT_PROPERTY_ID PropertyId, + DWORD PropertyValueBufferSize, + PEVT_VARIANT PropertyValueBuffer, + PDWORD PropertyValueBufferUsed +); + +WINBOOL WINAPI EvtGetEventMetadataProperty( + EVT_HANDLE EventMetadata, + EVT_EVENT_METADATA_PROPERTY_ID PropertyId, + DWORD Flags, + DWORD EventMetadataPropertyBufferSize, + PEVT_VARIANT EventMetadataPropertyBuffer, + PDWORD EventMetadataPropertyBufferUsed +); + +DWORD WINAPI EvtGetExtendedStatus( + DWORD BufferSize, + LPWSTR Buffer, + PDWORD BufferUsed +); + +WINBOOL WINAPI EvtGetLogInfo( + EVT_HANDLE Log, + EVT_LOG_PROPERTY_ID PropertyId, + DWORD PropertyValueBufferSize, + PEVT_VARIANT PropertyValueBuffer, + PDWORD PropertyValueBufferUsed +); + +WINBOOL WINAPI EvtGetObjectArrayProperty( + EVT_OBJECT_ARRAY_PROPERTY_HANDLE ObjectArray, + DWORD PropertyId, + DWORD ArrayIndex, + DWORD Flags, + DWORD PropertyValueBufferSize, + PEVT_VARIANT PropertyValueBuffer, + PDWORD PropertyValueBufferUsed +); + +WINBOOL WINAPI EvtGetObjectArraySize( + EVT_OBJECT_ARRAY_PROPERTY_HANDLE ObjectArray, + PDWORD ObjectArraySize +); + +WINBOOL WINAPI EvtGetPublisherMetadataProperty( + EVT_HANDLE PublisherMetadata, + EVT_PUBLISHER_METADATA_PROPERTY_ID PropertyId, + DWORD Flags, + DWORD PublisherMetadataPropertyBufferSize, + PEVT_VARIANT PublisherMetadataPropertyBuffer, + PDWORD PublisherMetadataPropertyBufferUsed +); + +WINBOOL WINAPI EvtGetQueryInfo( + EVT_HANDLE QueryOrSubscription, + EVT_QUERY_PROPERTY_ID PropertyId, + DWORD PropertyValueBufferSize, + PEVT_VARIANT PropertyValueBuffer, + PDWORD PropertyValueBufferUsed +); + +WINBOOL WINAPI EvtNext( + EVT_HANDLE ResultSet, + DWORD EventArraySize, + EVT_HANDLE* EventArray, + DWORD Timeout, + DWORD Flags, + PDWORD Returned +); + +WINBOOL WINAPI EvtNextChannelPath( + EVT_HANDLE ChannelEnum, + DWORD ChannelPathBufferSize, + LPWSTR ChannelPathBuffer, + PDWORD ChannelPathBufferUsed +); + +EVT_HANDLE WINAPI EvtNextEventMetadata( + EVT_HANDLE EventMetadataEnum, + DWORD Flags +); + +WINBOOL WINAPI EvtNextPublisherId( + EVT_HANDLE PublisherEnum, + DWORD PublisherIdBufferSize, + LPWSTR PublisherIdBuffer, + PDWORD PublisherIdBufferUsed +); + +EVT_HANDLE WINAPI EvtOpenChannelConfig( + EVT_HANDLE Session, + LPCWSTR ChannelPath, + DWORD Flags +); + +EVT_HANDLE WINAPI EvtOpenChannelEnum( + EVT_HANDLE Session, + DWORD Flags +); + +EVT_HANDLE WINAPI EvtOpenEventMetadataEnum( + EVT_HANDLE PublisherMetadata, + DWORD Flags +); + +EVT_HANDLE WINAPI EvtOpenLog( + EVT_HANDLE Session, + LPCWSTR Path, + DWORD Flags +); + +EVT_HANDLE WINAPI EvtOpenPublisherEnum( + EVT_HANDLE Session, + DWORD Flags +); + +EVT_HANDLE WINAPI EvtOpenPublisherMetadata( + EVT_HANDLE Session, + LPCWSTR PublisherIdentity, + LPCWSTR LogFilePath, + LCID Locale, + DWORD Flags +); + +EVT_HANDLE WINAPI EvtOpenSession( + EVT_LOGIN_CLASS LoginClass, + PVOID Login, + DWORD Timeout, + DWORD Flags +); + +EVT_HANDLE WINAPI EvtQuery( + EVT_HANDLE Session, + LPCWSTR Path, + LPCWSTR Query, + DWORD Flags +); + +WINBOOL WINAPI EvtRender( + EVT_HANDLE Context, + EVT_HANDLE Fragment, + DWORD Flags, + DWORD BufferSize, + PVOID Buffer, + PDWORD BufferUsed, + PDWORD PropertyCount +); + +WINBOOL WINAPI EvtSaveChannelConfig( + EVT_HANDLE ChannelConfig, + DWORD Flags +); + +WINBOOL WINAPI EvtSeek( + EVT_HANDLE ResultSet, + LONGLONG Position, + EVT_HANDLE Bookmark, + DWORD Timeout, + DWORD Flags +); + +WINBOOL WINAPI EvtSetChannelConfigProperty( + EVT_HANDLE ChannelConfig, + EVT_CHANNEL_CONFIG_PROPERTY_ID PropertyId, + DWORD Flags, + PEVT_VARIANT PropertyValue +); + +EVT_HANDLE WINAPI EvtSubscribe( + EVT_HANDLE Session, + HANDLE SignalEvent, + LPCWSTR ChannelPath, + LPCWSTR Query, + EVT_HANDLE Bookmark, + PVOID context, + EVT_SUBSCRIBE_CALLBACK Callback, + DWORD Flags +); + +WINBOOL WINAPI EvtUpdateBookmark( + EVT_HANDLE Bookmark, + EVT_HANDLE Event +); + +#ifdef __cplusplus +} +#endif +//#endif /*(_WIN32_WINNT >= 0x0600)*/ +#endif /*_INC_TDH*/