/*
 * PROJECT:     ReactOS EventLog Service
 * LICENSE:     GPL - See COPYING in the top level directory
 * FILE:        base/services/eventlog/eventlog.c
 * PURPOSE:     Event logging service
 * COPYRIGHT:   Copyright 2002 Eric Kohl
 *              Copyright 2005 Saveliy Tretiakov
 *              Hermes Belusca-Maito
 */
/* INCLUDES *****************************************************************/
#include "eventlog.h"
#include <stdio.h>
#include <netevent.h>
#define NDEBUG
#include <debug.h>
/* GLOBALS ******************************************************************/
/* Forward declaration: the entry point the SCM dispatches to for this service. */
static VOID CALLBACK ServiceMain(DWORD, LPWSTR*);

/* Name under which the service registers its control handler; it is also the
 * name of the Services\EventLog registry key opened in wmain(). */
static WCHAR ServiceName[] = L"EventLog";

/* Dispatch table handed to StartServiceCtrlDispatcher(); the second entry is
 * the mandatory NULL terminator. */
static SERVICE_TABLE_ENTRYW ServiceTable[2] =
{
    { ServiceName, ServiceMain },
    { NULL, NULL }
};

/* Status last reported to the SCM and the handle used to report it. Both are
 * written by UpdateServiceStatus() and ServiceControlHandler(); the handle is
 * obtained in ServiceMain(). */
SERVICE_STATUS ServiceStatus;
SERVICE_STATUS_HANDLE ServiceStatusHandle;

BOOL onLiveCD = FALSE; // On LiveCD events will go to debug output only

/* Event source the service logs its own events with. Stays NULL when wmain()
 * cannot find the "EventLog" source; callers must cope with that. */
PEVENTSOURCE EventLogSource = NULL;
/* FUNCTIONS ****************************************************************/
/*
 * Publish a new service state to the SCM.
 *
 * Rebuilds the global ServiceStatus from scratch for the given state and
 * calls SetServiceStatus(). Transitional (*_PENDING) states advertise a
 * 10 s wait hint; settled states advertise none. Exit codes and the
 * checkpoint are always reset to zero.
 *
 * NOTE(review): dwControlsAccepted is always left at 0, so no control
 * (STOP, PAUSE, SHUTDOWN, ...) is advertised as accepted even though
 * ServiceControlHandler() implements them; confirm that this is intended
 * (an unstoppable log service is defensible) or whether at least
 * SERVICE_ACCEPT_SHUTDOWN should be set while running.
 */
static VOID
UpdateServiceStatus(DWORD dwState)
{
    const BOOL bTransitional = (dwState == SERVICE_START_PENDING ||
                                dwState == SERVICE_STOP_PENDING ||
                                dwState == SERVICE_PAUSE_PENDING ||
                                dwState == SERVICE_CONTINUE_PENDING);

    ServiceStatus.dwServiceType             = SERVICE_WIN32_OWN_PROCESS;
    ServiceStatus.dwCurrentState            = dwState;
    ServiceStatus.dwControlsAccepted        = 0;
    ServiceStatus.dwWin32ExitCode           = 0;
    ServiceStatus.dwServiceSpecificExitCode = 0;
    ServiceStatus.dwCheckPoint              = 0;
    ServiceStatus.dwWaitHint                = bTransitional ? 10000 : 0;

    SetServiceStatus(ServiceStatusHandle, &ServiceStatus);
}
/* Record the "EventLog service stopped" informational event. */
static VOID
LogEventlogStopped(VOID)
{
    LogfReportEvent(EVENTLOG_INFORMATION_TYPE,
                    0,
                    EVENT_EventlogStopped, 0, NULL, 0, NULL);
}

/*
 * Service control handler registered with RegisterServiceCtrlHandlerExW().
 *
 * STOP      logs the stopped event, stops the RPC server listening and
 *           reports SERVICE_STOPPED.
 * PAUSE /   only change the reported state; no worker in this file is
 * CONTINUE  actually suspended or resumed.
 * INTERROGATE re-sends the current ServiceStatus.
 * SHUTDOWN  logs the stopped event and reports SERVICE_STOPPED. Unlike
 *           STOP it does not stop RPC listening (the process is going
 *           away anyway).
 * Anything else returns ERROR_CALL_NOT_IMPLEMENTED.
 *
 * dwEventType, lpEventData and lpContext are not used.
 */
static DWORD WINAPI
ServiceControlHandler(DWORD dwControl,
                      DWORD dwEventType,
                      LPVOID lpEventData,
                      LPVOID lpContext)
{
    DWORD dwResult = ERROR_SUCCESS;

    UNREFERENCED_PARAMETER(dwEventType);
    UNREFERENCED_PARAMETER(lpEventData);
    UNREFERENCED_PARAMETER(lpContext);

    DPRINT("ServiceControlHandler() called\n");

    switch (dwControl)
    {
        case SERVICE_CONTROL_STOP:
            DPRINT(" SERVICE_CONTROL_STOP received\n");
            LogEventlogStopped();
            /* Stop listening to incoming RPC messages */
            RpcMgmtStopServerListening(NULL);
            UpdateServiceStatus(SERVICE_STOPPED);
            break;

        case SERVICE_CONTROL_PAUSE:
            DPRINT(" SERVICE_CONTROL_PAUSE received\n");
            UpdateServiceStatus(SERVICE_PAUSED);
            break;

        case SERVICE_CONTROL_CONTINUE:
            DPRINT(" SERVICE_CONTROL_CONTINUE received\n");
            UpdateServiceStatus(SERVICE_RUNNING);
            break;

        case SERVICE_CONTROL_INTERROGATE:
            DPRINT(" SERVICE_CONTROL_INTERROGATE received\n");
            SetServiceStatus(ServiceStatusHandle, &ServiceStatus);
            break;

        case SERVICE_CONTROL_SHUTDOWN:
            DPRINT(" SERVICE_CONTROL_SHUTDOWN received\n");
            LogEventlogStopped();
            UpdateServiceStatus(SERVICE_STOPPED);
            break;

        default:
            DPRINT1(" Control %lu received\n", dwControl);
            dwResult = ERROR_CALL_NOT_IMPLEMENTED;
            break;
    }

    return dwResult;
}
/*
 * Start a worker thread running Routine and drop our handle to it right
 * away; the thread keeps running on its own. Returns FALSE when
 * CreateThread() failed, leaving the last-error value it set untouched.
 */
static BOOL
StartDetachedThread(LPTHREAD_START_ROUTINE Routine)
{
    HANDLE hThread = CreateThread(NULL, 0, Routine, NULL, 0, NULL);

    if (hThread == NULL)
        return FALSE;

    CloseHandle(hThread);
    return TRUE;
}

/*
 * Bring up the two worker threads of the service: the port thread
 * (PortThreadRoutine) and the RPC server thread (RpcThreadRoutine).
 *
 * Returns ERROR_SUCCESS, or the Win32 error of the first CreateThread()
 * that failed. A port thread that was already started is not torn down
 * when the RPC thread cannot be created.
 */
static DWORD
ServiceInit(VOID)
{
    /* PortThreadRoutine is cast here, as in the original code; its declared
     * signature is not visible in this file. */
    if (!StartDetachedThread((LPTHREAD_START_ROUTINE)PortThreadRoutine))
    {
        DPRINT("Cannot create PortThread\n");
        return GetLastError();
    }

    if (!StartDetachedThread(RpcThreadRoutine))
    {
        DPRINT("Cannot create RpcThread\n");
        return GetLastError();
    }

    return ERROR_SUCCESS;
}
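/*
 * Step over the NUL that terminates the string just written, so that the
 * next string is placed right behind it: the product-info buffer is a packed
 * run of NUL-separated strings that LogfReportEvent() consumes as separate
 * items. On entry *pcchRemain counts the unused characters *including* that
 * NUL (strsafe "Ex" semantics); after the step it counts the characters
 * available for the next string. Returns FALSE when no room is left for
 * another terminated string.
 */
static BOOL
SkipPackedTerminator(PWSTR* pStr, size_t* pcchRemain)
{
    /* Need the NUL slot we are on plus at least one more slot behind it. */
    if (*pcchRemain < 2)
        return FALSE;

    (*pStr)++;
    (*pcchRemain)--;
    return TRUE;
}

/*
 * Log an informational EVENT_EventLogProductInfo record carrying four
 * strings: "major.minor", the build number, the service pack string and the
 * registry "CurrentType" value. Returns silently if the OS version cannot
 * be queried.
 *
 * Fix versus the previous code: after advancing past a terminator the
 * remaining-count was *incremented* instead of decremented, so the bound
 * handed to the next writer drifted up by one per string, and the byte
 * count given to RegQueryValueExW was the character count (a WCHAR count
 * passed as bytes). Both are corrected, and the registry value is only
 * accepted when it is a string type.
 */
static VOID
ReportProductInfoEvent(VOID)
{
    OSVERSIONINFOW versionInfo;
    WCHAR szBuffer[512];
    PWSTR str;
    size_t cchRemain;
    HKEY hKey;
    DWORD dwValueLength;
    DWORD dwType;
    LONG lResult;
    HRESULT hr;

    ZeroMemory(&versionInfo, sizeof(versionInfo));
    versionInfo.dwOSVersionInfoSize = sizeof(versionInfo);

    /* Get version information */
    if (!GetVersionExW(&versionInfo))
        return;

    /* Zeroing the whole buffer guarantees that every string slot below ends
     * with a NUL even when its writer stores nothing. */
    ZeroMemory(szBuffer, sizeof(szBuffer));
    str = szBuffer;
    cchRemain = ARRAYSIZE(szBuffer);

    /* String 1: version number */
    hr = StringCchPrintfExW(str, cchRemain,
                            &str, &cchRemain, 0,
                            L"%lu.%lu",
                            versionInfo.dwMajorVersion,
                            versionInfo.dwMinorVersion);
    if (FAILED(hr) || !SkipPackedTerminator(&str, &cchRemain))
        goto Truncated;

    /* String 2: build number */
    hr = StringCchPrintfExW(str, cchRemain,
                            &str, &cchRemain, 0,
                            L"%lu",
                            versionInfo.dwBuildNumber);
    if (FAILED(hr) || !SkipPackedTerminator(&str, &cchRemain))
        goto Truncated;

    /* String 3: service pack info (szCSDVersion is NUL-terminated by
     * GetVersionExW) */
    hr = StringCchCopyExW(str, cchRemain,
                          versionInfo.szCSDVersion,
                          &str, &cchRemain, 0);
    if (FAILED(hr) || !SkipPackedTerminator(&str, &cchRemain))
        goto Truncated;

    /* String 4: 'CurrentType' from the registry, read straight into its
     * slot. Left empty (the slot is still zeroed) if anything fails. */
    lResult = RegOpenKeyExW(HKEY_LOCAL_MACHINE,
                            L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
                            0,
                            KEY_QUERY_VALUE,
                            &hKey);
    if (lResult == ERROR_SUCCESS)
    {
        /* RegQueryValueExW takes a size in bytes and does not guarantee a
         * terminating NUL: pass the slot size minus one WCHAR so the last
         * (zeroed) character always terminates whatever was stored. */
        dwValueLength = (DWORD)((cchRemain - 1) * sizeof(WCHAR));
        lResult = RegQueryValueExW(hKey,
                                   L"CurrentType",
                                   NULL,
                                   &dwType,
                                   (LPBYTE)str,
                                   &dwValueLength);
        if (lResult != ERROR_SUCCESS ||
            (dwType != REG_SZ && dwType != REG_EXPAND_SZ))
        {
            /* Do not log partially written or non-string bytes. */
            ZeroMemory(str, (cchRemain - 1) * sizeof(WCHAR));
        }

        RegCloseKey(hKey);
    }

    /* Log the product information */
    LogfReportEvent(EVENTLOG_INFORMATION_TYPE,
                    0,
                    EVENT_EventLogProductInfo,
                    4,
                    szBuffer,
                    0,
                    NULL);
    return;

Truncated:
    /* A four-string record needs four terminators inside szBuffer; a reader
     * walking a partial buffer would run off its end, so log nothing. With
     * a 512-WCHAR buffer and the bounded version fields this should not
     * happen in practice. */
    DPRINT1("ReportProductInfoEvent: product information does not fit, not logged\n");
}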
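/*
 * Service entry point called by the SCM dispatcher.
 *
 * Registers the control handler, reports START_PENDING, starts the worker
 * threads via ServiceInit() and then either reports RUNNING (logging the
 * product-info and "started" events) or, on failure, reports STOPPED with
 * the Win32 error. argc/argv are ignored.
 *
 * Fix versus the previous code: a failed ServiceInit() used to be reported
 * as SERVICE_START_PENDING, which tells the SCM the service is still
 * starting; it is now reported as SERVICE_STOPPED with dwWin32ExitCode set
 * to the error.
 */
static VOID CALLBACK
ServiceMain(DWORD argc,
            LPWSTR* argv)
{
    DWORD dwError;

    UNREFERENCED_PARAMETER(argc);
    UNREFERENCED_PARAMETER(argv);

    DPRINT("ServiceMain() called\n");

    ServiceStatusHandle = RegisterServiceCtrlHandlerExW(ServiceName,
                                                        ServiceControlHandler,
                                                        NULL);
    if (!ServiceStatusHandle)
    {
        /* Without a status handle nothing can be reported; just bail. */
        dwError = GetLastError();
        DPRINT1("RegisterServiceCtrlHandlerW() failed! (Error %lu)\n", dwError);
        return;
    }

    UpdateServiceStatus(SERVICE_START_PENDING);

    dwError = ServiceInit();
    if (dwError != ERROR_SUCCESS)
    {
        DPRINT("Service stopped (dwError: %lu)\n", dwError);

        /* UpdateServiceStatus() zeroes the exit code, so set it afterwards
         * and publish the status a second time. */
        UpdateServiceStatus(SERVICE_STOPPED);
        ServiceStatus.dwWin32ExitCode = dwError;
        SetServiceStatus(ServiceStatusHandle, &ServiceStatus);
    }
    else
    {
        DPRINT("Service started\n");
        UpdateServiceStatus(SERVICE_RUNNING);

        ReportProductInfoEvent();

        LogfReportEvent(EVENTLOG_INFORMATION_TYPE,
                        0,
                        EVENT_EventlogStarted,
                        0,
                        NULL,
                        0,
                        NULL);
    }

    DPRINT("ServiceMain() done\n");
}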
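/*
 * Open (creating if needed) the log described by the registry key hKey,
 * whose name is LogName.
 *
 * Reads the "File" value (creating it with the default
 * %SystemRoot%\System32\Config\<LogName>.evt when missing or mistyped),
 * expands environment strings in it, converts it to an NT path and reads
 * "MaxSize" and "Retention" (writing defaults of 512 KiB and 0 when
 * missing), then calls LogfCreate(). Returns the new PLOGFILE, or NULL on
 * any failure (already DPRINTed).
 *
 * Fixes versus the previous code: registry strings are not guaranteed to be
 * NUL-terminated, yet Buf was handed to ExpandEnvironmentStringsW() as a C
 * string; one spare WCHAR is now reserved and the value explicitly
 * terminated. The two ExpandEnvironmentStringsW() calls are now checked
 * (a zero result previously led to a zero-sized allocation).
 */
static PLOGFILE
LoadLogFile(HKEY hKey, PWSTR LogName)
{
    DWORD MaxValueLen, ValueLen, Type, ExpandedLen;
    PWSTR Buf = NULL, Expanded = NULL;
    LONG Result;
    PLOGFILE pLogf = NULL;
    UNICODE_STRING FileName;
    ULONG ulMaxSize, ulRetention;
    NTSTATUS Status;

    DPRINT("LoadLogFile: `%S'\n", LogName);

    Result = RegQueryInfoKeyW(hKey, NULL, NULL, NULL, NULL, NULL, NULL,
                              NULL, NULL, &MaxValueLen, NULL, NULL);
    if (Result != ERROR_SUCCESS)
    {
        DPRINT1("RegQueryInfoKeyW failed: %lu\n", Result);
        return NULL;
    }

    /* Whole WCHARs only, plus one zeroed spare so the value can always be
     * NUL-terminated after it has been read (see the else branch below). */
    MaxValueLen = ROUND_DOWN(MaxValueLen, sizeof(WCHAR));
    Buf = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, MaxValueLen + sizeof(WCHAR));
    if (!Buf)
    {
        DPRINT1("Cannot allocate heap!\n");
        return NULL;
    }

    ValueLen = MaxValueLen;
    Result = RegQueryValueExW(hKey,
                              L"File",
                              NULL,
                              &Type,
                              (LPBYTE)Buf,
                              &ValueLen);
    if ((Result != ERROR_SUCCESS) || (Type != REG_EXPAND_SZ && Type != REG_SZ))
    {
        /*
         * The "File" value is missing or has the wrong type: create it,
         * holding the default event log path for this log.
         */
        MaxValueLen = (wcslen(L"%SystemRoot%\\System32\\Config\\") +
                       wcslen(LogName) + wcslen(L".evt") + 1) * sizeof(WCHAR);

        Expanded = HeapReAlloc(GetProcessHeap(), 0, Buf, MaxValueLen);
        if (!Expanded)
        {
            /* Buf is still valid after a failed HeapReAlloc. */
            DPRINT1("Cannot reallocate heap!\n");
            goto Cleanup;
        }
        Buf = Expanded;
        Expanded = NULL;

        /* StringCb* always NUL-terminate within MaxValueLen bytes. */
        StringCbCopyW(Buf, MaxValueLen, L"%SystemRoot%\\System32\\Config\\");
        StringCbCatW(Buf, MaxValueLen, LogName);
        StringCbCatW(Buf, MaxValueLen, L".evt");

        ValueLen = MaxValueLen;
        Result = RegSetValueExW(hKey,
                                L"File",
                                0,
                                REG_EXPAND_SZ,
                                (LPBYTE)Buf,
                                ValueLen);
        if (Result != ERROR_SUCCESS)
        {
            DPRINT1("RegSetValueExW failed: %lu\n", Result);
            goto Cleanup;
        }
    }
    else
    {
        /* ValueLen is in bytes and may or may not include a NUL; the spare
         * WCHAR reserved above keeps this index inside the allocation. */
        Buf[ValueLen / sizeof(WCHAR)] = UNICODE_NULL;
    }

    ExpandedLen = ExpandEnvironmentStringsW(Buf, NULL, 0);
    if (ExpandedLen == 0)
    {
        DPRINT1("ExpandEnvironmentStringsW failed: %lu\n", GetLastError());
        goto Cleanup;
    }

    Expanded = HeapAlloc(GetProcessHeap(), 0, ExpandedLen * sizeof(WCHAR));
    if (!Expanded)
    {
        DPRINT1("Cannot allocate heap!\n");
        goto Cleanup;
    }

    /* The environment may change between the sizing call and this one; a
     * result larger than the buffer means the expansion was cut short. */
    ValueLen = ExpandEnvironmentStringsW(Buf, Expanded, ExpandedLen);
    if (ValueLen == 0 || ValueLen > ExpandedLen)
    {
        DPRINT1("ExpandEnvironmentStringsW failed or truncated (%lu)\n", ValueLen);
        goto Cleanup;
    }

    if (!RtlDosPathNameToNtPathName_U(Expanded, &FileName, NULL, NULL))
    {
        DPRINT1("Cannot convert path!\n");
        goto Cleanup;
    }

    DPRINT("%S -> %S\n", Buf, Expanded);

    /* "MaxSize": default to 512 kBytes and persist it (best effort; the
     * write result is not fatal). */
    ValueLen = sizeof(ulMaxSize);
    Result = RegQueryValueExW(hKey,
                              L"MaxSize",
                              NULL,
                              &Type,
                              (LPBYTE)&ulMaxSize,
                              &ValueLen);
    if ((Result != ERROR_SUCCESS) || (Type != REG_DWORD))
    {
        ulMaxSize = 512 * 1024; /* 512 kBytes */

        Result = RegSetValueExW(hKey,
                                L"MaxSize",
                                0,
                                REG_DWORD,
                                (LPBYTE)&ulMaxSize,
                                sizeof(ulMaxSize));
    }

    /* "Retention": default to 0 and persist it (best effort). */
    ValueLen = sizeof(ulRetention);
    Result = RegQueryValueExW(hKey,
                              L"Retention",
                              NULL,
                              &Type,
                              (LPBYTE)&ulRetention,
                              &ValueLen);
    if ((Result != ERROR_SUCCESS) || (Type != REG_DWORD))
    {
        /* On Windows 2003 it is 604800 (secs) == 7 days */
        ulRetention = 0;

        Result = RegSetValueExW(hKey,
                                L"Retention",
                                0,
                                REG_DWORD,
                                (LPBYTE)&ulRetention,
                                sizeof(ulRetention));
    }

    // TODO: Add, or use, default values for "AutoBackupLogFiles" (REG_DWORD)
    // and "CustomSD" (REG_SZ).

    Status = LogfCreate(&pLogf, LogName, &FileName, ulMaxSize, ulRetention, TRUE, FALSE);
    if (!NT_SUCCESS(Status))
    {
        DPRINT1("Failed to create %S! (Status %08lx)\n", Expanded, Status);
    }

    /* NOTE(review): FileName.Buffer was allocated by
     * RtlDosPathNameToNtPathName_U() and is never released in this function.
     * Whether LogfCreate() keeps that pointer or copies the name is not
     * visible here, so it is deliberately not freed rather than risk a
     * use-after-free; confirm against file.c. */

Cleanup:
    if (Expanded)
        HeapFree(GetProcessHeap(), 0, Expanded);
    if (Buf)
        HeapFree(GetProcessHeap(), 0, Buf);
    return pLogf;
}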
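/*
 * Enumerate the subkeys of the EventLog services key and load one log per
 * subkey (LoadLogFile), then its event sources (LoadEventSources).
 *
 * Returns FALSE only when the enumeration itself cannot be set up (key
 * info query or buffer allocation failed); otherwise TRUE, even if some
 * logs failed to load - each failure is DPRINTed.
 *
 * Fix versus the previous code: a subkey that could not be opened aborted
 * the whole loop, so one broken or inaccessible log key silently prevented
 * every log after it from being loaded. Such a key is now skipped.
 */
static BOOL
LoadLogFiles(HKEY eventlogKey)
{
    LONG Result;
    DWORD MaxLognameLen, LognameLen;
    DWORD dwIndex;
    PWSTR Buf = NULL;
    PLOGFILE pLogFile;

    /* Longest subkey name in WCHARs, not counting the terminating NUL. */
    Result = RegQueryInfoKeyW(eventlogKey, NULL, NULL, NULL, NULL, &MaxLognameLen,
                              NULL, NULL, NULL, NULL, NULL, NULL);
    if (Result != ERROR_SUCCESS)
    {
        DPRINT1("RegQueryInfoKeyW failed: %lu\n", Result);
        return FALSE;
    }

    MaxLognameLen++;

    Buf = HeapAlloc(GetProcessHeap(), 0, MaxLognameLen * sizeof(WCHAR));
    if (!Buf)
    {
        DPRINT1("Error: cannot allocate heap!\n");
        return FALSE;
    }

    for (dwIndex = 0; ; dwIndex++)
    {
        HKEY SubKey;

        /* RegEnumKeyExW consumes the size in/out, so reset it each round. */
        LognameLen = MaxLognameLen;
        Result = RegEnumKeyExW(eventlogKey,
                               dwIndex,
                               Buf,
                               &LognameLen,
                               NULL, NULL, NULL, NULL);
        if (Result != ERROR_SUCCESS)
            break; /* ERROR_NO_MORE_ITEMS, or an error we cannot recover from */

        DPRINT("%S\n", Buf);

        /* The subkey is written to (LoadLogFile creates missing "File",
         * "MaxSize" and "Retention" values), so read access alone is not
         * enough. NOTE(review): KEY_ALL_ACCESS is still more than that
         * requires; narrowing to KEY_READ | KEY_SET_VALUE depends on what
         * LoadEventSources() needs, which is not visible in this file. */
        Result = RegOpenKeyExW(eventlogKey, Buf, 0, KEY_ALL_ACCESS, &SubKey);
        if (Result != ERROR_SUCCESS)
        {
            DPRINT1("Failed to open %S key (%lu), skipping it.\n", Buf, Result);
            continue;
        }

        pLogFile = LoadLogFile(SubKey, Buf);
        if (pLogFile != NULL)
        {
            DPRINT("Loaded %S\n", Buf);
            LoadEventSources(SubKey, pLogFile);
        }
        else
        {
            DPRINT1("Failed to load %S\n", Buf);
        }

        RegCloseKey(SubKey);
    }

    HeapFree(GetProcessHeap(), 0, Buf);
    return TRUE;
}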
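/*
 * Process entry point.
 *
 * Initialises the log-file and event-source lists, detects a LiveCD
 * (system directory on a CD-ROM drive: nothing is loaded and events go to
 * the debug output only), otherwise loads the logs configured under
 * Services\EventLog, looks up the service's own "EventLog" source and hands
 * control to the SCM dispatcher. All log files are closed on exit.
 * Returns 0, or 1 when the EventLog registry key cannot be opened.
 *
 * Fixes versus the previous code: the result of GetSystemWindowsDirectoryW()
 * is checked before the path is probed (it used to be used even when
 * nothing had been written into LogPath); the EventLog key is opened with
 * KEY_READ, which is all the enumeration in LoadLogFiles() needs (subkeys
 * are opened with their own rights), and is closed after use.
 */
int wmain(int argc, WCHAR* argv[])
{
    INT RetCode = 0;
    LONG Result;
    HKEY elogKey = NULL;
    WCHAR LogPath[MAX_PATH];
    DWORD cchLogPath;

    LogfListInitialize();
    InitEventSourceList();

    /* Only a path that was actually retrieved (non-zero, and short enough
     * to have fit the buffer) is inspected; otherwise fall through to the
     * normal registry-driven start-up. */
    cchLogPath = GetSystemWindowsDirectoryW(LogPath, ARRAYSIZE(LogPath));
    if (cchLogPath != 0 && cchLogPath < ARRAYSIZE(LogPath) &&
        GetDriveTypeW(LogPath) == DRIVE_CDROM)
    {
        DPRINT("LiveCD detected\n");
        onLiveCD = TRUE;
    }
    else
    {
        Result = RegOpenKeyExW(HKEY_LOCAL_MACHINE,
                               L"SYSTEM\\CurrentControlSet\\Services\\EventLog",
                               0,
                               KEY_READ,
                               &elogKey);
        if (Result != ERROR_SUCCESS)
        {
            DPRINT1("Fatal error: cannot open eventlog registry key.\n");
            RetCode = 1;
            goto bye_bye;
        }

        LoadLogFiles(elogKey);

        RegCloseKey(elogKey);
        elogKey = NULL;
    }

    EventLogSource = GetEventSourceByName(L"EventLog");
    if (!EventLogSource)
    {
        DPRINT1("The 'EventLog' source is unavailable. The EventLog service will not be able to log its own events.\n");
    }

    StartServiceCtrlDispatcher(ServiceTable);

bye_bye:
    LogfCloseAll();

    return RetCode;
}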
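/*
 * Length in WCHARs of the string at Str, looking at no more than MaxChars
 * characters. Returns MaxChars when no terminator lies inside that window,
 * so a caller can tell a terminated string (result < MaxChars) from one
 * that runs off the end of its buffer.
 */
static SIZE_T
BoundedStringLength(PCWSTR Str, SIZE_T MaxChars)
{
    SIZE_T Len = 0;

    while (Len < MaxChars && Str[Len] != UNICODE_NULL)
        Len++;

    return Len;
}

/*
 * Dump an EVENTLOGRECORD to the debugger (debug helper).
 *
 * The record's own Length, StringOffset and NumStrings fields are not
 * trusted: every access to the variable-length part (SourceName,
 * ComputerName, the strings and the trailing length) is bounded by
 * pRec->Length, so a corrupt or malicious record cannot make this function
 * read past the buffer. Dumping stops at the first unterminated string.
 * A NULL pRec is ignored.
 */
VOID PRINT_RECORD(PEVENTLOGRECORD pRec)
{
    UINT i;
    PCWSTR str;
    SIZE_T Offset, Avail, Len;
    LARGE_INTEGER SystemTime;
    TIME_FIELDS Time;

    DPRINT1("PRINT_RECORD(0x%p)\n", pRec);

    if (pRec == NULL)
        return;

    DbgPrint("Length = %lu\n", pRec->Length);

    /* Anything shorter cannot hold the fixed header plus the trailing
     * length copy; do not interpret it further. */
    if (pRec->Length < sizeof(EVENTLOGRECORD) + sizeof(ULONG))
    {
        DbgPrint("Length too small for a record, not dumping the rest\n");
        return;
    }

    DbgPrint("Reserved = 0x%x\n", pRec->Reserved);
    DbgPrint("RecordNumber = %lu\n", pRec->RecordNumber);

    RtlSecondsSince1970ToTime(pRec->TimeGenerated, &SystemTime);
    RtlTimeToTimeFields(&SystemTime, &Time);
    DbgPrint("TimeGenerated = %hu.%hu.%hu %hu:%hu:%hu\n",
             Time.Day, Time.Month, Time.Year,
             Time.Hour, Time.Minute, Time.Second);

    RtlSecondsSince1970ToTime(pRec->TimeWritten, &SystemTime);
    RtlTimeToTimeFields(&SystemTime, &Time);
    DbgPrint("TimeWritten = %hu.%hu.%hu %hu:%hu:%hu\n",
             Time.Day, Time.Month, Time.Year,
             Time.Hour, Time.Minute, Time.Second);

    DbgPrint("EventID = %lu\n", pRec->EventID);

    switch (pRec->EventType)
    {
        case EVENTLOG_ERROR_TYPE:
            DbgPrint("EventType = EVENTLOG_ERROR_TYPE\n");
            break;
        case EVENTLOG_WARNING_TYPE:
            DbgPrint("EventType = EVENTLOG_WARNING_TYPE\n");
            break;
        case EVENTLOG_INFORMATION_TYPE:
            DbgPrint("EventType = EVENTLOG_INFORMATION_TYPE\n");
            break;
        case EVENTLOG_AUDIT_SUCCESS:
            DbgPrint("EventType = EVENTLOG_AUDIT_SUCCESS\n");
            break;
        case EVENTLOG_AUDIT_FAILURE:
            DbgPrint("EventType = EVENTLOG_AUDIT_FAILURE\n");
            break;
        default:
            DbgPrint("EventType = %hu\n", pRec->EventType);
    }

    DbgPrint("NumStrings = %hu\n", pRec->NumStrings);
    DbgPrint("EventCategory = %hu\n", pRec->EventCategory);
    DbgPrint("ReservedFlags = 0x%x\n", pRec->ReservedFlags);
    DbgPrint("ClosingRecordNumber = %lu\n", pRec->ClosingRecordNumber);
    DbgPrint("StringOffset = %lu\n", pRec->StringOffset);
    DbgPrint("UserSidLength = %lu\n", pRec->UserSidLength);
    DbgPrint("UserSidOffset = %lu\n", pRec->UserSidOffset);
    DbgPrint("DataLength = %lu\n", pRec->DataLength);
    DbgPrint("DataOffset = %lu\n", pRec->DataOffset);

    /* SourceName directly follows the fixed header, ComputerName follows
     * SourceName; both are bounded by what Length says is left. */
    Offset = sizeof(EVENTLOGRECORD);
    str = (PCWSTR)((ULONG_PTR)pRec + Offset);
    Avail = (pRec->Length - Offset) / sizeof(WCHAR);
    Len = BoundedStringLength(str, Avail);
    if (Len == Avail)
    {
        DbgPrint("SourceName: <unterminated>\n");
        goto Trailer;
    }
    DbgPrint("SourceName: %S\n", str);

    /* Len < Avail here, so the new Offset stays within Length. */
    Offset += (Len + 1) * sizeof(WCHAR);
    str = (PCWSTR)((ULONG_PTR)pRec + Offset);
    Avail = (pRec->Length - Offset) / sizeof(WCHAR);
    Len = BoundedStringLength(str, Avail);
    if (Len == Avail)
    {
        DbgPrint("ComputerName: <unterminated>\n");
        goto Trailer;
    }
    DbgPrint("ComputerName: %S\n", str);

    if (pRec->StringOffset < pRec->Length && pRec->NumStrings)
    {
        DbgPrint("Strings:\n");
        Offset = pRec->StringOffset;
        str = (PCWSTR)((ULONG_PTR)pRec + Offset);
        Avail = (pRec->Length - Offset) / sizeof(WCHAR);
        for (i = 0; i < pRec->NumStrings; i++)
        {
            Len = BoundedStringLength(str, Avail);
            if (Len == Avail)
            {
                /* NumStrings promised more than Length can hold. */
                DbgPrint("[%u] <unterminated, remaining strings skipped>\n", i);
                break;
            }
            DbgPrint("[%u] %S\n", i, str);
            str += Len + 1;
            Avail -= Len + 1;
        }
    }

Trailer:
    /* Trailing copy of Length; in bounds thanks to the check at the top. */
    DbgPrint("Length2 = %lu\n", *(PULONG)((ULONG_PTR)pRec + pRec->Length - sizeof(ULONG)));
}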