VOID LogfReportEvent(USHORT wType, USHORT wCategory, ULONG dwEventId, USHORT wNumStrings, PWSTR pStrings, ULONG dwDataSize, PVOID pRawData) { NTSTATUS Status; UNICODE_STRING SourceName, ComputerName; PEVENTLOGRECORD LogBuffer; LARGE_INTEGER SystemTime; ULONG Time; SIZE_T RecSize; DWORD dwComputerNameLength; WCHAR szComputerName[MAX_COMPUTERNAME_LENGTH + 1]; if (!EventLogSource) return; RtlInitUnicodeString(&SourceName, EventLogSource->szName); dwComputerNameLength = ARRAYSIZE(szComputerName); if (!GetComputerNameW(szComputerName, &dwComputerNameLength)) szComputerName[0] = L'\0'; RtlInitUnicodeString(&ComputerName, szComputerName); NtQuerySystemTime(&SystemTime); RtlTimeToSecondsSince1970(&SystemTime, &Time); LogBuffer = LogfAllocAndBuildNewRecord(&RecSize, Time, wType, wCategory, dwEventId, &SourceName, &ComputerName, 0, NULL, wNumStrings, pStrings, dwDataSize, pRawData); if (LogBuffer == NULL) { DPRINT1("LogfAllocAndBuildNewRecord failed!\n"); return; } Status = LogfWriteRecord(EventLogSource->LogFile, LogBuffer, RecSize); if (!NT_SUCCESS(Status)) { DPRINT1("ERROR writing to event log `%S' (Status 0x%08lx)\n", EventLogSource->LogFile->LogName, Status); } LogfFreeRecord(LogBuffer); }
VOID LogfReportEvent(WORD wType, WORD wCategory, DWORD dwEventId, WORD wNumStrings, WCHAR *lpStrings, DWORD dwDataSize, LPVOID lpRawData) { WCHAR szComputerName[MAX_COMPUTERNAME_LENGTH + 1]; DWORD dwComputerNameLength = MAX_COMPUTERNAME_LENGTH + 1; PEVENTSOURCE pEventSource = NULL; PBYTE logBuffer; DWORD lastRec; DWORD recSize; DWORD dwError; if (!GetComputerNameW(szComputerName, &dwComputerNameLength)) { szComputerName[0] = 0; } pEventSource = GetEventSourceByName(L"EventLog"); if (pEventSource == NULL) { return; } lastRec = LogfGetCurrentRecord(pEventSource->LogFile); logBuffer = LogfAllocAndBuildNewRecord(&recSize, lastRec, wType, wCategory, dwEventId, pEventSource->szName, (LPCWSTR)szComputerName, 0, NULL, wNumStrings, lpStrings, dwDataSize, lpRawData); dwError = LogfWriteData(pEventSource->LogFile, recSize, logBuffer); if (!dwError) { DPRINT1("ERROR WRITING TO EventLog %S\n", pEventSource->LogFile->FileName); } LogfFreeRecord(logBuffer); }
/* Function 11 */ NTSTATUS ElfrReportEventW( IELF_HANDLE LogHandle, DWORD Time, USHORT EventType, USHORT EventCategory, DWORD EventID, USHORT NumStrings, DWORD DataSize, PRPC_UNICODE_STRING ComputerName, PRPC_SID UserSID, PRPC_UNICODE_STRING Strings[], BYTE *Data, USHORT Flags, DWORD *RecordNumber, DWORD *TimeWritten) { USHORT i; PBYTE LogBuffer; PLOGHANDLE lpLogHandle; DWORD lastRec; DWORD recSize; DWORD dwStringsSize = 0; DWORD dwUserSidLength = 0; DWORD dwError = ERROR_SUCCESS; WCHAR *lpStrings; int pos = 0; lpLogHandle = ElfGetLogHandleEntryByHandle(LogHandle); if (!lpLogHandle) { return STATUS_INVALID_HANDLE; } /* Flags must be 0 */ if (Flags) { return STATUS_INVALID_PARAMETER; } lastRec = LogfGetCurrentRecord(lpLogHandle->LogFile); for (i = 0; i < NumStrings; i++) { switch (EventType) { case EVENTLOG_SUCCESS: DPRINT("Success: %wZ\n", Strings[i]); break; case EVENTLOG_ERROR_TYPE: DPRINT("Error: %wZ\n", Strings[i]); break; case EVENTLOG_WARNING_TYPE: DPRINT("Warning: %wZ\n", Strings[i]); break; case EVENTLOG_INFORMATION_TYPE: DPRINT("Info: %wZ\n", Strings[i]); break; default: DPRINT1("Type %hu: %wZ\n", EventType, Strings[i]); break; } dwStringsSize += Strings[i]->Length + sizeof UNICODE_NULL; } lpStrings = HeapAlloc(GetProcessHeap(), 0, dwStringsSize); if (!lpStrings) { DPRINT1("Failed to allocate heap\n"); return STATUS_NO_MEMORY; } for (i = 0; i < NumStrings; i++) { CopyMemory(lpStrings + pos, Strings[i]->Buffer, Strings[i]->Length); pos += Strings[i]->Length / sizeof(WCHAR); lpStrings[pos] = UNICODE_NULL; pos += sizeof UNICODE_NULL / sizeof(WCHAR); } if (UserSID) dwUserSidLength = FIELD_OFFSET(SID, SubAuthority[UserSID->SubAuthorityCount]); LogBuffer = LogfAllocAndBuildNewRecord(&recSize, lastRec, EventType, EventCategory, EventID, lpLogHandle->szName, ComputerName->Buffer, dwUserSidLength, UserSID, NumStrings, lpStrings, DataSize, Data); dwError = LogfWriteData(lpLogHandle->LogFile, recSize, LogBuffer); if (!dwError) { DPRINT1("ERROR WRITING TO EventLog %S\n", lpLogHandle->LogFile->FileName); } LogfFreeRecord(LogBuffer); HeapFree(GetProcessHeap(), 0, lpStrings); return I_RpcMapWin32Status(dwError); }
/* Helper function for ElfrReportEventW/A and ElfrReportEventAndSourceW */ NTSTATUS ElfrIntReportEventW( IELF_HANDLE LogHandle, ULONG Time, USHORT EventType, USHORT EventCategory, ULONG EventID, PRPC_UNICODE_STRING SourceName OPTIONAL, USHORT NumStrings, ULONG DataSize, PRPC_UNICODE_STRING ComputerName, PRPC_SID UserSID, PRPC_UNICODE_STRING Strings[], PBYTE Data, USHORT Flags, PULONG RecordNumber, PULONG TimeWritten) { NTSTATUS Status; PLOGHANDLE pLogHandle; UNICODE_STRING LocalSourceName, LocalComputerName; PEVENTLOGRECORD LogBuffer; USHORT i; SIZE_T RecSize; ULONG dwStringsSize = 0; ULONG dwUserSidLength = 0; PWSTR lpStrings, str; pLogHandle = ElfGetLogHandleEntryByHandle(LogHandle); if (!pLogHandle) return STATUS_INVALID_HANDLE; /* Flags must be 0 */ if (Flags) return STATUS_INVALID_PARAMETER; for (i = 0; i < NumStrings; i++) { switch (EventType) { case EVENTLOG_SUCCESS: DPRINT("Success: %wZ\n", Strings[i]); break; case EVENTLOG_ERROR_TYPE: DPRINT("Error: %wZ\n", Strings[i]); break; case EVENTLOG_WARNING_TYPE: DPRINT("Warning: %wZ\n", Strings[i]); break; case EVENTLOG_INFORMATION_TYPE: DPRINT("Info: %wZ\n", Strings[i]); break; case EVENTLOG_AUDIT_SUCCESS: DPRINT("Audit Success: %wZ\n", Strings[i]); break; case EVENTLOG_AUDIT_FAILURE: DPRINT("Audit Failure: %wZ\n", Strings[i]); break; default: DPRINT1("Type %hu: %wZ\n", EventType, Strings[i]); break; } dwStringsSize += Strings[i]->Length + sizeof(UNICODE_NULL); } lpStrings = HeapAlloc(GetProcessHeap(), 0, dwStringsSize); if (!lpStrings) { DPRINT1("Failed to allocate heap\n"); return STATUS_NO_MEMORY; } str = lpStrings; for (i = 0; i < NumStrings; i++) { RtlCopyMemory(str, Strings[i]->Buffer, Strings[i]->Length); str += Strings[i]->Length / sizeof(WCHAR); *str = UNICODE_NULL; str++; } if (UserSID) dwUserSidLength = FIELD_OFFSET(SID, SubAuthority[UserSID->SubAuthorityCount]); if (SourceName && SourceName->Buffer) LocalSourceName = *(PUNICODE_STRING)SourceName; else RtlInitUnicodeString(&LocalSourceName, pLogHandle->szName); LocalComputerName = *(PUNICODE_STRING)ComputerName; LogBuffer = LogfAllocAndBuildNewRecord(&RecSize, Time, EventType, EventCategory, EventID, &LocalSourceName, &LocalComputerName, dwUserSidLength, UserSID, NumStrings, lpStrings, DataSize, Data); if (LogBuffer == NULL) { DPRINT1("LogfAllocAndBuildNewRecord failed!\n"); HeapFree(GetProcessHeap(), 0, lpStrings); return STATUS_NO_MEMORY; } Status = LogfWriteRecord(pLogHandle->LogFile, LogBuffer, RecSize); if (!NT_SUCCESS(Status)) { DPRINT1("ERROR writing to event log `%S' (Status 0x%08lx)\n", pLogHandle->LogFile->LogName, Status); } if (NT_SUCCESS(Status)) { /* Retrieve the two fields that were set by LogfWriteRecord into the record */ if (RecordNumber) *RecordNumber = LogBuffer->RecordNumber; if (TimeWritten) *TimeWritten = LogBuffer->TimeWritten; } LogfFreeRecord(LogBuffer); HeapFree(GetProcessHeap(), 0, lpStrings); return Status; }