/****
 * CreateRemoteSession
 *
 * DESC:
 *     Builds an event-log session context for a remote machine
 *
 * ARGS:
 *     server   - IP address or host name to connect to
 *     domain   - domain within the host (empty string for none)
 *     username - user name within the domain
 *     password - password for the above user
 *
 * RETURNS:
 *     The session handle produced by EvtOpenSession; NULL if that call
 *     failed (the caller can inspect GetLastError for the reason).
 *
 * REMARKS:
 *     Pass NULL for domain, user and password to use the current user's
 *     credentials (the login flag is EvtRpcLoginAuthNegotiate).
 *
 *     Only the session context is created here; the connection itself is
 *     established later, when the context is first used.
 *
 *     The login structure holds pointers only, so scrubbing it below does
 *     not clear the password string itself - that buffer stays the
 *     caller's responsibility.
 */
EVT_HANDLE CreateRemoteSession(LPWSTR server, LPWSTR domain, LPWSTR username, LPWSTR password)
{
    // Every field of the login block is assigned explicitly, so no
    // separate zero-fill is needed before use
    EVT_RPC_LOGIN rpcLogin = {
        .Server   = server,
        .User     = username,
        .Domain   = domain,
        .Password = password,
        .Flags    = EvtRpcLoginAuthNegotiate
    };

    // Open the session context; nothing is sent to the server yet
    EVT_HANDLE hSession = EvtOpenSession(EvtRpcLogin, &rpcLogin, 0, 0);

    // Wipe the credential pointers with a call the compiler will not elide
    SecureZeroMemory(&rpcLogin, sizeof rpcLogin);

    return hSession;
}
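EVT_HANDLE
CperOpenWheaLogQuery (
    __in_opt PWSTR ComputerName,
    __in_opt PWSTR UserName,
    __in_opt PWSTR Domain,
    __in_opt PWSTR Password,
    __in_opt PWSTR FileName,
    __out EVT_HANDLE *Session
    )

/*++

Routine Description:

    This routine will initialize an event log query that may be used to
    enumerate any WHEA error records contained in the WHEA event log.

Arguments:

    ComputerName - Supplies an optional computer name for remote queries. This
        should be NULL for the local event log query or if an exported event log
        is to be queried. It is invalid to supply both ComputerName and
        FileName.

    UserName - Supplies the username to be used to authenticate to the remote
        computer. Ignored when ComputerName is NULL.

    Domain - Supplies the domain of the account used to authenticate to the
        remote computer. Ignored when ComputerName is NULL.

    Password - Supplies the password to be used to authenticate to the remote
        computer. Ignored when ComputerName is NULL. Only a pointer to the
        string is handed to the event log API; the buffer is not cleared by
        this routine and remains the caller's responsibility.

    FileName - Supplies an optional filename for an exported event log. This
        should be NULL for a live (local or remote) event log query.

    Session - Supplies a variable in which a handle to the session is returned
        on success. It is NULL for local and file queries; for remote queries
        the caller owns it and should release it with EvtClose once the query
        is no longer needed. The variable is not written if the routine fails.

Return Value:

    A handle to the event log query if successful, NULL otherwise. On failure
    the last error is set to the reason, and any session opened by this
    routine is closed before returning.

--*/

{

    DWORD Error;
    DWORD Flags;
    EVT_RPC_LOGIN Login;
    PCWSTR Path;
    EVT_HANDLE QueryHandle;
    EVT_HANDLE SessionHandle;

    QueryHandle = NULL;
    SessionHandle = NULL;
    Error = ERROR_SUCCESS;

    //
    // If a computer name is specified, then an event log session to that
    // computer must be opened. It is invalid to specify a remote computer as
    // well as a filename.
    //

    if (ComputerName != NULL) {
        if (FileName != NULL) {
            Error = ERROR_INVALID_PARAMETER;
            goto OpenWheaLogQueryEnd;
        }

        RtlZeroMemory(&Login, sizeof(EVT_RPC_LOGIN));
        Login.Server = ComputerName;
        Login.User = UserName;
        Login.Domain = Domain;
        Login.Password = Password;
        Login.Flags = EvtRpcLoginAuthDefault;
        SessionHandle = EvtOpenSession(EvtRpcLogin, &Login, 0, 0);
        if (SessionHandle == NULL) {
            Error = GetLastError();
            goto OpenWheaLogQueryEnd;
        }
    }

    if (FileName == NULL) {
        Path = WHEA_CHANNEL;
        Flags = EvtQueryChannelPath | EvtQueryForwardDirection;

    } else {
        Path = FileName;
        Flags = EvtQueryFilePath | EvtQueryForwardDirection;
    }

    //
    // Open the query. If this is not a file query and the open fails, try the
    // legacy log name. The fallback is attempted for every error, so a
    // failure on the current channel (for example a permission problem) is
    // reported as whatever error the legacy query returns.
    //

    QueryHandle = EvtQuery(SessionHandle, Path, WHEA_LOG_QUERY, Flags);
    if (QueryHandle == NULL) {
        Error = GetLastError();
        if (FileName != NULL) {
            goto OpenWheaLogQueryEnd;
        }

        Path = WHEA_CHANNEL_LEGACY;
        QueryHandle = EvtQuery(SessionHandle, Path, WHEA_LOG_QUERY, Flags);
        if (QueryHandle == NULL) {
            Error = GetLastError();
            goto OpenWheaLogQueryEnd;
        }
    }

    //
    // Publish the session handle only once the query is known to have
    // succeeded, so the caller never sees a handle that is closed below.
    //

    *Session = SessionHandle;

OpenWheaLogQueryEnd:
    if (QueryHandle == NULL) {
        if (SessionHandle != NULL) {
            EvtClose(SessionHandle);
        }

        SetLastError(Error);
    }

    return QueryHandle;
}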