/****
 * CreateRemoteSession
 *
 * DESC:
 *   Builds an EvtRpcLogin session context for an event log connection to
 *   another machine.
 *
 * ARGS:
 *   server   - IP address or host name to connect to
 *   domain   - domain within the host (empty string for none)
 *   username - username within the domain
 *   password - password for the above user
 *
 * RETURNS:
 *   The EVT_HANDLE produced by EvtOpenSession, or NULL on failure; the
 *   cause is then available via GetLastError.
 *
 * REMARKS:
 *   Pass NULL for domain, username and password to use the current user.
 *
 *   Only the session context is created here; no connection is attempted
 *   until the handle is actually used.
 *
 *   The EVT_RPC_LOGIN block holds pointers only. Wiping it afterwards
 *   removes those pointer values from the stack but does not touch the
 *   caller's password buffer, which stays the caller's responsibility.
 */
EVT_HANDLE CreateRemoteSession(LPWSTR server, LPWSTR domain, LPWSTR username, LPWSTR password)
{
    EVT_HANDLE session = NULL;
    EVT_RPC_LOGIN login;

    // Start from an all-zero login block so any field we do not set is benign.
    RtlZeroMemory(&login, sizeof login);

    // Point the login block at the caller-supplied target and credentials.
    login.Server   = server;
    login.Domain   = domain;
    login.User     = username;
    login.Password = password;
    login.Flags    = EvtRpcLoginAuthNegotiate;

    // Ask the event log service for a session context on the remote machine.
    session = EvtOpenSession(EvtRpcLogin, &login, 0, 0);

    // Scrub the login block (pointer values) now that it is no longer needed;
    // SecureZeroMemory is used so the compiler cannot elide the wipe.
    SecureZeroMemory(&login, sizeof login);

    return session;
}
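EVT_HANDLE
CperOpenWheaLogQuery (
    __in_opt PWSTR ComputerName,
    __in_opt PWSTR UserName,
    __in_opt PWSTR Domain,
    __in_opt PWSTR Password,
    __in_opt PWSTR FileName,
    __out EVT_HANDLE *Session
    )

/*++

Routine Description:

    This routine will initialize an event log query that may be used to
    enumerate any WHEA error records contained in the WHEA event log.

Arguments:

    ComputerName - Supplies an optional computer name for remote queries. This
        should be NULL for the local event log query or if an exported event
        log is to be queried. Supplying both ComputerName and FileName is
        rejected with ERROR_INVALID_PARAMETER.

    UserName - Supplies the username to be used to authenticate to the remote
        computer.

    Domain - Supplies the domain to be used to authenticate to the remote
        computer.

    Password - Supplies the password to be used to authenticate to the remote
        computer. Only the pointer is handed to EvtOpenSession and only that
        pointer is wiped here; the caller owns (and should scrub) the buffer.

    FileName - Supplies an optional filename for an exported event log. This
        should be NULL for a live (local or remote) event log query.

    Session - Supplies a variable in which a handle to the session is
        returned, but only if the query is for events on a remote computer.
        It is set to NULL on entry so that it is defined on every return
        path, including failure.

Return Value:

    A handle to the event log query if successful, NULL otherwise. On failure
    the last-error code describes the cause and any session that was opened
    has already been closed.

--*/

{
    DWORD Error;
    DWORD Flags;
    EVT_RPC_LOGIN Login;
    PCWSTR Path;
    EVT_HANDLE QueryHandle;
    EVT_HANDLE SessionHandle;

    QueryHandle = NULL;
    SessionHandle = NULL;
    Error = ERROR_SUCCESS;

    //
    // Make the out parameter well-defined before any early exit so a caller
    // that reads it after a NULL return does not see stack garbage.
    //

    *Session = NULL;

    //
    // If a computer name is specified, then an event log session to that
    // computer must be opened. It is invalid to specify a remote computer as
    // well as a filename.
    //

    if (ComputerName != NULL) {
        if (FileName != NULL) {
            Error = ERROR_INVALID_PARAMETER;
            goto OpenWheaLogQueryEnd;
        }

        RtlZeroMemory(&Login, sizeof(EVT_RPC_LOGIN));
        Login.Server = ComputerName;
        Login.User = UserName;
        Login.Domain = Domain;
        Login.Password = Password;
        Login.Flags = EvtRpcLoginAuthDefault;
        SessionHandle = EvtOpenSession(EvtRpcLogin, &Login, 0, 0);
        if (SessionHandle == NULL) {
            Error = GetLastError();
        }

        //
        // The login block is only needed for the call itself; scrub it so the
        // credential pointers do not linger on the stack. SecureZeroMemory is
        // used so the wipe cannot be optimized away.
        //

        SecureZeroMemory(&Login, sizeof(EVT_RPC_LOGIN));
        if (SessionHandle == NULL) {
            goto OpenWheaLogQueryEnd;
        }
    }

    //
    // A NULL session handle means the local event log is queried.
    //

    if (FileName == NULL) {
        Path = WHEA_CHANNEL;
        Flags = EvtQueryChannelPath | EvtQueryForwardDirection;

    } else {
        Path = (PCWSTR)FileName;
        Flags = EvtQueryFilePath | EvtQueryForwardDirection;
    }

    //
    // Open the query. If this is not a file query and the open fails, try the
    // legacy log name.
    //

    QueryHandle = EvtQuery(SessionHandle, Path, WHEA_LOG_QUERY, Flags);
    if (QueryHandle == NULL) {
        Error = GetLastError();
        if (FileName == NULL) {
            Path = WHEA_CHANNEL_LEGACY;
            QueryHandle = EvtQuery(SessionHandle, Path, WHEA_LOG_QUERY, Flags);
            if (QueryHandle == NULL) {
                Error = GetLastError();
                goto OpenWheaLogQueryEnd;
            }
        }
    }

    *Session = SessionHandle;

OpenWheaLogQueryEnd:

    //
    // On failure, release any session opened above and surface the error
    // that caused the failure rather than whatever EvtClose may leave behind.
    //

    if (QueryHandle == NULL) {
        if (SessionHandle != NULL) {
            EvtClose(SessionHandle);
        }

        SetLastError(Error);
    }

    return QueryHandle;
}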