/*
 * Return the string payload of an event property as a converted multibyte
 * string, or NULL when the property carries no value.
 *
 * value: the property variant to read.  The only type check performed here is
 *        for EvtVarTypeNull; for any other Type the StringVal member is read
 *        unconditionally, so this function is only meaningful for string-typed
 *        variants (NOTE(review): that expectation is not enforced here -
 *        confirm at the call sites that render event properties).
 *
 * Returns NULL for a null variant, otherwise whatever convert_windows_string()
 * produces for value->StringVal (presumably a heap string owned by the caller -
 * verify against convert_windows_string()).
 */
char *get_property_value(PEVT_VARIANT value)
{
    if (value->Type != EvtVarTypeNull) {
        return convert_windows_string(value->StringVal);
    }

    return NULL;
}
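/*
 * Render one message string for an event (which string is selected by
 * `flags`, e.g. the event text, task, opcode, level or keyword) using the
 * provider's publisher metadata.
 *
 * evt:           handle to the event being rendered.
 * provider_name: provider whose metadata resolves the message template.
 * flags:         EvtFormatMessage* selector, passed straight to
 *                EvtFormatMessage().
 *
 * Returns a freshly converted multibyte string (ownership passes to the
 * caller, presumably released with free() - confirm against
 * convert_windows_string()) or NULL on any failure.  Failures are reported
 * through log2file(); the caller only ever sees NULL.
 *
 * Changes versus the previous version: the Win32 last-error code is captured
 * exactly once, immediately after the call that failed, so the logged value
 * cannot be a stale one (the unexpected-success branch of the probe call used
 * to log whatever GetLastError() happened to hold); a zero-length size from
 * the probe call is rejected before allocating instead of being fed back into
 * calloc() and a second EvtFormatMessage() call that could only fail.
 */
char *get_message(EVT_HANDLE evt, LPCWSTR provider_name, DWORD flags)
{
    char *message = NULL;
    EVT_HANDLE publisher = NULL;
    wchar_t *buffer = NULL;
    DWORD size = 0;
    DWORD err = 0;
    int result = 0;

    publisher = EvtOpenPublisherMetadata(NULL, provider_name, NULL, 0, 0);
    if (publisher == NULL) {
        /* Capture the error before anything else can overwrite it. */
        err = GetLastError();
        log2file(
            "%s: ERROR: Could not EvtOpenPublisherMetadata() with flags (%lu) which returned (%lu)",
            ARGV0, flags, err);
        goto cleanup;
    }

    /* Probe call with no buffer: the only acceptable outcome is a failure
     * with ERROR_INSUFFICIENT_BUFFER, leaving the required length (counted in
     * wchar_t, not bytes) in `size`. */
    result = EvtFormatMessage(publisher, evt, 0, 0, NULL, flags, 0, NULL, &size);
    err = GetLastError();
    if (result != FALSE || err != ERROR_INSUFFICIENT_BUFFER) {
        log2file(
            "%s: ERROR: Could not EvtFormatMessage() to determine buffer size with flags (%lu) which returned (%lu)",
            ARGV0, flags, err);
        goto cleanup;
    }

    /* A zero length cannot hold even the terminator; do not allocate or
     * retry on it. */
    if (size == 0) {
        log2file(
            "%s: ERROR: EvtFormatMessage() reported an empty buffer size with flags (%lu)",
            ARGV0, flags);
        goto cleanup;
    }

    buffer = calloc(size, sizeof(*buffer));
    if (buffer == NULL) {
        log2file(
            "%s: ERROR: Could not calloc() memory which returned [(%d)-(%s)]",
            ARGV0, errno, strerror(errno));
        goto cleanup;
    }

    /* Real call into the sized buffer. */
    result = EvtFormatMessage(publisher, evt, 0, 0, NULL, flags, size, buffer, &size);
    if (result == FALSE) {
        err = GetLastError();
        /* NOTE(review): the EvtFormatMessage() documentation lists
         * ERROR_EVT_UNRESOLVED_VALUE_INSERT and
         * ERROR_EVT_UNRESOLVED_PARAMETER_INSERT as failures that still leave a
         * usable (partially substituted) message in the buffer.  This code
         * discards the message in that case, as the original did; confirm
         * whether a partial message would be preferable to NULL before
         * changing it. */
        log2file(
            "%s: ERROR: Could not EvtFormatMessage() with flags (%lu) which returned (%lu)",
            ARGV0, flags, err);
        goto cleanup;
    }

    message = convert_windows_string(buffer);

cleanup:
    /* free(NULL) is a no-op, so the buffer needs no guard; the publisher
     * handle does. */
    free(buffer);
    if (publisher != NULL) {
        EvtClose(publisher);
    }

    return message;
}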