#include "eventvwr.h"
#include "evtdetctl.h"
#include <sddl.h>
#include <shellapi.h>
#include <shlwapi.h>

Include dependency graph for eventvwr.c:

Classes
struct	_SETTINGS

struct	param_strings_format_data

Macros
#define	LVM_PROGRESS (WM_APP + 1)

#define	EVENT_MESSAGE_EVENTTEXT_BUFFER 1024*10

#define	EVENT_MESSAGE_FILE_BUFFER 1024*10

#define	EVENT_DLL_SEPARATOR L";"

#define	EVENT_CATEGORY_MESSAGE_FILE L"CategoryMessageFile"

#define	EVENT_MESSAGE_FILE L"EventMessageFile"

#define	EVENT_PARAMETER_MESSAGE_FILE L"ParameterMessageFile"

#define	MAX_LOADSTRING 255

#define	SPLIT_WIDTH 4

Typedefs
typedef struct _SETTINGS	SETTINGS

typedef struct _SETTINGS *	PSETTINGS

Functions
static DWORD WINAPI	StartStopEnumEventsThread (IN LPVOID lpParameter)

VOID	OpenUserEventLogFile (IN LPCWSTR lpszFileName)

VOID	BuildLogListAndFilterList (IN LPCWSTR lpComputerName)

VOID	FreeLogList (VOID)

VOID	FreeLogFilterList (VOID)

ATOM	MyRegisterClass (HINSTANCE)

BOOL	InitInstance (HINSTANCE)

LRESULT CALLBACK	WndProc (HWND, UINT, WPARAM, LPARAM)

INT_PTR	EventLogProperties (HINSTANCE, HWND, PEVENTLOGFILTER)

INT_PTR CALLBACK	EventDetails (HWND, UINT, WPARAM, LPARAM)

VOID	ShowWin32Error (IN DWORD dwError)

VOID	DisplayUsage (VOID)

BOOL	ProcessCmdLine (IN LPWSTR lpCmdLine)

BOOL	LoadSettings (int nDefCmdShow)

BOOL	SaveSettings (VOID)

int APIENTRY	wWinMain (HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int nCmdShow)

VOID	EventTimeToSystemTime (IN DWORD EventTime, OUT PSYSTEMTIME pSystemTime)

LPWSTR	GetMessageStringFromDll (IN LPCWSTR lpMessageDll, IN DWORD dwFlags, IN DWORD dwMessageId, IN DWORD nSize, IN va_list *Arguments OPTIONAL)

LPWSTR	GetMessageStringFromDllList (IN LPCWSTR lpMessageDllList, IN DWORD dwFlags, IN DWORD dwMessageId, IN DWORD nSize, IN va_list *Arguments OPTIONAL)

DWORD	ApplyParameterStringsToMessage (IN LPCWSTR lpMessageDllList, IN BOOL bMessagePreFormatted, IN CONST LPCWSTR pMessage, OUT LPWSTR *pFinalMessage)

UINT	FormatInteger (LONGLONG Num, LPWSTR pwszResult, UINT cchResultMax)

UINT	FormatByteSize (LONGLONG cbSize, LPWSTR pwszResult, UINT cchResultMax)

LPWSTR	FormatFileSizeWithBytes (const PULARGE_INTEGER lpQwSize, LPWSTR pwszResult, UINT cchResultMax)

BOOL	GetFileTimeString (LPFILETIME lpFileTime, LPWSTR pwszResult, UINT cchResult)

HTREEITEM	TreeViewAddItem (IN HWND hTreeView, IN HTREEITEM hParent, IN LPWSTR lpText, IN INT Image, IN INT SelectedImage, IN LPARAM lParam)

PEVENTLOG	AllocEventLog (IN PCWSTR ComputerName OPTIONAL, IN PCWSTR LogName, IN BOOL Permanent)

VOID	EventLog_Free (IN PEVENTLOG EventLog)

PWSTR	AllocAndCopyMultiStr (IN PCWSTR MultiStr OPTIONAL)

PEVENTLOGFILTER	AllocEventLogFilter (IN BOOL Information, IN BOOL Warning, IN BOOL Error, IN BOOL AuditSuccess, IN BOOL AuditFailure, IN PCWSTR Sources OPTIONAL, IN PCWSTR Users OPTIONAL, IN PCWSTR ComputerNames OPTIONAL, IN ULONG NumOfEventLogs, IN PEVENTLOG *EventLogs)

VOID	EventLogFilter_Free (IN PEVENTLOGFILTER EventLogFilter)

LONG	EventLogFilter_AddRef (IN PEVENTLOGFILTER EventLogFilter)

LONG	EventLogFilter_Release (IN PEVENTLOGFILTER EventLogFilter)

void	TrimNulls (LPWSTR s)

DWORD	GetExpandedFilePathName (IN LPCWSTR ComputerName OPTIONAL, IN LPCWSTR lpFileName, OUT LPWSTR lpFullFileName OPTIONAL, IN DWORD nSize)

BOOL	GetEventMessageFileDLL (IN LPCWSTR lpLogName, IN LPCWSTR SourceName, IN LPCWSTR EntryName, OUT PWCHAR lpModuleName)

BOOL	GetEventCategory (IN LPCWSTR KeyName, IN LPCWSTR SourceName, IN PEVENTLOGRECORD pevlr, OUT PWCHAR CategoryName)

BOOL	GetEventMessage (IN LPCWSTR KeyName, IN LPCWSTR SourceName, IN PEVENTLOGRECORD pevlr, OUT PWCHAR EventText)

VOID	GetEventType (IN WORD dwEventType, OUT PWCHAR eventTypeText)

BOOL	GetEventUserName (IN PEVENTLOGRECORD pelr, IN OUT PSID *pLastSid, OUT PWCHAR pszUser)

static VOID	FreeRecords (VOID)

BOOL	FilterByType (IN PEVENTLOGFILTER EventLogFilter, IN PEVENTLOGRECORD pevlr)

BOOL	FilterByString (IN PCWSTR FilterString, IN PWSTR String)

static DWORD WINAPI	EnumEventsThread (IN LPVOID lpParameter)

VOID	EnumEvents (IN PEVENTLOGFILTER EventLogFilter)

PEVENTLOGFILTER	GetSelectedFilter (OUT HTREEITEM *phti OPTIONAL)

VOID	OpenUserEventLog (VOID)

VOID	SaveEventLog (IN PEVENTLOGFILTER EventLogFilter)

VOID	CloseUserEventLog (IN PEVENTLOGFILTER EventLogFilter, IN HTREEITEM hti)

BOOL	ClearEvents (IN PEVENTLOGFILTER EventLogFilter)

VOID	Refresh (IN PEVENTLOGFILTER EventLogFilter)

BOOL	GetDisplayNameFileAndID (IN LPCWSTR lpLogName, OUT PWCHAR lpModuleName, OUT PDWORD pdwMessageID)

VOID	ResizeWnd (INT cx, INT cy)

static VOID	InitPropertiesDlg (HWND hDlg, PEVENTLOG EventLog)

INT_PTR CALLBACK	EventLogPropProc (HWND hDlg, UINT uMsg, WPARAM wParam, LPARAM lParam)

Variables
static const LPCWSTR	EVENTVWR_WNDCLASS = L"EVENTVWR"

static const LPCWSTR	EVENTLOG_BASE_KEY = L"SYSTEM\\CurrentControlSet\\Services\\EventLog\\"

static const LPCWSTR	EVNTVWR_PARAM_KEY = L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Event Viewer"

static const LPCWSTR	SystemLogs []

HINSTANCE	hInst

WCHAR	szTitle [MAX_LOADSTRING]

WCHAR	szTitleTemplate [MAX_LOADSTRING]

WCHAR	szStatusBarTemplate [MAX_LOADSTRING]

WCHAR	szLoadingWait [MAX_LOADSTRING]

WCHAR	szEmptyList [MAX_LOADSTRING]

WCHAR	szSaveFilter [MAX_LOADSTRING]

INT	nVSplitPos

INT	nHSplitPos

BYTE	bSplit = 0

HWND	hwndMainWindow = NULL

HWND	hwndTreeView

HWND	hwndListView

HWND	hwndEventDetails

HWND	hwndStatus

HWND	hwndStatusProgress

HMENU	hMainMenu

HTREEITEM	htiSystemLogs = NULL

HTREEITEM	htiAppLogs = NULL

HTREEITEM	htiUserLogs = NULL

LPWSTR	lpComputerName = NULL

LPWSTR	lpszzUserLogsToLoad = NULL

SIZE_T	cbUserLogsSize = 0

HKEY	hkMachine = NULL

DWORD	g_TotalRecords = 0

PEVENTLOGRECORD *	g_RecordPtrs = NULL

LIST_ENTRY	EventLogList

LIST_ENTRY	EventLogFilterList

PEVENTLOGFILTER	ActiveFilter = NULL

HANDLE	hEnumEventsThread = NULL

HANDLE	hStopEnumEvent = NULL

PEVENTLOGFILTER	EnumFilter = NULL

HANDLE	hStartStopEnumEvent = NULL

HANDLE	hStartEnumEvent = NULL

OPENFILENAMEW	sfn

SETTINGS	Settings

static HWND	hWndDetailsCtrl = NULL

static HWND	hWndGrip = NULL

static INT	cxMin

static INT	cyMin

static INT	cxOld

static INT	cyOld

Macro Definition Documentation

◆ EVENT_CATEGORY_MESSAGE_FILE

#define EVENT_CATEGORY_MESSAGE_FILE L"CategoryMessageFile"

Definition at line 56 of file eventvwr.c.

◆ EVENT_DLL_SEPARATOR

#define EVENT_DLL_SEPARATOR L";"

Definition at line 55 of file eventvwr.c.

◆ EVENT_MESSAGE_EVENTTEXT_BUFFER

#define EVENT_MESSAGE_EVENTTEXT_BUFFER 1024*10

Definition at line 53 of file eventvwr.c.

◆ EVENT_MESSAGE_FILE

#define EVENT_MESSAGE_FILE L"EventMessageFile"

Definition at line 57 of file eventvwr.c.

◆ EVENT_MESSAGE_FILE_BUFFER

#define EVENT_MESSAGE_FILE_BUFFER 1024*10

Definition at line 54 of file eventvwr.c.

◆ EVENT_PARAMETER_MESSAGE_FILE

#define EVENT_PARAMETER_MESSAGE_FILE L"ParameterMessageFile"

Definition at line 58 of file eventvwr.c.

◆ LVM_PROGRESS

#define LVM_PROGRESS (WM_APP + 1)

Definition at line 38 of file eventvwr.c.

◆ MAX_LOADSTRING

#define MAX_LOADSTRING 255

Definition at line 60 of file eventvwr.c.

◆ SPLIT_WIDTH

#define SPLIT_WIDTH 4

Definition at line 62 of file eventvwr.c.

Typedef Documentation

◆ PSETTINGS

typedef struct _SETTINGS * PSETTINGS

◆ SETTINGS

typedef struct _SETTINGS SETTINGS

Function Documentation

◆ AllocAndCopyMultiStr()

PWSTR AllocAndCopyMultiStr ( IN PCWSTR MultiStr OPTIONAL )

Definition at line 1347 of file eventvwr.c.

 {
     PWSTR pStr;
     ULONG Length;
 
     if (!MultiStr)
         return NULL;
 
     pStr = (PWSTR)MultiStr;
     while (*pStr) pStr += (wcslen(pStr) + 1);
     Length = MultiStr - pStr + 2;
 
     pStr = HeapAlloc(GetProcessHeap(), 0, Length * sizeof(WCHAR));
     // NOTE: If we failed allocating the string, then fall back into no filter!
     if (pStr)
         RtlCopyMemory(pStr, MultiStr, Length * sizeof(WCHAR));
 
     return pStr;
 }

Referenced by AllocEventLogFilter().

◆ AllocEventLog()

PEVENTLOG AllocEventLog	(	IN PCWSTR ComputerName	OPTIONAL,
		IN PCWSTR	LogName,
		IN BOOL	Permanent
	)

Definition at line 1292 of file eventvwr.c.

 {
     PEVENTLOG EventLog;
     UINT cchName;
 
     /* Allocate a new event log entry */
     EventLog = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(*EventLog));
     if (!EventLog)
         return NULL;
 
     /* Allocate the computer name string (optional) and copy it */
     if (ComputerName)
     {
         cchName = wcslen(ComputerName) + 1;
         EventLog->ComputerName = HeapAlloc(GetProcessHeap(), 0, cchName * sizeof(WCHAR));
         if (EventLog->ComputerName)
             StringCchCopyW(EventLog->ComputerName, cchName, ComputerName);
     }
 
     /* Allocate the event log name string and copy it */
     cchName = wcslen(LogName) + 1;
     EventLog->LogName = HeapAlloc(GetProcessHeap(), 0, cchName * sizeof(WCHAR));
     if (!EventLog->LogName)
     {
         if (EventLog->ComputerName)
             HeapFree(GetProcessHeap(), 0, EventLog->ComputerName);
         HeapFree(GetProcessHeap(), 0, EventLog);
         return NULL;
     }
     StringCchCopyW(EventLog->LogName, cchName, LogName);
 
     EventLog->Permanent = Permanent;
 
     return EventLog;
 }

Referenced by BuildLogListAndFilterList(), and OpenUserEventLogFile().

◆ AllocEventLogFilter()

PEVENTLOGFILTER AllocEventLogFilter	(	IN BOOL	Information,
		IN BOOL	Warning,
		IN BOOL	Error,
		IN BOOL	AuditSuccess,
		IN BOOL	AuditFailure,
		IN PCWSTR Sources	OPTIONAL,
		IN PCWSTR Users	OPTIONAL,
		IN PCWSTR ComputerNames	OPTIONAL,
		IN ULONG	NumOfEventLogs,
		IN PEVENTLOG *	EventLogs
	)

Definition at line 1368 of file eventvwr.c.

 {
     PEVENTLOGFILTER EventLogFilter;
 
     /* Allocate a new event log filter entry, big enough to accommodate the list of logs */
     EventLogFilter = HeapAlloc(GetProcessHeap(),
                                HEAP_ZERO_MEMORY,
                                FIELD_OFFSET(EVENTLOGFILTER, EventLogs[NumOfEventLogs]));
     if (!EventLogFilter)
         return NULL;
 
     EventLogFilter->Information  = Information;
     EventLogFilter->Warning      = Warning;
     EventLogFilter->Error        = Error;
     EventLogFilter->AuditSuccess = AuditSuccess;
     EventLogFilter->AuditFailure = AuditFailure;
 
     /* Allocate and copy the sources, users, and computers multi-strings */
     EventLogFilter->Sources = AllocAndCopyMultiStr(Sources);
     EventLogFilter->Users   = AllocAndCopyMultiStr(Users);
     EventLogFilter->ComputerNames = AllocAndCopyMultiStr(ComputerNames);
 
     /* Copy the list of event logs */
     EventLogFilter->NumOfEventLogs = NumOfEventLogs;
     RtlCopyMemory(EventLogFilter->EventLogs, EventLogs, NumOfEventLogs * sizeof(PEVENTLOG));
 
     /* Initialize the filter reference count */
     EventLogFilter->ReferenceCount = 1;
 
     return EventLogFilter;
 }

Referenced by BuildLogListAndFilterList(), and OpenUserEventLogFile().

◆ ApplyParameterStringsToMessage()

DWORD ApplyParameterStringsToMessage	(	IN LPCWSTR	lpMessageDllList,
		IN BOOL	bMessagePreFormatted,
		IN CONST LPCWSTR	pMessage,
		OUT LPWSTR *	pFinalMessage
	)

Definition at line 916 of file eventvwr.c.

 {
     /*
      * This code is heavily adapted from the MSDN example:
      * https://msdn.microsoft.com/en-us/library/windows/desktop/bb427356.aspx
      * with bugs removed.
      */
 
     DWORD Status = ERROR_SUCCESS;
     DWORD dwParamCount = 0; // Number of insertion strings found in pMessage
     size_t cchBuffer = 0;   // Size of the buffer in characters
     size_t cchParams = 0;   // Number of characters in all the parameter strings
     size_t cch = 0;
     DWORD i = 0;
     param_strings_format_data* pParamData = NULL; // Array of pointers holding information about each parameter string in pMessage
     LPWSTR pTempMessage = (LPWSTR)pMessage;
     LPWSTR pTempFinalMessage = NULL;
 
     *pFinalMessage = NULL;
 
     /* Determine the number of parameter insertion strings in pMessage */
     if (bMessagePreFormatted)
     {
         while ((pTempMessage = wcschr(pTempMessage, L'%')))
         {
             pTempMessage++;
             if (iswdigit(*pTempMessage))
             {
                 dwParamCount++;
                 while (iswdigit(*++pTempMessage)) ;
             }
         }
     }
     else
     {
         while ((pTempMessage = wcsstr(pTempMessage, L"%%")))
         {
             pTempMessage += 2;
             if (iswdigit(*pTempMessage))
             {
                 dwParamCount++;
                 while (iswdigit(*++pTempMessage)) ;
             }
         }
     }
 
     /* If there are no parameter insertion strings in pMessage, just return */
     if (dwParamCount == 0)
     {
         // *pFinalMessage = NULL;
         goto Cleanup;
     }
 
     /* Allocate the array of parameter string format data */
     pParamData = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwParamCount * sizeof(param_strings_format_data));
     if (!pParamData)
     {
         Status = ERROR_OUTOFMEMORY;
         goto Cleanup;
     }
 
     /*
      * Retrieve each parameter in pMessage and the beginning and end of the
      * insertion string, as well as the message identifier of the parameter.
      */
     pTempMessage = (LPWSTR)pMessage;
     if (bMessagePreFormatted)
     {
         while ((pTempMessage = wcschr(pTempMessage, L'%')) && (i < dwParamCount))
         {
             pTempMessage++;
             if (iswdigit(*pTempMessage))
             {
                 pParamData[i].pStartingAddress = pTempMessage-1;
                 pParamData[i].pParameterID = (DWORD)_wtol(pTempMessage);
 
                 while (iswdigit(*++pTempMessage)) ;
 
                 pParamData[i].pEndingAddress = pTempMessage;
                 i++;
             }
         }
     }
     else
     {
         while ((pTempMessage = wcsstr(pTempMessage, L"%%")) && (i < dwParamCount))
         {
             pTempMessage += 2;
             if (iswdigit(*pTempMessage))
             {
                 pParamData[i].pStartingAddress = pTempMessage-2;
                 pParamData[i].pParameterID = (DWORD)_wtol(pTempMessage);
 
                 while (iswdigit(*++pTempMessage)) ;
 
                 pParamData[i].pEndingAddress = pTempMessage;
                 i++;
             }
         }
     }
 
     /* Retrieve each parameter string */
     for (i = 0; i < dwParamCount; i++)
     {
         // pParamData[i].pParameter = GetMessageString(pParamData[i].pParameterID, 0, NULL);
         pParamData[i].pParameter =
             GetMessageStringFromDllList(lpMessageDllList,
                                         FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_HMODULE |
                                         FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_MAX_WIDTH_MASK,
                                         pParamData[i].pParameterID,
                                         0, NULL);
         if (!pParamData[i].pParameter)
         {
             /* Skip the insertion string */
             continue;
         }
 
         cchParams += wcslen(pParamData[i].pParameter);
     }
 
     /*
      * Allocate the final message buffer, the size of which is based on the
      * length of the original message and the length of each parameter string.
      */
     cchBuffer = wcslen(pMessage) + cchParams + 1;
     *pFinalMessage = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cchBuffer * sizeof(WCHAR));
     if (!*pFinalMessage)
     {
         Status = ERROR_OUTOFMEMORY;
         goto Cleanup;
     }
 
     pTempFinalMessage = *pFinalMessage;
 
     /* Build the final message string */
     pTempMessage = (LPWSTR)pMessage;
     for (i = 0; i < dwParamCount; i++)
     {
         /* Append the segment from pMessage */
         cch = pParamData[i].pStartingAddress - pTempMessage;
         StringCchCopyNW(pTempFinalMessage, cchBuffer, pTempMessage, cch);
         pTempMessage = pParamData[i].pEndingAddress;
         cchBuffer -= cch;
         pTempFinalMessage += cch;
 
         /* Append the parameter string */
         if (pParamData[i].pParameter)
         {
             StringCchCopyW(pTempFinalMessage, cchBuffer, pParamData[i].pParameter);
             cch = wcslen(pParamData[i].pParameter); // pTempFinalMessage
         }
         else
         {
             /*
              * We failed to retrieve the parameter string before, so just
              * place back the original string placeholder.
              */
             cch = pParamData[i].pEndingAddress /* == pTempMessage */ - pParamData[i].pStartingAddress;
             StringCchCopyNW(pTempFinalMessage, cchBuffer, pParamData[i].pStartingAddress, cch);
             // cch = wcslen(pTempFinalMessage);
         }
         cchBuffer -= cch;
         pTempFinalMessage += cch;
     }
 
     /* Append the last segment from pMessage */
     StringCchCopyW(pTempFinalMessage, cchBuffer, pTempMessage);
 
 Cleanup:
 
     // if (Status != ERROR_SUCCESS)
         // *pFinalMessage = NULL;
 
     if (pParamData)
     {
         for (i = 0; i < dwParamCount; i++)
         {
             if (pParamData[i].pParameter)
                 LocalFree(pParamData[i].pParameter);
         }
 
         HeapFree(GetProcessHeap(), 0, pParamData);
     }
 
     return Status;
 }

Referenced by GetEventMessage().

◆ BuildLogListAndFilterList()

VOID BuildLogListAndFilterList ( IN LPCWSTR lpComputerName )

Definition at line 2792 of file eventvwr.c.

 {
     LONG Result;
     HKEY hEventLogKey, hLogKey;
     DWORD dwNumLogs = 0;
     DWORD dwIndex, dwMaxKeyLength;
     DWORD dwType;
     PEVENTLOG EventLog;
     PEVENTLOGFILTER EventLogFilter;
     LPWSTR LogName = NULL;
     WCHAR szModuleName[MAX_PATH];
     DWORD lpcName;
     DWORD dwMessageID;
     LPWSTR lpDisplayName;
     HTREEITEM hRootNode = NULL, hItem = NULL, hItemDefault = NULL;
 
     if (hkMachine && hkMachine != HKEY_LOCAL_MACHINE)
     {
         /* We are connected to some other computer, close the old connection */
         RegCloseKey(hkMachine);
         hkMachine = NULL;
     }
     if (!lpComputerName || !*lpComputerName)
     {
         /* Use the local computer registry */
         hkMachine = HKEY_LOCAL_MACHINE;
     }
     else
     {
         /* Connect to the remote computer registry */
         Result = RegConnectRegistry(lpComputerName, HKEY_LOCAL_MACHINE, &hkMachine);
         if (Result != ERROR_SUCCESS)
         {
             /* Connection failed, display a message and bail out */
             hkMachine = NULL;
             ShowWin32Error(GetLastError());
             return;
         }
     }
 
     /* Open the EventLog key */
     Result = RegOpenKeyExW(hkMachine, EVENTLOG_BASE_KEY, 0, KEY_READ, &hEventLogKey);
     if (Result != ERROR_SUCCESS)
     {
         return;
     }
 
     /* Retrieve the number of event logs enumerated as registry keys */
     Result = RegQueryInfoKeyW(hEventLogKey, NULL, NULL, NULL, &dwNumLogs, &dwMaxKeyLength,
                               NULL, NULL, NULL, NULL, NULL, NULL);
     if (Result != ERROR_SUCCESS)
     {
         goto Quit;
     }
     if (!dwNumLogs)
         goto Quit;
 
     /* Take the NULL terminator into account */
     ++dwMaxKeyLength;
 
     /* Allocate the temporary buffer */
     LogName = HeapAlloc(GetProcessHeap(), 0, dwMaxKeyLength * sizeof(WCHAR));
     if (!LogName)
         goto Quit;
 
     /* Enumerate and retrieve each event log name */
     for (dwIndex = 0; dwIndex < dwNumLogs; dwIndex++)
     {
         lpcName = dwMaxKeyLength;
         Result = RegEnumKeyExW(hEventLogKey, dwIndex, LogName, &lpcName, NULL, NULL, NULL, NULL);
         if (Result != ERROR_SUCCESS)
             continue;
 
         /* Take the NULL terminator into account */
         ++lpcName;
 
         /* Allocate a new event log entry */
         EventLog = AllocEventLog(lpComputerName, LogName, TRUE);
         if (EventLog == NULL)
             continue;
 
         /* Allocate a new event log filter entry for this event log */
         EventLogFilter = AllocEventLogFilter(// LogName,
                                              TRUE, TRUE, TRUE, TRUE, TRUE,
                                              NULL, NULL, NULL,
                                              1, &EventLog);
         if (EventLogFilter == NULL)
         {
             EventLog_Free(EventLog);
             continue;
         }
 
         /* Add the event log and the filter into their lists */
         InsertTailList(&EventLogList, &EventLog->ListEntry);
         InsertTailList(&EventLogFilterList, &EventLogFilter->ListEntry);
 
         EventLog->FileName = NULL;
 
         /* Retrieve and cache the event log file */
         Result = RegOpenKeyExW(hEventLogKey,
                                LogName,
                                0,
                                KEY_QUERY_VALUE,
                                &hLogKey);
         if (Result == ERROR_SUCCESS)
         {
             lpcName = 0;
             Result = RegQueryValueExW(hLogKey,
                                       L"File",
                                       NULL,
                                       &dwType,
                                       NULL,
                                       &lpcName);
             if ((Result != ERROR_SUCCESS) || (dwType != REG_EXPAND_SZ && dwType != REG_SZ))
             {
                 // Windows' EventLog uses some kind of default value, we do not.
                 EventLog->FileName = NULL;
             }
             else
             {
                 lpcName = ROUND_DOWN(lpcName, sizeof(WCHAR));
                 EventLog->FileName = HeapAlloc(GetProcessHeap(), 0, lpcName);
                 if (EventLog->FileName)
                 {
                     Result = RegQueryValueExW(hLogKey,
                                               L"File",
                                               NULL,
                                               &dwType,
                                               (LPBYTE)EventLog->FileName,
                                               &lpcName);
                     if (Result != ERROR_SUCCESS)
                     {
                         HeapFree(GetProcessHeap(), 0, EventLog->FileName);
                         EventLog->FileName = NULL;
                     }
                     else
                     {
                         EventLog->FileName[lpcName / sizeof(WCHAR) - 1] = UNICODE_NULL;
                     }
                 }
             }
 
             RegCloseKey(hLogKey);
         }
 
         /* Get the display name for the event log */
         lpDisplayName = NULL;
 
         ZeroMemory(szModuleName, sizeof(szModuleName));
         if (GetDisplayNameFileAndID(LogName, szModuleName, &dwMessageID))
         {
             /* Retrieve the message string without appending extra newlines */
             lpDisplayName =
             GetMessageStringFromDll(szModuleName,
                                     FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_HMODULE |
                                     FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_MAX_WIDTH_MASK,
                                     dwMessageID,
                                     0,
                                     NULL);
         }
 
         /*
          * Select the correct tree root node, whether the log is a System
          * or an Application log. Default to Application log otherwise.
          */
         hRootNode = htiAppLogs;
         for (lpcName = 0; lpcName < ARRAYSIZE(SystemLogs); ++lpcName)
         {
             /* Check whether the log name is part of the system logs */
             if (wcsicmp(LogName, SystemLogs[lpcName]) == 0)
             {
                 hRootNode = htiSystemLogs;
                 break;
             }
         }
 
         hItem = TreeViewAddItem(hwndTreeView, hRootNode,
                                 (lpDisplayName ? lpDisplayName : LogName),
                                 2, 3, (LPARAM)EventLogFilter);
 
         /* Try to get the default event log: "Application" */
         if ((hItemDefault == NULL) && (wcsicmp(LogName, SystemLogs[0]) == 0))
         {
             hItemDefault = hItem;
         }
 
         /* Free the buffer allocated by FormatMessage */
         if (lpDisplayName)
             LocalFree(lpDisplayName);
     }
 
     HeapFree(GetProcessHeap(), 0, LogName);
 
 Quit:
     RegCloseKey(hEventLogKey);
 
     /* Select the default event log */
     if (hItemDefault)
     {
         // TreeView_Expand(hwndTreeView, hRootNode, TVE_EXPAND);
         TreeView_SelectItem(hwndTreeView, hItemDefault);
         TreeView_EnsureVisible(hwndTreeView, hItemDefault);
     }
     InvalidateRect(hwndTreeView, NULL, FALSE);
     SetFocus(hwndTreeView);
 
     return;
 }

Referenced by wWinMain().

◆ ClearEvents()

BOOL ClearEvents ( IN PEVENTLOGFILTER EventLogFilter )

Definition at line 2621 of file eventvwr.c.

 {
     BOOL Success;
     PEVENTLOG EventLog;
     HANDLE hEventLog;
     WCHAR szFileName[MAX_PATH];
     WCHAR szMessage[MAX_LOADSTRING];
 
     /* Bail out if there is no available filter */
     if (!EventLogFilter)
         return FALSE;
 
     ZeroMemory(szFileName, sizeof(szFileName));
     ZeroMemory(szMessage, sizeof(szMessage));
 
     LoadStringW(hInst, IDS_CLEAREVENTS_MSG, szMessage, ARRAYSIZE(szMessage));
 
     sfn.lpstrFile = szFileName;
     sfn.nMaxFile  = ARRAYSIZE(szFileName);
 
     switch (MessageBoxW(hwndMainWindow, szMessage, szTitle, MB_YESNOCANCEL | MB_ICONINFORMATION))
     {
         case IDCANCEL:
             return FALSE;
 
         case IDNO:
             sfn.lpstrFile = NULL;
             break;
 
         case IDYES:
             if (!GetSaveFileNameW(&sfn))
                 return FALSE;
             break;
     }
 
     EventLogFilter_AddRef(EventLogFilter);
 
     EventLog = EventLogFilter->EventLogs[0];
     hEventLog = OpenEventLogW(EventLog->ComputerName, EventLog->LogName);
 
     EventLogFilter_Release(EventLogFilter);
 
     if (!hEventLog)
     {
         ShowWin32Error(GetLastError());
         return FALSE;
     }
 
     Success = ClearEventLogW(hEventLog, sfn.lpstrFile);
     if (!Success)
         ShowWin32Error(GetLastError());
 
     CloseEventLog(hEventLog);
     return Success;
 }

Referenced by WndProc().

◆ CloseUserEventLog()

VOID CloseUserEventLog	(	IN PEVENTLOGFILTER	EventLogFilter,
		IN HTREEITEM	hti
	)

Definition at line 2586 of file eventvwr.c.

 {
     /* Bail out if there is no available filter */
     if (!EventLogFilter)
         return;
 
     if (InterlockedCompareExchangePointer((PVOID*)&ActiveFilter, NULL, NULL) == EventLogFilter)
     {
         /* Signal the enumerator thread we want to stop enumerating events */
         // EnumEvents(NULL);
         InterlockedExchangePointer((PVOID*)&EnumFilter, NULL);
         SetEvent(hStartEnumEvent);
     }
 
     /*
      * The deletion of the item automatically triggers a TVN_SELCHANGED
      * notification, that will reset the ActiveFilter (in case the item
      * selected is a filter). Otherwise we reset it there.
      */
     TreeView_DeleteItem(hwndTreeView, hti);
 
     /* Remove the filter from the list */
     RemoveEntryList(&EventLogFilter->ListEntry);
     EventLogFilter_Release(EventLogFilter);
 
     // /* Select the default event log */
     // // TreeView_Expand(hwndTreeView, htiUserLogs, TVE_EXPAND);
     // TreeView_SelectItem(hwndTreeView, hItem);
     // TreeView_EnsureVisible(hwndTreeView, hItem);
     InvalidateRect(hwndTreeView, NULL, FALSE);
     SetFocus(hwndTreeView);
 }

Referenced by WndProc().

◆ DisplayUsage()

VOID DisplayUsage ( VOID )

Definition at line 181 of file eventvwr.c.

 {
     LPWSTR lpBuffer;
     LPCWSTR lpUsage;
     INT iUsageLen = LoadStringW(hInst, IDS_USAGE, (LPWSTR)&lpUsage, 0);
 
     if (iUsageLen == 0)
         return;
 
     lpBuffer = HeapAlloc(GetProcessHeap(), 0, (iUsageLen + 1) * sizeof(WCHAR));
     if (!lpBuffer)
         return;
 
     StringCchCopyNW(lpBuffer, iUsageLen + 1, lpUsage, iUsageLen);
     MessageBoxW(NULL, lpBuffer, szTitle, MB_OK | MB_ICONINFORMATION);
 
     HeapFree(GetProcessHeap(), 0, lpBuffer);
 }

Referenced by ProcessCmdLine().

◆ EnumEvents()

VOID EnumEvents ( IN PEVENTLOGFILTER EventLogFilter )

Definition at line 2431 of file eventvwr.c.

 {
     /* Signal the enumerator thread we want to enumerate events */
     InterlockedExchangePointer((PVOID*)&EnumFilter, EventLogFilter);
     SetEvent(hStartEnumEvent);
     return;
 }

Referenced by Refresh(), and WndProc().

◆ EnumEventsThread()

static DWORD WINAPI EnumEventsThread ( IN LPVOID lpParameter )

static

HACK!!

Definition at line 1971 of file eventvwr.c.

 {
     PEVENTLOGFILTER EventLogFilter = (PEVENTLOGFILTER)lpParameter;
     PEVENTLOG EventLog;
 
     ULONG LogIndex;
     HANDLE hEventLog;
     PEVENTLOGRECORD pEvlr = NULL;
     PBYTE pEvlrEnd;
     PBYTE pEvlrBuffer;
     DWORD dwWanted, dwRead, dwNeeded, dwStatus = ERROR_SUCCESS;
     DWORD dwTotalRecords = 0, dwCurrentRecord = 0;
     DWORD dwFlags, dwMaxLength;
     size_t cchRemaining;
     LPWSTR lpszSourceName;
     LPWSTR lpszComputerName;
     BOOL bResult = TRUE; /* Read succeeded */
     HANDLE hProcessHeap = GetProcessHeap();
     PSID pLastSid = NULL;
 
     UINT uStep = 0, uStepAt = 0, uPos = 0;
 
     WCHAR szWindowTitle[MAX_PATH];
     WCHAR szStatusText[MAX_PATH];
     WCHAR szLocalDate[MAX_PATH];
     WCHAR szLocalTime[MAX_PATH];
     WCHAR szEventID[MAX_PATH];
     WCHAR szEventTypeText[MAX_LOADSTRING];
     WCHAR szCategoryID[MAX_PATH];
     WCHAR szUsername[MAX_PATH];
     WCHAR szNoUsername[MAX_PATH];
     WCHAR szCategory[MAX_PATH];
     WCHAR szNoCategory[MAX_PATH];
     PWCHAR lpTitleTemplateEnd;
 
     SYSTEMTIME time;
     LVITEMW lviEventItem;
 
     /* Save the current event log filter globally */
     EventLogFilter_AddRef(EventLogFilter);
     ActiveFilter = EventLogFilter;
 
 
     EventLog = EventLogFilter->EventLogs[0];
 
     // FIXME: Use something else instead of EventLog->LogName !!
 
     /*
      * Use a different formatting, whether the event log filter holds
      * only one log, or many logs (the latter case is WIP TODO!)
      */
     if (EventLogFilter->NumOfEventLogs <= 1)
     {
         StringCchPrintfExW(szWindowTitle,
                            ARRAYSIZE(szWindowTitle),
                            &lpTitleTemplateEnd,
                            &cchRemaining,
                            0,
                            szTitleTemplate, szTitle, EventLog->LogName); /* i = number of characters written */
         dwMaxLength = (DWORD)cchRemaining;
         if (!EventLog->ComputerName)
             GetComputerNameW(lpTitleTemplateEnd, &dwMaxLength);
         else
             StringCchCopyW(lpTitleTemplateEnd, dwMaxLength, EventLog->ComputerName);
 
         StringCbPrintfW(szStatusText,
                         sizeof(szStatusText),
                         szStatusBarTemplate,
                         EventLog->LogName,
                         0,
                         0);
     }
     else
     {
         // TODO: Use a different title & implement filtering for multi-log filters !!
         // (EventLogFilter->NumOfEventLogs > 1)
         MessageBoxW(hwndMainWindow,
                     L"Many-logs filtering is not implemented yet!!",
                     L"Event Log",
                     MB_OK | MB_ICONINFORMATION);
     }
 
     /* Set the window title */
     SetWindowTextW(hwndMainWindow, szWindowTitle);
 
     /* Update the status bar */
     StatusBar_SetText(hwndStatus, 0, szStatusText);
 
 
     /* Disable list view redraw */
     SendMessageW(hwndListView, WM_SETREDRAW, FALSE, 0);
 
     /* Clear the list view and free the cached records */
     ListView_DeleteAllItems(hwndListView);
     FreeRecords();
 
     SendMessageW(hwndListView, LVM_PROGRESS, 0, TRUE);
     ProgressBar_SetRange(hwndStatusProgress, 0);
     StatusBar_SetText(hwndStatus, 0, NULL);
     ShowWindow(hwndStatusProgress, SW_SHOW);
 
     /* Do a loop over the logs enumerated in the filter */
     // FIXME: For now we only support 1 event log per filter!
     LogIndex = 0;
     // for (LogIndex = 0; LogIndex < EventLogFilter->NumOfEventLogs; ++LogIndex)
     {
 
     EventLog = EventLogFilter->EventLogs[LogIndex];
 
     /* Open the event log */
     if (EventLog->Permanent)
         hEventLog = OpenEventLogW(EventLog->ComputerName, EventLog->LogName);
     else
         hEventLog = OpenBackupEventLogW(EventLog->ComputerName, EventLog->LogName); // FileName
 
     if (hEventLog == NULL)
     {
         ShowWin32Error(GetLastError());
         goto Cleanup;
     }
 
     // GetOldestEventLogRecord(hEventLog, &dwThisRecord);
 
     /* Get the total number of event log records */
     GetNumberOfEventLogRecords(hEventLog, &dwTotalRecords);
 
     if (dwTotalRecords > 0)
     {
         EnableMenuItem(hMainMenu, IDM_CLEAR_EVENTS, MF_BYCOMMAND | MF_ENABLED);
         EnableMenuItem(hMainMenu, IDM_SAVE_EVENTLOG, MF_BYCOMMAND | MF_ENABLED);
     }
     else
     {
         EnableMenuItem(hMainMenu, IDM_CLEAR_EVENTS, MF_BYCOMMAND | MF_GRAYED);
         EnableMenuItem(hMainMenu, IDM_SAVE_EVENTLOG, MF_BYCOMMAND | MF_GRAYED);
     }
 
     /* Set up the event records cache */
     g_RecordPtrs = HeapAlloc(hProcessHeap, HEAP_ZERO_MEMORY, dwTotalRecords * sizeof(*g_RecordPtrs));
     if (!g_RecordPtrs)
     {
         // ShowWin32Error(GetLastError());
         goto Quit;
     }
     g_TotalRecords = dwTotalRecords;
 
     if (WaitForSingleObject(hStopEnumEvent, 0) == WAIT_OBJECT_0)
         goto Quit;
 
     LoadStringW(hInst, IDS_NOT_AVAILABLE, szNoUsername, ARRAYSIZE(szNoUsername));
     LoadStringW(hInst, IDS_NONE, szNoCategory, ARRAYSIZE(szNoCategory));
 
     ProgressBar_SetRange(hwndStatusProgress, MAKELPARAM(0, 100));
     uStepAt = (dwTotalRecords / 100) + 1;
 
     dwFlags = EVENTLOG_SEQUENTIAL_READ | (Settings.bNewestEventsFirst ? EVENTLOG_FORWARDS_READ : EVENTLOG_BACKWARDS_READ);
 
     /* 0x7ffff is the maximum buffer size ReadEventLog will accept */
     dwWanted = 0x7ffff;
     pEvlr = HeapAlloc(hProcessHeap, 0, dwWanted);
 
     if (!pEvlr)
         goto Quit;
 
     while (dwStatus == ERROR_SUCCESS)
     {
         bResult =  ReadEventLogW(hEventLog, dwFlags, 0, pEvlr, dwWanted, &dwRead, &dwNeeded);
         dwStatus = GetLastError();
 
         if (!bResult && dwStatus == ERROR_INSUFFICIENT_BUFFER)
         {
             pEvlr = HeapReAlloc(hProcessHeap, 0, pEvlr, dwNeeded);
             dwWanted = dwNeeded;
 
             if (!pEvlr)
                 break;
 
             bResult =  ReadEventLogW(hEventLog, dwFlags, 0, pEvlr, dwNeeded, &dwRead, &dwNeeded);
 
             if (!bResult)
                 break;
         }
         else if (!bResult)
         {
             /* Exit on other errors (ERROR_HANDLE_EOF) */
             break;
         }
 
         pEvlrBuffer = (LPBYTE)pEvlr;
         pEvlrEnd = pEvlrBuffer + dwRead;
 
         while (pEvlrBuffer < pEvlrEnd)
         {
             PEVENTLOGRECORD pEvlrTmp = (PEVENTLOGRECORD)pEvlrBuffer;
             PWSTR lpszUsername, lpszCategoryName;
             g_RecordPtrs[dwCurrentRecord] = NULL;
 
             // ProgressBar_StepIt(hwndStatusProgress);
             uStep++;
             if (uStep % uStepAt == 0)
             {
                 ++uPos;
                 ProgressBar_SetPos(hwndStatusProgress, uPos);
             }
 
            if (WaitForSingleObject(hStopEnumEvent, 0) == WAIT_OBJECT_0)
                 goto Quit;
 
             /* Filter by event type */
             if (!FilterByType(EventLogFilter, pEvlrTmp))
                 goto SkipEvent;
 
             /* Get the event source name and filter it */
             lpszSourceName = (LPWSTR)(pEvlrBuffer + sizeof(EVENTLOGRECORD));
             if (!FilterByString(EventLogFilter->Sources, lpszSourceName))
                 goto SkipEvent;
 
             /* Get the computer name and filter it */
             lpszComputerName = (LPWSTR)(pEvlrBuffer + sizeof(EVENTLOGRECORD) + (wcslen(lpszSourceName) + 1) * sizeof(WCHAR));
             if (!FilterByString(EventLogFilter->ComputerNames, lpszComputerName))
                 goto SkipEvent;
 
             /* Compute the event time */
             EventTimeToSystemTime(pEvlrTmp->TimeWritten, &time);
             GetDateFormatW(LOCALE_USER_DEFAULT, DATE_SHORTDATE, &time, NULL, szLocalDate, ARRAYSIZE(szLocalDate));
             GetTimeFormatW(LOCALE_USER_DEFAULT, 0, &time, NULL, szLocalTime, ARRAYSIZE(szLocalTime));
 
             /* Get the username that generated the event, and filter it */
             lpszUsername = GetEventUserName(pEvlrTmp, &pLastSid, szUsername) ? szUsername : szNoUsername;
 
             if (!FilterByString(EventLogFilter->Users, lpszUsername))
                 goto SkipEvent;
 
             // TODO: Filter by event ID and category
             GetEventType(pEvlrTmp->EventType, szEventTypeText);
 
             lpszCategoryName = GetEventCategory(EventLog->LogName, lpszSourceName, pEvlrTmp, szCategory) ? szCategory : szNoCategory;
 
             StringCbPrintfW(szEventID, sizeof(szEventID), L"%u", (pEvlrTmp->EventID & 0xFFFF));
             StringCbPrintfW(szCategoryID, sizeof(szCategoryID), L"%u", pEvlrTmp->EventCategory);
 
             g_RecordPtrs[dwCurrentRecord] = HeapAlloc(hProcessHeap, 0, pEvlrTmp->Length);
             RtlCopyMemory(g_RecordPtrs[dwCurrentRecord], pEvlrTmp, pEvlrTmp->Length);
 
             lviEventItem.mask = LVIF_IMAGE | LVIF_TEXT | LVIF_PARAM;
             lviEventItem.iItem = 0;
             lviEventItem.iSubItem = 0;
             lviEventItem.lParam = (LPARAM)g_RecordPtrs[dwCurrentRecord];
             lviEventItem.pszText = szEventTypeText;
 
             switch (pEvlrTmp->EventType)
             {
                 case EVENTLOG_SUCCESS:
                 case EVENTLOG_INFORMATION_TYPE:
                     lviEventItem.iImage = 0;
                     break;
 
                 case EVENTLOG_WARNING_TYPE:
                     lviEventItem.iImage = 1;
                     break;
 
                 case EVENTLOG_ERROR_TYPE:
                     lviEventItem.iImage = 2;
                     break;
 
                 case EVENTLOG_AUDIT_SUCCESS:
                     lviEventItem.iImage = 3;
                     break;
 
                 case EVENTLOG_AUDIT_FAILURE:
                     lviEventItem.iImage = 4;
                     break;
             }
 
             lviEventItem.iItem = ListView_InsertItem(hwndListView, &lviEventItem);
 
             ListView_SetItemText(hwndListView, lviEventItem.iItem, 1, szLocalDate);
             ListView_SetItemText(hwndListView, lviEventItem.iItem, 2, szLocalTime);
             ListView_SetItemText(hwndListView, lviEventItem.iItem, 3, lpszSourceName);
             ListView_SetItemText(hwndListView, lviEventItem.iItem, 4, lpszCategoryName);
             ListView_SetItemText(hwndListView, lviEventItem.iItem, 5, szEventID);
             ListView_SetItemText(hwndListView, lviEventItem.iItem, 6, lpszUsername);
             ListView_SetItemText(hwndListView, lviEventItem.iItem, 7, lpszComputerName);
 
 SkipEvent:
             pEvlrBuffer += pEvlrTmp->Length;
             dwCurrentRecord++;
         }
     }
 
 Quit:
 
     if (pEvlr)
         HeapFree(hProcessHeap, 0, pEvlr);
 
     /* Close the event log */
     CloseEventLog(hEventLog);
 
     } // end-for (LogIndex)
 
     /* All events loaded */
 
 Cleanup:
 
     ShowWindow(hwndStatusProgress, SW_HIDE);
     SendMessageW(hwndListView, LVM_PROGRESS, 0, FALSE);
 
     // FIXME: Use something else instead of EventLog->LogName !!
 
     /*
      * Use a different formatting, whether the event log filter holds
      * only one log, or many logs (the latter case is WIP TODO!)
      */
     if (EventLogFilter->NumOfEventLogs <= 1)
     {
         StringCbPrintfW(szStatusText,
                         sizeof(szStatusText),
                         szStatusBarTemplate,
                         EventLog->LogName,
                         dwTotalRecords,
                         ListView_GetItemCount(hwndListView));
     }
     else
     {
         // TODO: Use a different title & implement filtering for multi-log filters !!
         // (EventLogFilter->NumOfEventLogs > 1)
     }
 
     /* Update the status bar */
     StatusBar_SetText(hwndStatus, 0, szStatusText);
 
     /* Resume list view redraw */
     SendMessageW(hwndListView, WM_SETREDRAW, TRUE, 0);
 
     EventLogFilter_Release(EventLogFilter);
 
     CloseHandle(hStopEnumEvent);
     InterlockedExchangePointer((PVOID*)&hStopEnumEvent, NULL);
 
     return 0;
 }

Referenced by StartStopEnumEventsThread().

◆ EventDetails()

INT_PTR CALLBACK EventDetails	(	HWND	hDlg,
		UINT	uMsg,
		WPARAM	wParam,
		LPARAM	lParam
	)

Definition at line 4145 of file eventvwr.c.

 {
     switch (uMsg)
     {
         case WM_INITDIALOG:
         {
             LONG_PTR dwStyle;
             INT sbVXSize, sbHYSize;
             RECT rcWnd, rect;
 
             hWndDetailsCtrl = CreateEventDetailsCtrl(hInst, hDlg, lParam);
             if (!hWndDetailsCtrl)
             {
                 EndDialog(hDlg, 0);
                 return (INT_PTR)TRUE;
             }
 
             /* Create a size grip if the dialog has a sizing border */
             GetClientRect(hDlg, &rcWnd);
             dwStyle  = GetWindowLongPtrW(hDlg, GWL_STYLE);
             sbVXSize = GetSystemMetrics(SM_CXVSCROLL);
             sbHYSize = GetSystemMetrics(SM_CYHSCROLL);
             if (dwStyle & WS_THICKFRAME /* == WS_SIZEBOX */)
             {
                 hWndGrip = CreateWindowW(WC_SCROLLBARW,
                                          NULL,
                                          WS_CHILD | WS_VISIBLE |  WS_CLIPSIBLINGS |  SBS_SIZEGRIP | SBS_SIZEBOXBOTTOMRIGHTALIGN,
                                          rcWnd.right - sbVXSize,
                                          rcWnd.bottom - sbHYSize,
                                          sbVXSize, sbHYSize,
                                          hDlg,
                                          NULL,
                                          hInst,
                                          NULL);
             }
 
             // SetWindowLongPtrW(hDlg, DWLP_USER, (LONG_PTR)hWndDetailsCtrl);
 
             /*
              * Compute the minimum window size (in window coordinates) by
              * adding the widths/heights of the "Help" and "Close" buttons,
              * together with the margins, and add some minimal spacing
              * between the buttons.
              */
             GetWindowRect(hDlg, &rcWnd);
             cxMin = cyMin = 0;
 
             GetWindowRect(GetDlgItem(hDlg, IDHELP), &rect);
             cxMin += (rect.right - rect.left) + (rect.left - rcWnd.left); // == (rect.right - rcWnd.left);
             cyMin += (rect.bottom - rect.top) + (rcWnd.bottom - rect.bottom); // == (rcWnd.bottom - rect.top);
 
             GetWindowRect(GetDlgItem(hDlg, IDOK), &rect);
             cxMin += (rect.right - rect.left) + (rcWnd.right - rect.right); // == (rcWnd.right - rect.left);
             cyMin += (rect.bottom - rect.top) + (rcWnd.bottom - rect.bottom); // == (rcWnd.bottom - rect.top);
 
             /*
              * Convert the window rect from window to client coordinates
              * in order to retrieve the sizes of the left and top margins,
              * and add some extra space.
              */
             MapWindowPoints(HWND_DESKTOP /*NULL*/, hDlg, (LPPOINT)&rcWnd, sizeof(RECT)/sizeof(POINT));
 
             cxMin += -2*rcWnd.left;   // Minimal spacing between the buttons == 2 * left margin
             cyMin += -rcWnd.top + 12; // Add some space on top
 
             GetClientRect(hDlg, &rcWnd);
             cxOld = rcWnd.right - rcWnd.left;
             cyOld = rcWnd.bottom - rcWnd.top;
 
             /* Show event info on dialog control */
             SendMessageW(hWndDetailsCtrl, EVT_DISPLAY, 0, 0);
 
             // SetWindowPos(hWndDetailsCtrl, NULL,
                          // 0, 0,
                          // (rcWnd.right - rcWnd.left),
                          // (rcWnd.bottom - rcWnd.top),
                          // SWP_NOZORDER | SWP_NOACTIVATE | SWP_SHOWWINDOW);
 
             /*
              * Hide the placeholder static control and show the event details
              * control instead. Note that the placeholder is here so far just
              * to get the dimensions right in the dialog resource editor.
              * I plan to remove it and use a custom control with a suitable
              * window class for it, that would create the event details control
              * instead.
              */
             ShowWindow(GetDlgItem(hDlg, IDC_STATIC), SW_HIDE);
             ShowWindow(hWndDetailsCtrl, SW_SHOW);
             return (INT_PTR)TRUE;
         }
 
         case WM_DESTROY:
             if (IsWindow(hWndDetailsCtrl))
                 DestroyWindow(hWndDetailsCtrl);
             hWndDetailsCtrl = NULL;
             return (INT_PTR)TRUE;
 
         case WM_COMMAND:
             switch (LOWORD(wParam))
             {
                 case IDOK:
                 case IDCANCEL:
                     EndDialog(hDlg, LOWORD(wParam));
                     return (INT_PTR)TRUE;
 
                 case IDHELP:
                     MessageBoxW(hDlg,
                                 L"Help not implemented yet!",
                                 L"Event Log",
                                 MB_OK | MB_ICONINFORMATION);
                     return (INT_PTR)TRUE;
 
                 default:
                     break;
             }
             break;
 
         case WM_SETCURSOR:
             if (((HWND)wParam == hWndGrip) && (LOWORD(lParam) == HTCLIENT))
             {
                 SetCursor(LoadCursorW(NULL, IDC_SIZENWSE));
                 SetWindowLongPtrW(hDlg, DWLP_MSGRESULT, TRUE);
                 return (INT_PTR)TRUE;
             }
             break;
 
         case WM_SIZING:
         {
             /* Forbid resizing the dialog smaller than its minimal size */
             PRECT dragRect = (PRECT)lParam;
 
             if ((wParam == WMSZ_LEFT) || (wParam == WMSZ_TOPLEFT) || (wParam == WMSZ_BOTTOMLEFT))
             {
                 if (dragRect->right - dragRect->left < cxMin)
                     dragRect->left = dragRect->right - cxMin;
             }
 
             if ((wParam == WMSZ_RIGHT) || (wParam == WMSZ_TOPRIGHT) || (wParam == WMSZ_BOTTOMRIGHT))
             {
                 if (dragRect->right - dragRect->left < cxMin)
                     dragRect->right = dragRect->left + cxMin;
             }
 
             if ((wParam == WMSZ_TOP) || (wParam == WMSZ_TOPLEFT) || (wParam == WMSZ_TOPRIGHT))
             {
                 if (dragRect->bottom - dragRect->top < cyMin)
                     dragRect->top = dragRect->bottom - cyMin;
             }
 
             if ((wParam == WMSZ_BOTTOM) || (wParam == WMSZ_BOTTOMLEFT) || (wParam == WMSZ_BOTTOMRIGHT))
             {
                 if (dragRect->bottom - dragRect->top < cyMin)
                     dragRect->bottom = dragRect->top + cyMin;
             }
 
             SetWindowLongPtrW(hDlg, DWLP_MSGRESULT, TRUE);
             return (INT_PTR)TRUE;
         }
 
         case WM_SIZE:
         {
             INT cx = LOWORD(lParam);
             INT cy = HIWORD(lParam);
 
             HDWP hdwp;
             HWND hItemWnd;
             RECT rect;
 
             hdwp = BeginDeferWindowPos(4);
 
             /* Resize the event details control window */
 
             hItemWnd = hWndDetailsCtrl;
             GetWindowRect(hItemWnd, &rect);
             MapWindowPoints(HWND_DESKTOP /*NULL*/, hDlg, (LPPOINT)&rect, sizeof(RECT)/sizeof(POINT));
 
             if (hdwp)
                 hdwp = DeferWindowPos(hdwp,
                                       hItemWnd,
                                       HWND_TOP,
                                       0, 0,
                                       (rect.right - rect.left) + (cx - cxOld),
                                       (rect.bottom - rect.top) + (cy - cyOld),
                                       SWP_NOMOVE | SWP_NOZORDER | SWP_NOACTIVATE);
 
             /* Move the buttons */
 
             hItemWnd = GetDlgItem(hDlg, IDHELP);
             GetWindowRect(hItemWnd, &rect);
             MapWindowPoints(HWND_DESKTOP /*NULL*/, hDlg, (LPPOINT)&rect, sizeof(RECT)/sizeof(POINT));
 
             if (hdwp)
                 hdwp = DeferWindowPos(hdwp,
                                       hItemWnd,
                                       HWND_TOP,
                                       rect.left,
                                       rect.top + (cy - cyOld),
                                       0, 0,
                                       SWP_NOSIZE | SWP_NOZORDER | SWP_NOACTIVATE);
 
             hItemWnd = GetDlgItem(hDlg, IDOK);
             GetWindowRect(hItemWnd, &rect);
             MapWindowPoints(HWND_DESKTOP /*NULL*/, hDlg, (LPPOINT)&rect, sizeof(RECT)/sizeof(POINT));
 
             if (hdwp)
                 hdwp = DeferWindowPos(hdwp,
                                       hItemWnd,
                                       HWND_TOP,
                                       rect.left + (cx - cxOld),
                                       rect.top  + (cy - cyOld),
                                       0, 0,
                                       SWP_NOSIZE | SWP_NOZORDER | SWP_NOACTIVATE);
 
             /* Move the size grip */
             if (hWndGrip && hdwp)
             {
                 GetWindowRect(hWndGrip, &rect);
                 MapWindowPoints(HWND_DESKTOP /*NULL*/, hDlg, (LPPOINT)&rect, sizeof(RECT)/sizeof(POINT));
 
                 hdwp = DeferWindowPos(hdwp,
                                       hWndGrip,
                                       HWND_TOP,
                                       rect.left + (cx - cxOld),
                                       rect.top  + (cy - cyOld),
                                       0, 0,
                                       SWP_NOSIZE | SWP_NOZORDER | SWP_NOACTIVATE);
             }
 
             if (hdwp)
                 EndDeferWindowPos(hdwp);
 
             /* Hide the size grip if we are in maximized mode */
             if (hWndGrip)
                 ShowWindow(hWndGrip, (wParam == SIZE_MAXIMIZED) ? SW_HIDE : SW_SHOW);
 
             cxOld = cx;
             cyOld = cy;
 
             SetWindowLongPtrW(hDlg, DWLP_MSGRESULT, 0);
             return (INT_PTR)TRUE;
         }
     }
 
     return (INT_PTR)FALSE;
 }

Referenced by WndProc().

◆ EventLog_Free()

VOID EventLog_Free ( IN PEVENTLOG EventLog )

Definition at line 1331 of file eventvwr.c.

 {
     if (EventLog->LogName)
         HeapFree(GetProcessHeap(), 0, EventLog->LogName);
 
     if (EventLog->ComputerName)
         HeapFree(GetProcessHeap(), 0, EventLog->ComputerName);
 
     if (EventLog->FileName)
         HeapFree(GetProcessHeap(), 0, EventLog->FileName);
 
     HeapFree(GetProcessHeap(), 0, EventLog);
 }

Referenced by BuildLogListAndFilterList(), FreeLogList(), and OpenUserEventLogFile().

◆ EventLogFilter_AddRef()

LONG EventLogFilter_AddRef ( IN PEVENTLOGFILTER EventLogFilter )

Definition at line 1425 of file eventvwr.c.

 {
     ASSERT(EventLogFilter);
     return InterlockedIncrement(&EventLogFilter->ReferenceCount);
 }

Referenced by ClearEvents(), EnumEventsThread(), EventLogProperties(), SaveEventLog(), and WndProc().

◆ EventLogFilter_Free()

VOID EventLogFilter_Free ( IN PEVENTLOGFILTER EventLogFilter )

Definition at line 1411 of file eventvwr.c.

 {
     if (EventLogFilter->Sources)
         HeapFree(GetProcessHeap(), 0, EventLogFilter->Sources);
 
     if (EventLogFilter->Users)
         HeapFree(GetProcessHeap(), 0, EventLogFilter->Users);
 
     if (EventLogFilter->ComputerNames)
         HeapFree(GetProcessHeap(), 0, EventLogFilter->ComputerNames);
 
     HeapFree(GetProcessHeap(), 0, EventLogFilter);
 }

Referenced by EventLogFilter_Release(), and FreeLogFilterList().

◆ EventLogFilter_Release()

LONG EventLogFilter_Release ( IN PEVENTLOGFILTER EventLogFilter )

RemoveEntryList(&EventLogFilter->ListEntry);

Definition at line 1431 of file eventvwr.c.

 {
     LONG RefCount;
 
     ASSERT(EventLogFilter);
 
     /* When the reference count reaches zero, delete the filter */
     RefCount = InterlockedDecrement(&EventLogFilter->ReferenceCount);
     if (RefCount <= 0)
     {
         /* Remove the filter from the list */
         EventLogFilter_Free(EventLogFilter);
     }
 
     return RefCount;
 }

Referenced by ClearEvents(), CloseUserEventLog(), EnumEventsThread(), EventLogProperties(), SaveEventLog(), and WndProc().

◆ EventLogProperties()

INT_PTR EventLogProperties	(	HINSTANCE	hInstance,
		HWND	hWndParent,
		PEVENTLOGFILTER	EventLogFilter
	)

Definition at line 4079 of file eventvwr.c.

 {
     INT_PTR ret = 0;
     PROPSHEETHEADERW psh;
     PROPSHEETPAGEW   psp[1]; // 2
 
     /*
      * Bail out if there is no available filter, or if the filter
      * contains more than one log.
      */
     if (!EventLogFilter)
         return 0;
 
     EventLogFilter_AddRef(EventLogFilter);
 
     if (EventLogFilter->NumOfEventLogs > 1 ||
         EventLogFilter->EventLogs[0] == NULL)
     {
         goto Quit;
     }
 
     /* Header */
     psh.dwSize      = sizeof(psh);
     psh.dwFlags     = PSH_PROPSHEETPAGE /*| PSH_USEICONID */ | PSH_PROPTITLE | PSH_HASHELP /*| PSH_NOCONTEXTHELP */ /*| PSH_USECALLBACK */;
     psh.hInstance   = hInstance;
     psh.hwndParent  = hWndParent;
     // psh.pszIcon     = MAKEINTRESOURCEW(IDI_APPICON); // Disabled because it only sets the small icon; the big icon is a stretched version of the small one.
     psh.pszCaption  = EventLogFilter->EventLogs[0]->LogName;
     psh.nStartPage  = 0;
     psh.ppsp        = psp;
     psh.nPages      = ARRAYSIZE(psp);
     // psh.pfnCallback = PropSheetCallback;
 
     /* Log properties page */
     psp[0].dwSize      = sizeof(psp[0]);
     psp[0].dwFlags     = PSP_HASHELP;
     psp[0].hInstance   = hInstance;
     psp[0].pszTemplate = MAKEINTRESOURCEW(IDD_LOGPROPERTIES_GENERAL);
     psp[0].pfnDlgProc  = EventLogPropProc;
     psp[0].lParam      = (LPARAM)EventLogFilter->EventLogs[0];
 
 #if 0
     /* TODO: Log sources page */
     psp[1].dwSize      = sizeof(psp[1]);
     psp[1].dwFlags     = PSP_HASHELP;
     psp[1].hInstance   = hInstance;
     psp[1].pszTemplate = MAKEINTRESOURCEW(IDD_GENERAL_PAGE);
     psp[1].pfnDlgProc  = GeneralPageWndProc;
     psp[0].lParam      = (LPARAM)EventLogFilter->EventLogs[0];
 #endif
 
     /* Create the property sheet */
     ret = PropertySheetW(&psh);
 
 Quit:
     EventLogFilter_Release(EventLogFilter);
     return ret;
 }

Referenced by WndProc().

◆ EventLogPropProc()

INT_PTR CALLBACK EventLogPropProc	(	HWND	hDlg,
		UINT	uMsg,
		WPARAM	wParam,
		LPARAM	lParam
	)

Definition at line 4008 of file eventvwr.c.

 {
     PEVENTLOG EventLog;
 
     EventLog = (PEVENTLOG)GetWindowLongPtrW(hDlg, DWLP_USER);
 
     switch (uMsg)
     {
         case WM_INITDIALOG:
         {
             EventLog = (PEVENTLOG)((LPPROPSHEETPAGE)lParam)->lParam;
             SetWindowLongPtrW(hDlg, DWLP_USER, (LONG_PTR)EventLog);
 
             InitPropertiesDlg(hDlg, EventLog);
 
             PropSheet_UnChanged(GetParent(hDlg), hDlg);
             return (INT_PTR)TRUE;
         }
 
         case WM_DESTROY:
             return (INT_PTR)TRUE;
 
         case WM_COMMAND:
             switch (LOWORD(wParam))
             {
                 case IDOK:
                 case IDCANCEL:
                     EndDialog(hDlg, LOWORD(wParam));
                     return (INT_PTR)TRUE;
 
                 case IDC_OVERWRITE_AS_NEEDED:
                 {
                     CheckRadioButton(hDlg, IDC_OVERWRITE_AS_NEEDED, IDC_NO_OVERWRITE, IDC_OVERWRITE_AS_NEEDED);
                     EnableDlgItem(hDlg, IDC_EDIT_EVENTS_AGE, FALSE);
                     EnableDlgItem(hDlg, IDC_UPDOWN_EVENTS_AGE, FALSE);
                     break;
                 }
 
                 case IDC_OVERWRITE_OLDER_THAN:
                 {
                     CheckRadioButton(hDlg, IDC_OVERWRITE_AS_NEEDED, IDC_NO_OVERWRITE, IDC_OVERWRITE_OLDER_THAN);
                     EnableDlgItem(hDlg, IDC_EDIT_EVENTS_AGE, TRUE);
                     EnableDlgItem(hDlg, IDC_UPDOWN_EVENTS_AGE, TRUE);
                     break;
                 }
 
                 case IDC_NO_OVERWRITE:
                 {
                     CheckRadioButton(hDlg, IDC_OVERWRITE_AS_NEEDED, IDC_NO_OVERWRITE, IDC_NO_OVERWRITE);
                     EnableDlgItem(hDlg, IDC_EDIT_EVENTS_AGE, FALSE);
                     EnableDlgItem(hDlg, IDC_UPDOWN_EVENTS_AGE, FALSE);
                     break;
                 }
 
                 case IDHELP:
                     MessageBoxW(hDlg,
                                 L"Help not implemented yet!",
                                 L"Event Log",
                                 MB_OK | MB_ICONINFORMATION);
                     return (INT_PTR)TRUE;
 
                 default:
                     break;
             }
             break;
     }
 
     return (INT_PTR)FALSE;
 }

Referenced by EventLogProperties().

◆ EventTimeToSystemTime()

VOID EventTimeToSystemTime	(	IN DWORD	EventTime,
		OUT PSYSTEMTIME	pSystemTime
	)

Definition at line 726 of file eventvwr.c.

 {
     SYSTEMTIME st1970 = { 1970, 1, 0, 1, 0, 0, 0, 0 };
     FILETIME ftLocal;
     union
     {
         FILETIME ft;
         ULONGLONG ll;
     } u1970, uUCT;
 
     uUCT.ft.dwHighDateTime = 0;
     uUCT.ft.dwLowDateTime = EventTime;
     SystemTimeToFileTime(&st1970, &u1970.ft);
     uUCT.ll = uUCT.ll * 10000000 + u1970.ll;
     FileTimeToLocalFileTime(&uUCT.ft, &ftLocal);
     FileTimeToSystemTime(&ftLocal, pSystemTime);
 }

Referenced by EnumEventsThread().

◆ FilterByString()

BOOL FilterByString	(	IN PCWSTR	FilterString,
		IN PWSTR	String
	)

Definition at line 1914 of file eventvwr.c.

 {
     PCWSTR pStr;
 
     /* The filter string is NULL so it does not filter anything */
     if (!FilterString)
         return TRUE;
 
     /*
      * If the filter string filters for an empty string AND the source string
      * is an empty string, we have a match (particular case of the last one).
      */
     if (!*FilterString && !*String)
         return TRUE;
 
     // if (*FilterString || *String)
 
     /*
      * If the filter string is empty BUT the source string is not empty,
      * OR vice-versa, we cannot have a match.
      */
     if ( (!*FilterString && *String) || (*FilterString && !*String) )
         return FALSE;
 
     /*
      * If the filter string filters for at least a non-empty string,
      * browse it and search for a string that matches the source string.
      */
     // else if (*FilterString && *String)
     {
         pStr = FilterString;
         while (*pStr)
         {
             if (wcsicmp(pStr, String) == 0)
             {
                 /* We have a match, break the loop */
                 break;
             }
 
             pStr += (wcslen(pStr) + 1);
         }
         if (!*pStr) // && *String
         {
             /* We do not have a match */
             return FALSE;
         }
     }
 
     /* We have a match */
     return TRUE;
 }

Referenced by EnumEventsThread().

◆ FilterByType()

BOOL FilterByType	(	IN PEVENTLOGFILTER	EventLogFilter,
		IN PEVENTLOGRECORD	pevlr
	)

Definition at line 1898 of file eventvwr.c.

 {
     if ((pevlr->EventType == EVENTLOG_SUCCESS          && !EventLogFilter->Information ) ||
         (pevlr->EventType == EVENTLOG_INFORMATION_TYPE && !EventLogFilter->Information ) ||
         (pevlr->EventType == EVENTLOG_WARNING_TYPE     && !EventLogFilter->Warning     ) ||
         (pevlr->EventType == EVENTLOG_ERROR_TYPE       && !EventLogFilter->Error       ) ||
         (pevlr->EventType == EVENTLOG_AUDIT_SUCCESS    && !EventLogFilter->AuditSuccess) ||
         (pevlr->EventType == EVENTLOG_AUDIT_FAILURE    && !EventLogFilter->AuditFailure))
     {
         return FALSE;
     }
     return TRUE;
 }

Referenced by EnumEventsThread().

◆ FormatByteSize()

UINT FormatByteSize	(	LONGLONG	cbSize,
		LPWSTR	pwszResult,
		UINT	cchResultMax
	)

Definition at line 1174 of file eventvwr.c.

 {
     INT cchWritten;
     LPWSTR pwszEnd;
     size_t cchRemaining;
 
     /* Write formated bytes count */
     cchWritten = FormatInteger(cbSize, pwszResult, cchResultMax);
     if (!cchWritten)
         return 0;
 
     /* Copy " bytes" to buffer */
     pwszEnd = pwszResult + cchWritten;
     cchRemaining = cchResultMax - cchWritten;
     StringCchCopyExW(pwszEnd, cchRemaining, L" ", &pwszEnd, &cchRemaining, 0);
     cchWritten = LoadStringW(hInst, IDS_BYTES_FORMAT, pwszEnd, cchRemaining);
     cchRemaining -= cchWritten;
 
     return cchResultMax - cchRemaining;
 }

Referenced by FormatFileSizeWithBytes().

◆ FormatFileSizeWithBytes()

LPWSTR FormatFileSizeWithBytes	(	const PULARGE_INTEGER	lpQwSize,
		LPWSTR	pwszResult,
		UINT	cchResultMax
	)

Definition at line 1196 of file eventvwr.c.

 {
     UINT cchWritten;
     LPWSTR pwszEnd;
     size_t cchRemaining;
 
     /* Format bytes in KBs, MBs etc */
     if (StrFormatByteSizeW(lpQwSize->QuadPart, pwszResult, cchResultMax) == NULL)
         return NULL;
 
     /* If there is less bytes than 1KB, we have nothing to do */
     if (lpQwSize->QuadPart < 1024)
         return pwszResult;
 
     /* Concatenate " (" */
     cchWritten = wcslen(pwszResult);
     pwszEnd = pwszResult + cchWritten;
     cchRemaining = cchResultMax - cchWritten;
     StringCchCopyExW(pwszEnd, cchRemaining, L" (", &pwszEnd, &cchRemaining, 0);
 
     /* Write formated bytes count */
     cchWritten = FormatByteSize(lpQwSize->QuadPart, pwszEnd, cchRemaining);
     pwszEnd += cchWritten;
     cchRemaining -= cchWritten;
 
     /* Copy ")" to the buffer */
     StringCchCopyW(pwszEnd, cchRemaining, L")");
 
     return pwszResult;
 }

Referenced by InitPropertiesDlg().

◆ FormatInteger()

UINT FormatInteger	(	LONGLONG	Num,
		LPWSTR	pwszResult,
		UINT	cchResultMax
	)

Definition at line 1114 of file eventvwr.c.

 {
     WCHAR wszNumber[24];
     WCHAR wszDecimalSep[8], wszThousandSep[8];
     NUMBERFMTW nf;
     WCHAR wszGrouping[12];
     INT cchGrouping;
     INT cchResult;
     INT i;
 
     // Print the number in uniform mode
     swprintf(wszNumber, L"%I64u", Num);
 
     // Get system strings for decimal and thousand separators.
     GetLocaleInfoW(LOCALE_USER_DEFAULT, LOCALE_SDECIMAL, wszDecimalSep, _countof(wszDecimalSep));
     GetLocaleInfoW(LOCALE_USER_DEFAULT, LOCALE_STHOUSAND, wszThousandSep, _countof(wszThousandSep));
 
     // Initialize format for printing the number in bytes
     ZeroMemory(&nf, sizeof(nf));
     nf.lpDecimalSep = wszDecimalSep;
     nf.lpThousandSep = wszThousandSep;
 
     // Get system string for groups separator
     cchGrouping = GetLocaleInfoW(LOCALE_USER_DEFAULT,
                                  LOCALE_SGROUPING,
                                  wszGrouping,
                                  _countof(wszGrouping));
 
     // Convert grouping specs from string to integer
     for (i = 0; i < cchGrouping; i++)
     {
         WCHAR wch = wszGrouping[i];
 
         if (wch >= L'0' && wch <= L'9')
             nf.Grouping = nf.Grouping * 10 + (wch - L'0');
         else if (wch != L';')
             break;
     }
 
     if ((nf.Grouping % 10) == 0)
         nf.Grouping /= 10;
     else
         nf.Grouping *= 10;
 
     // Format the number
     cchResult = GetNumberFormatW(LOCALE_USER_DEFAULT,
                                  0,
                                  wszNumber,
                                  &nf,
                                  pwszResult,
                                  cchResultMax);
 
     if (!cchResult)
         return 0;
 
     // GetNumberFormatW returns number of characters including UNICODE_NULL
     return cchResult - 1;
 }

Referenced by FormatByteSize().

◆ FreeLogFilterList()

VOID FreeLogFilterList ( VOID )

Definition at line 3018 of file eventvwr.c.

 {
     PLIST_ENTRY Entry;
     PEVENTLOGFILTER EventLogFilter;
 
     while (!IsListEmpty(&EventLogFilterList))
     {
         Entry = RemoveHeadList(&EventLogFilterList);
         EventLogFilter = (PEVENTLOGFILTER)CONTAINING_RECORD(Entry, EVENTLOGFILTER, ListEntry);
         EventLogFilter_Free(EventLogFilter);
     }
 
     ActiveFilter = NULL;
 
     return;
 }

Referenced by wWinMain().

◆ FreeLogList()

VOID FreeLogList ( VOID )

Definition at line 3002 of file eventvwr.c.

 {
     PLIST_ENTRY Entry;
     PEVENTLOG EventLog;
 
     while (!IsListEmpty(&EventLogList))
     {
         Entry = RemoveHeadList(&EventLogList);
         EventLog = (PEVENTLOG)CONTAINING_RECORD(Entry, EVENTLOG, ListEntry);
         EventLog_Free(EventLog);
     }
 
     return;
 }

Referenced by wWinMain().

◆ FreeRecords()

static VOID FreeRecords ( VOID )

static

Definition at line 1880 of file eventvwr.c.

 {
     DWORD iIndex;
 
     if (!g_RecordPtrs)
         return;
 
     for (iIndex = 0; iIndex < g_TotalRecords; iIndex++)
     {
         if (g_RecordPtrs[iIndex])
             HeapFree(GetProcessHeap(), 0, g_RecordPtrs[iIndex]);
     }
     HeapFree(GetProcessHeap(), 0, g_RecordPtrs);
     g_RecordPtrs = NULL;
     g_TotalRecords = 0;
 }

Referenced by EnumEventsThread(), and StartStopEnumEventsThread().

◆ GetDisplayNameFileAndID()

BOOL GetDisplayNameFileAndID	(	IN LPCWSTR	lpLogName,
		OUT PWCHAR	lpModuleName,
		OUT PDWORD	pdwMessageID
	)

Definition at line 2718 of file eventvwr.c.

 {
     BOOL Success = FALSE;
     LONG Result;
     HKEY hLogKey;
     WCHAR *KeyPath;
     SIZE_T cbKeyPath;
     DWORD dwType, cbData;
     DWORD dwMessageID = 0;
     WCHAR szModuleName[MAX_PATH];
 
     /* Use a default value for the message ID */
     *pdwMessageID = 0;
 
     cbKeyPath = (wcslen(EVENTLOG_BASE_KEY) + wcslen(lpLogName) + 1) * sizeof(WCHAR);
     KeyPath = HeapAlloc(GetProcessHeap(), 0, cbKeyPath);
     if (!KeyPath)
         return FALSE;
 
     StringCbCopyW(KeyPath, cbKeyPath, EVENTLOG_BASE_KEY);
     StringCbCatW(KeyPath, cbKeyPath, lpLogName);
 
     Result = RegOpenKeyExW(hkMachine, KeyPath, 0, KEY_QUERY_VALUE, &hLogKey);
     HeapFree(GetProcessHeap(), 0, KeyPath);
     if (Result != ERROR_SUCCESS)
         return FALSE;
 
     cbData = sizeof(szModuleName);
     Result = RegQueryValueExW(hLogKey,
                               L"DisplayNameFile",
                               NULL,
                               &dwType,
                               (LPBYTE)szModuleName,
                               &cbData);
     if ((Result != ERROR_SUCCESS) || (dwType != REG_EXPAND_SZ && dwType != REG_SZ))
     {
         szModuleName[0] = UNICODE_NULL;
     }
     else
     {
         /* NULL-terminate the string and expand it */
         szModuleName[cbData / sizeof(WCHAR) - 1] = UNICODE_NULL;
         GetExpandedFilePathName(lpComputerName, szModuleName, lpModuleName, ARRAYSIZE(szModuleName));
         Success = TRUE;
     }
 
     /*
      * If we have a 'DisplayNameFile', query for 'DisplayNameID';
      * otherwise it's not really useful. 'DisplayNameID' is optional.
      */
     if (Success)
     {
         cbData = sizeof(dwMessageID);
         Result = RegQueryValueExW(hLogKey,
                                   L"DisplayNameID",
                                   NULL,
                                   &dwType,
                                   (LPBYTE)&dwMessageID,
                                   &cbData);
         if ((Result != ERROR_SUCCESS) || (dwType != REG_DWORD))
             dwMessageID = 0;
 
         *pdwMessageID = dwMessageID;
     }
 
     RegCloseKey(hLogKey);
 
     return Success;
 }

Referenced by BuildLogListAndFilterList().

◆ GetEventCategory()

BOOL GetEventCategory	(	IN LPCWSTR	KeyName,
		IN LPCWSTR	SourceName,
		IN PEVENTLOGRECORD	pevlr,
		OUT PWCHAR	CategoryName
	)

Definition at line 1598 of file eventvwr.c.

 {
     BOOL Success = FALSE;
     WCHAR szMessageDLL[MAX_PATH];
     LPWSTR lpMsgBuf = NULL;
 
     if (!GetEventMessageFileDLL(KeyName, SourceName, EVENT_CATEGORY_MESSAGE_FILE, szMessageDLL))
         goto Quit;
 
     /* Retrieve the message string without appending extra newlines */
     lpMsgBuf =
     GetMessageStringFromDllList(szMessageDLL,
                                 FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_HMODULE |
                                 FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_MAX_WIDTH_MASK,
                                 pevlr->EventCategory,
                                 EVENT_MESSAGE_FILE_BUFFER,
                                 NULL);
     if (lpMsgBuf)
     {
         /* Trim the string */
         TrimNulls(lpMsgBuf);
 
         /* Copy the category name */
         StringCchCopyW(CategoryName, MAX_PATH, lpMsgBuf);
 
         /* Free the buffer allocated by FormatMessage */
         LocalFree(lpMsgBuf);
 
         /* The ID was found and the message was formatted */
         Success = TRUE;
     }
 
 Quit:
     if (!Success)
     {
         if (pevlr->EventCategory != 0)
         {
             StringCchPrintfW(CategoryName, MAX_PATH, L"(%lu)", pevlr->EventCategory);
             Success = TRUE;
         }
     }
 
     return Success;
 }

Referenced by EnumEventsThread().

◆ GetEventMessage()

BOOL GetEventMessage	(	IN LPCWSTR	KeyName,
		IN LPCWSTR	SourceName,
		IN PEVENTLOGRECORD	pevlr,
		OUT PWCHAR	EventText
	)

Definition at line 1648 of file eventvwr.c.

 {
     BOOL Success = FALSE;
     DWORD i;
     size_t cch;
     WCHAR SourceModuleName[1024];
     WCHAR ParameterModuleName[1024];
     BOOL IsParamModNameCached = FALSE;
     LPWSTR lpMsgBuf = NULL;
     LPWSTR szStringArray, szMessage;
     LPWSTR *szArguments;
 
     /* Get the event string array */
     szStringArray = (LPWSTR)((LPBYTE)pevlr + pevlr->StringOffset);
 
     /* NOTE: GetEventMessageFileDLL can return a comma-separated list of DLLs */
     if (!GetEventMessageFileDLL(KeyName, SourceName, EVENT_MESSAGE_FILE, SourceModuleName))
         goto Quit;
 
     /* Allocate space for insertion strings */
     szArguments = HeapAlloc(GetProcessHeap(), 0, pevlr->NumStrings * sizeof(LPVOID));
     if (!szArguments)
         goto Quit;
 
     if (!IsParamModNameCached)
     {
         /* Now that the parameter file list is loaded, no need to reload it at the next run! */
         IsParamModNameCached = GetEventMessageFileDLL(KeyName, SourceName, EVENT_PARAMETER_MESSAGE_FILE, ParameterModuleName);
         // FIXME: If the string loading failed the first time, no need to retry it just after???
     }
 
     if (IsParamModNameCached)
     {
         /* Not yet support for reading messages from parameter message DLL */
     }
 
     szMessage = szStringArray;
     /*
      * HACK:
      * We do some hackish preformatting of the cached event strings...
      * That's because after we pass the string to FormatMessage
      * (via GetMessageStringFromDllList) with the FORMAT_MESSAGE_ARGUMENT_ARRAY
      * flag, instead of ignoring the insertion parameters and do the formatting
      * by ourselves. Therefore, the resulting string should have the parameter
      * string placeholders starting with a single '%' instead of a mix of one
      * and two '%'.
      */
     /* HACK part 1: Compute the full length of the string array */
     cch = 0;
     for (i = 0; i < pevlr->NumStrings; i++)
     {
         szMessage += wcslen(szMessage) + 1;
     }
     cch = szMessage - szStringArray;
 
     /* HACK part 2: Now do the HACK proper! */
     szMessage = szStringArray;
     for (i = 0; i < pevlr->NumStrings; i++)
     {
         lpMsgBuf = szMessage;
         while ((lpMsgBuf = wcsstr(lpMsgBuf, L"%%")))
         {
             if (iswdigit(lpMsgBuf[2]))
             {
                 RtlMoveMemory(lpMsgBuf, lpMsgBuf+1, ((szStringArray + cch) - lpMsgBuf - 1) * sizeof(WCHAR));
             }
         }
 
         szArguments[i] = szMessage;
         szMessage += wcslen(szMessage) + 1;
     }
 
     /* Retrieve the message string without appending extra newlines */
     lpMsgBuf =
     GetMessageStringFromDllList(SourceModuleName,
                                 FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_HMODULE |
                                 FORMAT_MESSAGE_ARGUMENT_ARRAY | FORMAT_MESSAGE_MAX_WIDTH_MASK,
                                 pevlr->EventID,
                                 0,
                                 (va_list*)szArguments);
     if (lpMsgBuf)
     {
         /* Trim the string */
         TrimNulls(lpMsgBuf);
 
         szMessage = NULL;
         Success = (ApplyParameterStringsToMessage(ParameterModuleName,
                                                   TRUE,
                                                   lpMsgBuf,
                                                   &szMessage) == ERROR_SUCCESS);
         if (Success && szMessage)
         {
             /* Free the buffer allocated by FormatMessage */
             LocalFree(lpMsgBuf);
             lpMsgBuf = szMessage;
         }
 
         /* Copy the event text */
         StringCchCopyW(EventText, EVENT_MESSAGE_EVENTTEXT_BUFFER, lpMsgBuf);
 
         /* Free the buffer allocated by FormatMessage */
         LocalFree(lpMsgBuf);
     }
 
     HeapFree(GetProcessHeap(), 0, szArguments);
 
 Quit:
     if (!Success)
     {
         /* Get a read-only pointer to the "event-not-found" string */
         lpMsgBuf = HeapAlloc(GetProcessHeap(), 0, EVENT_MESSAGE_EVENTTEXT_BUFFER * sizeof(WCHAR));
         LoadStringW(hInst, IDS_EVENTSTRINGIDNOTFOUND, lpMsgBuf, EVENT_MESSAGE_EVENTTEXT_BUFFER);
         StringCchPrintfW(EventText, EVENT_MESSAGE_EVENTTEXT_BUFFER, lpMsgBuf, (pevlr->EventID & 0xFFFF), SourceName);
 
         /* Append the strings */
         szMessage = szStringArray;
         for (i = 0; i < pevlr->NumStrings; i++)
         {
             StringCchCatW(EventText, EVENT_MESSAGE_EVENTTEXT_BUFFER, szMessage);
             StringCchCatW(EventText, EVENT_MESSAGE_EVENTTEXT_BUFFER, L"\n");
             szMessage += wcslen(szMessage) + 1;
         }
     }
 
     return Success;
 }

Referenced by DisplayEvent().

◆ GetEventMessageFileDLL()

BOOL GetEventMessageFileDLL	(	IN LPCWSTR	lpLogName,
		IN LPCWSTR	SourceName,
		IN LPCWSTR	EntryName,
		OUT PWCHAR	lpModuleName
	)

Definition at line 1537 of file eventvwr.c.

 {
     BOOL Success = FALSE;
     LONG Result;
     DWORD dwType, dwSize;
     WCHAR szModuleName[MAX_PATH];
     WCHAR szKeyName[MAX_PATH];
     HKEY hLogKey = NULL;
     HKEY hSourceKey = NULL;
 
     StringCbCopyW(szKeyName, sizeof(szKeyName), EVENTLOG_BASE_KEY);
     StringCbCatW(szKeyName, sizeof(szKeyName), lpLogName);
 
     Result = RegOpenKeyExW(hkMachine,
                            szKeyName,
                            0,
                            KEY_READ,
                            &hLogKey);
     if (Result != ERROR_SUCCESS)
         return FALSE;
 
     Result = RegOpenKeyExW(hLogKey,
                            SourceName,
                            0,
                            KEY_QUERY_VALUE,
                            &hSourceKey);
     if (Result != ERROR_SUCCESS)
     {
         RegCloseKey(hLogKey);
         return FALSE;
     }
 
     dwSize = sizeof(szModuleName);
     Result = RegQueryValueExW(hSourceKey,
                               EntryName,
                               NULL,
                               &dwType,
                               (LPBYTE)szModuleName,
                               &dwSize);
     if ((Result != ERROR_SUCCESS) || (dwType != REG_EXPAND_SZ && dwType != REG_SZ))
     {
         szModuleName[0] = UNICODE_NULL;
     }
     else
     {
         /* NULL-terminate the string and expand it */
         szModuleName[dwSize / sizeof(WCHAR) - 1] = UNICODE_NULL;
         GetExpandedFilePathName(lpComputerName, szModuleName, lpModuleName, ARRAYSIZE(szModuleName));
         Success = TRUE;
     }
 
     RegCloseKey(hSourceKey);
     RegCloseKey(hLogKey);
 
     return Success;
 }

Referenced by GetEventCategory(), and GetEventMessage().

◆ GetEventType()

VOID GetEventType	(	IN WORD	dwEventType,
		OUT PWCHAR	eventTypeText
	)

Definition at line 1779 of file eventvwr.c.

 {
     switch (dwEventType)
     {
         case EVENTLOG_ERROR_TYPE:
             LoadStringW(hInst, IDS_EVENTLOG_ERROR_TYPE, eventTypeText, MAX_LOADSTRING);
             break;
         case EVENTLOG_WARNING_TYPE:
             LoadStringW(hInst, IDS_EVENTLOG_WARNING_TYPE, eventTypeText, MAX_LOADSTRING);
             break;
         case EVENTLOG_INFORMATION_TYPE:
             LoadStringW(hInst, IDS_EVENTLOG_INFORMATION_TYPE, eventTypeText, MAX_LOADSTRING);
             break;
         case EVENTLOG_SUCCESS:
             LoadStringW(hInst, IDS_EVENTLOG_SUCCESS, eventTypeText, MAX_LOADSTRING);
             break;
         case EVENTLOG_AUDIT_SUCCESS:
             LoadStringW(hInst, IDS_EVENTLOG_AUDIT_SUCCESS, eventTypeText, MAX_LOADSTRING);
             break;
         case EVENTLOG_AUDIT_FAILURE:
             LoadStringW(hInst, IDS_EVENTLOG_AUDIT_FAILURE, eventTypeText, MAX_LOADSTRING);
             break;
         default:
             LoadStringW(hInst, IDS_EVENTLOG_UNKNOWN_TYPE, eventTypeText, MAX_LOADSTRING);
             break;
     }
 }

Referenced by EnumEventsThread().

◆ GetEventUserName()

BOOL GetEventUserName	(	IN PEVENTLOGRECORD	pelr,
		IN OUT PSID *	pLastSid,
		OUT PWCHAR	pszUser
	)

Definition at line 1809 of file eventvwr.c.

 {
     PSID pCurrentSid;
     PWSTR StringSid;
     WCHAR szName[1024];
     WCHAR szDomain[1024];
     SID_NAME_USE peUse;
     DWORD cchName = ARRAYSIZE(szName);
     DWORD cchDomain = ARRAYSIZE(szDomain);
     BOOL Success = FALSE;
 
     /* Point to the SID */
     pCurrentSid = (PSID)((LPBYTE)pelr + pelr->UserSidOffset);
 
     if (!IsValidSid(pCurrentSid))
     {
         *pLastSid = NULL;
         return FALSE;
     }
     else if (*pLastSid && EqualSid(*pLastSid, pCurrentSid))
     {
         return TRUE;
     }
 
     /* User SID */
     if (pelr->UserSidLength > 0)
     {
         /*
          * Try to retrieve the user account name and domain name corresponding
          * to the SID. If it cannot be retrieved, try to convert the SID to a
          * string-form. It should not be bigger than the user-provided buffer
          * 'pszUser', otherwise we return an error.
          */
         if (LookupAccountSidW(lpComputerName,
                               pCurrentSid,
                               szName,
                               &cchName,
                               szDomain,
                               &cchDomain,
                               &peUse))
         {
             StringCchCopyW(pszUser, MAX_PATH, szName);
             Success = TRUE;
         }
         else if (ConvertSidToStringSidW(pCurrentSid, &StringSid))
         {
             /* Copy the string only if the user-provided buffer is big enough */
             if (wcslen(StringSid) + 1 <= MAX_PATH) // + 1 for NULL-terminator
             {
                 StringCchCopyW(pszUser, MAX_PATH, StringSid);
                 Success = TRUE;
             }
             else
             {
                 SetLastError(ERROR_NOT_ENOUGH_MEMORY);
                 Success = FALSE;
             }
 
             /* Free the allocated buffer */
             LocalFree(StringSid);
         }
     }
 
     *pLastSid = Success ? pCurrentSid : NULL;
 
     return Success;
 }

Referenced by EnumEventsThread().

◆ GetExpandedFilePathName()

DWORD GetExpandedFilePathName	(	IN LPCWSTR ComputerName	OPTIONAL,
		IN LPCWSTR	lpFileName,
		OUT LPWSTR lpFullFileName	OPTIONAL,
		IN DWORD	nSize
	)

Definition at line 1464 of file eventvwr.c.

 {
     DWORD dwLength;
 
     /* Determine the needed size after expansion of any environment strings */
     dwLength = ExpandEnvironmentStringsW(lpFileName, NULL, 0);
     if (dwLength == 0)
     {
         /* We failed, bail out */
         return 0;
     }
 
     /* If the file path is on a remote computer, estimate its length */
     // FIXME: Use WNetGetUniversalName instead?
     if (ComputerName && *ComputerName)
     {
         /* Skip any leading backslashes */
         while (*ComputerName == L'\\')
             ++ComputerName;
 
         if (*ComputerName)
         {
             /* Count 2 backslashes plus the computer name and one backslash separator */
             dwLength += 2 + wcslen(ComputerName) + 1;
         }
     }
 
     /* Check whether we have enough space */
     if (dwLength > nSize)
     {
         /* No, return the needed size in characters (includes NULL-terminator) */
         return dwLength;
     }
 
 
     /* Now expand the file path */
     ASSERT(dwLength <= nSize);
 
     /* Expand any existing environment strings */
     if (ExpandEnvironmentStringsW(lpFileName, lpFullFileName, dwLength) == 0)
     {
         /* We failed, bail out */
         return 0;
     }
 
     /* If the file path is on a remote computer, retrieve the network share form of the file name */
     // FIXME: Use WNetGetUniversalName instead?
     if (ComputerName && *ComputerName)
     {
         /* Note that we previously skipped any potential leading backslashes */
 
         /* Replace ':' by '$' in the drive letter */
         if (*lpFullFileName && lpFullFileName[1] == L':')
             lpFullFileName[1] = L'$';
 
         /* Prepend the computer name */
         RtlMoveMemory(lpFullFileName + 2 + wcslen(ComputerName) + 1,
                       lpFullFileName, dwLength * sizeof(WCHAR) - (2 + wcslen(ComputerName) + 1) * sizeof(WCHAR));
         lpFullFileName[0] = L'\\';
         lpFullFileName[1] = L'\\';
         wcsncpy(lpFullFileName + 2, ComputerName, wcslen(ComputerName));
         lpFullFileName[2 + wcslen(ComputerName)] = L'\\';
     }
 
     /* Return the number of stored characters (includes NULL-terminator) */
     return dwLength;
 }

Referenced by GetDisplayNameFileAndID(), GetEventMessageFileDLL(), and InitPropertiesDlg().

◆ GetFileTimeString()

BOOL GetFileTimeString	(	LPFILETIME	lpFileTime,
		LPWSTR	pwszResult,
		UINT	cchResult
	)

Definition at line 1229 of file eventvwr.c.

 {
     FILETIME ft;
     SYSTEMTIME st;
     int cchWritten;
     size_t cchRemaining = cchResult;
     LPWSTR pwszEnd = pwszResult;
 
     if (!FileTimeToLocalFileTime(lpFileTime, &ft) || !FileTimeToSystemTime(&ft, &st))
         return FALSE;
 
     cchWritten = GetDateFormatW(LOCALE_USER_DEFAULT, DATE_LONGDATE, &st, NULL, pwszEnd, cchRemaining);
     if (cchWritten)
         --cchWritten; // GetDateFormatW returns count with terminating zero
     // else
         // ERR("GetDateFormatW failed\n");
 
     cchRemaining -= cchWritten;
     pwszEnd += cchWritten;
 
     StringCchCopyExW(pwszEnd, cchRemaining, L", ", &pwszEnd, &cchRemaining, 0);
 
     cchWritten = GetTimeFormatW(LOCALE_USER_DEFAULT, 0, &st, NULL, pwszEnd, cchRemaining);
     if (cchWritten)
         --cchWritten; // GetTimeFormatW returns count with terminating zero
     // else
         // ERR("GetTimeFormatW failed\n");
 
     return TRUE;
 }

Referenced by InitPropertiesDlg().

◆ GetMessageStringFromDll()

LPWSTR GetMessageStringFromDll	(	IN LPCWSTR	lpMessageDll,
		IN DWORD	dwFlags,
		IN DWORD	dwMessageId,
		IN DWORD	nSize,
		IN va_list *Arguments	OPTIONAL
	)

Definition at line 751 of file eventvwr.c.

 {
     HMODULE hLibrary;
     DWORD dwLength;
     LPWSTR lpMsgBuf = NULL;
 
     hLibrary = LoadLibraryExW(lpMessageDll, NULL,
                               /* LOAD_LIBRARY_AS_IMAGE_RESOURCE | */ LOAD_LIBRARY_AS_DATAFILE);
     if (hLibrary == NULL)
         return NULL;
 
     /* Sanitize dwFlags */
     dwFlags &= ~FORMAT_MESSAGE_FROM_STRING;
     dwFlags |= FORMAT_MESSAGE_FROM_HMODULE;
 
     _SEH2_TRY
     {
         /*
          * Retrieve the message string without appending extra newlines.
          * Wrap in SEH to protect from invalid string parameters.
          */
         _SEH2_TRY
         {
             dwLength = FormatMessageW(dwFlags,
                                    /* FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_HMODULE |
                                       FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_MAX_WIDTH_MASK, */
                                       hLibrary,
                                       dwMessageId,
                                       LANG_USER_DEFAULT,
                                       (LPWSTR)&lpMsgBuf,
                                       nSize,
                                       Arguments);
         }
         _SEH2_EXCEPT(EXCEPTION_EXECUTE_HANDLER)
         {
             dwLength = 0;
 
             /*
              * An exception occurred while calling FormatMessage, this is usually
              * the sign that a parameter was invalid, either 'lpMsgBuf' was NULL
              * but we did not pass the flag FORMAT_MESSAGE_ALLOCATE_BUFFER, or the
              * array pointer 'Arguments' was NULL or did not contain enough elements,
              * and we did not pass the flag FORMAT_MESSAGE_IGNORE_INSERTS, and the
              * message string expected too many inserts.
              * In this last case only, we can call again FormatMessage but ignore
              * explicitly the inserts. The string that we will return to the user
              * will not be pre-formatted.
              */
             if (((dwFlags & FORMAT_MESSAGE_ALLOCATE_BUFFER) || lpMsgBuf) &&
                 !(dwFlags & FORMAT_MESSAGE_IGNORE_INSERTS))
             {
                 /* Remove any possible harmful flags and always ignore inserts */
                 dwFlags &= ~FORMAT_MESSAGE_ARGUMENT_ARRAY;
                 dwFlags |=  FORMAT_MESSAGE_IGNORE_INSERTS;
 
                 /* If this call also throws an exception, we are really dead */
                 dwLength = FormatMessageW(dwFlags,
                                           hLibrary,
                                           dwMessageId,
                                           LANG_USER_DEFAULT,
                                           (LPWSTR)&lpMsgBuf,
                                           nSize,
                                           NULL /* Arguments */);
             }
         }
         _SEH2_END;
     }
     _SEH2_FINALLY
     {
         FreeLibrary(hLibrary);
     }
     _SEH2_END;
 
     if (dwLength == 0)
     {
         ASSERT(lpMsgBuf == NULL);
         lpMsgBuf = NULL;
     }
     else
     {
         LPWSTR ptr;
 
         ASSERT(lpMsgBuf);
 
         /* Trim any trailing whitespace */
         ptr = lpMsgBuf + dwLength - 1;
         while (iswspace(*ptr))
             *ptr-- = UNICODE_NULL;
     }
 
     return lpMsgBuf;
 }

Referenced by BuildLogListAndFilterList(), and GetMessageStringFromDllList().

◆ GetMessageStringFromDllList()

LPWSTR GetMessageStringFromDllList	(	IN LPCWSTR	lpMessageDllList,
		IN DWORD	dwFlags,
		IN DWORD	dwMessageId,
		IN DWORD	nSize,
		IN va_list *Arguments	OPTIONAL
	)

Definition at line 855 of file eventvwr.c.

 {
     BOOL Success = FALSE;
     SIZE_T cbLength;
     LPWSTR szMessageDllList;
     LPWSTR szDll;
     LPWSTR lpMsgBuf = NULL;
 
     /* Allocate a local buffer for the DLL list that can be tokenized */
     // TODO: Optimize that!! Maybe we can cleverly use lpMessageDllList in read/write mode
     // and cleverly temporarily replace the ';' by UNICODE_NULL, do our job, then reverse the change.
     cbLength = (wcslen(lpMessageDllList) + 1) * sizeof(WCHAR);
     szMessageDllList = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cbLength);
     if (!szMessageDllList)
         return NULL;
     RtlCopyMemory(szMessageDllList, lpMessageDllList, cbLength);
 
     /* Loop through the list of message DLLs */
     szDll = wcstok(szMessageDllList, EVENT_DLL_SEPARATOR);
     while ((szDll != NULL) && !Success)
     {
         // Uses LANG_USER_DEFAULT
         lpMsgBuf = GetMessageStringFromDll(szDll,
                                            dwFlags,
                                            dwMessageId,
                                            nSize,
                                            Arguments);
         if (lpMsgBuf)
         {
             /* The ID was found and the message was formatted */
             Success = TRUE;
             break;
         }
 
         /*
          * The DLL could not be loaded, or the message could not be found,
          * try the next DLL, if any.
          */
         szDll = wcstok(NULL, EVENT_DLL_SEPARATOR);
     }
 
     HeapFree(GetProcessHeap(), 0, szMessageDllList);
 
     return lpMsgBuf;
 }

Referenced by ApplyParameterStringsToMessage(), GetEventCategory(), and GetEventMessage().

◆ GetSelectedFilter()

PEVENTLOGFILTER GetSelectedFilter ( OUT HTREEITEM *phti OPTIONAL )

Definition at line 2441 of file eventvwr.c.

 {
     TVITEMEXW tvItemEx;
     HTREEITEM hti;
 
     if (phti)
         *phti = NULL;
 
     /* Get index of selected item */
     hti = TreeView_GetSelection(hwndTreeView);
     if (hti == NULL)
         return NULL; // No filter
 
     tvItemEx.mask = TVIF_PARAM;
     tvItemEx.hItem = hti;
 
     TreeView_GetItem(hwndTreeView, &tvItemEx);
 
     if (phti)
         *phti = tvItemEx.hItem;
 
     return (PEVENTLOGFILTER)tvItemEx.lParam;
 }

Referenced by WndProc().

◆ InitInstance()

BOOL InitInstance ( HINSTANCE hInstance )

Definition at line 3036 of file eventvwr.c.

 {
     RECT rcClient, rs;
     LONG StatusHeight;
     HIMAGELIST hSmall;
     LVCOLUMNW lvc = {0};
     WCHAR szTemp[256];
 
     /* Create the main window */
     rs = Settings.wpPos.rcNormalPosition;
     hwndMainWindow = CreateWindowW(EVENTVWR_WNDCLASS,
                                    szTitle,
                                    WS_OVERLAPPEDWINDOW | WS_CLIPCHILDREN,
                                    rs.left, rs.top,
                                    (rs.right  != CW_USEDEFAULT && rs.left != CW_USEDEFAULT) ? rs.right - rs.left : CW_USEDEFAULT,
                                    (rs.bottom != CW_USEDEFAULT && rs.top  != CW_USEDEFAULT) ? rs.bottom - rs.top : CW_USEDEFAULT,
                                    NULL,
                                    NULL,
                                    hInstance,
                                    NULL);
     if (!hwndMainWindow)
         return FALSE;
 
     /* Create the status bar */
     hwndStatus = CreateWindowExW(0,                                  // no extended styles
                                  STATUSCLASSNAMEW,                   // status bar
                                  L"",                                // no text
                                  WS_CHILD | WS_VISIBLE | CCS_BOTTOM | SBARS_SIZEGRIP, // styles
                                  0, 0, 0, 0,                         // x, y, cx, cy
                                  hwndMainWindow,                     // parent window
                                  (HMENU)100,                         // window ID
                                  hInstance,                          // instance
                                  NULL);                              // window data
 
     GetClientRect(hwndMainWindow, &rcClient);
     GetWindowRect(hwndStatus, &rs);
     StatusHeight = rs.bottom - rs.top;
 
     /* Create a progress bar in the status bar (hidden by default) */
     StatusBar_GetItemRect(hwndStatus, 0, &rs);
     hwndStatusProgress = CreateWindowExW(0,                          // no extended styles
                                          PROGRESS_CLASSW,            // status bar
                                          NULL,                       // no text
                                          WS_CHILD | PBS_SMOOTH,      // styles
                                          rs.left, rs.top,            // x, y
                                          rs.right - rs.left, rs.bottom - rs.top, // cx, cy
                                          hwndStatus,                 // parent window
                                          NULL,                       // window ID
                                          hInstance,                  // instance
                                          NULL);                      // window data
     /* Remove its static edge */
     SetWindowLongPtrW(hwndStatusProgress, GWL_EXSTYLE,
                       GetWindowLongPtrW(hwndStatusProgress, GWL_EXSTYLE) & ~WS_EX_STATICEDGE);
     ProgressBar_SetStep(hwndStatusProgress, 1);
 
     /* Initialize the splitter default positions */
     nVSplitPos = Settings.nVSplitPos;
     nHSplitPos = Settings.nHSplitPos;
 
     /* Create the TreeView */
     hwndTreeView = CreateWindowExW(WS_EX_CLIENTEDGE,
                                    WC_TREEVIEWW,
                                    NULL,
                                    // WS_CHILD | WS_VISIBLE | TVS_HASLINES | TVS_SHOWSELALWAYS,
                                    WS_CHILD | WS_VISIBLE | /* WS_TABSTOP | */ TVS_HASLINES | TVS_HASBUTTONS | TVS_LINESATROOT | TVS_EDITLABELS | TVS_SHOWSELALWAYS,
                                    0, 0,
                                    nVSplitPos - SPLIT_WIDTH/2,
                                    (rcClient.bottom - rcClient.top) - StatusHeight,
                                    hwndMainWindow,
                                    NULL,
                                    hInstance,
                                    NULL);
 
     /* Create the ImageList */
     hSmall = ImageList_Create(GetSystemMetrics(SM_CXSMICON),
                               GetSystemMetrics(SM_CYSMICON),
                               ILC_COLOR32 | ILC_MASK, // ILC_COLOR24
                               1, 1);
 
     /* Add event type icons to the ImageList: closed/opened folder, event log (normal/viewed) */
     ImageList_AddIcon(hSmall, LoadIconW(hInstance, MAKEINTRESOURCEW(IDI_CLOSED_CATEGORY)));
     ImageList_AddIcon(hSmall, LoadIconW(hInstance, MAKEINTRESOURCEW(IDI_OPENED_CATEGORY)));
     ImageList_AddIcon(hSmall, LoadIconW(hInstance, MAKEINTRESOURCEW(IDI_EVENTLOG)));
     ImageList_AddIcon(hSmall, LoadIconW(hInstance, MAKEINTRESOURCEW(IDI_EVENTVWR)));
 
     /* Assign the ImageList to the Tree View */
     TreeView_SetImageList(hwndTreeView, hSmall, TVSIL_NORMAL);
 
     /* Add the event logs nodes */
     // "System Logs"
     LoadStringW(hInstance, IDS_EVENTLOG_SYSTEM, szTemp, ARRAYSIZE(szTemp));
     htiSystemLogs = TreeViewAddItem(hwndTreeView, NULL, szTemp, 0, 1, (LPARAM)NULL);
     // "Application Logs"
     LoadStringW(hInstance, IDS_EVENTLOG_APP, szTemp, ARRAYSIZE(szTemp));
     htiAppLogs = TreeViewAddItem(hwndTreeView, NULL, szTemp, 0, 1, (LPARAM)NULL);
     // "User Logs"
     LoadStringW(hInstance, IDS_EVENTLOG_USER, szTemp, ARRAYSIZE(szTemp));
     htiUserLogs = TreeViewAddItem(hwndTreeView, NULL, szTemp, 0, 1, (LPARAM)NULL);
 
     /* Create the Event details pane (optional) */
     hwndEventDetails = CreateEventDetailsCtrl(hInst, hwndMainWindow, (LPARAM)NULL);
     if (hwndEventDetails)
     {
     SetWindowLongPtrW(hwndEventDetails, GWL_EXSTYLE,
                       GetWindowLongPtrW(hwndEventDetails, GWL_EXSTYLE) | WS_EX_CLIENTEDGE);
     SetWindowPos(hwndEventDetails, NULL,
                  nVSplitPos + SPLIT_WIDTH/2,
                  nHSplitPos + SPLIT_WIDTH/2,
                  (rcClient.right - rcClient.left) - nVSplitPos - SPLIT_WIDTH/2,
                  (rcClient.bottom - rcClient.top) - nHSplitPos - SPLIT_WIDTH/2 - StatusHeight,
                  SWP_NOZORDER | SWP_NOACTIVATE | (Settings.bShowDetailsPane ? SWP_SHOWWINDOW : SWP_HIDEWINDOW));
     }
 
     /* Create the ListView */
     hwndListView = CreateWindowExW(WS_EX_CLIENTEDGE,
                                    WC_LISTVIEWW,
                                    NULL,
                                    WS_CHILD | WS_VISIBLE | LVS_SHOWSELALWAYS | LVS_REPORT,
                                    nVSplitPos + SPLIT_WIDTH/2,
                                    0,
                                    (rcClient.right - rcClient.left) - nVSplitPos - SPLIT_WIDTH/2,
                                    hwndEventDetails && Settings.bShowDetailsPane
                                        ? nHSplitPos - SPLIT_WIDTH/2
                                        : (rcClient.bottom - rcClient.top) - StatusHeight,
                                    hwndMainWindow,
                                    NULL,
                                    hInstance,
                                    NULL);
 
     /* Add the extended ListView styles */
     ListView_SetExtendedListViewStyle(hwndListView, LVS_EX_HEADERDRAGDROP | LVS_EX_FULLROWSELECT | LVS_EX_LABELTIP | (Settings.bShowGrid ? LVS_EX_GRIDLINES : 0));
 
     /* Create the ImageList */
     hSmall = ImageList_Create(GetSystemMetrics(SM_CXSMICON),
                               GetSystemMetrics(SM_CYSMICON),
                               ILC_COLOR32 | ILC_MASK, // ILC_COLOR24
                               1, 1);
 
     /* Add event type icons to the ImageList */
     ImageList_AddIcon(hSmall, LoadIconW(hInstance, MAKEINTRESOURCEW(IDI_INFORMATIONICON)));
     ImageList_AddIcon(hSmall, LoadIconW(hInstance, MAKEINTRESOURCEW(IDI_WARNINGICON)));
     ImageList_AddIcon(hSmall, LoadIconW(hInstance, MAKEINTRESOURCEW(IDI_ERRORICON)));
     ImageList_AddIcon(hSmall, LoadIconW(hInstance, MAKEINTRESOURCEW(IDI_AUDITSUCCESSICON)));
     ImageList_AddIcon(hSmall, LoadIconW(hInstance, MAKEINTRESOURCEW(IDI_AUDITFAILUREICON)));
 
     /* Assign the ImageList to the List View */
     ListView_SetImageList(hwndListView, hSmall, LVSIL_SMALL);
 
     /* Now set up the listview with its columns */
     lvc.mask = LVCF_TEXT | LVCF_WIDTH;
     lvc.cx = 90;
     LoadStringW(hInstance,
                 IDS_COLUMNTYPE,
                 szTemp,
                 ARRAYSIZE(szTemp));
     lvc.pszText = szTemp;
     ListView_InsertColumn(hwndListView, 0, &lvc);
 
     lvc.cx = 70;
     LoadStringW(hInstance,
                 IDS_COLUMNDATE,
                 szTemp,
                 ARRAYSIZE(szTemp));
     lvc.pszText = szTemp;
     ListView_InsertColumn(hwndListView, 1, &lvc);
 
     lvc.cx = 70;
     LoadStringW(hInstance,
                 IDS_COLUMNTIME,
                 szTemp,
                 ARRAYSIZE(szTemp));
     lvc.pszText = szTemp;
     ListView_InsertColumn(hwndListView, 2, &lvc);
 
     lvc.cx = 150;
     LoadStringW(hInstance,
                 IDS_COLUMNSOURCE,
                 szTemp,
                 ARRAYSIZE(szTemp));
     lvc.pszText = szTemp;
     ListView_InsertColumn(hwndListView, 3, &lvc);
 
     lvc.cx = 100;
     LoadStringW(hInstance,
                 IDS_COLUMNCATEGORY,
                 szTemp,
                 ARRAYSIZE(szTemp));
     lvc.pszText = szTemp;
     ListView_InsertColumn(hwndListView, 4, &lvc);
 
     lvc.cx = 60;
     LoadStringW(hInstance,
                 IDS_COLUMNEVENT,
                 szTemp,
                 ARRAYSIZE(szTemp));
     lvc.pszText = szTemp;
     ListView_InsertColumn(hwndListView, 5, &lvc);
 
     lvc.cx = 120;
     LoadStringW(hInstance,
                 IDS_COLUMNUSER,
                 szTemp,
                 ARRAYSIZE(szTemp));
     lvc.pszText = szTemp;
     ListView_InsertColumn(hwndListView, 6, &lvc);
 
     lvc.cx = 100;
     LoadStringW(hInstance,
                 IDS_COLUMNCOMPUTER,
                 szTemp,
                 ARRAYSIZE(szTemp));
     lvc.pszText = szTemp;
     ListView_InsertColumn(hwndListView, 7, &lvc);
 
     /* Initialize the save Dialog */
     ZeroMemory(&sfn, sizeof(sfn));
     ZeroMemory(szSaveFilter, sizeof(szSaveFilter));
 
     LoadStringW(hInst, IDS_SAVE_FILTER, szSaveFilter, ARRAYSIZE(szSaveFilter));
 
     sfn.lStructSize     = sizeof(sfn);
     sfn.hwndOwner       = hwndMainWindow;
     sfn.hInstance       = hInstance;
     sfn.lpstrFilter     = szSaveFilter;
     sfn.lpstrInitialDir = NULL;
     sfn.Flags           = OFN_HIDEREADONLY | OFN_SHAREAWARE;
     sfn.lpstrDefExt     = NULL;
 
     ShowWindow(hwndMainWindow, Settings.wpPos.showCmd);
     UpdateWindow(hwndMainWindow);
 
     return TRUE;
 }

Classes

Macros

Typedefs

Functions

Variables

Macro Definition Documentation

◆ EVENT_CATEGORY_MESSAGE_FILE

◆ EVENT_DLL_SEPARATOR

◆ EVENT_MESSAGE_EVENTTEXT_BUFFER

◆ EVENT_MESSAGE_FILE

◆ EVENT_MESSAGE_FILE_BUFFER

◆ EVENT_PARAMETER_MESSAGE_FILE

◆ LVM_PROGRESS

◆ MAX_LOADSTRING

◆ SPLIT_WIDTH

Typedef Documentation

◆ PSETTINGS

◆ SETTINGS

Function Documentation

◆ AllocAndCopyMultiStr()

◆ AllocEventLog()

◆ AllocEventLogFilter()

◆ ApplyParameterStringsToMessage()

◆ BuildLogListAndFilterList()

◆ ClearEvents()

◆ CloseUserEventLog()

◆ DisplayUsage()

◆ EnumEvents()

◆ EnumEventsThread()

◆ EventDetails()

◆ EventLog_Free()

◆ EventLogFilter_AddRef()

◆ EventLogFilter_Free()

◆ EventLogFilter_Release()

◆ EventLogProperties()

◆ EventLogPropProc()

◆ EventTimeToSystemTime()

◆ FilterByString()

◆ FilterByType()

◆ FormatByteSize()

◆ FormatFileSizeWithBytes()

◆ FormatInteger()

◆ FreeLogFilterList()

◆ FreeLogList()

◆ FreeRecords()

◆ GetDisplayNameFileAndID()

◆ GetEventCategory()

◆ GetEventMessage()

◆ GetEventMessageFileDLL()

◆ GetEventType()

◆ GetEventUserName()

◆ GetExpandedFilePathName()

◆ GetFileTimeString()

◆ GetMessageStringFromDll()

◆ GetMessageStringFromDllList()

◆ GetSelectedFilter()

◆ InitInstance()