evtlib.c

Go to the documentation of this file.

/*
 * PROJECT:         ReactOS EventLog File Library
 * LICENSE:         GPL - See COPYING in the top level directory
 * FILE:            sdk/lib/evtlib/evtlib.c
 * PURPOSE:         Provides functionality for reading and writing
 *                  EventLog files in the NT <= 5.2 (.evt) format.
 * PROGRAMMERS:     Copyright 2005 Saveliy Tretiakov
 *                  Michael Martin
 *                  Hermes Belusca-Maito
 */

/* INCLUDES ******************************************************************/

#include "evtlib.h"

#define NDEBUG
#include <debug.h>

#define EVTLTRACE(...)  DPRINT("EvtLib: " __VA_ARGS__)
// Once things become stabilized enough, replace all the EVTLTRACE1 by EVTLTRACE
#define EVTLTRACE1(...)  DPRINT1("EvtLib: " __VA_ARGS__)


/* GLOBALS *******************************************************************/

static const EVENTLOGEOF EOFRecord =
{
    sizeof(EOFRecord),
    0x11111111, 0x22222222, 0x33333333, 0x44444444,
    0, 0, 0, 0,
    sizeof(EOFRecord)
};

/* HELPER FUNCTIONS **********************************************************/

static NTSTATUS
ReadLogBuffer(
    IN  PEVTLOGFILE LogFile,
    OUT PVOID   Buffer,
    IN  SIZE_T  Length,
    OUT PSIZE_T ReadLength OPTIONAL,
    IN  PLARGE_INTEGER ByteOffset,
    OUT PLARGE_INTEGER NextOffset OPTIONAL)
{
    NTSTATUS Status;
    LARGE_INTEGER FileOffset;
    SIZE_T BufSize;
    SIZE_T ReadBufLength = 0, OldReadBufLength;

    ASSERT(LogFile->CurrentSize <= LogFile->Header.MaxSize);
    ASSERT(ByteOffset->QuadPart <= LogFile->CurrentSize);

    if (ReadLength)
        *ReadLength = 0;

    if (NextOffset)
        NextOffset->QuadPart = 0LL;

    /* Read the first part of the buffer */
    FileOffset = *ByteOffset;
    BufSize = min(Length, LogFile->CurrentSize - FileOffset.QuadPart);

    Status = LogFile->FileRead(LogFile,
                               &FileOffset,
                               Buffer,
                               BufSize,
                               &ReadBufLength);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE("FileRead() failed (Status 0x%08lx)\n", Status);
        return Status;
    }

    if (Length > BufSize)
    {
        OldReadBufLength = ReadBufLength;

        /*
         * The buffer was splitted in two, its second part
         * is to be read at the beginning of the log.
         */
        Buffer = (PVOID)((ULONG_PTR)Buffer + BufSize);
        BufSize = Length - BufSize;
        FileOffset.QuadPart = sizeof(EVENTLOGHEADER);

        Status = LogFile->FileRead(LogFile,
                                   &FileOffset,
                                   Buffer,
                                   BufSize,
                                   &ReadBufLength);
        if (!NT_SUCCESS(Status))
        {
            EVTLTRACE("FileRead() failed (Status 0x%08lx)\n", Status);
            return Status;
        }
        /* Add the read number of bytes from the first read */
        ReadBufLength += OldReadBufLength;
    }

    if (ReadLength)
        *ReadLength = ReadBufLength;

    /* We return the offset just after the end of the read buffer */
    if (NextOffset)
        NextOffset->QuadPart = FileOffset.QuadPart + BufSize;

    return Status;
}

static NTSTATUS
WriteLogBuffer(
    IN  PEVTLOGFILE LogFile,
    IN  PVOID   Buffer,
    IN  SIZE_T  Length,
    OUT PSIZE_T WrittenLength OPTIONAL,
    IN  PLARGE_INTEGER ByteOffset,
    OUT PLARGE_INTEGER NextOffset OPTIONAL)
{
    NTSTATUS Status;
    LARGE_INTEGER FileOffset;
    SIZE_T BufSize;
    SIZE_T WrittenBufLength = 0, OldWrittenBufLength;

    /* We must have write access to the log file */
    ASSERT(!LogFile->ReadOnly);

    /*
     * It is expected that the log file is already correctly expanded
     * before we can write in it. Therefore the following assertions hold.
     */
    ASSERT(LogFile->CurrentSize <= LogFile->Header.MaxSize);
    ASSERT(ByteOffset->QuadPart <= LogFile->CurrentSize);

    if (WrittenLength)
        *WrittenLength = 0;

    if (NextOffset)
        NextOffset->QuadPart = 0LL;

    /* Write the first part of the buffer */
    FileOffset = *ByteOffset;
    BufSize = min(Length, LogFile->CurrentSize - FileOffset.QuadPart);

    Status = LogFile->FileWrite(LogFile,
                                &FileOffset,
                                Buffer,
                                BufSize,
                                &WrittenBufLength);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE("FileWrite() failed (Status 0x%08lx)\n", Status);
        return Status;
    }

    if (Length > BufSize)
    {
        OldWrittenBufLength = WrittenBufLength;

        /*
         * The buffer was splitted in two, its second part
         * is written at the beginning of the log.
         */
        Buffer = (PVOID)((ULONG_PTR)Buffer + BufSize);
        BufSize = Length - BufSize;
        FileOffset.QuadPart = sizeof(EVENTLOGHEADER);

        Status = LogFile->FileWrite(LogFile,
                                    &FileOffset,
                                    Buffer,
                                    BufSize,
                                    &WrittenBufLength);
        if (!NT_SUCCESS(Status))
        {
            EVTLTRACE("FileWrite() failed (Status 0x%08lx)\n", Status);
            return Status;
        }
        /* Add the written number of bytes from the first write */
        WrittenBufLength += OldWrittenBufLength;

        /* The log wraps */
        LogFile->Header.Flags |= ELF_LOGFILE_HEADER_WRAP;
    }

    if (WrittenLength)
        *WrittenLength = WrittenBufLength;

    /* We return the offset just after the end of the written buffer */
    if (NextOffset)
        NextOffset->QuadPart = FileOffset.QuadPart + BufSize;

    return Status;
}


/* Returns 0 if nothing is found */
static ULONG
ElfpOffsetByNumber(
    IN PEVTLOGFILE LogFile,
    IN ULONG RecordNumber)
{
    UINT i;

    for (i = 0; i < LogFile->OffsetInfoNext; i++)
    {
        if (LogFile->OffsetInfo[i].EventNumber == RecordNumber)
            return LogFile->OffsetInfo[i].EventOffset;
    }
    return 0;
}

#define OFFSET_INFO_INCREMENT   64

static BOOL
ElfpAddOffsetInformation(
    IN PEVTLOGFILE LogFile,
    IN ULONG ulNumber,
    IN ULONG ulOffset)
{
    PVOID NewOffsetInfo;

    if (LogFile->OffsetInfoNext == LogFile->OffsetInfoSize)
    {
        /* Allocate a new offset table */
        NewOffsetInfo = LogFile->Allocate((LogFile->OffsetInfoSize + OFFSET_INFO_INCREMENT) *
                                              sizeof(EVENT_OFFSET_INFO),
                                          HEAP_ZERO_MEMORY,
                                          TAG_ELF);
        if (!NewOffsetInfo)
        {
            EVTLTRACE1("Cannot reallocate heap.\n");
            return FALSE;
        }

        /* Free the old offset table and use the new one */
        if (LogFile->OffsetInfo)
        {
            /* Copy the handles from the old table to the new one */
            RtlCopyMemory(NewOffsetInfo,
                          LogFile->OffsetInfo,
                          LogFile->OffsetInfoSize * sizeof(EVENT_OFFSET_INFO));
            LogFile->Free(LogFile->OffsetInfo, 0, TAG_ELF);
        }
        LogFile->OffsetInfo = (PEVENT_OFFSET_INFO)NewOffsetInfo;
        LogFile->OffsetInfoSize += OFFSET_INFO_INCREMENT;
    }

    LogFile->OffsetInfo[LogFile->OffsetInfoNext].EventNumber = ulNumber;
    LogFile->OffsetInfo[LogFile->OffsetInfoNext].EventOffset = ulOffset;
    LogFile->OffsetInfoNext++;

    return TRUE;
}

static BOOL
ElfpDeleteOffsetInformation(
    IN PEVTLOGFILE LogFile,
    IN ULONG ulNumberMin,
    IN ULONG ulNumberMax)
{
    UINT i;

    if (ulNumberMin > ulNumberMax)
        return FALSE;

    /* Remove records ulNumberMin to ulNumberMax inclusive */
    while (ulNumberMin <= ulNumberMax)
    {
        /*
         * As the offset information is listed in increasing order, and we want
         * to keep the list without holes, we demand that ulNumberMin is the first
         * element in the list.
         */
        if (ulNumberMin != LogFile->OffsetInfo[0].EventNumber)
            return FALSE;

        /*
         * RtlMoveMemory(&LogFile->OffsetInfo[0],
         *               &LogFile->OffsetInfo[1],
         *               sizeof(EVENT_OFFSET_INFO) * (LogFile->OffsetInfoNext - 1));
         */
        for (i = 0; i < LogFile->OffsetInfoNext - 1; i++)
        {
            LogFile->OffsetInfo[i].EventNumber = LogFile->OffsetInfo[i + 1].EventNumber;
            LogFile->OffsetInfo[i].EventOffset = LogFile->OffsetInfo[i + 1].EventOffset;
        }
        LogFile->OffsetInfoNext--;

        /* Go to the next offset information */
        ulNumberMin++;
    }

    return TRUE;
}


static NTSTATUS
ElfpInitNewFile(
    IN PEVTLOGFILE LogFile,
    IN ULONG FileSize,
    IN ULONG MaxSize,
    IN ULONG Retention)
{
    NTSTATUS Status;
    LARGE_INTEGER FileOffset;
    SIZE_T WrittenLength;
    EVENTLOGEOF EofRec;

    /* Initialize the event log header */
    RtlZeroMemory(&LogFile->Header, sizeof(EVENTLOGHEADER));

    LogFile->Header.HeaderSize = sizeof(EVENTLOGHEADER);
    LogFile->Header.Signature  = LOGFILE_SIGNATURE;
    LogFile->Header.MajorVersion = MAJORVER;
    LogFile->Header.MinorVersion = MINORVER;

    /* Set the offset to the oldest record */
    LogFile->Header.StartOffset = sizeof(EVENTLOGHEADER);
    /* Set the offset to the ELF_EOF_RECORD */
    LogFile->Header.EndOffset = sizeof(EVENTLOGHEADER);
    /* Set the number of the next record that will be added */
    LogFile->Header.CurrentRecordNumber = 1;
    /* The event log is empty, there is no record so far */
    LogFile->Header.OldestRecordNumber = 0;

    // FIXME: Windows' EventLog log file sizes are always multiple of 64kB
    // but that does not mean the real log size is == file size.

    /* Round MaxSize to be a multiple of ULONG (normally on Windows: multiple of 64 kB) */
    LogFile->Header.MaxSize = ROUND_UP(MaxSize, sizeof(ULONG));
    LogFile->CurrentSize = LogFile->Header.MaxSize; // or: FileSize ??
    LogFile->FileSetSize(LogFile, LogFile->CurrentSize, 0);

    LogFile->Header.Flags = 0;
    LogFile->Header.Retention = Retention;
    LogFile->Header.EndHeaderSize = sizeof(EVENTLOGHEADER);

    /* Write the header */
    FileOffset.QuadPart = 0LL;
    Status = LogFile->FileWrite(LogFile,
                                &FileOffset,
                                &LogFile->Header,
                                sizeof(EVENTLOGHEADER),
                                &WrittenLength);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE1("FileWrite() failed (Status 0x%08lx)\n", Status);
        return Status;
    }

    /* Initialize the ELF_EOF_RECORD and write it */
    RtlCopyMemory(&EofRec, &EOFRecord, sizeof(EOFRecord));
    EofRec.BeginRecord = LogFile->Header.StartOffset;
    EofRec.EndRecord   = LogFile->Header.EndOffset;
    EofRec.CurrentRecordNumber = LogFile->Header.CurrentRecordNumber;
    EofRec.OldestRecordNumber  = LogFile->Header.OldestRecordNumber;

    Status = LogFile->FileWrite(LogFile,
                                NULL,
                                &EofRec,
                                sizeof(EofRec),
                                &WrittenLength);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE1("FileWrite() failed (Status 0x%08lx)\n", Status);
        return Status;
    }

    Status = LogFile->FileFlush(LogFile, NULL, 0);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE1("FileFlush() failed (Status 0x%08lx)\n", Status);
        return Status;
    }

    return STATUS_SUCCESS;
}

static NTSTATUS
ElfpInitExistingFile(
    IN PEVTLOGFILE LogFile,
    IN ULONG FileSize,
    // IN ULONG MaxSize,
    IN ULONG Retention)
{
    NTSTATUS Status;
    LARGE_INTEGER FileOffset, NextOffset;
    SIZE_T ReadLength;
    ULONG RecordNumber = 0;
    ULONG RecOffset;
    PULONG pRecSize2;
    EVENTLOGEOF EofRec;
    EVENTLOGRECORD RecBuf;
    PEVENTLOGRECORD pRecBuf;
    BOOLEAN Wrapping = FALSE;
    BOOLEAN IsLogDirty = FALSE;

    /* Read the log header */
    FileOffset.QuadPart = 0LL;
    Status = LogFile->FileRead(LogFile,
                               &FileOffset,
                               &LogFile->Header,
                               sizeof(EVENTLOGHEADER),
                               &ReadLength);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE1("FileRead() failed (Status 0x%08lx)\n", Status);
        return STATUS_EVENTLOG_FILE_CORRUPT; // return Status;
    }
    if (ReadLength != sizeof(EVENTLOGHEADER))
    {
        EVTLTRACE("Invalid file `%wZ'.\n", &LogFile->FileName);
        return STATUS_EVENTLOG_FILE_CORRUPT;
    }

    /* Header validity checks */

    if (LogFile->Header.HeaderSize != sizeof(EVENTLOGHEADER) ||
        LogFile->Header.EndHeaderSize != sizeof(EVENTLOGHEADER))
    {
        EVTLTRACE("Invalid header size in `%wZ'.\n", &LogFile->FileName);
        return STATUS_EVENTLOG_FILE_CORRUPT;
    }

    if (LogFile->Header.Signature != LOGFILE_SIGNATURE)
    {
        EVTLTRACE("Invalid signature %x in `%wZ'.\n",
               LogFile->Header.Signature, &LogFile->FileName);
        return STATUS_EVENTLOG_FILE_CORRUPT;
    }

    IsLogDirty = (LogFile->Header.Flags & ELF_LOGFILE_HEADER_DIRTY);

    /* If the log is read-only (e.g. a backup log) and is dirty, then it is corrupted */
    if (LogFile->ReadOnly && IsLogDirty)
    {
        EVTLTRACE("Read-only log `%wZ' is dirty.\n", &LogFile->FileName);
        return STATUS_EVENTLOG_FILE_CORRUPT;
    }

    LogFile->CurrentSize = FileSize;
    // FIXME!! What to do? And what to do if the MaxSize from the registry
    // is strictly less than the CurrentSize?? Should we "reduce" the log size
    // by clearing it completely??
    // --> ANSWER: Save the new MaxSize somewhere, and only when the log is
    //     being cleared, use the new MaxSize to resize (ie. shrink) it.
    // LogFile->FileSetSize(LogFile, LogFile->CurrentSize, 0);

    /* Adjust the log maximum size if needed */
    if (LogFile->CurrentSize > LogFile->Header.MaxSize)
        LogFile->Header.MaxSize = LogFile->CurrentSize;

    /*
     * Reset the log retention value. The value stored
     * in the log file is just for information purposes.
     */
    LogFile->Header.Retention = Retention;

    /*
     * For a non-read-only dirty log, the most up-to-date information about
     * the Start/End offsets and the Oldest and Current event record numbers
     * are found in the EOF record. We need to locate the EOF record without
     * relying on the log header's EndOffset, then patch the log header with
     * the values from the EOF record.
     */
    if ((LogFile->Header.EndOffset >= sizeof(EVENTLOGHEADER)) &&
        (LogFile->Header.EndOffset <  LogFile->CurrentSize) &&
        (LogFile->Header.EndOffset & 3) == 0) // EndOffset % sizeof(ULONG) == 0
    {
        /* The header EOF offset may be valid, try to start with it */
        RecOffset = LogFile->Header.EndOffset;
    }
    else
    {
        /* The header EOF offset could not be valid, so start from the beginning */
        RecOffset = sizeof(EVENTLOGHEADER);
    }

    FileOffset.QuadPart = RecOffset;
    Wrapping = FALSE;

    for (;;)
    {
        if (Wrapping && FileOffset.QuadPart >= RecOffset)
        {
            EVTLTRACE1("EOF record not found!\n");
            return STATUS_EVENTLOG_FILE_CORRUPT;
        }

        /* Attempt to read the fixed part of an EVENTLOGEOF (may wrap) */
        Status = ReadLogBuffer(LogFile,
                               &EofRec,
                               EVENTLOGEOF_SIZE_FIXED,
                               &ReadLength,
                               &FileOffset,
                               NULL);
        if (!NT_SUCCESS(Status))
        {
            EVTLTRACE1("ReadLogBuffer failed (Status 0x%08lx)\n", Status);
            return STATUS_EVENTLOG_FILE_CORRUPT;
        }
        if (ReadLength != EVENTLOGEOF_SIZE_FIXED)
        {
            EVTLTRACE1("Cannot read at most an EOF record!\n");
            return STATUS_EVENTLOG_FILE_CORRUPT;
        }

        /* Is it an EVENTLOGEOF record? */
        if (RtlCompareMemory(&EofRec, &EOFRecord, EVENTLOGEOF_SIZE_FIXED) == EVENTLOGEOF_SIZE_FIXED)
        {
            DPRINT("Found EOF record at %llx\n", FileOffset.QuadPart);

            /* Got it! Break the loop and continue */
            break;
        }

        /* No, continue looping */
        if (*(PULONG)((ULONG_PTR)&EofRec + sizeof(ULONG)) == *(PULONG)(&EOFRecord))
            FileOffset.QuadPart += sizeof(ULONG);
        else
        if (*(PULONG)((ULONG_PTR)&EofRec + 2*sizeof(ULONG)) == *(PULONG)(&EOFRecord))
            FileOffset.QuadPart += 2*sizeof(ULONG);
        else
        if (*(PULONG)((ULONG_PTR)&EofRec + 3*sizeof(ULONG)) == *(PULONG)(&EOFRecord))
            FileOffset.QuadPart += 3*sizeof(ULONG);
        else
        if (*(PULONG)((ULONG_PTR)&EofRec + 4*sizeof(ULONG)) == *(PULONG)(&EOFRecord))
            FileOffset.QuadPart += 4*sizeof(ULONG);
        else
            FileOffset.QuadPart += 5*sizeof(ULONG); // EVENTLOGEOF_SIZE_FIXED

        if (FileOffset.QuadPart >= LogFile->CurrentSize /* LogFile->Header.MaxSize */)
        {
            /* Wrap the offset */
            FileOffset.QuadPart -= LogFile->CurrentSize /* LogFile->Header.MaxSize */ - sizeof(EVENTLOGHEADER);
            Wrapping = TRUE;
        }
    }
    /*
     * The only way to be there is to have found a valid EOF record.
     * Otherwise the previous loop has failed and STATUS_EVENTLOG_FILE_CORRUPT
     * was returned.
     */

    /* Read the full EVENTLOGEOF (may wrap) and validate it */
    Status = ReadLogBuffer(LogFile,
                           &EofRec,
                           sizeof(EofRec),
                           &ReadLength,
                           &FileOffset,
                           NULL);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE1("ReadLogBuffer failed (Status 0x%08lx)\n", Status);
        return STATUS_EVENTLOG_FILE_CORRUPT;
    }
    if (ReadLength != sizeof(EofRec))
    {
        EVTLTRACE1("Cannot read the full EOF record!\n");
        return STATUS_EVENTLOG_FILE_CORRUPT;
    }

    /* Complete validity checks */
    if ((EofRec.RecordSizeEnd != EofRec.RecordSizeBeginning) ||
        (EofRec.EndRecord != FileOffset.QuadPart))
    {
        DPRINT1("EOF record %llx is corrupted (0x%x vs. 0x%x ; 0x%x vs. 0x%llx), expected 0x%x 0x%x!\n",
                FileOffset.QuadPart,
                EofRec.RecordSizeEnd, EofRec.RecordSizeBeginning,
                EofRec.EndRecord, FileOffset.QuadPart,
                EOFRecord.RecordSizeEnd, EOFRecord.RecordSizeBeginning);
        DPRINT1("RecordSizeEnd = 0x%x\n", EofRec.RecordSizeEnd);
        DPRINT1("RecordSizeBeginning = 0x%x\n", EofRec.RecordSizeBeginning);
        DPRINT1("EndRecord = 0x%x\n", EofRec.EndRecord);
        return STATUS_EVENTLOG_FILE_CORRUPT;
    }

    /* The EOF record is valid, break the loop and continue */

    /* If the log is not dirty, the header values should correspond to the EOF ones */
    if (!IsLogDirty)
    {
        if ( (LogFile->Header.StartOffset != EofRec.BeginRecord) ||
             (LogFile->Header.EndOffset   != EofRec.EndRecord)   ||
             (LogFile->Header.CurrentRecordNumber != EofRec.CurrentRecordNumber) ||
             (LogFile->Header.OldestRecordNumber  != EofRec.OldestRecordNumber) )
        {
            DPRINT1("\n"
                    "Log header or EOF record is corrupted:\n"
                    "    StartOffset: 0x%x, expected 0x%x; EndOffset: 0x%x, expected 0x%x;\n"
                    "    CurrentRecordNumber: %d, expected %d; OldestRecordNumber: %d, expected %d.\n",
                    LogFile->Header.StartOffset, EofRec.BeginRecord,
                    LogFile->Header.EndOffset  , EofRec.EndRecord,
                    LogFile->Header.CurrentRecordNumber, EofRec.CurrentRecordNumber,
                    LogFile->Header.OldestRecordNumber , EofRec.OldestRecordNumber);

            return STATUS_EVENTLOG_FILE_CORRUPT;
        }
    }

    /* If the log is dirty, patch the log header with the values from the EOF record */
    if (!LogFile->ReadOnly && IsLogDirty)
    {
        LogFile->Header.StartOffset = EofRec.BeginRecord;
        LogFile->Header.EndOffset   = EofRec.EndRecord;
        LogFile->Header.CurrentRecordNumber = EofRec.CurrentRecordNumber;
        LogFile->Header.OldestRecordNumber  = EofRec.OldestRecordNumber;
    }

    /*
     * FIXME! During operations the EOF record is the one that is the most
     * updated (its Oldest & Current record numbers are always up-to
     * date) while the ones from the header may be unsync. When closing
     * (or flushing?) the event log, the header's record numbers get
     * updated with the same values as the ones stored in the EOF record.
     */

    /* Verify Start/End offsets boundaries */

    if ((LogFile->Header.StartOffset >= LogFile->CurrentSize) ||
        (LogFile->Header.StartOffset & 3) != 0) // StartOffset % sizeof(ULONG) != 0
    {
        EVTLTRACE("Invalid start offset 0x%x in `%wZ'.\n",
               LogFile->Header.StartOffset, &LogFile->FileName);
        return STATUS_EVENTLOG_FILE_CORRUPT;
    }
    if ((LogFile->Header.EndOffset >= LogFile->CurrentSize) ||
        (LogFile->Header.EndOffset & 3) != 0) // EndOffset % sizeof(ULONG) != 0
    {
        EVTLTRACE("Invalid EOF offset 0x%x in `%wZ'.\n",
               LogFile->Header.EndOffset, &LogFile->FileName);
        return STATUS_EVENTLOG_FILE_CORRUPT;
    }

    if ((LogFile->Header.StartOffset != LogFile->Header.EndOffset) &&
        (LogFile->Header.MaxSize - LogFile->Header.StartOffset < sizeof(EVENTLOGRECORD)))
    {
        /*
         * If StartOffset does not point to EndOffset i.e. to an EVENTLOGEOF,
         * it should point to a non-splitted EVENTLOGRECORD.
         */
        EVTLTRACE("Invalid start offset 0x%x in `%wZ'.\n",
               LogFile->Header.StartOffset, &LogFile->FileName);
        return STATUS_EVENTLOG_FILE_CORRUPT;
    }

    if ((LogFile->Header.StartOffset < LogFile->Header.EndOffset) &&
        (LogFile->Header.EndOffset - LogFile->Header.StartOffset < sizeof(EVENTLOGRECORD)))
    {
        /*
         * In non-wrapping case, there must be enough space between StartOffset
         * and EndOffset to contain at least a full EVENTLOGRECORD.
         */
        EVTLTRACE("Invalid start offset 0x%x or end offset 0x%x in `%wZ'.\n",
               LogFile->Header.StartOffset, LogFile->Header.EndOffset, &LogFile->FileName);
        return STATUS_EVENTLOG_FILE_CORRUPT;
    }

    if (LogFile->Header.StartOffset <= LogFile->Header.EndOffset)
    {
        /*
         * Non-wrapping case: the (wrapping) free space starting at EndOffset
         * must be able to contain an EVENTLOGEOF.
         */
        if (LogFile->Header.MaxSize - LogFile->Header.EndOffset +
            LogFile->Header.StartOffset - sizeof(EVENTLOGHEADER) < sizeof(EVENTLOGEOF))
        {
            EVTLTRACE("Invalid EOF offset 0x%x in `%wZ'.\n",
                   LogFile->Header.EndOffset, &LogFile->FileName);
            return STATUS_EVENTLOG_FILE_CORRUPT;
        }
    }
    else // if (LogFile->Header.StartOffset > LogFile->Header.EndOffset)
    {
        /*
         * Wrapping case: the free space between EndOffset and StartOffset
         * must be able to contain an EVENTLOGEOF.
         */
        if (LogFile->Header.StartOffset - LogFile->Header.EndOffset < sizeof(EVENTLOGEOF))
        {
            EVTLTRACE("Invalid EOF offset 0x%x in `%wZ'.\n",
                   LogFile->Header.EndOffset, &LogFile->FileName);
            return STATUS_EVENTLOG_FILE_CORRUPT;
        }
    }

    /* Start enumerating the event records from the beginning */
    RecOffset = LogFile->Header.StartOffset;
    FileOffset.QuadPart = RecOffset;
    Wrapping = FALSE;

    // // FIXME! FIXME!
    // if (!(LogFile->Header.Flags & ELF_LOGFILE_HEADER_WRAP))
    // {
        // DPRINT1("Log file was wrapping but the flag was not set! Fixing...\n");
        // LogFile->Header.Flags |= ELF_LOGFILE_HEADER_WRAP;
    // }

    DPRINT("StartOffset = 0x%x, EndOffset = 0x%x\n",
           LogFile->Header.StartOffset, LogFile->Header.EndOffset);

    /*
     * For non-read-only logs of size < MaxSize, reorganize the events
     * such that they do not wrap as soon as we write new ones.
     */
#if 0
    if (!LogFile->ReadOnly)
    {
        pRecBuf = LogFile->Allocate(RecBuf.Length, 0, TAG_ELF_BUF);
        if (pRecBuf == NULL)
        {
            DPRINT1("Cannot allocate temporary buffer, skip event reorganization.\n");
            goto Continue;
        }

        // TODO: Do the job!
    }

Continue:

    DPRINT1("StartOffset = 0x%x, EndOffset = 0x%x\n",
            LogFile->Header.StartOffset, LogFile->Header.EndOffset);
#endif

    while (FileOffset.QuadPart != LogFile->Header.EndOffset)
    {
        if (Wrapping && FileOffset.QuadPart >= RecOffset)
        {
            /* We have finished enumerating all the event records */
            break;
        }

        /* Read the next EVENTLOGRECORD header at once (it cannot be split) */
        Status = LogFile->FileRead(LogFile,
                                   &FileOffset,
                                   &RecBuf,
                                   sizeof(RecBuf),
                                   &ReadLength);
        if (!NT_SUCCESS(Status))
        {
            EVTLTRACE1("FileRead() failed (Status 0x%08lx)\n", Status);
            return STATUS_EVENTLOG_FILE_CORRUPT;
        }
        if (ReadLength != sizeof(RecBuf))
        {
            DPRINT1("Length != sizeof(RecBuf)\n");
            break;
        }

        if (RecBuf.Reserved != LOGFILE_SIGNATURE ||
            RecBuf.Length < sizeof(EVENTLOGRECORD))
        {
            DPRINT1("RecBuf problem\n");
            break;
        }

        /* Allocate a full EVENTLOGRECORD (header + data) */
        pRecBuf = LogFile->Allocate(RecBuf.Length, 0, TAG_ELF_BUF);
        if (pRecBuf == NULL)
        {
            EVTLTRACE1("Cannot allocate heap!\n");
            return STATUS_NO_MEMORY;
        }

        /* Attempt to read the full EVENTLOGRECORD (can wrap) */
        Status = ReadLogBuffer(LogFile,
                               pRecBuf,
                               RecBuf.Length,
                               &ReadLength,
                               &FileOffset,
                               &NextOffset);
        if (!NT_SUCCESS(Status))
        {
            EVTLTRACE1("ReadLogBuffer failed (Status 0x%08lx)\n", Status);
            LogFile->Free(pRecBuf, 0, TAG_ELF_BUF);
            return STATUS_EVENTLOG_FILE_CORRUPT;
        }
        if (ReadLength != RecBuf.Length)
        {
            DPRINT1("Oh oh!!\n");
            LogFile->Free(pRecBuf, 0, TAG_ELF_BUF);
            break;
        }

        // /* If OverWrittenRecords is TRUE and this record has already been read */
        // if (OverWrittenRecords && (pRecBuf->RecordNumber == LogFile->Header.OldestRecordNumber))
        // {
            // LogFile->Free(pRecBuf, 0, TAG_ELF_BUF);
            // break;
        // }

        pRecSize2 = (PULONG)((ULONG_PTR)pRecBuf + RecBuf.Length - 4);

        if (*pRecSize2 != RecBuf.Length)
        {
            EVTLTRACE1("Invalid RecordSizeEnd of record %d (0x%x) in `%wZ'\n",
                    RecordNumber, *pRecSize2, &LogFile->FileName);
            LogFile->Free(pRecBuf, 0, TAG_ELF_BUF);
            break;
        }

        EVTLTRACE("Add new record %d @ offset 0x%x\n", pRecBuf->RecordNumber, FileOffset.QuadPart);

        RecordNumber++;

        if (!ElfpAddOffsetInformation(LogFile,
                                      pRecBuf->RecordNumber,
                                      FileOffset.QuadPart))
        {
            EVTLTRACE1("ElfpAddOffsetInformation() failed!\n");
            LogFile->Free(pRecBuf, 0, TAG_ELF_BUF);
            return STATUS_EVENTLOG_FILE_CORRUPT;
        }

        LogFile->Free(pRecBuf, 0, TAG_ELF_BUF);

        if (NextOffset.QuadPart == LogFile->Header.EndOffset)
        {
            /* We have finished enumerating all the event records */
            DPRINT("NextOffset.QuadPart == LogFile->Header.EndOffset, break\n");
            break;
        }

        /*
         * If this was the last event record before the end of the log file,
         * the next one should start at the beginning of the log and the space
         * between the last event record and the end of the file is padded.
         */
        if (LogFile->Header.MaxSize - NextOffset.QuadPart < sizeof(EVENTLOGRECORD))
        {
            /* Wrap to the beginning of the log */
            DPRINT("Wrap!\n");
            NextOffset.QuadPart = sizeof(EVENTLOGHEADER);
        }

        /*
         * If the next offset to read is below the current offset,
         * this means we are wrapping.
         */
        if (FileOffset.QuadPart > NextOffset.QuadPart)
        {
            DPRINT("Wrapping = TRUE;\n");
            Wrapping = TRUE;
        }

        /* Move the current offset */
        FileOffset = NextOffset;
    }

    /* If the event log was empty, it will now contain one record */
    if (RecordNumber != 0 && LogFile->Header.OldestRecordNumber == 0)
        LogFile->Header.OldestRecordNumber = 1;

    LogFile->Header.CurrentRecordNumber = RecordNumber + LogFile->Header.OldestRecordNumber;
    if (LogFile->Header.CurrentRecordNumber == 0)
        LogFile->Header.CurrentRecordNumber = 1;

    /* Flush the log if it is not read-only */
    if (!LogFile->ReadOnly)
    {
        Status = ElfFlushFile(LogFile);
        if (!NT_SUCCESS(Status))
        {
            EVTLTRACE1("ElfFlushFile() failed (Status 0x%08lx)\n", Status);
            return STATUS_EVENTLOG_FILE_CORRUPT; // Status;
        }
    }

    return STATUS_SUCCESS;
}


/* FUNCTIONS *****************************************************************/

NTSTATUS
NTAPI
ElfCreateFile(
    IN OUT PEVTLOGFILE LogFile,
    IN PUNICODE_STRING FileName OPTIONAL,
    IN ULONG    FileSize,
    IN ULONG    MaxSize,
    IN ULONG    Retention,
    IN BOOLEAN  CreateNew,
    IN BOOLEAN  ReadOnly,
    IN PELF_ALLOCATE_ROUTINE   Allocate,
    IN PELF_FREE_ROUTINE       Free,
    IN PELF_FILE_SET_SIZE_ROUTINE FileSetSize,
    IN PELF_FILE_WRITE_ROUTINE FileWrite,
    IN PELF_FILE_READ_ROUTINE  FileRead,
    IN PELF_FILE_FLUSH_ROUTINE FileFlush) // What about Seek ??
{
    NTSTATUS Status = STATUS_SUCCESS;

    ASSERT(LogFile);

    /* Creating a new log file with the 'ReadOnly' flag set is incompatible */
    if (CreateNew && ReadOnly)
        return STATUS_INVALID_PARAMETER;

    RtlZeroMemory(LogFile, sizeof(*LogFile));

    LogFile->Allocate  = Allocate;
    LogFile->Free      = Free;
    LogFile->FileSetSize = FileSetSize;
    LogFile->FileWrite = FileWrite;
    LogFile->FileRead  = FileRead;
    LogFile->FileFlush = FileFlush;

    /* Copy the log file name if provided (optional) */
    RtlInitEmptyUnicodeString(&LogFile->FileName, NULL, 0);
    if (FileName && FileName->Buffer && FileName->Length &&
        (FileName->Length <= FileName->MaximumLength))
    {
        LogFile->FileName.Buffer = LogFile->Allocate(FileName->Length,
                                                     HEAP_ZERO_MEMORY,
                                                     TAG_ELF);
        if (LogFile->FileName.Buffer)
        {
            LogFile->FileName.MaximumLength = FileName->Length;
            RtlCopyUnicodeString(&LogFile->FileName, FileName);
        }
    }

    LogFile->OffsetInfo = LogFile->Allocate(OFFSET_INFO_INCREMENT * sizeof(EVENT_OFFSET_INFO),
                                            HEAP_ZERO_MEMORY,
                                            TAG_ELF);
    if (LogFile->OffsetInfo == NULL)
    {
        EVTLTRACE1("Cannot allocate heap\n");
        Status = STATUS_NO_MEMORY;
        goto Quit;
    }
    LogFile->OffsetInfoSize = OFFSET_INFO_INCREMENT;
    LogFile->OffsetInfoNext = 0;

    // FIXME: Always use the regitry values for MaxSize,
    // even for existing logs!

    // FIXME: On Windows, EventLog uses the MaxSize setting
    // from the registry itself; the MaxSize from the header
    // is just for information purposes.

    EVTLTRACE("Initializing log file `%wZ'\n", &LogFile->FileName);

    LogFile->ReadOnly = ReadOnly; // !CreateNew && ReadOnly;

    if (CreateNew)
        Status = ElfpInitNewFile(LogFile, FileSize, MaxSize, Retention);
    else
        Status = ElfpInitExistingFile(LogFile, FileSize, /* MaxSize, */ Retention);

Quit:
    if (!NT_SUCCESS(Status))
    {
        if (LogFile->OffsetInfo)
            LogFile->Free(LogFile->OffsetInfo, 0, TAG_ELF);

        if (LogFile->FileName.Buffer)
            LogFile->Free(LogFile->FileName.Buffer, 0, TAG_ELF);
    }

    return Status;
}

NTSTATUS
NTAPI
ElfReCreateFile(
    IN PEVTLOGFILE LogFile)
{
    ASSERT(LogFile);

    return ElfpInitNewFile(LogFile,
                           LogFile->CurrentSize,
                           LogFile->Header.MaxSize,
                           LogFile->Header.Retention);
}

NTSTATUS
NTAPI
ElfBackupFile(
    IN PEVTLOGFILE LogFile,
    IN PEVTLOGFILE BackupLogFile)
{
    NTSTATUS Status;

    LARGE_INTEGER FileOffset;
    SIZE_T ReadLength, WrittenLength;
    PEVENTLOGHEADER Header;
    EVENTLOGRECORD RecBuf;
    EVENTLOGEOF EofRec;
    ULONG i;
    ULONG RecOffset;
    PVOID Buffer = NULL;

    ASSERT(LogFile);

    RtlZeroMemory(BackupLogFile, sizeof(*BackupLogFile));

    BackupLogFile->FileSetSize = LogFile->FileSetSize;
    BackupLogFile->FileWrite = LogFile->FileWrite;
    BackupLogFile->FileFlush = LogFile->FileFlush;

    // BackupLogFile->CurrentSize = LogFile->CurrentSize;

    BackupLogFile->ReadOnly = FALSE;

    /* Initialize the (dirty) log file header */
    Header = &BackupLogFile->Header;
    Header->HeaderSize = sizeof(EVENTLOGHEADER);
    Header->Signature = LOGFILE_SIGNATURE;
    Header->MajorVersion = MAJORVER;
    Header->MinorVersion = MINORVER;
    Header->StartOffset = sizeof(EVENTLOGHEADER);
    Header->EndOffset = sizeof(EVENTLOGHEADER);
    Header->CurrentRecordNumber = 1;
    Header->OldestRecordNumber = 0;
    Header->MaxSize = LogFile->Header.MaxSize;
    Header->Flags = ELF_LOGFILE_HEADER_DIRTY;
    Header->Retention = LogFile->Header.Retention;
    Header->EndHeaderSize = sizeof(EVENTLOGHEADER);

    /* Write the (dirty) log file header */
    FileOffset.QuadPart = 0LL;
    Status = BackupLogFile->FileWrite(BackupLogFile,
                                      &FileOffset,
                                      Header,
                                      sizeof(EVENTLOGHEADER),
                                      &WrittenLength);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE1("Failed to write the log file header (Status 0x%08lx)\n", Status);
        goto Quit;
    }

    for (i = LogFile->Header.OldestRecordNumber; i < LogFile->Header.CurrentRecordNumber; i++)
    {
        RecOffset = ElfpOffsetByNumber(LogFile, i);
        if (RecOffset == 0)
            break;

        /* Read the next EVENTLOGRECORD header at once (it cannot be split) */
        FileOffset.QuadPart = RecOffset;
        Status = LogFile->FileRead(LogFile,
                                   &FileOffset,
                                   &RecBuf,
                                   sizeof(RecBuf),
                                   &ReadLength);
        if (!NT_SUCCESS(Status))
        {
            EVTLTRACE1("FileRead() failed (Status 0x%08lx)\n", Status);
            goto Quit;
        }

        // if (ReadLength != sizeof(RecBuf))
            // break;

        Buffer = LogFile->Allocate(RecBuf.Length, 0, TAG_ELF_BUF);
        if (Buffer == NULL)
        {
            EVTLTRACE1("Allocate() failed!\n");
            goto Quit;
        }

        /* Read the full EVENTLOGRECORD (header + data) with wrapping */
        Status = ReadLogBuffer(LogFile,
                               Buffer,
                               RecBuf.Length,
                               &ReadLength,
                               &FileOffset,
                               NULL);
        if (!NT_SUCCESS(Status))
        {
            EVTLTRACE1("ReadLogBuffer failed (Status 0x%08lx)\n", Status);
            LogFile->Free(Buffer, 0, TAG_ELF_BUF);
            // Status = STATUS_EVENTLOG_FILE_CORRUPT;
            goto Quit;
        }

        /* Write the event record (no wrap for the backup log) */
        Status = BackupLogFile->FileWrite(BackupLogFile,
                                          NULL,
                                          Buffer,
                                          RecBuf.Length,
                                          &WrittenLength);
        if (!NT_SUCCESS(Status))
        {
            EVTLTRACE1("FileWrite() failed (Status 0x%08lx)\n", Status);
            LogFile->Free(Buffer, 0, TAG_ELF_BUF);
            goto Quit;
        }

        /* Update the header information */
        Header->EndOffset += RecBuf.Length;

        /* Free the buffer */
        LogFile->Free(Buffer, 0, TAG_ELF_BUF);
        Buffer = NULL;
    }

// Quit:

    /* Initialize the ELF_EOF_RECORD and write it (no wrap for the backup log) */
    RtlCopyMemory(&EofRec, &EOFRecord, sizeof(EOFRecord));
    EofRec.BeginRecord = Header->StartOffset;
    EofRec.EndRecord   = Header->EndOffset;
    EofRec.CurrentRecordNumber = LogFile->Header.CurrentRecordNumber;
    EofRec.OldestRecordNumber  = LogFile->Header.OldestRecordNumber;

    Status = BackupLogFile->FileWrite(BackupLogFile,
                                      NULL,
                                      &EofRec,
                                      sizeof(EofRec),
                                      &WrittenLength);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE1("FileWrite() failed (Status 0x%08lx)\n", Status);
        goto Quit;
    }

    /* Update the header information */
    Header->CurrentRecordNumber = LogFile->Header.CurrentRecordNumber;
    Header->OldestRecordNumber  = LogFile->Header.OldestRecordNumber;
    Header->MaxSize = ROUND_UP(Header->EndOffset + sizeof(EofRec), sizeof(ULONG));
    Header->Flags = 0; // FIXME?

    /* Flush the log file - Write the (clean) log file header */
    Status = ElfFlushFile(BackupLogFile);

Quit:
    return Status;
}

NTSTATUS
NTAPI
ElfFlushFile(
    IN PEVTLOGFILE LogFile)
{
    NTSTATUS Status;
    LARGE_INTEGER FileOffset;
    SIZE_T WrittenLength;

    ASSERT(LogFile);

    if (LogFile->ReadOnly)
        return STATUS_SUCCESS; // STATUS_ACCESS_DENIED;

    /*
     * NOTE that both the EOF record *AND* the log file header
     * are supposed to be already updated!
     * We just remove the dirty log bit.
     */
    LogFile->Header.Flags &= ~ELF_LOGFILE_HEADER_DIRTY;

    /* Update the log file header */
    FileOffset.QuadPart = 0LL;
    Status = LogFile->FileWrite(LogFile,
                                &FileOffset,
                                &LogFile->Header,
                                sizeof(EVENTLOGHEADER),
                                &WrittenLength);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE1("FileWrite() failed (Status 0x%08lx)\n", Status);
        return Status;
    }

    /* Flush the log file */
    Status = LogFile->FileFlush(LogFile, NULL, 0);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE1("FileFlush() failed (Status 0x%08lx)\n", Status);
        return Status;
    }

    return STATUS_SUCCESS;
}

VOID
NTAPI
ElfCloseFile(  // ElfFree
    IN PEVTLOGFILE LogFile)
{
    ASSERT(LogFile);

    /* Flush the log file */
    ElfFlushFile(LogFile);

    /* Free the data */
    LogFile->Free(LogFile->OffsetInfo, 0, TAG_ELF);

    if (LogFile->FileName.Buffer)
        LogFile->Free(LogFile->FileName.Buffer, 0, TAG_ELF);
    RtlInitEmptyUnicodeString(&LogFile->FileName, NULL, 0);
}

NTSTATUS
NTAPI
ElfReadRecord(
    IN  PEVTLOGFILE LogFile,
    IN  ULONG RecordNumber,
    OUT PEVENTLOGRECORD Record,
    IN  SIZE_T  BufSize, // Length
    OUT PSIZE_T BytesRead OPTIONAL,
    OUT PSIZE_T BytesNeeded OPTIONAL)
{
    NTSTATUS Status;
    LARGE_INTEGER FileOffset;
    ULONG RecOffset;
    SIZE_T RecSize;
    SIZE_T ReadLength;

    ASSERT(LogFile);

    if (BytesRead)
        *BytesRead = 0;

    if (BytesNeeded)
        *BytesNeeded = 0;

    /* Retrieve the offset of the event record */
    RecOffset = ElfpOffsetByNumber(LogFile, RecordNumber);
    if (RecOffset == 0)
        return STATUS_NOT_FOUND;

    /* Retrieve its full size */
    FileOffset.QuadPart = RecOffset;
    Status = LogFile->FileRead(LogFile,
                               &FileOffset,
                               &RecSize,
                               sizeof(RecSize),
                               &ReadLength);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE1("FileRead() failed (Status 0x%08lx)\n", Status);
        // Status = STATUS_EVENTLOG_FILE_CORRUPT;
        return Status;
    }

    /* Check whether the buffer is big enough to hold the event record */
    if (BufSize < RecSize)
    {
        if (BytesNeeded)
            *BytesNeeded = RecSize;

        return STATUS_BUFFER_TOO_SMALL;
    }

    /* Read the event record into the buffer */
    FileOffset.QuadPart = RecOffset;
    Status = ReadLogBuffer(LogFile,
                           Record,
                           RecSize,
                           &ReadLength,
                           &FileOffset,
                           NULL);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE1("ReadLogBuffer failed (Status 0x%08lx)\n", Status);
        // Status = STATUS_EVENTLOG_FILE_CORRUPT;
    }

    if (BytesRead)
        *BytesRead = ReadLength;

    return Status;
}

NTSTATUS
NTAPI
ElfWriteRecord(
    IN PEVTLOGFILE LogFile,
    IN PEVENTLOGRECORD Record,
    IN SIZE_T BufSize)
{
    NTSTATUS Status;
    LARGE_INTEGER FileOffset, NextOffset;
    SIZE_T ReadLength, WrittenLength;
    EVENTLOGEOF EofRec;
    EVENTLOGRECORD RecBuf;
    ULONG FreeSpace = 0;
    ULONG UpperBound;
    ULONG RecOffset, WriteOffset;

    ASSERT(LogFile);

    if (LogFile->ReadOnly)
        return STATUS_ACCESS_DENIED;

    // ASSERT(sizeof(*Record) == sizeof(RecBuf));

    if (!Record || BufSize < sizeof(*Record))
        return STATUS_INVALID_PARAMETER;

    Record->RecordNumber = LogFile->Header.CurrentRecordNumber;

    /* Compute the available log free space */
    if (LogFile->Header.StartOffset <= LogFile->Header.EndOffset)
        FreeSpace = LogFile->Header.MaxSize - LogFile->Header.EndOffset + LogFile->Header.StartOffset - sizeof(EVENTLOGHEADER);
    else // if (LogFile->Header.StartOffset > LogFile->Header.EndOffset)
        FreeSpace = LogFile->Header.StartOffset - LogFile->Header.EndOffset;

    LogFile->Header.Flags |= ELF_LOGFILE_HEADER_DIRTY;

    /* If the event log was empty, it will now contain one record */
    if (LogFile->Header.OldestRecordNumber == 0)
        LogFile->Header.OldestRecordNumber = 1;

    /* By default we append the new record at the old EOF record offset */
    WriteOffset = LogFile->Header.EndOffset;

    /*
     * Check whether the log is going to wrap (the events being overwritten).
     */

    if (LogFile->Header.StartOffset <= LogFile->Header.EndOffset)
        UpperBound = LogFile->Header.MaxSize;
    else // if (LogFile->Header.StartOffset > LogFile->Header.EndOffset)
        UpperBound = LogFile->Header.StartOffset;

    // if (LogFile->Header.MaxSize - WriteOffset < BufSize + sizeof(EofRec))
    if (UpperBound - WriteOffset < BufSize + sizeof(EofRec))
    {
        EVTLTRACE("The event log file has reached maximum size (0x%x), wrapping...\n"
               "UpperBound = 0x%x, WriteOffset = 0x%x, BufSize = 0x%x\n",
               LogFile->Header.MaxSize, UpperBound, WriteOffset, BufSize);
        /* This will be done later */
    }

    if ( (LogFile->Header.StartOffset < LogFile->Header.EndOffset) &&
         (LogFile->Header.MaxSize - WriteOffset < sizeof(RecBuf)) ) // (UpperBound - WriteOffset < sizeof(RecBuf))
    {
        // ASSERT(UpperBound  == LogFile->Header.MaxSize);
        // ASSERT(WriteOffset == LogFile->Header.EndOffset);

        /*
         * We cannot fit the EVENTLOGRECORD header of the buffer before
         * the end of the file. We need to pad the end of the log with
         * 0x00000027, normally we will need to pad at most 0x37 bytes
         * (corresponding to sizeof(EVENTLOGRECORD) - 1).
         */

        /* Rewind to the beginning of the log, just after the header */
        WriteOffset = sizeof(EVENTLOGHEADER);
        UpperBound = LogFile->Header.StartOffset;

        FreeSpace = LogFile->Header.StartOffset - WriteOffset;

        LogFile->Header.Flags |= ELF_LOGFILE_HEADER_WRAP;
    }
    /*
     * Otherwise, we can fit the header and only part
     * of the data will overwrite the oldest records.
     *
     * It might be possible that all the event record can fit in one piece,
     * but that the EOF record needs to be split. This is not a problem,
     * EVENTLOGEOF can be splitted while EVENTLOGRECORD cannot be.
     */

    if (UpperBound - WriteOffset < BufSize + sizeof(EofRec))
    {
        ULONG OrgOldestRecordNumber, OldestRecordNumber;

        // DPRINT("EventLogFile has reached maximum size, wrapping...\n");

        OldestRecordNumber = OrgOldestRecordNumber = LogFile->Header.OldestRecordNumber;

        // FIXME: Assert whether LogFile->Header.StartOffset is the beginning of a record???
        // NOTE: It should be, by construction (and this should have been checked when
        // initializing a new, or existing log).

        /*
         * Determine how many old records need to be overwritten.
         * Check the size of the record as the record added may be larger.
         * Need to take into account that we append the EOF record.
         */
        while (FreeSpace < BufSize + sizeof(EofRec))
        {
            /* Get the oldest record data */
            RecOffset = ElfpOffsetByNumber(LogFile, OldestRecordNumber);
            if (RecOffset == 0)
            {
                EVTLTRACE1("Record number %d cannot be found, or log file is full and cannot wrap!\n", OldestRecordNumber);
                LogFile->Header.Flags |= ELF_LOGFILE_LOGFULL_WRITTEN;
                return STATUS_LOG_FILE_FULL;
            }

            RtlZeroMemory(&RecBuf, sizeof(RecBuf));

            FileOffset.QuadPart = RecOffset;
            Status = LogFile->FileRead(LogFile,
                                       &FileOffset,
                                       &RecBuf,
                                       sizeof(RecBuf),
                                       &ReadLength);
            if (!NT_SUCCESS(Status))
            {
                EVTLTRACE1("FileRead() failed (Status 0x%08lx)\n", Status);
                // Status = STATUS_EVENTLOG_FILE_CORRUPT;
                return Status;
            }

            if (RecBuf.Reserved != LOGFILE_SIGNATURE)
            {
                EVTLTRACE1("The event log file is corrupted!\n");
                return STATUS_EVENTLOG_FILE_CORRUPT;
            }

            /*
             * Check whether this event can be overwritten by comparing its
             * written timestamp with the log's retention value. This value
             * is the time interval, in seconds, that events records are
             * protected from being overwritten.
             *
             * If the retention value is zero the events are always overwritten.
             *
             * If the retention value is non-zero, when the age of an event,
             * in seconds, reaches or exceeds this value, it can be overwritten.
             * Also if the events are in the future, we do not overwrite them.
             */
            if (LogFile->Header.Retention != 0 &&
                (Record->TimeWritten <  RecBuf.TimeWritten ||
                (Record->TimeWritten >= RecBuf.TimeWritten &&
                 Record->TimeWritten -  RecBuf.TimeWritten < LogFile->Header.Retention)))
            {
                EVTLTRACE1("The event log file is full and cannot wrap because of the retention policy.\n");
                LogFile->Header.Flags |= ELF_LOGFILE_LOGFULL_WRITTEN;
                return STATUS_LOG_FILE_FULL;
            }

            /*
             * Advance the oldest record number, add the event record length
             * (as long as it is valid...) then take account for the possible
             * paddind after the record, in case this is the last one at the
             * end of the file.
             */
            OldestRecordNumber++;
            RecOffset += RecBuf.Length;
            FreeSpace += RecBuf.Length;

            /*
             * If this was the last event record before the end of the log file,
             * the next one should start at the beginning of the log and the space
             * between the last event record and the end of the file is padded.
             */
            if (LogFile->Header.MaxSize - RecOffset < sizeof(EVENTLOGRECORD))
            {
                /* Add the padding size */
                FreeSpace += LogFile->Header.MaxSize - RecOffset;
            }
        }

        EVTLTRACE("Record will fit. FreeSpace %d, BufSize %d\n", FreeSpace, BufSize);

        /* The log records are wrapping */
        LogFile->Header.Flags |= ELF_LOGFILE_HEADER_WRAP;


        // FIXME: May lead to corruption if the other subsequent calls fail...

        /*
         * We have validated all the region of events to be discarded,
         * now we can perform their deletion.
         */
        ElfpDeleteOffsetInformation(LogFile, OrgOldestRecordNumber, OldestRecordNumber - 1);
        LogFile->Header.OldestRecordNumber = OldestRecordNumber;
        LogFile->Header.StartOffset = ElfpOffsetByNumber(LogFile, OldestRecordNumber);
        if (LogFile->Header.StartOffset == 0)
        {
            /*
             * We have deleted all the existing event records to make place
             * for the new one. We can put it at the start of the event log.
             */
            LogFile->Header.StartOffset = sizeof(EVENTLOGHEADER);
            WriteOffset = LogFile->Header.StartOffset;
            LogFile->Header.EndOffset = WriteOffset;
        }

        EVTLTRACE("MaxSize = 0x%x, StartOffset = 0x%x, WriteOffset = 0x%x, EndOffset = 0x%x, BufSize = 0x%x\n"
                  "OldestRecordNumber = %d\n",
                  LogFile->Header.MaxSize, LogFile->Header.StartOffset, WriteOffset, LogFile->Header.EndOffset, BufSize,
                  OldestRecordNumber);
    }

    /*
     * Expand the log file if needed.
     * NOTE: It may be needed to perform this task a bit sooner if we need
     * such a thing for performing read operations, in the future...
     * Or if this operation needs to modify 'FreeSpace'...
     */
    if (LogFile->CurrentSize < LogFile->Header.MaxSize)
    {
        EVTLTRACE1("Expanding the log file from %lu to %lu\n",
                LogFile->CurrentSize, LogFile->Header.MaxSize);

        LogFile->CurrentSize = LogFile->Header.MaxSize;
        LogFile->FileSetSize(LogFile, LogFile->CurrentSize, 0);
    }

    /* Since we can write events in the log, clear the log full flag */
    LogFile->Header.Flags &= ~ELF_LOGFILE_LOGFULL_WRITTEN;

    /* Pad the end of the log */
    // if (LogFile->Header.EndOffset + sizeof(RecBuf) > LogFile->Header.MaxSize)
    if (WriteOffset < LogFile->Header.EndOffset)
    {
        /* Pad all the space from LogFile->Header.EndOffset to LogFile->Header.MaxSize */
        WrittenLength = ROUND_DOWN(LogFile->Header.MaxSize - LogFile->Header.EndOffset, sizeof(ULONG));
        RtlFillMemoryUlong(&RecBuf, WrittenLength, 0x00000027);

        FileOffset.QuadPart = LogFile->Header.EndOffset;
        Status = LogFile->FileWrite(LogFile,
                                    &FileOffset,
                                    &RecBuf,
                                    WrittenLength,
                                    &WrittenLength);
        if (!NT_SUCCESS(Status))
        {
            EVTLTRACE1("FileWrite() failed (Status 0x%08lx)\n", Status);
            // return Status;
        }
    }

    /* Write the event record buffer with possible wrap at offset sizeof(EVENTLOGHEADER) */
    FileOffset.QuadPart = WriteOffset;
    Status = WriteLogBuffer(LogFile,
                            Record,
                            BufSize,
                            &WrittenLength,
                            &FileOffset,
                            &NextOffset);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE1("WriteLogBuffer failed (Status 0x%08lx)\n", Status);
        return Status;
    }
    /* FileOffset now contains the offset just after the end of the record buffer */
    FileOffset = NextOffset;

    if (!ElfpAddOffsetInformation(LogFile,
                                  Record->RecordNumber,
                                  WriteOffset))
    {
        return STATUS_NO_MEMORY; // STATUS_EVENTLOG_FILE_CORRUPT;
    }

    LogFile->Header.CurrentRecordNumber++;
    if (LogFile->Header.CurrentRecordNumber == 0)
        LogFile->Header.CurrentRecordNumber = 1;

    /*
     * Write the new EOF record offset just after the event record.
     * The EOF record can wrap (be splitted) if less than sizeof(EVENTLOGEOF)
     * bytes remains between the end of the record and the end of the log file.
     */
    LogFile->Header.EndOffset = FileOffset.QuadPart;

    RtlCopyMemory(&EofRec, &EOFRecord, sizeof(EOFRecord));
    EofRec.BeginRecord = LogFile->Header.StartOffset;
    EofRec.EndRecord   = LogFile->Header.EndOffset;
    EofRec.CurrentRecordNumber = LogFile->Header.CurrentRecordNumber;
    EofRec.OldestRecordNumber  = LogFile->Header.OldestRecordNumber;

    // FileOffset.QuadPart = LogFile->Header.EndOffset;
    Status = WriteLogBuffer(LogFile,
                            &EofRec,
                            sizeof(EofRec),
                            &WrittenLength,
                            &FileOffset,
                            &NextOffset);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE1("WriteLogBuffer failed (Status 0x%08lx)\n", Status);
        return Status;
    }
    FileOffset = NextOffset;

    /* Flush the log file */
    Status = ElfFlushFile(LogFile);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE1("ElfFlushFile() failed (Status 0x%08lx)\n", Status);
        return STATUS_EVENTLOG_FILE_CORRUPT; // Status;
    }

    return Status;
}

ULONG
NTAPI
ElfGetOldestRecord(
    IN PEVTLOGFILE LogFile)
{
    ASSERT(LogFile);
    return LogFile->Header.OldestRecordNumber;
}

ULONG
NTAPI
ElfGetCurrentRecord(
    IN PEVTLOGFILE LogFile)
{
    ASSERT(LogFile);
    return LogFile->Header.CurrentRecordNumber;
}

ULONG
NTAPI
ElfGetFlags(
    IN PEVTLOGFILE LogFile)
{
    ASSERT(LogFile);
    return LogFile->Header.Flags;
}

#if DBG
VOID PRINT_HEADER(PEVENTLOGHEADER Header)
{
    ULONG Flags = Header->Flags;

    EVTLTRACE1("PRINT_HEADER(0x%p)\n", Header);

    DbgPrint("HeaderSize    = %lu\n" , Header->HeaderSize);
    DbgPrint("Signature     = 0x%x\n", Header->Signature);
    DbgPrint("MajorVersion  = %lu\n" , Header->MajorVersion);
    DbgPrint("MinorVersion  = %lu\n" , Header->MinorVersion);
    DbgPrint("StartOffset   = 0x%x\n", Header->StartOffset);
    DbgPrint("EndOffset     = 0x%x\n", Header->EndOffset);
    DbgPrint("CurrentRecordNumber = %lu\n", Header->CurrentRecordNumber);
    DbgPrint("OldestRecordNumber  = %lu\n", Header->OldestRecordNumber);
    DbgPrint("MaxSize       = 0x%x\n", Header->MaxSize);
    DbgPrint("Retention     = 0x%x\n", Header->Retention);
    DbgPrint("EndHeaderSize = %lu\n" , Header->EndHeaderSize);
    DbgPrint("Flags: ");
    if (Flags & ELF_LOGFILE_HEADER_DIRTY)
    {
        DbgPrint("ELF_LOGFILE_HEADER_DIRTY");
        Flags &= ~ELF_LOGFILE_HEADER_DIRTY;
    }
    if (Flags) DbgPrint(" | ");
    if (Flags & ELF_LOGFILE_HEADER_WRAP)
    {
        DbgPrint("ELF_LOGFILE_HEADER_WRAP");
        Flags &= ~ELF_LOGFILE_HEADER_WRAP;
    }
    if (Flags) DbgPrint(" | ");
    if (Flags & ELF_LOGFILE_LOGFULL_WRITTEN)
    {
        DbgPrint("ELF_LOGFILE_LOGFULL_WRITTEN");
        Flags &= ~ELF_LOGFILE_LOGFULL_WRITTEN;
    }
    if (Flags) DbgPrint(" | ");
    if (Flags & ELF_LOGFILE_ARCHIVE_SET)
    {
        DbgPrint("ELF_LOGFILE_ARCHIVE_SET");
        Flags &= ~ELF_LOGFILE_ARCHIVE_SET;
    }
    if (Flags) DbgPrint(" | 0x%x", Flags);
    DbgPrint("\n");
}
#endif