ReactOS 0.4.17-dev-470-gf9e3448
evtlib.h File Reference
#include <ndk/rtlfuncs.h>
#include <pshpack4.h>
#include <poppack.h>
Include dependency graph for evtlib.h:
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Classes

struct  _EVENTLOGHEADER
 
struct  _EVENTLOGRECORD
 
struct  _EVENTLOGEOF
 
struct  _EVENT_OFFSET_INFO
 
struct  _EVTLOGFILE
 

Macros

#define NTOS_MODE_USER
 
#define ROUND_DOWN(n, align)   (((ULONG)n) & ~((align) - 1l))
 
#define ROUND_UP(n, align)   ROUND_DOWN(((ULONG)n) + (align) - 1, (align))
 
#define MAJORVER   1
 
#define MINORVER   1
 
#define LOGFILE_SIGNATURE   0x654c664c
 
#define ELF_LOGFILE_HEADER_DIRTY   1
 
#define ELF_LOGFILE_HEADER_WRAP   2
 
#define ELF_LOGFILE_LOGFULL_WRITTEN   4
 
#define ELF_LOGFILE_ARCHIVE_SET   8
 
#define EVENTLOG_SUCCESS   0
 
#define EVENTLOG_ERROR_TYPE   1
 
#define EVENTLOG_WARNING_TYPE   2
 
#define EVENTLOG_INFORMATION_TYPE   4
 
#define EVENTLOG_AUDIT_SUCCESS   8
 
#define EVENTLOG_AUDIT_FAILURE   16
 
#define EVENTLOGEOF_SIZE_FIXED   (5 * sizeof(ULONG))
 
#define TAG_ELF   ' flE'
 
#define TAG_ELF_BUF   'BflE'
 

Typedefs

typedef struct _EVENTLOGHEADER EVENTLOGHEADER
 
typedef struct _EVENTLOGHEADERPEVENTLOGHEADER
 
typedef struct _EVENTLOGRECORD EVENTLOGRECORD
 
typedef struct _EVENTLOGRECORDPEVENTLOGRECORD
 
typedef struct _EVENTLOGEOF EVENTLOGEOF
 
typedef struct _EVENTLOGEOFPEVENTLOGEOF
 
typedef struct _EVENT_OFFSET_INFO EVENT_OFFSET_INFO
 
typedef struct _EVENT_OFFSET_INFOPEVENT_OFFSET_INFO
 
typedef PVOID(NTAPIPELF_ALLOCATE_ROUTINE) (IN SIZE_T Size, IN ULONG Flags, IN ULONG Tag)
 
typedef VOID(NTAPIPELF_FREE_ROUTINE) (IN PVOID Ptr, IN ULONG Flags, IN ULONG Tag)
 
typedef NTSTATUS(NTAPIPELF_FILE_READ_ROUTINE) (IN struct _EVTLOGFILE *LogFile, IN PLARGE_INTEGER FileOffset, OUT PVOID Buffer, IN SIZE_T Length, OUT PSIZE_T ReadLength OPTIONAL)
 
typedef NTSTATUS(NTAPIPELF_FILE_WRITE_ROUTINE) (IN struct _EVTLOGFILE *LogFile, IN PLARGE_INTEGER FileOffset, IN PVOID Buffer, IN SIZE_T Length, OUT PSIZE_T WrittenLength OPTIONAL)
 
typedef NTSTATUS(NTAPIPELF_FILE_SET_SIZE_ROUTINE) (IN struct _EVTLOGFILE *LogFile, IN ULONG FileSize, IN ULONG OldFileSize)
 
typedef NTSTATUS(NTAPIPELF_FILE_FLUSH_ROUTINE) (IN struct _EVTLOGFILE *LogFile, IN PLARGE_INTEGER FileOffset, IN ULONG Length)
 
typedef struct _EVTLOGFILE EVTLOGFILE
 
typedef struct _EVTLOGFILEPEVTLOGFILE
 

Functions

 C_ASSERT (EVENTLOGEOF_SIZE_FIXED==FIELD_OFFSET(EVENTLOGEOF, BeginRecord))
 
NTSTATUS NTAPI ElfCreateFile (IN OUT PEVTLOGFILE LogFile, IN PUNICODE_STRING FileName OPTIONAL, IN ULONG FileSize, IN ULONG MaxSize, IN ULONG Retention, IN BOOLEAN CreateNew, IN BOOLEAN ReadOnly, IN PELF_ALLOCATE_ROUTINE Allocate, IN PELF_FREE_ROUTINE Free, IN PELF_FILE_SET_SIZE_ROUTINE FileSetSize, IN PELF_FILE_WRITE_ROUTINE FileWrite, IN PELF_FILE_READ_ROUTINE FileRead, IN PELF_FILE_FLUSH_ROUTINE FileFlush)
 
NTSTATUS NTAPI ElfReCreateFile (IN PEVTLOGFILE LogFile)
 
NTSTATUS NTAPI ElfBackupFile (IN PEVTLOGFILE LogFile, IN PEVTLOGFILE BackupLogFile)
 
NTSTATUS NTAPI ElfFlushFile (IN PEVTLOGFILE LogFile)
 
VOID NTAPI ElfCloseFile (IN PEVTLOGFILE LogFile)
 
NTSTATUS NTAPI ElfReadRecord (IN PEVTLOGFILE LogFile, IN ULONG RecordNumber, OUT PEVENTLOGRECORD Record, IN SIZE_T BufSize, OUT PSIZE_T BytesRead OPTIONAL, OUT PSIZE_T BytesNeeded OPTIONAL)
 
NTSTATUS NTAPI ElfWriteRecord (IN PEVTLOGFILE LogFile, IN PEVENTLOGRECORD Record, IN SIZE_T BufSize)
 
ULONG NTAPI ElfGetOldestRecord (IN PEVTLOGFILE LogFile)
 
ULONG NTAPI ElfGetCurrentRecord (IN PEVTLOGFILE LogFile)
 
ULONG NTAPI ElfGetFlags (IN PEVTLOGFILE LogFile)
 

Macro Definition Documentation

◆ ELF_LOGFILE_ARCHIVE_SET

#define ELF_LOGFILE_ARCHIVE_SET   8

Definition at line 51 of file evtlib.h.

◆ ELF_LOGFILE_HEADER_DIRTY

#define ELF_LOGFILE_HEADER_DIRTY   1

Definition at line 48 of file evtlib.h.

◆ ELF_LOGFILE_HEADER_WRAP

#define ELF_LOGFILE_HEADER_WRAP   2

Definition at line 49 of file evtlib.h.

◆ ELF_LOGFILE_LOGFULL_WRITTEN

#define ELF_LOGFILE_LOGFULL_WRITTEN   4

Definition at line 50 of file evtlib.h.

◆ EVENTLOG_AUDIT_FAILURE

#define EVENTLOG_AUDIT_FAILURE   16

Definition at line 88 of file evtlib.h.

◆ EVENTLOG_AUDIT_SUCCESS

#define EVENTLOG_AUDIT_SUCCESS   8

Definition at line 87 of file evtlib.h.

◆ EVENTLOG_ERROR_TYPE

#define EVENTLOG_ERROR_TYPE   1

Definition at line 84 of file evtlib.h.

◆ EVENTLOG_INFORMATION_TYPE

#define EVENTLOG_INFORMATION_TYPE   4

Definition at line 86 of file evtlib.h.

◆ EVENTLOG_SUCCESS

#define EVENTLOG_SUCCESS   0

Definition at line 83 of file evtlib.h.

◆ EVENTLOG_WARNING_TYPE

#define EVENTLOG_WARNING_TYPE   2

Definition at line 85 of file evtlib.h.

◆ EVENTLOGEOF_SIZE_FIXED

#define EVENTLOGEOF_SIZE_FIXED   (5 * sizeof(ULONG))

Definition at line 139 of file evtlib.h.

◆ LOGFILE_SIGNATURE

#define LOGFILE_SIGNATURE   0x654c664c

Definition at line 43 of file evtlib.h.

◆ MAJORVER

#define MAJORVER   1

Definition at line 41 of file evtlib.h.

◆ MINORVER

#define MINORVER   1

Definition at line 42 of file evtlib.h.

◆ NTOS_MODE_USER

#define NTOS_MODE_USER

Definition at line 27 of file evtlib.h.

◆ ROUND_DOWN

#define ROUND_DOWN (   n,
  align 
)    (((ULONG)n) & ~((align) - 1l))

Definition at line 31 of file evtlib.h.

◆ ROUND_UP

#define ROUND_UP (   n,
  align 
)    ROUND_DOWN(((ULONG)n) + (align) - 1, (align))

Definition at line 35 of file evtlib.h.

◆ TAG_ELF

#define TAG_ELF   ' flE'

Definition at line 151 of file evtlib.h.

◆ TAG_ELF_BUF

#define TAG_ELF_BUF   'BflE'

Definition at line 152 of file evtlib.h.

Typedef Documentation

◆ EVENT_OFFSET_INFO

◆ EVENTLOGEOF

◆ EVENTLOGHEADER

◆ EVENTLOGRECORD

◆ EVTLOGFILE

◆ PELF_ALLOCATE_ROUTINE

typedef PVOID(NTAPI * PELF_ALLOCATE_ROUTINE) (IN SIZE_T Size, IN ULONG Flags, IN ULONG Tag)

Definition at line 156 of file evtlib.h.

◆ PELF_FILE_FLUSH_ROUTINE

typedef NTSTATUS(NTAPI * PELF_FILE_FLUSH_ROUTINE) (IN struct _EVTLOGFILE *LogFile, IN PLARGE_INTEGER FileOffset, IN ULONG Length)

Definition at line 195 of file evtlib.h.

◆ PELF_FILE_READ_ROUTINE

Definition at line 170 of file evtlib.h.

◆ PELF_FILE_SET_SIZE_ROUTINE

typedef NTSTATUS(NTAPI * PELF_FILE_SET_SIZE_ROUTINE) (IN struct _EVTLOGFILE *LogFile, IN ULONG FileSize, IN ULONG OldFileSize)

Definition at line 188 of file evtlib.h.

◆ PELF_FILE_WRITE_ROUTINE

typedef NTSTATUS(NTAPI * PELF_FILE_WRITE_ROUTINE) (IN struct _EVTLOGFILE *LogFile, IN PLARGE_INTEGER FileOffset, IN PVOID Buffer, IN SIZE_T Length, OUT PSIZE_T WrittenLength OPTIONAL)

Definition at line 179 of file evtlib.h.

◆ PELF_FREE_ROUTINE

typedef VOID(NTAPI * PELF_FREE_ROUTINE) (IN PVOID Ptr, IN ULONG Flags, IN ULONG Tag)

Definition at line 163 of file evtlib.h.

◆ PEVENT_OFFSET_INFO

◆ PEVENTLOGEOF

◆ PEVENTLOGHEADER

◆ PEVENTLOGRECORD

◆ PEVTLOGFILE

Function Documentation

◆ C_ASSERT()

C_ASSERT ( EVENTLOGEOF_SIZE_FIXED  = =FIELD_OFFSET(EVENTLOGEOF, BeginRecord))

◆ ElfBackupFile()

NTSTATUS NTAPI ElfBackupFile ( IN PEVTLOGFILE  LogFile,
IN PEVTLOGFILE  BackupLogFile 
)

Definition at line 992 of file evtlib.c.

995{
997
999 SIZE_T ReadLength, WrittenLength;
1001 EVENTLOGRECORD RecBuf;
1002 EVENTLOGEOF EofRec;
1003 ULONG i;
1004 ULONG RecOffset;
1005 PVOID Buffer = NULL;
1006
1007 ASSERT(LogFile);
1008
1009 RtlZeroMemory(BackupLogFile, sizeof(*BackupLogFile));
1010
1011 BackupLogFile->FileSetSize = LogFile->FileSetSize;
1012 BackupLogFile->FileWrite = LogFile->FileWrite;
1013 BackupLogFile->FileFlush = LogFile->FileFlush;
1014
1015 // BackupLogFile->CurrentSize = LogFile->CurrentSize;
1016
1017 BackupLogFile->ReadOnly = FALSE;
1018
1019 /* Initialize the (dirty) log file header */
1020 Header = &BackupLogFile->Header;
1021 Header->HeaderSize = sizeof(EVENTLOGHEADER);
1022 Header->Signature = LOGFILE_SIGNATURE;
1023 Header->MajorVersion = MAJORVER;
1024 Header->MinorVersion = MINORVER;
1025 Header->StartOffset = sizeof(EVENTLOGHEADER);
1026 Header->EndOffset = sizeof(EVENTLOGHEADER);
1027 Header->CurrentRecordNumber = 1;
1028 Header->OldestRecordNumber = 0;
1029 Header->MaxSize = LogFile->Header.MaxSize;
1031 Header->Retention = LogFile->Header.Retention;
1032 Header->EndHeaderSize = sizeof(EVENTLOGHEADER);
1033
1034 /* Write the (dirty) log file header */
1035 FileOffset.QuadPart = 0LL;
1036 Status = BackupLogFile->FileWrite(BackupLogFile,
1037 &FileOffset,
1038 Header,
1039 sizeof(EVENTLOGHEADER),
1040 &WrittenLength);
1041 if (!NT_SUCCESS(Status))
1042 {
1043 EVTLTRACE1("Failed to write the log file header (Status 0x%08lx)\n", Status);
1044 goto Quit;
1045 }
1046
1047 for (i = LogFile->Header.OldestRecordNumber; i < LogFile->Header.CurrentRecordNumber; i++)
1048 {
1049 RecOffset = ElfpOffsetByNumber(LogFile, i);
1050 if (RecOffset == 0)
1051 break;
1052
1053 /* Read the next EVENTLOGRECORD header at once (it cannot be split) */
1054 FileOffset.QuadPart = RecOffset;
1055 Status = LogFile->FileRead(LogFile,
1056 &FileOffset,
1057 &RecBuf,
1058 sizeof(RecBuf),
1059 &ReadLength);
1060 if (!NT_SUCCESS(Status))
1061 {
1062 EVTLTRACE1("FileRead() failed (Status 0x%08lx)\n", Status);
1063 goto Quit;
1064 }
1065
1066 // if (ReadLength != sizeof(RecBuf))
1067 // break;
1068
1069 Buffer = LogFile->Allocate(RecBuf.Length, 0, TAG_ELF_BUF);
1070 if (Buffer == NULL)
1071 {
1072 EVTLTRACE1("Allocate() failed!\n");
1073 goto Quit;
1074 }
1075
1076 /* Read the full EVENTLOGRECORD (header + data) with wrapping */
1077 Status = ReadLogBuffer(LogFile,
1078 Buffer,
1079 RecBuf.Length,
1080 &ReadLength,
1081 &FileOffset,
1082 NULL);
1083 if (!NT_SUCCESS(Status))
1084 {
1085 EVTLTRACE1("ReadLogBuffer failed (Status 0x%08lx)\n", Status);
1086 LogFile->Free(Buffer, 0, TAG_ELF_BUF);
1087 // Status = STATUS_EVENTLOG_FILE_CORRUPT;
1088 goto Quit;
1089 }
1090
1091 /* Write the event record (no wrap for the backup log) */
1092 Status = BackupLogFile->FileWrite(BackupLogFile,
1093 NULL,
1094 Buffer,
1095 RecBuf.Length,
1096 &WrittenLength);
1097 if (!NT_SUCCESS(Status))
1098 {
1099 EVTLTRACE1("FileWrite() failed (Status 0x%08lx)\n", Status);
1100 LogFile->Free(Buffer, 0, TAG_ELF_BUF);
1101 goto Quit;
1102 }
1103
1104 /* Update the header information */
1105 Header->EndOffset += RecBuf.Length;
1106
1107 /* Free the buffer */
1108 LogFile->Free(Buffer, 0, TAG_ELF_BUF);
1109 Buffer = NULL;
1110 }
1111
1112// Quit:
1113
1114 /* Initialize the ELF_EOF_RECORD and write it (no wrap for the backup log) */
1115 RtlCopyMemory(&EofRec, &EOFRecord, sizeof(EOFRecord));
1116 EofRec.BeginRecord = Header->StartOffset;
1117 EofRec.EndRecord = Header->EndOffset;
1118 EofRec.CurrentRecordNumber = LogFile->Header.CurrentRecordNumber;
1119 EofRec.OldestRecordNumber = LogFile->Header.OldestRecordNumber;
1120
1121 Status = BackupLogFile->FileWrite(BackupLogFile,
1122 NULL,
1123 &EofRec,
1124 sizeof(EofRec),
1125 &WrittenLength);
1126 if (!NT_SUCCESS(Status))
1127 {
1128 EVTLTRACE1("FileWrite() failed (Status 0x%08lx)\n", Status);
1129 goto Quit;
1130 }
1131
1132 /* Update the header information */
1133 Header->CurrentRecordNumber = LogFile->Header.CurrentRecordNumber;
1134 Header->OldestRecordNumber = LogFile->Header.OldestRecordNumber;
1135 Header->MaxSize = ROUND_UP(Header->EndOffset + sizeof(EofRec), sizeof(ULONG));
1136 Header->Flags = 0; // FIXME?
1137
1138 /* Flush the log file - Write the (clean) log file header */
1139 Status = ElfFlushFile(BackupLogFile);
1140
1141Quit:
1142 return Status;
1143}
ULONG ReadLength
LONG NTSTATUS
Definition: precomp.h:26
_In_ PFCB _In_ LONGLONG FileOffset
Definition: cdprocs.h:160
Definition: bufpool.h:45
Definition: Header.h:9
Header(const std::string &filename_)
Definition: Header.h:18
#define NULL
Definition: types.h:112
#define FALSE
Definition: types.h:117
#define NT_SUCCESS(StatCode)
Definition: apphelp.c:33
#define ROUND_UP(n, align)
Definition: eventvwr.h:34
static const EVENTLOGEOF EOFRecord
Definition: evtlib.c:28
static ULONG ElfpOffsetByNumber(IN PEVTLOGFILE LogFile, IN ULONG RecordNumber)
Definition: evtlib.c:199
static NTSTATUS ReadLogBuffer(IN PEVTLOGFILE LogFile, OUT PVOID Buffer, IN SIZE_T Length, OUT PSIZE_T ReadLength OPTIONAL, IN PLARGE_INTEGER ByteOffset, OUT PLARGE_INTEGER NextOffset OPTIONAL)
Definition: evtlib.c:39
NTSTATUS NTAPI ElfFlushFile(IN PEVTLOGFILE LogFile)
Definition: evtlib.c:1147
#define EVTLTRACE1(fmt,...)
Definition: evtlib.c:21
#define LOGFILE_SIGNATURE
Definition: evtlib.h:43
#define TAG_ELF_BUF
Definition: evtlib.h:152
#define MAJORVER
Definition: evtlib.h:41
#define MINORVER
Definition: evtlib.h:42
#define ELF_LOGFILE_HEADER_DIRTY
Definition: evtlib.h:48
struct _EVENTLOGHEADER EVENTLOGHEADER
Status
Definition: gdiplustypes.h:24
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
#define ASSERT(a)
Definition: mode.c:44
ULONG EndRecord
Definition: evtlib.h:133
ULONG CurrentRecordNumber
Definition: evtlib.h:134
ULONG BeginRecord
Definition: evtlib.h:132
ULONG OldestRecordNumber
Definition: evtlib.h:135
#define LL
Definition: tui.h:166
ULONG_PTR SIZE_T
Definition: typedefs.h:80
#define RtlCopyMemory(Destination, Source, Length)
Definition: typedefs.h:263
#define RtlZeroMemory(Destination, Length)
Definition: typedefs.h:262
uint32_t ULONG
Definition: typedefs.h:59

Referenced by LogfBackupFile().

◆ ElfCloseFile()

VOID NTAPI ElfCloseFile ( IN PEVTLOGFILE  LogFile)

Definition at line 1192 of file evtlib.c.

1194{
1195 ASSERT(LogFile);
1196
1197 /* Flush the log file */
1198 ElfFlushFile(LogFile);
1199
1200 /* Free the data */
1201 LogFile->Free(LogFile->OffsetInfo, 0, TAG_ELF);
1202
1203 if (LogFile->FileName.Buffer)
1204 LogFile->Free(LogFile->FileName.Buffer, 0, TAG_ELF);
1205 RtlInitEmptyUnicodeString(&LogFile->FileName, NULL, 0);
1206}
#define TAG_ELF
Definition: evtlib.h:151

Referenced by LogfClose().

◆ ElfCreateFile()

NTSTATUS NTAPI ElfCreateFile ( IN OUT PEVTLOGFILE  LogFile,
IN PUNICODE_STRING FileName  OPTIONAL,
IN ULONG  FileSize,
IN ULONG  MaxSize,
IN ULONG  Retention,
IN BOOLEAN  CreateNew,
IN BOOLEAN  ReadOnly,
IN PELF_ALLOCATE_ROUTINE  Allocate,
IN PELF_FREE_ROUTINE  Free,
IN PELF_FILE_SET_SIZE_ROUTINE  FileSetSize,
IN PELF_FILE_WRITE_ROUTINE  FileWrite,
IN PELF_FILE_READ_ROUTINE  FileRead,
IN PELF_FILE_FLUSH_ROUTINE  FileFlush 
)

Definition at line 889 of file evtlib.c.

903{
905
906 ASSERT(LogFile);
907
908 /* Creating a new log file with the 'ReadOnly' flag set is incompatible */
909 if (CreateNew && ReadOnly)
911
912 RtlZeroMemory(LogFile, sizeof(*LogFile));
913
914 LogFile->Allocate = Allocate;
915 LogFile->Free = Free;
916 LogFile->FileSetSize = FileSetSize;
917 LogFile->FileWrite = FileWrite;
918 LogFile->FileRead = FileRead;
919 LogFile->FileFlush = FileFlush;
920
921 /* Copy the log file name if provided (optional) */
922 RtlInitEmptyUnicodeString(&LogFile->FileName, NULL, 0);
923 if (FileName && FileName->Buffer && FileName->Length &&
924 (FileName->Length <= FileName->MaximumLength))
925 {
926 LogFile->FileName.Buffer = LogFile->Allocate(FileName->Length,
928 TAG_ELF);
929 if (LogFile->FileName.Buffer)
930 {
931 LogFile->FileName.MaximumLength = FileName->Length;
932 RtlCopyUnicodeString(&LogFile->FileName, FileName);
933 }
934 }
935
936 LogFile->OffsetInfo = LogFile->Allocate(OFFSET_INFO_INCREMENT * sizeof(EVENT_OFFSET_INFO),
938 TAG_ELF);
939 if (LogFile->OffsetInfo == NULL)
940 {
941 EVTLTRACE1("Cannot allocate heap\n");
943 goto Quit;
944 }
945 LogFile->OffsetInfoSize = OFFSET_INFO_INCREMENT;
946 LogFile->OffsetInfoNext = 0;
947
948 // FIXME: Always use the regitry values for MaxSize,
949 // even for existing logs!
950
951 // FIXME: On Windows, EventLog uses the MaxSize setting
952 // from the registry itself; the MaxSize from the header
953 // is just for information purposes.
954
955 EVTLTRACE("Initializing log file `%wZ'\n", &LogFile->FileName);
956
957 LogFile->ReadOnly = ReadOnly; // !CreateNew && ReadOnly;
958
959 if (CreateNew)
960 Status = ElfpInitNewFile(LogFile, FileSize, MaxSize, Retention);
961 else
962 Status = ElfpInitExistingFile(LogFile, FileSize, /* MaxSize, */ Retention);
963
964Quit:
965 if (!NT_SUCCESS(Status))
966 {
967 if (LogFile->OffsetInfo)
968 LogFile->Free(LogFile->OffsetInfo, 0, TAG_ELF);
969
970 if (LogFile->FileName.Buffer)
971 LogFile->Free(LogFile->FileName.Buffer, 0, TAG_ELF);
972 }
973
974 return Status;
975}
_In_ PATA_DEVICE_REQUEST _In_ BOOLEAN Allocate
Definition: ata_shared.h:437
#define STATUS_NO_MEMORY
Definition: d3dkmdt.h:51
#define HEAP_ZERO_MEMORY
Definition: compat.h:134
#define EVTLTRACE(fmt,...)
Definition: evtlib.c:19
static NTSTATUS ElfpInitNewFile(IN PEVTLOGFILE LogFile, IN ULONG FileSize, IN ULONG MaxSize, IN ULONG Retention)
Definition: evtlib.c:299
static NTSTATUS ElfpInitExistingFile(IN PEVTLOGFILE LogFile, IN ULONG FileSize, IN ULONG Retention)
Definition: evtlib.c:392
#define OFFSET_INFO_INCREMENT
Definition: evtlib.c:213
_Must_inspect_result_ _Out_ PLARGE_INTEGER FileSize
Definition: fsrtlfuncs.h:108
NTSYSAPI VOID NTAPI RtlCopyUnicodeString(PUNICODE_STRING DestinationString, PUNICODE_STRING SourceString)
@ ReadOnly
Definition: arc.h:89
#define STATUS_SUCCESS
Definition: shellext.h:65
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
_In_opt_ PALLOCATE_FUNCTION _In_opt_ PFREE_FUNCTION Free
Definition: exfuncs.h:815

Referenced by LogfCreate().

◆ ElfFlushFile()

NTSTATUS NTAPI ElfFlushFile ( IN PEVTLOGFILE  LogFile)

Definition at line 1147 of file evtlib.c.

1149{
1152 SIZE_T WrittenLength;
1153
1154 ASSERT(LogFile);
1155
1156 if (LogFile->ReadOnly)
1157 return STATUS_SUCCESS; // STATUS_ACCESS_DENIED;
1158
1159 /*
1160 * NOTE that both the EOF record *AND* the log file header
1161 * are supposed to be already updated!
1162 * We just remove the dirty log bit.
1163 */
1164 LogFile->Header.Flags &= ~ELF_LOGFILE_HEADER_DIRTY;
1165
1166 /* Update the log file header */
1167 FileOffset.QuadPart = 0LL;
1168 Status = LogFile->FileWrite(LogFile,
1169 &FileOffset,
1170 &LogFile->Header,
1171 sizeof(EVENTLOGHEADER),
1172 &WrittenLength);
1173 if (!NT_SUCCESS(Status))
1174 {
1175 EVTLTRACE1("FileWrite() failed (Status 0x%08lx)\n", Status);
1176 return Status;
1177 }
1178
1179 /* Flush the log file */
1180 Status = LogFile->FileFlush(LogFile, NULL, 0);
1181 if (!NT_SUCCESS(Status))
1182 {
1183 EVTLTRACE1("FileFlush() failed (Status 0x%08lx)\n", Status);
1184 return Status;
1185 }
1186
1187 return STATUS_SUCCESS;
1188}
FSRTL_ADVANCED_FCB_HEADER Header
Definition: cdstruc.h:925

Referenced by ElfBackupFile(), ElfCloseFile(), ElfpInitExistingFile(), ElfrFlushEL(), and ElfWriteRecord().

◆ ElfGetCurrentRecord()

ULONG NTAPI ElfGetCurrentRecord ( IN PEVTLOGFILE  LogFile)

Definition at line 1625 of file evtlib.c.

1627{
1628 ASSERT(LogFile);
1629 return LogFile->Header.CurrentRecordNumber;
1630}

Referenced by ElfrNumberOfRecords(), and LogfReadEvents().

◆ ElfGetFlags()

ULONG NTAPI ElfGetFlags ( IN PEVTLOGFILE  LogFile)

Definition at line 1634 of file evtlib.c.

1636{
1637 ASSERT(LogFile);
1638 return LogFile->Header.Flags;
1639}

Referenced by ElfrGetLogInformation().

◆ ElfGetOldestRecord()

ULONG NTAPI ElfGetOldestRecord ( IN PEVTLOGFILE  LogFile)

Definition at line 1616 of file evtlib.c.

1618{
1619 ASSERT(LogFile);
1620 return LogFile->Header.OldestRecordNumber;
1621}

Referenced by ElfrNumberOfRecords(), ElfrOldestRecord(), and LogfReadEvents().

◆ ElfReadRecord()

NTSTATUS NTAPI ElfReadRecord ( IN PEVTLOGFILE  LogFile,
IN ULONG  RecordNumber,
OUT PEVENTLOGRECORD  Record,
IN SIZE_T  BufSize,
OUT PSIZE_T BytesRead  OPTIONAL,
OUT PSIZE_T BytesNeeded  OPTIONAL 
)

Definition at line 1210 of file evtlib.c.

1217{
1220 ULONG RecOffset;
1221 ULONG RecSize;
1223
1224 ASSERT(LogFile);
1225
1226 if (BytesRead)
1227 *BytesRead = 0;
1228
1229 if (BytesNeeded)
1230 *BytesNeeded = 0;
1231
1232 /* Retrieve the offset of the event record */
1233 RecOffset = ElfpOffsetByNumber(LogFile, RecordNumber);
1234 if (RecOffset == 0)
1235 return STATUS_NOT_FOUND;
1236
1237 /* Retrieve its full size */
1238 FileOffset.QuadPart = RecOffset;
1239 Status = LogFile->FileRead(LogFile,
1240 &FileOffset,
1241 &RecSize,
1242 sizeof(RecSize),
1243 &ReadLength);
1244 if (!NT_SUCCESS(Status))
1245 {
1246 EVTLTRACE1("FileRead() failed (Status 0x%08lx)\n", Status);
1247 // Status = STATUS_EVENTLOG_FILE_CORRUPT;
1248 return Status;
1249 }
1250
1251 /* Check whether the buffer is big enough to hold the event record */
1252 if (BufSize < RecSize)
1253 {
1254 if (BytesNeeded)
1255 *BytesNeeded = RecSize;
1256
1258 }
1259
1260 /* Read the event record into the buffer */
1261 FileOffset.QuadPart = RecOffset;
1262 Status = ReadLogBuffer(LogFile,
1263 Record,
1264 RecSize,
1265 &ReadLength,
1266 &FileOffset,
1267 NULL);
1268 if (!NT_SUCCESS(Status))
1269 {
1270 EVTLTRACE1("ReadLogBuffer failed (Status 0x%08lx)\n", Status);
1271 // Status = STATUS_EVENTLOG_FILE_CORRUPT;
1272 }
1273
1274 if (BytesRead)
1276
1277 return Status;
1278}
#define BufSize
Definition: FsRtlTunnel.c:28
#define STATUS_NOT_FOUND
Definition: shellext.h:72
#define STATUS_BUFFER_TOO_SMALL
Definition: shellext.h:69
_Must_inspect_result_ _In_ WDFIOTARGET _In_opt_ WDFREQUEST _In_opt_ PWDF_MEMORY_DESCRIPTOR _In_opt_ PLONGLONG _In_opt_ PWDF_REQUEST_SEND_OPTIONS _Out_opt_ PULONG_PTR BytesRead
Definition: wdfiotarget.h:870
_In_ struct _KBUGCHECK_REASON_CALLBACK_RECORD * Record
Definition: ketypes.h:320

Referenced by ReadRecord().

◆ ElfReCreateFile()

NTSTATUS NTAPI ElfReCreateFile ( IN PEVTLOGFILE  LogFile)

Definition at line 979 of file evtlib.c.

981{
982 ASSERT(LogFile);
983
984 return ElfpInitNewFile(LogFile,
985 LogFile->CurrentSize,
986 LogFile->Header.MaxSize,
987 LogFile->Header.Retention);
988}

Referenced by LogfClearFile().

◆ ElfWriteRecord()

NTSTATUS NTAPI ElfWriteRecord ( IN PEVTLOGFILE  LogFile,
IN PEVENTLOGRECORD  Record,
IN SIZE_T  BufSize 
)

Definition at line 1282 of file evtlib.c.

1286{
1288 LARGE_INTEGER FileOffset, NextOffset;
1289 SIZE_T ReadLength, WrittenLength;
1290 EVENTLOGEOF EofRec;
1291 EVENTLOGRECORD RecBuf;
1292 ULONG FreeSpace = 0;
1293 ULONG UpperBound;
1294 ULONG RecOffset, WriteOffset;
1295
1296 ASSERT(LogFile);
1297
1298 if (LogFile->ReadOnly)
1299 return STATUS_ACCESS_DENIED;
1300
1301 // ASSERT(sizeof(*Record) == sizeof(RecBuf));
1302
1303 if (!Record || BufSize < sizeof(*Record))
1305
1306 Record->RecordNumber = LogFile->Header.CurrentRecordNumber;
1307
1308 /* Compute the available log free space */
1309 if (LogFile->Header.StartOffset <= LogFile->Header.EndOffset)
1310 FreeSpace = LogFile->Header.MaxSize - LogFile->Header.EndOffset + LogFile->Header.StartOffset - sizeof(EVENTLOGHEADER);
1311 else // if (LogFile->Header.StartOffset > LogFile->Header.EndOffset)
1312 FreeSpace = LogFile->Header.StartOffset - LogFile->Header.EndOffset;
1313
1314 LogFile->Header.Flags |= ELF_LOGFILE_HEADER_DIRTY;
1315
1316 /* If the event log was empty, it will now contain one record */
1317 if (LogFile->Header.OldestRecordNumber == 0)
1318 LogFile->Header.OldestRecordNumber = 1;
1319
1320 /* By default we append the new record at the old EOF record offset */
1321 WriteOffset = LogFile->Header.EndOffset;
1322
1323 /*
1324 * Check whether the log is going to wrap (the events being overwritten).
1325 */
1326
1327 if (LogFile->Header.StartOffset <= LogFile->Header.EndOffset)
1328 UpperBound = LogFile->Header.MaxSize;
1329 else // if (LogFile->Header.StartOffset > LogFile->Header.EndOffset)
1330 UpperBound = LogFile->Header.StartOffset;
1331
1332 // if (LogFile->Header.MaxSize - WriteOffset < BufSize + sizeof(EofRec))
1333 if (UpperBound - WriteOffset < BufSize + sizeof(EofRec))
1334 {
1335 EVTLTRACE("The event log file has reached maximum size (0x%x), wrapping...\n"
1336 "UpperBound = 0x%x, WriteOffset = 0x%x, BufSize = 0x%x\n",
1337 LogFile->Header.MaxSize, UpperBound, WriteOffset, BufSize);
1338 /* This will be done later */
1339 }
1340
1341 if ( (LogFile->Header.StartOffset < LogFile->Header.EndOffset) &&
1342 (LogFile->Header.MaxSize - WriteOffset < sizeof(RecBuf)) ) // (UpperBound - WriteOffset < sizeof(RecBuf))
1343 {
1344 // ASSERT(UpperBound == LogFile->Header.MaxSize);
1345 // ASSERT(WriteOffset == LogFile->Header.EndOffset);
1346
1347 /*
1348 * We cannot fit the EVENTLOGRECORD header of the buffer before
1349 * the end of the file. We need to pad the end of the log with
1350 * 0x00000027, normally we will need to pad at most 0x37 bytes
1351 * (corresponding to sizeof(EVENTLOGRECORD) - 1).
1352 */
1353
1354 /* Rewind to the beginning of the log, just after the header */
1355 WriteOffset = sizeof(EVENTLOGHEADER);
1356 UpperBound = LogFile->Header.StartOffset;
1357
1358 FreeSpace = LogFile->Header.StartOffset - WriteOffset;
1359
1360 LogFile->Header.Flags |= ELF_LOGFILE_HEADER_WRAP;
1361 }
1362 /*
1363 * Otherwise, we can fit the header and only part
1364 * of the data will overwrite the oldest records.
1365 *
1366 * It might be possible that all the event record can fit in one piece,
1367 * but that the EOF record needs to be split. This is not a problem,
1368 * EVENTLOGEOF can be splitted while EVENTLOGRECORD cannot be.
1369 */
1370
1371 if (UpperBound - WriteOffset < BufSize + sizeof(EofRec))
1372 {
1373 ULONG OrgOldestRecordNumber, OldestRecordNumber;
1374
1375 // DPRINT("EventLogFile has reached maximum size, wrapping...\n");
1376
1377 OldestRecordNumber = OrgOldestRecordNumber = LogFile->Header.OldestRecordNumber;
1378
1379 // FIXME: Assert whether LogFile->Header.StartOffset is the beginning of a record???
1380 // NOTE: It should be, by construction (and this should have been checked when
1381 // initializing a new, or existing log).
1382
1383 /*
1384 * Determine how many old records need to be overwritten.
1385 * Check the size of the record as the record added may be larger.
1386 * Need to take into account that we append the EOF record.
1387 */
1388 while (FreeSpace < BufSize + sizeof(EofRec))
1389 {
1390 /* Get the oldest record data */
1391 RecOffset = ElfpOffsetByNumber(LogFile, OldestRecordNumber);
1392 if (RecOffset == 0)
1393 {
1394 EVTLTRACE1("Record number %d cannot be found, or log file is full and cannot wrap!\n", OldestRecordNumber);
1395 LogFile->Header.Flags |= ELF_LOGFILE_LOGFULL_WRITTEN;
1396 return STATUS_LOG_FILE_FULL;
1397 }
1398
1399 RtlZeroMemory(&RecBuf, sizeof(RecBuf));
1400
1401 FileOffset.QuadPart = RecOffset;
1402 Status = LogFile->FileRead(LogFile,
1403 &FileOffset,
1404 &RecBuf,
1405 sizeof(RecBuf),
1406 &ReadLength);
1407 if (!NT_SUCCESS(Status))
1408 {
1409 EVTLTRACE1("FileRead() failed (Status 0x%08lx)\n", Status);
1410 // Status = STATUS_EVENTLOG_FILE_CORRUPT;
1411 return Status;
1412 }
1413
1414 if (RecBuf.Reserved != LOGFILE_SIGNATURE)
1415 {
1416 EVTLTRACE1("The event log file is corrupted!\n");
1418 }
1419
1420 /*
1421 * Check whether this event can be overwritten by comparing its
1422 * written timestamp with the log's retention value. This value
1423 * is the time interval, in seconds, that events records are
1424 * protected from being overwritten.
1425 *
1426 * If the retention value is zero the events are always overwritten.
1427 *
1428 * If the retention value is non-zero, when the age of an event,
1429 * in seconds, reaches or exceeds this value, it can be overwritten.
1430 * Also if the events are in the future, we do not overwrite them.
1431 */
1432 if (LogFile->Header.Retention != 0 &&
1433 (Record->TimeWritten < RecBuf.TimeWritten ||
1434 (Record->TimeWritten >= RecBuf.TimeWritten &&
1435 Record->TimeWritten - RecBuf.TimeWritten < LogFile->Header.Retention)))
1436 {
1437 EVTLTRACE1("The event log file is full and cannot wrap because of the retention policy.\n");
1438 LogFile->Header.Flags |= ELF_LOGFILE_LOGFULL_WRITTEN;
1439 return STATUS_LOG_FILE_FULL;
1440 }
1441
1442 /*
1443 * Advance the oldest record number, add the event record length
1444 * (as long as it is valid...) then take account for the possible
1445 * paddind after the record, in case this is the last one at the
1446 * end of the file.
1447 */
1448 OldestRecordNumber++;
1449 RecOffset += RecBuf.Length;
1450 FreeSpace += RecBuf.Length;
1451
1452 /*
1453 * If this was the last event record before the end of the log file,
1454 * the next one should start at the beginning of the log and the space
1455 * between the last event record and the end of the file is padded.
1456 */
1457 if (LogFile->Header.MaxSize - RecOffset < sizeof(EVENTLOGRECORD))
1458 {
1459 /* Add the padding size */
1460 FreeSpace += LogFile->Header.MaxSize - RecOffset;
1461 }
1462 }
1463
1464 EVTLTRACE("Record will fit. FreeSpace %d, BufSize %d\n", FreeSpace, BufSize);
1465
1466 /* The log records are wrapping */
1467 LogFile->Header.Flags |= ELF_LOGFILE_HEADER_WRAP;
1468
1469
1470 // FIXME: May lead to corruption if the other subsequent calls fail...
1471
1472 /*
1473 * We have validated all the region of events to be discarded,
1474 * now we can perform their deletion.
1475 */
1476 ElfpDeleteOffsetInformation(LogFile, OrgOldestRecordNumber, OldestRecordNumber - 1);
1477 LogFile->Header.OldestRecordNumber = OldestRecordNumber;
1478 LogFile->Header.StartOffset = ElfpOffsetByNumber(LogFile, OldestRecordNumber);
1479 if (LogFile->Header.StartOffset == 0)
1480 {
1481 /*
1482 * We have deleted all the existing event records to make place
1483 * for the new one. We can put it at the start of the event log.
1484 */
1485 LogFile->Header.StartOffset = sizeof(EVENTLOGHEADER);
1486 WriteOffset = LogFile->Header.StartOffset;
1487 LogFile->Header.EndOffset = WriteOffset;
1488 }
1489
1490 EVTLTRACE("MaxSize = 0x%x, StartOffset = 0x%x, WriteOffset = 0x%x, EndOffset = 0x%x, BufSize = 0x%x\n"
1491 "OldestRecordNumber = %d\n",
1492 LogFile->Header.MaxSize, LogFile->Header.StartOffset, WriteOffset, LogFile->Header.EndOffset, BufSize,
1493 OldestRecordNumber);
1494 }
1495
1496 /*
1497 * Expand the log file if needed.
1498 * NOTE: It may be needed to perform this task a bit sooner if we need
1499 * such a thing for performing read operations, in the future...
1500 * Or if this operation needs to modify 'FreeSpace'...
1501 */
1502 if (LogFile->CurrentSize < LogFile->Header.MaxSize)
1503 {
1504 ULONG NewSize = WriteOffset + BufSize + sizeof(EofRec);
1505
1506 if (WriteOffset < LogFile->Header.EndOffset || NewSize > LogFile->Header.MaxSize)
1507 NewSize = LogFile->Header.MaxSize;
1508 else
1510
1511 if (NewSize > LogFile->CurrentSize)
1512 {
1513 EVTLTRACE1("Expanding the log file from %lu to %lu\n",
1514 LogFile->CurrentSize, NewSize);
1515 Status = LogFile->FileSetSize(LogFile, NewSize, LogFile->CurrentSize);
1516 if (!NT_SUCCESS(Status))
1517 {
1518 EVTLTRACE1("FileSetSize() failed (Status 0x%08lx)\n", Status);
1519 return Status;
1520 }
1521 LogFile->CurrentSize = NewSize;
1522 }
1523 }
1524
1525 /* Since we can write events in the log, clear the log full flag */
1526 LogFile->Header.Flags &= ~ELF_LOGFILE_LOGFULL_WRITTEN;
1527
1528 /* Pad the end of the log */
1529 // if (LogFile->Header.EndOffset + sizeof(RecBuf) > LogFile->Header.MaxSize)
1530 if (WriteOffset < LogFile->Header.EndOffset)
1531 {
1532 /* Pad all the space from LogFile->Header.EndOffset to LogFile->Header.MaxSize */
1533 WrittenLength = ROUND_DOWN(LogFile->Header.MaxSize - LogFile->Header.EndOffset, sizeof(ULONG));
1534 RtlFillMemoryUlong(&RecBuf, WrittenLength, 0x00000027);
1535
1536 FileOffset.QuadPart = LogFile->Header.EndOffset;
1537 Status = LogFile->FileWrite(LogFile,
1538 &FileOffset,
1539 &RecBuf,
1540 WrittenLength,
1541 &WrittenLength);
1542 if (!NT_SUCCESS(Status))
1543 {
1544 EVTLTRACE1("FileWrite() failed (Status 0x%08lx)\n", Status);
1545 // return Status;
1546 }
1547 }
1548
1549 /* Write the event record buffer with possible wrap at offset sizeof(EVENTLOGHEADER) */
1550 FileOffset.QuadPart = WriteOffset;
1551 Status = WriteLogBuffer(LogFile,
1552 Record,
1553 BufSize,
1554 &WrittenLength,
1555 &FileOffset,
1556 &NextOffset);
1557 if (!NT_SUCCESS(Status))
1558 {
1559 EVTLTRACE1("WriteLogBuffer failed (Status 0x%08lx)\n", Status);
1560 return Status;
1561 }
1562 /* FileOffset now contains the offset just after the end of the record buffer */
1563 FileOffset = NextOffset;
1564
1565 if (!ElfpAddOffsetInformation(LogFile,
1566 Record->RecordNumber,
1567 WriteOffset))
1568 {
1569 return STATUS_NO_MEMORY; // STATUS_EVENTLOG_FILE_CORRUPT;
1570 }
1571
1572 LogFile->Header.CurrentRecordNumber++;
1573 if (LogFile->Header.CurrentRecordNumber == 0)
1574 LogFile->Header.CurrentRecordNumber = 1;
1575
1576 /*
1577 * Write the new EOF record offset just after the event record.
1578 * The EOF record can wrap (be splitted) if less than sizeof(EVENTLOGEOF)
1579 * bytes remains between the end of the record and the end of the log file.
1580 */
1581 LogFile->Header.EndOffset = FileOffset.QuadPart;
1582
1583 RtlCopyMemory(&EofRec, &EOFRecord, sizeof(EOFRecord));
1584 EofRec.BeginRecord = LogFile->Header.StartOffset;
1585 EofRec.EndRecord = LogFile->Header.EndOffset;
1586 EofRec.CurrentRecordNumber = LogFile->Header.CurrentRecordNumber;
1587 EofRec.OldestRecordNumber = LogFile->Header.OldestRecordNumber;
1588
1589 // FileOffset.QuadPart = LogFile->Header.EndOffset;
1590 Status = WriteLogBuffer(LogFile,
1591 &EofRec,
1592 sizeof(EofRec),
1593 &WrittenLength,
1594 &FileOffset,
1595 &NextOffset);
1596 if (!NT_SUCCESS(Status))
1597 {
1598 EVTLTRACE1("WriteLogBuffer failed (Status 0x%08lx)\n", Status);
1599 return Status;
1600 }
1601 FileOffset = NextOffset;
1602
1603 /* Flush the log file */
1604 Status = ElfFlushFile(LogFile);
1605 if (!NT_SUCCESS(Status))
1606 {
1607 EVTLTRACE1("ElfFlushFile() failed (Status 0x%08lx)\n", Status);
1608 return STATUS_EVENTLOG_FILE_CORRUPT; // Status;
1609 }
1610
1611 return Status;
1612}
#define ROUND_DOWN(n, align)
Definition: eventvwr.h:33
static BOOL ElfpAddOffsetInformation(IN PEVTLOGFILE LogFile, IN ULONG ulNumber, IN ULONG ulOffset)
Definition: evtlib.c:216
#define EVENTLOG_FILE_GRANULARITY
Definition: evtlib.c:26
static BOOL ElfpDeleteOffsetInformation(IN PEVTLOGFILE LogFile, IN ULONG ulNumberMin, IN ULONG ulNumberMax)
Definition: evtlib.c:257
static NTSTATUS WriteLogBuffer(IN PEVTLOGFILE LogFile, IN PVOID Buffer, IN SIZE_T Length, OUT PSIZE_T WrittenLength OPTIONAL, IN PLARGE_INTEGER ByteOffset, OUT PLARGE_INTEGER NextOffset OPTIONAL)
Definition: evtlib.c:113
#define ELF_LOGFILE_LOGFULL_WRITTEN
Definition: evtlib.h:50
#define ELF_LOGFILE_HEADER_WRAP
Definition: evtlib.h:49
_Must_inspect_result_ _In_ USHORT NewSize
Definition: fltkernel.h:975
#define RtlFillMemoryUlong(dst, len, val)
Definition: mkhive.h:55
#define STATUS_LOG_FILE_FULL
Definition: ntstatus.h:719
#define STATUS_EVENTLOG_FILE_CORRUPT
Definition: ntstatus.h:725
#define STATUS_ACCESS_DENIED
Definition: udferr_usr.h:145
_Must_inspect_result_ _In_ WDFUSBPIPE _In_ WDFREQUEST _In_opt_ WDFMEMORY _In_opt_ PWDFMEMORY_OFFSET WriteOffset
Definition: wdfusb.h:1921

Referenced by LogfWriteRecord().