ReactOS  r75214
Classes | Macros | Typedefs | Functions
evtlib.h File Reference
#include <ndk/rtlfuncs.h>
#include <pshpack4.h>
#include <poppack.h>
Include dependency graph for evtlib.h:
This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Classes

struct  _EVENTLOGHEADER
 
struct  _EVENTLOGRECORD
 
struct  _EVENTLOGEOF
 
struct  _EVENT_OFFSET_INFO
 
struct  _EVTLOGFILE
 

Macros

#define NTOS_MODE_USER
 
#define ROUND_DOWN(n, align)   (((ULONG)n) & ~((align) - 1l))
 
#define ROUND_UP(n, align)   ROUND_DOWN(((ULONG)n) + (align) - 1, (align))
 
#define MAJORVER   1
 
#define MINORVER   1
 
#define LOGFILE_SIGNATURE   0x654c664c
 
#define ELF_LOGFILE_HEADER_DIRTY   1
 
#define ELF_LOGFILE_HEADER_WRAP   2
 
#define ELF_LOGFILE_LOGFULL_WRITTEN   4
 
#define ELF_LOGFILE_ARCHIVE_SET   8
 
#define EVENTLOG_SUCCESS   0
 
#define EVENTLOG_ERROR_TYPE   1
 
#define EVENTLOG_WARNING_TYPE   2
 
#define EVENTLOG_INFORMATION_TYPE   4
 
#define EVENTLOG_AUDIT_SUCCESS   8
 
#define EVENTLOG_AUDIT_FAILURE   16
 
#define EVENTLOGEOF_SIZE_FIXED   (5 * sizeof(ULONG))
 
#define TAG_ELF   ' flE'
 
#define TAG_ELF_BUF   'BflE'
 

Typedefs

typedef struct _EVENTLOGHEADER EVENTLOGHEADER
 
typedef struct _EVENTLOGHEADERPEVENTLOGHEADER
 
typedef struct _EVENTLOGRECORD EVENTLOGRECORD
 
typedef struct _EVENTLOGRECORDPEVENTLOGRECORD
 
typedef struct _EVENTLOGEOF EVENTLOGEOF
 
typedef struct _EVENTLOGEOFPEVENTLOGEOF
 
typedef struct _EVENT_OFFSET_INFO EVENT_OFFSET_INFO
 
typedef struct _EVENT_OFFSET_INFOPEVENT_OFFSET_INFO
 
typedef IN ULONG Flags
 
typedef IN ULONG IN ULONG Tag
 
typedef VOID(NTAPIPELF_FREE_ROUTINE )(IN PVOID Ptr, IN ULONG Flags)
 
typedef NTSTATUS(NTAPIPELF_FILE_READ_ROUTINE )(IN struct _EVTLOGFILE *LogFile, IN PLARGE_INTEGER FileOffset, OUT PVOID Buffer, IN SIZE_T Length, OUT PSIZE_T ReadLength OPTIONAL)
 
typedef NTSTATUS(NTAPIPELF_FILE_WRITE_ROUTINE )(IN struct _EVTLOGFILE *LogFile, IN PLARGE_INTEGER FileOffset, IN PVOID Buffer, IN SIZE_T Length, OUT PSIZE_T WrittenLength OPTIONAL)
 
typedef NTSTATUS(NTAPIPELF_FILE_SET_SIZE_ROUTINE )(IN struct _EVTLOGFILE *LogFile, IN ULONG FileSize, IN ULONG OldFileSize)
 
typedef NTSTATUS(NTAPIPELF_FILE_FLUSH_ROUTINE )(IN struct _EVTLOGFILE *LogFile, IN PLARGE_INTEGER FileOffset, IN ULONG Length)
 
typedef struct _EVTLOGFILE EVTLOGFILE
 
typedef struct _EVTLOGFILEPEVTLOGFILE
 

Functions

 C_ASSERT (EVENTLOGEOF_SIZE_FIXED==FIELD_OFFSET(EVENTLOGEOF, BeginRecord))
 
typedef PVOID (NTAPI *PELF_ALLOCATE_ROUTINE)(IN SIZE_T Size
 
NTSTATUS NTAPI ElfCreateFile (IN PEVTLOGFILE LogFile, IN PUNICODE_STRING FileName OPTIONAL, IN ULONG FileSize, IN ULONG MaxSize, IN ULONG Retention, IN BOOLEAN CreateNew, IN BOOLEAN ReadOnly, IN PELF_ALLOCATE_ROUTINE Allocate, IN PELF_FREE_ROUTINE Free, IN PELF_FILE_SET_SIZE_ROUTINE FileSetSize, IN PELF_FILE_WRITE_ROUTINE FileWrite, IN PELF_FILE_READ_ROUTINE FileRead, IN PELF_FILE_FLUSH_ROUTINE FileFlush)
 
NTSTATUS NTAPI ElfReCreateFile (IN PEVTLOGFILE LogFile)
 
NTSTATUS NTAPI ElfBackupFile (IN PEVTLOGFILE LogFile, IN PEVTLOGFILE BackupLogFile)
 
NTSTATUS NTAPI ElfFlushFile (IN PEVTLOGFILE LogFile)
 
VOID NTAPI ElfCloseFile (IN PEVTLOGFILE LogFile)
 
NTSTATUS NTAPI ElfReadRecord (IN PEVTLOGFILE LogFile, IN ULONG RecordNumber, OUT PEVENTLOGRECORD Record, IN SIZE_T BufSize, OUT PSIZE_T BytesRead OPTIONAL, OUT PSIZE_T BytesNeeded OPTIONAL)
 
NTSTATUS NTAPI ElfWriteRecord (IN PEVTLOGFILE LogFile, IN PEVENTLOGRECORD Record, IN SIZE_T BufSize)
 
ULONG NTAPI ElfGetOldestRecord (IN PEVTLOGFILE LogFile)
 
ULONG NTAPI ElfGetCurrentRecord (IN PEVTLOGFILE LogFile)
 
ULONG NTAPI ElfGetFlags (IN PEVTLOGFILE LogFile)
 

Macro Definition Documentation

#define ELF_LOGFILE_ARCHIVE_SET   8

Definition at line 45 of file evtlib.h.

#define ELF_LOGFILE_HEADER_DIRTY   1

Definition at line 42 of file evtlib.h.

Referenced by ElfBackupFile(), ElfFlushFile(), ElfpInitExistingFile(), and ElfWriteRecord().

#define ELF_LOGFILE_HEADER_WRAP   2

Definition at line 43 of file evtlib.h.

Referenced by ElfWriteRecord(), and WriteLogBuffer().

#define ELF_LOGFILE_LOGFULL_WRITTEN   4

Definition at line 44 of file evtlib.h.

Referenced by ElfrGetLogInformation(), and ElfWriteRecord().

#define EVENTLOG_AUDIT_FAILURE   16

Definition at line 82 of file evtlib.h.

#define EVENTLOG_AUDIT_SUCCESS   8

Definition at line 81 of file evtlib.h.

#define EVENTLOG_ERROR_TYPE   1

Definition at line 78 of file evtlib.h.

#define EVENTLOG_INFORMATION_TYPE   4

Definition at line 80 of file evtlib.h.

#define EVENTLOG_SUCCESS   0

Definition at line 77 of file evtlib.h.

#define EVENTLOG_WARNING_TYPE   2

Definition at line 79 of file evtlib.h.

#define EVENTLOGEOF_SIZE_FIXED   (5 * sizeof(ULONG))

Definition at line 133 of file evtlib.h.

Referenced by ElfpInitExistingFile().

#define LOGFILE_SIGNATURE   0x654c664c

Definition at line 37 of file evtlib.h.

Referenced by ElfBackupFile(), ElfpInitExistingFile(), ElfpInitNewFile(), ElfWriteRecord(), and LogfAllocAndBuildNewRecord().

#define MAJORVER   1

Definition at line 35 of file evtlib.h.

Referenced by ElfBackupFile(), and ElfpInitNewFile().

#define MINORVER   1

Definition at line 36 of file evtlib.h.

Referenced by ElfBackupFile(), and ElfpInitNewFile().

#define NTOS_MODE_USER

Definition at line 21 of file evtlib.h.

#define ROUND_DOWN (   n,
  align 
)    (((ULONG)n) & ~((align) - 1l))

Definition at line 25 of file evtlib.h.

#define ROUND_UP (   n,
  align 
)    ROUND_DOWN(((ULONG)n) + (align) - 1, (align))

Definition at line 29 of file evtlib.h.

#define TAG_ELF   ' flE'

Definition at line 145 of file evtlib.h.

Referenced by ElfCreateFile(), and ElfpAddOffsetInformation().

#define TAG_ELF_BUF   'BflE'

Definition at line 146 of file evtlib.h.

Referenced by ElfBackupFile(), and ElfpInitExistingFile().

Typedef Documentation

typedef struct _EVENT_OFFSET_INFO EVENT_OFFSET_INFO
typedef struct _EVENTLOGEOF EVENTLOGEOF
typedef struct _EVENTLOGHEADER EVENTLOGHEADER
typedef struct _EVENTLOGRECORD EVENTLOGRECORD
typedef struct _EVTLOGFILE EVTLOGFILE
typedef IN ULONG Flags

Definition at line 153 of file evtlib.h.

typedef NTSTATUS(NTAPI * PELF_FILE_FLUSH_ROUTINE)(IN struct _EVTLOGFILE *LogFile, IN PLARGE_INTEGER FileOffset, IN ULONG Length)

Definition at line 189 of file evtlib.h.

typedef NTSTATUS(NTAPI * PELF_FILE_READ_ROUTINE)(IN struct _EVTLOGFILE *LogFile, IN PLARGE_INTEGER FileOffset, OUT PVOID Buffer, IN SIZE_T Length, OUT PSIZE_T ReadLength OPTIONAL)

Definition at line 164 of file evtlib.h.

typedef NTSTATUS(NTAPI * PELF_FILE_SET_SIZE_ROUTINE)(IN struct _EVTLOGFILE *LogFile, IN ULONG FileSize, IN ULONG OldFileSize)

Definition at line 182 of file evtlib.h.

typedef NTSTATUS(NTAPI * PELF_FILE_WRITE_ROUTINE)(IN struct _EVTLOGFILE *LogFile, IN PLARGE_INTEGER FileOffset, IN PVOID Buffer, IN SIZE_T Length, OUT PSIZE_T WrittenLength OPTIONAL)

Definition at line 173 of file evtlib.h.

typedef VOID(NTAPI * PELF_FREE_ROUTINE)(IN PVOID Ptr, IN ULONG Flags)

Definition at line 158 of file evtlib.h.

typedef struct _EVENT_OFFSET_INFO * PEVENT_OFFSET_INFO
typedef struct _EVENTLOGEOF * PEVENTLOGEOF
typedef struct _EVENTLOGHEADER * PEVENTLOGHEADER
typedef struct _EVENTLOGRECORD * PEVENTLOGRECORD
typedef struct _EVTLOGFILE * PEVTLOGFILE
_In_ ULONG _In_opt_ PACCESS_STATE _In_ ACCESS_MASK _In_opt_ POBJECT_TYPE _In_ KPROCESSOR_MODE _In_ ULONG Tag

Definition at line 153 of file evtlib.h.

Function Documentation

C_ASSERT ( EVENTLOGEOF_SIZE_FIXED  = =FIELD_OFFSET(EVENTLOGEOF, BeginRecord))
NTSTATUS NTAPI ElfBackupFile ( IN PEVTLOGFILE  LogFile,
IN PEVTLOGFILE  BackupLogFile 
)

Definition at line 980 of file evtlib.c.

Referenced by LogfBackupFile().

983 {
984  NTSTATUS Status;
985 
986  LARGE_INTEGER FileOffset;
987  SIZE_T ReadLength, WrittenLength;
988  PEVENTLOGHEADER Header;
989  EVENTLOGRECORD RecBuf;
990  EVENTLOGEOF EofRec;
991  ULONG i;
992  ULONG RecOffset;
993  PVOID Buffer = NULL;
994 
995  ASSERT(LogFile);
996 
997  RtlZeroMemory(BackupLogFile, sizeof(*BackupLogFile));
998 
999  BackupLogFile->FileSetSize = LogFile->FileSetSize;
1000  BackupLogFile->FileWrite = LogFile->FileWrite;
1001  BackupLogFile->FileFlush = LogFile->FileFlush;
1002 
1003  // BackupLogFile->CurrentSize = LogFile->CurrentSize;
1004 
1005  BackupLogFile->ReadOnly = FALSE;
1006 
1007  /* Initialize the (dirty) log file header */
1008  Header = &BackupLogFile->Header;
1009  Header->HeaderSize = sizeof(EVENTLOGHEADER);
1010  Header->Signature = LOGFILE_SIGNATURE;
1011  Header->MajorVersion = MAJORVER;
1012  Header->MinorVersion = MINORVER;
1013  Header->StartOffset = sizeof(EVENTLOGHEADER);
1014  Header->EndOffset = sizeof(EVENTLOGHEADER);
1015  Header->CurrentRecordNumber = 1;
1016  Header->OldestRecordNumber = 0;
1017  Header->MaxSize = LogFile->Header.MaxSize;
1018  Header->Flags = ELF_LOGFILE_HEADER_DIRTY;
1019  Header->Retention = LogFile->Header.Retention;
1020  Header->EndHeaderSize = sizeof(EVENTLOGHEADER);
1021 
1022  /* Write the (dirty) log file header */
1023  FileOffset.QuadPart = 0LL;
1024  Status = BackupLogFile->FileWrite(BackupLogFile,
1025  &FileOffset,
1026  Header,
1027  sizeof(EVENTLOGHEADER),
1028  &WrittenLength);
1029  if (!NT_SUCCESS(Status))
1030  {
1031  EVTLTRACE1("Failed to write the log file header (Status 0x%08lx)\n", Status);
1032  goto Quit;
1033  }
1034 
1035  for (i = LogFile->Header.OldestRecordNumber; i < LogFile->Header.CurrentRecordNumber; i++)
1036  {
1037  RecOffset = ElfpOffsetByNumber(LogFile, i);
1038  if (RecOffset == 0)
1039  break;
1040 
1041  /* Read the next EVENTLOGRECORD header at once (it cannot be split) */
1042  FileOffset.QuadPart = RecOffset;
1043  Status = LogFile->FileRead(LogFile,
1044  &FileOffset,
1045  &RecBuf,
1046  sizeof(RecBuf),
1047  &ReadLength);
1048  if (!NT_SUCCESS(Status))
1049  {
1050  EVTLTRACE1("FileRead() failed (Status 0x%08lx)\n", Status);
1051  goto Quit;
1052  }
1053 
1054  // if (ReadLength != sizeof(RecBuf))
1055  // break;
1056 
1057  Buffer = LogFile->Allocate(RecBuf.Length, 0, TAG_ELF_BUF);
1058  if (Buffer == NULL)
1059  {
1060  EVTLTRACE1("Allocate() failed!\n");
1061  goto Quit;
1062  }
1063 
1064  /* Read the full EVENTLOGRECORD (header + data) with wrapping */
1065  Status = ReadLogBuffer(LogFile,
1066  Buffer,
1067  RecBuf.Length,
1068  &ReadLength,
1069  &FileOffset,
1070  NULL);
1071  if (!NT_SUCCESS(Status))
1072  {
1073  EVTLTRACE1("ReadLogBuffer failed (Status 0x%08lx)\n", Status);
1074  LogFile->Free(Buffer, 0);
1075  // Status = STATUS_EVENTLOG_FILE_CORRUPT;
1076  goto Quit;
1077  }
1078 
1079  /* Write the event record (no wrap for the backup log) */
1080  Status = BackupLogFile->FileWrite(BackupLogFile,
1081  NULL,
1082  Buffer,
1083  RecBuf.Length,
1084  &WrittenLength);
1085  if (!NT_SUCCESS(Status))
1086  {
1087  EVTLTRACE1("FileWrite() failed (Status 0x%08lx)\n", Status);
1088  LogFile->Free(Buffer, 0);
1089  goto Quit;
1090  }
1091 
1092  /* Update the header information */
1093  Header->EndOffset += RecBuf.Length;
1094 
1095  /* Free the buffer */
1096  LogFile->Free(Buffer, 0);
1097  Buffer = NULL;
1098  }
1099 
1100 // Quit:
1101 
1102  /* Initialize the ELF_EOF_RECORD and write it (no wrap for the backup log) */
1103  RtlCopyMemory(&EofRec, &EOFRecord, sizeof(EOFRecord));
1104  EofRec.BeginRecord = Header->StartOffset;
1105  EofRec.EndRecord = Header->EndOffset;
1106  EofRec.CurrentRecordNumber = LogFile->Header.CurrentRecordNumber;
1107  EofRec.OldestRecordNumber = LogFile->Header.OldestRecordNumber;
1108 
1109  Status = BackupLogFile->FileWrite(BackupLogFile,
1110  NULL,
1111  &EofRec,
1112  sizeof(EofRec),
1113  &WrittenLength);
1114  if (!NT_SUCCESS(Status))
1115  {
1116  EVTLTRACE1("FileWrite() failed (Status 0x%08lx)\n", Status);
1117  goto Quit;
1118  }
1119 
1120  /* Update the header information */
1121  Header->CurrentRecordNumber = LogFile->Header.CurrentRecordNumber;
1122  Header->OldestRecordNumber = LogFile->Header.OldestRecordNumber;
1123  Header->MaxSize = ROUND_UP(Header->EndOffset + sizeof(EofRec), sizeof(ULONG));
1124  Header->Flags = 0; // FIXME?
1125 
1126  /* Flush the log file - Write the (clean) log file header */
1127  Status = ElfFlushFile(BackupLogFile);
1128 
1129 Quit:
1130  return Status;
1131 }
PVOID
DWORD *typedef PVOID
Definition: winlogon.h:52
_EVENTLOGRECORD
Definition: winnt_old.h:2560
RtlCopyMemory
NTSYSAPI VOID NTAPI RtlCopyMemory(VOID UNALIGNED *Destination, CONST VOID UNALIGNED *Source, ULONG Length)
LL
#define LL
Definition: tui.h:72
ROUND_UP
#define ROUND_UP(n, align)
Definition: eventvwr.h:31
ASSERT
ASSERT((InvokeOnSuccess||InvokeOnError||InvokeOnCancel)?(CompletionRoutine!=NULL):TRUE)
_EVENTLOGEOF
Definition: evtlib.h:119
EVTLTRACE1
#define EVTLTRACE1(...)
Definition: evtlib.c:21
_EVENTLOGHEADER::Signature
ULONG Signature
Definition: evtlib.h:59
_EVENTLOGRECORD::Length
DWORD Length
Definition: winnt_old.h:2561
_EVENTLOGEOF::OldestRecordNumber
ULONG OldestRecordNumber
Definition: evtlib.h:129
EOFRecord
static const EVENTLOGEOF EOFRecord
Definition: evtlib.c:26
i
GLenum GLclampf GLint i
Definition: glfuncs.h:14
FALSE
#define FALSE
Definition: types.h:117
Header
Definition: Header.h:8
NULL
smooth NULL
Definition: ftsmooth.c:513
_EVENTLOGEOF::EndRecord
ULONG EndRecord
Definition: evtlib.h:127
Buffer
Definition: bufpool.h:45
EVENTLOGHEADER
struct _EVENTLOGHEADER EVENTLOGHEADER
_EVENTLOGHEADER::Flags
ULONG Flags
Definition: evtlib.h:67
LOGFILE_SIGNATURE
#define LOGFILE_SIGNATURE
Definition: evtlib.h:37
MINORVER
#define MINORVER
Definition: evtlib.h:36
_EVENTLOGHEADER::MajorVersion
ULONG MajorVersion
Definition: evtlib.h:60
_EVENTLOGHEADER::OldestRecordNumber
ULONG OldestRecordNumber
Definition: evtlib.h:65
_EVENTLOGHEADER::MinorVersion
ULONG MinorVersion
Definition: evtlib.h:61
ReadLogBuffer
static NTSTATUS ReadLogBuffer(IN PEVTLOGFILE LogFile, OUT PVOID Buffer, IN SIZE_T Length, OUT PSIZE_T ReadLength OPTIONAL, IN PLARGE_INTEGER ByteOffset, OUT PLARGE_INTEGER NextOffset OPTIONAL)
Definition: evtlib.c:37
_EVENTLOGEOF::BeginRecord
ULONG BeginRecord
Definition: evtlib.h:126
_EVENTLOGHEADER::EndHeaderSize
ULONG EndHeaderSize
Definition: evtlib.h:69
_EVENTLOGHEADER::CurrentRecordNumber
ULONG CurrentRecordNumber
Definition: evtlib.h:64
ELF_LOGFILE_HEADER_DIRTY
#define ELF_LOGFILE_HEADER_DIRTY
Definition: evtlib.h:42
Status
Status
Definition: gdiplustypes.h:24
_EVENTLOGHEADER::MaxSize
ULONG MaxSize
Definition: evtlib.h:66
_EVENTLOGHEADER::EndOffset
ULONG EndOffset
Definition: evtlib.h:63
_EVENTLOGEOF::CurrentRecordNumber
ULONG CurrentRecordNumber
Definition: evtlib.h:128
SIZE_T
ULONG_PTR SIZE_T
Definition: typedefs.h:79
NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: cmd.c:149
NTSTATUS
LONG NTSTATUS
Definition: DriverTester.h:11
_EVENTLOGHEADER::HeaderSize
ULONG HeaderSize
Definition: evtlib.h:58
_EVENTLOGHEADER::Retention
ULONG Retention
Definition: evtlib.h:68
TAG_ELF_BUF
#define TAG_ELF_BUF
Definition: evtlib.h:146
_LARGE_INTEGER
Definition: typedefs.h:101
FileOffset
_In_ PLARGE_INTEGER FileOffset
Definition: cctypes.h:53
_EVENTLOGHEADER::StartOffset
ULONG StartOffset
Definition: evtlib.h:62
MAJORVER
#define MAJORVER
Definition: evtlib.h:35
ElfFlushFile
NTSTATUS NTAPI ElfFlushFile(IN PEVTLOGFILE LogFile)
Definition: evtlib.c:1135
ULONG
unsigned int ULONG
Definition: retypes.h:1
RtlZeroMemory
#define RtlZeroMemory(Destination, Length)
Definition: typedefs.h:262
_EVENTLOGHEADER
Definition: evtlib.h:56
ElfpOffsetByNumber
static ULONG ElfpOffsetByNumber(IN PEVTLOGFILE LogFile, IN ULONG RecordNumber)
Definition: evtlib.c:197
_LARGE_INTEGER::QuadPart
LONGLONG QuadPart
Definition: typedefs.h:113
VOID NTAPI ElfCloseFile ( IN PEVTLOGFILE  LogFile)

Definition at line 1180 of file evtlib.c.

Referenced by LogfClose().

1182 {
1183  ASSERT(LogFile);
1184 
1185  /* Flush the log file */
1186  ElfFlushFile(LogFile);
1187 
1188  /* Free the data */
1189  LogFile->Free(LogFile->OffsetInfo, 0);
1190 
1191  if (LogFile->FileName.Buffer)
1192  LogFile->Free(LogFile->FileName.Buffer, 0);
1193  RtlInitEmptyUnicodeString(&LogFile->FileName, NULL, 0);
1194 }
ASSERT
ASSERT((InvokeOnSuccess||InvokeOnError||InvokeOnCancel)?(CompletionRoutine!=NULL):TRUE)
NULL
smooth NULL
Definition: ftsmooth.c:513
ElfFlushFile
NTSTATUS NTAPI ElfFlushFile(IN PEVTLOGFILE LogFile)
Definition: evtlib.c:1135
NTSTATUS NTAPI ElfCreateFile ( IN PEVTLOGFILE  LogFile,
IN PUNICODE_STRING FileName  OPTIONAL,
IN ULONG  FileSize,
IN ULONG  MaxSize,
IN ULONG  Retention,
IN BOOLEAN  CreateNew,
IN BOOLEAN  ReadOnly,
IN PELF_ALLOCATE_ROUTINE  Allocate,
IN PELF_FREE_ROUTINE  Free,
IN PELF_FILE_SET_SIZE_ROUTINE  FileSetSize,
IN PELF_FILE_WRITE_ROUTINE  FileWrite,
IN PELF_FILE_READ_ROUTINE  FileRead,
IN PELF_FILE_FLUSH_ROUTINE  FileFlush 
)

Definition at line 876 of file evtlib.c.

Referenced by LogfCreate().

890 {
891  NTSTATUS Status = STATUS_SUCCESS;
892 
893  ASSERT(LogFile);
894 
895  /* Creating a new log file with the 'ReadOnly' flag set is incompatible */
896  if (CreateNew && ReadOnly)
897  return STATUS_INVALID_PARAMETER;
898 
899  RtlZeroMemory(LogFile, sizeof(*LogFile));
900 
901  LogFile->Allocate = Allocate;
902  LogFile->Free = Free;
903  LogFile->FileSetSize = FileSetSize;
904  LogFile->FileWrite = FileWrite;
905  LogFile->FileRead = FileRead;
906  LogFile->FileFlush = FileFlush;
907 
908  /* Copy the log file name if provided (optional) */
909  RtlInitEmptyUnicodeString(&LogFile->FileName, NULL, 0);
910  if (FileName && FileName->Buffer && FileName->Length &&
911  (FileName->Length <= FileName->MaximumLength))
912  {
913  LogFile->FileName.Buffer = LogFile->Allocate(FileName->Length,
914  HEAP_ZERO_MEMORY,
915  TAG_ELF);
916  if (LogFile->FileName.Buffer)
917  {
918  LogFile->FileName.MaximumLength = FileName->Length;
919  RtlCopyUnicodeString(&LogFile->FileName, FileName);
920  }
921  }
922 
923  LogFile->OffsetInfo = LogFile->Allocate(OFFSET_INFO_INCREMENT * sizeof(EVENT_OFFSET_INFO),
924  HEAP_ZERO_MEMORY,
925  TAG_ELF);
926  if (LogFile->OffsetInfo == NULL)
927  {
928  EVTLTRACE1("Cannot allocate heap\n");
929  Status = STATUS_NO_MEMORY;
930  goto Quit;
931  }
932  LogFile->OffsetInfoSize = OFFSET_INFO_INCREMENT;
933  LogFile->OffsetInfoNext = 0;
934 
935  // FIXME: Always use the regitry values for MaxSize,
936  // even for existing logs!
937 
938  // FIXME: On Windows, EventLog uses the MaxSize setting
939  // from the registry itself; the MaxSize from the header
940  // is just for information purposes.
941 
942  EVTLTRACE("Initializing log file `%wZ'\n", &LogFile->FileName);
943 
944  LogFile->ReadOnly = ReadOnly; // !CreateNew && ReadOnly;
945 
946  if (CreateNew)
947  Status = ElfpInitNewFile(LogFile, FileSize, MaxSize, Retention);
948  else
949  Status = ElfpInitExistingFile(LogFile, FileSize, /* MaxSize, */ Retention);
950 
951 Quit:
952  if (!NT_SUCCESS(Status))
953  {
954  if (LogFile->OffsetInfo)
955  LogFile->Free(LogFile->OffsetInfo, 0);
956 
957  if (LogFile->FileName.Buffer)
958  LogFile->Free(LogFile->FileName.Buffer, 0);
959  }
960 
961  return Status;
962 
963 }
STATUS_SUCCESS
#define STATUS_SUCCESS
Definition: contextmenu.cpp:55
ASSERT
ASSERT((InvokeOnSuccess||InvokeOnError||InvokeOnCancel)?(CompletionRoutine!=NULL):TRUE)
STATUS_INVALID_PARAMETER
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
FileSize
static SIZE_T FileSize
Definition: cabinet.c:51
ReadOnly
Definition: arc.h:80
OFFSET_INFO_INCREMENT
#define OFFSET_INFO_INCREMENT
Definition: evtlib.c:211
EVTLTRACE1
#define EVTLTRACE1(...)
Definition: evtlib.c:21
ElfpInitNewFile
static NTSTATUS ElfpInitNewFile(IN PEVTLOGFILE LogFile, IN ULONG FileSize, IN ULONG MaxSize, IN ULONG Retention)
Definition: evtlib.c:297
Allocate
_In_opt_ PALLOCATE_FUNCTION Allocate
Definition: exfuncs.h:656
RtlCopyUnicodeString
NTSYSAPI VOID NTAPI RtlCopyUnicodeString(PUNICODE_STRING DestinationString, PUNICODE_STRING SourceString)
Free
_In_opt_ PALLOCATE_FUNCTION _In_opt_ PFREE_FUNCTION Free
Definition: exfuncs.h:656
NULL
smooth NULL
Definition: ftsmooth.c:513
_FileName
Definition: filecomp.c:347
TAG_ELF
#define TAG_ELF
Definition: evtlib.h:145
_EVENT_OFFSET_INFO
Definition: evtlib.h:139
Status
Status
Definition: gdiplustypes.h:24
NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: cmd.c:149
NTSTATUS
LONG NTSTATUS
Definition: DriverTester.h:11
STATUS_NO_MEMORY
#define STATUS_NO_MEMORY
Definition: ntstatus.h:246
HEAP_ZERO_MEMORY
#define HEAP_ZERO_MEMORY
Definition: compat.h:123
EVTLTRACE
#define EVTLTRACE(...)
Definition: evtlib.c:19
RtlZeroMemory
#define RtlZeroMemory(Destination, Length)
Definition: typedefs.h:262
ElfpInitExistingFile
static NTSTATUS ElfpInitExistingFile(IN PEVTLOGFILE LogFile, IN ULONG FileSize, IN ULONG Retention)
Definition: evtlib.c:379
NTSTATUS NTAPI ElfFlushFile ( IN PEVTLOGFILE  LogFile)

Definition at line 1135 of file evtlib.c.

Referenced by ElfBackupFile(), ElfCloseFile(), ElfpInitExistingFile(), ElfrFlushEL(), and ElfWriteRecord().

1137 {
1138  NTSTATUS Status;
1139  LARGE_INTEGER FileOffset;
1140  SIZE_T WrittenLength;
1141 
1142  ASSERT(LogFile);
1143 
1144  if (LogFile->ReadOnly)
1145  return STATUS_SUCCESS; // STATUS_ACCESS_DENIED;
1146 
1147  /*
1148  * NOTE that both the EOF record *AND* the log file header
1149  * are supposed to be already updated!
1150  * We just remove the dirty log bit.
1151  */
1152  LogFile->Header.Flags &= ~ELF_LOGFILE_HEADER_DIRTY;
1153 
1154  /* Update the log file header */
1155  FileOffset.QuadPart = 0LL;
1156  Status = LogFile->FileWrite(LogFile,
1157  &FileOffset,
1158  &LogFile->Header,
1159  sizeof(EVENTLOGHEADER),
1160  &WrittenLength);
1161  if (!NT_SUCCESS(Status))
1162  {
1163  EVTLTRACE1("FileWrite() failed (Status 0x%08lx)\n", Status);
1164  return Status;
1165  }
1166 
1167  /* Flush the log file */
1168  Status = LogFile->FileFlush(LogFile, NULL, 0);
1169  if (!NT_SUCCESS(Status))
1170  {
1171  EVTLTRACE1("FileFlush() failed (Status 0x%08lx)\n", Status);
1172  return Status;
1173  }
1174 
1175  return STATUS_SUCCESS;
1176 }
STATUS_SUCCESS
#define STATUS_SUCCESS
Definition: contextmenu.cpp:55
LL
#define LL
Definition: tui.h:72
ASSERT
ASSERT((InvokeOnSuccess||InvokeOnError||InvokeOnCancel)?(CompletionRoutine!=NULL):TRUE)
EVTLTRACE1
#define EVTLTRACE1(...)
Definition: evtlib.c:21
NULL
smooth NULL
Definition: ftsmooth.c:513
ELF_LOGFILE_HEADER_DIRTY
#define ELF_LOGFILE_HEADER_DIRTY
Definition: evtlib.h:42
Status
Status
Definition: gdiplustypes.h:24
SIZE_T
ULONG_PTR SIZE_T
Definition: typedefs.h:79
NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: cmd.c:149
NTSTATUS
LONG NTSTATUS
Definition: DriverTester.h:11
_LARGE_INTEGER
Definition: typedefs.h:101
FileOffset
_In_ PLARGE_INTEGER FileOffset
Definition: cctypes.h:53
_EVENTLOGHEADER
Definition: evtlib.h:56
_LARGE_INTEGER::QuadPart
LONGLONG QuadPart
Definition: typedefs.h:113
ULONG NTAPI ElfGetCurrentRecord ( IN PEVTLOGFILE  LogFile)

Definition at line 1599 of file evtlib.c.

Referenced by ElfrNumberOfRecords(), and LogfReadEvents().

1601 {
1602  ASSERT(LogFile);
1603  return LogFile->Header.CurrentRecordNumber;
1604 }
ASSERT
ASSERT((InvokeOnSuccess||InvokeOnError||InvokeOnCancel)?(CompletionRoutine!=NULL):TRUE)
ULONG NTAPI ElfGetFlags ( IN PEVTLOGFILE  LogFile)

Definition at line 1608 of file evtlib.c.

Referenced by ElfrGetLogInformation().

1610 {
1611  ASSERT(LogFile);
1612  return LogFile->Header.Flags;
1613 }
ASSERT
ASSERT((InvokeOnSuccess||InvokeOnError||InvokeOnCancel)?(CompletionRoutine!=NULL):TRUE)
ULONG NTAPI ElfGetOldestRecord ( IN PEVTLOGFILE  LogFile)

Definition at line 1590 of file evtlib.c.

Referenced by ElfrNumberOfRecords(), ElfrOldestRecord(), and LogfReadEvents().

1592 {
1593  ASSERT(LogFile);
1594  return LogFile->Header.OldestRecordNumber;
1595 }
ASSERT
ASSERT((InvokeOnSuccess||InvokeOnError||InvokeOnCancel)?(CompletionRoutine!=NULL):TRUE)
NTSTATUS NTAPI ElfReadRecord ( IN PEVTLOGFILE  LogFile,
IN ULONG  RecordNumber,
OUT PEVENTLOGRECORD  Record,
IN SIZE_T  BufSize,
OUT PSIZE_T BytesRead  OPTIONAL,
OUT PSIZE_T BytesNeeded  OPTIONAL 
)

Definition at line 1198 of file evtlib.c.

Referenced by ReadRecord().

1205 {
1206  NTSTATUS Status;
1207  LARGE_INTEGER FileOffset;
1208  ULONG RecOffset;
1209  SIZE_T RecSize;
1210  SIZE_T ReadLength;
1211 
1212  ASSERT(LogFile);
1213 
1214  if (BytesRead)
1215  *BytesRead = 0;
1216 
1217  if (BytesNeeded)
1218  *BytesNeeded = 0;
1219 
1220  /* Retrieve the offset of the event record */
1221  RecOffset = ElfpOffsetByNumber(LogFile, RecordNumber);
1222  if (RecOffset == 0)
1223  return STATUS_NOT_FOUND;
1224 
1225  /* Retrieve its full size */
1226  FileOffset.QuadPart = RecOffset;
1227  Status = LogFile->FileRead(LogFile,
1228  &FileOffset,
1229  &RecSize,
1230  sizeof(RecSize),
1231  &ReadLength);
1232  if (!NT_SUCCESS(Status))
1233  {
1234  EVTLTRACE1("FileRead() failed (Status 0x%08lx)\n", Status);
1235  // Status = STATUS_EVENTLOG_FILE_CORRUPT;
1236  return Status;
1237  }
1238 
1239  /* Check whether the buffer is big enough to hold the event record */
1240  if (BufSize < RecSize)
1241  {
1242  if (BytesNeeded)
1243  *BytesNeeded = RecSize;
1244 
1245  return STATUS_BUFFER_TOO_SMALL;
1246  }
1247 
1248  /* Read the event record into the buffer */
1249  FileOffset.QuadPart = RecOffset;
1250  Status = ReadLogBuffer(LogFile,
1251  Record,
1252  RecSize,
1253  &ReadLength,
1254  &FileOffset,
1255  NULL);
1256  if (!NT_SUCCESS(Status))
1257  {
1258  EVTLTRACE1("ReadLogBuffer failed (Status 0x%08lx)\n", Status);
1259  // Status = STATUS_EVENTLOG_FILE_CORRUPT;
1260  }
1261 
1262  if (BytesRead)
1263  *BytesRead = ReadLength;
1264 
1265  return Status;
1266 }
ASSERT
ASSERT((InvokeOnSuccess||InvokeOnError||InvokeOnCancel)?(CompletionRoutine!=NULL):TRUE)
EVTLTRACE1
#define EVTLTRACE1(...)
Definition: evtlib.c:21
Record
_In_ struct _KBUGCHECK_REASON_CALLBACK_RECORD * Record
Definition: ketypes.h:256
STATUS_BUFFER_TOO_SMALL
#define STATUS_BUFFER_TOO_SMALL
Definition: udferr_usr.h:146
NULL
smooth NULL
Definition: ftsmooth.c:513
BufSize
#define BufSize
Definition: FsRtlTunnel.c:28
ReadLogBuffer
static NTSTATUS ReadLogBuffer(IN PEVTLOGFILE LogFile, OUT PVOID Buffer, IN SIZE_T Length, OUT PSIZE_T ReadLength OPTIONAL, IN PLARGE_INTEGER ByteOffset, OUT PLARGE_INTEGER NextOffset OPTIONAL)
Definition: evtlib.c:37
Status
Status
Definition: gdiplustypes.h:24
SIZE_T
ULONG_PTR SIZE_T
Definition: typedefs.h:79
NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: cmd.c:149
NTSTATUS
LONG NTSTATUS
Definition: DriverTester.h:11
_LARGE_INTEGER
Definition: typedefs.h:101
FileOffset
_In_ PLARGE_INTEGER FileOffset
Definition: cctypes.h:53
ULONG
unsigned int ULONG
Definition: retypes.h:1
ElfpOffsetByNumber
static ULONG ElfpOffsetByNumber(IN PEVTLOGFILE LogFile, IN ULONG RecordNumber)
Definition: evtlib.c:197
BytesRead
_Must_inspect_result_ _In_ PFILE_OBJECT _In_opt_ PLARGE_INTEGER _In_ ULONG _In_ FLT_IO_OPERATION_FLAGS _Out_opt_ PULONG BytesRead
Definition: fltkernel.h:1255
STATUS_NOT_FOUND
#define STATUS_NOT_FOUND
Definition: udferr_usr.h:181
_LARGE_INTEGER::QuadPart
LONGLONG QuadPart
Definition: typedefs.h:113
NTSTATUS NTAPI ElfReCreateFile ( IN PEVTLOGFILE  LogFile)

Definition at line 967 of file evtlib.c.

Referenced by LogfClearFile().

969 {
970  ASSERT(LogFile);
971 
972  return ElfpInitNewFile(LogFile,
973  LogFile->CurrentSize,
974  LogFile->Header.MaxSize,
975  LogFile->Header.Retention);
976 }
ASSERT
ASSERT((InvokeOnSuccess||InvokeOnError||InvokeOnCancel)?(CompletionRoutine!=NULL):TRUE)
ElfpInitNewFile
static NTSTATUS ElfpInitNewFile(IN PEVTLOGFILE LogFile, IN ULONG FileSize, IN ULONG MaxSize, IN ULONG Retention)
Definition: evtlib.c:297
NTSTATUS NTAPI ElfWriteRecord ( IN PEVTLOGFILE  LogFile,
IN PEVENTLOGRECORD  Record,
IN SIZE_T  BufSize 
)

Definition at line 1270 of file evtlib.c.

Referenced by LogfWriteRecord().

1274 {
1275  NTSTATUS Status;
1276  LARGE_INTEGER FileOffset, NextOffset;
1277  SIZE_T ReadLength, WrittenLength;
1278  EVENTLOGEOF EofRec;
1279  EVENTLOGRECORD RecBuf;
1280  ULONG FreeSpace = 0;
1281  ULONG UpperBound;
1282  ULONG RecOffset, WriteOffset;
1283 
1284  ASSERT(LogFile);
1285 
1286  if (LogFile->ReadOnly)
1287  return STATUS_ACCESS_DENIED;
1288 
1289  // ASSERT(sizeof(*Record) == sizeof(RecBuf));
1290 
1291  if (!Record || BufSize < sizeof(*Record))
1292  return STATUS_INVALID_PARAMETER;
1293 
1294  Record->RecordNumber = LogFile->Header.CurrentRecordNumber;
1295 
1296  /* Compute the available log free space */
1297  if (LogFile->Header.StartOffset <= LogFile->Header.EndOffset)
1298  FreeSpace = LogFile->Header.MaxSize - LogFile->Header.EndOffset + LogFile->Header.StartOffset - sizeof(EVENTLOGHEADER);
1299  else // if (LogFile->Header.StartOffset > LogFile->Header.EndOffset)
1300  FreeSpace = LogFile->Header.StartOffset - LogFile->Header.EndOffset;
1301 
1302  LogFile->Header.Flags |= ELF_LOGFILE_HEADER_DIRTY;
1303 
1304  /* If the event log was empty, it will now contain one record */
1305  if (LogFile->Header.OldestRecordNumber == 0)
1306  LogFile->Header.OldestRecordNumber = 1;
1307 
1308  /* By default we append the new record at the old EOF record offset */
1309  WriteOffset = LogFile->Header.EndOffset;
1310 
1311  /*
1312  * Check whether the log is going to wrap (the events being overwritten).
1313  */
1314 
1315  if (LogFile->Header.StartOffset <= LogFile->Header.EndOffset)
1316  UpperBound = LogFile->Header.MaxSize;
1317  else // if (LogFile->Header.StartOffset > LogFile->Header.EndOffset)
1318  UpperBound = LogFile->Header.StartOffset;
1319 
1320  // if (LogFile->Header.MaxSize - WriteOffset < BufSize + sizeof(EofRec))
1321  if (UpperBound - WriteOffset < BufSize + sizeof(EofRec))
1322  {
1323  EVTLTRACE("The event log file has reached maximum size (0x%x), wrapping...\n"
1324  "UpperBound = 0x%x, WriteOffset = 0x%x, BufSize = 0x%x\n",
1325  LogFile->Header.MaxSize, UpperBound, WriteOffset, BufSize);
1326  /* This will be done later */
1327  }
1328 
1329  if ( (LogFile->Header.StartOffset < LogFile->Header.EndOffset) &&
1330  (LogFile->Header.MaxSize - WriteOffset < sizeof(RecBuf)) ) // (UpperBound - WriteOffset < sizeof(RecBuf))
1331  {
1332  // ASSERT(UpperBound == LogFile->Header.MaxSize);
1333  // ASSERT(WriteOffset == LogFile->Header.EndOffset);
1334 
1335  /*
1336  * We cannot fit the EVENTLOGRECORD header of the buffer before
1337  * the end of the file. We need to pad the end of the log with
1338  * 0x00000027, normally we will need to pad at most 0x37 bytes
1339  * (corresponding to sizeof(EVENTLOGRECORD) - 1).
1340  */
1341 
1342  /* Rewind to the beginning of the log, just after the header */
1343  WriteOffset = sizeof(EVENTLOGHEADER);
1344  UpperBound = LogFile->Header.StartOffset;
1345 
1346  FreeSpace = LogFile->Header.StartOffset - WriteOffset;
1347 
1348  LogFile->Header.Flags |= ELF_LOGFILE_HEADER_WRAP;
1349  }
1350  /*
1351  * Otherwise, we can fit the header and only part
1352  * of the data will overwrite the oldest records.
1353  *
1354  * It might be possible that all the event record can fit in one piece,
1355  * but that the EOF record needs to be split. This is not a problem,
1356  * EVENTLOGEOF can be splitted while EVENTLOGRECORD cannot be.
1357  */
1358 
1359  if (UpperBound - WriteOffset < BufSize + sizeof(EofRec))
1360  {
1361  ULONG OrgOldestRecordNumber, OldestRecordNumber;
1362 
1363  // DPRINT("EventLogFile has reached maximum size, wrapping...\n");
1364 
1365  OldestRecordNumber = OrgOldestRecordNumber = LogFile->Header.OldestRecordNumber;
1366 
1367  // FIXME: Assert whether LogFile->Header.StartOffset is the beginning of a record???
1368  // NOTE: It should be, by construction (and this should have been checked when
1369  // initializing a new, or existing log).
1370 
1371  /*
1372  * Determine how many old records need to be overwritten.
1373  * Check the size of the record as the record added may be larger.
1374  * Need to take into account that we append the EOF record.
1375  */
1376  while (FreeSpace < BufSize + sizeof(EofRec))
1377  {
1378  /* Get the oldest record data */
1379  RecOffset = ElfpOffsetByNumber(LogFile, OldestRecordNumber);
1380  if (RecOffset == 0)
1381  {
1382  EVTLTRACE1("Record number %d cannot be found, or log file is full and cannot wrap!\n", OldestRecordNumber);
1383  LogFile->Header.Flags |= ELF_LOGFILE_LOGFULL_WRITTEN;
1384  return STATUS_LOG_FILE_FULL;
1385  }
1386 
1387  RtlZeroMemory(&RecBuf, sizeof(RecBuf));
1388 
1389  FileOffset.QuadPart = RecOffset;
1390  Status = LogFile->FileRead(LogFile,
1391  &FileOffset,
1392  &RecBuf,
1393  sizeof(RecBuf),
1394  &ReadLength);
1395  if (!NT_SUCCESS(Status))
1396  {
1397  EVTLTRACE1("FileRead() failed (Status 0x%08lx)\n", Status);
1398  // Status = STATUS_EVENTLOG_FILE_CORRUPT;
1399  return Status;
1400  }
1401 
1402  if (RecBuf.Reserved != LOGFILE_SIGNATURE)
1403  {
1404  EVTLTRACE1("The event log file is corrupted!\n");
1405  return STATUS_EVENTLOG_FILE_CORRUPT;
1406  }
1407 
1408  /*
1409  * Check whether this event can be overwritten by comparing its
1410  * written timestamp with the log's retention value. This value
1411  * is the time interval, in seconds, that events records are
1412  * protected from being overwritten.
1413  *
1414  * If the retention value is zero the events are always overwritten.
1415  *
1416  * If the retention value is non-zero, when the age of an event,
1417  * in seconds, reaches or exceeds this value, it can be overwritten.
1418  * Also if the events are in the future, we do not overwrite them.
1419  */
1420  if (LogFile->Header.Retention != 0 &&
1421  (Record->TimeWritten < RecBuf.TimeWritten ||
1422  (Record->TimeWritten >= RecBuf.TimeWritten &&
1423  Record->TimeWritten - RecBuf.TimeWritten < LogFile->Header.Retention)))
1424  {
1425  EVTLTRACE1("The event log file is full and cannot wrap because of the retention policy.\n");
1426  LogFile->Header.Flags |= ELF_LOGFILE_LOGFULL_WRITTEN;
1427  return STATUS_LOG_FILE_FULL;
1428  }
1429 
1430  /*
1431  * Advance the oldest record number, add the event record length
1432  * (as long as it is valid...) then take account for the possible
1433  * paddind after the record, in case this is the last one at the
1434  * end of the file.
1435  */
1436  OldestRecordNumber++;
1437  RecOffset += RecBuf.Length;
1438  FreeSpace += RecBuf.Length;
1439 
1440  /*
1441  * If this was the last event record before the end of the log file,
1442  * the next one should start at the beginning of the log and the space
1443  * between the last event record and the end of the file is padded.
1444  */
1445  if (LogFile->Header.MaxSize - RecOffset < sizeof(EVENTLOGRECORD))
1446  {
1447  /* Add the padding size */
1448  FreeSpace += LogFile->Header.MaxSize - RecOffset;
1449  }
1450  }
1451 
1452  EVTLTRACE("Record will fit. FreeSpace %d, BufSize %d\n", FreeSpace, BufSize);
1453 
1454  /* The log records are wrapping */
1455  LogFile->Header.Flags |= ELF_LOGFILE_HEADER_WRAP;
1456 
1457 
1458  // FIXME: May lead to corruption if the other subsequent calls fail...
1459 
1460  /*
1461  * We have validated all the region of events to be discarded,
1462  * now we can perform their deletion.
1463  */
1464  ElfpDeleteOffsetInformation(LogFile, OrgOldestRecordNumber, OldestRecordNumber - 1);
1465  LogFile->Header.OldestRecordNumber = OldestRecordNumber;
1466  LogFile->Header.StartOffset = ElfpOffsetByNumber(LogFile, OldestRecordNumber);
1467  if (LogFile->Header.StartOffset == 0)
1468  {
1469  /*
1470  * We have deleted all the existing event records to make place
1471  * for the new one. We can put it at the start of the event log.
1472  */
1473  LogFile->Header.StartOffset = sizeof(EVENTLOGHEADER);
1474  WriteOffset = LogFile->Header.StartOffset;
1475  LogFile->Header.EndOffset = WriteOffset;
1476  }
1477 
1478  DPRINT1("MaxSize = 0x%x, StartOffset = 0x%x, WriteOffset = 0x%x, EndOffset = 0x%x, BufSize = 0x%x\n"
1479  "OldestRecordNumber = %d\n",
1480  LogFile->Header.MaxSize, LogFile->Header.StartOffset, WriteOffset, LogFile->Header.EndOffset, BufSize,
1481  OldestRecordNumber);
1482  }
1483 
1484  /*
1485  * Expand the log file if needed.
1486  * NOTE: It may be needed to perform this task a bit sooner if we need
1487  * such a thing for performing read operations, in the future...
1488  * Or if this operation needs to modify 'FreeSpace'...
1489  */
1490  if (LogFile->CurrentSize < LogFile->Header.MaxSize)
1491  {
1492  EVTLTRACE1("Expanding the log file from %lu to %lu\n",
1493  LogFile->CurrentSize, LogFile->Header.MaxSize);
1494 
1495  LogFile->CurrentSize = LogFile->Header.MaxSize;
1496  LogFile->FileSetSize(LogFile, LogFile->CurrentSize, 0);
1497  }
1498 
1499  /* Since we can write events in the log, clear the log full flag */
1500  LogFile->Header.Flags &= ~ELF_LOGFILE_LOGFULL_WRITTEN;
1501 
1502  /* Pad the end of the log */
1503  // if (LogFile->Header.EndOffset + sizeof(RecBuf) > LogFile->Header.MaxSize)
1504  if (WriteOffset < LogFile->Header.EndOffset)
1505  {
1506  /* Pad all the space from LogFile->Header.EndOffset to LogFile->Header.MaxSize */
1507  WrittenLength = ROUND_DOWN(LogFile->Header.MaxSize - LogFile->Header.EndOffset, sizeof(ULONG));
1508  RtlFillMemoryUlong(&RecBuf, WrittenLength, 0x00000027);
1509 
1510  FileOffset.QuadPart = LogFile->Header.EndOffset;
1511  Status = LogFile->FileWrite(LogFile,
1512  &FileOffset,
1513  &RecBuf,
1514  WrittenLength,
1515  &WrittenLength);
1516  if (!NT_SUCCESS(Status))
1517  {
1518  EVTLTRACE1("FileWrite() failed (Status 0x%08lx)\n", Status);
1519  // return Status;
1520  }
1521  }
1522 
1523  /* Write the event record buffer with possible wrap at offset sizeof(EVENTLOGHEADER) */
1524  FileOffset.QuadPart = WriteOffset;
1525  Status = WriteLogBuffer(LogFile,
1526  Record,
1527  BufSize,
1528  &WrittenLength,
1529  &FileOffset,
1530  &NextOffset);
1531  if (!NT_SUCCESS(Status))
1532  {
1533  EVTLTRACE1("WriteLogBuffer failed (Status 0x%08lx)\n", Status);
1534  return Status;
1535  }
1536  /* FileOffset now contains the offset just after the end of the record buffer */
1537  FileOffset = NextOffset;
1538 
1539  if (!ElfpAddOffsetInformation(LogFile,
1540  Record->RecordNumber,
1541  WriteOffset))
1542  {
1543  return STATUS_NO_MEMORY; // STATUS_EVENTLOG_FILE_CORRUPT;
1544  }
1545 
1546  LogFile->Header.CurrentRecordNumber++;
1547  if (LogFile->Header.CurrentRecordNumber == 0)
1548  LogFile->Header.CurrentRecordNumber = 1;
1549 
1550  /*
1551  * Write the new EOF record offset just after the event record.
1552  * The EOF record can wrap (be splitted) if less than sizeof(EVENTLOGEOF)
1553  * bytes remains between the end of the record and the end of the log file.
1554  */
1555  LogFile->Header.EndOffset = FileOffset.QuadPart;
1556 
1557  RtlCopyMemory(&EofRec, &EOFRecord, sizeof(EOFRecord));
1558  EofRec.BeginRecord = LogFile->Header.StartOffset;
1559  EofRec.EndRecord = LogFile->Header.EndOffset;
1560  EofRec.CurrentRecordNumber = LogFile->Header.CurrentRecordNumber;
1561  EofRec.OldestRecordNumber = LogFile->Header.OldestRecordNumber;
1562 
1563  // FileOffset.QuadPart = LogFile->Header.EndOffset;
1564  Status = WriteLogBuffer(LogFile,
1565  &EofRec,
1566  sizeof(EofRec),
1567  &WrittenLength,
1568  &FileOffset,
1569  &NextOffset);
1570  if (!NT_SUCCESS(Status))
1571  {
1572  EVTLTRACE1("WriteLogBuffer failed (Status 0x%08lx)\n", Status);
1573  return Status;
1574  }
1575  FileOffset = NextOffset;
1576 
1577  /* Flush the log file */
1578  Status = ElfFlushFile(LogFile);
1579  if (!NT_SUCCESS(Status))
1580  {
1581  EVTLTRACE1("ElfFlushFile() failed (Status 0x%08lx)\n", Status);
1582  return STATUS_EVENTLOG_FILE_CORRUPT; // Status;
1583  }
1584 
1585  return Status;
1586 }
_EVENTLOGRECORD
Definition: winnt_old.h:2560
RtlCopyMemory
NTSYSAPI VOID NTAPI RtlCopyMemory(VOID UNALIGNED *Destination, CONST VOID UNALIGNED *Source, ULONG Length)
ASSERT
ASSERT((InvokeOnSuccess||InvokeOnError||InvokeOnCancel)?(CompletionRoutine!=NULL):TRUE)
STATUS_INVALID_PARAMETER
#define STATUS_INVALID_PARAMETER
Definition: udferr_usr.h:135
_EVENTLOGEOF
Definition: evtlib.h:119
STATUS_LOG_FILE_FULL
#define STATUS_LOG_FILE_FULL
Definition: ntstatus.h:611
STATUS_EVENTLOG_FILE_CORRUPT
#define STATUS_EVENTLOG_FILE_CORRUPT
Definition: ntstatus.h:617
EVTLTRACE1
#define EVTLTRACE1(...)
Definition: evtlib.c:21
ELF_LOGFILE_HEADER_WRAP
#define ELF_LOGFILE_HEADER_WRAP
Definition: evtlib.h:43
ElfpAddOffsetInformation
static BOOL ElfpAddOffsetInformation(IN PEVTLOGFILE LogFile, IN ULONG ulNumber, IN ULONG ulOffset)
Definition: evtlib.c:214
_EVENTLOGRECORD::Length
DWORD Length
Definition: winnt_old.h:2561
_EVENTLOGEOF::OldestRecordNumber
ULONG OldestRecordNumber
Definition: evtlib.h:129
Record
_In_ struct _KBUGCHECK_REASON_CALLBACK_RECORD * Record
Definition: ketypes.h:256
EOFRecord
static const EVENTLOGEOF EOFRecord
Definition: evtlib.c:26
Header
Definition: Header.h:8
_EVENTLOGEOF::EndRecord
ULONG EndRecord
Definition: evtlib.h:127
EVENTLOGHEADER
struct _EVENTLOGHEADER EVENTLOGHEADER
ELF_LOGFILE_LOGFULL_WRITTEN
#define ELF_LOGFILE_LOGFULL_WRITTEN
Definition: evtlib.h:44
BufSize
#define BufSize
Definition: FsRtlTunnel.c:28
RtlFillMemoryUlong
#define RtlFillMemoryUlong(dst, len, val)
Definition: mkhive.h:49
LOGFILE_SIGNATURE
#define LOGFILE_SIGNATURE
Definition: evtlib.h:37
STATUS_ACCESS_DENIED
#define STATUS_ACCESS_DENIED
Definition: udferr_usr.h:145
_EVENTLOGEOF::BeginRecord
ULONG BeginRecord
Definition: evtlib.h:126
ELF_LOGFILE_HEADER_DIRTY
#define ELF_LOGFILE_HEADER_DIRTY
Definition: evtlib.h:42
Status
Status
Definition: gdiplustypes.h:24
_EVENTLOGEOF::CurrentRecordNumber
ULONG CurrentRecordNumber
Definition: evtlib.h:128
ROUND_DOWN
#define ROUND_DOWN(n, align)
Definition: eventvwr.h:30
SIZE_T
ULONG_PTR SIZE_T
Definition: typedefs.h:79
NT_SUCCESS
#define NT_SUCCESS(StatCode)
Definition: cmd.c:149
NTSTATUS
LONG NTSTATUS
Definition: DriverTester.h:11
WriteLogBuffer
static NTSTATUS WriteLogBuffer(IN PEVTLOGFILE LogFile, IN PVOID Buffer, IN SIZE_T Length, OUT PSIZE_T WrittenLength OPTIONAL, IN PLARGE_INTEGER ByteOffset, OUT PLARGE_INTEGER NextOffset OPTIONAL)
Definition: evtlib.c:111
STATUS_NO_MEMORY
#define STATUS_NO_MEMORY
Definition: ntstatus.h:246
_EVENTLOGRECORD::TimeWritten
DWORD TimeWritten
Definition: winnt_old.h:2565
_LARGE_INTEGER
Definition: typedefs.h:101
DPRINT1
#define DPRINT1
Definition: precomp.h:8
FileOffset
_In_ PLARGE_INTEGER FileOffset
Definition: cctypes.h:53
EVTLTRACE
#define EVTLTRACE(...)
Definition: evtlib.c:19
_EVENTLOGRECORD::Reserved
DWORD Reserved
Definition: winnt_old.h:2562
ElfFlushFile
NTSTATUS NTAPI ElfFlushFile(IN PEVTLOGFILE LogFile)
Definition: evtlib.c:1135
ULONG
unsigned int ULONG
Definition: retypes.h:1
RtlZeroMemory
#define RtlZeroMemory(Destination, Length)
Definition: typedefs.h:262
ElfpOffsetByNumber
static ULONG ElfpOffsetByNumber(IN PEVTLOGFILE LogFile, IN ULONG RecordNumber)
Definition: evtlib.c:197
_LARGE_INTEGER::QuadPart
LONGLONG QuadPart
Definition: typedefs.h:113
ElfpDeleteOffsetInformation
static BOOL ElfpDeleteOffsetInformation(IN PEVTLOGFILE LogFile, IN ULONG ulNumberMin, IN ULONG ulNumberMax)
Definition: evtlib.c:255
typedef PVOID ( NTAPI PELF_ALLOCATE_ROUTINE)