evtlib.h File Reference

#include <ndk/rtlfuncs.h>
#include <pshpack4.h>
#include <poppack.h>

Include dependency graph for evtlib.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Classes
struct	_EVENTLOGHEADER
struct	_EVENTLOGRECORD
struct	_EVENTLOGEOF
struct	_EVENT_OFFSET_INFO
struct	_EVTLOGFILE

Macros
#define	NTOS_MODE_USER
#define	ROUND_DOWN(n, align)   (((ULONG)n) & ~((align) - 1l))
#define	ROUND_UP(n, align)   ROUND_DOWN(((ULONG)n) + (align) - 1, (align))
#define	MAJORVER   1
#define	MINORVER   1
#define	LOGFILE_SIGNATURE   0x654c664c
#define	ELF_LOGFILE_HEADER_DIRTY   1
#define	ELF_LOGFILE_HEADER_WRAP   2
#define	ELF_LOGFILE_LOGFULL_WRITTEN   4
#define	ELF_LOGFILE_ARCHIVE_SET   8
#define	EVENTLOG_SUCCESS   0
#define	EVENTLOG_ERROR_TYPE   1
#define	EVENTLOG_WARNING_TYPE   2
#define	EVENTLOG_INFORMATION_TYPE   4
#define	EVENTLOG_AUDIT_SUCCESS   8
#define	EVENTLOG_AUDIT_FAILURE   16
#define	EVENTLOGEOF_SIZE_FIXED   (5 * sizeof(ULONG))
#define	TAG_ELF   ' flE'
#define	TAG_ELF_BUF   'BflE'

Typedefs
typedef struct _EVENTLOGHEADER	EVENTLOGHEADER
typedef struct _EVENTLOGHEADER *	PEVENTLOGHEADER
typedef struct _EVENTLOGRECORD	EVENTLOGRECORD
typedef struct _EVENTLOGRECORD *	PEVENTLOGRECORD
typedef struct _EVENTLOGEOF	EVENTLOGEOF
typedef struct _EVENTLOGEOF *	PEVENTLOGEOF
typedef struct _EVENT_OFFSET_INFO	EVENT_OFFSET_INFO
typedef struct _EVENT_OFFSET_INFO *	PEVENT_OFFSET_INFO
typedef IN ULONG	Flags
typedef IN ULONG IN ULONG	Tag
typedef VOID(NTAPI *	PELF_FREE_ROUTINE) (IN PVOID Ptr, IN ULONG Flags, IN ULONG Tag)
typedef NTSTATUS(NTAPI *	PELF_FILE_READ_ROUTINE) (IN struct _EVTLOGFILE *LogFile, IN PLARGE_INTEGER FileOffset, OUT PVOID Buffer, IN SIZE_T Length, OUT PSIZE_T ReadLength OPTIONAL)
typedef NTSTATUS(NTAPI *	PELF_FILE_WRITE_ROUTINE) (IN struct _EVTLOGFILE *LogFile, IN PLARGE_INTEGER FileOffset, IN PVOID Buffer, IN SIZE_T Length, OUT PSIZE_T WrittenLength OPTIONAL)
typedef NTSTATUS(NTAPI *	PELF_FILE_SET_SIZE_ROUTINE) (IN struct _EVTLOGFILE *LogFile, IN ULONG FileSize, IN ULONG OldFileSize)
typedef NTSTATUS(NTAPI *	PELF_FILE_FLUSH_ROUTINE) (IN struct _EVTLOGFILE *LogFile, IN PLARGE_INTEGER FileOffset, IN ULONG Length)
typedef struct _EVTLOGFILE	EVTLOGFILE
typedef struct _EVTLOGFILE *	PEVTLOGFILE

Functions
	C_ASSERT (EVENTLOGEOF_SIZE_FIXED==FIELD_OFFSET(EVENTLOGEOF, BeginRecord))
typedef	PVOID (NTAPI *PELF_ALLOCATE_ROUTINE)(IN SIZE_T Size
NTSTATUS NTAPI	ElfCreateFile (IN OUT PEVTLOGFILE LogFile, IN PUNICODE_STRING FileName OPTIONAL, IN ULONG FileSize, IN ULONG MaxSize, IN ULONG Retention, IN BOOLEAN CreateNew, IN BOOLEAN ReadOnly, IN PELF_ALLOCATE_ROUTINE Allocate, IN PELF_FREE_ROUTINE Free, IN PELF_FILE_SET_SIZE_ROUTINE FileSetSize, IN PELF_FILE_WRITE_ROUTINE FileWrite, IN PELF_FILE_READ_ROUTINE FileRead, IN PELF_FILE_FLUSH_ROUTINE FileFlush)
NTSTATUS NTAPI	ElfReCreateFile (IN PEVTLOGFILE LogFile)
NTSTATUS NTAPI	ElfBackupFile (IN PEVTLOGFILE LogFile, IN PEVTLOGFILE BackupLogFile)
NTSTATUS NTAPI	ElfFlushFile (IN PEVTLOGFILE LogFile)
VOID NTAPI	ElfCloseFile (IN PEVTLOGFILE LogFile)
NTSTATUS NTAPI	ElfReadRecord (IN PEVTLOGFILE LogFile, IN ULONG RecordNumber, OUT PEVENTLOGRECORD Record, IN SIZE_T BufSize, OUT PSIZE_T BytesRead OPTIONAL, OUT PSIZE_T BytesNeeded OPTIONAL)
NTSTATUS NTAPI	ElfWriteRecord (IN PEVTLOGFILE LogFile, IN PEVENTLOGRECORD Record, IN SIZE_T BufSize)
ULONG NTAPI	ElfGetOldestRecord (IN PEVTLOGFILE LogFile)
ULONG NTAPI	ElfGetCurrentRecord (IN PEVTLOGFILE LogFile)
ULONG NTAPI	ElfGetFlags (IN PEVTLOGFILE LogFile)

Macro Definition Documentation

ELF_LOGFILE_ARCHIVE_SET

#define ELF_LOGFILE_ARCHIVE_SET   8

Definition at line 51 of file evtlib.h.

ELF_LOGFILE_HEADER_DIRTY

#define ELF_LOGFILE_HEADER_DIRTY   1

Definition at line 48 of file evtlib.h.

ELF_LOGFILE_HEADER_WRAP

#define ELF_LOGFILE_HEADER_WRAP   2

Definition at line 49 of file evtlib.h.

ELF_LOGFILE_LOGFULL_WRITTEN

#define ELF_LOGFILE_LOGFULL_WRITTEN   4

Definition at line 50 of file evtlib.h.

EVENTLOG_AUDIT_FAILURE

#define EVENTLOG_AUDIT_FAILURE   16

Definition at line 88 of file evtlib.h.

EVENTLOG_AUDIT_SUCCESS

#define EVENTLOG_AUDIT_SUCCESS   8

Definition at line 87 of file evtlib.h.

EVENTLOG_ERROR_TYPE

#define EVENTLOG_ERROR_TYPE   1

Definition at line 84 of file evtlib.h.

EVENTLOG_INFORMATION_TYPE

#define EVENTLOG_INFORMATION_TYPE   4

Definition at line 86 of file evtlib.h.

EVENTLOG_SUCCESS

#define EVENTLOG_SUCCESS   0

Definition at line 83 of file evtlib.h.

EVENTLOG_WARNING_TYPE

#define EVENTLOG_WARNING_TYPE   2

Definition at line 85 of file evtlib.h.

EVENTLOGEOF_SIZE_FIXED

#define EVENTLOGEOF_SIZE_FIXED   (5 * sizeof(ULONG))

Definition at line 139 of file evtlib.h.

LOGFILE_SIGNATURE

#define LOGFILE_SIGNATURE   0x654c664c

Definition at line 43 of file evtlib.h.

MAJORVER

#define MAJORVER   1

Definition at line 41 of file evtlib.h.

MINORVER

#define MINORVER   1

Definition at line 42 of file evtlib.h.

NTOS_MODE_USER

#define NTOS_MODE_USER

Definition at line 27 of file evtlib.h.

ROUND_DOWN

#define ROUND_DOWN	(		n,
			align
	)		(((ULONG)n) & ~((align) - 1l))

Definition at line 31 of file evtlib.h.

ROUND_UP

#define ROUND_UP	(		n,
			align
	)		ROUND_DOWN(((ULONG)n) + (align) - 1, (align))

Definition at line 35 of file evtlib.h.

TAG_ELF

#define TAG_ELF   ' flE'

Definition at line 151 of file evtlib.h.

TAG_ELF_BUF

#define TAG_ELF_BUF   'BflE'

Definition at line 152 of file evtlib.h.

Typedef Documentation

EVENT_OFFSET_INFO

typedef struct _EVENT_OFFSET_INFO EVENT_OFFSET_INFO

EVENTLOGEOF

typedef struct _EVENTLOGEOF EVENTLOGEOF

EVENTLOGHEADER

typedef struct _EVENTLOGHEADER EVENTLOGHEADER

EVENTLOGRECORD

typedef struct _EVENTLOGRECORD EVENTLOGRECORD

EVTLOGFILE

typedef struct _EVTLOGFILE EVTLOGFILE

Flags

typedef IN ULONG Flags

Definition at line 159 of file evtlib.h.

PELF_FILE_FLUSH_ROUTINE

typedef NTSTATUS(NTAPI * PELF_FILE_FLUSH_ROUTINE) (IN struct _EVTLOGFILE *LogFile, IN PLARGE_INTEGER FileOffset, IN ULONG Length)

Definition at line 196 of file evtlib.h.

PELF_FILE_READ_ROUTINE

typedef NTSTATUS(NTAPI * PELF_FILE_READ_ROUTINE) (IN struct _EVTLOGFILE *LogFile, IN PLARGE_INTEGER FileOffset, OUT PVOID Buffer, IN SIZE_T Length, OUT PSIZE_T ReadLength OPTIONAL)

Definition at line 171 of file evtlib.h.

PELF_FILE_SET_SIZE_ROUTINE

typedef NTSTATUS(NTAPI * PELF_FILE_SET_SIZE_ROUTINE) (IN struct _EVTLOGFILE *LogFile, IN ULONG FileSize, IN ULONG OldFileSize)

Definition at line 189 of file evtlib.h.

PELF_FILE_WRITE_ROUTINE

typedef NTSTATUS(NTAPI * PELF_FILE_WRITE_ROUTINE) (IN struct _EVTLOGFILE *LogFile, IN PLARGE_INTEGER FileOffset, IN PVOID Buffer, IN SIZE_T Length, OUT PSIZE_T WrittenLength OPTIONAL)

Definition at line 180 of file evtlib.h.

PELF_FREE_ROUTINE

typedef VOID(NTAPI * PELF_FREE_ROUTINE) (IN PVOID Ptr, IN ULONG Flags, IN ULONG Tag)

Definition at line 164 of file evtlib.h.

PEVENT_OFFSET_INFO

typedef struct _EVENT_OFFSET_INFO * PEVENT_OFFSET_INFO

PEVENTLOGEOF

typedef struct _EVENTLOGEOF * PEVENTLOGEOF

PEVENTLOGHEADER

typedef struct _EVENTLOGHEADER * PEVENTLOGHEADER

PEVENTLOGRECORD

typedef struct _EVENTLOGRECORD * PEVENTLOGRECORD

PEVTLOGFILE

typedef struct _EVTLOGFILE * PEVTLOGFILE

Tag

_In_ ULONG _In_opt_ PACCESS_STATE _In_ ACCESS_MASK _In_opt_ POBJECT_TYPE _In_ KPROCESSOR_MODE _In_ ULONG Tag

Definition at line 159 of file evtlib.h.

Function Documentation

C_ASSERT()

C_ASSERT

(

EVENTLOGEOF_SIZE_FIXED

= =FIELD_OFFSET(EVENTLOGEOF, BeginRecord)

)

ElfBackupFile()

NTSTATUS NTAPI ElfBackupFile	(	IN PEVTLOGFILE	LogFile,
		IN PEVTLOGFILE	BackupLogFile
	)

Definition at line 979 of file evtlib.c.

{
    NTSTATUS Status;

    LARGE_INTEGER FileOffset;
    SIZE_T ReadLength, WrittenLength;
    PEVENTLOGHEADER Header;
    EVENTLOGRECORD RecBuf;
    EVENTLOGEOF EofRec;
    ULONG i;
    ULONG RecOffset;
    PVOID Buffer = NULL;

    ASSERT(LogFile);

    RtlZeroMemory(BackupLogFile, sizeof(*BackupLogFile));

    BackupLogFile->FileSetSize = LogFile->FileSetSize;
    BackupLogFile->FileWrite = LogFile->FileWrite;
    BackupLogFile->FileFlush = LogFile->FileFlush;

    // BackupLogFile->CurrentSize = LogFile->CurrentSize;

    BackupLogFile->ReadOnly = FALSE;

    /* Initialize the (dirty) log file header */
    Header = &BackupLogFile->Header;
    Header->HeaderSize = sizeof(EVENTLOGHEADER);
    Header->Signature = LOGFILE_SIGNATURE;
    Header->MajorVersion = MAJORVER;
    Header->MinorVersion = MINORVER;
    Header->StartOffset = sizeof(EVENTLOGHEADER);
    Header->EndOffset = sizeof(EVENTLOGHEADER);
    Header->CurrentRecordNumber = 1;
    Header->OldestRecordNumber = 0;
    Header->MaxSize = LogFile->Header.MaxSize;
    Header->Flags = ELF_LOGFILE_HEADER_DIRTY;
    Header->Retention = LogFile->Header.Retention;
    Header->EndHeaderSize = sizeof(EVENTLOGHEADER);

    /* Write the (dirty) log file header */
    FileOffset.QuadPart = 0LL;
    Status = BackupLogFile->FileWrite(BackupLogFile,
                                      &FileOffset,
                                      Header,
                                      sizeof(EVENTLOGHEADER),
                                      &WrittenLength);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE1("Failed to write the log file header (Status 0x%08lx)\n", Status);
        goto Quit;
    }

    for (i = LogFile->Header.OldestRecordNumber; i < LogFile->Header.CurrentRecordNumber; i++)
    {
        RecOffset = ElfpOffsetByNumber(LogFile, i);
        if (RecOffset == 0)
            break;

        /* Read the next EVENTLOGRECORD header at once (it cannot be split) */
        FileOffset.QuadPart = RecOffset;
        Status = LogFile->FileRead(LogFile,
                                   &FileOffset,
                                   &RecBuf,
                                   sizeof(RecBuf),
                                   &ReadLength);
        if (!NT_SUCCESS(Status))
        {
            EVTLTRACE1("FileRead() failed (Status 0x%08lx)\n", Status);
            goto Quit;
        }

        // if (ReadLength != sizeof(RecBuf))
            // break;

        Buffer = LogFile->Allocate(RecBuf.Length, 0, TAG_ELF_BUF);
        if (Buffer == NULL)
        {
            EVTLTRACE1("Allocate() failed!\n");
            goto Quit;
        }

        /* Read the full EVENTLOGRECORD (header + data) with wrapping */
        Status = ReadLogBuffer(LogFile,
                               Buffer,
                               RecBuf.Length,
                               &ReadLength,
                               &FileOffset,
                               NULL);
        if (!NT_SUCCESS(Status))
        {
            EVTLTRACE1("ReadLogBuffer failed (Status 0x%08lx)\n", Status);
            LogFile->Free(Buffer, 0, TAG_ELF_BUF);
            // Status = STATUS_EVENTLOG_FILE_CORRUPT;
            goto Quit;
        }

        /* Write the event record (no wrap for the backup log) */
        Status = BackupLogFile->FileWrite(BackupLogFile,
                                          NULL,
                                          Buffer,
                                          RecBuf.Length,
                                          &WrittenLength);
        if (!NT_SUCCESS(Status))
        {
            EVTLTRACE1("FileWrite() failed (Status 0x%08lx)\n", Status);
            LogFile->Free(Buffer, 0, TAG_ELF_BUF);
            goto Quit;
        }

        /* Update the header information */
        Header->EndOffset += RecBuf.Length;

        /* Free the buffer */
        LogFile->Free(Buffer, 0, TAG_ELF_BUF);
        Buffer = NULL;
    }

// Quit:

    /* Initialize the ELF_EOF_RECORD and write it (no wrap for the backup log) */
    RtlCopyMemory(&EofRec, &EOFRecord, sizeof(EOFRecord));
    EofRec.BeginRecord = Header->StartOffset;
    EofRec.EndRecord   = Header->EndOffset;
    EofRec.CurrentRecordNumber = LogFile->Header.CurrentRecordNumber;
    EofRec.OldestRecordNumber  = LogFile->Header.OldestRecordNumber;

    Status = BackupLogFile->FileWrite(BackupLogFile,
                                      NULL,
                                      &EofRec,
                                      sizeof(EofRec),
                                      &WrittenLength);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE1("FileWrite() failed (Status 0x%08lx)\n", Status);
        goto Quit;
    }

    /* Update the header information */
    Header->CurrentRecordNumber = LogFile->Header.CurrentRecordNumber;
    Header->OldestRecordNumber  = LogFile->Header.OldestRecordNumber;
    Header->MaxSize = ROUND_UP(Header->EndOffset + sizeof(EofRec), sizeof(ULONG));
    Header->Flags = 0; // FIXME?

    /* Flush the log file - Write the (clean) log file header */
    Status = ElfFlushFile(BackupLogFile);

Quit:
    return Status;
}

Referenced by LogfBackupFile().

ElfCloseFile()

VOID NTAPI ElfCloseFile

(

IN PEVTLOGFILE

LogFile

)

Definition at line 1179 of file evtlib.c.

{
    ASSERT(LogFile);

    /* Flush the log file */
    ElfFlushFile(LogFile);

    /* Free the data */
    LogFile->Free(LogFile->OffsetInfo, 0, TAG_ELF);

    if (LogFile->FileName.Buffer)
        LogFile->Free(LogFile->FileName.Buffer, 0, TAG_ELF);
    RtlInitEmptyUnicodeString(&LogFile->FileName, NULL, 0);
}

Referenced by LogfClose().

ElfCreateFile()

NTSTATUS NTAPI ElfCreateFile	(	IN OUT PEVTLOGFILE	LogFile,
		IN PUNICODE_STRING FileName	OPTIONAL,
		IN ULONG	FileSize,
		IN ULONG	MaxSize,
		IN ULONG	Retention,
		IN BOOLEAN	CreateNew,
		IN BOOLEAN	ReadOnly,
		IN PELF_ALLOCATE_ROUTINE	Allocate,
		IN PELF_FREE_ROUTINE	Free,
		IN PELF_FILE_SET_SIZE_ROUTINE	FileSetSize,
		IN PELF_FILE_WRITE_ROUTINE	FileWrite,
		IN PELF_FILE_READ_ROUTINE	FileRead,
		IN PELF_FILE_FLUSH_ROUTINE	FileFlush
	)

Definition at line 876 of file evtlib.c.

{
    NTSTATUS Status = STATUS_SUCCESS;

    ASSERT(LogFile);

    /* Creating a new log file with the 'ReadOnly' flag set is incompatible */
    if (CreateNew && ReadOnly)
        return STATUS_INVALID_PARAMETER;

    RtlZeroMemory(LogFile, sizeof(*LogFile));

    LogFile->Allocate  = Allocate;
    LogFile->Free      = Free;
    LogFile->FileSetSize = FileSetSize;
    LogFile->FileWrite = FileWrite;
    LogFile->FileRead  = FileRead;
    LogFile->FileFlush = FileFlush;

    /* Copy the log file name if provided (optional) */
    RtlInitEmptyUnicodeString(&LogFile->FileName, NULL, 0);
    if (FileName && FileName->Buffer && FileName->Length &&
        (FileName->Length <= FileName->MaximumLength))
    {
        LogFile->FileName.Buffer = LogFile->Allocate(FileName->Length,
                                                     HEAP_ZERO_MEMORY,
                                                     TAG_ELF);
        if (LogFile->FileName.Buffer)
        {
            LogFile->FileName.MaximumLength = FileName->Length;
            RtlCopyUnicodeString(&LogFile->FileName, FileName);
        }
    }

    LogFile->OffsetInfo = LogFile->Allocate(OFFSET_INFO_INCREMENT * sizeof(EVENT_OFFSET_INFO),
                                            HEAP_ZERO_MEMORY,
                                            TAG_ELF);
    if (LogFile->OffsetInfo == NULL)
    {
        EVTLTRACE1("Cannot allocate heap\n");
        Status = STATUS_NO_MEMORY;
        goto Quit;
    }
    LogFile->OffsetInfoSize = OFFSET_INFO_INCREMENT;
    LogFile->OffsetInfoNext = 0;

    // FIXME: Always use the regitry values for MaxSize,
    // even for existing logs!

    // FIXME: On Windows, EventLog uses the MaxSize setting
    // from the registry itself; the MaxSize from the header
    // is just for information purposes.

    EVTLTRACE("Initializing log file `%wZ'\n", &LogFile->FileName);

    LogFile->ReadOnly = ReadOnly; // !CreateNew && ReadOnly;

    if (CreateNew)
        Status = ElfpInitNewFile(LogFile, FileSize, MaxSize, Retention);
    else
        Status = ElfpInitExistingFile(LogFile, FileSize, /* MaxSize, */ Retention);

Quit:
    if (!NT_SUCCESS(Status))
    {
        if (LogFile->OffsetInfo)
            LogFile->Free(LogFile->OffsetInfo, 0, TAG_ELF);

        if (LogFile->FileName.Buffer)
            LogFile->Free(LogFile->FileName.Buffer, 0, TAG_ELF);
    }

    return Status;
}

Referenced by LogfCreate().

ElfFlushFile()

NTSTATUS NTAPI ElfFlushFile

(

IN PEVTLOGFILE

LogFile

)

Definition at line 1134 of file evtlib.c.

{
    NTSTATUS Status;
    LARGE_INTEGER FileOffset;
    SIZE_T WrittenLength;

    ASSERT(LogFile);

    if (LogFile->ReadOnly)
        return STATUS_SUCCESS; // STATUS_ACCESS_DENIED;

    /*
     * NOTE that both the EOF record *AND* the log file header
     * are supposed to be already updated!
     * We just remove the dirty log bit.
     */
    LogFile->Header.Flags &= ~ELF_LOGFILE_HEADER_DIRTY;

    /* Update the log file header */
    FileOffset.QuadPart = 0LL;
    Status = LogFile->FileWrite(LogFile,
                                &FileOffset,
                                &LogFile->Header,
                                sizeof(EVENTLOGHEADER),
                                &WrittenLength);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE1("FileWrite() failed (Status 0x%08lx)\n", Status);
        return Status;
    }

    /* Flush the log file */
    Status = LogFile->FileFlush(LogFile, NULL, 0);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE1("FileFlush() failed (Status 0x%08lx)\n", Status);
        return Status;
    }

    return STATUS_SUCCESS;
}

Referenced by ElfBackupFile(), ElfCloseFile(), ElfpInitExistingFile(), ElfrFlushEL(), and ElfWriteRecord().

ElfGetCurrentRecord()

ULONG NTAPI ElfGetCurrentRecord

(

IN PEVTLOGFILE

LogFile

)

Definition at line 1598 of file evtlib.c.

{
    ASSERT(LogFile);
    return LogFile->Header.CurrentRecordNumber;
}

Referenced by ElfrNumberOfRecords(), and LogfReadEvents().

ElfGetFlags()

ULONG NTAPI ElfGetFlags

(

IN PEVTLOGFILE

LogFile

)

Definition at line 1607 of file evtlib.c.

{
    ASSERT(LogFile);
    return LogFile->Header.Flags;
}

Referenced by ElfrGetLogInformation().

ElfGetOldestRecord()

ULONG NTAPI ElfGetOldestRecord

(

IN PEVTLOGFILE

LogFile

)

Definition at line 1589 of file evtlib.c.

{
    ASSERT(LogFile);
    return LogFile->Header.OldestRecordNumber;
}

Referenced by ElfrNumberOfRecords(), ElfrOldestRecord(), and LogfReadEvents().

ElfReadRecord()

NTSTATUS NTAPI ElfReadRecord	(	IN PEVTLOGFILE	LogFile,
		IN ULONG	RecordNumber,
		OUT PEVENTLOGRECORD	Record,
		IN SIZE_T	BufSize,
		OUT PSIZE_T BytesRead	OPTIONAL,
		OUT PSIZE_T BytesNeeded	OPTIONAL
	)

Definition at line 1197 of file evtlib.c.

{
    NTSTATUS Status;
    LARGE_INTEGER FileOffset;
    ULONG RecOffset;
    SIZE_T RecSize;
    SIZE_T ReadLength;

    ASSERT(LogFile);

    if (BytesRead)
        *BytesRead = 0;

    if (BytesNeeded)
        *BytesNeeded = 0;

    /* Retrieve the offset of the event record */
    RecOffset = ElfpOffsetByNumber(LogFile, RecordNumber);
    if (RecOffset == 0)
        return STATUS_NOT_FOUND;

    /* Retrieve its full size */
    FileOffset.QuadPart = RecOffset;
    Status = LogFile->FileRead(LogFile,
                               &FileOffset,
                               &RecSize,
                               sizeof(RecSize),
                               &ReadLength);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE1("FileRead() failed (Status 0x%08lx)\n", Status);
        // Status = STATUS_EVENTLOG_FILE_CORRUPT;
        return Status;
    }

    /* Check whether the buffer is big enough to hold the event record */
    if (BufSize < RecSize)
    {
        if (BytesNeeded)
            *BytesNeeded = RecSize;

        return STATUS_BUFFER_TOO_SMALL;
    }

    /* Read the event record into the buffer */
    FileOffset.QuadPart = RecOffset;
    Status = ReadLogBuffer(LogFile,
                           Record,
                           RecSize,
                           &ReadLength,
                           &FileOffset,
                           NULL);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE1("ReadLogBuffer failed (Status 0x%08lx)\n", Status);
        // Status = STATUS_EVENTLOG_FILE_CORRUPT;
    }

    if (BytesRead)
        *BytesRead = ReadLength;

    return Status;
}

Referenced by ReadRecord().

ElfReCreateFile()

NTSTATUS NTAPI ElfReCreateFile

(

IN PEVTLOGFILE

LogFile

)

Definition at line 966 of file evtlib.c.

{
    ASSERT(LogFile);

    return ElfpInitNewFile(LogFile,
                           LogFile->CurrentSize,
                           LogFile->Header.MaxSize,
                           LogFile->Header.Retention);
}

Referenced by LogfClearFile().

ElfWriteRecord()

NTSTATUS NTAPI ElfWriteRecord	(	IN PEVTLOGFILE	LogFile,
		IN PEVENTLOGRECORD	Record,
		IN SIZE_T	BufSize
	)

Definition at line 1269 of file evtlib.c.

{
    NTSTATUS Status;
    LARGE_INTEGER FileOffset, NextOffset;
    SIZE_T ReadLength, WrittenLength;
    EVENTLOGEOF EofRec;
    EVENTLOGRECORD RecBuf;
    ULONG FreeSpace = 0;
    ULONG UpperBound;
    ULONG RecOffset, WriteOffset;

    ASSERT(LogFile);

    if (LogFile->ReadOnly)
        return STATUS_ACCESS_DENIED;

    // ASSERT(sizeof(*Record) == sizeof(RecBuf));

    if (!Record || BufSize < sizeof(*Record))
        return STATUS_INVALID_PARAMETER;

    Record->RecordNumber = LogFile->Header.CurrentRecordNumber;

    /* Compute the available log free space */
    if (LogFile->Header.StartOffset <= LogFile->Header.EndOffset)
        FreeSpace = LogFile->Header.MaxSize - LogFile->Header.EndOffset + LogFile->Header.StartOffset - sizeof(EVENTLOGHEADER);
    else // if (LogFile->Header.StartOffset > LogFile->Header.EndOffset)
        FreeSpace = LogFile->Header.StartOffset - LogFile->Header.EndOffset;

    LogFile->Header.Flags |= ELF_LOGFILE_HEADER_DIRTY;

    /* If the event log was empty, it will now contain one record */
    if (LogFile->Header.OldestRecordNumber == 0)
        LogFile->Header.OldestRecordNumber = 1;

    /* By default we append the new record at the old EOF record offset */
    WriteOffset = LogFile->Header.EndOffset;

    /*
     * Check whether the log is going to wrap (the events being overwritten).
     */

    if (LogFile->Header.StartOffset <= LogFile->Header.EndOffset)
        UpperBound = LogFile->Header.MaxSize;
    else // if (LogFile->Header.StartOffset > LogFile->Header.EndOffset)
        UpperBound = LogFile->Header.StartOffset;

    // if (LogFile->Header.MaxSize - WriteOffset < BufSize + sizeof(EofRec))
    if (UpperBound - WriteOffset < BufSize + sizeof(EofRec))
    {
        EVTLTRACE("The event log file has reached maximum size (0x%x), wrapping...\n"
               "UpperBound = 0x%x, WriteOffset = 0x%x, BufSize = 0x%x\n",
               LogFile->Header.MaxSize, UpperBound, WriteOffset, BufSize);
        /* This will be done later */
    }

    if ( (LogFile->Header.StartOffset < LogFile->Header.EndOffset) &&
         (LogFile->Header.MaxSize - WriteOffset < sizeof(RecBuf)) ) // (UpperBound - WriteOffset < sizeof(RecBuf))
    {
        // ASSERT(UpperBound  == LogFile->Header.MaxSize);
        // ASSERT(WriteOffset == LogFile->Header.EndOffset);

        /*
         * We cannot fit the EVENTLOGRECORD header of the buffer before
         * the end of the file. We need to pad the end of the log with
         * 0x00000027, normally we will need to pad at most 0x37 bytes
         * (corresponding to sizeof(EVENTLOGRECORD) - 1).
         */

        /* Rewind to the beginning of the log, just after the header */
        WriteOffset = sizeof(EVENTLOGHEADER);
        UpperBound = LogFile->Header.StartOffset;

        FreeSpace = LogFile->Header.StartOffset - WriteOffset;

        LogFile->Header.Flags |= ELF_LOGFILE_HEADER_WRAP;
    }
    /*
     * Otherwise, we can fit the header and only part
     * of the data will overwrite the oldest records.
     *
     * It might be possible that all the event record can fit in one piece,
     * but that the EOF record needs to be split. This is not a problem,
     * EVENTLOGEOF can be splitted while EVENTLOGRECORD cannot be.
     */

    if (UpperBound - WriteOffset < BufSize + sizeof(EofRec))
    {
        ULONG OrgOldestRecordNumber, OldestRecordNumber;

        // DPRINT("EventLogFile has reached maximum size, wrapping...\n");

        OldestRecordNumber = OrgOldestRecordNumber = LogFile->Header.OldestRecordNumber;

        // FIXME: Assert whether LogFile->Header.StartOffset is the beginning of a record???
        // NOTE: It should be, by construction (and this should have been checked when
        // initializing a new, or existing log).

        /*
         * Determine how many old records need to be overwritten.
         * Check the size of the record as the record added may be larger.
         * Need to take into account that we append the EOF record.
         */
        while (FreeSpace < BufSize + sizeof(EofRec))
        {
            /* Get the oldest record data */
            RecOffset = ElfpOffsetByNumber(LogFile, OldestRecordNumber);
            if (RecOffset == 0)
            {
                EVTLTRACE1("Record number %d cannot be found, or log file is full and cannot wrap!\n", OldestRecordNumber);
                LogFile->Header.Flags |= ELF_LOGFILE_LOGFULL_WRITTEN;
                return STATUS_LOG_FILE_FULL;
            }

            RtlZeroMemory(&RecBuf, sizeof(RecBuf));

            FileOffset.QuadPart = RecOffset;
            Status = LogFile->FileRead(LogFile,
                                       &FileOffset,
                                       &RecBuf,
                                       sizeof(RecBuf),
                                       &ReadLength);
            if (!NT_SUCCESS(Status))
            {
                EVTLTRACE1("FileRead() failed (Status 0x%08lx)\n", Status);
                // Status = STATUS_EVENTLOG_FILE_CORRUPT;
                return Status;
            }

            if (RecBuf.Reserved != LOGFILE_SIGNATURE)
            {
                EVTLTRACE1("The event log file is corrupted!\n");
                return STATUS_EVENTLOG_FILE_CORRUPT;
            }

            /*
             * Check whether this event can be overwritten by comparing its
             * written timestamp with the log's retention value. This value
             * is the time interval, in seconds, that events records are
             * protected from being overwritten.
             *
             * If the retention value is zero the events are always overwritten.
             *
             * If the retention value is non-zero, when the age of an event,
             * in seconds, reaches or exceeds this value, it can be overwritten.
             * Also if the events are in the future, we do not overwrite them.
             */
            if (LogFile->Header.Retention != 0 &&
                (Record->TimeWritten <  RecBuf.TimeWritten ||
                (Record->TimeWritten >= RecBuf.TimeWritten &&
                 Record->TimeWritten -  RecBuf.TimeWritten < LogFile->Header.Retention)))
            {
                EVTLTRACE1("The event log file is full and cannot wrap because of the retention policy.\n");
                LogFile->Header.Flags |= ELF_LOGFILE_LOGFULL_WRITTEN;
                return STATUS_LOG_FILE_FULL;
            }

            /*
             * Advance the oldest record number, add the event record length
             * (as long as it is valid...) then take account for the possible
             * paddind after the record, in case this is the last one at the
             * end of the file.
             */
            OldestRecordNumber++;
            RecOffset += RecBuf.Length;
            FreeSpace += RecBuf.Length;

            /*
             * If this was the last event record before the end of the log file,
             * the next one should start at the beginning of the log and the space
             * between the last event record and the end of the file is padded.
             */
            if (LogFile->Header.MaxSize - RecOffset < sizeof(EVENTLOGRECORD))
            {
                /* Add the padding size */
                FreeSpace += LogFile->Header.MaxSize - RecOffset;
            }
        }

        EVTLTRACE("Record will fit. FreeSpace %d, BufSize %d\n", FreeSpace, BufSize);

        /* The log records are wrapping */
        LogFile->Header.Flags |= ELF_LOGFILE_HEADER_WRAP;


        // FIXME: May lead to corruption if the other subsequent calls fail...

        /*
         * We have validated all the region of events to be discarded,
         * now we can perform their deletion.
         */
        ElfpDeleteOffsetInformation(LogFile, OrgOldestRecordNumber, OldestRecordNumber - 1);
        LogFile->Header.OldestRecordNumber = OldestRecordNumber;
        LogFile->Header.StartOffset = ElfpOffsetByNumber(LogFile, OldestRecordNumber);
        if (LogFile->Header.StartOffset == 0)
        {
            /*
             * We have deleted all the existing event records to make place
             * for the new one. We can put it at the start of the event log.
             */
            LogFile->Header.StartOffset = sizeof(EVENTLOGHEADER);
            WriteOffset = LogFile->Header.StartOffset;
            LogFile->Header.EndOffset = WriteOffset;
        }

        EVTLTRACE("MaxSize = 0x%x, StartOffset = 0x%x, WriteOffset = 0x%x, EndOffset = 0x%x, BufSize = 0x%x\n"
                  "OldestRecordNumber = %d\n",
                  LogFile->Header.MaxSize, LogFile->Header.StartOffset, WriteOffset, LogFile->Header.EndOffset, BufSize,
                  OldestRecordNumber);
    }

    /*
     * Expand the log file if needed.
     * NOTE: It may be needed to perform this task a bit sooner if we need
     * such a thing for performing read operations, in the future...
     * Or if this operation needs to modify 'FreeSpace'...
     */
    if (LogFile->CurrentSize < LogFile->Header.MaxSize)
    {
        EVTLTRACE1("Expanding the log file from %lu to %lu\n",
                LogFile->CurrentSize, LogFile->Header.MaxSize);

        LogFile->CurrentSize = LogFile->Header.MaxSize;
        LogFile->FileSetSize(LogFile, LogFile->CurrentSize, 0);
    }

    /* Since we can write events in the log, clear the log full flag */
    LogFile->Header.Flags &= ~ELF_LOGFILE_LOGFULL_WRITTEN;

    /* Pad the end of the log */
    // if (LogFile->Header.EndOffset + sizeof(RecBuf) > LogFile->Header.MaxSize)
    if (WriteOffset < LogFile->Header.EndOffset)
    {
        /* Pad all the space from LogFile->Header.EndOffset to LogFile->Header.MaxSize */
        WrittenLength = ROUND_DOWN(LogFile->Header.MaxSize - LogFile->Header.EndOffset, sizeof(ULONG));
        RtlFillMemoryUlong(&RecBuf, WrittenLength, 0x00000027);

        FileOffset.QuadPart = LogFile->Header.EndOffset;
        Status = LogFile->FileWrite(LogFile,
                                    &FileOffset,
                                    &RecBuf,
                                    WrittenLength,
                                    &WrittenLength);
        if (!NT_SUCCESS(Status))
        {
            EVTLTRACE1("FileWrite() failed (Status 0x%08lx)\n", Status);
            // return Status;
        }
    }

    /* Write the event record buffer with possible wrap at offset sizeof(EVENTLOGHEADER) */
    FileOffset.QuadPart = WriteOffset;
    Status = WriteLogBuffer(LogFile,
                            Record,
                            BufSize,
                            &WrittenLength,
                            &FileOffset,
                            &NextOffset);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE1("WriteLogBuffer failed (Status 0x%08lx)\n", Status);
        return Status;
    }
    /* FileOffset now contains the offset just after the end of the record buffer */
    FileOffset = NextOffset;

    if (!ElfpAddOffsetInformation(LogFile,
                                  Record->RecordNumber,
                                  WriteOffset))
    {
        return STATUS_NO_MEMORY; // STATUS_EVENTLOG_FILE_CORRUPT;
    }

    LogFile->Header.CurrentRecordNumber++;
    if (LogFile->Header.CurrentRecordNumber == 0)
        LogFile->Header.CurrentRecordNumber = 1;

    /*
     * Write the new EOF record offset just after the event record.
     * The EOF record can wrap (be splitted) if less than sizeof(EVENTLOGEOF)
     * bytes remains between the end of the record and the end of the log file.
     */
    LogFile->Header.EndOffset = FileOffset.QuadPart;

    RtlCopyMemory(&EofRec, &EOFRecord, sizeof(EOFRecord));
    EofRec.BeginRecord = LogFile->Header.StartOffset;
    EofRec.EndRecord   = LogFile->Header.EndOffset;
    EofRec.CurrentRecordNumber = LogFile->Header.CurrentRecordNumber;
    EofRec.OldestRecordNumber  = LogFile->Header.OldestRecordNumber;

    // FileOffset.QuadPart = LogFile->Header.EndOffset;
    Status = WriteLogBuffer(LogFile,
                            &EofRec,
                            sizeof(EofRec),
                            &WrittenLength,
                            &FileOffset,
                            &NextOffset);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE1("WriteLogBuffer failed (Status 0x%08lx)\n", Status);
        return Status;
    }
    FileOffset = NextOffset;

    /* Flush the log file */
    Status = ElfFlushFile(LogFile);
    if (!NT_SUCCESS(Status))
    {
        EVTLTRACE1("ElfFlushFile() failed (Status 0x%08lx)\n", Status);
        return STATUS_EVENTLOG_FILE_CORRUPT; // Status;
    }

    return Status;
}

Referenced by LogfWriteRecord().

PVOID()

typedef PVOID

(

NTAPI *

PELF_ALLOCATE_ROUTINE

)