Bugzilla – Attachment 65613 Details for
Bug 168855
[Vista] Parser cannot read Windows Security log without extra security controls
EventLogReader2.cpp
EventLogReader2.cpp (text/plain), 21.08 KB, created by
Cindy Jin
on 2007-05-02 10:39:15 EDT
Description:
EventLogReader2.cpp
Filename:
MIME Type:
Creator:
Cindy Jin
Created:
2007-05-02 10:39:15 EDT
Size:
21.08 KB
patch
obsolete
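/**********************************************************************
 * Copyright (c) 2007 IBM Corporation and others.
 * All rights reserved. This program and the accompanying materials
 * are made available under the terms of the Eclipse Public License v1.0
 * which accompanies this distribution, and is available at
 * http://www.eclipse.org/legal/epl-v10.html
 * $Id: EventLogReader2.cpp,v 1.1 2007/04/23 20:39:23 dnsmith Exp $
 *
 * Contributors:
 * IBM - Initial implementation
 **********************************************************************/

#include <windows.h>
#include <iostream>
#include <wchar.h>
#include <winevt.h> //EventLog Header
#include <vector>
#include <locale.h>
#include <mbstring.h>
# pragma comment(lib, "wevtapi.lib")
# pragma comment(lib, "Advapi32.lib")


// Milliseconds EvtNext waits for the next event before reporting a timeout.
#define QUERY_TIMEOUT 5000

/***************************************************************************
 * Description:
 * EventLogReader receives the source Windows Event log (channel) name as its
 * first parameter and reads every event from it through the Windows Event
 * Log API. Each event is transformed into one tab-delimited text record and
 * appended to the file named by the second parameter; diagnostics go to the
 * standard output.
 * This program can only be executed on a Windows Vista (TM) system.
 *
 ***************************************************************************/

/* Field labels and separators of the output record. They are part of the
 * format read by the downstream parser and must not be changed. */
const LPWSTR cSeperateToken = L"@;@";
const LPWSTR cRecordIdPref = L"RecordId: ";
const LPWSTR cProviderPref = L"Provider: ";
const LPWSTR cEventLevelPref = L"EventLevel: ";
const LPWSTR cEventTaskPref = L"TaskCategory: ";
const LPWSTR cEventKeywordPref = L"EventKeyword: ";
const LPWSTR cUsernamePref = L"Username: ";
const LPWSTR cCreationTimePref = L"CreationTime: ";
const LPWSTR cGUIDPref = L"GUID: ";
const LPWSTR cEventIDPref = L"EventID: ";
const LPWSTR cQualifierIdPref = L"QualifierId: ";
const LPWSTR cOperationalCodePref = L"OperationalCode: ";
const LPWSTR cActivityPref = L"ActivityStr: ";
const LPWSTR cRelatedActivityPref = L"RelatedActivityStr: ";
const LPWSTR cProcessIDPref = L"ProcessID: ";
const LPWSTR cThreadIDPref = L"ThreadID: ";
const LPWSTR cChannelIDPref = L"Channel: ";
const LPWSTR cComputerNamePref = L"Computername: ";
const LPWSTR cLocationTypePref = L"LocationType: ";
const LPWSTR cLocationType = L"Hostname";
const LPWSTR cMessagesPref = L"Message: ";
/* Placeholder written for any field that cannot be resolved. */
const LPWSTR cDefaultValue = L"N/A ";
/* Fallback description used when the provider's message table is not
 * available; formatted with (event ID, provider name) in that order. */
const LPWSTR cDefaultErrMsg = L"The description for Event ID %d from source %s cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer. If the event originated on another computer, the display information had to be saved with the event.";



/* Output file; opened by wmain, written by writeNextRecord. */
FILE *fpOut = NULL;

BOOL writeNextRecord(EVT_HANDLE hEvent);
LPCWSTR getProviderName(EVT_HANDLE hEvent);
DWORD getProperties(EVT_HANDLE hEvent,DWORD renderContextFlag,PBYTE sysValues,DWORD *dwValueSize);
LPWSTR getEventProperty(EVT_HANDLE hEvent,DWORD sysPropertyCount, PEVT_VARIANT valArray,DWORD eventFormatFlag,EVT_HANDLE publisherConfig);
void getUserName(LPWSTR username,DWORD cUsernameSize,PEVT_VARIANT valArray,DWORD sysPropertyCount);
void getCreationTime(LPWSTR creationTime,DWORD creationTimeSize,PEVT_VARIANT valArray,DWORD sysPropertyCount);
void getGUIDStr(LPWSTR guidStr,PEVT_VARIANT valArray, DWORD varIndex, DWORD sysPropertyCount);
BOOL renderEvent(EVT_HANDLE hEvent,EVT_HANDLE renderContext, PBYTE* outBufPtr,DWORD* outBufSizePtr,DWORD* propertyCountPtr, DWORD renderFlag);
void removeNewLine(LPWSTR str);

/*
 * Drains the query result set one event at a time, writing a record for each.
 * Returns 0 when the set is exhausted, 1 when a record could not be written or
 * EvtNext failed for a reason other than end-of-set (for example a timeout or
 * an access error while reading a protected channel).
 */
static int readAllEvents(EVT_HANDLE eventQuery)
{
    EVT_HANDLE hEvent = NULL;
    DWORD numOfEvents = 0;

    while (EvtNext(eventQuery,      // QueryResult.
                   1,               // Desired number of elements from the result set.
                   &hEvent,         // Event array that contains the result events.
                   QUERY_TIMEOUT,   // TimeOut.
                   0,               // flag, must be 0
                   &numOfEvents))   // Returned.
    {
        BOOL written = writeNextRecord(hEvent);
        EvtClose(hEvent);
        hEvent = NULL;
        if (!written)
        {
            return 1;
        }
    }

    // EvtNext signals the end of the result set with ERROR_NO_MORE_ITEMS;
    // any other error means the read stopped early and the file is incomplete.
    DWORD lerr = GetLastError();
    if (lerr != ERROR_NO_MORE_ITEMS)
    {
        printf("Failed to read the next event!. Error = 0x%x", lerr);
        return 1;
    }
    return 0;
}

/*
 * Entry point: EventLogReader.exe <logName> <outputFilename>
 *
 * Queries every event ("*") of the named channel on the local machine and
 * writes one record per event to the output file. Returns 0 on success and
 * 1 when an argument is missing, the output file cannot be opened, the
 * channel cannot be queried, or a record cannot be read or written.
 */
int __cdecl wmain(int argc, wchar_t *argv[])
{
    // argv[2] is dereferenced below, so both arguments are mandatory.
    if (argc < 3)
    {
        printf("Usage: EventLogReader.exe logName <outputFilename>\n");
        return 1;
    }

    LPCWSTR logChannel = argv[1];   // Query channel
    LPCWSTR logQuery = L"*";        // XPath selecting every event in the channel

    fpOut = _wfopen(argv[2], L"w");
    if (fpOut == NULL)
    {
        printf("Failed to open the output file!. Error = 0x%x", GetLastError());
        return 1;
    }

    int exitCode = 1;
    EVT_HANDLE eventQuery = EvtQuery(NULL,                 // query local windows machine.
                                     logChannel,           // Channel.
                                     logQuery,             // Query.
                                     EvtQueryChannelPath   // Flag.
                                     );
    if (eventQuery == NULL)
    {
        DWORD lerr = GetLastError();
        printf("Failed to query the event log!. Error = 0x%x", lerr);
        if (lerr == ERROR_ACCESS_DENIED)
        {
            // Protected channels (Security in particular) are not readable by
            // an unprivileged account; this is a permission problem on the
            // channel, not a malformed query.
            printf("\nAccess denied: the current user lacks read permission on this channel.\n");
        }
    }
    else
    {
        exitCode = readAllEvents(eventQuery);
        EvtClose(eventQuery);
    }

    fclose(fpOut);
    fpOut = NULL;
    return exitCode;
}

/*
 * Resolves the event's EvtSystemUserID SID to an account name (without the
 * domain part).
 *
 * username         : receives the account name, or cDefaultValue when the
 *                    property is absent, not a SID, or cannot be looked up
 * cUsernameSize    : capacity of username in wide characters - the unit
 *                    LookupAccountSid expects, not a byte count
 * valArray         : rendered system property set
 * sysPropertyCount : number of entries in valArray
 */
void getUserName(LPWSTR username, DWORD cUsernameSize, PEVT_VARIANT valArray, DWORD sysPropertyCount)
{
    if (sysPropertyCount <= EvtSystemUserID
        || valArray[EvtSystemUserID].Type != EvtVarTypeSid
        || valArray[EvtSystemUserID].SidVal == NULL)
    {
        wcscpy_s(username, cUsernameSize, cDefaultValue);
        return;
    }

    wchar_t referencedDomainName[500];
    // Both capacities are passed in characters; sizeof() would overstate a
    // wchar_t buffer by a factor of two and let the API write past its end.
    DWORD domainLength = (DWORD)(sizeof(referencedDomainName) / sizeof(referencedDomainName[0]));
    DWORD nameLength = cUsernameSize;
    SID_NAME_USE eUse = SidTypeUnknown;

    if (!LookupAccountSid(NULL,                           // system name (local)
                          valArray[EvtSystemUserID].SidVal, // the SID structure
                          username,                       // the buffer receiving the account name
                          &nameLength,                    // the buffer length for the account name
                          referencedDomainName,           // domain name
                          &domainLength,                  // the buffer length for the domain name
                          &eUse))                         // the type of the account
    {
        wcscpy_s(username, cUsernameSize, cDefaultValue);
    }
}

/**
 * Transforms one event into a single tab-delimited text record and appends it
 * to fpOut. The event's system property set supplies the fixed fields; the
 * provider's metadata and the user property set supply the task, opcode,
 * keyword and description text. See the definition below for the field order.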
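 *
 */

/* Fixed fields extracted from one event's system property set. The LPCWSTR
 * members alias the rendered property buffer and are valid only while that
 * buffer is alive. */
struct EventRecordFields
{
    LPCWSTR provider;
    LPCWSTR channel;
    LPCWSTR computer;
    unsigned __int16 eventId;
    unsigned __int16 qualifierId;
    DWORD64 recordId;
    unsigned __int32 processId;
    unsigned __int32 threadId;
    unsigned __int8 priority;
    wchar_t username[500];
    wchar_t creationTime[500];
    wchar_t guidStr[500];
    wchar_t activityIdStr[500];
    wchar_t relatedActivityIdStr[500];
};

/* Copies text into a new[] buffer that the caller must delete[]. */
static LPWSTR duplicateString(LPCWSTR text)
{
    size_t length = wcslen(text);
    LPWSTR copy = new WCHAR[length + 1];
    wmemcpy(copy, text, length + 1);
    return copy;
}

/*
 * Runs the two-call EvtFormatMessage protocol: a size query with no buffer,
 * then a call with a buffer of the size the API reported. The size is a count
 * of wide characters, so the buffer is allocated from it directly - never from
 * sizeof() of a pointer, which is what let the previous version hand the API a
 * 1-element heap buffer while claiming it was 4 or 8 elements long.
 * Returns a new[] string the caller must delete[], or NULL when the API fails
 * for any reason other than asking for a bigger buffer.
 */
static LPWSTR formatMessageAlloc(EVT_HANDLE publisherConfig, EVT_HANDLE hEvent,
                                 DWORD messageId, DWORD valueCount,
                                 PEVT_VARIANT values, DWORD formatFlag)
{
    DWORD needed = 0;
    if (!EvtFormatMessage(publisherConfig, hEvent, messageId, valueCount, values,
                          formatFlag, 0, NULL, &needed)
        && GetLastError() != ERROR_INSUFFICIENT_BUFFER)
    {
        return NULL;
    }
    if (needed == 0)
    {
        return duplicateString(L"");
    }

    // One spare element guarantees termination even if the reported size
    // did not include the terminator.
    LPWSTR buffer = new WCHAR[needed + 1];
    DWORD used = 0;
    if (!EvtFormatMessage(publisherConfig, hEvent, messageId, valueCount, values,
                          formatFlag, needed, buffer, &used))
    {
        delete[] buffer;
        return NULL;
    }
    buffer[needed] = L'\0';
    return buffer;
}

/* Builds the "description cannot be found" text used when the provider's
 * metadata or message table is unavailable. The buffer is sized with
 * _scwprintf, so the formatted event ID can never overrun it; the provider
 * name is an argument, not part of the format, so its content cannot inject
 * conversions. Returns a new[] string the caller must delete[]. */
static LPWSTR buildDefaultMessage(unsigned __int16 eventId, LPCWSTR provider)
{
    int needed = _scwprintf(cDefaultErrMsg, eventId, provider);
    if (needed < 0)
    {
        needed = 0;
    }
    LPWSTR buffer = new WCHAR[needed + 1];
    _snwprintf_s(buffer, (size_t)needed + 1, _TRUNCATE, cDefaultErrMsg, eventId, provider);
    return buffer;
}

/* Maps the event's level byte onto the severity value written in the record.
 * The table is kept exactly as the original: 0 -> 20, 2 -> 50, 3 -> 30 and
 * everything else (including levels 1, 4 and 5) -> 10. Confirm against the
 * consumer's severity scale before extending it. */
static unsigned __int8 mapLevelToPriority(BYTE level)
{
    switch (level)
    {
    case 0:
        return 20;
    case 2:
        return 50;
    case 3:
        return 30;
    default:
        return 10;
    }
}

/* Fills fields from a rendered system property set. The caller has already
 * verified that valArray holds all EvtSystemPropertyIdEND slots. Null-typed
 * or NULL-string properties keep their default (0 or cDefaultValue), so no
 * NULL pointer ever reaches the output formatter. */
static void readSystemFields(PEVT_VARIANT valArray, DWORD sysPropertyCount, EventRecordFields *fields)
{
    fields->provider = cDefaultValue;
    fields->channel = cDefaultValue;
    fields->computer = cDefaultValue;
    fields->eventId = 0;
    fields->qualifierId = 0;
    fields->recordId = 0;
    fields->processId = 0;
    fields->threadId = 0;
    fields->priority = 0;

    if (valArray[EvtSystemProviderName].Type != EvtVarTypeNull
        && valArray[EvtSystemProviderName].StringVal != NULL)
    {
        fields->provider = valArray[EvtSystemProviderName].StringVal;
    }
    if (valArray[EvtSystemChannel].Type != EvtVarTypeNull
        && valArray[EvtSystemChannel].StringVal != NULL)
    {
        fields->channel = valArray[EvtSystemChannel].StringVal;
    }
    if (valArray[EvtSystemComputer].Type != EvtVarTypeNull
        && valArray[EvtSystemComputer].StringVal != NULL)
    {
        fields->computer = valArray[EvtSystemComputer].StringVal;
    }
    if (valArray[EvtSystemEventID].Type != EvtVarTypeNull)
    {
        fields->eventId = valArray[EvtSystemEventID].UInt16Val;
    }
    if (valArray[EvtSystemQualifiers].Type != EvtVarTypeNull)
    {
        fields->qualifierId = valArray[EvtSystemQualifiers].UInt16Val;
    }
    if (valArray[EvtSystemEventRecordId].Type != EvtVarTypeNull)
    {
        fields->recordId = valArray[EvtSystemEventRecordId].UInt64Val;
    }
    if (valArray[EvtSystemProcessID].Type != EvtVarTypeNull)
    {
        fields->processId = valArray[EvtSystemProcessID].UInt32Val;
    }
    if (valArray[EvtSystemThreadID].Type != EvtVarTypeNull)
    {
        fields->threadId = valArray[EvtSystemThreadID].UInt32Val;
    }
    if (valArray[EvtSystemLevel].Type != EvtVarTypeNull)
    {
        fields->priority = mapLevelToPriority(valArray[EvtSystemLevel].ByteVal);
    }

    // Capacities are element counts, which is what the helpers (and the
    // Win32 calls behind them) expect.
    getUserName(fields->username,
                (DWORD)(sizeof(fields->username) / sizeof(fields->username[0])),
                valArray, sysPropertyCount);
    getCreationTime(fields->creationTime,
                    (DWORD)(sizeof(fields->creationTime) / sizeof(fields->creationTime[0])),
                    valArray, sysPropertyCount);
    getGUIDStr(fields->guidStr, valArray, EvtSystemProviderGuid, sysPropertyCount);
    getGUIDStr(fields->activityIdStr, valArray, EvtSystemActivityID, sysPropertyCount);
    getGUIDStr(fields->relatedActivityIdStr, valArray, EvtSystemRelatedActivityID, sysPropertyCount);
}

/* Renders the event's user properties and formats the description through the
 * provider's message table. Falls back to the standard "description cannot be
 * found" text when there is no metadata handle, rendering fails, or
 * EvtFormatMessage reports an error - the previous version left the message
 * buffer uninitialised in the rendering-failure case. Always returns a new[]
 * string the caller must delete[]. */
static LPWSTR formatEventDescription(EVT_HANDLE hEvent, EVT_HANDLE userContext,
                                     EVT_HANDLE publisherConfig,
                                     unsigned __int16 eventId, LPCWSTR provider)
{
    BYTE placeholder[1];
    PBYTE usrValues = placeholder;
    DWORD usrValueSize = sizeof(placeholder);
    DWORD usrPropertyCount = 0;
    LPWSTR message = NULL;

    if (publisherConfig != NULL
        && renderEvent(hEvent, userContext, &usrValues, &usrValueSize, &usrPropertyCount, EvtRenderEventValues))
    {
        PEVT_VARIANT usrValArray = (usrValueSize != 0) ? PEVT_VARIANT(usrValues) : NULL;
        // eventId is passed as MessageId exactly as before; with
        // EvtFormatMessageEvent the API takes the message from the event itself.
        message = formatMessageAlloc(publisherConfig, hEvent, eventId,
                                     usrPropertyCount, usrValArray, EvtFormatMessageEvent);
    }

    // renderEvent only swaps in a heap buffer when the placeholder was too
    // small; comparing pointers (not sizes) decides whether there is one to free.
    if (usrValues != placeholder)
    {
        delete[] usrValues;
    }
    if (message == NULL)
    {
        message = buildDefaultMessage(eventId, provider);
    }
    return message;
}

/* Appends one record to fpOut in the established field order and flushes.
 * Returns FALSE when fwprintf reports an error so the caller stops instead of
 * silently producing a truncated file; TRUE (no-op) when fpOut is not open. */
static BOOL writeRecordLine(const EventRecordFields *f, LPCWSTR eventTask,
                            LPCWSTR eventOpcode, LPCWSTR eventKeyword, LPCWSTR message)
{
    if (fpOut == NULL)
    {
        return TRUE;
    }

    int rc = fwprintf(fpOut, L"%s%I64u%s\t%s%6hu%s\t%s%6hu%s\t%s%10u%s\t%s%10u%s\t%s%2hu%s\t%s%s%s\t%s%s%s\t%s%s%s\t%s%s%s\t%s%s%s\t%s%s%s\t%s%s%s\t%s%s%s\t%s%s%s\t%s%s%s\t%s%s%s\t%s%s%s\t%s%s%s\n",
                      cRecordIdPref, f->recordId, cSeperateToken,
                      cEventIDPref, f->eventId, cSeperateToken,
                      cQualifierIdPref, f->qualifierId, cSeperateToken,
                      cProcessIDPref, f->processId, cSeperateToken,
                      cThreadIDPref, f->threadId, cSeperateToken,
                      cEventLevelPref, f->priority, cSeperateToken,
                      cProviderPref, f->provider, cSeperateToken,
                      cCreationTimePref, f->creationTime, cSeperateToken,
                      cEventTaskPref, eventTask, cSeperateToken,
                      cOperationalCodePref, eventOpcode, cSeperateToken,
                      cEventKeywordPref, eventKeyword, cSeperateToken,
                      cUsernamePref, f->username, cSeperateToken,
                      cGUIDPref, f->guidStr, cSeperateToken,
                      cActivityPref, f->activityIdStr, cSeperateToken,
                      cRelatedActivityPref, f->relatedActivityIdStr, cSeperateToken,
                      cChannelIDPref, f->channel, cSeperateToken,
                      cComputerNamePref, f->computer, cSeperateToken,
                      cLocationTypePref, cLocationType, cSeperateToken,
                      cMessagesPref, message, cSeperateToken);
    _flushall();

    if (rc < 0)
    {
        wprintf(L"Couldn't write the output record!. Error = 0x%x \n", GetLastError());
        return FALSE;
    }
    return TRUE;
}

/* Builds and writes the record for an event whose system properties have been
 * rendered into valArray. Opens the provider's metadata once and uses it for
 * the task/opcode/keyword names as well as the description: EvtFormatMessage
 * needs that handle to resolve the names for locally logged events, which the
 * previous NULL argument did not provide. Returns writeRecordLine's result. */
static BOOL formatAndWriteRecord(EVT_HANDLE hEvent, EVT_HANDLE userContext,
                                 PEVT_VARIANT valArray, DWORD sysPropertyCount)
{
    EventRecordFields fields;
    readSystemFields(valArray, sysPropertyCount, &fields);

    EVT_HANDLE publisherConfig = NULL;
    if (valArray[EvtSystemProviderName].Type != EvtVarTypeNull
        && valArray[EvtSystemProviderName].StringVal != NULL)
    {
        publisherConfig = EvtOpenPublisherMetadata(NULL, fields.provider, NULL, 0, 0);
    }

    LPWSTR eventTask = getEventProperty(hEvent, 0, NULL, EvtFormatMessageTask, publisherConfig);
    LPWSTR eventOpcode = getEventProperty(hEvent, 0, NULL, EvtFormatMessageOpcode, publisherConfig);
    LPWSTR eventKeyword = getEventProperty(hEvent, 0, NULL, EvtFormatMessageKeyword, publisherConfig);
    LPWSTR message = formatEventDescription(hEvent, userContext, publisherConfig,
                                            fields.eventId, fields.provider);

    if (publisherConfig != NULL)
    {
        EvtClose(publisherConfig);
    }

    // Free-text fields come from the provider or from whoever triggered the
    // event (a logon name, for instance); strip the characters that would
    // split the record. The "@;@" token itself is not escaped - the consumer
    // must tolerate it inside a field.
    removeNewLine(eventTask);
    removeNewLine(eventOpcode);
    removeNewLine(eventKeyword);
    removeNewLine(message);
    removeNewLine(fields.username);

    BOOL written = writeRecordLine(&fields, eventTask, eventOpcode, eventKeyword, message);

    delete[] message;
    delete[] eventKeyword;
    delete[] eventOpcode;
    delete[] eventTask;
    return written;
}

/* Renders the system property set with the given context, validates that it
 * holds the full set of EvtSystemPropertyIdEND entries the field readers
 * index into, and delegates to formatAndWriteRecord. The rendered buffer is
 * freed on every path (it leaked on the success path before). */
static BOOL writeRecordWithContexts(EVT_HANDLE hEvent, EVT_HANDLE systemContext, EVT_HANDLE userContext)
{
    BYTE placeholder[1];
    PBYTE sysValues = placeholder;
    DWORD sysValuesSize = sizeof(placeholder);
    DWORD sysPropertyCount = 0;
    BOOL written = FALSE;

    if (renderEvent(hEvent, systemContext, &sysValues, &sysValuesSize, &sysPropertyCount, EvtRenderEventValues))
    {
        if (sysPropertyCount == EvtSystemPropertyIdEND)
        {
            written = formatAndWriteRecord(hEvent, userContext, PEVT_VARIANT(sysValues), sysPropertyCount);
        }
        else
        {
            wprintf(L"Unexpected system property count %u \n", sysPropertyCount);
        }
    }

    if (sysValues != placeholder)
    {
        delete[] sysValues;
    }
    return written;
}

/*
 * Transforms one event into a tab-delimited text record and appends it to
 * fpOut. Creates the system and user render contexts for this event, writes
 * the record, and closes both contexts again (they were leaked per event
 * before). Returns FALSE - which stops the caller's read loop - when the
 * contexts cannot be created, the system property set is incomplete, or the
 * record cannot be written.
 */
BOOL writeNextRecord(EVT_HANDLE hEvent)
{
    // Set all of the current program locale information specified to the system default.
    // This is required to retrieve all of the messages in the local language.
    _wsetlocale(LC_ALL, L"");

    EVT_HANDLE renderContext = EvtCreateRenderContext(0, NULL, EvtRenderContextSystem);
    EVT_HANDLE renderUserContext = EvtCreateRenderContext(0, NULL, EvtRenderContextUser);
    BOOL written = FALSE;

    if (renderContext != NULL && renderUserContext != NULL)
    {
        written = writeRecordWithContexts(hEvent, renderContext, renderUserContext);
    }
    else
    {
        wprintf(L"Couldn't create render context!. Error = 0x%x \n", GetLastError());
    }

    if (renderUserContext != NULL)
    {
        EvtClose(renderUserContext);
    }
    if (renderContext != NULL)
    {
        EvtClose(renderContext);
    }
    return written;
}

/**
 * Formats one event property (task, opcode or keyword name, selected by
 * eventFormatFlag) through the provider's metadata.
 *
 * Always returns a new[] string that the caller must delete[]: the formatted
 * text when EvtFormatMessage succeeds, otherwise a copy of cDefaultValue.
 * (The previous version returned the shared cDefaultValue literal on failure
 * and discarded a successful first-call result.) sysPropertyCount/valArray
 * are forwarded as the API's insertion values; pass 0/NULL to let the API
 * take them from the event.
 */
LPWSTR getEventProperty(EVT_HANDLE hEvent, DWORD sysPropertyCount, PEVT_VARIANT valArray, DWORD eventFormatFlag, EVT_HANDLE publisherConfig)
{
    LPWSTR text = formatMessageAlloc(publisherConfig, hEvent, 0, sysPropertyCount, valArray, eventFormatFlag);
    if (text == NULL)
    {
        text = duplicateString(cDefaultValue);
    }
    return text;
}



/**
 * Retrieve event creation time string.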
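 */

/*
 * Formats EvtSystemTimeCreated as local time "MM/DD/YYYY hh:mm:ss.ffffff".
 *
 * creationTime     : receives the text, or cDefaultValue when the property is
 *                    absent, not a FILETIME, or the time conversion fails
 * creationTimeSize : capacity of creationTime in wide characters
 * valArray         : rendered system property set
 * sysPropertyCount : number of entries in valArray
 *
 * The six-digit fraction keeps the width of the original format but is now
 * the millisecond value scaled to microseconds; the previous "%06d" printed
 * e.g. 123 ms as ".000123", which reads as 123 microseconds.
 */
void getCreationTime(LPWSTR creationTime, DWORD creationTimeSize, PEVT_VARIANT valArray, DWORD sysPropertyCount)
{
    if (sysPropertyCount <= EvtSystemTimeCreated
        || valArray[EvtSystemTimeCreated].Type != EvtVarTypeFileTime)
    {
        wcscpy_s(creationTime, creationTimeSize, cDefaultValue);
        return;
    }

    ULONGLONG raw = valArray[EvtSystemTimeCreated].FileTimeVal;
    FILETIME utcTime;
    utcTime.dwLowDateTime = (DWORD)(raw & 0xFFFFFFFFULL);
    utcTime.dwHighDateTime = (DWORD)(raw >> 32);

    FILETIME localTime;
    SYSTEMTIME sysTime;
    if (!FileTimeToLocalFileTime(&utcTime, &localTime)
        || !FileTimeToSystemTime(&localTime, &sysTime))
    {
        wcscpy_s(creationTime, creationTimeSize, cDefaultValue);
        return;
    }

    _snwprintf_s(creationTime, creationTimeSize, _TRUNCATE,
                 L"%02d/%02d/%04d %02d:%02d:%02d.%06d",
                 sysTime.wMonth,
                 sysTime.wDay,
                 sysTime.wYear,
                 sysTime.wHour,
                 sysTime.wMinute,
                 sysTime.wSecond,
                 (int)sysTime.wMilliseconds * 1000);
}

/*
 * Renders the GUID in valArray[varIndex] as
 * "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" (36 characters).
 *
 * guidStr must have room for at least 37 wide characters; it receives
 * cDefaultValue when the slot is out of range, not of GUID type, or NULL.
 */
void getGUIDStr(LPWSTR guidStr, PEVT_VARIANT valArray, DWORD varIndex, DWORD sysPropertyCount)
{
    const size_t guidStrCapacity = 37;   // 36 hex/dash characters plus the terminator

    if (sysPropertyCount <= varIndex
        || valArray[varIndex].Type != EvtVarTypeGuid
        || valArray[varIndex].GuidVal == NULL)
    {
        wcscpy_s(guidStr, guidStrCapacity, cDefaultValue);
        return;
    }

    const GUID *guid = valArray[varIndex].GuidVal;
    _snwprintf_s(guidStr, guidStrCapacity, _TRUNCATE,
                 L"%08lX-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X",
                 guid->Data1,
                 guid->Data2,
                 guid->Data3,
                 guid->Data4[0], guid->Data4[1],
                 guid->Data4[2], guid->Data4[3], guid->Data4[4],
                 guid->Data4[5], guid->Data4[6], guid->Data4[7]);
}

/*
 * Renders hEvent through renderContext into *outBufPtr.
 *
 * On entry *outBufPtr/*outBufSizePtr describe a caller-supplied buffer (a
 * 1-byte placeholder is fine). When EvtRender asks for more room, a new[]
 * buffer of the reported size replaces *outBufPtr and *outBufSizePtr, and the
 * caller owns it: compare *outBufPtr against the pointer passed in to decide
 * whether to delete[]. The heap buffer stays in *outBufPtr even when the
 * second render fails, so that ownership rule holds on every path.
 * Returns TRUE on success; FALSE (with a diagnostic on stdout) otherwise.
 */
BOOL renderEvent(EVT_HANDLE hEvent, EVT_HANDLE renderContext, PBYTE *outBufPtr, DWORD *outBufSizePtr, DWORD *propertyCountPtr, DWORD renderFlag)
{
    if (EvtRender(renderContext,     // Context.
                  hEvent,            // HANDLE.
                  renderFlag,        // Flags.
                  *outBufSizePtr,    // BufferSize.
                  *outBufPtr,        // Buffer.
                  outBufSizePtr,     // Buffer size used or required.
                  propertyCountPtr))
    {
        return TRUE;
    }

    DWORD lerr = GetLastError();
    if (lerr != ERROR_INSUFFICIENT_BUFFER)
    {
        wprintf(L"EventRender failed !. Error = 0x%x \n", lerr);
        return FALSE;
    }

    // *outBufSizePtr now holds the size the API needs.
    *outBufPtr = new BYTE[*outBufSizePtr];

    if (!EvtRender(renderContext, hEvent, renderFlag,
                   *outBufSizePtr, *outBufPtr, outBufSizePtr, propertyCountPtr))
    {
        wprintf(L"Couldn't render event!. Error = 0x%x", GetLastError());
        return FALSE;
    }
    return TRUE;
}

/*
 * Neutralises record-structure characters inside a free-text field so that
 * provider- or user-controlled text cannot split the record it is embedded
 * in: CR and LF (the record terminator) and TAB (the field separator written
 * by writeNextRecord) are each replaced by a space, in place. The "@;@"
 * separator token is not escaped here. NULL is accepted and ignored.
 */
void removeNewLine(LPWSTR str)
{
    if (str == NULL)
    {
        return;
    }
    for (LPWSTR p = str; *p != L'\0'; ++p)
    {
        if (*p == L'\n' || *p == L'\r' || *p == L'\t')
        {
            *p = L' ';
        }
    }
}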