|
|
#include "stdafx.h"
// #include "winbase.h"
// Upper bound on the number of insert strings taken from a single event-log
// record when building the FormatMessage argument array.
#define MAX_INSERT_STRS 5
// Event-log sources (in the System log) whose records are reported as
// Terminal Services events; matched case-insensitively against each record's
// source name.
TCHAR *aszTSEventSources[] = { _T("TermService"), _T("TermDD"), _T("TermServDevices") };
BOOL ExtractEvents();

// Public entry point: emits a separating blank line, then walks the System
// event log for Terminal Services records (see ExtractEvents()).
// Returns TRUE when at least one such record was rendered.
BOOL ExtractAllTSEvents()
{
    cout << endl;
    const BOOL bFound = ExtractEvents();
    return bFound;
}
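// ---------------------------------------------------------------------------
// File-local helpers for ExtractEvents().
//
// Fixes relative to the previous single-function version:
//  * the record walk used `< end`, so the LAST record of every buffer read was
//    silently skipped; records are now validated (header inside the buffer,
//    Length >= header, Length inside the buffer, source name terminated) so a
//    malformed record cannot cause an out-of-bounds read or an endless loop;
//  * insert strings are walked only inside their record and typed as TCHAR
//    (the old char*/strlen walk was wrong for a UNICODE build), and every slot
//    FormatMessage can reference (%1..%99) is pre-filled, so a template that
//    uses more inserts than the record carries cannot read uninitialised
//    pointers off the stack;
//  * message DLLs named by the registry are mapped with LOAD_LIBRARY_AS_DATAFILE,
//    so their DllMain never executes (message lookup needs resources only), and
//    are released after use; a failed load no longer falls through to a
//    FormatMessage call on a NULL module;
//  * ExpandEnvironmentStrings is checked, so a path that does not fit in
//    MAX_PATH is rejected instead of being tokenised as garbage;
//  * ERROR_INSUFFICIENT_BUFFER from ReadEventLog grows the buffer instead of
//    ending the walk; the event-log handle and the buffer are always released.
// ---------------------------------------------------------------------------

// Number of argument slots handed to FormatMessage: a message template may
// reference inserts %1 through %99.
static const DWORD kFormatInsertSlots = 99;

// Owns the ReadEventLog() buffer and the event-log handle so that every exit
// path of ExtractEvents() releases them.
struct TSEventLogReader
{
    HANDLE hLog;
    char  *pBuff;
    DWORD  cbBuff;

    TSEventLogReader() : hLog(NULL), pBuff(NULL), cbBuff(0) {}
    ~TSEventLogReader()
    {
        delete[] pBuff;
        if (hLog) CloseEventLog(hLog);
    }

    // Makes the buffer at least cbWanted bytes. Returns FALSE if the
    // allocation fails (the old buffer is kept in that case).
    BOOL Reserve(DWORD cbWanted)
    {
        if (cbWanted <= cbBuff) return TRUE;
        char *pNew = new char[cbWanted];
        if (!pNew) return FALSE;
        delete[] pBuff;
        pBuff  = pNew;
        cbBuff = cbWanted;
        return TRUE;
    }

private:
    TSEventLogReader(const TSEventLogReader &);
    TSEventLogReader &operator=(const TSEventLogReader &);
};

// Returns the aszTSEventSources entry matching szSource (case-insensitive),
// or NULL when the record comes from a source this tool does not report on.
static LPCTSTR MatchTSEventSource(LPCTSTR szSource)
{
    const int nSources = sizeof(aszTSEventSources) / sizeof(aszTSEventSources[0]);
    for (int i = 0; i < nSources; i++)
    {
        if (_tcsicmp(szSource, aszTSEventSources[i]) == 0)
            return aszTSEventSources[i];
    }
    return NULL;
}

// Checks that the record starting at pRec lies completely inside the read
// buffer ending at pEnd and that its source name (the string immediately
// after the header) is NUL-terminated inside the record.
static BOOL IsValidRecord(const EVENTLOGRECORD *pRec, const char *pEnd)
{
    const char *pStart  = (const char *)pRec;
    const size_t cbAvail = (size_t)(pEnd - pStart);

    if (cbAvail < sizeof(EVENTLOGRECORD)) return FALSE;        // header not fully in buffer
    if (pRec->Length < sizeof(EVENTLOGRECORD)) return FALSE;   // zero/short Length: would loop forever
    if (cbAvail < pRec->Length) return FALSE;                   // body runs past the buffer

    LPCTSTR pName   = (LPCTSTR)(pStart + sizeof(EVENTLOGRECORD));
    LPCTSTR pRecEnd = (LPCTSTR)(pStart + pRec->Length);
    while (pName < pRecEnd && *pName) pName++;
    return pName < pRecEnd;                                     // terminator found inside record
}

// Fills aInserts (kFormatInsertSlots entries) with pointers to the record's
// insert strings. At most MAX_INSERT_STRS strings are taken from the record;
// the walk never leaves the record, and a string without a terminator inside
// the record is dropped. Every unused slot points at "" so FormatMessage has
// a valid string for any %n it encounters.
static void CollectInsertStrings(const EVENTLOGRECORD *pRec, LPCTSTR *aInserts)
{
    for (DWORD n = 0; n < kFormatInsertSlots; n++)
        aInserts[n] = _T("");

    if (pRec->StringOffset >= pRec->Length) return;            // offset outside the record

    LPCTSTR p    = (LPCTSTR)((const char *)pRec + pRec->StringOffset);
    LPCTSTR pEnd = (LPCTSTR)((const char *)pRec + pRec->Length);

    for (DWORD n = 0; n < pRec->NumStrings && n < MAX_INSERT_STRS && p < pEnd; n++)
    {
        aInserts[n] = p;
        while (p < pEnd && *p) p++;                              // find the terminator
        if (p >= pEnd)
        {
            aInserts[n] = _T("");                                // unterminated: do not hand it out
            break;
        }
        p++;                                                     // step past the NUL to the next string
    }
}

// Resolves the EventMessageFile value registered for szEventSource into
// szSourcePath (cchPath TCHARs, environment variables expanded).
// Prints a diagnostic and returns FALSE when the key or value is missing or
// the expanded path does not fit.
static BOOL LookupEventMessageFile(LPCTSTR szEventSource, LPTSTR szSourcePath, DWORD cchPath)
{
    USES_CONVERSION;

    TCHAR szSourceKey[1024];
    _tcscpy(szSourceKey, _T("SYSTEM\\CurrentControlSet\\Services\\EventLog\\System\\"));
    // szEventSource is one of our own table entries, but bound the append anyway.
    const size_t cchAvail = (sizeof(szSourceKey) / sizeof(szSourceKey[0])) - _tcslen(szSourceKey) - 1;
    if (_tcslen(szEventSource) > cchAvail) return FALSE;
    _tcscat(szSourceKey, szEventSource);

    CRegistry oReg;
    if (oReg.OpenKey(HKEY_LOCAL_MACHINE, szSourceKey, KEY_READ) != ERROR_SUCCESS)
    {
        cout << " Error Reading Registry (" << T2A(szSourceKey) << endl;
        return FALSE;
    }

    LPTSTR str;
    DWORD dwSize;
    if (oReg.ReadRegString(_T("EventMessageFile"), &str, &dwSize) != ERROR_SUCCESS)
    {
        cout << " Error Reading Registry (" << T2A(szSourceKey) << ")/(EventMessageFiles)" << endl;
        return FALSE;
    }
    // NOTE(review): who frees `str` depends on CRegistry, which is not visible
    // here — confirm the class releases it.

    // Returns 0 on failure, or the size required; a result larger than the
    // buffer means the path was truncated and must not be used.
    const DWORD cch = ExpandEnvironmentStrings(str, szSourcePath, cchPath);
    if (cch == 0 || cch > cchPath)
    {
        cout << " Error expanding EventMessageFile for (" << T2A(szSourceKey) << ")" << endl;
        return FALSE;
    }
    return TRUE;
}

// Tries each ';'-separated module in szSourcePath (tokenised in place with
// _tcstok, which is not reentrant) until one renders pRec->EventID into
// szMessage (cchMessage TCHARs). Modules are mapped as data files only, so
// code in the DLL named by the registry is never executed; each module is
// released before moving on. Returns FALSE, after printing diagnostics, when
// no module could render the message.
static BOOL FormatTSEventMessage(LPTSTR szSourcePath, const EVENTLOGRECORD *pRec,
                                 LPCTSTR *aInserts, LPTSTR szMessage, DWORD cchMessage)
{
    USES_CONVERSION;

    for (LPTSTR szModule = _tcstok(szSourcePath, _T(";")); szModule; szModule = _tcstok(NULL, _T(";")))
    {
        HMODULE hModule = LoadLibraryEx(szModule, NULL, LOAD_LIBRARY_AS_DATAFILE);
        if (!hModule)
        {
            cout << " LoadLibraryEx Failed (" << T2A(szModule) << "). lasterror = " << GetLastError() << endl;
            continue;
        }

        const DWORD cch = FormatMessage(FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_ARGUMENT_ARRAY,
                                        hModule, pRec->EventID, 0, szMessage, cchMessage,
                                        (va_list *)aInserts);
        const DWORD dwErr = GetLastError();                      // capture before FreeLibrary
        FreeLibrary(hModule);

        if (cch) return TRUE;
        cout << " FormatMessage Failed. lasterror = " << dwErr << endl;
    }
    return FALSE;
}

// Prints one rendered event as "<local time>: ( <source> ) : <message>".
// No newline is appended: message text from the DLL normally ends with one.
static void PrintTSEvent(const EVENTLOGRECORD *pRec, LPCTSTR szEventSource, LPCTSTR szMessage)
{
    USES_CONVERSION;

    TCHAR szTimeString[512] = _T("");
    time_t timeGenerated = pRec->TimeGenerated;
    struct tm *pLocal = localtime(&timeGenerated);               // NULL for an unrepresentable time
    if (pLocal)
        _tcsftime(szTimeString, 512, _T("%c"), pLocal);

    cout << " " << T2A(szTimeString) << ": ( " << T2A(szEventSource) << " ) : " << T2A(szMessage);
}

// Renders and prints one record from a Terminal Services source.
// Returns TRUE when a message was printed, FALSE when the message file could
// not be resolved or the message could not be formatted.
static BOOL ReportTSRecord(const EVENTLOGRECORD *pRec, LPCTSTR szEventSource)
{
    LPCTSTR aInserts[kFormatInsertSlots];
    CollectInsertStrings(pRec, aInserts);

    TCHAR szSourcePath[MAX_PATH];
    if (!LookupEventMessageFile(szEventSource, szSourcePath, MAX_PATH))
        return FALSE;

    TCHAR szMessage[1024];                                       // messages longer than this fail to format
    if (!FormatTSEventMessage(szSourcePath, pRec, aInserts, szMessage, 1024))
        return FALSE;

    PrintTSEvent(pRec, szEventSource, szMessage);
    return TRUE;
}

// Walks the System event log newest-first and prints every record whose
// source is listed in aszTSEventSources, using the EventMessageFile
// registered for that source to render the text.
// Returns TRUE when at least one record was rendered; FALSE when the log
// could not be opened, no buffer could be allocated, or nothing matched.
BOOL ExtractEvents()
{
    BOOL bFoundEvents = FALSE;
    TSEventLogReader reader;

    reader.hLog = OpenEventLog(NULL, _T("System"));
    if (!reader.hLog)
    {
        cout << " Failed to Open Event log." << endl;
        return FALSE;
    }
    if (!reader.Reserve(1024 * 10))
        return FALSE;

    for (;;)
    {
        DWORD dwBytesRead = 0, dwBytesNeeded = 0;
        if (!ReadEventLog(reader.hLog, EVENTLOG_BACKWARDS_READ | EVENTLOG_SEQUENTIAL_READ, 0,
                          reader.pBuff, reader.cbBuff, &dwBytesRead, &dwBytesNeeded))
        {
            // A record larger than the buffer is reported as ERROR_INSUFFICIENT_BUFFER
            // without advancing the read position: grow and retry the same read.
            if (GetLastError() == ERROR_INSUFFICIENT_BUFFER &&
                dwBytesNeeded > reader.cbBuff && reader.Reserve(dwBytesNeeded))
                continue;
            break;                                               // ERROR_HANDLE_EOF or a real failure
        }
        if (dwBytesRead == 0) break;

        const char *pEnd = reader.pBuff + dwBytesRead;
        const EVENTLOGRECORD *pRec = (const EVENTLOGRECORD *)reader.pBuff;
        while (IsValidRecord(pRec, pEnd))
        {
            // The source name immediately follows the fixed-size header.
            LPCTSTR szSource = (LPCTSTR)((const BYTE *)pRec + sizeof(EVENTLOGRECORD));
            LPCTSTR szEventSource = MatchTSEventSource(szSource);
            if (szEventSource && ReportTSRecord(pRec, szEventSource))
                bFoundEvents = TRUE;

            pRec = (const EVENTLOGRECORD *)((const char *)pRec + pRec->Length);
        }
    }
    return bFoundEvents;
}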
|