|
|
/*++
Copyright (c) 1998-1999 Microsoft Corporation
Module Name:
logdump.c
Abstract:
this file implements functrionality to read and dump the sr logs
Author:
Kanwaljit Marok (kmarok) 01-May-2000
Revision History:
--*/
#include <nt.h>
#include <ntrtl.h>
#include <nturtl.h>
#include <windows.h>
#include <stdio.h>
#include "logfmt.h"
#include "srapi.h"
struct _EVENT_STR_MAP { DWORD EventId; PCHAR pEventStr;} EventMap[ 13 ] = { {SrEventInvalid , "INVALID " }, {SrEventStreamChange, "FILE-MODIFY" }, {SrEventAclChange, "ACL-CHANGE " }, {SrEventAttribChange, "ATTR-CHANGE" }, {SrEventStreamOverwrite,"FILE-MODIFY" }, {SrEventFileDelete, "FILE-DELETE" }, {SrEventFileCreate, "FILE-CREATE" }, {SrEventFileRename, "FILE-RENAME" }, {SrEventDirectoryCreate,"DIR-CREATE " }, {SrEventDirectoryRename,"DIR-RENAME " }, {SrEventDirectoryDelete,"DIR-DELETE " }, {SrEventMountCreate, "MNT-CREATE " }, {SrEventMountDelete, "MNT-DELETE " } };
BYTE Buffer[4096];
PCHAR GetEventString( DWORD EventId ){ PCHAR pStr = NULL; static CHAR EventStringBuffer[8];
for( int i=0; i<sizeof(EventMap)/sizeof(_EVENT_STR_MAP);i++) { if ( EventMap[i].EventId == EventId ) { pStr = EventMap[i].pEventStr; } }
if (pStr == NULL) { pStr = &EventStringBuffer[0]; wsprintf(pStr, "0x%X", EventId); }
return pStr;}
BOOLEANProcessLogEntry( BOOLEAN bPrintDebug, LPCSTR pszSerNo, LPCSTR pszSize, LPCSTR pszEndSize, LPCSTR pszSeqNo, LPCSTR pszFlags, LPCSTR pszProcess, LPCSTR pszOperation, LPCSTR pszAttr, LPCSTR pszTmpFile, LPCSTR pszPath1, LPCSTR pszPath2, LPCSTR pszAcl, LPCSTR pszShortName, LPCSTR pszProcessHandle, LPCSTR pszThreadHandle){ BOOLEAN Status = TRUE;
if( bPrintDebug == FALSE ) { printf( "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t", pszSerNo, pszSize, pszSeqNo, pszOperation, pszAttr, pszAcl, pszPath1, pszShortName); } else { printf( "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t", pszSerNo, pszSize, pszSeqNo, pszOperation, pszAttr, pszProcess, pszProcessHandle, pszThreadHandle, pszAcl, pszPath1, pszShortName); }
if(pszTmpFile) { printf( "%s\t", pszTmpFile); }
if(pszPath2) { printf( "%s\t", pszPath2); }
printf("\n");
return Status;}
#define SR_MAX_PATH ((1000) + sizeof (CHAR)) // Name will always be at most 1000 characters plus a NULL.
BOOLEANReadLogData( BOOLEAN bPrintDebugInfo, LPTSTR pszFileName ){ BOOLEAN Status = FALSE; BOOLEAN bHaveDebugInfo = FALSE;
HANDLE hFile; DWORD nRead; DWORD cbSize = 0, dwEntries = 0, dwEntriesAdded = 0; DWORD dwSizeLow , dwSizeHigh;
CHAR szSerNo [10]; CHAR szSize [10]; CHAR szEndSize[10]; CHAR szSeqNo [20]; CHAR szOperation[50]; CHAR szAttr[50]; CHAR szFlags[10]; PCHAR szPath1 = NULL; PCHAR szPath2 = NULL; CHAR szTmpFile[MAX_PATH]; CHAR szAcl[MAX_PATH]; CHAR szShortName[MAX_PATH]; CHAR szProcess[32]; CHAR szProcessHandle[16]; CHAR szThreadHandle[16];
BYTE LogHeader[2048];
PSR_LOG_HEADER pLogHeader = (PSR_LOG_HEADER)LogHeader;
static INT s_dwEntries = -1;
szPath1 = (PCHAR) LocalAlloc( LMEM_FIXED, SR_MAX_PATH ); if (szPath1 == NULL ) { fprintf( stderr, "Insufficient memory\n" ); } szPath2 = (PCHAR) LocalAlloc( LMEM_FIXED, SR_MAX_PATH ); if (szPath2 == NULL ) { fprintf( stderr, "Insufficient memory\n" ); }
hFile = CreateFile( pszFileName, GENERIC_READ, FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL );
if ( hFile != INVALID_HANDLE_VALUE ) { PBYTE pLoc = NULL;
dwSizeLow = GetFileSize( hFile, &dwSizeHigh );
//
// Read the header size
//
ReadFile( hFile, &cbSize, sizeof(DWORD), &nRead, NULL );
SetFilePointer( hFile, - (INT)sizeof(DWORD), NULL, FILE_CURRENT );
// make sure that cbSize does not exceed the size of the
// buffer we have.
if (cbSize > sizeof(LogHeader)) { fprintf( stderr, "Invalid header or Corrupt log\n" ); CloseHandle(hFile); goto End; }
//
// Read the whole header entry
//
ReadFile( hFile, pLogHeader, cbSize, &nRead, NULL );
pLoc = (PBYTE)(&pLogHeader->SubRecords);
fprintf( stderr, "Header Size: %ld, Version: %ld, Tool Version: %ld\n%S\n", pLogHeader->Header.RecordSize, pLogHeader->LogVersion, SR_LOG_VERSION, (LPWSTR)(pLoc + sizeof(RECORD_HEADER)) );
if( pLogHeader->LogVersion != SR_LOG_VERSION || pLogHeader->MagicNum != SR_LOG_MAGIC_NUMBER ) { fprintf( stderr, "Invalid version or Corrupt log\n" ); CloseHandle(hFile); goto End; }
dwSizeLow -= pLogHeader->Header.RecordSize;
SetFilePointer (hFile, pLogHeader->Header.RecordSize, NULL, FILE_BEGIN);
//
// Start reading the log entries
//
while( dwSizeLow ) { PSR_LOG_ENTRY pLogEntry = (PSR_LOG_ENTRY)Buffer;
ZeroMemory(pLogEntry, sizeof(Buffer));
//
// Read the size of the entry
//
if ( !ReadFile( hFile, &pLogEntry->Header.RecordSize, sizeof(DWORD), &nRead, NULL ) ) { break; }
cbSize = pLogEntry->Header.RecordSize;
if (cbSize == 0 ) { //
// Zero size indicates end of the log
//
break; }
SetFilePointer( hFile, - (INT)sizeof(DWORD), NULL, FILE_CURRENT );
//
// Read the rest of the entry
//
if ( !ReadFile( hFile, ((PBYTE)pLogEntry), cbSize, &nRead, NULL ) ) { break; }
//
// Check the magic number
//
if( pLogEntry->MagicNum != SR_LOG_MAGIC_NUMBER ) { fprintf(stderr, "Invalid Entry ( Magic num )\n"); break; }
//
// Read the entries in to the buffer
//
sprintf( szSerNo , "%05d" , dwEntries + 1);
sprintf( szSize , "%04d" , pLogEntry->Header.RecordSize ); sprintf( szOperation, "%s" , GetEventString( pLogEntry->EntryType ));
sprintf( szFlags , "%08x" , pLogEntry->EntryFlags ); sprintf( szSeqNo , "%010d" , pLogEntry->SequenceNum); sprintf( szAttr , "%08x" , pLogEntry->Attributes ); sprintf( szProcess , "%12.12s" , pLogEntry->ProcName );
//
// get the first path
//
PBYTE pLoc = (PBYTE)&pLogEntry->SubRecords; sprintf( szPath1 , "%S" , pLoc + sizeof(RECORD_HEADER) );
if (pLogEntry->EntryFlags & ENTRYFLAGS_TEMPPATH) { pLoc += RECORD_SIZE(pLoc); sprintf( szTmpFile , "%S" , pLoc + sizeof(RECORD_HEADER) ); } else { sprintf( szTmpFile , "" ); }
if (pLogEntry->EntryFlags & ENTRYFLAGS_SECONDPATH) { pLoc += RECORD_SIZE(pLoc); sprintf( szPath2 , "%S" , pLoc + sizeof(RECORD_HEADER) ); } else { sprintf( szPath2 , "" ); }
if (pLogEntry->EntryFlags & ENTRYFLAGS_ACLINFO) { ULONG AclInfoSize;
pLoc += RECORD_SIZE(pLoc);
AclInfoSize = RECORD_SIZE(pLoc); sprintf( szAcl , "ACL(%04d)%" , AclInfoSize ); } else { sprintf( szAcl , "" ); }
if (pLogEntry->EntryFlags & ENTRYFLAGS_DEBUGINFO) { bHaveDebugInfo = TRUE; pLoc += RECORD_SIZE(pLoc); sprintf( szProcess , "%12.12s", ((PSR_LOG_DEBUG_INFO)pLoc)->ProcessName );
sprintf( szProcessHandle,"0x%08X", ((PSR_LOG_DEBUG_INFO)pLoc)->ProcessId );
sprintf( szThreadHandle,"0x%08X", ((PSR_LOG_DEBUG_INFO)pLoc)->ThreadId ); } else { bHaveDebugInfo = FALSE; sprintf( szProcess , "" ); sprintf( szThreadHandle , "" ); sprintf( szProcessHandle , "" ); }
if (pLogEntry->EntryFlags & ENTRYFLAGS_SHORTNAME) { pLoc += RECORD_SIZE(pLoc); sprintf( szShortName , "%S" , pLoc + sizeof(RECORD_HEADER) ); } else { sprintf( szShortName , "" ); }
//
// read the trailing record size
//
sprintf( szEndSize , "%04d", GET_END_SIZE(pLogEntry));
ProcessLogEntry( bPrintDebugInfo && bHaveDebugInfo, szSerNo, szSize, szEndSize, szSeqNo, szFlags, szProcess, szOperation, szAttr, szTmpFile, szPath1, szPath2, szAcl, szShortName, szProcessHandle, szThreadHandle);
dwEntries++;
dwSizeLow -= cbSize; cbSize = 0;
}
CloseHandle( hFile ); Status = TRUE; } else { fprintf( stderr, "Error opening LogFile %s\n", pszFileName ); }
End: fprintf( stderr, "Number of entries read :%d\n", dwEntries );
if (szPath1 != NULL) LocalFree( szPath1 );
if (szPath2 != NULL) LocalFree( szPath2 );
return Status;}
INT __cdecl main( int argc, char *argv[] ){ if( argc < 2 || argc > 3 ) { fprintf( stderr, "USAGE: %s [-d] <LogFile> \n\t -d : debug info\n", argv[0] ); } else { int i = 1; if ( argc == 3 && !strcmp( argv[i], "-d" ) ) { i++; ReadLogData(TRUE, argv[i] ); } else { ReadLogData(FALSE, argv[i] ); } }
return 0;}
|
