/*++

Copyright (c) 1990  Microsoft Corporation

Module Name:

    DATA.C

Abstract:

    This file contains all the global data elements of the eventlog service.

Author:

    Rajen Shah  (rajens)    10-Jul-1991

[Environment:]

    User Mode - Win32, except for NTSTATUS returned by some functions.

Revision History:

    10-Jul-1991     RajenS
        created

--*/
//
// INCLUDES
//
#include <eventp.h>
#include <elfcfg.h>
#if DBG

//
// Checked (DBG) builds only: the debug level starts out at DEBUG_ERROR so
// that errors are always written to the debugger.
//
DWORD ElfDebugLevel = DEBUG_ERROR;

#endif // DBG
//
// Handles used for the LPC port.
//
// Neither handle has an initializer, so both start out zeroed (file-scope
// storage); whatever opens the port must set them before they are used.
//
HANDLE ElfConnectionPortHandle;
HANDLE ElfCommunicationPortHandle;
//
// The heads of the service's linked lists, each declared together with the
// critical section used when accessing it.
//
// Nothing in this file initializes the list heads or the critical sections;
// that has to happen elsewhere before first use (a zeroed LIST_ENTRY is not
// a valid empty list).
//

// Log files
LIST_ENTRY              LogFilesHead;
RTL_CRITICAL_SECTION    LogFileCritSec;         // Accessing log files

// Modules registered for logging
LIST_ENTRY              LogModuleHead;
// NOTE(review): the original comment on this lock read "Accessing log files",
// which looks like a copy/paste slip -- presumably it guards LogModuleHead;
// confirm against the code that takes it.
RTL_CRITICAL_SECTION    LogModuleCritSec;       // Accessing log modules

// Context-handles for log handles
LIST_ENTRY              LogHandleListHead;
RTL_CRITICAL_SECTION    LogHandleCritSec;       // Accessing log handles

// Deferred events to write
LIST_ENTRY              QueuedEventListHead;
RTL_CRITICAL_SECTION    QueuedEventCritSec;     // Accessing the deferred events

// Deferred message boxes
LIST_ENTRY              QueuedMessageListHead;
RTL_CRITICAL_SECTION    QueuedMessageCritSec;   // Accessing the deferred message boxes
//
// Service-related global data
//

// Status handle for the service; it is only declared here and is assigned
// outside this file.
SERVICE_STATUS_HANDLE ElfServiceStatusHandle;
//
// Top-level lock of the Eventlog service. It keeps the threads that
// write/read/clear the log file(s) from stepping over the threads that
// monitor the registry and handle service control operations.
//
//   Shared access    - threads that operate on the log file(s). They are
//                      further serialized on the file they are working on.
//
//   Exclusive access - threads that modify the internal data structures or
//                      the state of the service, so that access to the data
//                      structures and log files can be controlled.
//
// The acquire/release calls are not in this file; this comment is the only
// statement of the locking rule here.
//
RTL_RESOURCE GlobalElfResource;
//
// Backup API state.
//
// ElfBackupPointer tells which 4K block of the log the Backup API is
// currently reading, so that a writer does not overwrite that block while
// it is being read. ElfBackupEvent lets a writer block if it was about to
// overwrite the current backup block; it gets pulsed when the backup thread
// moves on to the next block.
//
// NOTE(review): if "pulsed" means PulseEvent, a writer that is not already
// waiting at that instant misses the wake-up -- confirm the waiter re-checks
// ElfBackupPointer (or waits with a timeout) instead of relying on the pulse
// alone. How the pointer itself is synchronized is not visible in this file.
//
PVOID  ElfBackupPointer;
HANDLE ElfBackupEvent;
//
// Handles of the service's worker threads. None has an initializer, so each
// is zero until the corresponding thread is created elsewhere.
//

// LPC thread
HANDLE LPCThreadHandle;

// MessageBox thread
HANDLE MBThreadHandle;

// Registry monitor thread: handle and thread ID
HANDLE RegistryThreadHandle;
DWORD  RegistryThreadId;
//
// Bitmask recording what the service has allocated and/or started. When the
// service terminates, this is the list of things that need to be cleaned up.
// The individual bit values are defined outside this file.
//
ULONG EventFlags;       // Keep track of what is allocated
//
// Record used to indicate the end of the event records in the file.
//
// The initializer is positional (ten values): the record size first and
// last, four fixed pattern words after the leading size, FILEHEADERBUFSIZE
// twice, then 1 twice.
//
// NOTE(review): the ELF_EOF_RECORD declaration is not in this file. A
// positional initializer silently assigns values to the wrong members if the
// field order ever changes, so keep this list in step with the declaration.
// Presumably the fixed pattern words are what a reader uses to recognize the
// end-of-file record -- confirm before changing them.
//
ELF_EOF_RECORD EOFRecord = {
    ELFEOFRECORDSIZE,
    0x11111111, 0x22222222, 0x33333333, 0x44444444,
    FILEHEADERBUFSIZE, FILEHEADERBUFSIZE,
    1, 1,
    ELFEOFRECORDSIZE
};
//
// Well-known log modules. All three are pointers without an initializer,
// so they are NULL until the service sets them up elsewhere.
//

// Default module to use if no match is found, APPLICATION
PLOGMODULE ElfDefaultLogModule;

// Module for the eventlog service itself
PLOGMODULE ElfModule;

// Module for security
PLOGMODULE ElfSecModule;
//
// Registry key handles. Both are set up by the service main function.
//

// Handle (key) to the event log node in the registry.
HANDLE hEventLogNode;

// Handle (key) to the ComputerName node in the registry.
HANDLE hComputerNameNode;
//
// Used to create a unique module name for backup logs.
//
// Starts at zero (no initializer). Where it is advanced, and under which
// lock, is not visible in this file.
//
DWORD BackupModuleNumber;
//
// NT well-known SIDs (reached through this pointer, per the original
// comment; the PSVCS_GLOBAL_DATA layout is declared outside this file).
//
PSVCS_GLOBAL_DATA ElfGlobalData;

//
// Shutdown Flag
//
// NOTE(review): a plain BOOL with no initializer (so FALSE at start). Which
// threads read and write it, and with what synchronization, is not visible
// here -- confirm.
//
BOOL EventlogShutdown;

// No comment in the original; the purpose of this handle is not evident
// from this file.
HANDLE ElfGlobalSvcRefHandle;
//
// Title string of the "log full" message box.
//
// GlobalMessageBoxTitle points either to the default string or to the
// string allocated in the format Message function.
//
// bGlobalMessageBoxTitleNeedFree presumably records which of the two it is,
// so that only the allocated string is ever freed -- confirm against the
// code that sets and releases the title.
//
LPWSTR GlobalMessageBoxTitle;
BOOL   bGlobalMessageBoxTitleNeedFree = FALSE;
//SS:start of changes for clustering

// TRUE once the cluster service has registered for replication of events.
BOOL                    gbClustering = FALSE;

// For using the global glClPackedEventInfo structure (declared outside
// this file).
RTL_CRITICAL_SECTION    gClPropCritSec;

// Cluster DLL module handle and the entry points taken from it.
// NOTE(review): all four start as NULL and are presumably filled in by a
// loader elsewhere -- confirm that the DLL is loaded from a fully qualified
// path and that each pointer is checked for NULL before it is called.
HMODULE                 ghClusDll = NULL;
PROPAGATEEVENTSPROC     gpfnPropagateEvents = NULL;
BINDTOCLUSTERPROC       gpfnBindToCluster = NULL;
UNBINDFROMCLUSTERPROC   gpfnUnbindFromCluster = NULL;

// Cluster handle; NULL until set elsewhere.
HANDLE                  ghCluster = NULL;

//SS: end of changes for clustering
//
// Changes to support various auditing DCRs.
//

// Level at which the warning is to be given; 0 at start.
int giWarningLevel = 0;

// Initialized to 0; no comment in the original. The name suggests the
// service's own handle for the security log -- confirm against its users.
IELF_HANDLE gElfSecurityHandle = 0;
//
// While the registry is being read during an update, a key may be only
// partially written because of a race condition. When a read attempt fails,
// the read is retried after a delay. This variable is intended to prevent
// multiple delays.
//
// NOTE(review): if this holds a tick count that wraps, elapsed time has to
// be computed by unsigned subtraction rather than by comparing two counts
// directly -- confirm in the code that uses it.
//
DWORD g_dwLastDelayTickCount = 0;