Source code of Windows XP (NT5)


  1. //+---------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 1999-2001.
  5. //
  6. // File: GetSREvent.cxx
  7. //
  8. // Contents: Gets SR related system events
  9. //
  10. // Classes: n/a
  11. //
  12. // Coupling:
  13. //
  14. // Notes:
  15. //
  16. // History: 20-04-2001 weiyouc Created
  17. //
  18. //----------------------------------------------------------------------------
  19. //--------------------------------------------------------------------------
  20. // Headers
  21. //--------------------------------------------------------------------------
  22. #include "SrHeader.hxx"
  //--------------------------------------------------------------------------
  // Defines
  //--------------------------------------------------------------------------

  // Size, in bytes, of the stack buffer GetSREvents hands to ReadEventLog.
  #define MAX_BUF_SIZE            1000

  // Event sources whose records are dumped; GetSREvents compares the record's
  // source name against these case-insensitively.
  #define SR_SERVICE_SRC          TEXT("SrService")
  #define SR_FILTER_SRC           TEXT("sr")

  // DumpSREventMsg subtracts SR_SERVICE_EVENTID_BASE from the low 16 bits of
  // EventID to index g_szSrServiceEventMsg; SR_FILTER_EVENTID_BASE is the one
  // ID it reports as a filter event.
  #define SR_SERVICE_EVENTID_BASE 0x00000067
  #define SR_FILTER_EVENTID_BASE  0x00000001

  //--------------------------------------------------------------------------
  // Function prototypes
  //--------------------------------------------------------------------------
  HRESULT DumpSREvent(LPTSTR ptszLog, EVENTLOGRECORD* pEvent);
  HRESULT DumpSREventMsg(FILE* fpLog, EVENTLOGRECORD* pEvent);
  LPCTSTR GetSrEventStr(WORD wEventType);

  //--------------------------------------------------------------------------
  // Some global variables
  //--------------------------------------------------------------------------

  // Display names for event types. GetSrEventStr picks the slot; slot 0 is
  // what it returns for any type it does not recognise.
  LPCTSTR g_tszEventType[] =
  {
      TEXT("UNKNOWN_EVENT"),              // [0]
      TEXT("EVENTLOG_ERROR_TYPE"),        // [1]
      TEXT("EVENTLOG_WARNING_TYPE"),      // [2]
      TEXT("EVENTLOG_INFORMATION_TYPE"),  // [3]
      TEXT("EVENTLOG_AUDIT_SUCCESS"),     // [4]
      TEXT("EVENTLOG_AUDIT_FAILURE")      // [5]
  };

  // Message text for SrService events, indexed by
  // (EventID & 0xFFFF) - SR_SERVICE_EVENTID_BASE.
  //
  // DumpSREventMsg passes an entry to fprintf as the FORMAT string, so:
  //   - every entry must stay a trusted literal (never text taken from a
  //     record), and
  //   - the caller has to supply one wide-string argument per %S; entries
  //     here use zero, one or two of them, and
  //   - the index has to be range-checked against this table's 14 entries
  //     before it is used.
  LPCSTR g_szSrServiceEventMsg[] =
  {
      // 0x67
      "The System Restore control handler could not be installed.",
      // 0x68
      "The System Restore initialization process failed.",
      // 0x69
      "The System Restore service received an unsupported request.",
      // 0x6A
      "The System Restore service was started.",
      // 0x6B -- two %S conversions
      "The System Restore service has been suspended because there is not "
      "enough disk space available on the drive %S. System Restore will "
      "automatically resume service once at least %S MB of free disk space "
      "is available on the system drive.",
      // 0x6C
      "The System Restore service has resumed monitoring due to space freed "
      "on the system drive.",
      // 0x6D
      "The System Restore service was stopped.",
      // 0x6E
      "A restoration to \"%S\" restore point occurred successfully.",
      // 0x6F
      "A restoration to \"%S\" restore point failed. "
      "No changes have been made to the system.",
      // 0x70
      "A restoration to \"%S\" restore point was incomplete due to an "
      "improper shutdown.",
      // 0x71
      "System Restore monitoring was enabled on drive %S.",
      // 0x72
      "System Restore monitoring was disabled on drive %S.",
      // 0x73
      "System Restore monitoring was enabled on all drives.",
      // 0x74
      "System Restore monitoring was disabled on all drives.",
  };
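  //+---------------------------------------------------------------------------
  //
  // Function: GetSREvents
  //
  // Synopsis: Reads the local "System" event log from the newest record to
  //           the oldest and hands every record whose source is
  //           SR_SERVICE_SRC or SR_FILTER_SRC to DumpSREvent.
  //
  // Arguments: ptszLogFile -- name of the log file DumpSREvent appends to
  //
  // Returns: S_OK once the end of the event log is reached; a failure
  //          HRESULT if the log cannot be opened or read, a record fails
  //          the sanity checks below, or DumpSREvent fails.
  //
  // History: 20-04-2001 weiyouc Created
  //
  // Notes: Record fields are treated as untrusted input. A record whose
  //        Length is smaller than the fixed header, larger than the bytes
  //        actually returned, or whose source name is not NUL-terminated
  //        inside the record stops the walk with ERROR_INVALID_DATA instead
  //        of letting the pointer arithmetic run past the buffer.
  //
  //        A record larger than MAX_BUF_SIZE makes ReadEventLog fail with
  //        ERROR_INSUFFICIENT_BUFFER; the buffer is then grown to the size
  //        the API asks for so that older records are not silently skipped.
  //
  //----------------------------------------------------------------------------
  HRESULT GetSREvents(LPTSTR ptszLogFile)
  {
      // All locals are declared before the first DH_* macro or goto so that
      // no jump to ErrReturn crosses an initialization.
      HRESULT         hr            = S_OK;
      HANDLE          hEventLog     = NULL;
      EVENTLOGRECORD* pelrEvent     = NULL;
      LPBYTE          pbBuf         = NULL;     // buffer currently in use
      LPBYTE          pbHeapBuf     = NULL;     // heap buffer, if we had to grow
      DWORD           cbBuf         = MAX_BUF_SIZE;
      DWORD           dwBytesRead   = 0;
      DWORD           dwBytesNeeded = 0;
      DWORD           dwErr         = ERROR_SUCCESS;
      DWORD           cchSrcMax     = 0;
      DWORD           cchSrc        = 0;
      LPTSTR          ptszSrcName   = NULL;
      BYTE            bEventBuf[MAX_BUF_SIZE];

      DH_VDATEPTRIN(ptszLogFile, TCHAR);

      hEventLog = OpenEventLog(NULL, TEXT("System"));
      DH_ABORTIF(NULL == hEventLog,
                 HRESULT_FROM_WIN32(GetLastError()),
                 TEXT("OpenEventLog"));

      pbBuf = bEventBuf;

      for (;;)
      {
          ZeroMemory(pbBuf, cbBuf);

          if (!ReadEventLog(hEventLog,
                            EVENTLOG_BACKWARDS_READ | EVENTLOG_SEQUENTIAL_READ,
                            0,
                            pbBuf,
                            cbBuf,
                            &dwBytesRead,
                            &dwBytesNeeded))
          {
              dwErr = GetLastError();

              if (ERROR_HANDLE_EOF == dwErr)
              {
                  // Normal termination: no more records.
                  break;
              }

              if ((ERROR_INSUFFICIENT_BUFFER == dwErr) &&
                  (dwBytesNeeded > cbBuf))
              {
                  // The next record does not fit; retry with the size the
                  // API reported rather than ending the enumeration.
                  if (NULL != pbHeapBuf)
                  {
                      HeapFree(GetProcessHeap(), 0, pbHeapBuf);
                      pbHeapBuf = NULL;
                  }

                  pbHeapBuf = (LPBYTE) HeapAlloc(GetProcessHeap(),
                                                 0,
                                                 dwBytesNeeded);
                  if (NULL == pbHeapBuf)
                  {
                      hr = E_OUTOFMEMORY;
                      goto ErrReturn;
                  }

                  pbBuf = pbHeapBuf;
                  cbBuf = dwBytesNeeded;
                  continue;
              }

              // Any other failure is a real read error; report it instead
              // of returning S_OK for a partially read log.
              hr = HRESULT_FROM_WIN32(dwErr);
              goto ErrReturn;
          }

          //
          // Several records may be packed into one buffer; unpack them.
          //
          pelrEvent = (EVENTLOGRECORD*) pbBuf;

          while (dwBytesRead > 0)
          {
              // Length drives both the pointer advance and the unsigned
              // subtraction below, so it must cover at least the fixed
              // header and must not exceed what is left in the buffer.
              if ((dwBytesRead < sizeof(EVENTLOGRECORD)) ||
                  (pelrEvent->Length < sizeof(EVENTLOGRECORD)) ||
                  (pelrEvent->Length > dwBytesRead))
              {
                  hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA);
                  goto ErrReturn;
              }

              // The source name follows the fixed header. Make sure its
              // terminator lies inside this record before comparing it.
              ptszSrcName = (LPTSTR)((LPBYTE) pelrEvent + sizeof(EVENTLOGRECORD));
              cchSrcMax   = (DWORD)((pelrEvent->Length - sizeof(EVENTLOGRECORD))
                                    / sizeof(TCHAR));

              for (cchSrc = 0; cchSrc < cchSrcMax; cchSrc++)
              {
                  if (TEXT('\0') == ptszSrcName[cchSrc])
                  {
                      break;
                  }
              }

              if (cchSrc == cchSrcMax)
              {
                  hr = HRESULT_FROM_WIN32(ERROR_INVALID_DATA);
                  goto ErrReturn;
              }

              //
              // Dump the record if it comes from a source we care about.
              //
              if ((0 == _tcsicmp(ptszSrcName, SR_SERVICE_SRC)) ||
                  (0 == _tcsicmp(ptszSrcName, SR_FILTER_SRC)))
              {
                  hr = DumpSREvent(ptszLogFile, pelrEvent);
                  DH_HRCHECK_ABORT(hr, TEXT("DumpSREvent"));
              }

              dwBytesRead -= pelrEvent->Length;
              pelrEvent = (EVENTLOGRECORD*)((LPBYTE) pelrEvent + pelrEvent->Length);
          }
      }

  ErrReturn:
      if (NULL != hEventLog)
      {
          CloseEventLog(hEventLog);
      }

      if (NULL != pbHeapBuf)
      {
          HeapFree(GetProcessHeap(), 0, pbHeapBuf);
      }

      return hr;
  }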
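  //+---------------------------------------------------------------------------
  //
  // Function: DumpSREvent
  //
  // Synopsis: Appends one SR-related event record to the log file: source,
  //           record number, event ID, event type, message text and the
  //           local time the event was generated.
  //
  // Arguments: ptszLog -- log file name; opened in append mode and closed
  //                       again on every call
  //            pEvent  -- pointer to a system event record
  //
  // Returns: S_OK on success, E_FAIL if the log file cannot be opened, or
  //          the failure returned by DumpSREventMsg.
  //
  // History: 20-04-2001 weiyouc Created
  //
  // Notes: The source name is read from directly behind the fixed record
  //        header and is printed until its NUL terminator; this function
  //        does not bound that read, so the caller must have validated the
  //        record.
  //
  //        The "%S" conversions receive LPTSTR arguments. With the
  //        Microsoft CRT, %S in the narrow fprintf takes a wide string, so
  //        this presumably expects a UNICODE build -- confirm.
  //
  //----------------------------------------------------------------------------
  HRESULT DumpSREvent(LPTSTR ptszLog,
                      EVENTLOGRECORD* pEvent)
  {
      HRESULT    hr           = S_OK;
      FILE*      fpLog        = NULL;
      WORD       wEventType   = 0;
      __int64    llTemp       = 0;
      // Offset between the FILETIME epoch (1601) and the Unix epoch (1970),
      // expressed in FILETIME's 100-nanosecond units.
      __int64    llSecsTo1970 = 116444736000000000;
      BOOL       fTimeOK      = FALSE;
      FILETIME   FileTime;
      FILETIME   LocalFileTime;
      SYSTEMTIME SysTime;

      DH_VDATEPTRIN(ptszLog, TCHAR);
      DH_VDATEPTRIN(pEvent, EVENTLOGRECORD);

      fpLog = _tfopen(ptszLog, TEXT("a"));
      DH_ABORTIF(NULL == fpLog,
                 E_FAIL,
                 TEXT("_tfopen"));

      //
      // Dump the event source
      //
      fprintf(fpLog,
              "Event Source: %S \n",
              (LPTSTR)((LPBYTE) pEvent + sizeof(EVENTLOGRECORD)));

      //
      // Dump the event number
      //
      fprintf(fpLog, "Event Number: %u \n", pEvent->RecordNumber);

      //
      // Dump the event ID (low 16 bits only)
      //
      fprintf(fpLog, "Event ID: %x \n", (0xFFFF & pEvent->EventID));

      //
      // Dump the event type; values outside the known range are skipped
      //
      wEventType = pEvent->EventType;
      if ((wEventType >= EVENTLOG_ERROR_TYPE) &&
          (wEventType <= EVENTLOG_AUDIT_FAILURE))
      {
          fprintf(fpLog,
                  "Event Type: %S \n",
                  GetSrEventStr(wEventType));
      }

      //
      // Now dump the event message
      //
      hr = DumpSREventMsg(fpLog, pEvent);
      DH_HRCHECK_ABORT(hr, TEXT("DumpSREventMsg"));

      //
      // Dump the event time.
      //
      // TimeGenerated is an unsigned count of seconds since 1970, so the
      // widening multiply must be unsigned as well; the signed
      // Int32x32To64 would turn values with the top bit set into a
      // negative offset.
      //
      llTemp = (__int64) UInt32x32To64(pEvent->TimeGenerated, 10000000)
               + llSecsTo1970;
      FileTime.dwLowDateTime  = (DWORD) llTemp;
      FileTime.dwHighDateTime = (DWORD)(llTemp >> 32);

      // Only print SysTime when both conversions succeeded; otherwise it
      // would be read uninitialized.
      fTimeOK = FileTimeToLocalFileTime(&FileTime, &LocalFileTime) &&
                FileTimeToSystemTime(&LocalFileTime, &SysTime);

      if (fTimeOK)
      {
          fprintf(fpLog,
                  "Time Generated: %02d/%02d/%02d %02d:%02d:%02d\n",
                  SysTime.wMonth,
                  SysTime.wDay,
                  SysTime.wYear,
                  SysTime.wHour,
                  SysTime.wMinute,
                  SysTime.wSecond);
      }
      else
      {
          fprintf(fpLog, "Time Generated: <unavailable>\n");
      }

      //
      // Finally we put an extra line break
      //
      fprintf(fpLog, "\n");

  ErrReturn:
      if (NULL != fpLog)
      {
          fclose(fpLog);
      }

      return hr;
  }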
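  //+---------------------------------------------------------------------------
  //
  // Function: DumpSREventMsg
  //
  // Synopsis: Writes the "Message: ..." line for an SR-related event.
  //
  // Arguments: fpLog  -- file pointer to the log file
  //            pEvent -- pointer to a system event record
  //
  // Returns: HRESULT (always S_OK once the arguments pass validation)
  //
  // History: 20-04-2001 weiyouc Created
  //
  // Notes: The event ID and the insertion strings come from the record and
  //        are treated as untrusted:
  //
  //        - The ID is range-checked before it indexes
  //          g_szSrServiceEventMsg. Without the check, any SrService/sr
  //          record with an ID outside the table selects an out-of-bounds
  //          pointer that fprintf would then use as its format string.
  //
  //        - Table entries contain up to two %S conversions, so two
  //          arguments are always supplied. Insertion strings the record
  //          does not provide, or that are not NUL-terminated inside
  //          pEvent->Length, are replaced by an empty string.
  //
  //        pEvent->Length itself is trusted here; the caller is expected to
  //        have checked it against the buffer the record lives in.
  //
  //        %S receives LPTSTR arguments, as in the original code; with the
  //        Microsoft CRT that presumably means a UNICODE build -- confirm.
  //
  //----------------------------------------------------------------------------
  HRESULT DumpSREventMsg(FILE* fpLog,
                         EVENTLOGRECORD* pEvent)
  {
      HRESULT hr         = S_OK;
      DWORD   dwEventID  = 0;
      DWORD   dwMsgIndex = 0;
      DWORD   cMsgs      = (DWORD)(sizeof(g_szSrServiceEventMsg) /
                                   sizeof(g_szSrServiceEventMsg[0]));
      DWORD   cbOffset   = 0;
      DWORD   cchMax     = 0;
      DWORD   cch        = 0;
      DWORD   i          = 0;
      LPCTSTR ptszCur    = NULL;
      LPCTSTR rgptszInsert[2] = { TEXT(""), TEXT("") };

      DH_VDATEPTRIN(fpLog, FILE);
      DH_VDATEPTRIN(pEvent, EVENTLOGRECORD);

      fprintf(fpLog, "Message: ");

      dwEventID = 0xFFFF & pEvent->EventID;

      if (dwEventID == SR_FILTER_EVENTID_BASE)
      {
          //
          // Filter type event
          //
          fprintf(fpLog, "SR filter has encountered a volume error");
      }
      else if ((dwEventID < SR_SERVICE_EVENTID_BASE) ||
               ((dwEventID - SR_SERVICE_EVENTID_BASE) >= cMsgs))
      {
          //
          // No text for this ID: say so instead of indexing past the table.
          //
          fprintf(fpLog, "Unrecognized SR event ID 0x%lx", dwEventID);
      }
      else
      {
          dwMsgIndex = dwEventID - SR_SERVICE_EVENTID_BASE;

          //
          // Collect up to two insertion strings, each verified to end
          // inside the record.
          //
          cbOffset = pEvent->StringOffset;
          for (i = 0; (i < 2) && (i < pEvent->NumStrings); i++)
          {
              if (cbOffset >= pEvent->Length)
              {
                  break;
              }

              ptszCur = (LPCTSTR)((LPBYTE) pEvent + cbOffset);
              cchMax  = (DWORD)((pEvent->Length - cbOffset) / sizeof(TCHAR));

              for (cch = 0; cch < cchMax; cch++)
              {
                  if (TEXT('\0') == ptszCur[cch])
                  {
                      break;
                  }
              }

              if (cch == cchMax)
              {
                  // Unterminated: leave this and later slots empty.
                  break;
              }

              rgptszInsert[i] = ptszCur;
              cbOffset += (DWORD)((cch + 1) * sizeof(TCHAR));
          }

          // The format string is a literal from the table; record data is
          // only ever passed as an argument.
          fprintf(fpLog,
                  g_szSrServiceEventMsg[dwMsgIndex],
                  rgptszInsert[0],
                  rgptszInsert[1]);
      }

      fprintf(fpLog, "\n");

      return hr;
  }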
  //+---------------------------------------------------------------------------
  //
  // Function: GetSrEventStr
  //
  // Synopsis: Translate an event type to its display string
  //
  // Arguments: wEventType -- event type
  //
  // Returns: Pointer to the matching entry of g_tszEventType; entry 0
  //          ("UNKNOWN_EVENT") for any value that is not one of the five
  //          EVENTLOG_* types tested below.
  //
  // History: 20-04-2001 weiyouc Created
  //
  // Notes: The returned string belongs to the global table; the caller
  //        must not free it.
  //
  //----------------------------------------------------------------------------
  LPCTSTR GetSrEventStr(WORD wEventType)
  {
      // Each recognised type maps to a fixed slot of g_tszEventType.
      if (EVENTLOG_ERROR_TYPE == wEventType)
      {
          return g_tszEventType[1];
      }

      if (EVENTLOG_WARNING_TYPE == wEventType)
      {
          return g_tszEventType[2];
      }

      if (EVENTLOG_INFORMATION_TYPE == wEventType)
      {
          return g_tszEventType[3];
      }

      if (EVENTLOG_AUDIT_SUCCESS == wEventType)
      {
          return g_tszEventType[4];
      }

      if (EVENTLOG_AUDIT_FAILURE == wEventType)
      {
          return g_tszEventType[5];
      }

      // Anything else falls back to the "unknown" slot.
      return g_tszEventType[0];
  }