|
|
/*****************************************************************************\
Copyright (c) Microsoft Corporation. All rights reserved.
\*****************************************************************************/
#include <assert.h>
#include <windows.h>
#include <string.h>
#include <tchar.h>
#include <stdio.h>
#include <stdlib.h>
#include <pdh.h>
#include <pdhp.h>
#include <ntsecapi.h>
#include <shlwapi.h>
#include <shlwapip.h>
#include "plogman.h"
PDH_FUNCTIONPlaiReadRegistryPlaTime ( HKEY hKey, LPCWSTR cwszValueName, PPLA_TIME_INFO pstiData){ DWORD dwStatus = ERROR_SUCCESS; DWORD dwType = 0; DWORD dwBufferSize = 0; PLA_TIME_INFO slqLocal;
memset (&slqLocal, 0, sizeof(PLA_TIME_INFO));
dwStatus = RegQueryValueExW ( hKey, cwszValueName, NULL, &dwType, NULL, &dwBufferSize );
if ( ERROR_SUCCESS == dwStatus ) { if ( (dwBufferSize == sizeof(PLA_TIME_INFO)) && ( REG_BINARY == dwType ) ) { // then there's something to read
dwType = 0; dwStatus = RegQueryValueExW ( hKey, cwszValueName, NULL, &dwType, (LPBYTE)&slqLocal, &dwBufferSize); } else { // nothing to read
dwStatus = ERROR_NO_DATA; } }
if ( ERROR_SUCCESS == dwStatus ) { *pstiData = slqLocal; }
return PlaiErrorToPdhStatus( dwStatus );}
PDH_FUNCTIONPlaiWriteRegistryPlaTime ( HKEY hKey, LPCWSTR cwszValueName, PPLA_TIME_INFO pstiData){ DWORD dwStatus = ERROR_SUCCESS; DWORD dwValue = sizeof(PLA_TIME_INFO);
dwStatus = RegSetValueExW ( hKey, cwszValueName, 0L, REG_BINARY, (CONST BYTE *)pstiData, dwValue);
return PlaiErrorToPdhStatus( dwStatus );}
PDH_FUNCTIONPlaiReadRegistryDwordValue ( HKEY hKey, LPCWSTR cwszValueName, LPDWORD pdwValue){ DWORD dwStatus = ERROR_SUCCESS; DWORD dwValue = sizeof(DWORD); DWORD dwType = 0; DWORD dwBufferSize = 0;
dwStatus = RegQueryValueExW ( hKey, cwszValueName, NULL, &dwType, NULL, &dwBufferSize );
if ( ERROR_SUCCESS == dwStatus ) { if ( ( dwBufferSize == sizeof(DWORD) ) && ( ( REG_DWORD == dwType ) || ( REG_BINARY == dwType ) ) ) { // then there's something to read
dwType = 0; dwStatus = RegQueryValueExW ( hKey, cwszValueName, NULL, &dwType, (LPBYTE)&dwValue, &dwBufferSize); } else { // nothing to read
dwStatus = ERROR_NO_DATA; } } // else hr has error.
if ( ERROR_SUCCESS == dwStatus ) { *pdwValue = dwValue; }
return PlaiErrorToPdhStatus( dwStatus );}
PDH_FUNCTIONPlaiWriteRegistryDwordValue ( HKEY hKey, LPCWSTR cwszValueName, LPDWORD pdwValue){ DWORD dwType = REG_DWORD; DWORD dwStatus = ERROR_SUCCESS; DWORD dwValue = sizeof(DWORD);
dwStatus = RegSetValueExW ( hKey, cwszValueName, 0L, dwType, (CONST BYTE *)pdwValue, dwValue);
return PlaiErrorToPdhStatus( dwStatus );}
PDH_FUNCTIONPlaiReadRegistryStringValue( HKEY hKey, LPCWSTR strKey, DWORD dwFlags, LPWSTR* pszBuffer, DWORD* dwBufLen ){ DWORD dwStatus = ERROR_SUCCESS; DWORD dwDataType; DWORD dwDataSize = 0; LPWSTR pBuffer; dwStatus = RegQueryValueExW( hKey, strKey, NULL, &dwDataType, (LPBYTE)NULL, (LPDWORD)&dwDataSize );
if( (dwFlags & READ_REG_MUI) ){ if( dwDataSize < 1024 ){ dwDataSize = 1024; } dwStatus = ERROR_SUCCESS; }
if( ERROR_SUCCESS == dwStatus ){
pBuffer = *pszBuffer;
if( pBuffer == NULL || dwDataSize > G_SIZE(pBuffer) ){ if( pBuffer != NULL ){ pBuffer = (LPWSTR)G_REALLOC( pBuffer, dwDataSize ); }else{ pBuffer = (LPWSTR)G_ALLOC( dwDataSize ); }
if( pBuffer ){ *pszBuffer = pBuffer; }else{ G_FREE( (*pszBuffer) ); return ERROR_OUTOFMEMORY; } } if( dwFlags & READ_REG_MUI ){ WCHAR strKeyIndirect[1024]; wsprintf( strKeyIndirect, L"%s Indirect", strKey );
dwStatus = SHLoadRegUIStringW ( hKey, strKeyIndirect, *pszBuffer, dwDataSize );
if( ERROR_SUCCESS == dwStatus ){ *dwBufLen = (DWORD)((char*)&(*pszBuffer)[wcslen(*pszBuffer)] - (char*)&(*pszBuffer)[0]); *dwBufLen += sizeof(WCHAR); }else{ *dwBufLen = 0; }
} if( !(dwFlags & READ_REG_MUI) || ((dwFlags & READ_REG_MUI) && ERROR_SUCCESS != dwStatus) ){ dwStatus = RegQueryValueExW( hKey, strKey, NULL, &dwDataType, (LPBYTE)*pszBuffer, (LPDWORD)&dwDataSize ); if( dwStatus == ERROR_SUCCESS ){ *dwBufLen = dwDataSize; }else{ *dwBufLen = 0; } } }
return PlaiErrorToPdhStatus( dwStatus );}
PDH_FUNCTIONPlaiWriteRegistryStringValue ( HKEY hKey, LPCWSTR cwszValueName, DWORD dwType, LPCWSTR pszBuffer, DWORD cbBufferLength){ // writes the contents of pszBuffer to szValue under hKey
DWORD dwStatus = ERROR_SUCCESS; CONST BYTE *pLclBuffer;
if ( NULL == pszBuffer ) { // substitute an empty string
pLclBuffer = (CONST BYTE *)L"\0"; cbBufferLength = sizeof(WCHAR); } else { // use args passed in
pLclBuffer = (CONST BYTE *)pszBuffer; if( cbBufferLength == 0 ){ cbBufferLength = BYTE_SIZE( pszBuffer ) + (DWORD)sizeof(UNICODE_NULL); } }
dwStatus = RegSetValueExW (hKey, cwszValueName, 0L, dwType, (CONST BYTE *)pLclBuffer, cbBufferLength );
return PlaiErrorToPdhStatus( dwStatus );}
PDH_FUNCTIONPlaiWriteRegistryLastModified( HKEY hkeyQuery ){ DWORD dwStatus = ERROR_SUCCESS;
PLA_TIME_INFO plqLastModified; SYSTEMTIME stLocalTime; FILETIME ftModified;
RegFlushKey( hkeyQuery );
dwStatus = RegQueryInfoKey ( hkeyQuery, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, &ftModified );
if( ERROR_SUCCESS != dwStatus ) { GetLocalTime (&stLocalTime); SystemTimeToFileTime (&stLocalTime, &ftModified); }
plqLastModified.wDataType = PLA_TT_DTYPE_DATETIME; plqLastModified.wTimeType = PLA_TT_TTYPE_LAST_MODIFIED; plqLastModified.dwAutoMode = PLA_AUTO_MODE_NONE; plqLastModified.llDateTime = *(LONGLONG *)&ftModified;
if( ERROR_SUCCESS == dwStatus ){ return PlaiWriteRegistryPlaTime ( hkeyQuery, L"Last Modified", &plqLastModified ); }
return PlaiErrorToPdhStatus( dwStatus );}
DWORD PlaiCreateQuery( HKEY hkeyMachine, HKEY& rhkeyLogQueries ){ DWORD dwStatus = ERROR_SUCCESS; HKEY hkeySysmonLog; DWORD dwDisposition; rhkeyLogQueries = NULL;
dwStatus = RegOpenKeyExW ( hkeyMachine, L"System\\CurrentControlSet\\Services\\SysmonLog", 0, KEY_READ | KEY_WRITE, &hkeySysmonLog); if ( ERROR_SUCCESS == dwStatus ) { // Create registry subkey for Log Queries
dwStatus = RegCreateKeyExW ( hkeySysmonLog, L"Log Queries", 0, NULL, REG_OPTION_NON_VOLATILE, KEY_READ | KEY_WRITE, NULL, &rhkeyLogQueries, &dwDisposition); }
return dwStatus;}
PDH_FUNCTIONPdhiPlaGetVersion( LPCWSTR strComputer, PPLA_VERSION pVersion ){ DWORD dwStatus = ERROR_SUCCESS; HKEY hkeyMachine = HKEY_LOCAL_MACHINE; HKEY hkeyQuery = NULL; DWORD cbBufferSize = 0; DWORD dwType; WCHAR szRegValue[MAX_PATH]; PLA_VERSION version;
ZeroMemory( &version, sizeof(PLA_VERSION) );
if ( NULL != strComputer ) { if ( wcslen( strComputer) ) {
dwStatus = RegConnectRegistryW ( strComputer, HKEY_LOCAL_MACHINE, &hkeyMachine ); } }
if ( ERROR_SUCCESS == dwStatus ) {
dwStatus = RegOpenKeyExW ( hkeyMachine, L"Software\\Microsoft\\Windows NT\\CurrentVersion", 0, KEY_READ, &hkeyQuery );
if( ERROR_SUCCESS == dwStatus ){ dwStatus = RegQueryValueExW ( hkeyQuery, L"CurrentVersion", NULL, &dwType, NULL, &cbBufferSize );
if( ERROR_SUCCESS == dwStatus ) { if( (MAX_PATH*sizeof(WCHAR) > cbBufferSize ) && (sizeof(WCHAR) < cbBufferSize) && (REG_SZ == dwType ) ) { ZeroMemory ( szRegValue, MAX_PATH );
dwStatus = RegQueryValueExW ( hkeyQuery, L"CurrentVersion", NULL, &dwType, (LPBYTE)szRegValue, &cbBufferSize );
if ( ERROR_SUCCESS == dwStatus ) { version.dwMajorVersion = _wtol ( szRegValue ); } } } }
if( ERROR_SUCCESS == dwStatus ){ dwStatus = RegQueryValueExW ( hkeyQuery, L"CurrentBuildNumber", NULL, &dwType, NULL, &cbBufferSize );
if( ERROR_SUCCESS == dwStatus ) { if( (MAX_PATH*sizeof(WCHAR) > cbBufferSize ) && (sizeof(WCHAR) < cbBufferSize) && (REG_SZ == dwType ) ) { ZeroMemory ( szRegValue, MAX_PATH );
dwStatus = RegQueryValueExW ( hkeyQuery, L"CurrentBuildNumber", NULL, &dwType, (LPBYTE)szRegValue, &cbBufferSize );
if ( ERROR_SUCCESS == dwStatus ) { version.dwBuild = _wtol ( szRegValue ); } } } } }
memcpy( pVersion, &version, sizeof(PLA_VERSION) ); if ( NULL != hkeyMachine ) { RegCloseKey ( hkeyMachine ); } if( NULL != hkeyQuery ){ RegCloseKey( hkeyQuery ); }
return PlaiErrorToPdhStatus( dwStatus );}
PDH_FUNCTIONPlaiConnectToRegistry( LPCWSTR strComputer, HKEY& rhkeyLogQueries, BOOL bQueries, BOOL bWrite){ DWORD dwStatus = ERROR_SUCCESS; HKEY hkeyMachine = HKEY_LOCAL_MACHINE;
if ( NULL != strComputer ) { if( wcslen( strComputer ) ){ dwStatus = RegConnectRegistryW ( strComputer, HKEY_LOCAL_MACHINE, &hkeyMachine ); } }
if ( ERROR_SUCCESS == dwStatus ) { if( bQueries ){ if ( bWrite ) { dwStatus = RegOpenKeyExW ( hkeyMachine, L"System\\CurrentControlSet\\Services\\SysmonLog\\Log Queries", 0, KEY_READ | KEY_WRITE, &rhkeyLogQueries ); }else{ dwStatus = RegOpenKeyExW ( hkeyMachine, L"System\\CurrentControlSet\\Services\\SysmonLog\\Log Queries", 0, KEY_READ, &rhkeyLogQueries ); } }else{ dwStatus = RegOpenKeyExW ( hkeyMachine, L"System\\CurrentControlSet\\Services\\SysmonLog", 0, KEY_READ, &rhkeyLogQueries ); }
if ( ERROR_SUCCESS != dwStatus ) { dwStatus = PlaiCreateQuery( hkeyMachine, rhkeyLogQueries ); } } if ( NULL != hkeyMachine ) { RegCloseKey ( hkeyMachine ); }
return PlaiErrorToPdhStatus( dwStatus );}
PDH_FUNCTIONPlaiConnectAndLockQuery ( LPCWSTR strComputer, LPCWSTR strQuery, HKEY& rhkeyQuery, BOOL bWrite ){ DWORD dwStatus = ERROR_SUCCESS; PDH_STATUS pdhStatus = ERROR_SUCCESS; HKEY hkeyQuery = NULL; HKEY hkeyLogQueries = NULL;
rhkeyQuery = NULL; dwStatus = WAIT_FOR_AND_LOCK_MUTEX(hPdhPlaMutex); if( ERROR_SUCCESS == dwStatus || WAIT_ABANDONED == dwStatus ){
pdhStatus = PlaiConnectToRegistry ( strComputer, hkeyLogQueries, TRUE, bWrite );
if( ERROR_SUCCESS == pdhStatus ){ DWORD nCollections = 0; DWORD nMaxSubKeyLength = 0;
dwStatus = RegQueryInfoKey( hkeyLogQueries, NULL, NULL, NULL, &nCollections, &nMaxSubKeyLength, NULL, NULL, NULL, NULL, NULL, NULL );
if( ERROR_SUCCESS == dwStatus ){ LPWSTR strCollection; LPWSTR strQueryName = NULL; DWORD dwQueryName = 0;
DWORD dwSize = (sizeof(WCHAR)*(nMaxSubKeyLength+1));
strCollection = (LPWSTR)G_ALLOC( dwSize );
if( strCollection ){
dwStatus = ERROR_FILE_NOT_FOUND; for( ULONG i = 0; i<nCollections; i++ ){ dwStatus = RegEnumKey( hkeyLogQueries, i, strCollection, dwSize ); if( ERROR_SUCCESS == dwStatus ) {
dwStatus = RegOpenKeyExW ( hkeyLogQueries, strCollection, 0, bWrite ? KEY_READ | KEY_WRITE : KEY_READ, &hkeyQuery );
if( ERROR_SUCCESS == dwStatus ){ if( !_wcsicmp( strCollection, strQuery ) ){ break; }
PlaiReadRegistryStringValue( hkeyQuery, szCollection, READ_REG_MUI, &strQueryName, &dwQueryName ); if( strQueryName != NULL && !_wcsicmp( strQueryName, strQuery ) ){ break; } dwStatus = ERROR_FILE_NOT_FOUND; if ( NULL != hkeyQuery ) { RegCloseKey ( hkeyQuery ); } } } }
G_FREE( strQueryName ); G_FREE( strCollection );
}else{ dwStatus = ERROR_OUTOFMEMORY; } } }
RegCloseKey ( hkeyLogQueries );
if( ERROR_SUCCESS != dwStatus || ERROR_SUCCESS != pdhStatus){ RELEASE_MUTEX( hPdhPlaMutex ); }else{ rhkeyQuery = hkeyQuery; } }
if( ERROR_SUCCESS != pdhStatus ){ return pdhStatus; }else{ return PlaiErrorToPdhStatus( dwStatus ); }}
|
