|
|
/////////////////////////////////////////////////////////////////////////////
//
// Copyright: Microsoft Corp. 1997-1999. All rights reserved
//
/////////////////////////////////////////////////////////////////////////////
// Event.cpp : Implementation of CEvent
#include "stdafx.h"
#include "Evntutl.h"
#include "Event.h"
/////////////////////////////////////////////////////////////////////////////
// CEvent
STDMETHODIMP CEvent::InterfaceSupportsErrorInfo(REFIID riid){ static const IID* arr[] = { &IID_IEvent }; for (int i=0; i < sizeof(arr) / sizeof(arr[0]); i++) { if (InlineIsEqualGUID(*arr[i],riid)) return S_OK; } return S_FALSE;}
/*
Function: get_Server Inputs: empty BSTR Outputs: BSTR containing the Description for the Event (calculated) Purpose: Allows user to access the description for an Event*/STDMETHODIMP CEvent::get_Description(BSTR *pVal){ HRESULT hr = S_OK; unsigned int i;
if (pVal) { if (m_Description.length() == 0) { hr = CheckDefaultDescription(m_ppArgList); if (SUCCEEDED(hr)) *pVal = m_Description.copy();
if (m_ppArgList) { // delete the ArgList
for (i=0;i<m_NumberOfStrings;i++) delete [] m_ppArgList[i]; delete []m_ppArgList; m_ppArgList = NULL; } } } else hr = E_POINTER;
return hr;}
/*
Function: get_Source Inputs: empty BSTR Outputs: BSTR containing the name of the component which caused the Event Purpose: Allows user to access the name of the component which caused the Event*/STDMETHODIMP CEvent::get_Source(BSTR *pVal){ HRESULT hr = S_OK;
if (pVal) *pVal = m_SourceName.copy(); else hr = E_POINTER;
return hr;}
/*
Function: get_User Inputs: empty BSTR Outputs: BSTR containing the name and domain of the user who caused the Event Purpose: Allows user to access the name and domain of the user who caused the Event Notes: The first time this function is called, it will do a SID lookup*/STDMETHODIMP CEvent::get_User(BSTR *pVal){ HRESULT hr = S_OK;
if (pVal) { if (m_UserName.length() == 0) { SetUser(); } *pVal = m_UserName.copy(); } else hr = E_POINTER;
return hr;}
/*
Function: get_ComputerName Inputs: empty BSTR Outputs: BSTR containing the name of the server on which the Event occured Purpose: Allows user to access the name of the the server on which the Event occured*/STDMETHODIMP CEvent::get_ComputerName(BSTR *pVal){ HRESULT hr = S_OK;
if (pVal) *pVal = m_ComputerName.copy(); else hr = E_POINTER;
return hr;}
/*
Function: get_EventID Inputs: empty long Outputs: long containing the ID of the Event Purpose: Allows user to access the ID which can be used to lookup a message for the event Notes: Since description is provided, this function is not very useful, however, it is provided for completeness*/STDMETHODIMP CEvent::get_EventID(long *pVal){ HRESULT hr = S_OK;// m_EventID = m_EventID & 0xFFFF; // The EventLog viewer uses this mask before displaying ID's
if (pVal) *pVal = m_EventID; else hr = E_POINTER;
return hr;}
/*
Function: get_Category Inputs: empty long Outputs: long containing the category ID for the event Purpose: Allows user to access the category ID for the event*/STDMETHODIMP CEvent::get_Category(long *pVal){ HRESULT hr = S_OK;
if (pVal) *pVal = m_EventCategory; else hr = E_POINTER;
return hr;}
/*
Function: get_EventType Inputs: empty enumeration Outputs: enumeration containing the type of event that occured Purpose: Allows user to access the type of event that occured*/STDMETHODIMP CEvent::get_EventType(eEventType *pVal){ HRESULT hr = S_OK;
if (pVal) *pVal = m_EventType; else hr = E_POINTER;
return hr;}
/*
Function: get_OccurenceTime Inputs: empty DATE structure Outputs: DATE structure containing the local system time when the event occured Purpose: Allows user to access the time when the event occured*/STDMETHODIMP CEvent::get_OccurrenceTime(DATE *pVal){ HRESULT hr = S_OK;
if (pVal) *pVal = m_OccurrenceTime; else hr = E_POINTER;
return hr;}
/*
Function: get_Data Inputs: empty variant Outputs: variant containing an array of bytes Purpose: Allows user to access the data set by the event. This may or may not be set, and is frequently not useful*/STDMETHODIMP CEvent::get_Data(VARIANT *pVal){ HRESULT hr = S_OK;
if (pVal) { pVal->vt = VT_ARRAY | VT_UI1; pVal->parray = m_pDataArray; } else hr = E_POINTER;
return hr;}
/*
Function: Init Inputs: pointer to an EVENTLOGRECORD structure Outputs: does not modify input Purpose: fill Event object properties which do not require loading external libs*/HRESULT CEvent::Init(EVENTLOGRECORD* pEventStructure, const LPCTSTR szEventLogName){ HRESULT hr = S_OK; m_EventLogName = szEventLogName; hr = ParseEventBlob(pEventStructure);
return hr;}
/*
Function: ParseEventBlob Inputs: pointer to an EVENTLOGRECORD structure Outputs: does not modify input Purpose: Parse an EVENTLOGRECORD and set the appropriate internal structures of Event*/HRESULT CEvent::ParseEventBlob(EVENTLOGRECORD* pEventStructure){ HRESULT hr = S_OK; wchar_t* wTempString; BYTE* pSourceName; BYTE* pComputerName; SAFEARRAYBOUND rgsabound[1]; ULONG StringsToRetrieve = 0, CharsRead = 0, i = 0; long Index[1]; BYTE pTemp;
m_EventID = pEventStructure->EventID; m_EventCategory = pEventStructure->EventCategory;
switch (pEventStructure->EventType) { case EVENTLOG_ERROR_TYPE: m_EventType = ErrorEvent; break; case EVENTLOG_WARNING_TYPE: m_EventType = WarningEvent; break; case EVENTLOG_INFORMATION_TYPE: m_EventType = InformationEvent; break; case EVENTLOG_AUDIT_SUCCESS: m_EventType = AuditSuccess; break; case EVENTLOG_AUDIT_FAILURE: m_EventType = AuditFailure; break; default: hr = E_FAIL; }
// parse strings from the memory blob
// Set source name
pSourceName = (BYTE*) &(pEventStructure->DataOffset) + sizeof(pEventStructure->DataOffset); wTempString = (wchar_t*)pSourceName; m_SourceName = wTempString; // Set computer name
pComputerName = (BYTE*)pSourceName + ((wcslen(wTempString)+1) * sizeof(wchar_t)); wTempString = (wchar_t*)pComputerName; m_ComputerName = wTempString;
// Set SID
if ((pEventStructure->StringOffset - pEventStructure->UserSidOffset) != 0) { m_pSid = new BYTE[pEventStructure->UserSidLength]; // scope = CEvent, deleted in ~CEvent() or SetSID() whichever comes first
if (m_pSid != NULL) { for (i = 0; i<pEventStructure->UserSidLength; i++) m_pSid[i] = (BYTE)(*((BYTE*)pEventStructure + pEventStructure->UserSidOffset + i * sizeof(BYTE))); } }
// Set Occurence time
// this code is copied from MSDN
FILETIME FileTime, LocalFileTime; SYSTEMTIME SysTime; __int64 lgTemp; __int64 SecsTo1970 = 116444736000000000;
lgTemp = Int32x32To64(pEventStructure->TimeGenerated,10000000) + SecsTo1970;
FileTime.dwLowDateTime = (DWORD) lgTemp; FileTime.dwHighDateTime = (DWORD)(lgTemp >> 32);
FileTimeToLocalFileTime(&FileTime, &LocalFileTime); FileTimeToSystemTime(&LocalFileTime, &SysTime); if(!SystemTimeToVariantTime(&SysTime, &m_OccurrenceTime)) hr = GetLastError();
// Set Data (create and fill a SafeArray)
if (pEventStructure->DataLength>0) { rgsabound[0].lLbound = 0; rgsabound[0].cElements = pEventStructure->DataLength; m_pDataArray = SafeArrayCreate(VT_UI1, 1, rgsabound);
for (i=0;i<pEventStructure->DataLength;i++) { Index[0] = i; pTemp = (BYTE) (pEventStructure->DataOffset + i * sizeof(BYTE)); hr = SafeArrayPutElement(m_pDataArray, Index, &pTemp); if (FAILED(hr)) i = pEventStructure->DataLength; } }
// Set the description
m_Description = ""; if (m_SourceName.length() != 0) { // prepare the ArgList
m_NumberOfStrings = pEventStructure->NumStrings; m_ppArgList = new wchar_t*[m_NumberOfStrings]; // scope = CEvent, deleted when ~CEvent or get_Description is called whichever is first
for (i=0;i<m_NumberOfStrings;i++) m_ppArgList[i] = new wchar_t[(pEventStructure->DataOffset - pEventStructure->StringOffset)]; // can't be larger than the length of all the strings we got
for (i=0;i<m_NumberOfStrings;i++) { wTempString = (wchar_t*) (((BYTE*)(pEventStructure)) + pEventStructure->StringOffset + CharsRead * sizeof(wchar_t)); wcscpy(m_ppArgList[i], wTempString); CharsRead = CharsRead + wcslen(wTempString) + 1; // + 1 for the null
} } else // if there is no module to load a default description, just put all the string args in the description
{ StringsToRetrieve = pEventStructure->NumStrings; while (StringsToRetrieve > 0) { wTempString = (wchar_t*) (((BYTE*)(pEventStructure)) + pEventStructure->StringOffset + CharsRead * sizeof(wchar_t)); m_Description = m_Description + " " + wTempString; CharsRead = CharsRead + wcslen(wTempString) + 1; // + 1 for the null
StringsToRetrieve--; } }
return hr;}
/*
Function: CheckDefaultDescription Inputs: pointer pointer to a wide character Outputs: does not modify input Purpose: format a message from an EventID, set of input strings, and a source module*/HRESULT CEvent::CheckDefaultDescription(wchar_t** Arguments){ HRESULT hr = S_OK; BYTE* wMessagePath = NULL; ULONG BufferSize = 40000; ULONG* lPathLength = NULL; wchar_t* wOrigionalPath = NULL; wchar_t* wExpandedPath = NULL; wchar_t* pBuffer = NULL; _bstr_t btRegKey; _bstr_t btTempString; HMODULE hiLib; HKEY hKey; try{ lPathLength = new ULONG; if (lPathLength) { *lPathLength = 256*2; wMessagePath = new BYTE[*lPathLength]; if (wMessagePath) { // get registry value for Source module path
btRegKey = "SYSTEM\\CurrentControlSet\\Services\\Eventlog\\" + m_EventLogName; btRegKey = btRegKey + "\\"; btRegKey = btRegKey + m_SourceName; hr = RegOpenKey(HKEY_LOCAL_MACHINE, btRegKey, &hKey); if (hKey) { hr = RegQueryValueEx(hKey, L"EventMessageFile", NULL, NULL, wMessagePath, lPathLength); if (hr == 0) { wOrigionalPath = (wchar_t*) wMessagePath; wExpandedPath = new wchar_t[(int)*lPathLength]; if (wExpandedPath) { ExpandEnvironmentStrings(wOrigionalPath, wExpandedPath, *lPathLength); btTempString = wExpandedPath;
// open the Source module
hiLib = LoadLibraryEx(btTempString, NULL, LOAD_LIBRARY_AS_DATAFILE); hr = GetLastError(); if (hiLib) { pBuffer = new wchar_t[BufferSize]; if (pBuffer) { SetLastError(0); FormatMessage(FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ARGUMENT_ARRAY, hiLib, m_EventID, 0, pBuffer, BufferSize, reinterpret_cast<va_list*>(Arguments)); hr = HRESULT_FROM_WIN32(GetLastError()); m_Description = m_Description + pBuffer;
delete []pBuffer; pBuffer = NULL; } else hr = E_OUTOFMEMORY;
FreeLibrary(hiLib); } delete [] wExpandedPath; wExpandedPath = NULL; } else hr = E_OUTOFMEMORY; } else hr = HRESULT_FROM_WIN32(hr);
RegCloseKey(hKey); } else hr = HRESULT_FROM_WIN32(hr);
delete []wMessagePath; wMessagePath = NULL; } else hr = E_OUTOFMEMORY;
delete lPathLength; lPathLength = NULL; } else hr = E_OUTOFMEMORY;
} catch(...){ if (lPathLength != NULL) { delete lPathLength; } if (wMessagePath != NULL) { delete []wMessagePath; } if (wExpandedPath != NULL) { delete [] wExpandedPath; } if (pBuffer != NULL) { delete []pBuffer; } }
return hr;}
/*
Function: SetUser Inputs: none Outputs: HRESULT indicating what error if any occured Purpose: finds alias and domain for a given SID*/HRESULT CEvent::SetUser(){ HRESULT hr = S_OK; SID_NAME_USE SidNameUse; wchar_t* wUserName; wchar_t* wDomainName; SID* pSid; unsigned long UserNameLength = 256;
// Set user name and sid
if (m_pSid !=NULL) { pSid = (SID*)m_pSid; wUserName = new wchar_t[UserNameLength]; if (wUserName) { wDomainName = new wchar_t[UserNameLength]; if (wDomainName) { m_UserName = ""; if (LookupAccountSid(NULL, pSid, wUserName, &UserNameLength, wDomainName, &UserNameLength, &SidNameUse)) m_UserName = m_UserName + wDomainName + L"\\" + wUserName; else hr = HRESULT_FROM_WIN32(GetLastError()); delete []wDomainName; } else hr = E_OUTOFMEMORY; delete []wUserName; } else hr = E_OUTOFMEMORY; delete []m_pSid; m_pSid = NULL; }
return hr;}
|
