Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

177 lines
5.8 KiB

  1. #include "stdafx.h"
  2. // #include "winbase.h"
  3. #define MAX_INSERT_STRS 5
  4. TCHAR *aszTSEventSources[] = { _T("TermService"), _T("TermDD"), _T("TermServDevices") };
  5. BOOL ExtractEvents();
  6. BOOL ExtractAllTSEvents()
  7. {
  8. cout << endl;
  9. return ExtractEvents ();
  10. }
  11. BOOL ExtractEvents ()
  12. {
  13. USES_CONVERSION;
  14. BOOL bFoundEvents = FALSE;
  15. HANDLE hEventLog = OpenEventLog(NULL, _T("System"));
  16. if (hEventLog)
  17. {
  18. const DWORD dwBytesToRead = 1024*10;
  19. char *pBuff = new char[dwBytesToRead];
  20. if (pBuff)
  21. {
  22. DWORD dwBytesRead, dwBytesNeeded;
  23. while (ReadEventLog(hEventLog,
  24. EVENTLOG_BACKWARDS_READ | EVENTLOG_SEQUENTIAL_READ,
  25. 0,
  26. PVOID(pBuff),
  27. dwBytesToRead,
  28. &dwBytesRead,
  29. &dwBytesNeeded))
  30. {
  31. if (dwBytesRead == 0)
  32. break;
  33. for (PEVENTLOGRECORD pEventLogRecord = ( PEVENTLOGRECORD ) pBuff;
  34. PCHAR(pEventLogRecord) + pEventLogRecord->Length < pBuff + dwBytesRead;
  35. pEventLogRecord = (EVENTLOGRECORD *)(PCHAR(pEventLogRecord) + pEventLogRecord->Length)
  36. )
  37. {
  38. LPCTSTR szSource = LPCTSTR(PBYTE(pEventLogRecord) + sizeof(EVENTLOGRECORD));
  39. //
  40. // check if event source is among interesting ones.
  41. //
  42. LPCTSTR szEventSource = NULL;
  43. for (int i = 0; i < (sizeof(aszTSEventSources) / sizeof(aszTSEventSources[0])); i++)
  44. {
  45. if (_tcsicmp(szSource, aszTSEventSources[i]) == 0)
  46. szEventSource = aszTSEventSources[i];
  47. }
  48. if (!szEventSource)
  49. continue;
  50. //
  51. // prepare the array of insert strings for FormatMessage - the
  52. // insert strings are in the log entry.
  53. //
  54. char *aInsertStrings[MAX_INSERT_STRS];
  55. char *p = (char *) ((LPBYTE) pEventLogRecord + pEventLogRecord->StringOffset);
  56. for (i = 0; i < pEventLogRecord->NumStrings && i < MAX_INSERT_STRS; i++)
  57. {
  58. aInsertStrings[i] = p;
  59. p += strlen(p) + 1; // point to next string
  60. }
  61. //
  62. // Get the binaries to look message in from registry.
  63. //
  64. TCHAR szSourceKey[1024];
  65. _tcscpy(szSourceKey, _T("SYSTEM\\CurrentControlSet\\Services\\EventLog\\System\\"));
  66. _tcscat(szSourceKey, szEventSource);
  67. CRegistry oReg;
  68. TCHAR szSourcePath[MAX_PATH];
  69. if (oReg.OpenKey(HKEY_LOCAL_MACHINE, szSourceKey, KEY_READ) == ERROR_SUCCESS)
  70. {
  71. LPTSTR str;
  72. DWORD dwSize;
  73. if (ERROR_SUCCESS == oReg.ReadRegString(_T("EventMessageFile"), &str, &dwSize))
  74. {
  75. ExpandEnvironmentStrings(str, szSourcePath, MAX_PATH);
  76. }
  77. else
  78. {
  79. cout << " Error Reading Registry (" << T2A(szSourceKey) << ")/(EventMessageFiles)" << endl;
  80. continue;
  81. }
  82. }
  83. else
  84. {
  85. cout << " Error Reading Registry (" << T2A(szSourceKey) << endl;
  86. continue;
  87. }
  88. //
  89. // Binary String in registry could contain multipal binaries seperated by ;
  90. //
  91. TCHAR *szModule;
  92. szModule = _tcstok(szSourcePath, _T(";"));
  93. //
  94. // for each binary found
  95. //
  96. DWORD dwBytesTransfered = 0;
  97. do
  98. {
  99. HINSTANCE hModule = LoadLibrary(szModule);
  100. TCHAR szMessage[1024];
  101. dwBytesTransfered = FormatMessage(
  102. FORMAT_MESSAGE_FROM_HMODULE |
  103. FORMAT_MESSAGE_ARGUMENT_ARRAY,
  104. hModule,
  105. pEventLogRecord->EventID,
  106. 0,
  107. szMessage,
  108. 1024,
  109. (va_list *)aInsertStrings);
  110. if (dwBytesTransfered)
  111. {
  112. bFoundEvents = TRUE;
  113. TCHAR szTimeString[512];
  114. time_t timeGenerated = pEventLogRecord->TimeGenerated;
  115. _tcsftime(szTimeString, 512, _T("%c"), localtime( (const time_t *)&timeGenerated ));
  116. cout << " " << T2A(szTimeString) << ": ( " << T2A(szEventSource) << " ) : " << T2A(szMessage);
  117. }
  118. else
  119. {
  120. cout << " FormatMessage Failed. lasterror = " << GetLastError() << endl;
  121. }
  122. szModule = _tcstok(NULL, _T(";"));
  123. }
  124. while (!dwBytesTransfered && szModule);
  125. }
  126. }
  127. }
  128. }
  129. else
  130. {
  131. cout << " Failed to Open Event log." << endl;
  132. return FALSE;
  133. }
  134. return bFoundEvents;
  135. }