mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1485 lines
41 KiB
1485 lines
41 KiB
/*++
|
|
|
|
Copyright (c) 1990 Microsoft Corporation
|
|
|
|
Module Name:
|
|
|
|
CONFIG.C
|
|
|
|
Abstract:
|
|
|
|
This file contains the routines that walk the configuration registry.
|
|
|
|
Author:
|
|
|
|
Rajen Shah (rajens) 1-Jul-1991
|
|
|
|
|
|
Revision History:
|
|
|
|
29-Aug-1994 Danl
|
|
We no longer grow log files in place. Therefore, the MaxSize value
|
|
in the registery ends up being advisory only. We don't try to reserve
|
|
that much memory at init time. So it could happen that when we need
|
|
a larger file size that we may not have enough memory to allocate
|
|
MaxSize bytes.
|
|
28-Mar-1994 Danl
|
|
ReadRegistryInfo: LogFileInfo->LogFileName wasn't getting updated
|
|
when using the default (generated) LogFileName.
|
|
16-Mar-1994 Danl
|
|
Fixed Memory Leaks in ReadRegistryInfo(). Call to
|
|
RtlDosPathNameToNtPathName allocates memory that wasn't being free'd.
|
|
03-Mar-1995 MarkBl
|
|
Added GuestAccessRestriction flag initialization in ReadRegistryInfo.
|
|
|
|
--*/
|
|
|
|
//
|
|
// INCLUDES
|
|
//
|
|
|
|
#include <eventp.h>
|
|
#include <elfcfg.h>
|
|
#include <stdlib.h>
|
|
#include <malloc.h>
|
|
#include <memory.h>
|
|
|
|
//
|
|
// STRUCTURES
|
|
//
|
|
|
|
//
|
|
// This structure contains all the information used to setup and
|
|
// for listening to registry changes in the eventlog tree.
|
|
//
|
|
typedef struct _REG_MONITOR_INFO
|
|
{
|
|
HANDLE NotifyEventHandle;
|
|
DWORD Timeout;
|
|
HANDLE WorkItemHandle;
|
|
HANDLE RegMonitorHandle;
|
|
}
|
|
REG_MONITOR_INFO, *LPREG_MONITOR_INFO;
|
|
|
|
|
|
//
|
|
// GLOBALS
|
|
//
|
|
|
|
//
|
|
// IMPORTANT: If NUM_KEYS_MONITORED is changed, be sure to update the initialization of GlRegMonitorInfo and
|
|
// the ElfAllEventsCleared macro accordingly.
|
|
//
|
|
#define NUM_KEYS_MONITORED 2
|
|
REG_MONITOR_INFO GlRegMonitorInfo[NUM_KEYS_MONITORED] = { {NULL, 0, NULL, NULL}, {NULL, 0, NULL, NULL} };
|
|
|
|
#define ElfAllEventsCleared() (GlRegMonitorInfo[0].NotifyEventHandle == NULL && \
|
|
GlRegMonitorInfo[1].NotifyEventHandle == NULL )
|
|
//
|
|
// LOCAL FUNCTIONS
|
|
//
|
|
VOID
|
|
ElfRegistryMonitor(
|
|
PVOID pParms,
|
|
BOOLEAN fWaitStatus
|
|
);
|
|
|
|
BOOL
|
|
ElfSetupMonitor(
|
|
LPREG_MONITOR_INFO pMonitorInfo
|
|
);
|
|
|
|
|
|
|
|
VOID
|
|
ProcessChange (
|
|
HANDLE hLogFile,
|
|
PUNICODE_STRING ModuleName,
|
|
PUNICODE_STRING LogFileName,
|
|
ULONG MaxSize,
|
|
ULONG Retention,
|
|
ULONG GuestAccessRestriction,
|
|
LOGPOPUP logpLogPopup,
|
|
DWORD dwAutoBackup
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine is called by ProcessRegistryChanges for each log file.
|
|
|
|
Arguments:
|
|
|
|
|
|
Return Value:
|
|
|
|
None
|
|
|
|
--*/
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
PLOGMODULE pModule;
|
|
PLOGFILE pLogFile;
|
|
ULONG Size;
|
|
PVOID BaseAddress;
|
|
PUNICODE_STRING pFileNameString;
|
|
LPWSTR FileName;
|
|
PVOID FreeAddress;
|
|
|
|
|
|
pModule = GetModuleStruc (ModuleName);
|
|
|
|
//
|
|
// If this module didn't exist, this was a brand new log file and
|
|
// we need to create all the structures
|
|
//
|
|
if (pModule == ElfDefaultLogModule &&
|
|
wcscmp(ModuleName->Buffer, ELF_DEFAULT_MODULE_NAME))
|
|
{
|
|
ELF_LOG1(MODULES,
|
|
"ProcessChange: %ws log doesn't exist -- creating\n",
|
|
ModuleName->Buffer);
|
|
|
|
Status = SetUpDataStruct(LogFileName,
|
|
MaxSize,
|
|
Retention,
|
|
GuestAccessRestriction,
|
|
ModuleName,
|
|
hLogFile,
|
|
ElfNormalLog,
|
|
logpLogPopup,
|
|
dwAutoBackup);
|
|
return;
|
|
}
|
|
|
|
//
|
|
// Update values
|
|
//
|
|
|
|
pLogFile = pModule->LogFile;
|
|
|
|
pLogFile->Retention = Retention;
|
|
pLogFile->logpLogPopup = logpLogPopup;
|
|
pLogFile->AutoBackupLogFiles = dwAutoBackup;
|
|
|
|
//
|
|
// Check to see if the name has changed. If it has, and the log
|
|
// hasn't been used yet, then use the new name. Be sure to free
|
|
// memory that was used for the old name.
|
|
//
|
|
if ((wcscmp(pLogFile->LogFileName->Buffer, LogFileName->Buffer) != 0)
|
|
&&
|
|
(pLogFile->BeginRecord == pLogFile->EndRecord))
|
|
{
|
|
pFileNameString = ElfpAllocateBuffer(sizeof(UNICODE_STRING)
|
|
+ LogFileName->MaximumLength);
|
|
|
|
if (pFileNameString != NULL)
|
|
{
|
|
FileName = (LPWSTR)(pFileNameString + 1);
|
|
wcscpy(FileName, LogFileName->Buffer);
|
|
RtlInitUnicodeString(pFileNameString, FileName);
|
|
|
|
ElfpFreeBuffer(pLogFile->LogFileName);
|
|
pLogFile->LogFileName = pFileNameString;
|
|
}
|
|
}
|
|
|
|
//
|
|
// The log file can only be grown dynamically. To shrink it,
|
|
// it has to be cleared.
|
|
//
|
|
if (pLogFile->ConfigMaxFileSize < ELFFILESIZE(MaxSize))
|
|
{
|
|
/*
|
|
Description of recent changes. Problem and Solution:
|
|
A couple of problems exist. (1) There is no error
|
|
checking if memory can't be allocated or mapped, and
|
|
therefore, no error paths exist for handling these
|
|
situations. (2) Now that the eventlog is in services.exe
|
|
there isn't a good way to synchronize memory allocations.
|
|
|
|
Solution:
|
|
I considered having some utility routines for managing
|
|
memory in the eventlog. These would attempt to
|
|
extend a reserved block, or get a new reserved block.
|
|
However, there are so many places where that could fail,
|
|
it seemed very cumbersome to support the reserved blocks.
|
|
So the current design only deals with mapped views.
|
|
The ConfigMaxFileSize is only used to limit the size of
|
|
the mapped view, and doesn't reserve anything. This
|
|
means you are not guaranteed to be operating with a file as
|
|
large as the MaxSize specified in the registry. But then,
|
|
you weren't guarenteed that it would even work with the
|
|
original design.
|
|
*/
|
|
|
|
ELF_LOG3(TRACE,
|
|
"ProcessChange: Growing %ws log from %x bytes to %x bytes\n",
|
|
ModuleName->Buffer,
|
|
pLogFile->ConfigMaxFileSize,
|
|
ELFFILESIZE(MaxSize));
|
|
|
|
pLogFile->ConfigMaxFileSize = ELFFILESIZE(MaxSize);
|
|
pLogFile->NextClearMaxFileSize = ELFFILESIZE(MaxSize);
|
|
}
|
|
else if (pLogFile->ConfigMaxFileSize > ELFFILESIZE(MaxSize))
|
|
{
|
|
//
|
|
// They're shrinking the size of the log file.
|
|
// Next time we clear the log file, we'll use the new size
|
|
// and new retention.
|
|
//
|
|
ELF_LOG3(TRACE,
|
|
"ProcessChange: Shrinking %ws log from %x bytes to %x bytes at next clear\n",
|
|
ModuleName->Buffer,
|
|
pLogFile->ConfigMaxFileSize,
|
|
ELFFILESIZE(MaxSize));
|
|
|
|
pLogFile->NextClearMaxFileSize = ELFFILESIZE(MaxSize);
|
|
}
|
|
|
|
//
|
|
// Now see if they've added any new modules for this log file
|
|
//
|
|
SetUpModules(hLogFile, pLogFile, TRUE);
|
|
|
|
return;
|
|
}
|
|
|
|
VOID
|
|
ProcessRegistryChanges (
|
|
VOID
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine processes that changes that have occurred in the
|
|
eventlog node. It does this by rescanning the whole Eventlog node
|
|
and then comparing with what it has as the current configuration.
|
|
|
|
Arguments:
|
|
|
|
NONE.
|
|
|
|
Return Value:
|
|
|
|
NONE
|
|
|
|
--*/
|
|
{
|
|
NTSTATUS Status;
|
|
HANDLE hLogFile;
|
|
UNICODE_STRING SubKeyName;
|
|
ULONG Index = 0;
|
|
BYTE Buffer[ELF_MAX_REG_KEY_INFO_SIZE];
|
|
PKEY_NODE_INFORMATION KeyBuffer = (PKEY_NODE_INFORMATION) Buffer;
|
|
ULONG ActualSize;
|
|
LOG_FILE_INFO LogFileInfo;
|
|
PWCHAR SubKeyString;
|
|
OBJECT_ATTRIBUTES ObjectAttributes;
|
|
PLOGMODULE pModule;
|
|
LOGPOPUP logpLogPopup;
|
|
|
|
#if DBG
|
|
|
|
ULONG ulActualSize;
|
|
|
|
#endif // DBG
|
|
|
|
|
|
ELF_LOG0(TRACE,
|
|
"ProcessRegistryChanges: Handling change in Eventlog service key\n");
|
|
|
|
//
|
|
// Take the global resource so that nobody is making changes or
|
|
// using the existing configured information.
|
|
//
|
|
|
|
GetGlobalResource (ELF_GLOBAL_SHARED);
|
|
|
|
|
|
#if DBG
|
|
|
|
//
|
|
// See if the Debug flag changed
|
|
//
|
|
|
|
RtlInitUnicodeString(&SubKeyName, VALUE_DEBUG);
|
|
|
|
Status = NtQueryValueKey(hEventLogNode,
|
|
&SubKeyName,
|
|
KeyValuePartialInformation,
|
|
KeyBuffer,
|
|
ELF_MAX_REG_KEY_INFO_SIZE,
|
|
&ulActualSize);
|
|
|
|
if (NT_SUCCESS(Status))
|
|
{
|
|
if (((PKEY_VALUE_PARTIAL_INFORMATION) KeyBuffer)->Type == REG_DWORD)
|
|
{
|
|
ElfDebugLevel = *(LPDWORD) (((PKEY_VALUE_PARTIAL_INFORMATION) KeyBuffer)->Data);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
ELF_LOG1(TRACE,
|
|
"ProcessRegistryChanges: NtQueryValueKey for ElfDebugLevel failed %#x\n",
|
|
Status);
|
|
}
|
|
|
|
ELF_LOG1(TRACE,
|
|
"ProcessRegistryChanges: New ElfDebugLevel is %#x\n",
|
|
ElfDebugLevel);
|
|
|
|
#endif // DBG
|
|
|
|
|
|
Status = STATUS_SUCCESS;
|
|
|
|
//
|
|
// Loop thru the subkeys under Eventlog and set up each logfile
|
|
//
|
|
|
|
while (NT_SUCCESS(Status))
|
|
{
|
|
Status = NtEnumerateKey(hEventLogNode,
|
|
Index++,
|
|
KeyNodeInformation,
|
|
KeyBuffer,
|
|
ELF_MAX_REG_KEY_INFO_SIZE,
|
|
&ActualSize);
|
|
|
|
if (NT_SUCCESS(Status))
|
|
{
|
|
//
|
|
// It turns out the Name isn't null terminated, so we need
|
|
// to copy it somewhere and null terminate it before we use it
|
|
//
|
|
SubKeyString = ElfpAllocateBuffer(KeyBuffer->NameLength + sizeof (WCHAR));
|
|
|
|
if (!SubKeyString)
|
|
{
|
|
//
|
|
// No one to notify, just give up till next time.
|
|
//
|
|
ELF_LOG0(ERROR,
|
|
"ProcessRegistryChanges: Unable to allocate subkey -- returning\n");
|
|
|
|
ReleaseGlobalResource();
|
|
return;
|
|
}
|
|
|
|
memcpy(SubKeyString, KeyBuffer->Name, KeyBuffer->NameLength);
|
|
SubKeyString[KeyBuffer->NameLength / sizeof(WCHAR)] = L'\0' ;
|
|
|
|
//
|
|
// Open the node for this logfile and extract the information
|
|
// required by SetupDataStruct, and then call it.
|
|
//
|
|
|
|
RtlInitUnicodeString(&SubKeyName, SubKeyString);
|
|
|
|
InitializeObjectAttributes(&ObjectAttributes,
|
|
&SubKeyName,
|
|
OBJ_CASE_INSENSITIVE,
|
|
hEventLogNode,
|
|
NULL
|
|
);
|
|
|
|
Status = NtOpenKey(&hLogFile,
|
|
KEY_READ | KEY_SET_VALUE,
|
|
&ObjectAttributes);
|
|
|
|
//
|
|
// Should always succeed since I just enum'ed it, but if it
|
|
// doesn't, just skip it
|
|
//
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
ELF_LOG2(ERROR,
|
|
"ProcessRegistryChanges: NtOpenKey for subkey %ws failed %#x\n",
|
|
SubKeyName,
|
|
Status);
|
|
|
|
ElfpFreeBuffer(SubKeyString);
|
|
Status = STATUS_SUCCESS; // to keep the enum going
|
|
continue;
|
|
}
|
|
|
|
//
|
|
// Get the updated information from the registry. Note that we
|
|
// have to initialize the "log full" popup policy before doing
|
|
// so since ReadRegistryInfo will compare the value found in the
|
|
// registry (if there is one) to the current value.
|
|
//
|
|
|
|
pModule = GetModuleStruc(&SubKeyName);
|
|
|
|
LogFileInfo.logpLogPopup = pModule->LogFile->logpLogPopup;
|
|
|
|
Status = ReadRegistryInfo(hLogFile,
|
|
&SubKeyName,
|
|
&LogFileInfo);
|
|
|
|
if (NT_SUCCESS(Status))
|
|
{
|
|
//
|
|
// Now process any changes for the log file.
|
|
// ProcessChange deals with any errors.
|
|
//
|
|
ProcessChange (
|
|
hLogFile,
|
|
&SubKeyName,
|
|
LogFileInfo.LogFileName,
|
|
LogFileInfo.MaxFileSize,
|
|
LogFileInfo.Retention,
|
|
LogFileInfo.GuestAccessRestriction,
|
|
LogFileInfo.logpLogPopup,
|
|
LogFileInfo.dwAutoBackup);
|
|
|
|
//
|
|
// Free the buffer that was allocated in ReadRegistryInfo.
|
|
//
|
|
ElfpFreeBuffer(LogFileInfo.LogFileName);
|
|
}
|
|
else
|
|
{
|
|
ELF_LOG2(ERROR,
|
|
"ProcessRegistryChanges: ReadRegistryInfo for subkey %ws failed %#x\n",
|
|
SubKeyString,
|
|
Status);
|
|
}
|
|
|
|
ElfpFreeBuffer(SubKeyString);
|
|
NtClose(hLogFile);
|
|
}
|
|
}
|
|
|
|
//
|
|
// Release the global resource.
|
|
//
|
|
ReleaseGlobalResource();
|
|
|
|
} // ProcessRegistryChanges
|
|
|
|
|
|
NTSTATUS
|
|
ElfCheckForComputerNameChange(
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine checks to determine if the computer name has changed. If
|
|
it has, then it generates an event.
|
|
Arguments:
|
|
|
|
NONE
|
|
|
|
Return Value:
|
|
|
|
NONE
|
|
|
|
--*/
|
|
{
|
|
LPWSTR Dates[2];
|
|
NTSTATUS Status;
|
|
UNICODE_STRING ValueName;
|
|
ULONG ulActualSize;
|
|
DWORD dwLen;
|
|
WCHAR wElfComputerName[MAX_COMPUTERNAME_LENGTH + 1];
|
|
WCHAR wComputerName[MAX_COMPUTERNAME_LENGTH + 1];
|
|
DWORD dwComputerNameLen = MAX_COMPUTERNAME_LENGTH + 1;
|
|
BYTE Buffer[ELF_MAX_REG_KEY_INFO_SIZE];
|
|
PKEY_VALUE_PARTIAL_INFORMATION ValueBuffer =
|
|
(PKEY_VALUE_PARTIAL_INFORMATION) Buffer;
|
|
|
|
RtlInitUnicodeString(&ValueName, VALUE_COMPUTERNAME);
|
|
|
|
// Read the name that the event log stored.
|
|
|
|
Status = NtQueryValueKey(hEventLogNode,
|
|
&ValueName,
|
|
KeyValuePartialInformation,
|
|
ValueBuffer,
|
|
ELF_MAX_REG_KEY_INFO_SIZE,
|
|
&ulActualSize);
|
|
if (!NT_SUCCESS(Status) || ValueBuffer->DataLength == 0)
|
|
{
|
|
ELF_LOG1(ERROR,
|
|
"ElfCheckForComputerNameChange: NtQueryValueKey for current name failed %#x\n",
|
|
Status);
|
|
return Status;
|
|
}
|
|
wcscpy(wElfComputerName, (WCHAR *)ValueBuffer->Data);
|
|
|
|
// Read the active name.
|
|
|
|
Status = NtQueryValueKey(hComputerNameNode,
|
|
&ValueName,
|
|
KeyValuePartialInformation,
|
|
ValueBuffer,
|
|
ELF_MAX_REG_KEY_INFO_SIZE,
|
|
&ulActualSize);
|
|
if (!NT_SUCCESS(Status) || ValueBuffer->DataLength == 0)
|
|
{
|
|
ELF_LOG1(ERROR,
|
|
"ElfCheckForComputerNameChange: NtQueryValueKey for active name failed %#x\n",
|
|
Status);
|
|
return Status;
|
|
}
|
|
wcscpy(wComputerName, (WCHAR *)ValueBuffer->Data);
|
|
|
|
// If the names are the same, just return STATUS_SUCCESS
|
|
|
|
if (!_wcsicmp(wElfComputerName, wComputerName))
|
|
return STATUS_SUCCESS;
|
|
|
|
Dates[0] = wElfComputerName;
|
|
Dates[1] = wComputerName;
|
|
ElfpCreateElfEvent(EVENT_ComputerNameChange,
|
|
EVENTLOG_INFORMATION_TYPE,
|
|
0, // EventCategory
|
|
2, // NumberOfStrings
|
|
Dates, // Strings
|
|
NULL, // Data
|
|
0, // Datalength
|
|
0,
|
|
FALSE); // flags
|
|
|
|
dwLen = sizeof(WCHAR) * (wcslen(wComputerName) + 1);
|
|
Status = NtSetValueKey(hEventLogNode,
|
|
&ValueName,
|
|
0,
|
|
REG_SZ,
|
|
wComputerName,
|
|
dwLen);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
ELF_LOG1(ERROR,
|
|
"ElfCheckForComputerNameChange: NtSetValueKey failed %#x\n",
|
|
Status);
|
|
|
|
return Status;
|
|
|
|
}
|
|
|
|
VOID
|
|
ElfRegistryMonitor (
|
|
PVOID pParms,
|
|
BOOLEAN fWaitStatus
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This is the entry point for the thread that will monitor changes in
|
|
the registry. If anything changes, it will have to scan the change
|
|
and then make the appropriate changes to the data structures in the
|
|
service to reflect the new information.
|
|
|
|
Arguments:
|
|
|
|
NONE
|
|
|
|
Return Value:
|
|
|
|
NONE
|
|
|
|
--*/
|
|
{
|
|
NTSTATUS ntStatus;
|
|
LPREG_MONITOR_INFO pMonitorInfo = (LPREG_MONITOR_INFO)pParms;
|
|
|
|
ELF_LOG0(TRACE,
|
|
"ElfRegistryMonitor: Registry monitor thread waking up\n");
|
|
|
|
//
|
|
// Deregister the work item (must be done even if the
|
|
// WT_EXECUTEONLYONCE flag is specified)
|
|
//
|
|
if (pMonitorInfo->WorkItemHandle != NULL)
|
|
{
|
|
ntStatus = RtlDeregisterWait(pMonitorInfo->WorkItemHandle);
|
|
pMonitorInfo->WorkItemHandle = NULL;
|
|
|
|
if (!NT_SUCCESS(ntStatus))
|
|
{
|
|
ELF_LOG1(ERROR,
|
|
"ElfRegistryMonitor: RtlDeregisterWorkItem failed %#x\n",
|
|
ntStatus);
|
|
}
|
|
}
|
|
|
|
if (GetElState() == STOPPING)
|
|
{
|
|
//
|
|
// If the eventlog is shutting down, then we need
|
|
// to terminate this thread.
|
|
//
|
|
ELF_LOG0(TRACE, "ElfRegistryMonitor: Shutdown\n");
|
|
|
|
//
|
|
// Close the registry handle and registry event handle.
|
|
//
|
|
if( pMonitorInfo->NotifyEventHandle != NULL )
|
|
{
|
|
NtClose( pMonitorInfo->NotifyEventHandle );
|
|
pMonitorInfo->NotifyEventHandle = NULL;
|
|
}
|
|
|
|
if( pMonitorInfo->RegMonitorHandle != NULL )
|
|
{
|
|
NtClose(pMonitorInfo->RegMonitorHandle);
|
|
pMonitorInfo->RegMonitorHandle = NULL;
|
|
}
|
|
|
|
//
|
|
// This thread will perform the final cleanup for the eventlog.
|
|
// Cleanup is not initiated until all events have been signaled
|
|
// and closed
|
|
//
|
|
if( ElfAllEventsCleared() )
|
|
{
|
|
ElfpCleanUp(EventFlags);
|
|
}
|
|
return;
|
|
}
|
|
|
|
if (fWaitStatus == TRUE)
|
|
{
|
|
ELF_LOG0(TRACE,
|
|
"ElfRegistryMonitor: Running because of a timeout -- running queued list\n");
|
|
|
|
//
|
|
// Timer popped, try running the list
|
|
//
|
|
if (!IsListEmpty(&QueuedEventListHead))
|
|
{
|
|
//
|
|
// There are things queued up to write, do it
|
|
//
|
|
WriteQueuedEvents();
|
|
}
|
|
|
|
//
|
|
// Don't wait again
|
|
//
|
|
pMonitorInfo->Timeout = INFINITE;
|
|
}
|
|
else
|
|
{
|
|
ELF_LOG0(TRACE,
|
|
"ElfRegistryMonitor: Running because of notification\n");
|
|
|
|
ProcessRegistryChanges ();
|
|
ElfCheckForComputerNameChange();
|
|
}
|
|
|
|
if (!ElfSetupMonitor(pMonitorInfo))
|
|
{
|
|
ELF_LOG0(ERROR,
|
|
"ElfRegistryMonitor: ElfSetupMonitor failed -- "
|
|
"no longer listening for reg changes\n");
|
|
}
|
|
|
|
ELF_LOG0(TRACE,
|
|
"ElfRegistryMonitor: Returning\n");
|
|
|
|
return;
|
|
|
|
} // ElfRegistryMonitor
|
|
|
|
VOID
|
|
InitNotify(
|
|
PVOID pData
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
|
|
Arguments:
|
|
|
|
|
|
Return Value:
|
|
|
|
|
|
--*/
|
|
{
|
|
NTSTATUS NtStatus = STATUS_SUCCESS;
|
|
DWORD status = NO_ERROR;
|
|
DWORD Buffer;
|
|
PVOID pBuffer = &Buffer;
|
|
LPREG_MONITOR_INFO pMonitorInfo;
|
|
|
|
static IO_STATUS_BLOCK IoStatusBlock;
|
|
|
|
ELF_LOG0(TRACE,
|
|
"InitNotify: Registering Eventlog key with NtNotifyChangeKey\n");
|
|
|
|
pMonitorInfo = (LPREG_MONITOR_INFO)pData;
|
|
|
|
NtStatus = NtNotifyChangeKey (
|
|
pMonitorInfo->RegMonitorHandle,
|
|
pMonitorInfo->NotifyEventHandle,
|
|
NULL,
|
|
NULL,
|
|
&IoStatusBlock,
|
|
REG_NOTIFY_CHANGE_LAST_SET |
|
|
REG_NOTIFY_CHANGE_NAME,
|
|
TRUE,
|
|
pBuffer,
|
|
1,
|
|
TRUE); // return and wait on event
|
|
|
|
if (!NT_SUCCESS(NtStatus))
|
|
{
|
|
ELF_LOG1(ERROR,
|
|
"InitNotify: NtNotifyChangeKey on Eventlog key failed %#x\n",
|
|
NtStatus);
|
|
|
|
status = RtlNtStatusToDosError(NtStatus);
|
|
}
|
|
|
|
ELF_LOG0( TRACE, "InitNotify: Returning\n" );
|
|
|
|
return;
|
|
|
|
} // InitNotify
|
|
|
|
BOOL
|
|
ElfSetupMonitor(
|
|
LPREG_MONITOR_INFO pMonitorInfo
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This function submits a request for a registry NotifyChangeKey
|
|
and then submits a work item to the service controller thread
|
|
management system to wait for the Notification handle to become
|
|
signaled.
|
|
|
|
Arguments:
|
|
|
|
pMonitorInfo - This is a pointer to a MONITOR_INFO structure. This
|
|
function fills in the WorkItemHandle member of that structure
|
|
if successfully adds a new work item.
|
|
|
|
Return Value:
|
|
|
|
TRUE - if successful in setting up.
|
|
FALSE - if unsuccessful. A work item hasn't been submitted, and
|
|
we won't be listening for registry changes.
|
|
|
|
--*/
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
|
|
//
|
|
// Call NtNotifyChange Key via the thread pool
|
|
// and make sure the thread that created the I/O
|
|
// request will always be around.
|
|
//
|
|
Status = RtlQueueWorkItem(InitNotify, // Callback
|
|
pMonitorInfo, // pContext
|
|
WT_EXECUTEONLYONCE |
|
|
WT_EXECUTEINPERSISTENTIOTHREAD);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
ELF_LOG1(ERROR,
|
|
"ElfSetupMonitor: RtlQueueWorkItem failed %#x\n",
|
|
Status);
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
// Add the work item that is to be called when the
|
|
// NotifyEventHandle is signalled.
|
|
//
|
|
|
|
Status = RtlRegisterWait(&pMonitorInfo->WorkItemHandle,
|
|
pMonitorInfo->NotifyEventHandle, // Waitable handle
|
|
ElfRegistryMonitor, // Callback
|
|
pMonitorInfo, // pContext
|
|
pMonitorInfo->Timeout, // Timeout
|
|
WT_EXECUTEONLYONCE |
|
|
WT_EXECUTEINPERSISTENTIOTHREAD);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
ELF_LOG1(ERROR,
|
|
"ElfSetupMonitor: RtlRegisterWait failed %#x\n",
|
|
Status);
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
return TRUE;
|
|
|
|
} // ElfSetupMonitor
|
|
|
|
BOOL
|
|
ElfStartRegistryMonitor()
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine starts up the thread that monitors changes in the registry.
|
|
|
|
This function calls ElfSetupMonitor() to register for the change
|
|
notification and to submit a work item to wait for the registry
|
|
change event to get signaled. When signalled, the ElfRegistryMonitor()
|
|
callback function is called by a thread from the services thread pool.
|
|
This callback function services the notification.
|
|
|
|
Arguments:
|
|
|
|
NONE
|
|
|
|
Return Value:
|
|
|
|
TRUE if thread creation succeeded, FALSE otherwise.
|
|
|
|
Note:
|
|
|
|
|
|
--*/
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
DWORD LoopCounter = 0;
|
|
BOOL ReturnStatus = TRUE;
|
|
DWORD LoopCount;
|
|
|
|
ELF_LOG0(TRACE, "ElfStartRegistryMonitor: Setting up registry change notification\n");
|
|
|
|
if (hEventLogNode == NULL)
|
|
{
|
|
ELF_LOG0(ERROR, "ElfStartRegistryMonitor: No Eventlog key -- exiting\n");
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
if (hComputerNameNode == NULL)
|
|
{
|
|
ELF_LOG0(ERROR,
|
|
"ElfStartRegistryMonitor: No ComputerName key -- exiting\n");
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
GlRegMonitorInfo[0].RegMonitorHandle = hEventLogNode;
|
|
GlRegMonitorInfo[1].RegMonitorHandle = hComputerNameNode;
|
|
|
|
//
|
|
// Create the events on which to wait
|
|
//
|
|
|
|
for( LoopCount = 0; LoopCount < NUM_KEYS_MONITORED; LoopCount++ )
|
|
{
|
|
|
|
Status = NtCreateEvent(&GlRegMonitorInfo[LoopCount].NotifyEventHandle,
|
|
EVENT_ALL_ACCESS,
|
|
NULL,
|
|
NotificationEvent,
|
|
FALSE);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
ELF_LOG1(ERROR, "ElfStartRegistryMonitor: NtCreateEvent failed %#x\n",
|
|
Status);
|
|
|
|
GlRegMonitorInfo[LoopCount].NotifyEventHandle = NULL;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
//
|
|
// Fill in the Monitor info structure with the event handle
|
|
// and a 5 minute timeout.
|
|
//
|
|
GlRegMonitorInfo[LoopCount].Timeout = 5 * 60 * 1000;
|
|
GlRegMonitorInfo[LoopCount].WorkItemHandle = NULL;
|
|
}
|
|
|
|
//
|
|
// Cleanup all events, its all or nothing
|
|
//
|
|
if(!NT_SUCCESS(Status))
|
|
{
|
|
for( LoopCount = 0; LoopCount < NUM_KEYS_MONITORED; LoopCount++ )
|
|
{
|
|
if( GlRegMonitorInfo[LoopCount].NotifyEventHandle != NULL )
|
|
{
|
|
NtClose( GlRegMonitorInfo[LoopCount].NotifyEventHandle );
|
|
GlRegMonitorInfo[LoopCount].NotifyEventHandle = NULL;
|
|
}
|
|
|
|
}
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
|
|
//
|
|
// Setup for the change notify and
|
|
// submit the work item to the eventlog threadpool.
|
|
//
|
|
for( LoopCount = 0; LoopCount < NUM_KEYS_MONITORED; LoopCount++ )
|
|
{
|
|
|
|
if (!ElfSetupMonitor(&GlRegMonitorInfo[LoopCount]))
|
|
{
|
|
ELF_LOG0(ERROR,
|
|
"ElfStartRegistryMonitor: ElfSetupMonitor failed -- exiting\n");
|
|
|
|
//
|
|
// Note that it's OK to close this handle as there's no way
|
|
// the handle was used for a registered wait at this point
|
|
// (since ElfSetupMonitor failed).
|
|
//
|
|
NtClose( GlRegMonitorInfo[LoopCount].NotifyEventHandle );
|
|
GlRegMonitorInfo[LoopCount].NotifyEventHandle = NULL;
|
|
|
|
return FALSE;
|
|
}
|
|
|
|
//
|
|
//Set this flag since we have at least one success
|
|
//If any startup fails, then this setting will ensure that all
|
|
// started monitors are shutdown
|
|
//
|
|
EventFlags |= ELF_STARTED_REGISTRY_MONITOR;
|
|
}
|
|
|
|
ELF_LOG0(TRACE, "ElfStartRegistryMonitor: Exiting after successful call\n");
|
|
|
|
return TRUE;
|
|
|
|
} // ElfStartRegistryMonitor
|
|
|
|
VOID
|
|
StopRegistryMonitor ()
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine wakes up the work item that has been submitted for the
|
|
purpose of monitoring registry eventlog changes. The thread created
|
|
to service that work item will actually do the clean-up of the monitor
|
|
thread.
|
|
|
|
|
|
Arguments:
|
|
|
|
NONE
|
|
|
|
Return Value:
|
|
|
|
NONE
|
|
|
|
--*/
|
|
|
|
{
|
|
DWORD LoopCount = 0;
|
|
|
|
ELF_LOG0(TRACE, "StopRegistryMonitor: Stopping registry monitor\n");
|
|
|
|
//
|
|
// Wake up the RegistryMonitorThread.
|
|
//
|
|
for( LoopCount = 0; LoopCount < NUM_KEYS_MONITORED; LoopCount++ )
|
|
{
|
|
if (GlRegMonitorInfo[LoopCount].NotifyEventHandle != NULL)
|
|
{
|
|
SetEvent(GlRegMonitorInfo[LoopCount].NotifyEventHandle);
|
|
}
|
|
}
|
|
|
|
return;
|
|
|
|
} // StopRegistryMonitor
|
|
|
|
|
|
NTSTATUS
|
|
ReadRegistryInfo (
|
|
HANDLE hLogFile,
|
|
PUNICODE_STRING SubKeyName,
|
|
PLOG_FILE_INFO LogFileInfo
|
|
)
|
|
|
|
/*++
|
|
|
|
Routine Description:
|
|
|
|
This routine reads in the information from the node pointed to by
|
|
hLogFile and stores it in the a structure so that the
|
|
necessary data structures can be set up for the service.
|
|
|
|
ALLOCATIONS: If successful, this function allocates memory for
|
|
LogFileInfo->LogFileName. It is the responsiblilty of the caller
|
|
to free this memory.
|
|
|
|
Arguments:
|
|
|
|
hLogFile - A handle to the Eventlog\<somelogfile> node in the registry
|
|
KeyName - The subkey for this logfile to open
|
|
LogFileInfo - The structure to fill in with the data
|
|
|
|
Return Value:
|
|
|
|
NTSTATUS
|
|
|
|
--*/
|
|
{
|
|
|
|
#define EXPAND_BUFFER_SIZE 64
|
|
|
|
NTSTATUS Status;
|
|
BOOLEAN RegistryCorrupt = FALSE;
|
|
BYTE Buffer[ELF_MAX_REG_KEY_INFO_SIZE];
|
|
ULONG ActualSize;
|
|
UNICODE_STRING ValueName;
|
|
UNICODE_STRING UnexpandedName;
|
|
UNICODE_STRING ExpandedName;
|
|
ULONG NumberOfBytes = 0;
|
|
BYTE ExpandNameBuffer[EXPAND_BUFFER_SIZE];
|
|
PUNICODE_STRING FileNameString;
|
|
LPWSTR FileName;
|
|
BOOL ExpandedBufferWasAllocated=FALSE;
|
|
PKEY_VALUE_FULL_INFORMATION ValueBuffer =
|
|
(PKEY_VALUE_FULL_INFORMATION) Buffer;
|
|
|
|
ASSERT(hLogFile != NULL);
|
|
|
|
ELF_LOG1(TRACE,
|
|
"ReadRegistryInfo: Reading information for %ws log\n",
|
|
SubKeyName->Buffer);
|
|
|
|
//
|
|
// MaxSize
|
|
//
|
|
RtlInitUnicodeString(&ValueName, VALUE_MAXSIZE);
|
|
|
|
Status = NtQueryValueKey(hLogFile,
|
|
&ValueName,
|
|
KeyValueFullInformation,
|
|
ValueBuffer,
|
|
ELF_MAX_REG_KEY_INFO_SIZE,
|
|
&ActualSize);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
ELF_LOG2(ERROR,
|
|
"ReadRegistryInfo: Can't read MaxSize value for %ws log %#x\n",
|
|
SubKeyName->Buffer,
|
|
Status);
|
|
|
|
LogFileInfo->MaxFileSize = ELF_DEFAULT_MAX_FILE_SIZE;
|
|
RegistryCorrupt = TRUE;
|
|
}
|
|
else
|
|
{
|
|
LogFileInfo->MaxFileSize = *((PULONG)(Buffer +
|
|
ValueBuffer->DataOffset));
|
|
|
|
ELF_LOG2(TRACE,
|
|
"ReadRegistryInfo: New MaxSize value for %ws log is %#x\n",
|
|
SubKeyName->Buffer,
|
|
LogFileInfo->MaxFileSize);
|
|
}
|
|
|
|
//
|
|
// Retention period
|
|
//
|
|
RtlInitUnicodeString(&ValueName, VALUE_RETENTION);
|
|
|
|
Status = NtQueryValueKey(hLogFile,
|
|
&ValueName,
|
|
KeyValueFullInformation,
|
|
ValueBuffer,
|
|
ELF_MAX_REG_KEY_INFO_SIZE,
|
|
&ActualSize);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
ELF_LOG2(ERROR,
|
|
"ReadRegistryInfo: Can't read Retention value for %ws log %#x\n",
|
|
SubKeyName->Buffer,
|
|
Status);
|
|
|
|
LogFileInfo->Retention = ELF_DEFAULT_RETENTION_PERIOD;
|
|
RegistryCorrupt = TRUE;
|
|
}
|
|
else
|
|
{
|
|
LogFileInfo->Retention = *((PULONG)(Buffer +
|
|
ValueBuffer->DataOffset));
|
|
|
|
ELF_LOG2(TRACE,
|
|
"ReadRegistryInfo: New Retention value for %ws log is %#x\n",
|
|
SubKeyName->Buffer,
|
|
LogFileInfo->Retention);
|
|
}
|
|
|
|
//
|
|
// RestrictGuestAccess
|
|
//
|
|
RtlInitUnicodeString(&ValueName, VALUE_RESTRICT_GUEST_ACCESS);
|
|
|
|
Status = NtQueryValueKey(hLogFile,
|
|
&ValueName,
|
|
KeyValueFullInformation,
|
|
ValueBuffer,
|
|
ELF_MAX_REG_KEY_INFO_SIZE,
|
|
&ActualSize);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
//
|
|
// TRACE rather than ERROR as this value is optional
|
|
//
|
|
ELF_LOG2(TRACE,
|
|
"ReadRegistryInfo: Can't read GuestAccessRestriction value for %ws log %#x\n",
|
|
SubKeyName->Buffer,
|
|
Status);
|
|
|
|
LogFileInfo->GuestAccessRestriction = ELF_GUEST_ACCESS_UNRESTRICTED;
|
|
}
|
|
else
|
|
{
|
|
if (*((PULONG)(Buffer + ValueBuffer->DataOffset)) == 1)
|
|
{
|
|
ELF_LOG1(TRACE,
|
|
"ReadRegistryInfo: Restricting Guest access to %ws log\n",
|
|
SubKeyName->Buffer);
|
|
|
|
LogFileInfo->GuestAccessRestriction = ELF_GUEST_ACCESS_RESTRICTED;
|
|
}
|
|
else
|
|
{
|
|
ELF_LOG1(TRACE,
|
|
"ReadRegistryInfo: NOT restricting Guest access to %ws log\n",
|
|
SubKeyName->Buffer);
|
|
|
|
LogFileInfo->GuestAccessRestriction = ELF_GUEST_ACCESS_UNRESTRICTED;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Autobackup value (optional!)
|
|
//
|
|
|
|
RtlInitUnicodeString(&ValueName, REGSTR_VAL_AUTOBACKUPLOGFILES);
|
|
|
|
Status = NtQueryValueKey(hLogFile,
|
|
&ValueName,
|
|
KeyValueFullInformation,
|
|
ValueBuffer,
|
|
ELF_MAX_REG_KEY_INFO_SIZE,
|
|
&ActualSize);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
//
|
|
// TRACE rather than ERROR as this value is optional
|
|
//
|
|
ELF_LOG2(TRACE,
|
|
"ReadRegistryInfo: Can't read AutoBackupLogFiles value for %ws log %#x\n",
|
|
SubKeyName->Buffer,
|
|
Status);
|
|
|
|
LogFileInfo->dwAutoBackup = ELF_DEFAULT_AUTOBACKUP;
|
|
}
|
|
else
|
|
{
|
|
LogFileInfo->dwAutoBackup = *((PULONG)(Buffer +
|
|
ValueBuffer->DataOffset));
|
|
|
|
ELF_LOG2(TRACE,
|
|
"ReadRegistryInfo: AutoBackupLogFiles for %ws log is %#x\n",
|
|
SubKeyName->Buffer,
|
|
LogFileInfo->dwAutoBackup);
|
|
}
|
|
|
|
//
|
|
// Filename
|
|
//
|
|
RtlInitUnicodeString(&ValueName, VALUE_FILENAME);
|
|
|
|
Status = NtQueryValueKey(hLogFile,
|
|
&ValueName,
|
|
KeyValueFullInformation,
|
|
ValueBuffer,
|
|
ELF_MAX_REG_KEY_INFO_SIZE,
|
|
&ActualSize);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
ELF_LOG2(ERROR,
|
|
"ReadRegistryInfo: Can't read Filename value for %ws log %#x\n",
|
|
SubKeyName->Buffer,
|
|
Status);
|
|
|
|
//
|
|
// Allocate the buffer for the UNICODE_STRING for the filename and
|
|
// initialize it. (41 = \Systemroot\system32\config\xxxxxxxx.evt)
|
|
//
|
|
FileNameString = ElfpAllocateBuffer(41 * sizeof(WCHAR) + sizeof(UNICODE_STRING));
|
|
|
|
if (!FileNameString)
|
|
{
|
|
ELF_LOG0(ERROR,
|
|
"ReadRegistryInfo: Unable to allocate FileNameString\n");
|
|
|
|
return STATUS_NO_MEMORY;
|
|
}
|
|
|
|
LogFileInfo->LogFileName = FileNameString;
|
|
FileName = (LPWSTR)(FileNameString + 1);
|
|
wcscpy(FileName, L"\\Systemroot\\System32\\Config\\");
|
|
wcsncat(FileName, SubKeyName->Buffer, 8);
|
|
wcscat(FileName, L".evt");
|
|
RtlInitUnicodeString(FileNameString, FileName);
|
|
|
|
RegistryCorrupt = TRUE;
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// If it's a REG_EXPAND_SZ expand it
|
|
//
|
|
|
|
if (ValueBuffer->Type == REG_EXPAND_SZ)
|
|
{
|
|
ELF_LOG0(TRACE,
|
|
"ReadRegistryInfo: Filename is a REG_EXPAND_SZ -- expanding\n");
|
|
|
|
//
|
|
// Initialize the UNICODE_STRING, when the string isn't null
|
|
// terminated
|
|
//
|
|
UnexpandedName.MaximumLength = UnexpandedName.Length =
|
|
(USHORT) ValueBuffer->DataLength;
|
|
|
|
UnexpandedName.Buffer = (PWSTR) ((PBYTE) ValueBuffer +
|
|
ValueBuffer->DataOffset);
|
|
|
|
//
|
|
// Call the magic expand-o api
|
|
//
|
|
ExpandedName.Length = ExpandedName.MaximumLength = EXPAND_BUFFER_SIZE;
|
|
ExpandedName.Buffer = (LPWSTR) ExpandNameBuffer;
|
|
|
|
Status = RtlExpandEnvironmentStrings_U(NULL,
|
|
&UnexpandedName,
|
|
&ExpandedName,
|
|
&NumberOfBytes);
|
|
|
|
if (Status == STATUS_BUFFER_TOO_SMALL)
|
|
{
|
|
ELF_LOG0(TRACE,
|
|
"ReadRegistryInfo: Expansion buffer too small -- retrying\n");
|
|
|
|
//
|
|
// The default buffer wasn't big enough. Allocate a
|
|
// bigger one and try again
|
|
//
|
|
ExpandedName.Length = ExpandedName.MaximumLength = (USHORT) NumberOfBytes;
|
|
|
|
ExpandedName.Buffer = ElfpAllocateBuffer(ExpandedName.Length);
|
|
|
|
if (!ExpandedName.Buffer)
|
|
{
|
|
ELF_LOG0(ERROR,
|
|
"ReadRegistryInfo: Unable to allocate larger Filename buffer\n");
|
|
|
|
return(STATUS_NO_MEMORY);
|
|
}
|
|
|
|
ExpandedBufferWasAllocated = TRUE;
|
|
|
|
Status = RtlExpandEnvironmentStrings_U(NULL,
|
|
&UnexpandedName,
|
|
&ExpandedName,
|
|
&NumberOfBytes);
|
|
}
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
ELF_LOG1(ERROR,
|
|
"ReadRegistryInfo: RtlExpandEnvironmentStrings_U failed %#x\n",
|
|
Status);
|
|
|
|
if (ExpandedBufferWasAllocated)
|
|
{
|
|
ElfpFreeBuffer(ExpandedName.Buffer);
|
|
}
|
|
|
|
return Status;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// It doesn't need to be expanded, just set up the UNICODE_STRING
|
|
// for the conversion to an NT pathname
|
|
//
|
|
ExpandedName.MaximumLength = ExpandedName.Length =
|
|
(USHORT) ValueBuffer->DataLength;
|
|
|
|
ExpandedName.Buffer = (PWSTR) ((PBYTE) ValueBuffer +
|
|
ValueBuffer->DataOffset);
|
|
}
|
|
|
|
//
|
|
// Now convert from a DOS pathname to an NT pathname
|
|
//
|
|
// NOTE: this allocates a buffer for ValueName.Buffer.
|
|
//
|
|
if (!RtlDosPathNameToNtPathName_U(ExpandedName.Buffer,
|
|
&ValueName,
|
|
NULL,
|
|
NULL))
|
|
{
|
|
ELF_LOG0(ERROR,
|
|
"ReadRegistryInfo: RtlDosPathNameToNtPathName_U failed\n");
|
|
|
|
if (ExpandedBufferWasAllocated)
|
|
{
|
|
ElfpFreeBuffer(ExpandedName.Buffer);
|
|
}
|
|
|
|
return STATUS_UNSUCCESSFUL;
|
|
}
|
|
|
|
//
|
|
// Allocate memory for the unicode string structure and the buffer
|
|
// so that it can be free'd with a single call.
|
|
//
|
|
FileNameString = ElfpAllocateBuffer(
|
|
sizeof(UNICODE_STRING) +
|
|
((ValueName.Length + 1) * sizeof(WCHAR)));
|
|
|
|
if (FileNameString == NULL)
|
|
{
|
|
ELF_LOG0(ERROR,
|
|
"ReadRegistryInfo: Unable to allocate copy of NT filename\n");
|
|
|
|
if (ExpandedBufferWasAllocated)
|
|
{
|
|
ElfpFreeBuffer(ExpandedName.Buffer);
|
|
}
|
|
|
|
//
|
|
// RtlDosPathNameToNtPathName_U allocates off the process heap
|
|
//
|
|
RtlFreeHeap(RtlProcessHeap(), 0, ValueName.Buffer);
|
|
|
|
return STATUS_NO_MEMORY;
|
|
}
|
|
|
|
//
|
|
// Copy the NtPathName string into the new buffer, and initialize
|
|
// the unicode string.
|
|
//
|
|
FileName = (LPWSTR)(FileNameString + 1);
|
|
wcsncpy(FileName, ValueName.Buffer, ValueName.Length);
|
|
*(FileName+ValueName.Length) = L'\0';
|
|
RtlInitUnicodeString(FileNameString, FileName);
|
|
|
|
//
|
|
// RtlDosPathNameToNtPathName_U allocates off the process heap
|
|
//
|
|
RtlFreeHeap(RtlProcessHeap(), 0, ValueName.Buffer);
|
|
|
|
//
|
|
// Clean up if I had to allocate a bigger buffer than the default
|
|
//
|
|
|
|
if (ExpandedBufferWasAllocated)
|
|
{
|
|
ElfpFreeBuffer(ExpandedName.Buffer);
|
|
}
|
|
}
|
|
|
|
//
|
|
// Add the LogFileName to the LogFileInfo structure.
|
|
//
|
|
LogFileInfo->LogFileName = FileNameString;
|
|
|
|
ELF_LOG2(TRACE,
|
|
"ReadRegistryInfo: New (expanded) Filename value for %ws log is %ws\n",
|
|
SubKeyName->Buffer,
|
|
LogFileInfo->LogFileName->Buffer);
|
|
|
|
|
|
//
|
|
// "Log full" popup policy -- never change the security log
|
|
//
|
|
if (_wcsicmp(SubKeyName->Buffer, ELF_SECURITY_MODULE_NAME) != 0)
|
|
{
|
|
RtlInitUnicodeString(&ValueName, VALUE_LOGPOPUP);
|
|
|
|
Status = NtQueryValueKey(hLogFile,
|
|
&ValueName,
|
|
KeyValueFullInformation,
|
|
ValueBuffer,
|
|
ELF_MAX_REG_KEY_INFO_SIZE,
|
|
&ActualSize);
|
|
|
|
if (NT_SUCCESS(Status))
|
|
{
|
|
LOGPOPUP logpRegValue = *(PULONG)(Buffer + ValueBuffer->DataOffset);
|
|
|
|
//
|
|
// Only update the value if this constitutes a change in the current policy
|
|
//
|
|
if (LogFileInfo->logpLogPopup == LOGPOPUP_NEVER_SHOW
|
|
||
|
|
logpRegValue == LOGPOPUP_NEVER_SHOW)
|
|
{
|
|
LogFileInfo->logpLogPopup =
|
|
(logpRegValue == LOGPOPUP_NEVER_SHOW ? LOGPOPUP_NEVER_SHOW :
|
|
LOGPOPUP_CLEARED);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// TRACE rather than ERROR as this value is optional
|
|
//
|
|
ELF_LOG2(TRACE,
|
|
"ReadRegistryInfo: Can't read LogPopup value for %ws log %#x\n",
|
|
SubKeyName->Buffer,
|
|
Status);
|
|
}
|
|
}
|
|
|
|
//
|
|
// If we didn't find all the required values, tell someone
|
|
//
|
|
|
|
if (RegistryCorrupt)
|
|
{
|
|
ELF_LOG1(ERROR,
|
|
"ReadRegistryInfo: One or more registry values for %ws log invalid\n",
|
|
SubKeyName->Buffer);
|
|
}
|
|
|
|
return STATUS_SUCCESS;
|
|
}
|