Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

837 lines
26 KiB

/*****************************************************************/
/** Microsoft Windows NT **/
/** Copyright(c) Microsoft Corp., 1991 **/
/*****************************************************************/
/*
* lognt.hxx
* This file contains class definitions of NT event log objects.
* NT_EVENT_LOG
*
* History:
* Yi-HsinS 10/15/91 Created
* terryk 12/20/91 Added WriteTextEntry
* Yi-HsinS 01/15/92 Added Backup, SeekOldestLogEntry,
* SeekNewestLogEntry and modified
* parameters to WriteTextEntry
* Yi-HsinS 02/25/92 Added helper methods to get log
* descriptions from the registry
* Yi-HsinS 04/25/92 Added caching for message dlls
* Yi-HsinS 10/13/92 Added support for parameter message file
* RaviR 02/28/95 Added support to get description &
* source name for Cairo Alerts
* JonN 6/22/00 WriteTextEntry no longer supported
*
*/
#ifndef _LOGNT_HXX_
#define _LOGNT_HXX_
#include "eventlog.hxx"
#include "uatom.hxx"
#include "regkey.hxx"
#include "array.hxx"
#include "uintlsa.hxx"
//
// The maximum number of libraries that are opened at any one time.
//
#define MAX_LIBRARY_OPENED 10
//
// The following is used to get the alert description and source name
// for Cairo alerts.
//
typedef long (*PASGETALERTDESCRIPTION)(ULONG, const BYTE*, LPWSTR *);
typedef long (*PASGETALERTSOURCENAME)(ULONG, const BYTE*, LPWSTR *);
/*************************************************************************
NAME: DLL_NAME_HANDLE_PAIR
SYNOPSIS: The class stores the name and opened handle
of a dll.
INTERFACE : DLL_HANDLE() - Constructor
Set() - Set the name and handle
QueryName() - Return the full path name of the dll
QueryHandle() - Return the handle of the dll
PARENT: BASE
USES:
CAVEATS:
NOTES:
HISTORY:
Yi-HsinS 4/25/92 Created
**************************************************************************/
DLL_CLASS DLL_NAME_HANDLE_PAIR: public BASE
{
private:
// Name of the dll
NLS_STR _nlsName;
// Opened handle of the above dll
HMODULE _handle;
public:
DLL_NAME_HANDLE_PAIR();
DLL_NAME_HANDLE_PAIR( const TCHAR *pszName, HMODULE handle = 0 );
APIERR Set( const TCHAR *pszName, HMODULE handle )
{ _nlsName = pszName; _handle = handle; return _nlsName.QueryError(); }
NLS_STR *QueryName( VOID )
{ return &_nlsName; }
HMODULE QueryHandle( VOID )
{ return _handle; }
};
//
// An array of DLL_NAME_HANDLE_PAIR
//
DECL_ARRAY_OF( DLL_NAME_HANDLE_PAIR, DLL_BASED )
/*************************************************************************
NAME: DLL_HANDLE_CACHE_ARRAY
SYNOPSIS: Wrapper class containing an array of DLL_NAME_HANDLE_PAIR.
This class contains all methods in dealing with caching
the opened handles of dlls.
INTERFACE : DLL_HANDLE_CACHE_ARRAY() - Constructor
QueryHandle() - Query the handle of the given dll
QuerySize() - Query the number of elements
that is allocated for the array.
QueryCount() - Query the actual number of elements
contained in the array.
operator[]() - Return the ith element in the array
Cache() - Store the dll and handle into the
array.
PARENT: BASE
USES: ARRAY_OF( DLL_NAME_HANDLE_PAIR )
CAVEATS:
NOTES:
HISTORY:
Yi-HsinS 4/25/92 Created
**************************************************************************/
DLL_CLASS DLL_HANDLE_CACHE_ARRAY: public BASE
{
private:
ARRAY_OF( DLL_NAME_HANDLE_PAIR ) _aDllNameHandle;
// The next slot to fill in the dll name/handle
UINT _cNext;
// Flag indicating whether the array is full or not
BOOL _fFull;
public:
DLL_HANDLE_CACHE_ARRAY( UINT cElem );
HMODULE QueryHandle( const NLS_STR &nls );
INT QuerySize() const
{ return _aDllNameHandle.QueryCount(); }
INT QueryCount() const
{ return ( _fFull? _aDllNameHandle.QueryCount() : _cNext ); }
DLL_NAME_HANDLE_PAIR &operator[]( INT iIndex ) const
{ return _aDllNameHandle[ iIndex ]; }
APIERR Cache( const NLS_STR &nls, HMODULE handle );
};
/*************************************************************************
NAME: SOURCE_INFO_ITEM
SYNOPSIS: The class for storing the information contained in the registry
of each source under the module.
INTERFACE : SOURCE_INFO_ITEM() - Constructor
~SOURCE_INFO_ITEM() - Destructor
Set() - Set the information contain in the item
IsInitialized() - See if the all the information
contained in this item is initialized
or not.
QuerySource() - Return the source name
QueryTypeMask() - Return the type mask
QueryCategoryDllName() - Return the full path name of
the category dll
QueryCategoryCount() - Return the number of categories used
in the source.
QueryCategoryList() - Return the list of categories supported
in this source.
SetCategoryList() - Set the category list.
QueryEventsDllList() - Return the list of full path names of
the events dll
QueryParameterMessageDllName() - Return the dll name containing
strings for language independent
insertion strings
PARENT: BASE
USES: NLS_STR, STRLIST
CAVEATS:
NOTES:
HISTORY:
Yi-HsinS 2/25/92 Created
**************************************************************************/
DLL_CLASS SOURCE_INFO_ITEM : public BASE
{
private:
// The name of the source
NLS_STR _nlsSource;
// Flag indicating whether the information in this item is initialized
// or not
BOOL _fInitialized;
// The type mask supported by the source
USHORT _usTypeMask;
// The category dll name supported by the source
NLS_STR _nlsCategoryDllName;
// The number of categories in the above dll
USHORT _cCategoryCount;
// Pointer to a list of categories names
STRLIST *_pstrlstCategory;
// Pointer to a list of dlls containing descriptions
STRLIST *_pstrlstEventsDll;
// The name of the parameter message dll supported by the source
NLS_STR _nlsParameterMessageDllName;
public:
SOURCE_INFO_ITEM();
SOURCE_INFO_ITEM( const TCHAR *pszSource,
USHORT usTypeMask = 0,
const TCHAR *pszCategoryDllName = NULL,
USHORT cCategoryCount = 0,
STRLIST *pstrlstEventsDll = NULL,
const TCHAR *pszParameterMessageDllName = NULL );
~SOURCE_INFO_ITEM();
APIERR Set( USHORT usTypeMask,
const TCHAR *pszCategoryDllName,
USHORT cCategoryCount,
STRLIST *pstrlstEventsDll,
const TCHAR *pszParameterMessageDllName );
BOOL IsInitialized( VOID ) const
{ return _fInitialized; }
const NLS_STR *QuerySource( VOID ) const
{ return &_nlsSource; }
USHORT QueryTypeMask( VOID ) const
{ UIASSERT( IsInitialized() ); return _usTypeMask; }
const NLS_STR *QueryCategoryDllName( VOID ) const
{ UIASSERT( IsInitialized() ); return &_nlsCategoryDllName; }
USHORT QueryCategoryCount( VOID ) const
{ UIASSERT( IsInitialized() ); return _cCategoryCount; }
STRLIST *QueryCategoryList( VOID )
{ UIASSERT( IsInitialized() ); return _pstrlstCategory; }
VOID SetCategoryList( STRLIST *pstrlstCategory )
{ _pstrlstCategory = pstrlstCategory; }
STRLIST *QueryEventDllList( VOID )
{ UIASSERT( IsInitialized() ); return _pstrlstEventsDll; }
const NLS_STR *QueryParameterMessageDllName( VOID ) const
{ UIASSERT( IsInitialized() ); return &_nlsParameterMessageDllName; }
};
/*************************************************************************
NAME: SOURCE_INFO_ITEM_PTR
SYNOPSIS: Item that contains a pointer to SOURCE_INFO_ITEM
INTERFACE: SOURCE_INFO_ITEM_PTR() - Constructor
~SOURCE_INFO_ITEM_PTR() - Destructor
operator=() - Assignment operator
operator->() - Return a pointer to SOURCE_INFO_ITEM
Compare() - Compare two SOURCE_INFO_ITEM_PTR to
see if they contain the same source.
QuerySourceItem() - Return the SOURCE_INFO_ITEM contained
in the object.
PARENT:
USES: SOURCE_INFO_ITEM
CAVEATS:
NOTES:
HISTORY:
Yi-HsinS 2/25/92 Created
**************************************************************************/
DLL_CLASS SOURCE_INFO_ITEM_PTR
{
private:
SOURCE_INFO_ITEM *_pSrcInfoItem;
// If _fDestroy is TRUE, we will destroy _pSrcInfoItem when this
// item gets destructed. Otherwise, we will leave it alone.
BOOL _fDestroy;
public:
SOURCE_INFO_ITEM_PTR()
: _pSrcInfoItem( NULL ),
_fDestroy( TRUE ) {}
SOURCE_INFO_ITEM_PTR( SOURCE_INFO_ITEM *pSrcInfoItem, BOOL fDestroy )
: _pSrcInfoItem( pSrcInfoItem ),
_fDestroy( fDestroy ) {}
~SOURCE_INFO_ITEM_PTR()
{ if ( _fDestroy )
delete _pSrcInfoItem;
_pSrcInfoItem = NULL;
}
SOURCE_INFO_ITEM_PTR &operator=( const SOURCE_INFO_ITEM_PTR &s )
{ _pSrcInfoItem = s._pSrcInfoItem; return *this; }
SOURCE_INFO_ITEM *operator->()
{ return _pSrcInfoItem; }
INT Compare( const SOURCE_INFO_ITEM_PTR *pSrcInfoItemPtr ) const ;
SOURCE_INFO_ITEM *QuerySourceItem() const
{ return _pSrcInfoItem; }
};
//
// An array of pointers to SOURCE_INFO_ITEM
//
DECL_ARRAY_LIST_OF( SOURCE_INFO_ITEM_PTR, DLL_BASED )
/*************************************************************************
NAME: SOURCE_INFO_ARRAY
SYNOPSIS: Wrapper class for the array of SOURCE_INFO_ITEM. Access
methods are added to get the information for the nth
item in the array.
INTERFACE : SOURCE_INFO_ARRAY() - Constructor
QuerySource() - Return the source name of the ith item
QueryTypeMask() - Return the type mask of the ith item
QueryCategoryDllName() - Return the full path name of
the category dll of the ith item
QueryCategoryCount() - Return the number of categories
of the ith item
QueryCategoryList() - Return the list of categories supported
by the ith source.
QueryEventsDllList() - Return the list of full path names of
the events dll of the ith item
QueryParameterMessageDllName() - Return the dll name containing
strings for language independent
insertion strings of the ith item
PARENT: ARRAY_LIST_OF( SOURCE_INFO_ITEM )
USES:
CAVEATS:
NOTES:
HISTORY:
Yi-HsinS 8/25/92 Created
**************************************************************************/
DLL_CLASS SOURCE_INFO_ARRAY : public ARRAY_LIST_OF( SOURCE_INFO_ITEM_PTR )
{
public:
SOURCE_INFO_ARRAY( UINT cElem )
: ARRAY_LIST_OF(SOURCE_INFO_ITEM_PTR )( cElem )
{ }
const NLS_STR *QuerySource( INT i ) const
{ return ((*this)[i])->QuerySource(); }
USHORT QueryTypeMask( INT i ) const
{ return ((*this)[i])->QueryTypeMask(); }
const NLS_STR *QueryCategoryDllName( INT i ) const
{ return ((*this)[i])->QueryCategoryDllName(); }
USHORT QueryCategoryCount( INT i ) const
{ return ((*this)[i])->QueryCategoryCount(); }
STRLIST *QueryCategoryList( INT i ) const
{ return ((*this)[i])->QueryCategoryList(); }
STRLIST *QueryEventDllList( INT i ) const
{ return ((*this)[i])->QueryEventDllList(); }
const NLS_STR *QueryParameterMessageDllName( INT i ) const
{ return ((*this)[i])->QueryParameterMessageDllName(); }
};
/*************************************************************************
NAME: LOG_REGISTRY_INFO
SYNOPSIS: The class for storing all the information contained in the
registry under the given module (system, security...).
INTERFACE: LOG_REGISTRY_INFO() - Constructor
~LOG_REGISTRY_INFO() - Destructor
Init() - 2nd stage constructor
SubstituteParameterID - Find all %%num in the given string
with appropriate strings.
MapEventIDToString() - Get the description associated with
the string
MapCategoryToString() - Get the string associated with
the string
GetSrcSupportedTypeMask() - Get the type mask supported by
the given source
GetSrcSupportedCategoryList() - Get all categories supported by
the given source
GetSourceList() - Get the sources supported under
the given module
PARENT: BASE
USES: NLS_STR, STRLIST, DLL_HANDLE_CACHE_ARRAY, REG_KEY,
SOURCE_INFO_ARRAY
CAVEATS:
NOTES:
HISTORY:
Yi-HsinS 2/25/92 Created
**************************************************************************/
DLL_CLASS LOG_REGISTRY_INFO : public BASE
{
private:
//
// The server that we are reading the registry from
//
NLS_STR _nlsServer;
//
// The module in the registry
//
NLS_STR _nlsModule;
//
// If the server points to a remote machine,
// then this will contain the path to %SystemRoot%.
// Else this will contain a NULL string which will not be used.
//
NLS_STR _nlsRemoteSystemRoot;
//
// The array to cache the handles used by the eventlog to get the
// description of each log entry.
//
DLL_HANDLE_CACHE_ARRAY _aDllHandleCache;
//
// Pointer to an array of SOURCE_INFO_ITEM
//
SOURCE_INFO_ARRAY *_paSourceInfo;
//
// The index of the primary module in the array pointed by _paSourceInfo
//
INT _iPrimarySource;
//
// Pointer to a strlst containing all sources under the module
//
STRLIST *_pstrlstSource;
//
// Pointer to the registry key of module
//
REG_KEY *_pRegKeyFocusModule;
//
// Get the registry key of module on the server
//
APIERR GetRegKeyModule( const TCHAR *pszServer,
REG_KEY **ppRegKeyModule );
//
// Get the handle of the given dll
//
APIERR GetLibHandle( const TCHAR *pszLibName, HMODULE *pHandle );
//
// Expand %SystemRoot% that is contained in pszPath
//
APIERR ExpandSystemRoot( const TCHAR *pszPath, NLS_STR *pnls );
//
// Get %SystemRoot% from the remote registry. This is used only
// if we are reading the registry from the remote machine.
//
APIERR GetRemoteSystemRoot( NLS_STR *pnls );
//
// Initialize the SOURCE_INFO_ITEM at (*_paSourceInfo)[index]
//
APIERR InitSource( INT index );
//
// Initialize the category list at (*_paSourceInfo)[index]
//
APIERR InitCategoryList( INT index );
//
// Get the source name at (*_paSourceInfo)[index]
//
INT QuerySourceIndex( const TCHAR *pszSource );
//
// Returns TRUE if the primary source exists in the registry
//
BOOL PrimarySourceExist( VOID )
{ return _iPrimarySource >= 0; }
//
// Returns TRUE if the index is the same as the primary source index
//
BOOL IsPrimarySource( INT index )
{ return index == _iPrimarySource; }
//
// Get the string associated with the id in the dll
//
APIERR RetrieveMessage( HMODULE handle,
ULONG nID,
NLS_STR *pnls );
//
// Get the string associated with nMessageID in the source
//
APIERR MapParameterToString( const TCHAR *pszSource,
ULONG nMessageID,
NLS_STR *pnls );
public:
LOG_REGISTRY_INFO( const NLS_STR &nlsServer,
const NLS_STR &nlsModule );
~LOG_REGISTRY_INFO();
APIERR Init( VOID );
APIERR SubstituteParameterID( const TCHAR *pszSource,
NLS_STR *pnls );
APIERR MapEventIDToString ( const TCHAR *pszSource,
ULONG ulEventID,
NLS_STR *pnls );
APIERR MapCategoryToString ( const TCHAR *pszSource,
USHORT usCategory,
NLS_STR *pnls );
APIERR GetSrcSupportedTypeMask( const TCHAR *pszSource,
USHORT *pusTypeMask );
APIERR GetSrcSupportedCategoryList( const TCHAR *pszSource,
STRLIST **ppstrlstCategory );
STRLIST *GetSourceList( VOID )
{ return _pstrlstSource; }
};
/*************************************************************************
NAME: NT_EVENT_LOG
SYNOPSIS: The class for NT Event Log
INTERFACE:
protected:
I_Next() - Helper method for reading the log file
I_Open() - Helper method for opening the handle
to the event log
I_Close()- Helper method for closing the handle
to the event log
CreateCurrentRawEntry() - Create a RAW_LOG_ENTRY for the current
log entry. This is used when filtering log files.
SetPos() - Set the position for the next read.
QueryCurrentEntryCategory() -
Get the category of the current log entry
QueryCurrentEntryTypeString() -
Retrieve the type of the current log entry
QueryCurrentEntryUser() -
Get the user of the current log entry
NextString() - Iterator for returning the strings in the
current log entry.
public:
NT_EVENT_LOG() - Constructor
~NT_EVENT_LOG() - Destructor
Clear() - Clear the event log
Backup() - Back up the event log without clearing the log file
Reset() - Reset to the beginning or end of log depending
on direction
QueryPos() - Get the position of the current event log entry
Direction is not important on NT.
SeekOldestLogEntry() - Get the oldest log entry in the log
SeekNewestLogEntry() - Get the newest log entry in the log
QueryNumberOfEntries() - Get the number of entries in the log
CreateCurrentFormatEntry() - Create a FORMATTED_LOG_ENTRY for
the current log entry.
WriteTextEntry() - Write the current log entry to a text file
JonN 6/22/00 WriteTextEntry no longer supported
QueryCurrentEntryData() -
Retrieve the raw data of the current log entry
QueryCurrentEntryDesc() -
Get the description of the current log entry
QueryCurrentEntryTime() -
Get the time of the current log entry
IsBackup() - True if we want to open a backup log file
QuerySourceList() - Return the sources supported by the module
QuerySrcSupportedTypeMask() - Query the type mask supported
by the given source
QuerySrcSupportedCategoryList() - Query the category list
supported by the given source
PARENT: EVENT_LOG
USES:
CAVEATS:
NOTES:
HISTORY:
Yi-HsinS 10/15/91 Created
**************************************************************************/
DLL_CLASS NT_EVENT_LOG : public EVENT_LOG
{
private:
//
// Handle to the NT event log
//
HANDLE _handle;
//
// Buffer containing a whole amount of event log entries returned
// by a net API call.
//
BUFFER _buf;
//
// Points to the current log entry inside the buffer _buf
//
EVENTLOGRECORD *_pEL;
//
// the offset(bytes) in the buffer in which the next log entry starts
//
ULONG _cbOffset;
//
// the number of bytes returned from the last read
//
ULONG _cbReturned;
//
// the minimum number of bytes needed for the next read
//
ULONG _cbMinBytesNeeded;
//
// The index of the next string to be retrieved by NextString()
//
UINT _iStrings;
//
// The log number to read in the case of seek read
//
ULONG _ulRecSeek;
//
// TRUE if we want to open a backup file
//
BOOL _fBackup;
//
// Registry Information needed to get the description of log entries
//
LOG_REGISTRY_INFO _logRegistryInfo;
//
// The following for translating SIDS to readable names
//
LSA_POLICY _lsaPolicy;
LSA_TRANSLATED_NAME_MEM _lsatnm;
LSA_REF_DOMAIN_MEM _lsardm;
NLS_STR _nlsAccountDomain;
UINT _cCountUsers;
//
// The following is used to get the alert description and source name
// for Cairo alerts.
//
HINSTANCE _hinstanceSysmgmt;
PASGETALERTDESCRIPTION _pAsGetAlertDescription;
PASGETALERTSOURCENAME _pAsGetAlertSourceName;
protected:
virtual APIERR I_Next( BOOL *pfContinue,
ULONG ulBufferSize = BIG_BUF_DEFAULT_SIZE );
virtual APIERR I_Open( VOID );
virtual APIERR I_Close( VOID );
virtual APIERR CreateCurrentRawEntry( RAW_LOG_ENTRY *pRawLogEntry );
virtual VOID SetPos( const LOG_ENTRY_NUMBER &logEntryNum, BOOL fForceRead );
APIERR QueryCurrentEntryCategory( NLS_STR *pnlsCategory );
APIERR QueryCurrentEntryTypeString( NLS_STR *pnlsType );
APIERR QueryCurrentEntryUser( NLS_STR *pnlsUser );
//
// Iterator to return the next string in the current log.
// Returns FALSE if some error occurs or if there are no more strings left.
// Need to QueryLastError() to distinguish between the two cases.
//
APIERR NextString( BOOL *pfContinue, NLS_STR **ppnlsString );
//
// The following method is used to get the proc address of alert functions
// AsGetAlertdescription and AsGetAlertSourceName
//
APIERR GetProcAddressOfAlertFuctions( VOID );
public:
//
// Constructor : takes a server name,
// an optional direction which defaults to EVLOG_FWD,
// a module name needed for NT Event Log,
// and a module name needed for reading the registry.
// If pszModule and pszRegistryModule don't point to the
// same place, then we are reading a backup event log.
//
NT_EVENT_LOG( const TCHAR *pszServer,
EVLOG_DIRECTION evdir = EVLOG_FWD,
const TCHAR *pszModule = NULL,
const TCHAR *pszRegistryModule = NULL );
virtual ~NT_EVENT_LOG();
//
// See comments in EVENT_LOG
//
virtual APIERR Clear( const TCHAR *pszBackupFile = NULL );
virtual APIERR Backup( const TCHAR *pszBackupFile );
virtual VOID Reset( VOID );
virtual APIERR QueryPos( LOG_ENTRY_NUMBER *plogEntryNum );
virtual APIERR SeekOldestLogEntry( VOID );
virtual APIERR SeekNewestLogEntry( VOID );
virtual APIERR QueryNumberOfEntries( ULONG *pcEntries );
virtual APIERR CreateCurrentFormatEntry( FORMATTED_LOG_ENTRY
**ppFmtLogEntry );
// JonN 6/22/00 WriteTextEntry no longer supported
virtual APIERR WriteTextEntry( ULONG ulFileHandle, INTL_PROFILE &intlprof,
TCHAR chSeparator );
virtual ULONG QueryCurrentEntryData( BYTE **ppbDataOut );
virtual APIERR QueryCurrentEntryDesc( NLS_STR *pnlsDesc );
virtual ULONG QueryCurrentEntryTime( VOID );
BOOL IsBackup( VOID )
{ return _fBackup; }
virtual STRLIST *QuerySourceList( VOID );
virtual APIERR QuerySrcSupportedTypeMask( const NLS_STR &nlsSource,
USHORT *pusTypeMask );
virtual APIERR QuerySrcSupportedCategoryList( const NLS_STR &nlsSource,
STRLIST **ppstrlstCategory );
};
#endif