| 
									
										
										
										
											2014-08-13 10:39:27 +01:00
										 |  |  | // | 
					
						
							|  |  |  | // System.Diagnostics.Win32EventLog.cs | 
					
						
							|  |  |  | // | 
					
						
							|  |  |  | // Author: | 
					
						
							|  |  |  | //	Gert Driesen <driesen@users.sourceforge.net> | 
					
						
							|  |  |  | // | 
					
						
							|  |  |  | // Copyright (C) 2006 Novell, Inc (http://www.novell.com) | 
					
						
							|  |  |  | // | 
					
						
							|  |  |  | // | 
					
						
							|  |  |  | // a copy of this software and associated documentation files (the | 
					
						
							|  |  |  | // "Software"), to deal in the Software without restriction, including | 
					
						
							|  |  |  | // without limitation the rights to use, copy, modify, merge, publish, | 
					
						
							|  |  |  | // distribute, sublicense, and/or sell copies of the Software, and to | 
					
						
							|  |  |  | // permit persons to whom the Software is furnished to do so, subject to | 
					
						
							|  |  |  | // the following conditions: | 
					
						
							|  |  |  | //  | 
					
						
							|  |  |  | // The above copyright notice and this permission notice shall be | 
					
						
							|  |  |  | // included in all copies or substantial portions of the Software. | 
					
						
							|  |  |  | //  | 
					
						
							|  |  |  | // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, | 
					
						
							|  |  |  | // EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF | 
					
						
							|  |  |  | // MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND | 
					
						
							|  |  |  | // NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE | 
					
						
							|  |  |  | // LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION | 
					
						
							|  |  |  | // OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION | 
					
						
							|  |  |  | // WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. | 
					
						
							|  |  |  | // | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | using System; | 
					
						
							| 
									
										
										
										
											2015-01-13 10:44:36 +00:00
										 |  |  | using System.Collections.Generic; | 
					
						
							| 
									
										
										
										
											2014-08-13 10:39:27 +01:00
										 |  |  | using System.ComponentModel; | 
					
						
							|  |  |  | using System.Diagnostics; | 
					
						
							|  |  |  | using System.Globalization; | 
					
						
							|  |  |  | using System.IO; | 
					
						
							|  |  |  | using System.Runtime.InteropServices; | 
					
						
							|  |  |  | using System.Text; | 
					
						
							|  |  |  | using System.Threading; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | using Microsoft.Win32; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | namespace System.Diagnostics | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	internal class Win32EventLog : EventLogImpl | 
					
						
							|  |  |  | 	{ | 
					
						
							|  |  |  | 		private const int MESSAGE_NOT_FOUND = 317; | 
					
						
							|  |  |  | 		private ManualResetEvent _notifyResetEvent; | 
					
						
							|  |  |  | 		private IntPtr _readHandle; | 
					
						
							|  |  |  | 		private Thread _notifyThread; | 
					
						
							|  |  |  | 		private int _lastEntryWritten; | 
					
						
							| 
									
										
										
										
											2017-04-10 11:41:01 +00:00
										 |  |  | 		private Object _eventLock = new object(); | 
					
						
							| 
									
										
										
										
											2014-08-13 10:39:27 +01:00
										 |  |  | 
 | 
					
						
							|  |  |  | 		public Win32EventLog (EventLog coreEventLog) | 
					
						
							|  |  |  | 			: base (coreEventLog) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		public override void BeginInit () | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		public override void Clear () | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			int ret = PInvoke.ClearEventLog (ReadHandle, null); | 
					
						
							|  |  |  | 			if (ret != 1) | 
					
						
							|  |  |  | 				throw new Win32Exception (Marshal.GetLastWin32Error ()); | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		public override void Close () | 
					
						
							|  |  |  | 		{ | 
					
						
							| 
									
										
										
										
											2017-04-10 11:41:01 +00:00
										 |  |  | 			lock (_eventLock) { | 
					
						
							|  |  |  | 				if (_readHandle != IntPtr.Zero) { | 
					
						
							|  |  |  | 					CloseEventLog (_readHandle); | 
					
						
							|  |  |  | 					_readHandle = IntPtr.Zero; | 
					
						
							|  |  |  | 				} | 
					
						
							| 
									
										
										
										
											2014-08-13 10:39:27 +01:00
										 |  |  | 			} | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		public override void CreateEventSource (EventSourceCreationData sourceData) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			using (RegistryKey eventLogKey = GetEventLogKey (sourceData.MachineName, true)) { | 
					
						
							|  |  |  | 				if (eventLogKey == null) | 
					
						
							|  |  |  | 					throw new InvalidOperationException ("EventLog registry key is missing."); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 				bool logKeyCreated = false; | 
					
						
							|  |  |  | 				RegistryKey logKey = null; | 
					
						
							|  |  |  | 				try { | 
					
						
							|  |  |  | 					logKey = eventLogKey.OpenSubKey (sourceData.LogName, true); | 
					
						
							|  |  |  | 					if (logKey == null) { | 
					
						
							|  |  |  | 						ValidateCustomerLogName (sourceData.LogName,  | 
					
						
							|  |  |  | 							sourceData.MachineName); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 						logKey = eventLogKey.CreateSubKey (sourceData.LogName); | 
					
						
							|  |  |  | 						logKey.SetValue ("Sources", new string [] { sourceData.LogName, | 
					
						
							|  |  |  | 							sourceData.Source }); | 
					
						
							|  |  |  | 						UpdateLogRegistry (logKey); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 						using (RegistryKey sourceKey = logKey.CreateSubKey (sourceData.LogName)) { | 
					
						
							|  |  |  | 							UpdateSourceRegistry (sourceKey, sourceData); | 
					
						
							|  |  |  | 						} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 						logKeyCreated = true; | 
					
						
							|  |  |  | 					} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 					if (sourceData.LogName != sourceData.Source) { | 
					
						
							|  |  |  | 						if (!logKeyCreated) { | 
					
						
							|  |  |  | 							string [] sources = (string []) logKey.GetValue ("Sources"); | 
					
						
							|  |  |  | 							if (sources == null) { | 
					
						
							|  |  |  | 								logKey.SetValue ("Sources", new string [] { sourceData.LogName, | 
					
						
							|  |  |  | 									sourceData.Source }); | 
					
						
							|  |  |  | 							} else { | 
					
						
							|  |  |  | 								bool found = false; | 
					
						
							|  |  |  | 								for (int i = 0; i < sources.Length; i++) { | 
					
						
							|  |  |  | 									if (sources [i] == sourceData.Source) { | 
					
						
							|  |  |  | 										found = true; | 
					
						
							|  |  |  | 										break; | 
					
						
							|  |  |  | 									} | 
					
						
							|  |  |  | 								} | 
					
						
							|  |  |  | 								if (!found) { | 
					
						
							|  |  |  | 									string [] newSources = new string [sources.Length + 1]; | 
					
						
							|  |  |  | 									Array.Copy (sources, 0, newSources, 0, sources.Length); | 
					
						
							|  |  |  | 									newSources [sources.Length] = sourceData.Source; | 
					
						
							|  |  |  | 									logKey.SetValue ("Sources", newSources); | 
					
						
							|  |  |  | 								} | 
					
						
							|  |  |  | 							} | 
					
						
							|  |  |  | 						} | 
					
						
							|  |  |  | 						using (RegistryKey sourceKey = logKey.CreateSubKey (sourceData.Source)) { | 
					
						
							|  |  |  | 							UpdateSourceRegistry (sourceKey, sourceData); | 
					
						
							|  |  |  | 						} | 
					
						
							|  |  |  | 					} | 
					
						
							|  |  |  | 				} finally { | 
					
						
							|  |  |  | 					if (logKey != null) | 
					
						
							|  |  |  | 						logKey.Close (); | 
					
						
							|  |  |  | 				} | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		public override void Delete (string logName, string machineName) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			using (RegistryKey eventLogKey = GetEventLogKey (machineName, true)) { | 
					
						
							|  |  |  | 				if (eventLogKey == null) | 
					
						
							|  |  |  | 					throw new InvalidOperationException ("The event log key does not exist."); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 				using (RegistryKey logKey = eventLogKey.OpenSubKey (logName, false)) { | 
					
						
							|  |  |  | 					if (logKey == null) | 
					
						
							|  |  |  | 						throw new InvalidOperationException (string.Format ( | 
					
						
							|  |  |  | 							CultureInfo.InvariantCulture, "Event Log '{0}'" | 
					
						
							|  |  |  | 							+ " does not exist on computer '{1}'.", logName, | 
					
						
							|  |  |  | 							machineName)); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 					// remove all eventlog entries for specified log | 
					
						
							|  |  |  | 					CoreEventLog.Clear (); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 					// remove file holding event log entries | 
					
						
							|  |  |  | 					string file = (string) logKey.GetValue ("File"); | 
					
						
							|  |  |  | 					if (file != null) { | 
					
						
							|  |  |  | 						try { | 
					
						
							|  |  |  | 							File.Delete (file); | 
					
						
							|  |  |  | 						} catch (Exception) { | 
					
						
							|  |  |  | 							// .NET seems to ignore failures here | 
					
						
							|  |  |  | 						} | 
					
						
							|  |  |  | 					} | 
					
						
							|  |  |  | 				} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 				eventLogKey.DeleteSubKeyTree (logName); | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		public override void DeleteEventSource (string source, string machineName) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			using (RegistryKey logKey = FindLogKeyBySource (source, machineName, true)) { | 
					
						
							|  |  |  | 				if (logKey == null) { | 
					
						
							|  |  |  | 					throw new ArgumentException (string.Format ( | 
					
						
							|  |  |  | 						CultureInfo.InvariantCulture, "The source '{0}' is not" | 
					
						
							|  |  |  | 						+ " registered on computer '{1}'.", source, machineName)); | 
					
						
							|  |  |  | 				} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 				logKey.DeleteSubKeyTree (source); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 				string [] sources = (string []) logKey.GetValue ("Sources"); | 
					
						
							|  |  |  | 				if (sources != null) { | 
					
						
							| 
									
										
										
										
											2015-01-13 10:44:36 +00:00
										 |  |  | 					var temp = new List<string> (); | 
					
						
							| 
									
										
										
										
											2014-08-13 10:39:27 +01:00
										 |  |  | 					for (int i = 0; i < sources.Length; i++) | 
					
						
							|  |  |  | 						if (sources [i] != source) | 
					
						
							|  |  |  | 							temp.Add (sources [i]); | 
					
						
							| 
									
										
										
										
											2015-01-13 10:44:36 +00:00
										 |  |  | 					string [] newSources = temp.ToArray (); | 
					
						
							| 
									
										
										
										
											2014-08-13 10:39:27 +01:00
										 |  |  | 					logKey.SetValue ("Sources", newSources); | 
					
						
							|  |  |  | 				} | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		public override void Dispose (bool disposing) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			Close (); | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		public override void EndInit () | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		public override bool Exists (string logName, string machineName) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			using (RegistryKey logKey = FindLogKeyByName (logName, machineName, false)) { | 
					
						
							|  |  |  | 				return (logKey != null); | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		[MonoTODO] // ParameterResourceFile ?? | 
					
						
							|  |  |  | 		protected override string FormatMessage (string source, uint messageID, string [] replacementStrings) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			string formattedMessage = null; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			string [] msgResDlls = GetMessageResourceDlls (source, "EventMessageFile"); | 
					
						
							|  |  |  | 			for (int i = 0; i < msgResDlls.Length; i++) { | 
					
						
							|  |  |  | 				formattedMessage = FetchMessage (msgResDlls [i], | 
					
						
							|  |  |  | 					messageID, replacementStrings); | 
					
						
							|  |  |  | 				if (formattedMessage != null) | 
					
						
							|  |  |  | 					break; | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			return formattedMessage != null ? formattedMessage : string.Join ( | 
					
						
							|  |  |  | 				", ", replacementStrings); | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		private string FormatCategory (string source, int category) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			string formattedCategory = null; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			string [] msgResDlls = GetMessageResourceDlls (source, "CategoryMessageFile"); | 
					
						
							|  |  |  | 			for (int i = 0; i < msgResDlls.Length; i++) { | 
					
						
							|  |  |  | 				formattedCategory = FetchMessage (msgResDlls [i], | 
					
						
							|  |  |  | 					(uint) category, new string [0]); | 
					
						
							|  |  |  | 				if (formattedCategory != null) | 
					
						
							|  |  |  | 					break; | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			return formattedCategory != null ? formattedCategory : "(" + | 
					
						
							|  |  |  | 				category.ToString (CultureInfo.InvariantCulture) + ")"; | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		protected override int GetEntryCount () | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			int entryCount = 0; | 
					
						
							|  |  |  | 			int retVal = PInvoke.GetNumberOfEventLogRecords (ReadHandle, ref entryCount); | 
					
						
							|  |  |  | 			if (retVal != 1) | 
					
						
							|  |  |  | 				throw new Win32Exception (Marshal.GetLastWin32Error ()); | 
					
						
							|  |  |  | 			return entryCount; | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		protected override EventLogEntry GetEntry (int index) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			// http://msdn.microsoft.com/library/en-us/eventlog/base/readeventlog.asp | 
					
						
							|  |  |  | 			// http://msdn.microsoft.com/library/en-us/eventlog/base/eventlogrecord_str.asp | 
					
						
							|  |  |  | 			// http://www.whitehats.ca/main/members/Malik/malik_eventlogs/malik_eventlogs.html | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			index += OldestEventLogEntry; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			int bytesRead = 0; | 
					
						
							|  |  |  | 			int minBufferNeeded = 0; | 
					
						
							|  |  |  | 			byte [] buffer = new byte [0x7ffff]; // according to MSDN this is the max size of the buffer | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			ReadEventLog (index, buffer, ref bytesRead, ref minBufferNeeded); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			MemoryStream ms = new MemoryStream (buffer); | 
					
						
							|  |  |  | 			BinaryReader br = new BinaryReader (ms); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			// skip first 8 bytes | 
					
						
							|  |  |  | 			br.ReadBytes (8); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			int recordNumber = br.ReadInt32 (); // 8 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			int timeGeneratedSeconds = br.ReadInt32 (); // 12 | 
					
						
							|  |  |  | 			int timeWrittenSeconds = br.ReadInt32 (); // 16 | 
					
						
							|  |  |  | 			uint instanceID = br.ReadUInt32 (); | 
					
						
							|  |  |  | 			int eventID = EventLog.GetEventID (instanceID); | 
					
						
							|  |  |  | 			short eventType = br.ReadInt16 (); // 24 | 
					
						
							|  |  |  | 			short numStrings = br.ReadInt16 (); ; // 26 | 
					
						
							|  |  |  | 			short categoryNumber = br.ReadInt16 (); ; // 28 | 
					
						
							|  |  |  | 			// skip reservedFlags | 
					
						
							|  |  |  | 			br.ReadInt16 (); // 30 | 
					
						
							|  |  |  | 			// skip closingRecordNumber | 
					
						
							|  |  |  | 			br.ReadInt32 (); // 32 | 
					
						
							|  |  |  | 			int stringOffset = br.ReadInt32 (); // 36 | 
					
						
							|  |  |  | 			int userSidLength = br.ReadInt32 (); // 40 | 
					
						
							|  |  |  | 			int userSidOffset = br.ReadInt32 (); // 44 | 
					
						
							|  |  |  | 			int dataLength = br.ReadInt32 (); // 48 | 
					
						
							|  |  |  | 			int dataOffset = br.ReadInt32 (); // 52 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			DateTime timeGenerated = new DateTime (1970, 1, 1).AddSeconds ( | 
					
						
							|  |  |  | 				timeGeneratedSeconds); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			DateTime timeWritten = new DateTime (1970, 1, 1).AddSeconds ( | 
					
						
							|  |  |  | 				timeWrittenSeconds); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			StringBuilder sb = new StringBuilder (); | 
					
						
							|  |  |  | 			while (br.PeekChar () != '\0') | 
					
						
							|  |  |  | 				sb.Append (br.ReadChar ()); | 
					
						
							|  |  |  | 			br.ReadChar (); // skip the null-char | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			string sourceName = sb.ToString (); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			sb.Length = 0; | 
					
						
							|  |  |  | 			while (br.PeekChar () != '\0') | 
					
						
							|  |  |  | 				sb.Append (br.ReadChar ()); | 
					
						
							|  |  |  | 			br.ReadChar (); // skip the null-char | 
					
						
							|  |  |  | 			string machineName = sb.ToString (); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			sb.Length = 0; | 
					
						
							|  |  |  | 			while (br.PeekChar () != '\0') | 
					
						
							|  |  |  | 				sb.Append (br.ReadChar ()); | 
					
						
							|  |  |  | 			br.ReadChar (); // skip the null-char | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			string userName = null; | 
					
						
							|  |  |  | 			if (userSidLength != 0) { | 
					
						
							|  |  |  | 				// TODO: lazy init ? | 
					
						
							|  |  |  | 				ms.Position = userSidOffset; | 
					
						
							|  |  |  | 				byte [] sid = br.ReadBytes (userSidLength); | 
					
						
							|  |  |  | 				userName = LookupAccountSid (machineName, sid); | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			ms.Position = stringOffset; | 
					
						
							|  |  |  | 			string [] replacementStrings = new string [numStrings]; | 
					
						
							|  |  |  | 			for (int i = 0; i < numStrings; i++) { | 
					
						
							|  |  |  | 				sb.Length = 0; | 
					
						
							|  |  |  | 				while (br.PeekChar () != '\0') | 
					
						
							|  |  |  | 					sb.Append (br.ReadChar ()); | 
					
						
							|  |  |  | 				br.ReadChar (); // skip the null-char | 
					
						
							|  |  |  | 				replacementStrings [i] = sb.ToString (); | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			byte [] data = new byte [dataLength]; | 
					
						
							|  |  |  | 			ms.Position = dataOffset; | 
					
						
							|  |  |  | 			br.Read (data, 0, dataLength); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			// TODO: lazy fetch ?? | 
					
						
							|  |  |  | 			string message = this.FormatMessage (sourceName, instanceID, replacementStrings); | 
					
						
							|  |  |  | 			string category = FormatCategory (sourceName, categoryNumber); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			return new EventLogEntry (category, (short) categoryNumber, recordNumber, | 
					
						
							|  |  |  | 				eventID, sourceName, message, userName, machineName, | 
					
						
							|  |  |  | 				(EventLogEntryType) eventType, timeGenerated, timeWritten, | 
					
						
							|  |  |  | 				data, replacementStrings, instanceID); | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		[MonoTODO] | 
					
						
							|  |  |  | 		protected override string GetLogDisplayName () | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			return CoreEventLog.Log; | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		protected override string [] GetLogNames (string machineName) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			using (RegistryKey eventLogKey = GetEventLogKey (machineName, true)) { | 
					
						
							|  |  |  | 				if (eventLogKey == null) | 
					
						
							|  |  |  | 					return new string [0]; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 				return eventLogKey.GetSubKeyNames (); | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		public override string LogNameFromSourceName (string source, string machineName) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			using (RegistryKey logKey = FindLogKeyBySource (source, machineName, false)) { | 
					
						
							|  |  |  | 				if (logKey == null) | 
					
						
							|  |  |  | 					return string.Empty; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 				return GetLogName (logKey); | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		public override bool SourceExists (string source, string machineName) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			RegistryKey logKey = FindLogKeyBySource (source, machineName, false); | 
					
						
							|  |  |  | 			if (logKey != null) { | 
					
						
							|  |  |  | 				logKey.Close (); | 
					
						
							|  |  |  | 				return true; | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 			return false; | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		public override void WriteEntry (string [] replacementStrings, EventLogEntryType type, uint instanceID, short category, byte [] rawData) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			IntPtr hEventLog = RegisterEventSource (); | 
					
						
							|  |  |  | 			try { | 
					
						
							|  |  |  | 				int ret = PInvoke.ReportEvent (hEventLog, (ushort) type, | 
					
						
							|  |  |  | 					(ushort) category, instanceID, IntPtr.Zero, | 
					
						
							|  |  |  | 					(ushort) replacementStrings.Length, | 
					
						
							|  |  |  | 					(uint) rawData.Length, replacementStrings, rawData); | 
					
						
							|  |  |  | 				if (ret != 1) { | 
					
						
							|  |  |  | 					throw new Win32Exception (Marshal.GetLastWin32Error ()); | 
					
						
							|  |  |  | 				} | 
					
						
							|  |  |  | 			} finally { | 
					
						
							|  |  |  | 				DeregisterEventSource (hEventLog); | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		private static void UpdateLogRegistry (RegistryKey logKey) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			// TODO: write other Log values: | 
					
						
							|  |  |  | 			// - MaxSize | 
					
						
							|  |  |  | 			// - Retention | 
					
						
							|  |  |  | 			// - AutoBackupLogFiles | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			if (logKey.GetValue ("File") == null) { | 
					
						
							|  |  |  | 				string logName = GetLogName (logKey); | 
					
						
							|  |  |  | 				string file; | 
					
						
							|  |  |  | 				if (logName.Length > 8) { | 
					
						
							|  |  |  | 					file = logName.Substring (0, 8) + ".evt"; | 
					
						
							|  |  |  | 				} else { | 
					
						
							|  |  |  | 					file = logName + ".evt"; | 
					
						
							|  |  |  | 				} | 
					
						
							|  |  |  | 				string configPath = Path.Combine (Environment.GetFolderPath ( | 
					
						
							|  |  |  | 					Environment.SpecialFolder.System), "config"); | 
					
						
							|  |  |  | 				logKey.SetValue ("File", Path.Combine (configPath, file)); | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		private static void UpdateSourceRegistry (RegistryKey sourceKey, EventSourceCreationData data) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			if (data.CategoryCount > 0) | 
					
						
							|  |  |  | 				sourceKey.SetValue ("CategoryCount", data.CategoryCount); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			if (data.CategoryResourceFile != null && data.CategoryResourceFile.Length > 0) | 
					
						
							|  |  |  | 				sourceKey.SetValue ("CategoryMessageFile", data.CategoryResourceFile); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			if (data.MessageResourceFile != null && data.MessageResourceFile.Length > 0) { | 
					
						
							|  |  |  | 				sourceKey.SetValue ("EventMessageFile", data.MessageResourceFile); | 
					
						
							|  |  |  | 			} else { | 
					
						
							|  |  |  | 				// FIXME: write default once we have approval for shipping EventLogMessages.dll | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			if (data.ParameterResourceFile != null && data.ParameterResourceFile.Length > 0) | 
					
						
							|  |  |  | 				sourceKey.SetValue ("ParameterMessageFile", data.ParameterResourceFile); | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		private static string GetLogName (RegistryKey logKey) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			string logName = logKey.Name; | 
					
						
							|  |  |  | 			return logName.Substring (logName.LastIndexOf ("\\") + 1); | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		private void ReadEventLog (int index, byte [] buffer, ref int bytesRead, ref int minBufferNeeded) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			const int max_retries = 3; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			// if the eventlog file changed since the handle was | 
					
						
							|  |  |  | 			// obtained, then we need to re-try multiple times | 
					
						
							|  |  |  | 			for (int i = 0; i < max_retries; i++) { | 
					
						
							|  |  |  | 				int ret = PInvoke.ReadEventLog (ReadHandle,  | 
					
						
							|  |  |  | 					ReadFlags.Seek | ReadFlags.ForwardsRead, | 
					
						
							|  |  |  | 					index, buffer, buffer.Length, ref bytesRead, | 
					
						
							|  |  |  | 					ref minBufferNeeded); | 
					
						
							|  |  |  | 				if (ret != 1) { | 
					
						
							|  |  |  | 					int error = Marshal.GetLastWin32Error (); | 
					
						
							|  |  |  | 					if (i < (max_retries - 1)) { | 
					
						
							|  |  |  | 						CoreEventLog.Reset (); | 
					
						
							|  |  |  | 					} else { | 
					
						
							|  |  |  | 						throw new Win32Exception (error); | 
					
						
							|  |  |  | 					} | 
					
						
							|  |  |  | 				} | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		[MonoTODO ("Support remote machines")] | 
					
						
							|  |  |  | 		private static RegistryKey GetEventLogKey (string machineName, bool writable) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			return Registry.LocalMachine.OpenSubKey (@"SYSTEM\CurrentControlSet\Services\EventLog", writable); | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		private static RegistryKey FindSourceKeyByName (string source, string machineName, bool writable) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			if (source == null || source.Length == 0) | 
					
						
							|  |  |  | 				return null; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			RegistryKey eventLogKey = null; | 
					
						
							|  |  |  | 			try { | 
					
						
							|  |  |  | 				eventLogKey = GetEventLogKey (machineName, writable); | 
					
						
							|  |  |  | 				if (eventLogKey == null) | 
					
						
							|  |  |  | 					return null; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 				string [] subKeys = eventLogKey.GetSubKeyNames (); | 
					
						
							|  |  |  | 				for (int i = 0; i < subKeys.Length; i++) { | 
					
						
							|  |  |  | 					using (RegistryKey logKey = eventLogKey.OpenSubKey (subKeys [i], writable)) { | 
					
						
							|  |  |  | 						if (logKey == null) | 
					
						
							|  |  |  | 							break; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 						RegistryKey sourceKey = logKey.OpenSubKey (source, writable); | 
					
						
							|  |  |  | 						if (sourceKey != null) | 
					
						
							|  |  |  | 							return sourceKey; | 
					
						
							|  |  |  | 					} | 
					
						
							|  |  |  | 				} | 
					
						
							|  |  |  | 				return null; | 
					
						
							|  |  |  | 			} finally { | 
					
						
							|  |  |  | 				if (eventLogKey != null) | 
					
						
							|  |  |  | 					eventLogKey.Close (); | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		private static RegistryKey FindLogKeyByName (string logName, string machineName, bool writable) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			using (RegistryKey eventLogKey = GetEventLogKey (machineName, writable)) { | 
					
						
							|  |  |  | 				if (eventLogKey == null) { | 
					
						
							|  |  |  | 					return null; | 
					
						
							|  |  |  | 				} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 				return eventLogKey.OpenSubKey (logName, writable); | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		private static RegistryKey FindLogKeyBySource (string source, string machineName, bool writable) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			if (source == null || source.Length == 0) | 
					
						
							|  |  |  | 				return null; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			RegistryKey eventLogKey = null; | 
					
						
							|  |  |  | 			try { | 
					
						
							|  |  |  | 				eventLogKey = GetEventLogKey (machineName, writable); | 
					
						
							|  |  |  | 				if (eventLogKey == null) | 
					
						
							|  |  |  | 					return null; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 				string [] subKeys = eventLogKey.GetSubKeyNames (); | 
					
						
							|  |  |  | 				for (int i = 0; i < subKeys.Length; i++) { | 
					
						
							|  |  |  | 					RegistryKey sourceKey = null; | 
					
						
							|  |  |  | 					try { | 
					
						
							|  |  |  | 						RegistryKey logKey = eventLogKey.OpenSubKey (subKeys [i], writable); | 
					
						
							|  |  |  | 						if (logKey != null) { | 
					
						
							|  |  |  | 							sourceKey = logKey.OpenSubKey (source, writable); | 
					
						
							|  |  |  | 							if (sourceKey != null) | 
					
						
							|  |  |  | 								return logKey; | 
					
						
							|  |  |  | 						} | 
					
						
							|  |  |  | 					} finally { | 
					
						
							|  |  |  | 						if (sourceKey != null) | 
					
						
							|  |  |  | 							sourceKey.Close (); | 
					
						
							|  |  |  | 					} | 
					
						
							|  |  |  | 				} | 
					
						
							|  |  |  | 				return null; | 
					
						
							|  |  |  | 			} finally { | 
					
						
							|  |  |  | 				if (eventLogKey != null) | 
					
						
							|  |  |  | 					eventLogKey.Close (); | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		private int OldestEventLogEntry { | 
					
						
							|  |  |  | 			get { | 
					
						
							|  |  |  | 				int oldestEventLogEntry = 0; | 
					
						
							|  |  |  | 				int ret = PInvoke.GetOldestEventLogRecord (ReadHandle, ref oldestEventLogEntry); | 
					
						
							|  |  |  | 				if (ret != 1) { | 
					
						
							|  |  |  | 					throw new Win32Exception (Marshal.GetLastWin32Error ()); | 
					
						
							|  |  |  | 				} | 
					
						
							|  |  |  | 				return oldestEventLogEntry; | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		private void CloseEventLog (IntPtr hEventLog) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			int ret = PInvoke.CloseEventLog (hEventLog); | 
					
						
							|  |  |  | 			if (ret != 1) { | 
					
						
							|  |  |  | 				throw new Win32Exception (Marshal.GetLastWin32Error ()); | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		private void DeregisterEventSource (IntPtr hEventLog) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			int ret = PInvoke.DeregisterEventSource (hEventLog); | 
					
						
							|  |  |  | 			if (ret != 1) { | 
					
						
							|  |  |  | 				throw new Win32Exception (Marshal.GetLastWin32Error ()); | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		private static string LookupAccountSid (string machineName, byte [] sid) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			// http://www.pinvoke.net/default.aspx/advapi32/LookupAccountSid.html | 
					
						
							|  |  |  | 			// http://msdn.microsoft.com/library/en-us/secauthz/security/lookupaccountsid.asp | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			StringBuilder name = new StringBuilder (); | 
					
						
							|  |  |  | 			uint cchName = (uint) name.Capacity; | 
					
						
							|  |  |  | 			StringBuilder referencedDomainName = new StringBuilder (); | 
					
						
							|  |  |  | 			uint cchReferencedDomainName = (uint) referencedDomainName.Capacity; | 
					
						
							|  |  |  | 			SidNameUse sidUse; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			string accountName = null; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			while (accountName == null) { | 
					
						
							|  |  |  | 				bool retOk = PInvoke.LookupAccountSid (machineName, sid, name, ref cchName, | 
					
						
							|  |  |  | 					referencedDomainName, ref cchReferencedDomainName, | 
					
						
							|  |  |  | 					out sidUse); | 
					
						
							|  |  |  | 				if (!retOk) { | 
					
						
							|  |  |  | 					int err = Marshal.GetLastWin32Error (); | 
					
						
							|  |  |  | 					if (err == PInvoke.ERROR_INSUFFICIENT_BUFFER) { | 
					
						
							|  |  |  | 						name.EnsureCapacity ((int) cchName); | 
					
						
							|  |  |  | 						referencedDomainName.EnsureCapacity ((int) cchReferencedDomainName); | 
					
						
							|  |  |  | 					} else { | 
					
						
							|  |  |  | 						// TODO: write warning ? | 
					
						
							|  |  |  | 						accountName = string.Empty; | 
					
						
							|  |  |  | 					} | 
					
						
							|  |  |  | 				} else { | 
					
						
							|  |  |  | 					accountName = string.Format ("{0}\\{1}", referencedDomainName.ToString (), | 
					
						
							|  |  |  | 						name.ToString ()); | 
					
						
							|  |  |  | 				} | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 			return accountName; | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		private static string FetchMessage (string msgDll, uint messageID, string [] replacementStrings) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			// http://msdn.microsoft.com/library/en-us/debug/base/formatmessage.asp | 
					
						
							|  |  |  | 			// http://msdn.microsoft.com/msdnmag/issues/02/08/CQA/ | 
					
						
							|  |  |  | 			// http://msdn.microsoft.com/netframework/programming/netcf/cffaq/default.aspx | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			IntPtr msgDllHandle = PInvoke.LoadLibraryEx (msgDll, IntPtr.Zero, | 
					
						
							|  |  |  | 				LoadFlags.LibraryAsDataFile); | 
					
						
							|  |  |  | 			if (msgDllHandle == IntPtr.Zero) | 
					
						
							|  |  |  | 				// TODO: write warning | 
					
						
							|  |  |  | 				return null; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			IntPtr lpMsgBuf = IntPtr.Zero; | 
					
						
							|  |  |  | 			IntPtr [] arguments = new IntPtr [replacementStrings.Length]; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			try { | 
					
						
							|  |  |  | 				for (int i = 0; i < replacementStrings.Length; i++) { | 
					
						
							|  |  |  | 					arguments [i] = Marshal.StringToHGlobalAuto ( | 
					
						
							|  |  |  | 						replacementStrings [i]); | 
					
						
							|  |  |  | 				} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 				int ret = PInvoke.FormatMessage (FormatMessageFlags.ArgumentArray | | 
					
						
							|  |  |  | 					FormatMessageFlags.FromHModule | FormatMessageFlags.AllocateBuffer, | 
					
						
							|  |  |  | 					msgDllHandle, messageID, 0, ref lpMsgBuf, 0, arguments); | 
					
						
							|  |  |  | 				if (ret != 0) { | 
					
						
							|  |  |  | 					string sRet = Marshal.PtrToStringAuto (lpMsgBuf); | 
					
						
							|  |  |  | 					lpMsgBuf = PInvoke.LocalFree (lpMsgBuf); | 
					
						
							|  |  |  | 					// remove trailing whitespace (CRLF) | 
					
						
							|  |  |  | 					return sRet.TrimEnd (null); | 
					
						
							|  |  |  | 				} else { | 
					
						
							|  |  |  | 					int err = Marshal.GetLastWin32Error (); | 
					
						
							|  |  |  | 					if (err == MESSAGE_NOT_FOUND) { | 
					
						
							|  |  |  | 						// do not consider this a failure (or even warning) as | 
					
						
							|  |  |  | 						// multiple message resource DLLs may have been configured | 
					
						
							|  |  |  | 						// and as such we just need to try the next library if | 
					
						
							|  |  |  | 						// the current one does not contain a message for this | 
					
						
							|  |  |  | 						// ID | 
					
						
							|  |  |  | 					} else { | 
					
						
							|  |  |  | 						// TODO: report warning | 
					
						
							|  |  |  | 					} | 
					
						
							|  |  |  | 				} | 
					
						
							|  |  |  | 			} finally { | 
					
						
							|  |  |  | 				// release unmanaged memory allocated for replacement strings | 
					
						
							|  |  |  | 				for (int i = 0; i < arguments.Length; i++) { | 
					
						
							|  |  |  | 					IntPtr argument = arguments [i]; | 
					
						
							|  |  |  | 					if (argument != IntPtr.Zero) | 
					
						
							|  |  |  | 						Marshal.FreeHGlobal (argument); | 
					
						
							|  |  |  | 				} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 				PInvoke.FreeLibrary (msgDllHandle); | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 			return null; | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		private string [] GetMessageResourceDlls (string source, string valueName) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			// Some event sources (such as Userenv) have multiple message | 
					
						
							|  |  |  | 			// resource DLLs, delimited by a semicolon. | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			RegistryKey sourceKey = FindSourceKeyByName (source, | 
					
						
							|  |  |  | 				CoreEventLog.MachineName, false); | 
					
						
							|  |  |  | 			if (sourceKey != null) { | 
					
						
							|  |  |  | 				string value = sourceKey.GetValue (valueName) as string; | 
					
						
							|  |  |  | 				if (value != null) { | 
					
						
							|  |  |  | 					string [] msgResDlls = value.Split (';'); | 
					
						
							|  |  |  | 					return msgResDlls; | 
					
						
							|  |  |  | 				} | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 			return new string [0]; | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		private IntPtr ReadHandle { | 
					
						
							|  |  |  | 			get { | 
					
						
							|  |  |  | 				if (_readHandle != IntPtr.Zero) | 
					
						
							|  |  |  | 					return _readHandle; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 				string logName = CoreEventLog.GetLogName (); | 
					
						
							|  |  |  | 				_readHandle = PInvoke.OpenEventLog (CoreEventLog.MachineName, | 
					
						
							|  |  |  | 					logName); | 
					
						
							|  |  |  | 				if (_readHandle == IntPtr.Zero) | 
					
						
							|  |  |  | 					throw new InvalidOperationException (string.Format ( | 
					
						
							|  |  |  | 						CultureInfo.InvariantCulture, "Event Log '{0}' on computer" | 
					
						
							|  |  |  | 						+ " '{1}' cannot be opened.", logName, CoreEventLog.MachineName), | 
					
						
							|  |  |  | 						new Win32Exception ()); | 
					
						
							|  |  |  | 				return _readHandle; | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		private IntPtr RegisterEventSource () | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			IntPtr hEventLog = PInvoke.RegisterEventSource ( | 
					
						
							|  |  |  | 				CoreEventLog.MachineName, CoreEventLog.Source); | 
					
						
							|  |  |  | 			if (hEventLog == IntPtr.Zero) { | 
					
						
							|  |  |  | 				throw new InvalidOperationException (string.Format ( | 
					
						
							|  |  |  | 					CultureInfo.InvariantCulture, "Event source '{0}' on computer" | 
					
						
							|  |  |  | 					+ " '{1}' cannot be opened.", CoreEventLog.Source, | 
					
						
							|  |  |  | 					CoreEventLog.MachineName), new Win32Exception ()); | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 			return hEventLog; | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		public override void DisableNotification () | 
					
						
							|  |  |  | 		{ | 
					
						
							| 
									
										
										
										
											2017-04-10 11:41:01 +00:00
										 |  |  | 			lock (_eventLock) { | 
					
						
							|  |  |  | 				if (_notifyResetEvent != null) { | 
					
						
							|  |  |  | 					_notifyResetEvent.Close (); | 
					
						
							|  |  |  | 					_notifyResetEvent = null; | 
					
						
							|  |  |  | 				} | 
					
						
							| 
									
										
										
										
											2014-08-13 10:39:27 +01:00
										 |  |  | 				_notifyThread = null; | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		public override void EnableNotification () | 
					
						
							|  |  |  | 		{ | 
					
						
							| 
									
										
										
										
											2017-04-10 11:41:01 +00:00
										 |  |  | 			lock (_eventLock) { | 
					
						
							|  |  |  | 				if (_notifyResetEvent != null) | 
					
						
							|  |  |  | 					return; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 				_notifyResetEvent = new ManualResetEvent (false); | 
					
						
							|  |  |  | 				_lastEntryWritten = OldestEventLogEntry + EntryCount; | 
					
						
							|  |  |  | 				if (PInvoke.NotifyChangeEventLog (ReadHandle, _notifyResetEvent.SafeWaitHandle.DangerousGetHandle ()) == 0) | 
					
						
							|  |  |  | 					throw new InvalidOperationException (string.Format ( | 
					
						
							|  |  |  | 						CultureInfo.InvariantCulture, "Unable to receive notifications" | 
					
						
							|  |  |  | 						+ " for log '{0}' on computer '{1}'.", CoreEventLog.GetLogName (), | 
					
						
							|  |  |  | 						CoreEventLog.MachineName), new Win32Exception ()); | 
					
						
							|  |  |  | 				_notifyThread = new Thread (() => NotifyEventThread(_notifyResetEvent)); | 
					
						
							|  |  |  | 				_notifyThread.IsBackground = true; | 
					
						
							|  |  |  | 				_notifyThread.Start (); | 
					
						
							|  |  |  | 			} | 
					
						
							| 
									
										
										
										
											2014-08-13 10:39:27 +01:00
										 |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-04-10 11:41:01 +00:00
										 |  |  | 		private void NotifyEventThread (ManualResetEvent resetEvent) | 
					
						
							| 
									
										
										
										
											2014-08-13 10:39:27 +01:00
										 |  |  | 		{ | 
					
						
							| 
									
										
										
										
											2018-01-24 17:04:36 +00:00
										 |  |  | 			if (resetEvent == null) | 
					
						
							|  |  |  | 				return; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-08-13 10:39:27 +01:00
										 |  |  | 			while (true) { | 
					
						
							| 
									
										
										
										
											2017-04-10 11:41:01 +00:00
										 |  |  | 				try { | 
					
						
							|  |  |  | 					resetEvent.WaitOne (); | 
					
						
							|  |  |  | 				} catch (ObjectDisposedException) { | 
					
						
							|  |  |  | 					// Notifications have been disabled and event  | 
					
						
							|  |  |  | 					// has been closed but not yet nulled. End thread. | 
					
						
							|  |  |  | 					break; | 
					
						
							| 
									
										
										
										
											2014-08-13 10:39:27 +01:00
										 |  |  | 				} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-04-10 11:41:01 +00:00
										 |  |  | 				lock (_eventLock) { | 
					
						
							|  |  |  | 					if (resetEvent != _notifyResetEvent) { | 
					
						
							|  |  |  | 						// A new thread has started with another reset event instance | 
					
						
							|  |  |  |  						// or DisableNotifications has been called, setting | 
					
						
							|  |  |  |  						// _notifyResetEvent to null. In both cases end this thread. | 
					
						
							|  |  |  | 						break; | 
					
						
							|  |  |  | 					} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 					if (_readHandle == IntPtr.Zero) | 
					
						
							|  |  |  | 						break; | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2014-08-13 10:39:27 +01:00
										 |  |  | 					int oldest_entry = OldestEventLogEntry; | 
					
						
							|  |  |  | 					if (_lastEntryWritten < oldest_entry) | 
					
						
							|  |  |  | 						_lastEntryWritten = oldest_entry; | 
					
						
							|  |  |  | 					int current_entry = _lastEntryWritten - oldest_entry; | 
					
						
							|  |  |  | 					int last_entry = EntryCount + oldest_entry; | 
					
						
							|  |  |  | 					for (int i = current_entry; i < (last_entry - 1); i++) { | 
					
						
							|  |  |  | 						EventLogEntry entry = GetEntry (i); | 
					
						
							|  |  |  | 						CoreEventLog.OnEntryWritten (entry); | 
					
						
							|  |  |  | 					} | 
					
						
							|  |  |  | 					_lastEntryWritten = last_entry; | 
					
						
							|  |  |  | 				} | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		public override OverflowAction OverflowAction { | 
					
						
							|  |  |  | 			get { throw new NotImplementedException (); } | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		public override int MinimumRetentionDays { | 
					
						
							|  |  |  | 			get { throw new NotImplementedException (); } | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		public override long MaximumKilobytes { | 
					
						
							|  |  |  | 			get { throw new NotImplementedException (); } | 
					
						
							|  |  |  | 			set { throw new NotImplementedException (); } | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		public override void ModifyOverflowPolicy (OverflowAction action, int retentionDays) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			throw new NotImplementedException (); | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		public override void RegisterDisplayName (string resourceFile, long resourceId) | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			throw new NotImplementedException (); | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		private class PInvoke | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			[DllImport ("advapi32.dll", SetLastError=true)] | 
					
						
							|  |  |  | 			public static extern int ClearEventLog (IntPtr hEventLog, string lpBackupFileName); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			[DllImport ("advapi32.dll", SetLastError=true)] | 
					
						
							|  |  |  | 			public static extern int CloseEventLog (IntPtr hEventLog); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			[DllImport ("advapi32.dll", SetLastError=true)] | 
					
						
							|  |  |  | 			public static extern int DeregisterEventSource (IntPtr hEventLog); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			[DllImport ("kernel32", CharSet=CharSet.Auto, SetLastError=true)] | 
					
						
							|  |  |  | 			public static extern int FormatMessage (FormatMessageFlags dwFlags, IntPtr lpSource, uint dwMessageId, int dwLanguageId, ref IntPtr lpBuffer, int nSize, IntPtr [] arguments); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			[DllImport ("kernel32", SetLastError=true)] | 
					
						
							|  |  |  | 			public static extern bool FreeLibrary (IntPtr hModule); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			[DllImport ("advapi32.dll", SetLastError=true)] | 
					
						
							|  |  |  | 			public static extern int GetNumberOfEventLogRecords (IntPtr hEventLog, ref int NumberOfRecords); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			[DllImport ("advapi32.dll", SetLastError=true)] | 
					
						
							|  |  |  | 			public static extern int GetOldestEventLogRecord (IntPtr hEventLog, ref int OldestRecord); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			[DllImport ("kernel32", SetLastError=true)] | 
					
						
							|  |  |  | 			public static extern IntPtr LoadLibraryEx (string lpFileName, IntPtr hFile, LoadFlags dwFlags); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			[DllImport ("kernel32", SetLastError=true)] | 
					
						
							|  |  |  | 			public static extern IntPtr LocalFree (IntPtr hMem); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			[DllImport ("advapi32.dll", SetLastError=true)] | 
					
						
							|  |  |  | 			public static extern bool LookupAccountSid ( | 
					
						
							|  |  |  | 				string lpSystemName, | 
					
						
							|  |  |  | 				[MarshalAs (UnmanagedType.LPArray)] byte [] Sid, | 
					
						
							|  |  |  | 				StringBuilder lpName, | 
					
						
							|  |  |  | 				ref uint cchName, | 
					
						
							|  |  |  | 				StringBuilder ReferencedDomainName, | 
					
						
							|  |  |  | 				ref uint cchReferencedDomainName, | 
					
						
							|  |  |  | 				out SidNameUse peUse); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			[DllImport ("advapi32.dll", SetLastError = true)] | 
					
						
							|  |  |  | 			public static extern int NotifyChangeEventLog (IntPtr hEventLog, IntPtr hEvent); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			[DllImport ("advapi32.dll", SetLastError=true)] | 
					
						
							|  |  |  | 			public static extern IntPtr OpenEventLog (string machineName, string logName); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			[DllImport ("advapi32.dll", SetLastError=true)] | 
					
						
							|  |  |  | 			public static extern IntPtr RegisterEventSource (string machineName, string sourceName); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			[DllImport ("advapi32.dll", SetLastError=true)] | 
					
						
							|  |  |  | 			public static extern int ReportEvent (IntPtr hHandle, ushort wType, | 
					
						
							|  |  |  | 				ushort wCategory, uint dwEventID, IntPtr sid, ushort wNumStrings, | 
					
						
							|  |  |  | 				uint dwDataSize, string [] lpStrings, byte [] lpRawData); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			[DllImport ("advapi32.dll", SetLastError=true)] | 
					
						
							|  |  |  | 			public static extern int ReadEventLog (IntPtr hEventLog, ReadFlags dwReadFlags, int dwRecordOffset, byte [] buffer, int nNumberOfBytesToRead, ref int pnBytesRead, ref int pnMinNumberOfBytesNeeded); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 			public const int ERROR_INSUFFICIENT_BUFFER = 122; | 
					
						
							|  |  |  | 			public const int ERROR_EVENTLOG_FILE_CHANGED = 1503; | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		private enum ReadFlags | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			Sequential = 0x001, | 
					
						
							|  |  |  | 			Seek = 0x002, | 
					
						
							|  |  |  | 			ForwardsRead = 0x004, | 
					
						
							|  |  |  | 			BackwardsRead = 0x008 | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		private enum LoadFlags: uint | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			LibraryAsDataFile = 0x002 | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		[Flags] | 
					
						
							|  |  |  | 		private enum FormatMessageFlags | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			AllocateBuffer = 0x100, | 
					
						
							|  |  |  | 			IgnoreInserts = 0x200, | 
					
						
							|  |  |  | 			FromHModule = 0x0800, | 
					
						
							|  |  |  | 			FromSystem = 0x1000, | 
					
						
							|  |  |  | 			ArgumentArray = 0x2000 | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 		private enum SidNameUse | 
					
						
							|  |  |  | 		{ | 
					
						
							|  |  |  | 			User = 1, | 
					
						
							|  |  |  | 			Group, | 
					
						
							|  |  |  | 			Domain, | 
					
						
							|  |  |  | 			lias, | 
					
						
							|  |  |  | 			WellKnownGroup, | 
					
						
							|  |  |  | 			DeletedAccount, | 
					
						
							|  |  |  | 			Invalid, | 
					
						
							|  |  |  | 			Unknown, | 
					
						
							|  |  |  | 			Computer | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | // http://msdn.microsoft.com/library/en-us/eventlog/base/eventlogrecord_str.asp: | 
					
						
							|  |  |  | // | 
					
						
							|  |  |  | // struct EVENTLOGRECORD { | 
					
						
							|  |  |  | //	int Length; | 
					
						
							|  |  |  | //	int Reserved; | 
					
						
							|  |  |  | //	int RecordNumber; | 
					
						
							|  |  |  | //	int TimeGenerated; | 
					
						
							|  |  |  | //	int TimeWritten; | 
					
						
							|  |  |  | //	int EventID; | 
					
						
							|  |  |  | //	short EventType; | 
					
						
							|  |  |  | //	short NumStrings; | 
					
						
							|  |  |  | //	short EventCategory; | 
					
						
							|  |  |  | //	short ReservedFlags; | 
					
						
							|  |  |  | //	int ClosingRecordNumber; | 
					
						
							|  |  |  | //	int StringOffset; | 
					
						
							|  |  |  | //	int UserSidLength; | 
					
						
							|  |  |  | //	int UserSidOffset; | 
					
						
							|  |  |  | //	int DataLength; | 
					
						
							|  |  |  | //	int DataOffset; | 
					
						
							|  |  |  | // } | 
					
						
							|  |  |  | // | 
					
						
							|  |  |  | // http://www.whitehats.ca/main/members/Malik/malik_eventlogs/malik_eventlogs.html |