2014-08-13 10:39:27 +01:00
|
|
|
//
|
|
|
|
// System.Diagnostics.Win32EventLog.cs
|
|
|
|
//
|
|
|
|
// Author:
|
|
|
|
// Gert Driesen <driesen@users.sourceforge.net>
|
|
|
|
//
|
|
|
|
// Copyright (C) 2006 Novell, Inc (http://www.novell.com)
|
|
|
|
//
|
|
|
|
//
|
|
|
|
// a copy of this software and associated documentation files (the
|
|
|
|
// "Software"), to deal in the Software without restriction, including
|
|
|
|
// without limitation the rights to use, copy, modify, merge, publish,
|
|
|
|
// distribute, sublicense, and/or sell copies of the Software, and to
|
|
|
|
// permit persons to whom the Software is furnished to do so, subject to
|
|
|
|
// the following conditions:
|
|
|
|
//
|
|
|
|
// The above copyright notice and this permission notice shall be
|
|
|
|
// included in all copies or substantial portions of the Software.
|
|
|
|
//
|
|
|
|
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
|
|
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
|
|
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
|
|
// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
|
|
|
// LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
|
|
// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
|
|
|
// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
|
|
//
|
|
|
|
|
|
|
|
using System;
|
2015-01-13 10:44:36 +00:00
|
|
|
using System.Collections.Generic;
|
2014-08-13 10:39:27 +01:00
|
|
|
using System.ComponentModel;
|
|
|
|
using System.Diagnostics;
|
|
|
|
using System.Globalization;
|
|
|
|
using System.IO;
|
|
|
|
using System.Runtime.InteropServices;
|
|
|
|
using System.Text;
|
|
|
|
using System.Threading;
|
|
|
|
|
|
|
|
using Microsoft.Win32;
|
|
|
|
|
|
|
|
namespace System.Diagnostics
|
|
|
|
{
|
|
|
|
internal class Win32EventLog : EventLogImpl
|
|
|
|
{
|
|
|
|
private const int MESSAGE_NOT_FOUND = 317;
|
|
|
|
private ManualResetEvent _notifyResetEvent;
|
|
|
|
private IntPtr _readHandle;
|
|
|
|
private Thread _notifyThread;
|
|
|
|
private int _lastEntryWritten;
|
2017-04-10 11:41:01 +00:00
|
|
|
private Object _eventLock = new object();
|
2014-08-13 10:39:27 +01:00
|
|
|
|
|
|
|
public Win32EventLog (EventLog coreEventLog)
|
|
|
|
: base (coreEventLog)
|
|
|
|
{
|
|
|
|
}
|
|
|
|
|
|
|
|
public override void BeginInit ()
|
|
|
|
{
|
|
|
|
}
|
|
|
|
|
|
|
|
public override void Clear ()
|
|
|
|
{
|
|
|
|
int ret = PInvoke.ClearEventLog (ReadHandle, null);
|
|
|
|
if (ret != 1)
|
|
|
|
throw new Win32Exception (Marshal.GetLastWin32Error ());
|
|
|
|
}
|
|
|
|
|
|
|
|
public override void Close ()
|
|
|
|
{
|
2017-04-10 11:41:01 +00:00
|
|
|
lock (_eventLock) {
|
|
|
|
if (_readHandle != IntPtr.Zero) {
|
|
|
|
CloseEventLog (_readHandle);
|
|
|
|
_readHandle = IntPtr.Zero;
|
|
|
|
}
|
2014-08-13 10:39:27 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
public override void CreateEventSource (EventSourceCreationData sourceData)
|
|
|
|
{
|
|
|
|
using (RegistryKey eventLogKey = GetEventLogKey (sourceData.MachineName, true)) {
|
|
|
|
if (eventLogKey == null)
|
|
|
|
throw new InvalidOperationException ("EventLog registry key is missing.");
|
|
|
|
|
|
|
|
bool logKeyCreated = false;
|
|
|
|
RegistryKey logKey = null;
|
|
|
|
try {
|
|
|
|
logKey = eventLogKey.OpenSubKey (sourceData.LogName, true);
|
|
|
|
if (logKey == null) {
|
|
|
|
ValidateCustomerLogName (sourceData.LogName,
|
|
|
|
sourceData.MachineName);
|
|
|
|
|
|
|
|
logKey = eventLogKey.CreateSubKey (sourceData.LogName);
|
|
|
|
logKey.SetValue ("Sources", new string [] { sourceData.LogName,
|
|
|
|
sourceData.Source });
|
|
|
|
UpdateLogRegistry (logKey);
|
|
|
|
|
|
|
|
using (RegistryKey sourceKey = logKey.CreateSubKey (sourceData.LogName)) {
|
|
|
|
UpdateSourceRegistry (sourceKey, sourceData);
|
|
|
|
}
|
|
|
|
|
|
|
|
logKeyCreated = true;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (sourceData.LogName != sourceData.Source) {
|
|
|
|
if (!logKeyCreated) {
|
|
|
|
string [] sources = (string []) logKey.GetValue ("Sources");
|
|
|
|
if (sources == null) {
|
|
|
|
logKey.SetValue ("Sources", new string [] { sourceData.LogName,
|
|
|
|
sourceData.Source });
|
|
|
|
} else {
|
|
|
|
bool found = false;
|
|
|
|
for (int i = 0; i < sources.Length; i++) {
|
|
|
|
if (sources [i] == sourceData.Source) {
|
|
|
|
found = true;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (!found) {
|
|
|
|
string [] newSources = new string [sources.Length + 1];
|
|
|
|
Array.Copy (sources, 0, newSources, 0, sources.Length);
|
|
|
|
newSources [sources.Length] = sourceData.Source;
|
|
|
|
logKey.SetValue ("Sources", newSources);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
using (RegistryKey sourceKey = logKey.CreateSubKey (sourceData.Source)) {
|
|
|
|
UpdateSourceRegistry (sourceKey, sourceData);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
} finally {
|
|
|
|
if (logKey != null)
|
|
|
|
logKey.Close ();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
public override void Delete (string logName, string machineName)
|
|
|
|
{
|
|
|
|
using (RegistryKey eventLogKey = GetEventLogKey (machineName, true)) {
|
|
|
|
if (eventLogKey == null)
|
|
|
|
throw new InvalidOperationException ("The event log key does not exist.");
|
|
|
|
|
|
|
|
using (RegistryKey logKey = eventLogKey.OpenSubKey (logName, false)) {
|
|
|
|
if (logKey == null)
|
|
|
|
throw new InvalidOperationException (string.Format (
|
|
|
|
CultureInfo.InvariantCulture, "Event Log '{0}'"
|
|
|
|
+ " does not exist on computer '{1}'.", logName,
|
|
|
|
machineName));
|
|
|
|
|
|
|
|
// remove all eventlog entries for specified log
|
|
|
|
CoreEventLog.Clear ();
|
|
|
|
|
|
|
|
// remove file holding event log entries
|
|
|
|
string file = (string) logKey.GetValue ("File");
|
|
|
|
if (file != null) {
|
|
|
|
try {
|
|
|
|
File.Delete (file);
|
|
|
|
} catch (Exception) {
|
|
|
|
// .NET seems to ignore failures here
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
eventLogKey.DeleteSubKeyTree (logName);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
public override void DeleteEventSource (string source, string machineName)
|
|
|
|
{
|
|
|
|
using (RegistryKey logKey = FindLogKeyBySource (source, machineName, true)) {
|
|
|
|
if (logKey == null) {
|
|
|
|
throw new ArgumentException (string.Format (
|
|
|
|
CultureInfo.InvariantCulture, "The source '{0}' is not"
|
|
|
|
+ " registered on computer '{1}'.", source, machineName));
|
|
|
|
}
|
|
|
|
|
|
|
|
logKey.DeleteSubKeyTree (source);
|
|
|
|
|
|
|
|
string [] sources = (string []) logKey.GetValue ("Sources");
|
|
|
|
if (sources != null) {
|
2015-01-13 10:44:36 +00:00
|
|
|
var temp = new List<string> ();
|
2014-08-13 10:39:27 +01:00
|
|
|
for (int i = 0; i < sources.Length; i++)
|
|
|
|
if (sources [i] != source)
|
|
|
|
temp.Add (sources [i]);
|
2015-01-13 10:44:36 +00:00
|
|
|
string [] newSources = temp.ToArray ();
|
2014-08-13 10:39:27 +01:00
|
|
|
logKey.SetValue ("Sources", newSources);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
public override void Dispose (bool disposing)
|
|
|
|
{
|
|
|
|
Close ();
|
|
|
|
}
|
|
|
|
|
|
|
|
public override void EndInit ()
|
|
|
|
{
|
|
|
|
}
|
|
|
|
|
|
|
|
public override bool Exists (string logName, string machineName)
|
|
|
|
{
|
|
|
|
using (RegistryKey logKey = FindLogKeyByName (logName, machineName, false)) {
|
|
|
|
return (logKey != null);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
[MonoTODO] // ParameterResourceFile ??
|
|
|
|
protected override string FormatMessage (string source, uint messageID, string [] replacementStrings)
|
|
|
|
{
|
|
|
|
string formattedMessage = null;
|
|
|
|
|
|
|
|
string [] msgResDlls = GetMessageResourceDlls (source, "EventMessageFile");
|
|
|
|
for (int i = 0; i < msgResDlls.Length; i++) {
|
|
|
|
formattedMessage = FetchMessage (msgResDlls [i],
|
|
|
|
messageID, replacementStrings);
|
|
|
|
if (formattedMessage != null)
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
return formattedMessage != null ? formattedMessage : string.Join (
|
|
|
|
", ", replacementStrings);
|
|
|
|
}
|
|
|
|
|
|
|
|
private string FormatCategory (string source, int category)
|
|
|
|
{
|
|
|
|
string formattedCategory = null;
|
|
|
|
|
|
|
|
string [] msgResDlls = GetMessageResourceDlls (source, "CategoryMessageFile");
|
|
|
|
for (int i = 0; i < msgResDlls.Length; i++) {
|
|
|
|
formattedCategory = FetchMessage (msgResDlls [i],
|
|
|
|
(uint) category, new string [0]);
|
|
|
|
if (formattedCategory != null)
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
return formattedCategory != null ? formattedCategory : "(" +
|
|
|
|
category.ToString (CultureInfo.InvariantCulture) + ")";
|
|
|
|
}
|
|
|
|
|
|
|
|
protected override int GetEntryCount ()
|
|
|
|
{
|
|
|
|
int entryCount = 0;
|
|
|
|
int retVal = PInvoke.GetNumberOfEventLogRecords (ReadHandle, ref entryCount);
|
|
|
|
if (retVal != 1)
|
|
|
|
throw new Win32Exception (Marshal.GetLastWin32Error ());
|
|
|
|
return entryCount;
|
|
|
|
}
|
|
|
|
|
|
|
|
protected override EventLogEntry GetEntry (int index)
|
|
|
|
{
|
|
|
|
// http://msdn.microsoft.com/library/en-us/eventlog/base/readeventlog.asp
|
|
|
|
// http://msdn.microsoft.com/library/en-us/eventlog/base/eventlogrecord_str.asp
|
|
|
|
// http://www.whitehats.ca/main/members/Malik/malik_eventlogs/malik_eventlogs.html
|
|
|
|
|
|
|
|
index += OldestEventLogEntry;
|
|
|
|
|
|
|
|
int bytesRead = 0;
|
|
|
|
int minBufferNeeded = 0;
|
|
|
|
byte [] buffer = new byte [0x7ffff]; // according to MSDN this is the max size of the buffer
|
|
|
|
|
|
|
|
ReadEventLog (index, buffer, ref bytesRead, ref minBufferNeeded);
|
|
|
|
|
|
|
|
MemoryStream ms = new MemoryStream (buffer);
|
|
|
|
BinaryReader br = new BinaryReader (ms);
|
|
|
|
|
|
|
|
// skip first 8 bytes
|
|
|
|
br.ReadBytes (8);
|
|
|
|
|
|
|
|
int recordNumber = br.ReadInt32 (); // 8
|
|
|
|
|
|
|
|
int timeGeneratedSeconds = br.ReadInt32 (); // 12
|
|
|
|
int timeWrittenSeconds = br.ReadInt32 (); // 16
|
|
|
|
uint instanceID = br.ReadUInt32 ();
|
|
|
|
int eventID = EventLog.GetEventID (instanceID);
|
|
|
|
short eventType = br.ReadInt16 (); // 24
|
|
|
|
short numStrings = br.ReadInt16 (); ; // 26
|
|
|
|
short categoryNumber = br.ReadInt16 (); ; // 28
|
|
|
|
// skip reservedFlags
|
|
|
|
br.ReadInt16 (); // 30
|
|
|
|
// skip closingRecordNumber
|
|
|
|
br.ReadInt32 (); // 32
|
|
|
|
int stringOffset = br.ReadInt32 (); // 36
|
|
|
|
int userSidLength = br.ReadInt32 (); // 40
|
|
|
|
int userSidOffset = br.ReadInt32 (); // 44
|
|
|
|
int dataLength = br.ReadInt32 (); // 48
|
|
|
|
int dataOffset = br.ReadInt32 (); // 52
|
|
|
|
|
|
|
|
DateTime timeGenerated = new DateTime (1970, 1, 1).AddSeconds (
|
|
|
|
timeGeneratedSeconds);
|
|
|
|
|
|
|
|
DateTime timeWritten = new DateTime (1970, 1, 1).AddSeconds (
|
|
|
|
timeWrittenSeconds);
|
|
|
|
|
|
|
|
StringBuilder sb = new StringBuilder ();
|
|
|
|
while (br.PeekChar () != '\0')
|
|
|
|
sb.Append (br.ReadChar ());
|
|
|
|
br.ReadChar (); // skip the null-char
|
|
|
|
|
|
|
|
string sourceName = sb.ToString ();
|
|
|
|
|
|
|
|
sb.Length = 0;
|
|
|
|
while (br.PeekChar () != '\0')
|
|
|
|
sb.Append (br.ReadChar ());
|
|
|
|
br.ReadChar (); // skip the null-char
|
|
|
|
string machineName = sb.ToString ();
|
|
|
|
|
|
|
|
sb.Length = 0;
|
|
|
|
while (br.PeekChar () != '\0')
|
|
|
|
sb.Append (br.ReadChar ());
|
|
|
|
br.ReadChar (); // skip the null-char
|
|
|
|
|
|
|
|
string userName = null;
|
|
|
|
if (userSidLength != 0) {
|
|
|
|
// TODO: lazy init ?
|
|
|
|
ms.Position = userSidOffset;
|
|
|
|
byte [] sid = br.ReadBytes (userSidLength);
|
|
|
|
userName = LookupAccountSid (machineName, sid);
|
|
|
|
}
|
|
|
|
|
|
|
|
ms.Position = stringOffset;
|
|
|
|
string [] replacementStrings = new string [numStrings];
|
|
|
|
for (int i = 0; i < numStrings; i++) {
|
|
|
|
sb.Length = 0;
|
|
|
|
while (br.PeekChar () != '\0')
|
|
|
|
sb.Append (br.ReadChar ());
|
|
|
|
br.ReadChar (); // skip the null-char
|
|
|
|
replacementStrings [i] = sb.ToString ();
|
|
|
|
}
|
|
|
|
|
|
|
|
byte [] data = new byte [dataLength];
|
|
|
|
ms.Position = dataOffset;
|
|
|
|
br.Read (data, 0, dataLength);
|
|
|
|
|
|
|
|
// TODO: lazy fetch ??
|
|
|
|
string message = this.FormatMessage (sourceName, instanceID, replacementStrings);
|
|
|
|
string category = FormatCategory (sourceName, categoryNumber);
|
|
|
|
|
|
|
|
return new EventLogEntry (category, (short) categoryNumber, recordNumber,
|
|
|
|
eventID, sourceName, message, userName, machineName,
|
|
|
|
(EventLogEntryType) eventType, timeGenerated, timeWritten,
|
|
|
|
data, replacementStrings, instanceID);
|
|
|
|
}
|
|
|
|
|
|
|
|
[MonoTODO]
|
|
|
|
protected override string GetLogDisplayName ()
|
|
|
|
{
|
|
|
|
return CoreEventLog.Log;
|
|
|
|
}
|
|
|
|
|
|
|
|
protected override string [] GetLogNames (string machineName)
|
|
|
|
{
|
|
|
|
using (RegistryKey eventLogKey = GetEventLogKey (machineName, true)) {
|
|
|
|
if (eventLogKey == null)
|
|
|
|
return new string [0];
|
|
|
|
|
|
|
|
return eventLogKey.GetSubKeyNames ();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
public override string LogNameFromSourceName (string source, string machineName)
|
|
|
|
{
|
|
|
|
using (RegistryKey logKey = FindLogKeyBySource (source, machineName, false)) {
|
|
|
|
if (logKey == null)
|
|
|
|
return string.Empty;
|
|
|
|
|
|
|
|
return GetLogName (logKey);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
public override bool SourceExists (string source, string machineName)
|
|
|
|
{
|
|
|
|
RegistryKey logKey = FindLogKeyBySource (source, machineName, false);
|
|
|
|
if (logKey != null) {
|
|
|
|
logKey.Close ();
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
public override void WriteEntry (string [] replacementStrings, EventLogEntryType type, uint instanceID, short category, byte [] rawData)
|
|
|
|
{
|
|
|
|
IntPtr hEventLog = RegisterEventSource ();
|
|
|
|
try {
|
|
|
|
int ret = PInvoke.ReportEvent (hEventLog, (ushort) type,
|
|
|
|
(ushort) category, instanceID, IntPtr.Zero,
|
|
|
|
(ushort) replacementStrings.Length,
|
|
|
|
(uint) rawData.Length, replacementStrings, rawData);
|
|
|
|
if (ret != 1) {
|
|
|
|
throw new Win32Exception (Marshal.GetLastWin32Error ());
|
|
|
|
}
|
|
|
|
} finally {
|
|
|
|
DeregisterEventSource (hEventLog);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
private static void UpdateLogRegistry (RegistryKey logKey)
|
|
|
|
{
|
|
|
|
// TODO: write other Log values:
|
|
|
|
// - MaxSize
|
|
|
|
// - Retention
|
|
|
|
// - AutoBackupLogFiles
|
|
|
|
|
|
|
|
if (logKey.GetValue ("File") == null) {
|
|
|
|
string logName = GetLogName (logKey);
|
|
|
|
string file;
|
|
|
|
if (logName.Length > 8) {
|
|
|
|
file = logName.Substring (0, 8) + ".evt";
|
|
|
|
} else {
|
|
|
|
file = logName + ".evt";
|
|
|
|
}
|
|
|
|
string configPath = Path.Combine (Environment.GetFolderPath (
|
|
|
|
Environment.SpecialFolder.System), "config");
|
|
|
|
logKey.SetValue ("File", Path.Combine (configPath, file));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
private static void UpdateSourceRegistry (RegistryKey sourceKey, EventSourceCreationData data)
|
|
|
|
{
|
|
|
|
if (data.CategoryCount > 0)
|
|
|
|
sourceKey.SetValue ("CategoryCount", data.CategoryCount);
|
|
|
|
|
|
|
|
if (data.CategoryResourceFile != null && data.CategoryResourceFile.Length > 0)
|
|
|
|
sourceKey.SetValue ("CategoryMessageFile", data.CategoryResourceFile);
|
|
|
|
|
|
|
|
if (data.MessageResourceFile != null && data.MessageResourceFile.Length > 0) {
|
|
|
|
sourceKey.SetValue ("EventMessageFile", data.MessageResourceFile);
|
|
|
|
} else {
|
|
|
|
// FIXME: write default once we have approval for shipping EventLogMessages.dll
|
|
|
|
}
|
|
|
|
|
|
|
|
if (data.ParameterResourceFile != null && data.ParameterResourceFile.Length > 0)
|
|
|
|
sourceKey.SetValue ("ParameterMessageFile", data.ParameterResourceFile);
|
|
|
|
}
|
|
|
|
|
|
|
|
private static string GetLogName (RegistryKey logKey)
|
|
|
|
{
|
|
|
|
string logName = logKey.Name;
|
|
|
|
return logName.Substring (logName.LastIndexOf ("\\") + 1);
|
|
|
|
}
|
|
|
|
|
|
|
|
private void ReadEventLog (int index, byte [] buffer, ref int bytesRead, ref int minBufferNeeded)
|
|
|
|
{
|
|
|
|
const int max_retries = 3;
|
|
|
|
|
|
|
|
// if the eventlog file changed since the handle was
|
|
|
|
// obtained, then we need to re-try multiple times
|
|
|
|
for (int i = 0; i < max_retries; i++) {
|
|
|
|
int ret = PInvoke.ReadEventLog (ReadHandle,
|
|
|
|
ReadFlags.Seek | ReadFlags.ForwardsRead,
|
|
|
|
index, buffer, buffer.Length, ref bytesRead,
|
|
|
|
ref minBufferNeeded);
|
|
|
|
if (ret != 1) {
|
|
|
|
int error = Marshal.GetLastWin32Error ();
|
|
|
|
if (i < (max_retries - 1)) {
|
|
|
|
CoreEventLog.Reset ();
|
|
|
|
} else {
|
|
|
|
throw new Win32Exception (error);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
[MonoTODO ("Support remote machines")]
|
|
|
|
private static RegistryKey GetEventLogKey (string machineName, bool writable)
|
|
|
|
{
|
|
|
|
return Registry.LocalMachine.OpenSubKey (@"SYSTEM\CurrentControlSet\Services\EventLog", writable);
|
|
|
|
}
|
|
|
|
|
|
|
|
private static RegistryKey FindSourceKeyByName (string source, string machineName, bool writable)
|
|
|
|
{
|
|
|
|
if (source == null || source.Length == 0)
|
|
|
|
return null;
|
|
|
|
|
|
|
|
RegistryKey eventLogKey = null;
|
|
|
|
try {
|
|
|
|
eventLogKey = GetEventLogKey (machineName, writable);
|
|
|
|
if (eventLogKey == null)
|
|
|
|
return null;
|
|
|
|
|
|
|
|
string [] subKeys = eventLogKey.GetSubKeyNames ();
|
|
|
|
for (int i = 0; i < subKeys.Length; i++) {
|
|
|
|
using (RegistryKey logKey = eventLogKey.OpenSubKey (subKeys [i], writable)) {
|
|
|
|
if (logKey == null)
|
|
|
|
break;
|
|
|
|
|
|
|
|
RegistryKey sourceKey = logKey.OpenSubKey (source, writable);
|
|
|
|
if (sourceKey != null)
|
|
|
|
return sourceKey;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return null;
|
|
|
|
} finally {
|
|
|
|
if (eventLogKey != null)
|
|
|
|
eventLogKey.Close ();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
private static RegistryKey FindLogKeyByName (string logName, string machineName, bool writable)
|
|
|
|
{
|
|
|
|
using (RegistryKey eventLogKey = GetEventLogKey (machineName, writable)) {
|
|
|
|
if (eventLogKey == null) {
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
|
|
|
|
return eventLogKey.OpenSubKey (logName, writable);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
private static RegistryKey FindLogKeyBySource (string source, string machineName, bool writable)
|
|
|
|
{
|
|
|
|
if (source == null || source.Length == 0)
|
|
|
|
return null;
|
|
|
|
|
|
|
|
RegistryKey eventLogKey = null;
|
|
|
|
try {
|
|
|
|
eventLogKey = GetEventLogKey (machineName, writable);
|
|
|
|
if (eventLogKey == null)
|
|
|
|
return null;
|
|
|
|
|
|
|
|
string [] subKeys = eventLogKey.GetSubKeyNames ();
|
|
|
|
for (int i = 0; i < subKeys.Length; i++) {
|
|
|
|
RegistryKey sourceKey = null;
|
|
|
|
try {
|
|
|
|
RegistryKey logKey = eventLogKey.OpenSubKey (subKeys [i], writable);
|
|
|
|
if (logKey != null) {
|
|
|
|
sourceKey = logKey.OpenSubKey (source, writable);
|
|
|
|
if (sourceKey != null)
|
|
|
|
return logKey;
|
|
|
|
}
|
|
|
|
} finally {
|
|
|
|
if (sourceKey != null)
|
|
|
|
sourceKey.Close ();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return null;
|
|
|
|
} finally {
|
|
|
|
if (eventLogKey != null)
|
|
|
|
eventLogKey.Close ();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
private int OldestEventLogEntry {
|
|
|
|
get {
|
|
|
|
int oldestEventLogEntry = 0;
|
|
|
|
int ret = PInvoke.GetOldestEventLogRecord (ReadHandle, ref oldestEventLogEntry);
|
|
|
|
if (ret != 1) {
|
|
|
|
throw new Win32Exception (Marshal.GetLastWin32Error ());
|
|
|
|
}
|
|
|
|
return oldestEventLogEntry;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
private void CloseEventLog (IntPtr hEventLog)
|
|
|
|
{
|
|
|
|
int ret = PInvoke.CloseEventLog (hEventLog);
|
|
|
|
if (ret != 1) {
|
|
|
|
throw new Win32Exception (Marshal.GetLastWin32Error ());
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
private void DeregisterEventSource (IntPtr hEventLog)
|
|
|
|
{
|
|
|
|
int ret = PInvoke.DeregisterEventSource (hEventLog);
|
|
|
|
if (ret != 1) {
|
|
|
|
throw new Win32Exception (Marshal.GetLastWin32Error ());
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
private static string LookupAccountSid (string machineName, byte [] sid)
|
|
|
|
{
|
|
|
|
// http://www.pinvoke.net/default.aspx/advapi32/LookupAccountSid.html
|
|
|
|
// http://msdn.microsoft.com/library/en-us/secauthz/security/lookupaccountsid.asp
|
|
|
|
|
|
|
|
StringBuilder name = new StringBuilder ();
|
|
|
|
uint cchName = (uint) name.Capacity;
|
|
|
|
StringBuilder referencedDomainName = new StringBuilder ();
|
|
|
|
uint cchReferencedDomainName = (uint) referencedDomainName.Capacity;
|
|
|
|
SidNameUse sidUse;
|
|
|
|
|
|
|
|
string accountName = null;
|
|
|
|
|
|
|
|
while (accountName == null) {
|
|
|
|
bool retOk = PInvoke.LookupAccountSid (machineName, sid, name, ref cchName,
|
|
|
|
referencedDomainName, ref cchReferencedDomainName,
|
|
|
|
out sidUse);
|
|
|
|
if (!retOk) {
|
|
|
|
int err = Marshal.GetLastWin32Error ();
|
|
|
|
if (err == PInvoke.ERROR_INSUFFICIENT_BUFFER) {
|
|
|
|
name.EnsureCapacity ((int) cchName);
|
|
|
|
referencedDomainName.EnsureCapacity ((int) cchReferencedDomainName);
|
|
|
|
} else {
|
|
|
|
// TODO: write warning ?
|
|
|
|
accountName = string.Empty;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
accountName = string.Format ("{0}\\{1}", referencedDomainName.ToString (),
|
|
|
|
name.ToString ());
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return accountName;
|
|
|
|
}
|
|
|
|
|
|
|
|
private static string FetchMessage (string msgDll, uint messageID, string [] replacementStrings)
|
|
|
|
{
|
|
|
|
// http://msdn.microsoft.com/library/en-us/debug/base/formatmessage.asp
|
|
|
|
// http://msdn.microsoft.com/msdnmag/issues/02/08/CQA/
|
|
|
|
// http://msdn.microsoft.com/netframework/programming/netcf/cffaq/default.aspx
|
|
|
|
|
|
|
|
IntPtr msgDllHandle = PInvoke.LoadLibraryEx (msgDll, IntPtr.Zero,
|
|
|
|
LoadFlags.LibraryAsDataFile);
|
|
|
|
if (msgDllHandle == IntPtr.Zero)
|
|
|
|
// TODO: write warning
|
|
|
|
return null;
|
|
|
|
|
|
|
|
IntPtr lpMsgBuf = IntPtr.Zero;
|
|
|
|
IntPtr [] arguments = new IntPtr [replacementStrings.Length];
|
|
|
|
|
|
|
|
try {
|
|
|
|
for (int i = 0; i < replacementStrings.Length; i++) {
|
|
|
|
arguments [i] = Marshal.StringToHGlobalAuto (
|
|
|
|
replacementStrings [i]);
|
|
|
|
}
|
|
|
|
|
|
|
|
int ret = PInvoke.FormatMessage (FormatMessageFlags.ArgumentArray |
|
|
|
|
FormatMessageFlags.FromHModule | FormatMessageFlags.AllocateBuffer,
|
|
|
|
msgDllHandle, messageID, 0, ref lpMsgBuf, 0, arguments);
|
|
|
|
if (ret != 0) {
|
|
|
|
string sRet = Marshal.PtrToStringAuto (lpMsgBuf);
|
|
|
|
lpMsgBuf = PInvoke.LocalFree (lpMsgBuf);
|
|
|
|
// remove trailing whitespace (CRLF)
|
|
|
|
return sRet.TrimEnd (null);
|
|
|
|
} else {
|
|
|
|
int err = Marshal.GetLastWin32Error ();
|
|
|
|
if (err == MESSAGE_NOT_FOUND) {
|
|
|
|
// do not consider this a failure (or even warning) as
|
|
|
|
// multiple message resource DLLs may have been configured
|
|
|
|
// and as such we just need to try the next library if
|
|
|
|
// the current one does not contain a message for this
|
|
|
|
// ID
|
|
|
|
} else {
|
|
|
|
// TODO: report warning
|
|
|
|
}
|
|
|
|
}
|
|
|
|
} finally {
|
|
|
|
// release unmanaged memory allocated for replacement strings
|
|
|
|
for (int i = 0; i < arguments.Length; i++) {
|
|
|
|
IntPtr argument = arguments [i];
|
|
|
|
if (argument != IntPtr.Zero)
|
|
|
|
Marshal.FreeHGlobal (argument);
|
|
|
|
}
|
|
|
|
|
|
|
|
PInvoke.FreeLibrary (msgDllHandle);
|
|
|
|
}
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
|
|
|
|
private string [] GetMessageResourceDlls (string source, string valueName)
|
|
|
|
{
|
|
|
|
// Some event sources (such as Userenv) have multiple message
|
|
|
|
// resource DLLs, delimited by a semicolon.
|
|
|
|
|
|
|
|
RegistryKey sourceKey = FindSourceKeyByName (source,
|
|
|
|
CoreEventLog.MachineName, false);
|
|
|
|
if (sourceKey != null) {
|
|
|
|
string value = sourceKey.GetValue (valueName) as string;
|
|
|
|
if (value != null) {
|
|
|
|
string [] msgResDlls = value.Split (';');
|
|
|
|
return msgResDlls;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return new string [0];
|
|
|
|
}
|
|
|
|
|
|
|
|
private IntPtr ReadHandle {
|
|
|
|
get {
|
|
|
|
if (_readHandle != IntPtr.Zero)
|
|
|
|
return _readHandle;
|
|
|
|
|
|
|
|
string logName = CoreEventLog.GetLogName ();
|
|
|
|
_readHandle = PInvoke.OpenEventLog (CoreEventLog.MachineName,
|
|
|
|
logName);
|
|
|
|
if (_readHandle == IntPtr.Zero)
|
|
|
|
throw new InvalidOperationException (string.Format (
|
|
|
|
CultureInfo.InvariantCulture, "Event Log '{0}' on computer"
|
|
|
|
+ " '{1}' cannot be opened.", logName, CoreEventLog.MachineName),
|
|
|
|
new Win32Exception ());
|
|
|
|
return _readHandle;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
private IntPtr RegisterEventSource ()
|
|
|
|
{
|
|
|
|
IntPtr hEventLog = PInvoke.RegisterEventSource (
|
|
|
|
CoreEventLog.MachineName, CoreEventLog.Source);
|
|
|
|
if (hEventLog == IntPtr.Zero) {
|
|
|
|
throw new InvalidOperationException (string.Format (
|
|
|
|
CultureInfo.InvariantCulture, "Event source '{0}' on computer"
|
|
|
|
+ " '{1}' cannot be opened.", CoreEventLog.Source,
|
|
|
|
CoreEventLog.MachineName), new Win32Exception ());
|
|
|
|
}
|
|
|
|
return hEventLog;
|
|
|
|
}
|
|
|
|
|
|
|
|
public override void DisableNotification ()
|
|
|
|
{
|
2017-04-10 11:41:01 +00:00
|
|
|
lock (_eventLock) {
|
|
|
|
if (_notifyResetEvent != null) {
|
|
|
|
_notifyResetEvent.Close ();
|
|
|
|
_notifyResetEvent = null;
|
|
|
|
}
|
2014-08-13 10:39:27 +01:00
|
|
|
_notifyThread = null;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
public override void EnableNotification ()
|
|
|
|
{
|
2017-04-10 11:41:01 +00:00
|
|
|
lock (_eventLock) {
|
|
|
|
if (_notifyResetEvent != null)
|
|
|
|
return;
|
|
|
|
|
|
|
|
_notifyResetEvent = new ManualResetEvent (false);
|
|
|
|
_lastEntryWritten = OldestEventLogEntry + EntryCount;
|
|
|
|
if (PInvoke.NotifyChangeEventLog (ReadHandle, _notifyResetEvent.SafeWaitHandle.DangerousGetHandle ()) == 0)
|
|
|
|
throw new InvalidOperationException (string.Format (
|
|
|
|
CultureInfo.InvariantCulture, "Unable to receive notifications"
|
|
|
|
+ " for log '{0}' on computer '{1}'.", CoreEventLog.GetLogName (),
|
|
|
|
CoreEventLog.MachineName), new Win32Exception ());
|
|
|
|
_notifyThread = new Thread (() => NotifyEventThread(_notifyResetEvent));
|
|
|
|
_notifyThread.IsBackground = true;
|
|
|
|
_notifyThread.Start ();
|
|
|
|
}
|
2014-08-13 10:39:27 +01:00
|
|
|
}
|
|
|
|
|
2017-04-10 11:41:01 +00:00
|
|
|
private void NotifyEventThread (ManualResetEvent resetEvent)
|
2014-08-13 10:39:27 +01:00
|
|
|
{
|
|
|
|
while (true) {
|
2017-04-10 11:41:01 +00:00
|
|
|
try {
|
|
|
|
resetEvent.WaitOne ();
|
|
|
|
} catch (ObjectDisposedException) {
|
|
|
|
// Notifications have been disabled and event
|
|
|
|
// has been closed but not yet nulled. End thread.
|
|
|
|
break;
|
2014-08-13 10:39:27 +01:00
|
|
|
}
|
|
|
|
|
2017-04-10 11:41:01 +00:00
|
|
|
lock (_eventLock) {
|
|
|
|
if (resetEvent != _notifyResetEvent) {
|
|
|
|
// A new thread has started with another reset event instance
|
|
|
|
// or DisableNotifications has been called, setting
|
|
|
|
// _notifyResetEvent to null. In both cases end this thread.
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (_readHandle == IntPtr.Zero)
|
|
|
|
break;
|
|
|
|
|
2014-08-13 10:39:27 +01:00
|
|
|
int oldest_entry = OldestEventLogEntry;
|
|
|
|
if (_lastEntryWritten < oldest_entry)
|
|
|
|
_lastEntryWritten = oldest_entry;
|
|
|
|
int current_entry = _lastEntryWritten - oldest_entry;
|
|
|
|
int last_entry = EntryCount + oldest_entry;
|
|
|
|
for (int i = current_entry; i < (last_entry - 1); i++) {
|
|
|
|
EventLogEntry entry = GetEntry (i);
|
|
|
|
CoreEventLog.OnEntryWritten (entry);
|
|
|
|
}
|
|
|
|
_lastEntryWritten = last_entry;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
public override OverflowAction OverflowAction {
|
|
|
|
get { throw new NotImplementedException (); }
|
|
|
|
}
|
|
|
|
|
|
|
|
public override int MinimumRetentionDays {
|
|
|
|
get { throw new NotImplementedException (); }
|
|
|
|
}
|
|
|
|
|
|
|
|
public override long MaximumKilobytes {
|
|
|
|
get { throw new NotImplementedException (); }
|
|
|
|
set { throw new NotImplementedException (); }
|
|
|
|
}
|
|
|
|
|
|
|
|
public override void ModifyOverflowPolicy (OverflowAction action, int retentionDays)
|
|
|
|
{
|
|
|
|
throw new NotImplementedException ();
|
|
|
|
}
|
|
|
|
|
|
|
|
public override void RegisterDisplayName (string resourceFile, long resourceId)
|
|
|
|
{
|
|
|
|
throw new NotImplementedException ();
|
|
|
|
}
|
|
|
|
|
|
|
|
private class PInvoke
|
|
|
|
{
|
|
|
|
[DllImport ("advapi32.dll", SetLastError=true)]
|
|
|
|
public static extern int ClearEventLog (IntPtr hEventLog, string lpBackupFileName);
|
|
|
|
|
|
|
|
[DllImport ("advapi32.dll", SetLastError=true)]
|
|
|
|
public static extern int CloseEventLog (IntPtr hEventLog);
|
|
|
|
|
|
|
|
[DllImport ("advapi32.dll", SetLastError=true)]
|
|
|
|
public static extern int DeregisterEventSource (IntPtr hEventLog);
|
|
|
|
|
|
|
|
[DllImport ("kernel32", CharSet=CharSet.Auto, SetLastError=true)]
|
|
|
|
public static extern int FormatMessage (FormatMessageFlags dwFlags, IntPtr lpSource, uint dwMessageId, int dwLanguageId, ref IntPtr lpBuffer, int nSize, IntPtr [] arguments);
|
|
|
|
|
|
|
|
[DllImport ("kernel32", SetLastError=true)]
|
|
|
|
public static extern bool FreeLibrary (IntPtr hModule);
|
|
|
|
|
|
|
|
[DllImport ("advapi32.dll", SetLastError=true)]
|
|
|
|
public static extern int GetNumberOfEventLogRecords (IntPtr hEventLog, ref int NumberOfRecords);
|
|
|
|
|
|
|
|
[DllImport ("advapi32.dll", SetLastError=true)]
|
|
|
|
public static extern int GetOldestEventLogRecord (IntPtr hEventLog, ref int OldestRecord);
|
|
|
|
|
|
|
|
[DllImport ("kernel32", SetLastError=true)]
|
|
|
|
public static extern IntPtr LoadLibraryEx (string lpFileName, IntPtr hFile, LoadFlags dwFlags);
|
|
|
|
|
|
|
|
[DllImport ("kernel32", SetLastError=true)]
|
|
|
|
public static extern IntPtr LocalFree (IntPtr hMem);
|
|
|
|
|
|
|
|
[DllImport ("advapi32.dll", SetLastError=true)]
|
|
|
|
public static extern bool LookupAccountSid (
|
|
|
|
string lpSystemName,
|
|
|
|
[MarshalAs (UnmanagedType.LPArray)] byte [] Sid,
|
|
|
|
StringBuilder lpName,
|
|
|
|
ref uint cchName,
|
|
|
|
StringBuilder ReferencedDomainName,
|
|
|
|
ref uint cchReferencedDomainName,
|
|
|
|
out SidNameUse peUse);
|
|
|
|
|
|
|
|
[DllImport ("advapi32.dll", SetLastError = true)]
|
|
|
|
public static extern int NotifyChangeEventLog (IntPtr hEventLog, IntPtr hEvent);
|
|
|
|
|
|
|
|
[DllImport ("advapi32.dll", SetLastError=true)]
|
|
|
|
public static extern IntPtr OpenEventLog (string machineName, string logName);
|
|
|
|
|
|
|
|
[DllImport ("advapi32.dll", SetLastError=true)]
|
|
|
|
public static extern IntPtr RegisterEventSource (string machineName, string sourceName);
|
|
|
|
|
|
|
|
[DllImport ("advapi32.dll", SetLastError=true)]
|
|
|
|
public static extern int ReportEvent (IntPtr hHandle, ushort wType,
|
|
|
|
ushort wCategory, uint dwEventID, IntPtr sid, ushort wNumStrings,
|
|
|
|
uint dwDataSize, string [] lpStrings, byte [] lpRawData);
|
|
|
|
|
|
|
|
[DllImport ("advapi32.dll", SetLastError=true)]
|
|
|
|
public static extern int ReadEventLog (IntPtr hEventLog, ReadFlags dwReadFlags, int dwRecordOffset, byte [] buffer, int nNumberOfBytesToRead, ref int pnBytesRead, ref int pnMinNumberOfBytesNeeded);
|
|
|
|
|
|
|
|
public const int ERROR_INSUFFICIENT_BUFFER = 122;
|
|
|
|
public const int ERROR_EVENTLOG_FILE_CHANGED = 1503;
|
|
|
|
}
|
|
|
|
|
|
|
|
private enum ReadFlags
|
|
|
|
{
|
|
|
|
Sequential = 0x001,
|
|
|
|
Seek = 0x002,
|
|
|
|
ForwardsRead = 0x004,
|
|
|
|
BackwardsRead = 0x008
|
|
|
|
}
|
|
|
|
|
|
|
|
private enum LoadFlags: uint
|
|
|
|
{
|
|
|
|
LibraryAsDataFile = 0x002
|
|
|
|
}
|
|
|
|
|
|
|
|
[Flags]
|
|
|
|
private enum FormatMessageFlags
|
|
|
|
{
|
|
|
|
AllocateBuffer = 0x100,
|
|
|
|
IgnoreInserts = 0x200,
|
|
|
|
FromHModule = 0x0800,
|
|
|
|
FromSystem = 0x1000,
|
|
|
|
ArgumentArray = 0x2000
|
|
|
|
}
|
|
|
|
|
|
|
|
private enum SidNameUse
|
|
|
|
{
|
|
|
|
User = 1,
|
|
|
|
Group,
|
|
|
|
Domain,
|
|
|
|
lias,
|
|
|
|
WellKnownGroup,
|
|
|
|
DeletedAccount,
|
|
|
|
Invalid,
|
|
|
|
Unknown,
|
|
|
|
Computer
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// http://msdn.microsoft.com/library/en-us/eventlog/base/eventlogrecord_str.asp:
|
|
|
|
//
|
|
|
|
// struct EVENTLOGRECORD {
|
|
|
|
// int Length;
|
|
|
|
// int Reserved;
|
|
|
|
// int RecordNumber;
|
|
|
|
// int TimeGenerated;
|
|
|
|
// int TimeWritten;
|
|
|
|
// int EventID;
|
|
|
|
// short EventType;
|
|
|
|
// short NumStrings;
|
|
|
|
// short EventCategory;
|
|
|
|
// short ReservedFlags;
|
|
|
|
// int ClosingRecordNumber;
|
|
|
|
// int StringOffset;
|
|
|
|
// int UserSidLength;
|
|
|
|
// int UserSidOffset;
|
|
|
|
// int DataLength;
|
|
|
|
// int DataOffset;
|
|
|
|
// }
|
|
|
|
//
|
|
|
|
// http://www.whitehats.ca/main/members/Malik/malik_eventlogs/malik_eventlogs.html
|