2 * PROJECT: ReactOS kernel
3 * LICENSE: GPL - See COPYING in the top level directory
4 * FILE: services/eventlog/eventlog.c
5 * PURPOSE: Event logging service
6 * COPYRIGHT: Copyright 2002 Eric Kohl
7 * Copyright 2005 Saveliy Tretiakov
10 /* INCLUDES *****************************************************************/
14 /* GLOBALS ******************************************************************/
16 static VOID CALLBACK
ServiceMain(DWORD
, LPWSTR
*);
17 static WCHAR ServiceName
[] = L
"EventLog";
18 static SERVICE_TABLE_ENTRYW ServiceTable
[2] =
20 { ServiceName
, ServiceMain
},
24 SERVICE_STATUS ServiceStatus
;
25 SERVICE_STATUS_HANDLE ServiceStatusHandle
;
27 BOOL onLiveCD
= FALSE
; // On livecd events will go to debug output only
30 /* FUNCTIONS ****************************************************************/
33 UpdateServiceStatus(DWORD dwState
)
35 ServiceStatus
.dwServiceType
= SERVICE_WIN32_OWN_PROCESS
;
36 ServiceStatus
.dwCurrentState
= dwState
;
37 ServiceStatus
.dwControlsAccepted
= 0;
38 ServiceStatus
.dwWin32ExitCode
= 0;
39 ServiceStatus
.dwServiceSpecificExitCode
= 0;
40 ServiceStatus
.dwCheckPoint
= 0;
42 if (dwState
== SERVICE_START_PENDING
||
43 dwState
== SERVICE_STOP_PENDING
||
44 dwState
== SERVICE_PAUSE_PENDING
||
45 dwState
== SERVICE_CONTINUE_PENDING
)
46 ServiceStatus
.dwWaitHint
= 10000;
48 ServiceStatus
.dwWaitHint
= 0;
50 SetServiceStatus(ServiceStatusHandle
,
55 ServiceControlHandler(DWORD dwControl
,
60 DPRINT("ServiceControlHandler() called\n");
64 case SERVICE_CONTROL_STOP
:
65 DPRINT(" SERVICE_CONTROL_STOP received\n");
66 /* Stop listening to incoming RPC messages */
67 RpcMgmtStopServerListening(NULL
);
68 UpdateServiceStatus(SERVICE_STOPPED
);
71 case SERVICE_CONTROL_PAUSE
:
72 DPRINT(" SERVICE_CONTROL_PAUSE received\n");
73 UpdateServiceStatus(SERVICE_PAUSED
);
76 case SERVICE_CONTROL_CONTINUE
:
77 DPRINT(" SERVICE_CONTROL_CONTINUE received\n");
78 UpdateServiceStatus(SERVICE_RUNNING
);
81 case SERVICE_CONTROL_INTERROGATE
:
82 DPRINT(" SERVICE_CONTROL_INTERROGATE received\n");
83 SetServiceStatus(ServiceStatusHandle
,
87 case SERVICE_CONTROL_SHUTDOWN
:
88 DPRINT(" SERVICE_CONTROL_SHUTDOWN received\n");
89 UpdateServiceStatus(SERVICE_STOPPED
);
93 DPRINT1(" Control %lu received\n");
94 return ERROR_CALL_NOT_IMPLEMENTED
;
104 hThread
= CreateThread(NULL
,
106 (LPTHREAD_START_ROUTINE
)
114 DPRINT("Can't create PortThread\n");
115 return GetLastError();
118 CloseHandle(hThread
);
120 hThread
= CreateThread(NULL
,
122 (LPTHREAD_START_ROUTINE
)
130 DPRINT("Can't create RpcThread\n");
131 return GetLastError();
134 CloseHandle(hThread
);
136 return ERROR_SUCCESS
;
141 ReportProductInfoEvent(VOID
)
143 OSVERSIONINFOW versionInfo
;
149 LONG lResult
= ERROR_SUCCESS
;
151 ZeroMemory(&versionInfo
, sizeof(OSVERSIONINFO
));
152 versionInfo
.dwOSVersionInfoSize
= sizeof(OSVERSIONINFO
);
154 /* Get version information */
155 if (!GetVersionExW(&versionInfo
))
158 ZeroMemory(szBuffer
, 512 * sizeof(WCHAR
));
160 /* Write version into the buffer */
161 dwLength
= swprintf(szBuffer
,
163 versionInfo
.dwMajorVersion
,
164 versionInfo
.dwMinorVersion
) + 1;
166 /* Write build number into the buffer */
167 dwLength
+= swprintf(&szBuffer
[dwLength
],
169 versionInfo
.dwBuildNumber
) + 1;
171 /* Write service pack info into the buffer */
172 wcscpy(&szBuffer
[dwLength
], versionInfo
.szCSDVersion
);
173 dwLength
+= wcslen(versionInfo
.szCSDVersion
) + 1;
175 /* Read 'CurrentType' from the registry and write it into the buffer */
176 lResult
= RegOpenKeyEx(HKEY_LOCAL_MACHINE
,
177 L
"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
181 if (lResult
== ERROR_SUCCESS
)
183 dwValueLength
= 512 - dwLength
;
184 lResult
= RegQueryValueEx(hKey
,
188 (LPBYTE
)&szBuffer
[dwLength
],
194 /* Log the product information */
195 LogfReportEvent(EVENTLOG_INFORMATION_TYPE
,
197 EVENT_EventLogProductInfo
,
206 ServiceMain(DWORD argc
,
211 UNREFERENCED_PARAMETER(argc
);
212 UNREFERENCED_PARAMETER(argv
);
214 DPRINT("ServiceMain() called\n");
216 ServiceStatusHandle
= RegisterServiceCtrlHandlerExW(ServiceName
,
217 ServiceControlHandler
,
219 if (!ServiceStatusHandle
)
221 dwError
= GetLastError();
222 DPRINT1("RegisterServiceCtrlHandlerW() failed! (Error %lu)\n", dwError
);
226 UpdateServiceStatus(SERVICE_START_PENDING
);
228 dwError
= ServiceInit();
229 if (dwError
!= ERROR_SUCCESS
)
231 DPRINT("Service stopped (dwError: %lu\n", dwError
);
232 UpdateServiceStatus(SERVICE_START_PENDING
);
236 DPRINT("Service started\n");
237 UpdateServiceStatus(SERVICE_RUNNING
);
239 ReportProductInfoEvent();
241 LogfReportEvent(EVENTLOG_INFORMATION_TYPE
,
243 EVENT_EventlogStarted
,
250 DPRINT("ServiceMain() done\n");
254 PLOGFILE
LoadLogFile(HKEY hKey
, WCHAR
* LogName
)
256 DWORD MaxValueLen
, ValueLen
, Type
, ExpandedLen
;
257 WCHAR
*Buf
= NULL
, *Expanded
= NULL
;
261 DPRINT("LoadLogFile: %S\n", LogName
);
263 RegQueryInfoKey(hKey
, NULL
, NULL
, NULL
, NULL
, NULL
, NULL
,
264 NULL
, NULL
, &MaxValueLen
, NULL
, NULL
);
266 Buf
= HeapAlloc(MyHeap
, 0, MaxValueLen
);
269 DPRINT1("Can't allocate heap!\n");
273 ValueLen
= MaxValueLen
;
275 Result
= RegQueryValueEx(hKey
,
281 if (Result
!= ERROR_SUCCESS
)
283 DPRINT1("RegQueryValueEx failed: %d\n", GetLastError());
284 HeapFree(MyHeap
, 0, Buf
);
288 if (Type
!= REG_EXPAND_SZ
&& Type
!= REG_SZ
)
290 DPRINT1("%S\\File - value of wrong type %x.\n", LogName
, Type
);
291 HeapFree(MyHeap
, 0, Buf
);
295 ExpandedLen
= ExpandEnvironmentStrings(Buf
, NULL
, 0);
296 Expanded
= HeapAlloc(MyHeap
, 0, ExpandedLen
* sizeof(WCHAR
));
299 DPRINT1("Can't allocate heap!\n");
300 HeapFree(MyHeap
, 0, Buf
);
304 ExpandEnvironmentStrings(Buf
, Expanded
, ExpandedLen
);
306 DPRINT("%S -> %S\n", Buf
, Expanded
);
308 pLogf
= LogfCreate(LogName
, Expanded
);
312 DPRINT1("Failed to create %S!\n", Expanded
);
315 HeapFree(MyHeap
, 0, Buf
);
316 HeapFree(MyHeap
, 0, Expanded
);
320 BOOL
LoadLogFiles(HKEY eventlogKey
)
323 DWORD MaxLognameLen
, LognameLen
;
328 RegQueryInfoKey(eventlogKey
,
329 NULL
, NULL
, NULL
, NULL
,
331 NULL
, NULL
, NULL
, NULL
, NULL
, NULL
);
335 Buf
= HeapAlloc(MyHeap
, 0, MaxLognameLen
* sizeof(WCHAR
));
339 DPRINT1("Error: can't allocate heap!\n");
344 LognameLen
= MaxLognameLen
;
346 while (RegEnumKeyEx(eventlogKey
,
350 NULL
, NULL
, NULL
, NULL
) == ERROR_SUCCESS
)
356 result
= RegOpenKeyEx(eventlogKey
, Buf
, 0, KEY_ALL_ACCESS
, &SubKey
);
357 if (result
!= ERROR_SUCCESS
)
359 DPRINT1("Failed to open %S key.\n", Buf
);
360 HeapFree(MyHeap
, 0, Buf
);
364 pLogFile
= LoadLogFile(SubKey
, Buf
);
365 if (pLogFile
!= NULL
)
367 DPRINT("Loaded %S\n", Buf
);
368 LoadEventSources(SubKey
, pLogFile
);
372 DPRINT1("Failed to load %S\n", Buf
);
376 LognameLen
= MaxLognameLen
;
380 HeapFree(MyHeap
, 0, Buf
);
386 WCHAR LogPath
[MAX_PATH
];
391 LogfListInitialize();
392 InitEventSourceList();
394 MyHeap
= HeapCreate(0, 1024 * 256, 0);
398 DPRINT1("FATAL ERROR, can't create heap.\n");
403 GetWindowsDirectory(LogPath
, MAX_PATH
);
405 if (GetDriveType(LogPath
) == DRIVE_CDROM
)
407 DPRINT("LiveCD detected\n");
412 result
= RegOpenKeyEx(HKEY_LOCAL_MACHINE
,
413 L
"SYSTEM\\CurrentControlSet\\Services\\EventLog",
418 if (result
!= ERROR_SUCCESS
)
420 DPRINT1("Fatal error: can't open eventlog registry key.\n");
425 LoadLogFiles(elogKey
);
428 StartServiceCtrlDispatcher(ServiceTable
);
439 VOID
EventTimeToSystemTime(DWORD EventTime
, SYSTEMTIME
* pSystemTime
)
441 SYSTEMTIME st1970
= { 1970, 1, 0, 1, 0, 0, 0, 0 };
449 uUCT
.ft
.dwHighDateTime
= 0;
450 uUCT
.ft
.dwLowDateTime
= EventTime
;
451 SystemTimeToFileTime(&st1970
, &u1970
.ft
);
452 uUCT
.ll
= uUCT
.ll
* 10000000 + u1970
.ll
;
453 FileTimeToLocalFileTime(&uUCT
.ft
, &ftLocal
);
454 FileTimeToSystemTime(&ftLocal
, pSystemTime
);
457 VOID
SystemTimeToEventTime(SYSTEMTIME
* pSystemTime
, DWORD
* pEventTime
)
459 SYSTEMTIME st1970
= { 1970, 1, 0, 1, 0, 0, 0, 0 };
466 SystemTimeToFileTime(pSystemTime
, &Time
.ft
);
467 SystemTimeToFileTime(&st1970
, &u1970
.ft
);
468 *pEventTime
= (DWORD
)((Time
.ll
- u1970
.ll
) / 10000000ull);
471 VOID
PRINT_HEADER(PEVENTLOGHEADER header
)
473 DPRINT("HeaderSize = %d\n", header
->HeaderSize
);
474 DPRINT("Signature = 0x%x\n", header
->Signature
);
475 DPRINT("MajorVersion = %d\n", header
->MajorVersion
);
476 DPRINT("MinorVersion = %d\n", header
->MinorVersion
);
477 DPRINT("StartOffset = %d\n", header
->StartOffset
);
478 DPRINT("EndOffset = 0x%x\n", header
->EndOffset
);
479 DPRINT("CurrentRecordNumber = %d\n", header
->CurrentRecordNumber
);
480 DPRINT("OldestRecordNumber = %d\n", header
->OldestRecordNumber
);
481 DPRINT("MaxSize = 0x%x\n", header
->MaxSize
);
482 DPRINT("Retention = 0x%x\n", header
->Retention
);
483 DPRINT("EndHeaderSize = %d\n", header
->EndHeaderSize
);
485 if (header
->Flags
& ELF_LOGFILE_HEADER_DIRTY
) DPRINT("ELF_LOGFILE_HEADER_DIRTY");
486 if (header
->Flags
& ELF_LOGFILE_HEADER_WRAP
) DPRINT("| ELF_LOGFILE_HEADER_WRAP ");
487 if (header
->Flags
& ELF_LOGGFILE_LOGFULL_WRITTEN
) DPRINT("| ELF_LOGGFILE_LOGFULL_WRITTEN ");
488 if (header
->Flags
& ELF_LOGFILE_ARCHIVE_SET
) DPRINT("| ELF_LOGFILE_ARCHIVE_SET ");
492 VOID
PRINT_RECORD(PEVENTLOGRECORD pRec
)
498 DPRINT("Length = %d\n", pRec
->Length
);
499 DPRINT("Reserved = 0x%x\n", pRec
->Reserved
);
500 DPRINT("RecordNumber = %d\n", pRec
->RecordNumber
);
502 EventTimeToSystemTime(pRec
->TimeGenerated
, &time
);
503 DPRINT("TimeGenerated = %d.%d.%d %d:%d:%d\n",
504 time
.wDay
, time
.wMonth
, time
.wYear
,
505 time
.wHour
, time
.wMinute
, time
.wSecond
);
507 EventTimeToSystemTime(pRec
->TimeWritten
, &time
);
508 DPRINT("TimeWritten = %d.%d.%d %d:%d:%d\n",
509 time
.wDay
, time
.wMonth
, time
.wYear
,
510 time
.wHour
, time
.wMinute
, time
.wSecond
);
512 DPRINT("EventID = %d\n", pRec
->EventID
);
514 switch (pRec
->EventType
)
516 case EVENTLOG_ERROR_TYPE
:
517 DPRINT("EventType = EVENTLOG_ERROR_TYPE\n");
519 case EVENTLOG_WARNING_TYPE
:
520 DPRINT("EventType = EVENTLOG_WARNING_TYPE\n");
522 case EVENTLOG_INFORMATION_TYPE
:
523 DPRINT("EventType = EVENTLOG_INFORMATION_TYPE\n");
525 case EVENTLOG_AUDIT_SUCCESS
:
526 DPRINT("EventType = EVENTLOG_AUDIT_SUCCESS\n");
528 case EVENTLOG_AUDIT_FAILURE
:
529 DPRINT("EventType = EVENTLOG_AUDIT_FAILURE\n");
532 DPRINT("EventType = %d\n", pRec
->EventType
);
535 DPRINT("NumStrings = %d\n", pRec
->NumStrings
);
536 DPRINT("EventCategory = %d\n", pRec
->EventCategory
);
537 DPRINT("ReservedFlags = 0x%x\n", pRec
->ReservedFlags
);
538 DPRINT("ClosingRecordNumber = %d\n", pRec
->ClosingRecordNumber
);
539 DPRINT("StringOffset = %d\n", pRec
->StringOffset
);
540 DPRINT("UserSidLength = %d\n", pRec
->UserSidLength
);
541 DPRINT("UserSidOffset = %d\n", pRec
->UserSidOffset
);
542 DPRINT("DataLength = %d\n", pRec
->DataLength
);
543 DPRINT("DataOffset = %d\n", pRec
->DataOffset
);
545 DPRINT("SourceName: %S\n", (WCHAR
*) (((PBYTE
) pRec
) + sizeof(EVENTLOGRECORD
)));
547 i
= (lstrlenW((WCHAR
*) (((PBYTE
) pRec
) + sizeof(EVENTLOGRECORD
))) + 1) *
550 DPRINT("ComputerName: %S\n", (WCHAR
*) (((PBYTE
) pRec
) + sizeof(EVENTLOGRECORD
) + i
));
552 if (pRec
->StringOffset
< pRec
->Length
&& pRec
->NumStrings
)
554 DPRINT("Strings:\n");
555 str
= (WCHAR
*) (((PBYTE
) pRec
) + pRec
->StringOffset
);
556 for (i
= 0; i
< pRec
->NumStrings
; i
++)
558 DPRINT("[%d] %S\n", i
, str
);
559 str
= str
+ lstrlenW(str
) + 1;
563 DPRINT("Length2 = %d\n", *(PDWORD
) (((PBYTE
) pRec
) + pRec
->Length
- 4));