Windows2003-3790/admin/snapin/smonlog/smlogsvc/smlogsvc.c

5122 lines
168 KiB
C
Raw Normal View History

2001-01-01 00:00:00 +01:00
/*++
Copyright (c) 1996-1999 Microsoft Corporation
Module Name:
smlogsvc.c
Abstract:
service to log performance counter and trace data,
and to scan for alert conditions.
--*/
#ifndef UNICODE
#define UNICODE 1
#endif
#ifndef _UNICODE
#define _UNICODE 1
#endif
#ifndef _IMPLEMENT_WMI
#define _IMPLEMENT_WMI 1
#endif
//
// Windows Include files
//
#pragma warning ( disable : 4201)
#pragma warning ( disable : 4127)
// Define the following to use the minimum of shlwapip.h
#include <nt.h>
#include <ntrtl.h>
#include <nturtl.h>
#include <wtypes.h>
#include <limits.h>
#if _IMPLEMENT_WMI
#include <wmistr.h>
#include <objbase.h>
#include <initguid.h>
#include <evntrace.h>
#include <wmiguid.h>
#include <wmium.h>
#include <pdhmsg.h> // For BuildCurrentLogFileName
#include <pdhp.h>
#endif
#include <assert.h>
#include <limits.h>
#include <strsafe.h>
#include "common.h"
#include "smlogsvc.h"
#include "smlogmsg.h"
#define DEFAULT_LOG_FILE_FOLDER L"%SystemDrive%\\PerfLogs"
#define STATUS_MASK ((DWORD)0x3FFFFFFF)
// todo: Move SECONDS_IN_DAY definition
#define SECONDS_IN_DAY ((LONGLONG)(86400))
// Global variables used by all modules
HANDLE hEventLog = NULL;
HINSTANCE hModule = NULL;
DWORD* arrPdhDataCollectSuccess = NULL;
INT iPdhDataCollectSuccessCount = 0;
WCHAR gszDefaultLogFileFolder[MAX_PATH+1] = L"";
// hNewQueryEvent is signalled when a new query is started. This tells the main
// thread to reconfigure its array of Wait objects.
HANDLE hNewQueryEvent = NULL;
SERVICE_STATUS_HANDLE hSmLogStatus;
SERVICE_STATUS ssSmLogStatus;
// Static variables used by this module only
static PLOG_QUERY_DATA pFirstQuery = NULL;
static CRITICAL_SECTION QueryDataLock;
static CRITICAL_SECTION ConfigurationLock;
// Active session count should match the number of query data objects.
static DWORD dwActiveSessionCount = 0;
static DWORD dwMaxActiveSessionCount = MAXIMUM_WAIT_OBJECTS - 1;
static HANDLE arrSessionHandle[MAXIMUM_WAIT_OBJECTS];
// Local function prototypes
DWORD
LoadCommonConfig(
IN PLOG_QUERY_DATA pQuery);
void
LockQueryData ( void );
void
UnlockQueryData ( void );
PLOG_QUERY_DATA
GetQueryData (
LPCWSTR szQueryName );
void
FreeQueryData (
IN PLOG_QUERY_DATA pQuery );
void
RemoveAndFreeQueryData (
HANDLE hThisQuery );
BOOL
AlertFieldsMatch (
IN PLOG_QUERY_DATA pFirstQuery,
IN PLOG_QUERY_DATA pSecondQuery );
BOOL
CommonFieldsMatch (
IN PLOG_QUERY_DATA pFirstQuery,
IN PLOG_QUERY_DATA pSecondQuery );
BOOL
FieldsMatch (
IN PLOG_QUERY_DATA pFirstQuery,
IN PLOG_QUERY_DATA pSecondQuery );
DWORD
ConfigureQuery (
HKEY hKeyLogQuery,
WCHAR* szQueryKeyNameBuffer,
WCHAR* szQueryNameBuffer );
void
ClearTraceProperties (
IN PLOG_QUERY_DATA pQuery );
BOOL
TraceStopRestartFieldsMatch (
IN PLOG_QUERY_DATA pOrigQuery,
IN PLOG_QUERY_DATA pNewQuery );
DWORD
ReconfigureQuery (
IN PLOG_QUERY_DATA pQuery );
DWORD
StartQuery (
IN PLOG_QUERY_DATA pQuery );
DWORD
HandleMaxQueriesExceeded (
IN PLOG_QUERY_DATA pQuery );
DWORD
InitTraceGuids(
IN PLOG_QUERY_DATA pQuery );
BOOL
IsKernelTraceMode (
IN DWORD dwTraceFlags );
DWORD
LoadPdhLogUpdateSuccess ( void );
void
LoadDefaultLogFileFolder ( void );
#if _IMPLEMENT_WMI
DWORD
IsCreateNewFile (
IN PLOG_QUERY_DATA pQuery,
OUT BOOL* pbValidBySize,
OUT BOOL* pbValidByTime );
ULONG
TraceNotificationCallback(
IN PWNODE_HEADER pWnode,
IN UINT_PTR LogFileIndex )
{
UNREFERENCED_PARAMETER(LogFileIndex);
if ( NULL != pWnode ) {
if ( (IsEqualGUID(& pWnode->Guid, & TraceErrorGuid))
&& (pWnode->BufferSize >= (sizeof(WNODE_HEADER) + sizeof(ULONG))))
{
ULONG LoggerId = (ULONG) pWnode->HistoricalContext;
PLOG_QUERY_DATA pQuery = pFirstQuery;
ULONG Status = * ((ULONG *)
(((PUCHAR) pWnode) + sizeof(WNODE_HEADER)));
LOG_QUERY_DATA lqdTemp;
HRESULT hr = ERROR_SUCCESS;
DWORD dwStatus = ERROR_SUCCESS;
LockQueryData();
while ( NULL != pQuery ) {
if (pQuery->Properties.Wnode.HistoricalContext == LoggerId) {
break;
}
pQuery = pQuery->next;
}
if ( NULL != pQuery ) {
if ( STATUS_LOG_FILE_FULL == Status) {
LPWSTR szStringArray[2];
szStringArray[0] = pQuery->szQueryName;
szStringArray[1] = FormatEventLogMessage(Status);
ReportEvent (hEventLog,
EVENTLOG_WARNING_TYPE,
0,
SMLOG_UNABLE_UPDATE_LOG,
NULL,
2,
sizeof(DWORD),
szStringArray,
(LPVOID)&Status);
LocalFree( szStringArray[1] );
} else if (STATUS_THREAD_IS_TERMINATING == Status) {
if (pQuery->bExitOnTermination) {
pQuery->bCallCloseTraceLogger = FALSE;
SetEvent (pQuery->hExitEvent);
} else {
pQuery->bExitOnTermination = TRUE;
}
} else if ( STATUS_MEDIA_CHANGED == Status ) {
BOOL bRun = TRUE;
if( pQuery->hUserToken == NULL ){
// see if we can get a user token
hr = PdhiPlaRunAs( pQuery->szQueryName, NULL, &pQuery->hUserToken );
if ( ERROR_SUCCESS != hr ){
LPWSTR szStringArray[1];
szStringArray[0] = pQuery->szQueryName;
ReportEvent (hEventLog,
EVENTLOG_WARNING_TYPE,
0,
SMLOG_INVALID_CREDENTIALS,
NULL,
1,
sizeof(HRESULT),
szStringArray,
(LPVOID)&hr
);
bRun = FALSE;
}
}
// Run command file, supplying previous filename
if ( bRun && NULL != pQuery->szCmdFileName ) {
DoLogCommandFile (pQuery, pQuery->szLogFileName, TRUE);
}
// Retrieve the current log file name for the next notification.
dwStatus = GetTraceQueryStatus ( pQuery, &lqdTemp );
if ( ERROR_SUCCESS == dwStatus ) {
size_t cchMaxBufLen;
//
// Truncation is not an error. Only used to record name
// in registry for display
//
hr = StringCchLength ( pQuery->szLogFileName, MAX_PATH+1, &cchMaxBufLen );
hr = StringCchCopy ( pQuery->szLogFileName, cchMaxBufLen, lqdTemp.szLogFileName );
RegisterCurrentFile( pQuery->hKeyQuery, pQuery->szLogFileName, 0 );
} // else todo: report error
// Query to get the new filename
} else {
// report error
}
}
UnlockQueryData();
}
}
return ERROR_SUCCESS;
}
#endif
// Functions
DWORD
GetSystemWideDefaultNullDataSource()
{
static BOOLEAN bRead = FALSE;
static DWORD dwNullDataSource = DATA_SOURCE_REGISTRY;
if (bRead == FALSE) {
HKEY hKeyPDH = NULL;
DWORD dwStatus;
DWORD dwType = 0;
DWORD dwSize = sizeof(DWORD);
//
// On failure, default to Registry.
//
dwStatus = RegOpenKeyExW(
HKEY_LOCAL_MACHINE,
L"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\PDH",
0L,
KEY_READ,
& hKeyPDH);
if (dwStatus == ERROR_SUCCESS) {
dwStatus = RegQueryValueExW(
hKeyPDH,
L"DefaultNullDataSource",
NULL,
& dwType,
(LPBYTE) & dwNullDataSource,
& dwSize);
if ( dwStatus == ERROR_SUCCESS
&& dwType == REG_DWORD
&& dwNullDataSource == DATA_SOURCE_WBEM) {
dwNullDataSource = DATA_SOURCE_WBEM;
} // else default to DATA_SOURCE_REGISTRY
RegCloseKey(hKeyPDH);
}
bRead = TRUE;
}
return dwNullDataSource;
}
DWORD
ScanHexFormat(
IN const WCHAR* Buffer,
IN ULONG MaximumLength,
IN const WCHAR* Format,
...)
/*++
Routine Description:
Scans a source Buffer and places values from that buffer into the parameters
as specified by Format.
Arguments:
Buffer -
Contains the source buffer which is to be scanned.
MaximumLength -
Contains the maximum length in characters for which Buffer is searched.
This implies that Buffer need not be UNICODE_NULL terminated.
Format -
Contains the format string which defines both the acceptable string format
contained in Buffer, and the variable parameters which follow.
NOTE: This code is from \ntos\rtl\guid.c
Return Value:
Returns the number of parameters filled if the end of the Buffer is reached,
else -1 on an error.
--*/
{
va_list ArgList;
int FormatItems;
va_start(ArgList, Format);
for (FormatItems = 0;;) {
switch (*Format) {
case 0:
return (*Buffer && MaximumLength) ? -1 : FormatItems;
case '%':
Format++;
if (*Format != '%') {
ULONG Number;
int Width;
int Long;
PVOID Pointer;
for (Long = 0, Width = 0;; Format++) {
if ((*Format >= '0') && (*Format <= '9')) {
Width = Width * 10 + *Format - '0';
} else if (*Format == 'l') {
Long++;
} else if ((*Format == 'X') || (*Format == 'x')) {
break;
}
}
Format++;
for (Number = 0; Width--; Buffer++, MaximumLength--) {
if (!MaximumLength)
return (DWORD)(-1);
Number *= 16;
if ((*Buffer >= '0') && (*Buffer <= '9')) {
Number += (*Buffer - '0');
} else if ((*Buffer >= 'a') && (*Buffer <= 'f')) {
Number += (*Buffer - 'a' + 10);
} else if ((*Buffer >= 'A') && (*Buffer <= 'F')) {
Number += (*Buffer - 'A' + 10);
} else {
return (DWORD)(-1);
}
}
Pointer = va_arg(ArgList, PVOID);
if (Long) {
*(PULONG)Pointer = Number;
} else {
*(PUSHORT)Pointer = (USHORT)Number;
}
FormatItems++;
break;
}
/* no break */
default:
if (!MaximumLength || (*Buffer != *Format)) {
return (DWORD)(-1);
}
Buffer++;
MaximumLength--;
Format++;
break;
}
}
}
DWORD
GUIDFromString(
IN PUNICODE_STRING GuidString,
OUT GUID* Guid
)
/*++
Routine Description:
Retrieves a the binary format of a textual GUID presented in the standard
string version of a GUID: "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}".
Arguments:
GuidString -
Place from which to retrieve the textual form of the GUID.
Guid -
Place in which to put the binary form of the GUID.
NOTE: This code is from \ntos\rtl\guid.c
Return Value:
Returns ERROR_SUCCESS if the buffer contained a valid GUID, else
ERROR_INVALID_PARAMETER if the string was invalid.
--*/
{
USHORT Data4[8];
int Count;
WCHAR GuidFormat[] = L"{%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}";
for (Count = 0; Count < sizeof(Data4)/sizeof(Data4[0]); Count++) {
Data4[Count] = 0;
}
if (ScanHexFormat(GuidString->Buffer, GuidString->Length / sizeof(WCHAR), GuidFormat, &Guid->Data1, &Guid->Data2, &Guid->Data3, &Data4[0], &Data4[1], &Data4[2], &Data4[3], &Data4[4], &Data4[5], &Data4[6], &Data4[7]) == -1) {
return (DWORD)(ERROR_INVALID_PARAMETER);
}
for (Count = 0; Count < sizeof(Data4)/sizeof(Data4[0]); Count++) {
Guid->Data4[Count] = (UCHAR)Data4[Count];
}
return ERROR_SUCCESS;
}
LPWSTR
FormatEventLogMessage(DWORD dwStatus)
{
LPVOID lpMsgBuf = NULL;
HINSTANCE hPdh = NULL;
DWORD dwFlags = FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM;
hPdh = LoadLibrary (L"PDH.DLL");
if (NULL != hPdh){
dwFlags |= FORMAT_MESSAGE_FROM_HMODULE;
}
FormatMessage(
dwFlags,
hPdh,
dwStatus,
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPWSTR)&lpMsgBuf,
MAX_PATH,
NULL );
if ( NULL != hPdh ) {
FreeLibrary( hPdh );
}
return lpMsgBuf;
}
BOOL
IsKernelTraceMode (
IN DWORD dwTraceFlags )
{
BOOL bReturn = FALSE;
DWORD dwKernelMask = SLQ_TLI_ENABLE_KERNEL_TRACE
| SLQ_TLI_ENABLE_KERNEL_TRACE
| SLQ_TLI_ENABLE_MEMMAN_TRACE
| SLQ_TLI_ENABLE_FILEIO_TRACE
| SLQ_TLI_ENABLE_PROCESS_TRACE
| SLQ_TLI_ENABLE_THREAD_TRACE
| SLQ_TLI_ENABLE_DISKIO_TRACE
| SLQ_TLI_ENABLE_NETWORK_TCPIP_TRACE;
bReturn = ( dwKernelMask & dwTraceFlags ) ? TRUE : FALSE;
return bReturn;
}
long
JulianDateFromSystemTime(
SYSTEMTIME *pST )
{
static WORD wDaysInRegularMonth[] = {
31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334, 365
};
static WORD wDaysInLeapYearMonth[] = {
31, 60, 91, 121, 152, 182, 213, 244, 274, 305, 335, 366
};
long JDate = 0;
// Check for leap year.
if (pST->wMonth > 1) {
if ( ( pST->wYear % 400 == 0 )
|| ( pST->wYear % 100 != 0
&& pST->wYear % 4 == 0 ) ) {
// this is a leap year
JDate += wDaysInLeapYearMonth[pST->wMonth - 2];
} else {
// this is not a leap year
JDate += wDaysInRegularMonth[pST->wMonth - 2];
}
}
// Add in days for this month.
JDate += pST->wDay;
// Add in year.
JDate += (pST->wYear) * 1000;
return JDate;
}
DWORD
ReadRegistrySlqTime (
HKEY hKey,
LPCWSTR szQueryName, // For error logging
LPCWSTR szValueName,
PSLQ_TIME_INFO pPlqtDefault,
PSLQ_TIME_INFO pPlqtValue
)
//
// reads the time value "szValueName" from under hKey and
// returns it in the Value buffer
//
{
DWORD dwStatus = ERROR_SUCCESS;
DWORD dwType = 0;
DWORD dwBufferSize = 0;
SLQ_TIME_INFO plqLocal;
assert (pPlqtValue != NULL);
assert (szValueName != NULL);
if (hKey != NULL) {
// then there should be something to read
// find out the size of the required buffer
dwStatus = RegQueryValueExW (
hKey,
szValueName,
NULL,
&dwType,
NULL,
&dwBufferSize);
if (dwStatus == ERROR_SUCCESS) {
if ((dwBufferSize == sizeof(SLQ_TIME_INFO)) && (dwType == REG_BINARY)) {
// then there's something to read
dwType = 0;
memset (&plqLocal, 0, sizeof(SLQ_TIME_INFO));
dwStatus = RegQueryValueExW (
hKey,
szValueName,
NULL,
&dwType,
(LPBYTE)&plqLocal,
&dwBufferSize);
if ( ERROR_SUCCESS == dwStatus ) {
*pPlqtValue = plqLocal;
}
} else {
// nothing to read
dwStatus = ERROR_NO_DATA;
}
} else {
// unable to read buffer
// dwStatus has error
}
} else {
// null key
dwStatus = ERROR_BADKEY;
}
if (dwStatus != ERROR_SUCCESS) {
LPCWSTR szStringArray[2];
szStringArray[0] = szValueName;
szStringArray[1] = szQueryName;
// apply default if it exists
if (pPlqtDefault != NULL) {
ReportEvent (hEventLog,
EVENTLOG_WARNING_TYPE,
0,
SMLOG_UNABLE_READ_QUERY_VALUE,
NULL,
2,
sizeof(DWORD),
szStringArray,
(LPVOID)&dwStatus);
*pPlqtValue = *pPlqtDefault;
dwStatus = ERROR_SUCCESS;
}
// else no default.
// Leave it to the caller to log event.
}
return dwStatus;
}
DWORD
ReadRegistryDwordValue (
HKEY hKey,
LPCWSTR szQueryName,
LPCWSTR szValueName,
PDWORD pdwDefault,
LPDWORD pdwValue
)
//
// reads the DWORD value "szValueName" from under hKey and
// returns it in the Value buffer
//
{
DWORD dwStatus = ERROR_SUCCESS;
DWORD dwType = 0;
DWORD dwBufferSize = 0;
DWORD dwRegValue;
assert (pdwValue != NULL);
assert (szValueName != NULL);
if (hKey != NULL) {
// then there should be something to read
// find out the size of the required buffer
dwStatus = RegQueryValueExW (
hKey,
szValueName,
NULL,
&dwType,
NULL,
&dwBufferSize);
if (dwStatus == ERROR_SUCCESS) {
if ( (dwBufferSize == sizeof(DWORD))
&& ( (REG_DWORD == dwType) || ( REG_BINARY == dwType) ) ) {
// then there's something to read
dwType = 0;
dwStatus = RegQueryValueExW (
hKey,
szValueName,
NULL,
&dwType,
(LPBYTE)&dwRegValue,
&dwBufferSize);
if (dwStatus == ERROR_SUCCESS) {
*pdwValue = dwRegValue;
}
} else {
// nothing to read
dwStatus = ERROR_NO_DATA;
}
} else {
// unable to read buffer
// dwStatus has error
}
} else {
// null key
dwStatus = ERROR_BADKEY;
}
if (dwStatus != ERROR_SUCCESS) {
LPCWSTR szStringArray[2];
szStringArray[0] = szValueName;
szStringArray[1] = szQueryName;
if (pdwDefault != NULL) {
ReportEvent (hEventLog,
EVENTLOG_WARNING_TYPE,
0,
SMLOG_UNABLE_READ_QUERY_VALUE,
NULL,
2,
sizeof(DWORD),
szStringArray,
(LPVOID)&dwStatus);
*pdwValue = *pdwDefault;
dwStatus = ERROR_SUCCESS;
} // else no default.
// Leave it to the caller to log event.
}
return dwStatus;
}
DWORD
ReadRegistryStringValue (
HKEY hKey,
LPCWSTR szQueryName,
LPCWSTR szValueName,
LPCWSTR szDefault,
LPWSTR *pszBuffer,
LPDWORD pcbSize
)
//
// Reads the string value "szValueName" from under hKey and
// frees any existing buffer referenced by pszBuffer,
// then allocates a new buffer returning it with the
// string value read from the registry and the size of the
// buffer in bytes.
//
{
DWORD dwStatus = ERROR_SUCCESS;
DWORD dwType = 0;
DWORD dwBufferSize = 0;
size_t cchBufLen = 0;
WCHAR* szNewStringBuffer = NULL;
assert (pcbSize!= NULL);
assert (szValueName != NULL);
if ( NULL != pcbSize ) {
*pcbSize = 0;
}
if (hKey != NULL) {
//
// There should be something to read.
// Find out the size of the required buffer.
//
dwStatus = RegQueryValueExW (
hKey,
szValueName,
NULL,
&dwType,
NULL,
&dwBufferSize);
if (dwStatus == ERROR_SUCCESS) {
//
// NULL character size is 2 bytes
//
if (dwBufferSize > 2) {
//
// There's something to read
//
szNewStringBuffer = (WCHAR*) G_ALLOC ( dwBufferSize );
if (szNewStringBuffer != NULL) {
dwType = 0;
dwStatus = RegQueryValueExW (
hKey,
szValueName,
NULL,
&dwType,
(LPBYTE)szNewStringBuffer,
&dwBufferSize);
//
// Ensure that the registry string is null terminated.
//
cchBufLen = dwBufferSize/sizeof(WCHAR);
szNewStringBuffer[cchBufLen - 1] = L'\0';
if ( 0 == lstrlenW ( szNewStringBuffer ) ) {
dwStatus = ERROR_NO_DATA;
}
} else {
// Todo: Report event for this case.
dwStatus = ERROR_OUTOFMEMORY;
}
} else {
// nothing to read
dwStatus = ERROR_NO_DATA;
}
} // else unable to read buffer
// dwStatus has error
} else {
// null key
dwStatus = ERROR_BADKEY;
}
if (dwStatus != ERROR_SUCCESS) {
LPCWSTR szStringArray[2];
szStringArray[0] = szValueName;
szStringArray[1] = szQueryName;
if (szNewStringBuffer != NULL) {
G_FREE ( szNewStringBuffer );
szNewStringBuffer = NULL;
dwBufferSize = 0;
}
//
// Apply default
//
if ( szDefault != NULL ) {
HRESULT hr = S_OK;
cchBufLen = 0;
//
// StringCchLen fails if szDefault is null.
//
hr = StringCchLength ( szDefault, STRSAFE_MAX_CCH, &cchBufLen );
if ( SUCCEEDED (hr) ) {
// Null terminator.
cchBufLen++;
}
if ( 1 < cchBufLen ) {
dwBufferSize = cchBufLen * sizeof (WCHAR);
szNewStringBuffer = (WCHAR*) G_ALLOC ( dwBufferSize );
if (szNewStringBuffer != NULL) {
ReportEvent (hEventLog,
EVENTLOG_WARNING_TYPE,
0,
SMLOG_UNABLE_READ_QUERY_VALUE,
NULL,
2,
sizeof(DWORD),
szStringArray,
(LPVOID)&dwStatus);
StringCchCopy (
szNewStringBuffer,
cchBufLen,
szDefault);
dwStatus = ERROR_SUCCESS;
} else {
dwStatus = ERROR_OUTOFMEMORY;
ReportEvent (hEventLog,
EVENTLOG_WARNING_TYPE,
0,
SMLOG_UNABLE_READ_QUERY_DEF_VAL,
NULL,
2,
sizeof(DWORD),
szStringArray,
(LPVOID)&dwStatus);
}
}
} // else no default so no data returned
// Let the caller log the event if they want to.
}
if (dwStatus == ERROR_SUCCESS) {
//
// Delete the old buffer and replace it with
// the new one.
//
if (*pszBuffer != NULL) {
G_FREE (*pszBuffer );
}
*pszBuffer = szNewStringBuffer;
if ( NULL != pcbSize ) {
*pcbSize = dwBufferSize;
}
} else {
// if error then delete the buffer
if (szNewStringBuffer != NULL) {
G_FREE ( szNewStringBuffer );
if ( NULL != pcbSize ) {
*pcbSize = dwBufferSize;
}
}
}
return dwStatus;
}
DWORD
ReadRegistryIndirectStringValue (
HKEY hKey,
LPCWSTR szQueryName, // For error logging
LPCWSTR szValueName,
LPCWSTR szDefault,
LPWSTR* pszBuffer,
UINT* puiLength )
{
DWORD dwStatus = ERROR_SUCCESS;
UNREFERENCED_PARAMETER(szQueryName);
dwStatus = SmReadRegistryIndirectStringValue (
hKey,
szValueName,
szDefault,
pszBuffer,
puiLength );
/*
Todo: Report event on failure
LPCWSTR szStringArray[2];
szStringArray[0] = szValueName;
szStringArray[1] = szQueryName;
if ( NULL != szDefault ) {
ReportEvent (hEventLog,
EVENTLOG_WARNING_TYPE,
0,
SMLOG_UNABLE_READ_QUERY_VALUE_NODEF,
NULL,
2,
sizeof(DWORD),
szStringArray,
(LPVOID)&dwStatus);
}
*/
return dwStatus;
}
DWORD
WriteRegistryDwordValue (
HKEY hKey,
LPCWSTR szValueName,
LPDWORD pdwValue,
DWORD dwType
)
{
DWORD dwStatus = ERROR_SUCCESS;
DWORD dwValue = sizeof(DWORD);
assert ((dwType == REG_DWORD) ||
(dwType == REG_BINARY));
dwStatus = RegSetValueEx (
hKey,
szValueName,
0L,
dwType,
(CONST BYTE *)pdwValue,
dwValue);
return dwStatus;
}
DWORD
WriteRegistrySlqTime (
HKEY hKey,
LPCWSTR szValueName,
PSLQ_TIME_INFO pSlqTime
)
{
DWORD dwStatus = ERROR_SUCCESS;
DWORD dwValue = sizeof(SLQ_TIME_INFO);
dwStatus = RegSetValueEx (
hKey,
szValueName,
0L,
REG_BINARY,
(CONST BYTE *)pSlqTime,
dwValue);
return dwStatus;
}
DWORD
BuildCurrentLogFileName (
IN LPCWSTR szQueryName,
IN LPCWSTR szBaseFileName,
IN LPCWSTR szDefaultDir,
IN LPCWSTR szSqlLogName,
IN LPWSTR szOutFileBuffer,
IN LPDWORD lpdwSerialNumber,
IN DWORD dwAutoNameFormat,
IN DWORD dwLogFileType,
IN INT iCnfSerial
)
{
DWORD dwStatus = ERROR_SUCCESS;
HRESULT hr = S_OK;
PPDH_PLA_INFO pInfo = NULL;
DWORD cchStrBufLen = 0;
DWORD dwInfoSize = 0;
DWORD dwFlags = 0;
LPWSTR szFileNameBuffer = NULL;
// Todo: Presumes OutFileBuffer is large enough (i.e. >= MAX_PATH+1)
// Make buf length restriction explicit to calling code
dwStatus = PdhPlaGetInfo(
(LPWSTR)szQueryName,
NULL,
&dwInfoSize,
pInfo );
if( ERROR_SUCCESS == dwStatus && 0 != dwInfoSize ){
pInfo = (PPDH_PLA_INFO)G_ALLOC(dwInfoSize);
if( NULL != pInfo && (sizeof(PDH_PLA_INFO) <= dwInfoSize) ){
ZeroMemory( pInfo, dwInfoSize );
pInfo->dwMask = PLA_INFO_FLAG_FORMAT|
PLA_INFO_FLAG_FILENAME|
PLA_INFO_FLAG_AUTOFORMAT|
PLA_INFO_FLAG_TYPE|
PLA_INFO_FLAG_DEFAULTDIR|
PLA_INFO_FLAG_SRLNUMBER|
PLA_INFO_FLAG_SQLNAME|
PLA_INFO_FLAG_STATUS;
dwStatus = PdhPlaGetInfo(
(LPWSTR)szQueryName,
NULL,
&dwInfoSize,
pInfo );
pInfo->dwFileFormat = dwLogFileType;
pInfo->strBaseFileName = (LPWSTR)szBaseFileName;
pInfo->dwAutoNameFormat = dwAutoNameFormat;
// PLA_INFO_FLAG_TYPE is counter log vs trace log vs alert
pInfo->strDefaultDir = (LPWSTR)szDefaultDir;
pInfo->dwLogFileSerialNumber = *lpdwSerialNumber;
pInfo->strSqlName = (LPWSTR)szSqlLogName;
dwFlags = PLA_FILENAME_CREATEONLY;
// iCnfSerial = 0 - No serial suffix for Create New File
// iCnfSerial = -1 - Include format string for trace file serial number.
if ( 0 == iCnfSerial ) {
pInfo->ptCreateNewFile.dwAutoMode = SLQ_AUTO_MODE_NONE;
} else {
dwFlags |= PLA_FILENAME_USE_SUBEXT;
if ( -1 == iCnfSerial ) {
dwFlags |= PLA_FILENAME_GET_SUBFMT;
pInfo->ptCreateNewFile.dwAutoMode = SLQ_AUTO_MODE_SIZE;
} else {
pInfo->ptCreateNewFile.dwAutoMode = SLQ_AUTO_MODE_AFTER;
pInfo->dwReserved1 = iCnfSerial;
}
}
dwStatus = PdhPlaGetLogFileName (
(LPWSTR)szQueryName,
NULL,
pInfo,
dwFlags,
&cchStrBufLen,
NULL );
if ( ERROR_SUCCESS == dwStatus || PDH_INSUFFICIENT_BUFFER == dwStatus ) {
szFileNameBuffer = G_ALLOC ((cchStrBufLen + 1) * sizeof(WCHAR));
if (NULL != szFileNameBuffer ) {
dwStatus = PdhPlaGetLogFileName (
(LPWSTR)szQueryName,
NULL,
pInfo,
dwFlags,
&cchStrBufLen,
szFileNameBuffer );
// todo: Make buf length restriction explicit to calling code
hr = StringCchCopy ( szOutFileBuffer, (MAX_PATH + 1), szFileNameBuffer );
if ( FAILED ( hr ) ) {
// Todo: Truncation-specific error code.
dwStatus = HRESULT_CODE ( hr ) ;
}
G_FREE ( szFileNameBuffer );
} else {
dwStatus = ERROR_OUTOFMEMORY;
}
}
}
}
if ( NULL != pInfo ) {
G_FREE( pInfo );
}
return dwStatus;
}
BOOL
FileExists (
IN LPCWSTR szFileName )
{
DWORD dwStatus = ERROR_SUCCESS;
BOOL bFileExists = FALSE;
HANDLE hFile = NULL;
LONG lErrorMode;
if ( NULL != szFileName ) {
lErrorMode = SetErrorMode ( SEM_FAILCRITICALERRORS | SEM_NOOPENFILEERRORBOX );
hFile = CreateFile(
szFileName,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL | FILE_FLAG_NO_BUFFERING,
NULL
);
if (INVALID_HANDLE_VALUE == hFile ) {
dwStatus = GetLastError();
}
if ( NULL != hFile
&& INVALID_HANDLE_VALUE != hFile
&& ERROR_SUCCESS == dwStatus )
{
bFileExists = TRUE;
}
CloseHandle(hFile);
SetErrorMode ( lErrorMode );
} else {
dwStatus = ERROR_INVALID_PARAMETER;
}
return bFileExists;
}
DWORD
LoadCommonConfig(
IN PLOG_QUERY_DATA pQuery)
{
DWORD dwStatus = ERROR_SUCCESS;
DWORD dwBufferSize = 0;
UINT uiBufferLen = 0;
SLQ_TIME_INFO stiDefault;
DWORD dwDefault = 0;
DWORD dwTempRestart;
LONGLONG ftLocalTime;
DWORD dwLocalAttributes = 0;
// Schedule
dwDefault = SLQ_QUERY_STOPPED;
dwStatus = ReadRegistryDwordValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Current State",
&dwDefault,
&pQuery->dwCurrentState);
if ( ERROR_SUCCESS == dwStatus ) {
//
// Pass NULL default to avoid warning message.
// A missing value here is normal, converting from Win2000 config.
//
dwStatus = ReadRegistryDwordValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"RealTime DataSource",
NULL,
&pQuery->dwRealTimeQuery);
if ( ERROR_NO_DATA == dwStatus
|| ERROR_FILE_NOT_FOUND == dwStatus
|| ( 0 == pQuery->dwRealTimeQuery ) ) {
pQuery->dwRealTimeQuery = GetSystemWideDefaultNullDataSource();
dwStatus = ERROR_SUCCESS;
}
}
if ( ERROR_SUCCESS == dwStatus ) {
ftLocalTime = 0;
GetLocalFileTime ( &ftLocalTime );
stiDefault.wDataType = SLQ_TT_DTYPE_DATETIME;
stiDefault.wTimeType = SLQ_TT_TTYPE_START;
stiDefault.dwAutoMode = SLQ_AUTO_MODE_AT;
stiDefault.llDateTime = ftLocalTime;
dwStatus = ReadRegistrySlqTime (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Start",
&stiDefault,
&pQuery->stiRegStart);
}
if ( ERROR_SUCCESS == dwStatus ) {
stiDefault.wDataType = SLQ_TT_DTYPE_DATETIME;
stiDefault.wTimeType = SLQ_TT_TTYPE_STOP;
stiDefault.dwAutoMode = SLQ_AUTO_MODE_NONE;
stiDefault.llDateTime = MIN_TIME_VALUE;
dwStatus = ReadRegistrySlqTime (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Stop",
&stiDefault,
&pQuery->stiRegStop);
}
if ( ERROR_SUCCESS == dwStatus ) {
//
// Apply default value outside of Read method, to avoid
// error message. This value does not exist in Windows 2000
//
dwStatus = ReadRegistrySlqTime (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Create New File",
NULL,
&pQuery->stiCreateNewFile);
if ( ERROR_NO_DATA == dwStatus || ERROR_FILE_NOT_FOUND == dwStatus ) {
stiDefault.wDataType = SLQ_TT_DTYPE_UNITS;
stiDefault.wTimeType = SLQ_TT_TTYPE_CREATE_NEW_FILE;
stiDefault.dwAutoMode = SLQ_AUTO_MODE_NONE;
stiDefault.dwUnitType = SLQ_TT_UTYPE_SECONDS;
stiDefault.dwValue = 0;
pQuery->stiCreateNewFile = stiDefault;
dwStatus = ERROR_SUCCESS;
}
}
//
// Restart flag is replaced by the Repeat time structure after Windows 2000.
//
if ( ERROR_SUCCESS == dwStatus ) {
// If autostop, collect Restart value.
// Apply default value outside of Read method, to avoid
// error message. This value does not exist in Windows 2000
if ( pQuery->stiRegStop.dwAutoMode != SLQ_AUTO_MODE_NONE ) {
dwStatus = ReadRegistryDwordValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Restart",
NULL,
&dwTempRestart );
if ( ERROR_NO_DATA == dwStatus || ERROR_FILE_NOT_FOUND == dwStatus ) {
dwTempRestart = SLQ_AUTO_MODE_NONE;
dwStatus = ERROR_SUCCESS;
}
}
}
if ( ERROR_SUCCESS == dwStatus ) {
// If autostop, collect Repeat value.
// Apply default value outside of Read method, to avoid
// error message. This value does not exist in Windows 2000
if ( pQuery->stiRegStop.dwAutoMode != SLQ_AUTO_MODE_NONE ) {
dwStatus = ReadRegistrySlqTime (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Repeat Schedule",
NULL,
&pQuery->stiRepeat );
if ( ERROR_NO_DATA == dwStatus
|| ERROR_FILE_NOT_FOUND == dwStatus
|| SLQ_AUTO_MODE_NONE == pQuery->stiRepeat.dwAutoMode )
{
// If the repeat value doesn't exist or is set to NONE,
// default to the Restart mode value: NONE or AFTER
stiDefault.wDataType = SLQ_TT_DTYPE_UNITS;
stiDefault.wTimeType = SLQ_TT_TTYPE_REPEAT_SCHEDULE;
stiDefault.dwAutoMode = dwTempRestart;
stiDefault.dwUnitType = SLQ_TT_UTYPE_MINUTES;
stiDefault.dwValue = 0;
pQuery->stiRepeat = stiDefault;
dwStatus = ERROR_SUCCESS;
}
}
}
if ( ERROR_SUCCESS == dwStatus ) {
ReadRegistryIndirectStringValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Comment",
NULL,
&pQuery->szLogFileComment,
&uiBufferLen );
// Ignore status, default is empty.
}
// Todo: File attributes only for counter and trace logs
//
// File attributes
//
if ( ERROR_SUCCESS == dwStatus ) {
dwDefault = (DWORD)-1;
dwStatus = ReadRegistryDwordValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Log File Max Size",
&dwDefault,
&pQuery->dwMaxFileSize);
}
if ( ERROR_SUCCESS == dwStatus ) {
dwDefault = SLF_BIN_FILE;
dwStatus = ReadRegistryDwordValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Log File Type",
&dwDefault,
&pQuery->dwLogFileType);
if (dwStatus == ERROR_SUCCESS) {
pQuery->dwLogFileType = LOWORD(pQuery->dwLogFileType);
// For Whistler Beta 1, append mode stored in high word of
// the log type registry value
pQuery->dwAppendMode =
(pQuery->dwLogFileType & 0xFFFF0000) == SLF_FILE_APPEND;
}
}
if ( ERROR_SUCCESS == dwStatus ) {
// Pass NULL default to avoid warning message.
// A missing value here is normal, converting from Win2000 config.
dwLocalAttributes = 0;
dwStatus = ReadRegistryDwordValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Data Store Attributes",
NULL,
&dwLocalAttributes );
// Extract log file size units
if ( ERROR_NO_DATA == dwStatus
|| ERROR_FILE_NOT_FOUND == dwStatus
|| ( 0 == ( dwLocalAttributes & SLF_DATA_STORE_SIZE_MASK ) ) ) {
// If file size unit value is missing, default to Win2000 values
if ( SLQ_COUNTER_LOG == pQuery->dwLogType ) {
if ( SLF_SQL_LOG != pQuery->dwLogFileType ) {
pQuery->dwLogFileSizeUnit = ONE_KB;
} else {
pQuery->dwLogFileSizeUnit = ONE_RECORD;
}
} else if ( SLQ_TRACE_LOG == pQuery->dwLogType ) {
pQuery->dwLogFileSizeUnit = ONE_MB;
}
} else {
if ( dwLocalAttributes & SLF_DATA_STORE_SIZE_ONE_MB ) {
pQuery->dwLogFileSizeUnit = ONE_MB;
} else if ( dwLocalAttributes & SLF_DATA_STORE_SIZE_ONE_KB ) {
pQuery->dwLogFileSizeUnit = ONE_KB;
} else if ( dwLocalAttributes & SLF_DATA_STORE_SIZE_ONE_RECORD ) {
pQuery->dwLogFileSizeUnit = ONE_RECORD;
}
}
// Extract append flag if not already set by Whistler Beta 1 code
if ( 0 == pQuery->dwAppendMode ) {
if ( ERROR_NO_DATA == dwStatus
|| ERROR_FILE_NOT_FOUND == dwStatus
|| ( 0 == ( dwLocalAttributes & SLF_DATA_STORE_APPEND_MASK ) ) )
{
// If file append mode value is missing, default to Win2000 values
assert ( SLF_SQL_LOG != pQuery->dwLogFileType );
if ( SLF_SQL_LOG != pQuery->dwLogFileType ) {
pQuery->dwAppendMode = 0;
}
} else {
pQuery->dwAppendMode = ( dwLocalAttributes & SLF_DATA_STORE_APPEND );
}
}
dwStatus = ERROR_SUCCESS;
}
if ( ERROR_SUCCESS == dwStatus ) {
dwDefault = SLF_NAME_NNNNNN;
dwStatus = ReadRegistryDwordValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Log File Auto Format",
&dwDefault,
&pQuery->dwAutoNameFormat );
}
if ( ERROR_SUCCESS == dwStatus ) {
WCHAR szDefault[MAX_PATH+1];
// Dependent on AutoNameFormat setting.
if ( SLF_NAME_NONE == pQuery->dwAutoNameFormat ) {
//
// Default log file name is query name, if no autoformat.
// szDefault and szQueryName both have length MAX_PATH + 1
//
StringCchCopy ( szDefault, MAX_PATH + 1, pQuery->szQueryName );
} else {
szDefault[0] = L'\0';
}
dwStatus = ReadRegistryIndirectStringValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Log File Base Name",
szDefault,
&pQuery->szBaseFileName,
&uiBufferLen );
if ( NULL != pQuery->szBaseFileName ) {
ReplaceBlanksWithUnderscores ( pQuery->szBaseFileName );
}
//
// szDefault of length 0 indicates that auto format is enabled.
//
if ( 0 == lstrlen (szDefault) ) {
if ( NULL != pQuery->szBaseFileName ) {
if ( 0 == lstrlen ( pQuery->szBaseFileName ) ) {
// Ignore bad status if the base log file name
// is NULL and auto format is enabled.
dwStatus = ERROR_SUCCESS;
} else {
dwStatus = ERROR_SUCCESS;
}
} else {
dwStatus = ERROR_SUCCESS;
}
}
}
if ( ERROR_SUCCESS == dwStatus ) {
WCHAR* pszTemp = NULL;
DWORD cchLen = 0;
DWORD cchExpandedLen = 0;
dwStatus = ReadRegistryStringValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Log File Folder",
gszDefaultLogFileFolder,
&pszTemp,
&dwBufferSize );
//
// Parse all environment variables
//
if (pszTemp != NULL) {
cchLen = ExpandEnvironmentStrings ( pszTemp, NULL, 0 );
if ( 0 < cchLen ) {
//
// cchLen includes NULL.
//
if ( NULL != pQuery->szLogFileFolder ) {
G_FREE (pQuery->szLogFileFolder );
pQuery->szLogFileFolder = NULL;
}
pQuery->szLogFileFolder = G_ALLOC ( cchLen * sizeof(WCHAR) );
if ( NULL != pQuery->szLogFileFolder ) {
cchExpandedLen = ExpandEnvironmentStrings (
pszTemp,
pQuery->szLogFileFolder,
cchLen );
if ( 0 == cchExpandedLen ) {
dwStatus = GetLastError();
pQuery->szLogFileFolder[0] = L'\0';
}
} else {
dwStatus = ERROR_OUTOFMEMORY;
}
} else {
dwStatus = GetLastError();
}
}
if ( NULL != pszTemp ) {
G_FREE ( pszTemp );
}
}
if ( ERROR_SUCCESS == dwStatus ) {
ReadRegistryStringValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Sql Log Base Name",
NULL,
&pQuery->szSqlLogName,
&dwBufferSize );
// Ignore status, default is empty.
}
if ( ERROR_SUCCESS == dwStatus ) {
dwDefault = 1;
dwStatus = ReadRegistryDwordValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Log File Serial Number",
&dwDefault,
&pQuery->dwCurrentSerialNumber );
}
return dwStatus;
}
DWORD
LoadQueryConfig(
IN PLOG_QUERY_DATA pQuery )
{
DWORD dwStatus = ERROR_SUCCESS;
DWORD dwBufferSize;
UINT uiBufferLen = 0;
LPWSTR szStringArray[2];
SLQ_TIME_INFO stiDefault;
SLQ_TIME_INFO stiTemp;
DWORD dwDefault;
DWORD dwType;
dwType = REG_DWORD;
dwBufferSize = sizeof(DWORD);
dwStatus = RegQueryValueExW (
pQuery->hKeyQuery,
L"Log Type",
NULL,
&dwType,
(LPBYTE)&pQuery->dwLogType,
&dwBufferSize);
if ( SLQ_COUNTER_LOG == pQuery->dwLogType ) {
//
// Counters
//
dwStatus = ReadRegistryStringValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Counter List",
NULL,
&pQuery->mszCounterList,
&dwBufferSize );
if ( (ERROR_SUCCESS != dwStatus ) || ( 0 == dwBufferSize ) ) {
//
// No counter list retrieved so there's not much
// point in continuing
//
szStringArray[0] = pQuery->szQueryName;
ReportEvent (hEventLog,
EVENTLOG_WARNING_TYPE,
0,
SMLOG_UNABLE_READ_COUNTER_LIST,
NULL,
1,
sizeof(DWORD),
szStringArray,
(LPVOID)&dwStatus);
} else {
//
// EOF command file name.
// This is used for both Counter and Trace log files.
// Alerts use the Command file field for Alert command file.
//
if ( ERROR_SUCCESS == dwStatus ) {
ReadRegistryStringValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"EOF Command File",
NULL,
&pQuery->szCmdFileName,
&dwBufferSize );
// Ignore status, default is empty.
}
//
// Sample interval
//
if ( ERROR_SUCCESS == dwStatus ) {
stiDefault.wDataType = SLQ_TT_DTYPE_UNITS;
stiDefault.wTimeType = SLQ_TT_TTYPE_SAMPLE;
stiDefault.dwAutoMode = SLQ_AUTO_MODE_AFTER;
stiDefault.dwUnitType = SLQ_TT_UTYPE_SECONDS;
stiDefault.dwValue = 15;
dwStatus = ReadRegistrySlqTime (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Sample Interval",
&stiDefault,
&stiTemp);
if ( ERROR_SUCCESS == dwStatus ) {
LONGLONG llMillisecInterval;
TimeInfoToMilliseconds( &stiTemp, &llMillisecInterval );
assert ( ULONG_MAX > llMillisecInterval );
if ( ULONG_MAX > llMillisecInterval ) {
pQuery->dwMillisecondSampleInterval = (DWORD)(llMillisecInterval);
} else {
pQuery->dwMillisecondSampleInterval = ULONG_MAX - 1;
}
}
}
}
} else if ( SLQ_ALERT == pQuery->dwLogType) {
//
// Counters & alert limits
//
dwStatus = ReadRegistryStringValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Counter List",
NULL,
&pQuery->mszCounterList,
&dwBufferSize );
if ( (ERROR_SUCCESS != dwStatus ) || ( 0 == dwBufferSize ) ) {
//
// No counter list retrieved so there's not much
// point in continuing
//
szStringArray[0] = pQuery->szQueryName;
ReportEvent (hEventLog,
EVENTLOG_WARNING_TYPE,
0,
SMLOG_UNABLE_READ_COUNTER_LIST,
NULL,
1,
sizeof(DWORD),
szStringArray,
(LPVOID)&dwStatus);
} else {
//
// Sample interval
//
if ( ERROR_SUCCESS == dwStatus ) {
stiDefault.wDataType = SLQ_TT_DTYPE_UNITS;
stiDefault.wTimeType = SLQ_TT_TTYPE_SAMPLE;
stiDefault.dwAutoMode = SLQ_AUTO_MODE_AFTER;
stiDefault.dwUnitType = SLQ_TT_UTYPE_SECONDS;
stiDefault.dwValue = 15;
dwStatus = ReadRegistrySlqTime (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Sample Interval",
&stiDefault,
&stiTemp );
if ( ERROR_SUCCESS == dwStatus ) {
LONGLONG llMillisecInterval;
TimeInfoToMilliseconds( &stiTemp, &llMillisecInterval );
assert ( ULONG_MAX > llMillisecInterval );
if ( ULONG_MAX > llMillisecInterval ) {
pQuery->dwMillisecondSampleInterval = (DWORD)(llMillisecInterval);
} else {
pQuery->dwMillisecondSampleInterval = ULONG_MAX - 1;
}
}
}
if ( ERROR_SUCCESS == dwStatus ) {
//
// Action flags
//
dwDefault = 0;
dwStatus = ReadRegistryDwordValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Action Flags",
&dwDefault,
&pQuery->dwAlertActionFlags);
}
if (( ERROR_SUCCESS == dwStatus ) &&
((pQuery->dwAlertActionFlags & ALRT_ACTION_SEND_MSG) != 0)) {
dwStatus = ReadRegistryStringValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Network Name",
L"",
&pQuery->szNetName,
&dwBufferSize );
}
if (( ERROR_SUCCESS == dwStatus ) &&
((pQuery->dwAlertActionFlags & ALRT_ACTION_EXEC_CMD) != 0)) {
ReadRegistryStringValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Command File",
NULL,
&pQuery->szCmdFileName,
&dwBufferSize );
if (( ERROR_SUCCESS == dwStatus ) &&
((pQuery->dwAlertActionFlags & ALRT_CMD_LINE_U_TEXT) != 0)) {
ReadRegistryIndirectStringValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"User Text",
L"",
&pQuery->szUserText,
&uiBufferLen );
}
}
if (( ERROR_SUCCESS == dwStatus ) &&
((pQuery->dwAlertActionFlags & ALRT_ACTION_START_LOG) != 0)) {
dwStatus = ReadRegistryStringValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Perf Log Name",
L"",
&pQuery->szPerfLogName,
&dwBufferSize );
}
}
} else if ( SLQ_TRACE_LOG == pQuery->dwLogType ) {
DWORD dwProviderStatus;
dwDefault = 0;
dwStatus = ReadRegistryDwordValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Trace Flags",
&dwDefault,
&pQuery->dwFlags);
dwProviderStatus = ReadRegistryStringValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Trace Provider List",
NULL,
&pQuery->mszProviderList,
&dwBufferSize );
if ( 0 == dwBufferSize ) {
if ( (ERROR_SUCCESS != dwProviderStatus )
&& ( ! IsKernelTraceMode( pQuery->dwFlags ) ) ) {
//
// No provider list retrieved and not kernel trace so there's not much
// point in continuing
//
if ( ERROR_SUCCESS == dwStatus ) {
dwStatus = SMLOG_UNABLE_READ_PROVIDER_LIST;
}
szStringArray[0] = pQuery->szQueryName;
ReportEvent (hEventLog,
EVENTLOG_WARNING_TYPE,
0,
SMLOG_UNABLE_READ_PROVIDER_LIST,
NULL,
1,
sizeof(DWORD),
szStringArray,
(LPVOID)&dwStatus);
} else {
//
// Allocate a minimal buffer for the NULL character to simplify later logic.
//
pQuery->mszProviderList = G_ALLOC ( sizeof(WCHAR) );
if ( NULL != pQuery->mszProviderList ) {
pQuery->mszProviderList[0] = L'\0';
} else{
dwStatus = ERROR_OUTOFMEMORY;
szStringArray[0] = pQuery->szQueryName;
ReportEvent (hEventLog,
EVENTLOG_WARNING_TYPE,
0,
SMLOG_UNABLE_READ_PROVIDER_LIST,
NULL,
1,
sizeof(DWORD),
szStringArray,
(LPVOID)&dwStatus);
}
}
}
//
// It is possible the "Trace Provider Flags" list is not present
// or has nothing it
//
dwProviderStatus = ReadRegistryStringValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Trace Provider Flags",
L"",
&pQuery->mszProviderFlags,
&dwBufferSize );
//
// It is possible the "Trace Provider Levels" list is not present
// or has nothing it
//
dwProviderStatus = ReadRegistryStringValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Trace Provider Levels",
L"",
&pQuery->mszProviderLevels,
&dwBufferSize );
if ( ERROR_SUCCESS == dwStatus ) {
dwDefault = 4;
dwStatus = ReadRegistryDwordValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Trace Buffer Size",
&dwDefault,
&pQuery->dwBufferSize);
}
if ( ERROR_SUCCESS == dwStatus ) {
dwDefault = 2;
dwStatus = ReadRegistryDwordValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Trace Buffer Min Count",
&dwDefault,
&pQuery->dwBufferMinCount);
}
if ( ERROR_SUCCESS == dwStatus ) {
dwDefault = 25;
dwStatus = ReadRegistryDwordValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Trace Buffer Max Count",
&dwDefault,
&pQuery->dwBufferMaxCount);
}
if ( ERROR_SUCCESS == dwStatus ) {
dwDefault = 0;
dwStatus = ReadRegistryDwordValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Trace Buffer Flush Interval",
&dwDefault,
&pQuery->dwBufferFlushInterval);
}
//
// EOF Command file.
// This is used for both Counter and Trace log files.
// Alerts use the Command file field for Alert command file.
//
if ( ERROR_SUCCESS == dwStatus ) {
ReadRegistryStringValue (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"EOF Command File",
NULL,
&pQuery->szCmdFileName,
&dwBufferSize );
// Ignore status, default is empty.
}
} else {
//
// Ignore partly created logs and alerts.
//
assert ( SLQ_NEW_LOG == pQuery->dwLogType );
if ( SLQ_NEW_LOG == pQuery->dwLogType ) {
dwStatus = SMLOG_LOG_TYPE_NEW;
} else {
dwStatus = SMLOG_INVALID_LOG_TYPE;
szStringArray[0] = pQuery->szQueryName;
ReportEvent (hEventLog,
EVENTLOG_WARNING_TYPE,
0,
SMLOG_INVALID_LOG_TYPE,
NULL,
1,
sizeof(DWORD),
szStringArray,
(LPVOID)&pQuery->dwLogType);
}
}
if ( ERROR_SUCCESS == dwStatus ) {
dwStatus = LoadCommonConfig ( pQuery );
}
return dwStatus;
}
void
LockQueryData ( void )
{
EnterCriticalSection ( &QueryDataLock );
}
void
UnlockQueryData ( void )
{
LeaveCriticalSection ( &QueryDataLock );
}
void
EnterConfigure ( void )
{
EnterCriticalSection ( &QueryDataLock );
}
void
ExitConfigure ( void )
{
LeaveCriticalSection ( &QueryDataLock );
}
PLOG_QUERY_DATA
GetQueryData (
LPCWSTR szQueryName )
{
PLOG_QUERY_DATA pQuery;
LockQueryData();
pQuery = pFirstQuery;
while ( NULL != pQuery ) {
if ( !lstrcmpi(pQuery->szQueryName, szQueryName ) ) {
// If the exit event isn't set, then this query is still active.
if ((WaitForSingleObject (pQuery->hExitEvent, 0)) != WAIT_OBJECT_0) {
break;
}
}
pQuery = pQuery->next;
}
UnlockQueryData();
return pQuery;
}
PLOG_QUERY_DATA
GetQueryDataPtr (
HANDLE hThisQuery
)
{
PLOG_QUERY_DATA pQuery = NULL;
LockQueryData();
// Find the query data block in the list.
if ( hThisQuery == pFirstQuery->hThread ) {
pQuery = pFirstQuery;
}
if ( NULL == pQuery ) {
for ( pQuery = pFirstQuery;
NULL != pQuery->next;
pQuery = pQuery->next ) {
if ( hThisQuery == pQuery->next->hThread ) {
pQuery = pQuery->next;
break;
}
}
}
UnlockQueryData();
return pQuery;
}
void
DeallocateQueryBuffers (
IN PLOG_QUERY_DATA pQuery )
{
//
// Deallocate the buffers that can be deleted when the collection
// thread is reconfigured.
//
if (( SLQ_COUNTER_LOG == pQuery->dwLogType ) ||
( SLQ_ALERT == pQuery->dwLogType)) {
if (pQuery->mszCounterList != NULL) {
G_FREE(pQuery->mszCounterList);
pQuery->mszCounterList = NULL;
}
}
if ( SLQ_ALERT == pQuery->dwLogType) {
if (pQuery->szNetName != NULL) {
G_FREE(pQuery->szNetName);
pQuery->szNetName = NULL;
}
if (pQuery->szPerfLogName != NULL) {
G_FREE(pQuery->szPerfLogName);
pQuery->szPerfLogName = NULL;
}
if (pQuery->szUserText != NULL) {
G_FREE (pQuery->szUserText);
pQuery->szUserText = NULL;
}
}
if ( SLQ_TRACE_LOG == pQuery->dwLogType) {
if (pQuery->mszProviderList != NULL) {
G_FREE(pQuery->mszProviderList);
pQuery->mszProviderList = NULL;
}
if (pQuery->mszProviderFlags != NULL) {
G_FREE(pQuery->mszProviderFlags);
pQuery->mszProviderFlags = NULL;
}
if (pQuery->mszProviderLevels != NULL) {
G_FREE(pQuery->mszProviderLevels);
pQuery->mszProviderLevels = NULL;
}
}
if (pQuery->szLogFileComment != NULL) {
G_FREE(pQuery->szLogFileComment);
pQuery->szLogFileComment = NULL;
}
if (pQuery->szBaseFileName != NULL) {
G_FREE(pQuery->szBaseFileName);
pQuery->szBaseFileName = NULL;
}
if (pQuery->szLogFileFolder != NULL) {
G_FREE(pQuery->szLogFileFolder);
pQuery->szLogFileFolder = NULL;
}
if (pQuery->szSqlLogName != NULL) {
G_FREE(pQuery->szSqlLogName);
pQuery->szSqlLogName = NULL;
}
if (pQuery->szCmdFileName != NULL) {
G_FREE(pQuery->szCmdFileName);
pQuery->szCmdFileName = NULL;
}
}
void
ClearTraceProperties (
IN PLOG_QUERY_DATA pQuery )
{
#if _IMPLEMENT_WMI
G_ZERO (& pQuery->Properties, sizeof(EVENT_TRACE_PROPERTIES));
G_ZERO (pQuery->szLoggerName, sizeof(pQuery->szLoggerName));
G_ZERO (pQuery->szLogFileName, sizeof(pQuery->szLogFileName));
if ( NULL != pQuery->arrpGuid ) {
ULONG ulIndex;
for ( ulIndex = 0; ulIndex < pQuery->ulGuidCount; ulIndex++ ) {
if ( NULL != pQuery->arrpGuid[ulIndex].pszProviderName ) {
G_FREE ( pQuery->arrpGuid[ulIndex].pszProviderName );
pQuery->arrpGuid[ulIndex].pszProviderName = NULL;
}
}
G_FREE ( pQuery->arrpGuid );
pQuery->arrpGuid = NULL;
}
pQuery->ulGuidCount = 0;
pQuery->Properties.LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
pQuery->Properties.LogFileNameOffset = sizeof(EVENT_TRACE_PROPERTIES)
+ sizeof(pQuery->szLoggerName);
#endif
}
DWORD
LoadPdhLogUpdateSuccess ( void )
{
DWORD dwStatus = ERROR_SUCCESS;
HKEY hKeySysmonLog = NULL;
WCHAR* mszStatusList = NULL;
DWORD dwBufferSize = 0;
DWORD dwType = 0;
dwStatus = RegOpenKeyEx (
(HKEY)HKEY_LOCAL_MACHINE,
L"SYSTEM\\CurrentControlSet\\Services\\SysmonLog",
0L,
KEY_READ,
(PHKEY)&hKeySysmonLog);
if (dwStatus == ERROR_SUCCESS) {
//
// Find out the size of the required buffer
//
dwStatus = RegQueryValueExW (
hKeySysmonLog,
L"PdhDataCollectSuccessStatus",
NULL,
&dwType,
NULL,
&dwBufferSize); // In bytes
// If there is something to read
if ( (ERROR_SUCCESS == dwStatus ) && ( 0 < dwBufferSize ) ) {
mszStatusList = G_ALLOC ( dwBufferSize );
if ( NULL != mszStatusList ) {
mszStatusList[0] = L'\0';
dwType = 0;
dwStatus = RegQueryValueExW (
hKeySysmonLog,
L"PdhDataCollectSuccessStatus",
NULL,
&dwType,
(UCHAR*)mszStatusList,
&dwBufferSize);
if ( (ERROR_SUCCESS == dwStatus )
&& ( 0 < dwBufferSize )
&& ( L'\0' != mszStatusList[0] ) ) {
// Allocate and load Pdh data collection status value array.
INT iStatusCount = 0;
WCHAR* szThisStatus;
for (szThisStatus = mszStatusList;
*szThisStatus != 0;
szThisStatus += lstrlen(szThisStatus) + 1) {
iStatusCount++;
}
arrPdhDataCollectSuccess = G_ALLOC ( iStatusCount * sizeof ( DWORD ) );
if ( NULL != arrPdhDataCollectSuccess ) {
INT iStatusIndex;
szThisStatus = mszStatusList;
for ( iStatusIndex = 0; iStatusIndex < iStatusCount; iStatusIndex++ ) {
if (0 != *szThisStatus ) {
arrPdhDataCollectSuccess[iStatusIndex] = (DWORD)_wtoi( szThisStatus );
szThisStatus += lstrlen(szThisStatus) + 1;
} else {
break;
}
}
}
iPdhDataCollectSuccessCount = iStatusCount;
}
if ( NULL != mszStatusList ) {
G_FREE ( mszStatusList );
}
} else {
dwStatus = ERROR_OUTOFMEMORY;
}
}
RegCloseKey(hKeySysmonLog);
}
return dwStatus;
}
DWORD
InitTraceGuids(
IN PLOG_QUERY_DATA pQuery )
{
DWORD dwStatus = ERROR_SUCCESS;
#if _IMPLEMENT_WMI
#define GUID_BUF_LEN (64)
LPWSTR pszThisGuid;
LPWSTR pszThisFlag;
LPWSTR pszThisLevel;
LONG ulGuidIndex;
LONG ulGuidCount = 0;
PTRACE_PROVIDER arrpGuid = NULL;
WCHAR pszThisGuidBuffer[GUID_BUF_LEN];
UNICODE_STRING ustrGuid;
//
// Count the GUIDs
//
if ( NULL != pQuery ) {
if ( NULL != pQuery->mszProviderList ) {
for (pszThisGuid = pQuery->mszProviderList;
*pszThisGuid != 0;
pszThisGuid += lstrlen(pszThisGuid) + 1) {
ulGuidCount += 1;
if ( NULL == pszThisGuid ) {
dwStatus = ERROR_INVALID_PARAMETER;
break;
}
}
}
if ( ERROR_SUCCESS == dwStatus ) {
arrpGuid = G_ALLOC ( ulGuidCount * sizeof ( TRACE_PROVIDER ) );
if (NULL == arrpGuid) {
dwStatus = ERROR_OUTOFMEMORY;
} else {
G_ZERO ( arrpGuid, ulGuidCount * sizeof ( TRACE_PROVIDER ) );
}
}
if ( ERROR_SUCCESS == dwStatus ) {
//
// Create an array of pointers to individual provider Guids in the
// mszProviderList. The provider Guids are used as provider
// names in error messages, and for comparison with provider list
//
for ( ulGuidIndex = 0; ulGuidIndex < ulGuidCount; ulGuidIndex++) {
arrpGuid[ulGuidIndex].pszProviderName = G_ALLOC ( sizeof(WCHAR[MAX_PATH+1]) );
if (NULL == arrpGuid[ulGuidIndex].pszProviderName) {
dwStatus = ERROR_OUTOFMEMORY;
break;
}
}
if (ERROR_SUCCESS == dwStatus) {
ulGuidIndex = 0;
pszThisFlag = pQuery->mszProviderFlags;
pszThisLevel = pQuery->mszProviderLevels;
for (pszThisGuid = pQuery->mszProviderList;
*pszThisGuid != 0;
pszThisGuid += lstrlen(pszThisGuid) + 1) {
StringCchCopy ( pszThisGuidBuffer, GUID_BUF_LEN, pszThisGuid );
//
// Size of GUID length << USHORT
//
ustrGuid.Length = (USHORT)(GUID_BUF_LEN*sizeof(WCHAR));
ustrGuid.MaximumLength = (USHORT)(GUID_BUF_LEN*sizeof(WCHAR));
ustrGuid.Buffer = pszThisGuidBuffer;
dwStatus = GUIDFromString (&ustrGuid, &arrpGuid[ulGuidIndex].Guid );
StringCchCopy ( arrpGuid[ulGuidIndex].pszProviderName, MAX_PATH+1, pszThisGuid );
//
// Set provider flags
//
if (pszThisFlag) {
if (*pszThisFlag) {
arrpGuid[ulGuidIndex].dwFlag = ahextoi(pszThisFlag);
pszThisFlag += lstrlen(pszThisFlag) + 1;
}
}
//
// Set provider levels
//
if (pszThisLevel) {
if (*pszThisLevel) {
arrpGuid[ulGuidIndex].dwLevel = ahextoi(pszThisLevel);
pszThisLevel += lstrlen(pszThisLevel) + 1;
}
}
ulGuidIndex++;
}
pQuery->ulGuidCount = ulGuidCount;
pQuery->arrpGuid = arrpGuid;
}
}
if (ERROR_SUCCESS != dwStatus) {
// If failure anywhere, deallocate arrays
if ( NULL != arrpGuid ) {
for (ulGuidIndex--; ulGuidIndex>=0; ulGuidIndex--) {
if (arrpGuid[ulGuidIndex].pszProviderName) {
G_FREE(arrpGuid[ulGuidIndex].pszProviderName);
}
}
G_FREE(arrpGuid);
}
}
} else {
dwStatus = ERROR_INVALID_PARAMETER;
}
#else
dwStatus = ERROR_CALL_NOT_IMPLEMENTED;
#endif
return dwStatus;
}
DWORD
IsCreateNewFile (
IN PLOG_QUERY_DATA pQuery,
OUT BOOL* pbValidBySize,
OUT BOOL* pbValidByTime )
{
DWORD dwStatus = ERROR_SUCCESS;
BOOL bLocalValidBySize = FALSE;
BOOL bLocalValidByTime = FALSE;
if ( ( NULL != pQuery ) ) {
if ( SLQ_AUTO_MODE_SIZE == pQuery->stiCreateNewFile.dwAutoMode ) {
if ( ( SLF_SEQ_TRACE_FILE == pQuery->dwLogFileType )
&& ( -1 != pQuery->dwMaxFileSize )
&& ( 0 != pQuery->dwMaxFileSize ) )
{
bLocalValidBySize = TRUE;
}
} else if ( SLQ_AUTO_MODE_AFTER == pQuery->stiCreateNewFile.dwAutoMode ) {
bLocalValidByTime = TRUE;
}
if ( NULL != pbValidBySize ) {
*pbValidBySize = bLocalValidBySize;
}
if ( NULL != pbValidByTime ) {
*pbValidByTime = bLocalValidByTime;
}
} else {
assert ( FALSE );
dwStatus = ERROR_INVALID_PARAMETER;
}
return dwStatus;
}
void
InitTraceProperties (
IN PLOG_QUERY_DATA pQuery,
IN BOOL bUpdateSerial,
IN OUT DWORD* pdwSessionSerial,
IN OUT INT* piCnfSerial )
{
#if _IMPLEMENT_WMI
HRESULT hr;
DWORD dwStatus = ERROR_SUCCESS;
PPDH_PLA_INFO pInfo = NULL;
DWORD dwInfoSize = 0;
BOOL bBySize = FALSE;
BOOL bByTime = FALSE;
INT iLocalCnfSerial;
DWORD dwLocalSessionSerial = 0; // Init for Prefix check
if ( NULL != pQuery && NULL != piCnfSerial ) {
hr = PdhPlaGetInfoW( pQuery->szQueryName, NULL, &dwInfoSize, pInfo );
if( ERROR_SUCCESS == hr && 0 != dwInfoSize ) {
pInfo = (PPDH_PLA_INFO)G_ALLOC(dwInfoSize);
if( NULL != pInfo && (sizeof(PDH_PLA_INFO) <= dwInfoSize) ){
ZeroMemory( pInfo, dwInfoSize );
pInfo->dwMask = PLA_INFO_FLAG_MODE|PLA_INFO_FLAG_LOGGERNAME;
hr = PdhPlaGetInfoW( pQuery->szQueryName, NULL, &dwInfoSize, pInfo );
} else {
hr = E_OUTOFMEMORY;
}
}
ClearTraceProperties ( pQuery );
dwStatus = IsCreateNewFile ( pQuery, &bBySize, &bByTime );
// Create format string, store it in pQuery->szLogFileName
if ( bBySize ) {
// In BuildCurrentLogFileName, iCnfSerial of -1 signals code to
// return the format string for cnf serial number
iLocalCnfSerial = -1;
} else {
if ( bByTime ) {
*piCnfSerial += 1;
iLocalCnfSerial = *piCnfSerial;
} else {
iLocalCnfSerial = 0;
}
}
if ( NULL != pdwSessionSerial ) {
dwLocalSessionSerial = *pdwSessionSerial;
} else {
dwLocalSessionSerial = pQuery->dwCurrentSerialNumber;
}
dwStatus = BuildCurrentLogFileName (
pQuery->szQueryName,
pQuery->szBaseFileName,
pQuery->szLogFileFolder,
pQuery->szSqlLogName,
pQuery->szLogFileName,
&dwLocalSessionSerial,
pQuery->dwAutoNameFormat,
pQuery->dwLogFileType,
iLocalCnfSerial );
RegisterCurrentFile( pQuery->hKeyQuery, pQuery->szLogFileName, iLocalCnfSerial );
// Update log serial number if modified.
if ( bUpdateSerial && SLF_NAME_NNNNNN == pQuery->dwAutoNameFormat ) {
pQuery->dwCurrentSerialNumber++;
// Todo: Info event on number wrap - Server Beta 3.
if ( MAXIMUM_SERIAL_NUMBER < pQuery->dwCurrentSerialNumber ) {
pQuery->dwCurrentSerialNumber = MINIMUM_SERIAL_NUMBER;
}
WriteRegistryDwordValue (
pQuery->hKeyQuery,
L"Log File Serial Number",
&pQuery->dwCurrentSerialNumber,
REG_DWORD);
// Todo: log event on error.
}
pQuery->Properties.Wnode.BufferSize = sizeof(pQuery->Properties)
+ sizeof(pQuery->szLoggerName)
+ sizeof(pQuery->szLogFileName);
if ( TRUE == bBySize ) {
// Add room for trace code to to return formatted filename string.
pQuery->Properties.Wnode.BufferSize += 8;
}
pQuery->Properties.Wnode.Flags = WNODE_FLAG_TRACED_GUID;
// Fill out properties block and start.
pQuery->Properties.BufferSize = pQuery->dwBufferSize;
pQuery->Properties.MinimumBuffers = pQuery->dwBufferMinCount;
pQuery->Properties.MaximumBuffers = pQuery->dwBufferMaxCount;
if ( pInfo ) {
if ( pInfo->Trace.strLoggerName != NULL ) {
StringCchCopy (
pQuery->szLoggerName,
MAX_PATH + 1, // Defined in header
pInfo->Trace.strLoggerName );
}
} else {
StringCchCopy ( pQuery->szLoggerName, MAX_PATH + 1, pQuery->szQueryName );
}
if ( (BOOL)( 0 == (pQuery->dwFlags & SLQ_TLI_ENABLE_BUFFER_FLUSH)) )
pQuery->Properties.FlushTimer = 0;
else
pQuery->Properties.FlushTimer = pQuery->dwBufferFlushInterval;
if ( IsKernelTraceMode ( pQuery->dwFlags ) ) {
pQuery->Properties.Wnode.Guid = SystemTraceControlGuid;
StringCchCopy ( pQuery->szLoggerName, MAX_PATH + 1, KERNEL_LOGGER_NAMEW );
if ( (BOOL)( 0 != (pQuery->dwFlags & SLQ_TLI_ENABLE_KERNEL_TRACE)) ) {
// NT5 Beta 2 Single Kernel flag
pQuery->Properties.EnableFlags |= EVENT_TRACE_FLAG_PROCESS |
EVENT_TRACE_FLAG_THREAD |
EVENT_TRACE_FLAG_DISK_IO |
EVENT_TRACE_FLAG_NETWORK_TCPIP;
} else {
if ( (BOOL)( 0 != (pQuery->dwFlags & SLQ_TLI_ENABLE_PROCESS_TRACE)) )
pQuery->Properties.EnableFlags |= EVENT_TRACE_FLAG_PROCESS;
if ( (BOOL)( 0 != (pQuery->dwFlags & SLQ_TLI_ENABLE_THREAD_TRACE)) )
pQuery->Properties.EnableFlags |= EVENT_TRACE_FLAG_THREAD;
if ( (BOOL)( 0 != (pQuery->dwFlags & SLQ_TLI_ENABLE_DISKIO_TRACE)) )
pQuery->Properties.EnableFlags |= EVENT_TRACE_FLAG_DISK_IO;
if ( (BOOL)( 0 != (pQuery->dwFlags & SLQ_TLI_ENABLE_NETWORK_TCPIP_TRACE)) )
pQuery->Properties.EnableFlags |= EVENT_TRACE_FLAG_NETWORK_TCPIP;
}
if ( (BOOL)( 0 != (pQuery->dwFlags & SLQ_TLI_ENABLE_MEMMAN_TRACE)) )
pQuery->Properties.EnableFlags |= EVENT_TRACE_FLAG_MEMORY_PAGE_FAULTS;
if ( (BOOL)( 0 != (pQuery->dwFlags & SLQ_TLI_ENABLE_FILEIO_TRACE)) )
pQuery->Properties.EnableFlags |= EVENT_TRACE_FLAG_DISK_FILE_IO;
} else {
InitTraceGuids ( pQuery );
}
if ( -1 == pQuery->dwMaxFileSize ) {
pQuery->Properties.MaximumFileSize = 0;
} else {
pQuery->Properties.MaximumFileSize = pQuery->dwMaxFileSize;
}
if ( ERROR_SUCCESS == dwStatus && TRUE == bBySize ) {
pQuery->Properties.LogFileMode =
EVENT_TRACE_FILE_MODE_SEQUENTIAL | EVENT_TRACE_FILE_MODE_NEWFILE;
} else if ( SLF_SEQ_TRACE_FILE == pQuery->dwLogFileType ) {
pQuery->Properties.LogFileMode = EVENT_TRACE_FILE_MODE_SEQUENTIAL;
// Only set Append mode if the file already exists.
if ( pQuery->dwAppendMode && FileExists ( pQuery->szLogFileName ) ) {
pQuery->Properties.LogFileMode |= EVENT_TRACE_FILE_MODE_APPEND;
}
} else {
assert ( SLF_CIRC_TRACE_FILE == pQuery->dwLogFileType );
pQuery->Properties.LogFileMode = EVENT_TRACE_FILE_MODE_CIRCULAR;
}
if ( pInfo ) {
pQuery->Properties.LogFileMode |= pInfo->Trace.dwMode;
G_FREE( pInfo );
}
if ( NULL != pdwSessionSerial ) {
*pdwSessionSerial = dwLocalSessionSerial;
}
} // Todo: else report error, return error
#endif
}
void
FreeQueryData (
IN PLOG_QUERY_DATA pQuery )
{
// Caller must remove the thread data block from the list.
// Threads are deleted by only one thread, so this should not
// be deleted out from under.
assert ( NULL != pQuery );
if ( NULL != pQuery ) {
// Free this entry.
if (( SLQ_COUNTER_LOG == pQuery->dwLogType ) ||
( SLQ_ALERT == pQuery->dwLogType ) ){
while ( NULL != pQuery->pFirstCounter ) {
PLOG_COUNTER_INFO pDelCI = pQuery->pFirstCounter;
pQuery->pFirstCounter = pDelCI->next;
G_FREE( pDelCI );
}
} else {
if ( NULL != pQuery->arrpGuid ) {
ULONG ulIndex;
for ( ulIndex = 0; ulIndex < pQuery->ulGuidCount; ulIndex++ ) {
if ( NULL != pQuery->arrpGuid[ulIndex].pszProviderName ) {
G_FREE ( pQuery->arrpGuid[ulIndex].pszProviderName );
pQuery->arrpGuid[ulIndex].pszProviderName = NULL;
}
}
G_FREE ( pQuery->arrpGuid );
pQuery->arrpGuid = NULL;
}
}
if ( NULL != pQuery->hThread ) {
CloseHandle ( pQuery->hThread );
pQuery->hThread = NULL;
}
if ( NULL != pQuery->hUserToken ) {
CloseHandle ( pQuery->hUserToken );
pQuery->hUserToken = NULL;
}
if ( NULL != pQuery->hExitEvent ) {
CloseHandle ( pQuery->hExitEvent );
pQuery->hExitEvent = NULL;
}
if ( NULL != pQuery->hReconfigEvent ) {
CloseHandle ( pQuery->hReconfigEvent );
pQuery->hReconfigEvent = NULL;
}
if ( NULL != pQuery->hKeyQuery ) {
RegCloseKey ( pQuery->hKeyQuery );
pQuery->hKeyQuery = NULL;
}
DeallocateQueryBuffers( pQuery );
G_FREE (pQuery);
}
}
void
RemoveAndFreeQueryData (
HANDLE hThisQuery
)
{
PLOG_QUERY_DATA pQuery = NULL;
BOOL bFound = FALSE;
LockQueryData();
// Find the query data block and remove it from the list.
if ( hThisQuery == pFirstQuery->hThread ) {
bFound = TRUE;
}
if ( bFound ) {
pQuery = pFirstQuery;
pFirstQuery = pFirstQuery->next;
} else {
PLOG_QUERY_DATA pQueryRemaining;
for ( pQuery = pFirstQuery;
NULL != pQuery->next;
pQuery = pQuery->next ) {
if ( hThisQuery == pQuery->next->hThread ) {
pQueryRemaining = pQuery;
pQuery = pQuery->next;
pQueryRemaining->next = pQuery->next;
bFound = TRUE;
break;
}
}
}
assert ( bFound );
if ( bFound ) {
dwActiveSessionCount -= 1;
}
UnlockQueryData();
assert ( NULL != pQuery );
if ( bFound ) {
FreeQueryData( pQuery );
}
}
LONGLONG
ComputeStartWaitTics(
IN PLOG_QUERY_DATA pQuery,
IN BOOL bWriteToRegistry
)
{
LONGLONG llWaitTics = ((LONGLONG)0);
LONGLONG llLocalDateTime = 0;
LONGLONG llRptLocalDays = 0;
LONGLONG llRptStartTime = 0;
LONGLONG llRptStopTime = 0;
LONGLONG llRptLocalTime = 0;
SLQ_TIME_INFO stiSched;
// Compute time to wait before logging starts.
//
// Time returned is millisecond granularity.
//
// Return value:
//
// Start time minus Now when At time is in the future.
//
// 0 signals no wait. This is true when:
// Start is either Manual or At mode and start time set to before now.
// Exceptions for both of these cases are noted below.
//
// NULL_INTERVAL_TICS signals exit immediately. This is true when:
// Start is Manual and Start time is MAX_TIME_VALUE
// Stop is At mode and Stop time is past.
// Stop is Manual mode and Stop time is MIN_TIME_VALUE or any value <= Now
// Stop is Size mode, Stop time is MIN_TIME_VALUE or any value <= Now, and repeat mode is Manual.
// Stop is After mode, After value is 0 (UI should protect against this).
// Stop is After mode, Start is At mode, stop time is past and repeat mode is Manual.
//
GetLocalFileTime (&llLocalDateTime);
if ( ( MAX_TIME_VALUE == pQuery->stiRegStart.llDateTime )
&& ( SLQ_AUTO_MODE_NONE == pQuery->stiRegStart.dwAutoMode ) ) {
// Manual Start, start time is MAX_TIME_VALUE
// Note: For repeat functionality, manual start time might be > now.
// Need to keep the start mode Manual in this case to ensure that
// SetStoppedStatus works.
// Todo: Don't allow repeat or restart with Manual mode?
llWaitTics = NULL_INTERVAL_TICS;
} else if ( ( SLQ_AUTO_MODE_NONE == pQuery->stiRegStop.dwAutoMode )
&& ( pQuery->stiRegStop.llDateTime <= llLocalDateTime ) ) {
// Past Stop Manual time.
llWaitTics = NULL_INTERVAL_TICS;
} else if ( ( ( SLQ_AUTO_MODE_AT == pQuery->stiRegStop.dwAutoMode )
&& ( SLQ_AUTO_MODE_CALENDAR != pQuery->stiRepeat.dwAutoMode ) )
&& ( pQuery->stiRegStop.llDateTime <= llLocalDateTime ) ) {
// Past Stop At or time and repeat mode not set to calendar.
llWaitTics = NULL_INTERVAL_TICS;
} else if ( ( ( SLQ_AUTO_MODE_SIZE == pQuery->stiRegStop.dwAutoMode )
&& ( SLQ_AUTO_MODE_NONE == pQuery->stiRepeat.dwAutoMode ) )
&& ( pQuery->stiRegStop.llDateTime <= llLocalDateTime ) ) {
// Stop time set to 0 if Stop by size has completed and repeat
// mode not set to calendar.
llWaitTics = NULL_INTERVAL_TICS;
} else if ( SLQ_AUTO_MODE_AFTER == pQuery->stiRegStop.dwAutoMode ) {
if ( 0 == pQuery->stiRegStop.dwValue ) {
// Stop After mode and value is 0.
llWaitTics = NULL_INTERVAL_TICS;
} else if ( ( SLQ_AUTO_MODE_AT == pQuery->stiRegStart.dwAutoMode )
&& ( SLQ_AUTO_MODE_NONE == pQuery->stiRepeat.dwAutoMode ) ) {
LONGLONG llTics;
TimeInfoToTics ( &pQuery->stiRegStop, &llTics );
if ( ( pQuery->stiRegStart.llDateTime + llTics ) < llLocalDateTime ) {
// Start at, Stop After modes, stop time is past and no restart.
llWaitTics = NULL_INTERVAL_TICS;
}
}
}
// This code writes to local start and stop time structures to compute
// start wait tics. This avoids excessive log stops and starts, since
// the original registry data structures are compared when the registry
// has been modified, to determine if a log config has been changed by the UI.
if ( NULL_INTERVAL_TICS != llWaitTics ) {
pQuery->stiCurrentStart = pQuery->stiRegStart;
pQuery->stiCurrentStop = pQuery->stiRegStop;
// Handle repeat option separately.
if ( SLQ_AUTO_MODE_CALENDAR == pQuery->stiRepeat.dwAutoMode ) {
assert ( SLQ_AUTO_MODE_AT == pQuery->stiCurrentStart.dwAutoMode );
assert ( SLQ_AUTO_MODE_AT == pQuery->stiCurrentStop.dwAutoMode );
// assert ( ( pQuery->stiCurrentStop.llDateTime - pQuery->stiCurrentStart.llDateTime )
// < (FILETIME_TICS_PER_SECOND * SECONDS_IN_DAY) );
if ( pQuery->stiCurrentStop.llDateTime <= llLocalDateTime ) {
llRptLocalDays = llLocalDateTime / (FILETIME_TICS_PER_SECOND * SECONDS_IN_DAY);
llRptLocalTime = llLocalDateTime - llRptLocalDays;
llRptStopTime = pQuery->stiCurrentStop.llDateTime
- ( pQuery->stiCurrentStop.llDateTime
/ (FILETIME_TICS_PER_SECOND * SECONDS_IN_DAY) );
pQuery->stiCurrentStop.llDateTime = llRptLocalDays + llRptStopTime;
if ( llRptStopTime < llRptLocalTime ) {
// Set to stop tomorrow.
pQuery->stiCurrentStop.llDateTime += (FILETIME_TICS_PER_SECOND * SECONDS_IN_DAY) ;
}
llRptStartTime = pQuery->stiCurrentStart.llDateTime
- ( pQuery->stiCurrentStart.llDateTime
/ (FILETIME_TICS_PER_SECOND * SECONDS_IN_DAY) );
pQuery->stiCurrentStart.llDateTime = llRptLocalDays + llRptStartTime;
if ( (pQuery->stiCurrentStop.llDateTime - pQuery->stiCurrentStart.llDateTime)
> (FILETIME_TICS_PER_SECOND * SECONDS_IN_DAY) ) {
// Set to start tomorrow.
pQuery->stiCurrentStart.llDateTime += (FILETIME_TICS_PER_SECOND * SECONDS_IN_DAY);
}
}
if ( bWriteToRegistry ) {
stiSched.wDataType = SLQ_TT_DTYPE_DATETIME;
stiSched.wTimeType = SLQ_TT_TTYPE_REPEAT_START;
stiSched.dwAutoMode = SLQ_AUTO_MODE_AT;
stiSched.llDateTime = pQuery->stiCurrentStart.llDateTime;
WriteRegistrySlqTime (
pQuery->hKeyQuery,
L"Repeat Schedule Start",
&stiSched );
stiSched.wTimeType = SLQ_TT_TTYPE_REPEAT_STOP;
stiSched.dwAutoMode = SLQ_AUTO_MODE_AT;
stiSched.llDateTime = pQuery->stiCurrentStop.llDateTime;
WriteRegistrySlqTime (
pQuery->hKeyQuery,
L"Repeat Schedule Stop",
&stiSched );
}
}
if ( pQuery->stiCurrentStart.llDateTime <= llLocalDateTime ) {
llWaitTics = ((LONGLONG)(0));
} else {
llWaitTics = pQuery->stiCurrentStart.llDateTime - llLocalDateTime;
}
// If manual mode, set the start time to now, to handle repeat schedule.
// If any thread other than the log thread accesses this field for a
// running query, then need to synchronize access to the field.
if( SLQ_AUTO_MODE_NONE == pQuery->stiCurrentStart.dwAutoMode
&& MIN_TIME_VALUE == pQuery->stiCurrentStart.llDateTime )
{
pQuery->stiCurrentStart.llDateTime = llLocalDateTime + llWaitTics;
}
}
return llWaitTics;
}
void
LoadDefaultLogFileFolder ( void )
{
HKEY hKeyLogService = NULL;
WCHAR szLocalPath[MAX_PATH+1] = L"";
DWORD cchExpandedLen;
DWORD dwStatus;
dwStatus = RegOpenKeyEx (
(HKEY)HKEY_LOCAL_MACHINE,
L"SYSTEM\\CurrentControlSet\\Services\\SysmonLog",
0L,
KEY_READ,
(PHKEY)&hKeyLogService);
// update the service status
ssSmLogStatus.dwCheckPoint++;
SetServiceStatus (hSmLogStatus, &ssSmLogStatus);
if (dwStatus == ERROR_SUCCESS) {
DWORD dwBufferSize = (MAX_PATH+1) * sizeof(WCHAR);
RegQueryValueExW (
hKeyLogService,
L"DefaultLogFileFolder",
NULL,
0L,
(LPBYTE)szLocalPath,
&dwBufferSize);
szLocalPath[dwBufferSize/sizeof(WCHAR) - 1] = L'\0';
RegCloseKey (hKeyLogService);
} // No message on error. Just use load the local default.
if ( 0 == lstrlen (szLocalPath ) ) {
StringCchCopy ( szLocalPath, MAX_PATH + 1, DEFAULT_LOG_FILE_FOLDER );
}
// Todo: local and global buffer sizes are fixed.
cchExpandedLen = ExpandEnvironmentStrings (
szLocalPath,
gszDefaultLogFileFolder,
MAX_PATH+1 );
if ( 0 == cchExpandedLen ) {
gszDefaultLogFileFolder[0] = L'\0';
}
assert ( MAX_PATH >= iTemp );
}
DWORD
OpenLogQueriesKey (
REGSAM regsamAccess,
PHKEY phKeyLogQueries )
{
DWORD dwStatus;
dwStatus = RegOpenKeyEx (
(HKEY)HKEY_LOCAL_MACHINE,
L"SYSTEM\\CurrentControlSet\\Services\\SysmonLog\\Log Queries",
0L,
regsamAccess,
phKeyLogQueries);
return dwStatus;
}
DWORD
ClearQueryRunStates ( void )
{
DWORD dwStatus;
HKEY hKeyLogQueries = NULL;
HKEY hKeyThisLogQuery = NULL;
DWORD dwQueryIndex;
WCHAR szQueryNameBuffer[MAX_PATH+1];
DWORD cchQueryNameBufLen;
WCHAR szQueryClassBuffer[MAX_PATH+1];
DWORD cchQueryClassBufLen;
LPWSTR szCollectionName = NULL;
UINT uiCollectionNameLen = 0;
LPWSTR szStringArray[2];
DWORD dwCurrentState;
DWORD dwDefault;
DWORD dwLogType;
// For every query in the registry, if the state is SLQ_QUERY_RUNNING,
// set it to SLQ_QUERY_STOPPED.
//
// This method must be called before starting the query threads.
//
// Only the service sets the state to SLQ_QUERY_RUNNING, so there is no
// race condition.
// Open (each) query in the registry
dwStatus = OpenLogQueriesKey (
KEY_READ | KEY_SET_VALUE,
(PHKEY)&hKeyLogQueries);
if (dwStatus != ERROR_SUCCESS) {
if (dwStatus == ERROR_FILE_NOT_FOUND) {
//
// There are no logs nor alerts settings, bail out quietly.
// The error is reported later in the processing.
//
dwStatus = ERROR_SUCCESS;
}
else {
// unable to read the log query information from the registry
dwStatus = GetLastError();
ReportEvent (hEventLog,
EVENTLOG_ERROR_TYPE,
0,
SMLOG_UNABLE_OPEN_LOG_QUERY,
NULL,
0,
0,
NULL,
NULL);
dwStatus = SMLOG_UNABLE_OPEN_LOG_QUERY;
}
} else {
dwQueryIndex = 0;
*szQueryNameBuffer = L'\0';
cchQueryNameBufLen = MAX_PATH+1;
*szQueryClassBuffer = L'\0';
cchQueryClassBufLen = MAX_PATH+1;
while ((dwStatus = RegEnumKeyEx (
hKeyLogQueries,
dwQueryIndex,
szQueryNameBuffer,
&cchQueryNameBufLen,
NULL,
szQueryClassBuffer,
&cchQueryClassBufLen,
NULL)) != ERROR_NO_MORE_ITEMS) {
// open this key
dwStatus = RegOpenKeyEx (
hKeyLogQueries,
szQueryNameBuffer,
0L,
KEY_READ | KEY_WRITE,
(PHKEY)&hKeyThisLogQuery);
if (dwStatus != ERROR_SUCCESS) {
szStringArray[0] = szQueryNameBuffer;
ReportEvent (hEventLog,
EVENTLOG_WARNING_TYPE,
0,
SMLOG_UNABLE_READ_LOG_QUERY,
NULL,
1,
sizeof(DWORD),
szStringArray,
(LPVOID)&dwStatus);
// skip to next item
goto CONTINUE_ENUM_LOOP;
}
// update the service status
ssSmLogStatus.dwCheckPoint++;
SetServiceStatus (hSmLogStatus, &ssSmLogStatus);
dwStatus = SmReadRegistryIndirectStringValue (
hKeyThisLogQuery,
L"Collection Name",
NULL,
&szCollectionName,
&uiCollectionNameLen );
if ( NULL != szCollectionName ) {
if ( 0 < lstrlen ( szCollectionName ) ) {
StringCchCopy (
szQueryNameBuffer,
MAX_PATH + 1,
szCollectionName );
}
G_FREE ( szCollectionName );
szCollectionName = NULL;
uiCollectionNameLen = 0;
}
dwDefault = ((DWORD)-1);
dwStatus = ReadRegistryDwordValue (
hKeyThisLogQuery,
szQueryNameBuffer,
L"Log Type",
&dwDefault,
&dwLogType );
if ( ( SLQ_COUNTER_LOG == dwLogType )
|| ( SLQ_TRACE_LOG == dwLogType )
|| ( SLQ_ALERT == dwLogType ) ) {
// Check the current state of the query. If it is SLQ_QUERY_RUNNING,
// set it to SLQ_QUERY_STOPPED. If, in addition, the Start mode is
// manual, set the start time to MAX, so that the query doesn't
// start automatically.
// If the current state is SLQ_QUERY_START_PENDING, it is assumed to be a new
// request, so leave the registry as is.
//
// Note: For trace logs, this code only coordinates between trace log
// configs that are stored in the registry.
dwDefault = SLQ_QUERY_STOPPED;
dwStatus = ReadRegistryDwordValue (
hKeyThisLogQuery,
szQueryNameBuffer,
L"Current State",
&dwDefault,
&dwCurrentState );
assert (dwStatus == ERROR_SUCCESS);
// Status always success if default provided.
// If query is in START_PENDING or STOPPED state, then
// the registry contents are correct. If it is in
// RUNNING state, then the service was stopped before
// it could clean up the registry state.
if ( SLQ_QUERY_RUNNING == dwCurrentState ) {
SLQ_TIME_INFO stiDefault;
SLQ_TIME_INFO stiActual;
LONGLONG ftLocalTime;
dwCurrentState = SLQ_QUERY_STOPPED;
dwStatus = WriteRegistryDwordValue (
hKeyThisLogQuery,
L"Current State",
&dwCurrentState,
REG_DWORD );
if (dwStatus != ERROR_SUCCESS) {
szStringArray[0] = szQueryNameBuffer;
ReportEvent (hEventLog,
EVENTLOG_WARNING_TYPE,
0,
SMLOG_UNABLE_WRITE_STOP_STATE,
NULL,
1,
sizeof(DWORD),
szStringArray,
(LPVOID)&dwStatus);
// skip to next item
goto CONTINUE_ENUM_LOOP;
}
// If Start is manual mode, set start time to MAX, to signal
// not started.
GetLocalFileTime ( &ftLocalTime );
stiDefault.wTimeType = SLQ_TT_TTYPE_START;
stiDefault.dwAutoMode = SLQ_AUTO_MODE_AT;
stiDefault.wDataType = SLQ_TT_DTYPE_DATETIME;
stiDefault.llDateTime = *(LONGLONG *)&ftLocalTime;
dwStatus = ReadRegistrySlqTime (
hKeyThisLogQuery,
szQueryNameBuffer,
L"Start",
&stiDefault,
&stiActual );
//
// Status is always success if default is provided.
//
assert (dwStatus == ERROR_SUCCESS);
if ( ( SLQ_AUTO_MODE_NONE == stiActual.dwAutoMode )
&& ( MAX_TIME_VALUE != stiActual.llDateTime ) ) {
stiActual.llDateTime = MAX_TIME_VALUE;
dwStatus = WriteRegistrySlqTime (
hKeyThisLogQuery,
L"Start",
&stiActual);
if (dwStatus != ERROR_SUCCESS) {
szStringArray[0] = szQueryNameBuffer;
ReportEvent (hEventLog,
EVENTLOG_WARNING_TYPE,
0,
SMLOG_UNABLE_RESET_START_TIME,
NULL,
1,
sizeof(DWORD),
szStringArray,
(LPVOID)&dwStatus);
// skip to next item
goto CONTINUE_ENUM_LOOP;
}
}
//
// If Stop is manual mode, set stop time to MIN, to signal
// not started.
//
GetLocalFileTime ( &ftLocalTime );
stiDefault.wDataType = SLQ_TT_DTYPE_DATETIME;
stiDefault.wTimeType = SLQ_TT_TTYPE_STOP;
stiDefault.dwAutoMode = SLQ_AUTO_MODE_NONE;
stiDefault.llDateTime = MIN_TIME_VALUE;
dwStatus = ReadRegistrySlqTime (
hKeyThisLogQuery,
szQueryNameBuffer,
L"Stop",
&stiDefault,
&stiActual );
//
// Status always success if default provided.
//
assert (dwStatus == ERROR_SUCCESS);
if ( ( SLQ_AUTO_MODE_NONE == stiActual.dwAutoMode )
&& ( MIN_TIME_VALUE != stiActual.llDateTime ) ) {
stiActual.llDateTime = MIN_TIME_VALUE;
dwStatus = WriteRegistrySlqTime (
hKeyThisLogQuery,
L"Stop",
&stiActual);
if (dwStatus != ERROR_SUCCESS) {
szStringArray[0] = szQueryNameBuffer;
ReportEvent (hEventLog,
EVENTLOG_WARNING_TYPE,
0,
SMLOG_UNABLE_RESET_STOP_TIME,
NULL,
1,
sizeof(DWORD),
szStringArray,
(LPVOID)&dwStatus);
// skip to next item
goto CONTINUE_ENUM_LOOP;
}
}
}
} // Ignore invalid log types when clearing status.
CONTINUE_ENUM_LOOP:
if ( NULL != hKeyThisLogQuery ) {
RegCloseKey (hKeyThisLogQuery);
hKeyThisLogQuery = NULL;
}
// prepare for next loop
dwQueryIndex++;
*szQueryNameBuffer = L'\0';
cchQueryNameBufLen = MAX_PATH+1;
*szQueryClassBuffer = L'\0';
cchQueryClassBufLen = MAX_PATH+1;
} // end enumeration of log queries
}
if ( NULL != hKeyLogQueries ) {
RegCloseKey (hKeyLogQueries);
}
return dwStatus;
}
BOOL
TraceStopRestartFieldsMatch (
IN PLOG_QUERY_DATA pOrigQuery,
IN PLOG_QUERY_DATA pNewQuery )
{
#if _IMPLEMENT_WMI
// These are fields for which trace logging must
// be stopped and restarted in order to reconfigure.
BOOL bRequested;
BOOL bCurrent;
ULONG ulGuidCount = 0;
ULONG ulGuidIndex = 0;
WCHAR* pszThisGuid = NULL;
WCHAR* pszThisFlag = NULL;
WCHAR* pszThisLevel = NULL;
DWORD dwFlag;
DWORD dwLevel;
assert ( SLQ_TRACE_LOG == pOrigQuery->dwLogType );
assert ( SLQ_TRACE_LOG == pNewQuery->dwLogType );
if ( !CommonFieldsMatch ( pOrigQuery, pNewQuery ) )
return FALSE;
if ( pOrigQuery->stiCreateNewFile.dwAutoMode != pNewQuery->stiCreateNewFile.dwAutoMode ) {
return FALSE;
} else {
if ( ( SLQ_AUTO_MODE_AFTER == pOrigQuery->stiCreateNewFile.dwAutoMode )
&& ( pOrigQuery->stiCreateNewFile.llDateTime != pNewQuery->stiCreateNewFile.llDateTime ) ) {
return FALSE;
}
}
// Compare new query fields against the existing properties structure.
// Compare everything but flush interval, max buffer count and file name.
if ( pOrigQuery->Properties.BufferSize != pNewQuery->dwBufferSize )
return FALSE;
if ( pOrigQuery->Properties.MinimumBuffers != pNewQuery->dwBufferMinCount )
return FALSE;
// Not kernel trace, so check query name
if ((BOOL)( 0 == ( pNewQuery->dwFlags & SLQ_TLI_ENABLE_KERNEL_TRACE ) ) ) {
if ( 0 != lstrcmpi ( pOrigQuery->szLoggerName, pNewQuery->szQueryName ) ) {
return FALSE;
}
}
bRequested = (BOOL)( 0 != ( pNewQuery->dwFlags & SLQ_TLI_ENABLE_KERNEL_TRACE ) );
bCurrent = IsEqualGUID( &pOrigQuery->Properties.Wnode.Guid, &SystemTraceControlGuid );
if ( bRequested != bCurrent ) {
return FALSE;
}
// Extended memory trace
bRequested = (BOOL)( 0 != ( pNewQuery->dwFlags & SLQ_TLI_ENABLE_MEMMAN_TRACE ) );
bCurrent = (BOOL)( 0 != ( pOrigQuery->Properties.EnableFlags & EVENT_TRACE_FLAG_MEMORY_PAGE_FAULTS ) );
if ( bRequested != bCurrent ) {
return FALSE;
}
// Extended I/O trace
bRequested = (BOOL)( 0 != ( pNewQuery->dwFlags & SLQ_TLI_ENABLE_FILEIO_TRACE ) );
bCurrent = (BOOL)( 0 != ( pOrigQuery->Properties.EnableFlags & EVENT_TRACE_FLAG_DISK_FILE_IO ) );
if ( bRequested != bCurrent ) {
return FALSE;
}
if ( -1 == pNewQuery->dwMaxFileSize ) {
if ( 0 != pOrigQuery->Properties.MaximumFileSize ) {
return FALSE;
}
} else if ( pOrigQuery->Properties.MaximumFileSize != pNewQuery->dwMaxFileSize ) {
return FALSE;
}
if ( ( SLF_SEQ_TRACE_FILE == pNewQuery->dwLogFileType )
&& ( EVENT_TRACE_FILE_MODE_SEQUENTIAL != pOrigQuery->Properties.LogFileMode ) ) {
return FALSE;
} else if ( ( SLF_CIRC_TRACE_FILE == pNewQuery->dwLogFileType )
&& ( EVENT_TRACE_FILE_MODE_CIRCULAR != pOrigQuery->Properties.LogFileMode ) ) {
return FALSE;
}
// Compare each provider string against array element.
for (pszThisGuid = pNewQuery->mszProviderList;
*pszThisGuid != 0;
pszThisGuid += lstrlen(pszThisGuid) + 1) {
ulGuidCount += 1;
}
if ( pOrigQuery->ulGuidCount != ulGuidCount )
return FALSE;
ulGuidIndex = 0;
pszThisFlag = pNewQuery->mszProviderFlags;
pszThisLevel = pNewQuery->mszProviderLevels;
for (pszThisGuid = pNewQuery->mszProviderList;
*pszThisGuid != 0;
pszThisGuid += lstrlen(pszThisGuid) + 1) {
if ( 0 != lstrcmpi ( pOrigQuery->arrpGuid[ulGuidIndex].pszProviderName, pszThisGuid ) )
return FALSE;
if (pszThisFlag) {
if (*pszThisFlag) {
dwFlag = ahextoi(pszThisFlag);
pszThisFlag += lstrlen(pszThisFlag) + 1;
}
}
else {
dwFlag = 0;
}
if (pOrigQuery->arrpGuid[ulGuidIndex].dwFlag != dwFlag) {
return FALSE;
}
if (pszThisLevel) {
if ( *pszThisLevel) {
dwLevel = ahextoi(pszThisLevel);
pszThisLevel += lstrlen(pszThisLevel) + 1;
}
}
else {
dwLevel = 0;
}
if (pOrigQuery->arrpGuid[ulGuidIndex].dwLevel != dwLevel) {
return FALSE;
}
ulGuidIndex++;
assert ( ulGuidIndex <= ulGuidCount );
}
return TRUE;
#else
return FALSE;
#endif
}
BOOL
AlertFieldsMatch (
IN PLOG_QUERY_DATA pFirstQuery,
IN PLOG_QUERY_DATA pSecondQuery )
{
if ( pFirstQuery->dwAlertActionFlags != pSecondQuery->dwAlertActionFlags )
return FALSE;
if ( 0 != (pFirstQuery->dwAlertActionFlags & ALRT_ACTION_SEND_MSG) ) {
if ( 0 != lstrcmpi ( pFirstQuery->szNetName, pSecondQuery->szNetName ) ) {
return FALSE;
}
}
if ( 0 != (pFirstQuery->dwAlertActionFlags & ALRT_ACTION_EXEC_CMD) ) {
if ( 0 != lstrcmpi ( pFirstQuery->szCmdFileName, pSecondQuery->szCmdFileName ) ) {
return FALSE;
}
if ( 0 != (pFirstQuery->dwAlertActionFlags & ALRT_CMD_LINE_U_TEXT ) ) {
if ( 0 != lstrcmpi ( pFirstQuery->szUserText, pSecondQuery->szUserText ) ) {
return FALSE;
}
}
}
if ( 0 != (pFirstQuery->dwAlertActionFlags & ALRT_ACTION_START_LOG) ) {
if ( 0 != lstrcmpi ( pFirstQuery->szPerfLogName, pSecondQuery->szPerfLogName ) ) {
return FALSE;
}
}
return TRUE;
}
BOOL
CommonFieldsMatch (
IN PLOG_QUERY_DATA pFirstQuery,
IN PLOG_QUERY_DATA pSecondQuery )
{
if ( pFirstQuery->dwCurrentState != pSecondQuery->dwCurrentState )
return FALSE;
if ( pFirstQuery->dwLogFileType != pSecondQuery->dwLogFileType )
return FALSE;
if ( pFirstQuery->dwAutoNameFormat != pSecondQuery->dwAutoNameFormat )
return FALSE;
if ( pFirstQuery->dwMaxFileSize != pSecondQuery->dwMaxFileSize )
return FALSE;
if ( pFirstQuery->stiRegStart.dwAutoMode != pSecondQuery->stiRegStart.dwAutoMode )
return FALSE;
if ( pFirstQuery->stiRegStop.dwAutoMode != pSecondQuery->stiRegStop.dwAutoMode )
return FALSE;
if ( pFirstQuery->stiRepeat.dwAutoMode != pSecondQuery->stiRepeat.dwAutoMode )
return FALSE;
if ( pFirstQuery->stiRegStart.llDateTime != pSecondQuery->stiRegStart.llDateTime )
return FALSE;
if ( pFirstQuery->stiRegStop.llDateTime != pSecondQuery->stiRegStop.llDateTime )
return FALSE;
if ( pFirstQuery->stiRepeat.llDateTime != pSecondQuery->stiRepeat.llDateTime )
return FALSE;
if (( SLQ_COUNTER_LOG == pFirstQuery->dwLogType ) ||
( SLQ_TRACE_LOG == pFirstQuery->dwLogType)) {
if ( 0 != lstrcmpi ( pFirstQuery->szBaseFileName, pSecondQuery->szBaseFileName ) )
return FALSE;
if ( 0 != lstrcmpi ( pFirstQuery->szLogFileFolder, pSecondQuery->szLogFileFolder ) )
return FALSE;
if ( 0 != lstrcmpi ( pFirstQuery->szSqlLogName, pSecondQuery->szSqlLogName ) )
return FALSE;
if ( 0 != lstrcmpi ( pFirstQuery->szLogFileComment, pSecondQuery->szLogFileComment ) )
return FALSE;
if ( pFirstQuery->dwCurrentSerialNumber != pSecondQuery->dwCurrentSerialNumber )
return FALSE;
if ( pFirstQuery->dwLogFileSizeUnit != pSecondQuery->dwLogFileSizeUnit )
return FALSE;
if ( pFirstQuery->dwAppendMode != pSecondQuery->dwAppendMode )
return FALSE;
if ( pFirstQuery->stiCreateNewFile.dwAutoMode != pSecondQuery->stiCreateNewFile.dwAutoMode )
return FALSE;
if ( pFirstQuery->stiCreateNewFile.llDateTime != pSecondQuery->stiCreateNewFile.llDateTime )
return FALSE;
if ( 0 != lstrcmpi(pFirstQuery->szCmdFileName, pSecondQuery->szCmdFileName ) )
return FALSE;
}
if (( SLQ_COUNTER_LOG == pFirstQuery->dwLogType ) ||
( SLQ_ALERT == pFirstQuery->dwLogType)) {
LPWSTR szFirstPath;
LPWSTR szSecondPath;
if ( pFirstQuery->dwMillisecondSampleInterval != pSecondQuery->dwMillisecondSampleInterval ) {
return FALSE;
}
// Compare each counter string. Note: If counter order has changed, the query is
// reconfigured.
// For Alert queries, this code also checks the limit threshold logic and value.
szSecondPath = pSecondQuery->mszCounterList;
for ( szFirstPath = pFirstQuery->mszCounterList;
*szFirstPath != 0;
szFirstPath += lstrlen(szFirstPath) + 1) {
if ( 0 != lstrcmpi( szFirstPath, szSecondPath ) ) {
return FALSE;
}
szSecondPath += lstrlen(szSecondPath) + 1;
}
if ( 0 != *szSecondPath ) {
return FALSE;
}
}
return TRUE;
}
BOOL
FieldsMatch (
IN PLOG_QUERY_DATA pFirstQuery,
IN PLOG_QUERY_DATA pSecondQuery )
{
assert ( pFirstQuery->dwLogType == pSecondQuery->dwLogType );
if ( !CommonFieldsMatch ( pFirstQuery, pSecondQuery ) )
return FALSE;
if ( SLQ_ALERT == pFirstQuery->dwLogType ) {
if ( !AlertFieldsMatch( pFirstQuery, pSecondQuery ) ) {
return FALSE;
}
} else if ( SLQ_TRACE_LOG == pFirstQuery->dwLogType ) {
LPWSTR szFirstProv;
LPWSTR szSecondProv;
if ( pFirstQuery->dwBufferSize != pSecondQuery->dwBufferSize )
return FALSE;
if ( pFirstQuery->dwBufferMinCount != pSecondQuery->dwBufferMinCount )
return FALSE;
if ( pFirstQuery->dwBufferMaxCount != pSecondQuery->dwBufferMaxCount )
return FALSE;
if ( pFirstQuery->dwBufferFlushInterval != pSecondQuery->dwBufferFlushInterval )
return FALSE;
if ( pFirstQuery->dwFlags != pSecondQuery->dwFlags )
return FALSE;
szSecondProv = pSecondQuery->mszProviderList;
for ( szFirstProv = pFirstQuery->mszProviderList;
*szFirstProv != 0;
szFirstProv += lstrlen(szFirstProv) + 1) {
if ( 0 != lstrcmpi ( szFirstProv, szSecondProv ) )
return FALSE;
szSecondProv += lstrlen(szSecondProv) + 1;
}
if ( 0 != *szSecondProv) {
return FALSE;
}
} else if ( SLQ_COUNTER_LOG == pFirstQuery->dwLogType ) {
if ( pFirstQuery->stiCreateNewFile.dwAutoMode != pSecondQuery->stiCreateNewFile.dwAutoMode ) {
return FALSE;
} else {
if ( SLQ_AUTO_MODE_AFTER == pFirstQuery->stiCreateNewFile.dwAutoMode
&& pFirstQuery->stiCreateNewFile.llDateTime != pSecondQuery->stiCreateNewFile.llDateTime ) {
return FALSE;
} // else change in max size handled in commmon fields match check.
}
}
return TRUE;
}
DWORD
IsModified (
IN PLOG_QUERY_DATA pQuery,
OUT BOOL* pbModified
)
{
DWORD dwStatus = ERROR_SUCCESS;
SLQ_TIME_INFO stiLastModified;
SLQ_TIME_INFO stiDefault;
*pbModified = TRUE;
// Check the last read date against 'last modified' in
// the registry.
// If it is earlier than the registry, and the data in the
// registry has changed, return TRUE.
//
// The check of thread data against registry data reduces the
// number of times that the logging thread is interrupted.
// This is necessary because each property page OnApply
// generates this check.
//
stiDefault.wDataType = SLQ_TT_DTYPE_DATETIME;
stiDefault.wTimeType = SLQ_TT_TTYPE_LAST_MODIFIED;
stiDefault.dwAutoMode = SLQ_AUTO_MODE_AT;
stiDefault.llDateTime = MAX_TIME_VALUE;
dwStatus = ReadRegistrySlqTime (
pQuery->hKeyQuery,
pQuery->szQueryName,
L"Last Modified",
&stiDefault,
&stiLastModified );
//
// Status always success if default provided.
//
assert( ERROR_SUCCESS == dwStatus );
//
// LastModified and LastConfigured are stored as GMT
//
if ( stiLastModified.llDateTime <= pQuery->llLastConfigured ) {
*pbModified = FALSE;
} else {
LOG_QUERY_DATA TempQuery;
memset (&TempQuery, 0, sizeof(TempQuery));
StringCchCopy (TempQuery.szQueryName, MAX_PATH + 1, pQuery->szQueryName );
TempQuery.hKeyQuery = pQuery->hKeyQuery;
if ( ERROR_SUCCESS != LoadQueryConfig( &TempQuery ) ) {
// Event has been logged. Set mod flag to stop the query.
*pbModified = TRUE;
} else {
*pbModified = !FieldsMatch ( pQuery, &TempQuery );
}
// Delete memory allocated by registry data load.
DeallocateQueryBuffers ( &TempQuery );
}
return dwStatus;
}
DWORD
ReconfigureQuery (
IN PLOG_QUERY_DATA pQuery )
{
DWORD dwStatus = ERROR_SUCCESS;
LOG_QUERY_DATA TempQuery;
BOOL bStopQuery = FALSE;
// *** Optimization - perform this check within IsModified, to avoid extra
// load from the registry.
memset (&TempQuery, 0, sizeof(TempQuery));
StringCchCopy (TempQuery.szQueryName, MAX_PATH + 1, pQuery->szQueryName );
TempQuery.hKeyQuery = pQuery->hKeyQuery;
if ( ERROR_SUCCESS != LoadQueryConfig( &TempQuery ) ) {
// Event has been logged. Stop the query.
bStopQuery = TRUE;
} else {
bStopQuery = ( NULL_INTERVAL_TICS == ComputeStartWaitTics ( &TempQuery, FALSE ) );
}
if ( bStopQuery ) {
SetEvent (pQuery->hExitEvent);
} else {
// Set reconfiguration flag so that the log thread processing knows that
// this is not the initial configuration. The ProcessLogFileFolder uses
// this flag to determine which error event to report.
pQuery->bReconfiguration = TRUE;
if (( SLQ_COUNTER_LOG == pQuery->dwLogType ) ||
( SLQ_ALERT == pQuery->dwLogType ) ){
// Signal the logging thread to reconfigure.
pQuery->bLoadNewConfig= TRUE;
SetEvent (pQuery->hReconfigEvent);
} else {
#if _IMPLEMENT_WMI
BOOL bMustStopRestart;
assert( SLQ_TRACE_LOG == pQuery->dwLogType );
//
// Change the current query. For some properties, this
// means stopping then restarting the query.
//
bMustStopRestart = !TraceStopRestartFieldsMatch ( pQuery, &TempQuery );
if ( !bMustStopRestart ) {
if ( ERROR_SUCCESS != LoadQueryConfig( pQuery ) ) {
SetEvent (pQuery->hExitEvent);
} else {
// Update the trace log session. Do not increment
// the file autoformat serial number.
// File name serial number is already incremented.
InitTraceProperties ( pQuery, FALSE, NULL, NULL );
dwStatus = GetTraceQueryStatus ( pQuery, NULL );
if ( ERROR_SUCCESS == dwStatus ) {
dwStatus = UpdateTrace(
pQuery->LoggerHandle,
pQuery->szLoggerName,
&pQuery->Properties );
}
}
} else {
// Signal the logging thread to reconfigure.
pQuery->bLoadNewConfig= TRUE;
SetEvent (pQuery->hReconfigEvent);
}
}
}
#else
dwStatus = ERROR_CALL_NOT_IMPLEMENTED;
#endif
return dwStatus;
}
DWORD
GetTraceQueryStatus (
IN PLOG_QUERY_DATA pQuery,
IN OUT PLOG_QUERY_DATA pReturnQuery )
{
DWORD dwStatus = ERROR_SUCCESS;
#if _IMPLEMENT_WMI
PLOG_QUERY_DATA pLocalQuery = NULL;
if ( NULL != pQuery ) {
if ( NULL != pReturnQuery ) {
pLocalQuery = pReturnQuery;
} else {
pLocalQuery = G_ALLOC ( sizeof (LOG_QUERY_DATA) );
}
if ( NULL != pLocalQuery ) {
ClearTraceProperties ( pLocalQuery );
pLocalQuery->Properties.Wnode.BufferSize = sizeof(pQuery->Properties)
+ sizeof(pQuery->szLoggerName)
+ sizeof(pQuery->szLogFileName);
pLocalQuery->Properties.Wnode.Flags = WNODE_FLAG_TRACED_GUID;
dwStatus = QueryTrace (
pQuery->LoggerHandle,
pQuery->szLoggerName,
&pLocalQuery->Properties );
if ( NULL == pReturnQuery ) {
G_FREE ( pLocalQuery );
}
} else {
dwStatus = ERROR_OUTOFMEMORY;
}
} else {
dwStatus = ERROR_INVALID_PARAMETER;
}
#else
dwStatus = ERROR_CALL_NOT_IMPLEMENTED;
#endif
return dwStatus;
}
void
CloseTraceLogger (
IN PLOG_QUERY_DATA pQuery )
{
DWORD dwIndex;
if ( SLQ_TRACE_LOG == pQuery->dwLogType ) {
if ( !( pQuery->Properties.EnableFlags & EVENT_TRACE_FLAG_PROCESS
|| pQuery->Properties.EnableFlags & EVENT_TRACE_FLAG_THREAD
|| pQuery->Properties.EnableFlags & EVENT_TRACE_FLAG_DISK_IO
|| pQuery->Properties.EnableFlags & EVENT_TRACE_FLAG_NETWORK_TCPIP ) )
{
for (dwIndex = 0; dwIndex < pQuery->ulGuidCount; dwIndex++) {
EnableTrace (
FALSE,
pQuery->arrpGuid[dwIndex].dwFlag,
pQuery->arrpGuid[dwIndex].dwLevel,
&pQuery->arrpGuid[dwIndex].Guid,
pQuery->LoggerHandle);
}
}
StopTrace (
pQuery->LoggerHandle,
pQuery->szLoggerName,
&pQuery->Properties );
}
}
DWORD
StartQuery (
IN PLOG_QUERY_DATA pQuery )
{
DWORD dwStatus = ERROR_SUCCESS;
LPWSTR szStringArray[2];
HANDLE hThread = NULL;
DWORD dwThreadId;
pQuery->bLoadNewConfig= FALSE;
//
// Create the logging thread.
//
hThread = CreateThread (
NULL, 0, LoggingThreadProc,
(LPVOID)pQuery, 0, &dwThreadId);
if ( NULL != hThread ) {
pQuery->hThread = hThread;
} else {
//
// Unable to start thread.
//
dwStatus = GetLastError();
szStringArray[0] = pQuery->szQueryName;
ReportEvent (hEventLog,
EVENTLOG_WARNING_TYPE,
0,
SMLOG_UNABLE_START_THREAD,
NULL,
1,
sizeof(DWORD),
szStringArray,
(LPVOID)&dwStatus);
}
if ( ERROR_SUCCESS != dwStatus ) {
SetStoppedStatus ( pQuery );
}
return dwStatus;
}
DWORD
SetStoppedStatus (
IN PLOG_QUERY_DATA pQuery )
{
DWORD dwStatus;
LONGLONG llTime = 0;
//
// Ignore bad status
//
pQuery->dwCurrentState = SLQ_QUERY_STOPPED;
dwStatus = WriteRegistryDwordValue (
pQuery->hKeyQuery,
L"Current State",
&pQuery->dwCurrentState,
REG_DWORD );
if ( SLQ_AUTO_MODE_NONE == pQuery->stiRegStart.dwAutoMode ) {
pQuery->stiRegStart.llDateTime = MAX_TIME_VALUE;
dwStatus = WriteRegistrySlqTime (
pQuery->hKeyQuery,
L"Start",
&pQuery->stiRegStart);
}
GetLocalFileTime ( &llTime );
// If stop is manual or StopAt with time before now (no repeat), set to manual
// with MIN_TIME_VALUE
if ( SLQ_AUTO_MODE_NONE == pQuery->stiRegStop.dwAutoMode ) {
pQuery->stiRegStop.dwAutoMode = SLQ_AUTO_MODE_NONE;
pQuery->stiRegStop.llDateTime = MIN_TIME_VALUE;
dwStatus = WriteRegistrySlqTime (
pQuery->hKeyQuery,
L"Stop",
&pQuery->stiRegStop);
} else if ( ( SLQ_AUTO_MODE_AT == pQuery->stiRegStop.dwAutoMode
&& ( SLQ_AUTO_MODE_CALENDAR != pQuery->stiRepeat.dwAutoMode ) )
&& ( llTime >= pQuery->stiRegStop.llDateTime ) ) {
pQuery->stiRegStop.dwAutoMode = SLQ_AUTO_MODE_NONE;
pQuery->stiRegStop.llDateTime = MIN_TIME_VALUE;
dwStatus = WriteRegistrySlqTime (
pQuery->hKeyQuery,
L"Stop",
&pQuery->stiRegStop);
} else if ( SLQ_AUTO_MODE_SIZE == pQuery->stiRegStop.dwAutoMode
&& SLQ_AUTO_MODE_CALENDAR != pQuery->stiRepeat.dwAutoMode ) {
// If Size mode and no repeat, set stop time to MIN_TIME_VALUE
pQuery->stiRegStop.llDateTime = MIN_TIME_VALUE;
dwStatus = WriteRegistrySlqTime (
pQuery->hKeyQuery,
L"Stop",
&pQuery->stiRegStop);
}
return dwStatus;
}
DWORD
HandleMaxQueriesExceeded (
IN PLOG_QUERY_DATA pQuery )
{
DWORD dwStatus = ERROR_SUCCESS;
//
// The query has not been started yet, but still in "Start Pending" state.
//
SetStoppedStatus ( pQuery );
return dwStatus;
}
DWORD
ConfigureQuery (
HKEY hKeyLogQuery,
LPWSTR szQueryKeyNameBuffer,
LPWSTR szQueryNameBuffer )
{
DWORD dwStatus = ERROR_SUCCESS;
PLOG_QUERY_DATA pQuery = NULL;
pQuery = GetQueryData ( szQueryNameBuffer );
if ( NULL != pQuery ) {
BOOL bModified;
dwStatus = IsModified ( pQuery, &bModified );
if (dwStatus == ERROR_SUCCESS) {
if ( bModified ) {
dwStatus = ReconfigureQuery ( pQuery );
//
// LastModified and LastConfigured values are stored as GMT
//
GetSystemTimeAsFileTime ( (LPFILETIME)(&pQuery->llLastConfigured) );
}
}
} else {
// No query data block found. Create one and insert it into the list.
BOOL bStartQuery = FALSE;
LPWSTR szStringArray[2];
// Allocate a thread info block.
pQuery = G_ALLOC (sizeof(LOG_QUERY_DATA));
if (pQuery != NULL) {
//
// Initialize the query data block
//
G_ZERO (pQuery, sizeof(LOG_QUERY_DATA));
pQuery->hKeyQuery = hKeyLogQuery;
StringCchCopy (pQuery->szQueryName, MAX_PATH + 1, szQueryNameBuffer);
StringCchCopy (pQuery->szQueryKeyName, MAX_PATH + 1, szQueryKeyNameBuffer);
//
// Determine whether to continue, based on whether start wait time
// is 0 or greater.
// The thread is reinitialized in the logging procedure.
// This pre-check avoids spurious thread creation.
//
dwStatus = LoadQueryConfig( pQuery );
if ( ERROR_SUCCESS != dwStatus ) {
//
// Event already logged.
//
bStartQuery = FALSE;
} else {
bStartQuery = ( NULL_INTERVAL_TICS != ComputeStartWaitTics ( pQuery, FALSE ) );
}
if ( bStartQuery ) {
LockQueryData();
if ( dwActiveSessionCount < dwMaxActiveSessionCount ) {
pQuery->hExitEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
if ( NULL != pQuery->hExitEvent ) {
pQuery->hReconfigEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
if ( NULL != pQuery->hReconfigEvent ) {
//
// LastModified and LastConfigured values are stored as GMT
//
GetSystemTimeAsFileTime ( (LPFILETIME)(&pQuery->llLastConfigured) );
dwStatus = StartQuery( pQuery );
if ( ERROR_SUCCESS == dwStatus ) {
//
// Add the query to the list and continue
if (pFirstQuery == NULL) {
//
// This is the first thread so add it
//
pQuery->next = NULL;
pFirstQuery = pQuery;
} else {
//
// Insert this at the head of the list since
// that's the easiest and the order isn't
// really important.
//
pQuery->next = pFirstQuery;
pFirstQuery = pQuery;
}
dwActiveSessionCount += 1;
SetEvent (hNewQueryEvent );
} else {
// Unable to start query.
// Event has already been logged.
FreeQueryData ( pQuery );
}
} else {
// Unable to create reconfig event.
dwStatus = GetLastError();
szStringArray[0] = szQueryNameBuffer;
ReportEvent (hEventLog,
EVENTLOG_WARNING_TYPE,
0,
SMLOG_UNABLE_CREATE_RECONFIG_EVENT,
NULL,
1,
sizeof(DWORD),
szStringArray,
(LPVOID)&dwStatus);
FreeQueryData( pQuery );
}
} else {
// Unable to create exit event.
dwStatus = GetLastError();
szStringArray[0] = szQueryNameBuffer;
ReportEvent (hEventLog,
EVENTLOG_WARNING_TYPE,
0,
SMLOG_UNABLE_CREATE_EXIT_EVENT,
NULL,
1,
sizeof(DWORD),
szStringArray,
(LPVOID)&dwStatus);
FreeQueryData( pQuery );
}
} else {
szStringArray[0] = szQueryNameBuffer;
ReportEvent (hEventLog,
EVENTLOG_WARNING_TYPE,
0,
SMLOG_MAXIMUM_QUERY_LIMIT,
NULL,
1,
0,
szStringArray,
NULL);
dwStatus = HandleMaxQueriesExceeded ( pQuery );
FreeQueryData ( pQuery );
}
UnlockQueryData();
} else {
// Wait time is -1, or config load error.
FreeQueryData( pQuery );
}
} else {
// Memory allocation error.
dwStatus = GetLastError();
szStringArray[0] = szQueryNameBuffer;
ReportEvent (hEventLog,
EVENTLOG_WARNING_TYPE,
0,
SMLOG_UNABLE_ALLOCATE_DATABLOCK,
NULL,
1,
sizeof(DWORD),
szStringArray,
(LPVOID)&dwStatus);
}
}
return dwStatus;
}
DWORD
DoLogCommandFile (
IN PLOG_QUERY_DATA pArg,
IN LPWSTR szLogFileName,
IN BOOL bStillRunning
)
{
DWORD dwStatus;
BOOL bStatus = FALSE;
const INT ciExtraChars = 4;
size_t sizeCmdBufLen = 0;
size_t sizeBufLen = 0;
size_t sizeStrLen = 0;
LPWSTR szCommandString = NULL;
LPWSTR szTempBuffer = NULL;
LONG lErrorMode;
LPWSTR szStringArray[3];
STARTUPINFO si;
PROCESS_INFORMATION pi;
DWORD dwCreationFlags = NORMAL_PRIORITY_CLASS;
if ( NULL != pArg && NULL != szLogFileName ) {
if ( NULL != pArg->szCmdFileName ) {
dwStatus = pArg->dwCmdFileFailure;
if ( ERROR_SUCCESS == dwStatus ) {
sizeStrLen = lstrlen ( szLogFileName );
sizeCmdBufLen = sizeStrLen + ciExtraChars + 1; // 1 is for NULL
szCommandString = (LPWSTR)G_ALLOC(sizeCmdBufLen * sizeof(WCHAR));
sizeBufLen = sizeCmdBufLen + lstrlen ( pArg->szCmdFileName ) + 1; // 1 is for space char,
// NULL already counted.
szTempBuffer = (LPWSTR)G_ALLOC(sizeBufLen * sizeof(WCHAR));
if ( NULL != szCommandString && NULL != szTempBuffer ) {
// build command line arguments
szCommandString[0] = L'\"';
StringCchCopy (&szCommandString[1], (sizeCmdBufLen - 1), szLogFileName );
StringCchCopy (
&szCommandString[sizeStrLen+1],
(sizeCmdBufLen - (sizeStrLen+1)),
L"\" ");
StringCchCopy (
&szCommandString[sizeStrLen+3],
(sizeCmdBufLen - (sizeStrLen+3)),
(bStillRunning ? L"1" : L"0" ) );
// initialize Startup Info block
memset (&si, 0, sizeof(si));
si.cb = sizeof(si);
si.dwFlags = STARTF_USESHOWWINDOW ;
si.wShowWindow = SW_SHOWNOACTIVATE ;
//si.lpDesktop = L"WinSta0\\Default";
memset (&pi, 0, sizeof(pi));
// supress pop-ups in the detached process
lErrorMode = SetErrorMode(SEM_FAILCRITICALERRORS | SEM_NOOPENFILEERRORBOX);
StringCchCopy (szTempBuffer, sizeBufLen, pArg->szCmdFileName) ;
// see if this is a CMD or a BAT file
// if it is then create a process with a console window, otherwise
// assume it's an executable file that will create it's own window
// or console if necessary
//
_wcslwr (szTempBuffer);
if ((wcsstr(szTempBuffer, L".bat") != NULL)
|| (wcsstr(szTempBuffer, L".cmd") != NULL))
{
dwCreationFlags |= CREATE_NEW_CONSOLE;
} else {
dwCreationFlags |= DETACHED_PROCESS;
}
// recopy the image name to the temp buffer since it was modified
// (i.e. lowercased) for the previous comparison.
szTempBuffer[0] = L'\"';
StringCchCopy (
&szTempBuffer[1],
sizeBufLen - 1,
pArg->szCmdFileName) ;
StringCchLength (
szTempBuffer,
sizeBufLen - 1,
&sizeStrLen) ;
szTempBuffer[sizeStrLen] = L'\"';
sizeStrLen++;
// now add on the text args preceded with a space char
szTempBuffer [sizeStrLen] = L' ' ;
sizeStrLen++ ;
StringCchCopy (
&szTempBuffer[sizeStrLen],
sizeBufLen - sizeStrLen,
szCommandString) ;
//
// The lpApplication name is NULL for CreateProcess
// because the normal use of this function is to launch
// batch files which must be the first part of the lpCommandLine.
// The quotes around the szCommandFileName prevents the wrong
// file from being executed.
//
if( pArg->hUserToken != NULL ){
bStatus = CreateProcessAsUser (
pArg->hUserToken,
NULL,
szTempBuffer,
NULL, NULL, FALSE,
dwCreationFlags,
NULL,
NULL,
&si,
&pi);
} else {
bStatus = CreateProcess (
NULL,
szTempBuffer,
NULL, NULL, FALSE,
dwCreationFlags,
NULL,
NULL,
&si,
&pi);
}
SetErrorMode(lErrorMode);
if (bStatus) {
dwStatus = ERROR_SUCCESS;
if ( NULL != pi.hThread && INVALID_HANDLE_VALUE != pi.hThread ) {
CloseHandle(pi.hThread);
pi.hThread = NULL;
}
if ( NULL != pi.hProcess && INVALID_HANDLE_VALUE != pi.hProcess ) {
CloseHandle(pi.hProcess);
pi.hProcess = NULL;
}
} else {
dwStatus = GetLastError();
}
} else {
dwStatus = ERROR_OUTOFMEMORY;
}
if ( ERROR_SUCCESS != dwStatus ) {
szStringArray[0] = szTempBuffer;
szStringArray[1] = pArg->szQueryName;
szStringArray[2] = FormatEventLogMessage(dwStatus);
ReportEvent (hEventLog,
EVENTLOG_WARNING_TYPE,
0,
SMLOG_LOG_CMD_FAIL,
NULL,
3,
sizeof(DWORD),
szStringArray,
(LPVOID)&dwStatus );
LocalFree( szStringArray[2] );
pArg->dwCmdFileFailure = dwStatus;
}
if ( szCommandString != NULL ) {
G_FREE ( szCommandString );
}
if ( szTempBuffer != NULL ) {
G_FREE ( szTempBuffer );
}
}
} else {
dwStatus = ERROR_INVALID_PARAMETER;
}
} else {
dwStatus = ERROR_INVALID_PARAMETER;
}
return dwStatus;
}
DWORD
GetQueryKeyName (
IN LPCWSTR szQueryName,
OUT LPWSTR szQueryKeyName,
IN DWORD dwQueryKeyNameLen )
{
DWORD dwStatus = ERROR_SUCCESS;
HKEY hKeyLogQueries = NULL;
HKEY hKeyThisLogQuery = NULL;
DWORD dwQueryIndex;
WCHAR szQueryNameBuffer[MAX_PATH+1];
DWORD cchQueryNameBufLen;
WCHAR szQueryClassBuffer[MAX_PATH+1];
DWORD cchQueryClassBufLen;
LPWSTR szCollectionName = NULL;
UINT uiCollectionNameLen = 0;
assert ( 0 < lstrlen ( szQueryName ) );
if ( NULL != szQueryName
&& NULL != szQueryKeyName ) {
if ( 0 < lstrlen ( szQueryName )
&& 0 < dwQueryKeyNameLen ) {
//
// Note: This method does not reallocate buffer or return
// actual buffer size required.
//
memset ( szQueryKeyName, 0, dwQueryKeyNameLen * sizeof (WCHAR) );
dwStatus = OpenLogQueriesKey (
KEY_READ,
(PHKEY)&hKeyLogQueries);
if (dwStatus != ERROR_SUCCESS) {
//
// Unable to read the log query information from the registry.
//
dwStatus = GetLastError();
ReportEvent (hEventLog,
EVENTLOG_ERROR_TYPE,
0,
SMLOG_UNABLE_OPEN_LOG_QUERY,
NULL,
0,
0,
NULL,
NULL);
} else {
//
// Enumerate the queries in the registry.
//
dwQueryIndex = 0;
*szQueryNameBuffer = L'\0';
cchQueryNameBufLen = MAX_PATH+1;
*szQueryClassBuffer = L'\0';
cchQueryClassBufLen = MAX_PATH+1;
while ( (dwStatus = RegEnumKeyEx (
hKeyLogQueries,
dwQueryIndex,
szQueryNameBuffer,
&cchQueryNameBufLen,
NULL,
szQueryClassBuffer,
&cchQueryClassBufLen,
NULL)) != ERROR_NO_MORE_ITEMS )
{
//
// Open key for specified log.
//
dwStatus = RegOpenKeyEx (
hKeyLogQueries,
szQueryNameBuffer,
0L,
KEY_READ,
(PHKEY)&hKeyThisLogQuery);
if (dwStatus == ERROR_SUCCESS) {
if ( 0 == lstrcmpi ( szQueryNameBuffer, szQueryName ) ) {
// TodoSec: Fail on truncation?
StringCchCopy ( szQueryKeyName, dwQueryKeyNameLen, szQueryName );
break;
} else {
dwStatus = SmReadRegistryIndirectStringValue (
hKeyThisLogQuery,
L"Collection Name",
NULL,
&szCollectionName,
&uiCollectionNameLen );
if ( NULL != szCollectionName ) {
if ( 0 < lstrlen ( szCollectionName ) ) {
if ( 0 == lstrcmpi ( szCollectionName, szQueryName ) ) {
// TodoSec: Fail on truncation?
//
// Copy the corresponding query key name to the buffer.
//
StringCchCopy (
szQueryKeyName,
dwQueryKeyNameLen,
szQueryNameBuffer );
break;
}
}
G_FREE ( szCollectionName );
szCollectionName = NULL;
uiCollectionNameLen = 0;
}
}
}
if ( NULL != hKeyThisLogQuery ) {
RegCloseKey ( hKeyThisLogQuery );
hKeyThisLogQuery = NULL;
}
// prepare for next loop
dwStatus = ERROR_SUCCESS;
dwQueryIndex++;
*szQueryNameBuffer = L'\0';
cchQueryNameBufLen = MAX_PATH+1;
*szQueryClassBuffer = L'\0';
cchQueryClassBufLen = MAX_PATH+1;
} // end enumeration of log queries
}
if ( ERROR_NO_MORE_ITEMS == dwStatus ) {
dwStatus = ERROR_SUCCESS;
}
} else {
dwStatus = ERROR_INVALID_PARAMETER;
}
} else {
dwStatus = ERROR_INVALID_PARAMETER;
}
//
// Clean up here if break from while loop
//
if ( NULL != szCollectionName ) {
G_FREE ( szCollectionName );
szCollectionName = NULL;
uiCollectionNameLen = 0;
}
if ( NULL != hKeyThisLogQuery ) {
RegCloseKey ( hKeyThisLogQuery );
hKeyThisLogQuery = NULL;
}
if ( NULL != hKeyLogQueries ) {
RegCloseKey (hKeyLogQueries );
}
return dwStatus;
}
DWORD
Configure ( void )
{
DWORD dwStatus;
HKEY hKeyLogQueries = NULL;
HKEY hKeyThisLogQuery = NULL;
DWORD dwQueryIndex;
WCHAR szQueryNameBuffer[MAX_PATH+1];
DWORD cchQueryNameBufLen;
WCHAR szQueryKeyNameBuffer[MAX_PATH+1];
WCHAR szQueryClassBuffer[MAX_PATH+1];
DWORD cchQueryClassBufLen;
LPWSTR szCollectionName = NULL;
UINT uiCollectionNameLen = 0;
LPWSTR szStringArray[2];
__try {
//
// Open each query in the registry.
//
dwStatus = OpenLogQueriesKey (
KEY_READ,
(PHKEY)&hKeyLogQueries);
if (dwStatus != ERROR_SUCCESS) {
if (dwStatus == ERROR_FILE_NOT_FOUND) {
//
// No logs nor alerts settings, bail out quietly.
//
dwStatus = ERROR_SUCCESS;
} else {
//
// Unable to read the log query information from the registry.
//
dwStatus = GetLastError();
ReportEvent (hEventLog,
EVENTLOG_ERROR_TYPE,
0,
SMLOG_UNABLE_OPEN_LOG_QUERY,
NULL,
0,
0,
NULL,
NULL);
}
} else {
//
// Enumerate and restart or start the queries in the registry.
//
dwQueryIndex = 0;
*szQueryNameBuffer = L'\0';
cchQueryNameBufLen = MAX_PATH+1;
*szQueryClassBuffer = L'\0';
cchQueryClassBufLen = MAX_PATH+1;
while ((dwStatus = RegEnumKeyEx (
hKeyLogQueries,
dwQueryIndex,
szQueryNameBuffer,
&cchQueryNameBufLen,
NULL,
szQueryClassBuffer,
&cchQueryClassBufLen,
NULL)) != ERROR_NO_MORE_ITEMS) {
//
// Open this key
//
dwStatus = RegOpenKeyEx (
hKeyLogQueries,
szQueryNameBuffer,
0L,
KEY_READ | KEY_WRITE,
(PHKEY)&hKeyThisLogQuery);
if (dwStatus == ERROR_SUCCESS) {
//
// Update the service status
//
ssSmLogStatus.dwCheckPoint++;
SetServiceStatus (hSmLogStatus, &ssSmLogStatus);
if ( 0 < lstrlen(szQueryNameBuffer) ) {
StringCchCopy (
szQueryKeyNameBuffer,
MAX_PATH + 1,
szQueryNameBuffer );
}
dwStatus = SmReadRegistryIndirectStringValue (
hKeyThisLogQuery,
L"Collection Name",
NULL,
&szCollectionName,
&uiCollectionNameLen );
if ( NULL != szCollectionName ) {
if ( 0 < lstrlen ( szCollectionName ) ) {
StringCchCopy (
szQueryNameBuffer,
MAX_PATH + 1,
szCollectionName );
}
G_FREE ( szCollectionName );
szCollectionName = NULL;
uiCollectionNameLen = 0;
}
dwStatus = ConfigureQuery (
hKeyThisLogQuery,
szQueryKeyNameBuffer,
szQueryNameBuffer );
//
// hKeyThisLogQuery is stored in the Query data structure.
//
} else {
szStringArray[0] = szQueryNameBuffer;
ReportEvent (hEventLog,
EVENTLOG_WARNING_TYPE,
0,
SMLOG_UNABLE_READ_LOG_QUERY,
NULL,
1,
sizeof(DWORD),
szStringArray,
(LPVOID)&dwStatus);
}
//
// Prepare for next loop.
//
dwStatus = ERROR_SUCCESS;
dwQueryIndex++;
*szQueryNameBuffer = L'\0';
cchQueryNameBufLen = MAX_PATH+1;
*szQueryClassBuffer = L'\0';
cchQueryClassBufLen = MAX_PATH+1;
} // End enumeration of log queries.
}
if ( ERROR_NO_MORE_ITEMS == dwStatus ) {
dwStatus = ERROR_SUCCESS;
}
} __except ( EXCEPTION_EXECUTE_HANDLER ) {
dwStatus = SMLOG_THREAD_FAILED;
}
if ( NULL != hKeyLogQueries ) {
RegCloseKey (hKeyLogQueries );
}
return dwStatus;
}
void
SysmonLogServiceControlHandler(
IN DWORD dwControl
)
{
PLOG_QUERY_DATA pQuery;
DWORD dwStatus;
switch (dwControl) {
case SERVICE_CONTROL_SYNCHRONIZE:
EnterConfigure();
dwStatus = Configure ();
ExitConfigure();
if ( ERROR_SUCCESS == dwStatus )
break;
//
// If not successful, fall through to shutdown.
// Errors already logged.
//
case SERVICE_CONTROL_SHUTDOWN:
case SERVICE_CONTROL_STOP:
//
// Stop logging & close queries and files.
// Set stop event for all running threads.
//
LockQueryData();
ssSmLogStatus.dwCurrentState = SERVICE_STOP_PENDING;
SetServiceStatus (hSmLogStatus, &ssSmLogStatus);
pQuery = pFirstQuery;
while (pQuery != NULL) {
SetEvent (pQuery->hExitEvent);
pQuery = pQuery->next;
}
UnlockQueryData();
break;
case SERVICE_CONTROL_PAUSE:
//
// Stop logging, close queries and files.
// Not supported.
//
break;
case SERVICE_CONTROL_CONTINUE:
//
// Reload ration and restart logging
// Not supported.
//
break;
case SERVICE_CONTROL_INTERROGATE:
//
// Update current status.
//
default:
// report to event log that an unrecognized control
// request was received.
SetServiceStatus (hSmLogStatus, &ssSmLogStatus);
}
}
void
SysmonLogServiceStart (
IN DWORD argc,
IN LPWSTR *argv
)
{
DWORD dwStatus = ERROR_SUCCESS;
DWORD dwQueryIndex;
BOOL bInteractive = FALSE;
BOOL bLogQueriesKeyExists = TRUE;
BOOL bWmiNotificationRegistered = FALSE;
PLOG_QUERY_DATA pQuery;
if ((argc == 1) && (*argv[0] == 'I')) {
bInteractive = TRUE;
}
if (!bInteractive) {
ssSmLogStatus.dwServiceType = SERVICE_WIN32_OWN_PROCESS;
ssSmLogStatus.dwCurrentState = SERVICE_START_PENDING;
ssSmLogStatus.dwControlsAccepted = SERVICE_ACCEPT_STOP
| SERVICE_ACCEPT_SHUTDOWN;
ssSmLogStatus.dwWin32ExitCode = 0;
ssSmLogStatus.dwServiceSpecificExitCode = 0;
ssSmLogStatus.dwCheckPoint = 0;
ssSmLogStatus.dwWaitHint = 1000;
hSmLogStatus = RegisterServiceCtrlHandler (
L"SysmonLog",
SysmonLogServiceControlHandler );
if (hSmLogStatus == (SERVICE_STATUS_HANDLE)0) {
dwStatus = GetLastError();
ReportEvent (hEventLog,
EVENTLOG_ERROR_TYPE,
0,
SMLOG_UNABLE_REGISTER_HANDLER,
NULL,
0,
sizeof(DWORD),
NULL,
(LPVOID)&dwStatus);
//
// This is fatal so bail out.
//
}
}
if ( ERROR_SUCCESS == dwStatus ) {
InitializeCriticalSection ( &QueryDataLock );
InitializeCriticalSection ( &ConfigurationLock );
dwStatus = ClearQueryRunStates();
//
// Continue even if query run state error, unless
// the Log Queries key is missing or not accessible.
//
if ( SMLOG_UNABLE_OPEN_LOG_QUERY == dwStatus ) {
bLogQueriesKeyExists = FALSE;
//
// Sleep long enough for event to be written to event log.
//
Sleep(500);
if (!bInteractive) {
ssSmLogStatus.dwWin32ExitCode = ERROR_SERVICE_SPECIFIC_ERROR;
//
// Use status mask so that error matches the code in the application log.
//
ssSmLogStatus.dwServiceSpecificExitCode = (SMLOG_UNABLE_OPEN_LOG_QUERY & STATUS_MASK);
}
} else {
dwStatus = ERROR_SUCCESS;
//
// Continue on error.
//
LoadDefaultLogFileFolder();
//
// Ignore PDH errors. The only possible error is that the default
// data source has already been set for this process.
// Set the default for the service to DATA_SOURCE_REGISTRY.
//
dwStatus = PdhSetDefaultRealTimeDataSource ( DATA_SOURCE_REGISTRY );
//
// Continue on error.
//
LoadPdhLogUpdateSuccess();
hNewQueryEvent = CreateEvent ( NULL, TRUE, FALSE, NULL );
if ( NULL == hNewQueryEvent ) {
//
// Unable to create new query configuration event.
//
dwStatus = GetLastError();
ReportEvent (hEventLog,
EVENTLOG_WARNING_TYPE,
0,
SMLOG_UNABLE_CREATE_CONFIG_EVENT,
NULL,
0,
sizeof(DWORD),
NULL,
(LPVOID)&dwStatus);
//
// This is fatal so bail out.
//
if (!bInteractive) {
// Sleep long enough for event to be written to event log.
Sleep(500);
ssSmLogStatus.dwWin32ExitCode = dwStatus;
}
}
if ( ( ERROR_SUCCESS == dwStatus ) && !bInteractive) {
//
// Thread synchronization mechanisms now created,
// so set status to Running.
//
ssSmLogStatus.dwCurrentState = SERVICE_RUNNING;
ssSmLogStatus.dwCheckPoint = 0;
SetServiceStatus (hSmLogStatus, &ssSmLogStatus);
}
#if _IMPLEMENT_WMI
if ( ERROR_SUCCESS == dwStatus ) {
// Disable 64-bit warning
#if _MSC_VER >= 1200
#pragma warning(push)
#endif
#pragma warning ( disable : 4152 )
dwStatus = WmiNotificationRegistration (
(const LPGUID) & TraceErrorGuid,
TRUE,
TraceNotificationCallback,
0,
NOTIFICATION_CALLBACK_DIRECT );
if ( ERROR_SUCCESS == dwStatus ) {
bWmiNotificationRegistered = TRUE;
} else {
//
// Unable to create new query configuration event.
//
dwStatus = SMLOG_UNABLE_REGISTER_WMI;
ReportEvent (hEventLog,
EVENTLOG_ERROR_TYPE,
0,
SMLOG_UNABLE_REGISTER_WMI,
NULL,
0,
sizeof(DWORD),
NULL,
(LPVOID)&dwStatus);
//
// This is fatal so bail out.
//
if (!bInteractive) {
// Sleep long enough for event to be written to event log.
Sleep(500);
ssSmLogStatus.dwWin32ExitCode = dwStatus;
}
}
#if _MSC_VER >= 1200
#pragma warning(pop)
#endif
}
#endif
// Set up the queries and start threads.
__try {
if ( ERROR_SUCCESS == dwStatus && bLogQueriesKeyExists) {
EnterConfigure();
dwStatus = Configure ();
ExitConfigure();
}
if ( NULL == pFirstQuery ) {
//
// Nothing to do. Stop the service.
//
if (!bInteractive) {
ssSmLogStatus.dwCurrentState = SERVICE_STOP_PENDING;
SetServiceStatus (hSmLogStatus, &ssSmLogStatus);
}
} else if ( ERROR_SUCCESS == dwStatus ) {
//
// Loop in WaitForMultipleObjects. When any
// query is signaled, deallocate that query data block
// and close its handles.
//
while ( TRUE ) {
BOOL bStatus;
LockQueryData();
//
// About to reconfigure the Wait array, so clear the event.
//
bStatus = ResetEvent ( hNewQueryEvent );
if ( NULL == pFirstQuery ) {
if (!bInteractive) {
ssSmLogStatus.dwCurrentState = SERVICE_STOP_PENDING;
SetServiceStatus (hSmLogStatus, &ssSmLogStatus);
}
UnlockQueryData();
break;
} else {
DWORD dwIndex = 0;
DWORD dwWaitStatus;
assert ( 0 < dwActiveSessionCount );
G_ZERO( arrSessionHandle, sizeof( HANDLE ) * ( dwActiveSessionCount + 1) );
//
// The first element is the global hNewQueryEvent to signal new sessions.
//
arrSessionHandle[dwIndex] = hNewQueryEvent;
dwIndex++;
for ( pQuery = pFirstQuery;
NULL != pQuery;
pQuery = pQuery->next ) {
assert ( NULL != pQuery->hThread );
if ( NULL != pQuery->hExitEvent && NULL != pQuery->hThread ) {
arrSessionHandle[dwIndex] = pQuery->hThread;
dwIndex++;
assert ( dwIndex <= dwActiveSessionCount + 1 );
}
}
UnlockQueryData();
dwWaitStatus = WaitForMultipleObjects (
dwIndex,
arrSessionHandle,
FALSE,
INFINITE );
if ( WAIT_FAILED != dwWaitStatus ){
//
// When here, either a new query has been started, or
// at least one logging thread or has terminated so the
// memory can be released.
//
dwQueryIndex = dwWaitStatus - WAIT_OBJECT_0;
// release the dynamic memory if the wait object is not the StartQuery event.
if ( 0 < dwQueryIndex && dwQueryIndex < dwIndex ) {
SetStoppedStatus( GetQueryDataPtr( arrSessionHandle[dwQueryIndex] ) );
RemoveAndFreeQueryData( arrSessionHandle[dwQueryIndex] );
}
} else {
// Todo: handle error
dwStatus = GetLastError();
}
}
} // End while
}
}
__finally {
// Key assumption here is that all logging threads have been terminated by this point,
// so no need to lock the query data list before freeing the query.
for ( pQuery = pFirstQuery;
NULL != pQuery;
pQuery = pQuery->next )
{
if ( SLQ_TRACE_LOG == pQuery->dwLogType ) {
CloseTraceLogger ( pQuery );
} else {
// Counter log or alert.
if ( NULL != pQuery->hLog ) {
PdhCloseLog( pQuery->hLog, PDH_FLAGS_CLOSE_QUERY );
pQuery->hLog = NULL;
pQuery->hQuery = NULL;
} else {
PdhCloseQuery (pQuery->hQuery);
pQuery->hQuery = NULL;
}
}
SetStoppedStatus( pQuery );
RemoveAndFreeQueryData( pQuery );
}
}
#if _IMPLEMENT_WMI
// Disable 64-bit warning
#if _MSC_VER >= 1200
#pragma warning(push)
#endif
#pragma warning ( disable : 4152 )
if ( bWmiNotificationRegistered ) {
WmiNotificationRegistration(
(const LPGUID) & TraceErrorGuid,
FALSE,
TraceNotificationCallback,
0,
NOTIFICATION_CALLBACK_DIRECT);
}
#if _MSC_VER >= 1200
#pragma warning(pop)
#endif
#endif
if ( NULL != hNewQueryEvent ) {
CloseHandle ( hNewQueryEvent );
hNewQueryEvent = NULL;
}
}
DeleteCriticalSection ( &QueryDataLock );
DeleteCriticalSection ( &ConfigurationLock );
}
if (!bInteractive) {
// Update the service status
ssSmLogStatus.dwCurrentState = SERVICE_STOPPED;
SetServiceStatus (hSmLogStatus, &ssSmLogStatus);
}
if ( NULL != arrPdhDataCollectSuccess ) {
G_FREE ( arrPdhDataCollectSuccess );
arrPdhDataCollectSuccess = NULL;
iPdhDataCollectSuccessCount = 0;
}
if (hEventLog != NULL) {
DeregisterEventSource ( hEventLog );
hEventLog = NULL;
}
return;
}
int
__cdecl main (
int argc,
char *argv[])
/*++
main
Arguments
ReturnValue
0 (ERROR_SUCCESS) if command was processed
Non-Zero if command error was detected.
--*/
{
DWORD dwStatus = ERROR_SUCCESS;
BOOL bInteractive = FALSE;
SERVICE_TABLE_ENTRY DispatchTable[] = {
{L"SysmonLog", SysmonLogServiceStart },
{NULL, NULL }
};
hEventLog = RegisterEventSource (NULL, L"SysmonLog");
hModule = (HINSTANCE) GetModuleHandle(NULL);
if (argc > 1) {
if ((argv[1][0] == '-') || (argv[1][0] == '/')) {
if ((argv[1][1] == 'i') || (argv[1][1] == 'I')) {
bInteractive = TRUE;
}
}
}
if (bInteractive) {
DWORD dwArgs = 1;
LPWSTR szArgs[1];
szArgs[0] = L"I";
SysmonLogServiceStart (dwArgs, szArgs);
} else {
if (!StartServiceCtrlDispatcher (DispatchTable)) {
dwStatus = GetLastError();
// log failure to event log
ReportEvent (hEventLog,
EVENTLOG_ERROR_TYPE,
0,
SMLOG_UNABLE_START_DISPATCHER,
NULL,
0,
sizeof(DWORD),
NULL,
(LPVOID)&dwStatus);
}
}
return dwStatus;
}