/*++

Copyright (C) 1996-1999 Microsoft Corporation

Module Name:

    logthred.c

Abstract:

    Performance Logs and Alerts log/scan thread functions.

--*/

#ifndef UNICODE
#define UNICODE     1
#endif
#ifndef _UNICODE
#define _UNICODE    1
#endif

#ifndef _IMPLEMENT_WMI 
#define _IMPLEMENT_WMI 1
#endif

//
//  Windows Include files
//
#pragma warning ( disable : 4201)

#include <assert.h>

// For Trace *** - these are only necessary because of union query data struct.
#include <nt.h>
#include <ntrtl.h>
#include <nturtl.h>
#include <wtypes.h>
#include <float.h>
#include <limits.h>

#if _IMPLEMENT_WMI
#include <wmistr.h>
#include <evntrace.h>
#endif

#include <lmcons.h>
#include <lmmsg.h>  // for net message function

#include <pdh.h>
#include <pdhp.h>

#include <pdhmsg.h>
#include <strsafe.h>
#include "smlogsvc.h"
#include "smlogmsg.h"

#define SECONDS_IN_DAY      ((LONGLONG)(86400))

#define LOG_EVENT_ON_ERROR  ((BOOL)(1))

// A collection thread can get backed up behind some long-running PDH
// operations causing it to timeout;
// In the case of opening a query and adding a counter, retry
// a number of times before giving up
#define NUM_PDH_RETRIES 20



DWORD
ProcessLogFileFolder (     
    IN PLOG_QUERY_DATA pQuery )
{
    DWORD       dwStatus = ERROR_SUCCESS;
    LPWSTR      szLocalPath = NULL;
    LPWSTR      szEnd = NULL;
    DWORD       dwBufferLength = 0;
    LPSECURITY_ATTRIBUTES   lpSA = NULL;
    WCHAR       cBackslash = L'\\';
    LONG        lErrorMode;
    BOOL        fDirectoryCreated;

    //
    // Environment strings are already expanded.
    //
    dwBufferLength = GetFullPathName ( pQuery->szLogFileFolder, 0, NULL, NULL);

    szLocalPath = (LPWSTR) G_ALLOC ( (dwBufferLength + 1) * sizeof(WCHAR) );

    if ( szLocalPath ) {

        if ( GetFullPathName (
                pQuery->szLogFileFolder,
                dwBufferLength,
                szLocalPath,
                NULL ) > 0 ) 
        {
            //
            // Check for prefix
            //
            // Go one past the first backslash after the drive or remote machine name
            // N.B. We are assuming the full path name looks like either "\\machine\share\..."
            //      or "C:\xxx". How about "\\?\xxx" style names
            //
            if ( cBackslash == szLocalPath[0] && cBackslash == szLocalPath[1] ) {
                szEnd = &szLocalPath[2];
                while ((*szEnd != cBackslash) && (*szEnd != L'\0') ) szEnd++;

                if ( cBackslash == *szEnd ) {
                    szEnd++;
                }         
            } else {
                szEnd = &szLocalPath[3];
            }

            if (*szEnd != L'\0') {
                int iPathLen;

                //
                // Remove the trailing back slash character if it is there.
                //
                iPathLen = lstrlen(szEnd) - 1;
                while ( iPathLen >= 0 && cBackslash == szEnd[ iPathLen ]) {
                    szEnd[ iPathLen ] = L'\0';
                    iPathLen -= 1;
                }
            
                lErrorMode = SetErrorMode ( SEM_FAILCRITICALERRORS | SEM_NOOPENFILEERRORBOX );
                //
                // There are sub dirs to create. 
                //
                while (*szEnd != L'\0') {
                    //
                    // Go to next backslash.
                    //
                    while ((*szEnd != cBackslash) && (*szEnd != L'\0')) szEnd++;
                    if (*szEnd == cBackslash) {
                        //
                        // Terminate path here and create directory.
                        //
                        *szEnd = L'\0';
                        if (!CreateDirectory (szLocalPath, NULL)) {
                            //
                            // See what the error was and "adjust" it if necessary
                            //
                            dwStatus = GetLastError();
                            if ( ERROR_ALREADY_EXISTS == dwStatus ) {
                                //
                                // This is OK
                                //
                                dwStatus = ERROR_SUCCESS;
                            }
                            else {
                                //
                                // Return error code here and don't continue?
                                //
                            }
                        }
                        //
                        // Replace backslash and go to next dir
                        //
                        *szEnd++ = cBackslash;
                    }
                }

                //
                // If the log folder is the default one, put ACLs on it
                // N.B. The gszDefaultLogFileFolder does not contain a back slash char
                //      at the end
                //
                if (lstrcmpi(szLocalPath, gszDefaultLogFileFolder) == 0) {
                    fDirectoryCreated = PerfCreateDirectory (szLocalPath);
                } else {
                    fDirectoryCreated = CreateDirectory (szLocalPath, NULL);
                }

                if ( !fDirectoryCreated ) {
                    //
                    // See what the error was and "adjust" it if necessary
                    //
                    dwStatus = GetLastError();
                    if ( ERROR_ALREADY_EXISTS == dwStatus ) {
                        //
                        // This is OK
                        //
                        dwStatus = ERROR_SUCCESS;
                    }
                }

                SetErrorMode ( lErrorMode );
            } else {
                //
                // Root directory is OK.
                //
                dwStatus = ERROR_SUCCESS;
            }
        } else {
            dwStatus = GetLastError();
        }
        G_FREE ( szLocalPath );
    } else {
        dwStatus = ERROR_OUTOFMEMORY;
    }
    
    // Report event on error
    if ( ERROR_SUCCESS != dwStatus ) {
        DWORD   dwMessageId; 
        LPWSTR szStringArray[3];
        
        szStringArray[0] = pQuery->szLogFileFolder;
        szStringArray[1] = pQuery->szQueryName;
        szStringArray[2] = FormatEventLogMessage(dwStatus);

        if ( pQuery->bReconfiguration ) {
            dwMessageId = SMLOG_INVALID_LOG_FOLDER_STOP;
        } else {
            dwMessageId = SMLOG_INVALID_LOG_FOLDER_START;
        }

        ReportEvent (hEventLog,
            EVENTLOG_WARNING_TYPE,
            0,
            dwMessageId,
            NULL,
            3,
            sizeof(DWORD),
            szStringArray,      
            (LPVOID)&dwStatus);

        LocalFree( szStringArray[2] );
    }

    return dwStatus;
}

DWORD
ValidateCommandFilePath ( 
    IN    PLOG_QUERY_DATA pArg )
{
    DWORD dwStatus = ERROR_SUCCESS;

    if ( 0 != lstrlen ( pArg->szCmdFileName ) ) {
    
        HANDLE hOpenFile;
        LONG   lErrorMode;

        lErrorMode = SetErrorMode ( SEM_FAILCRITICALERRORS | SEM_NOOPENFILEERRORBOX );

        hOpenFile =  CreateFile (
                        pArg->szCmdFileName,
                        GENERIC_READ,
                        0,              // Not shared
                        NULL,           // Security attributes
                        OPEN_EXISTING,  
                        FILE_ATTRIBUTE_NORMAL,
                        NULL );

        if ( ( NULL == hOpenFile ) 
                || INVALID_HANDLE_VALUE == hOpenFile ) {

            LPWSTR  szStringArray[3];

            dwStatus = GetLastError();

            szStringArray[0] = pArg->szCmdFileName;
            szStringArray[1] = pArg->szQueryName;
            szStringArray[2] = FormatEventLogMessage(dwStatus);

            ReportEvent (hEventLog,
                EVENTLOG_WARNING_TYPE,
                0,
                SMLOG_CMD_FILE_INVALID,
                NULL,
                3,
                sizeof(DWORD),
                szStringArray,
                (LPVOID)&dwStatus );

            LocalFree( szStringArray[2] );

            pArg->dwCmdFileFailure = dwStatus;

        } else {
            CloseHandle(hOpenFile);
        }

        SetErrorMode ( lErrorMode );
    }
    return dwStatus;
}


DWORD 
AddCounterToCounterLog (                        
    IN      PLOG_QUERY_DATA pArg, 
    IN      LPWSTR  pszThisPath,
    IN      HANDLE  hQuery,
    IN      BOOL    bLogErrorEvent,
    IN OUT  DWORD*  pdwCounterCount )
{
    LPWSTR              szStringArray[3];
    LONG                lWaitStatus;
    INT                 iRetries;
    BOOL                bFirstTimeout;
    DWORD               dwStatus = ERROR_SUCCESS;
    HCOUNTER            hThisCounter = NULL;
    PDH_STATUS          pdhStatus;                
    PLOG_COUNTER_INFO   pCtrInfo = NULL;
    HANDLE              arrEventHandle[2];
    WCHAR               szRetryCount[SLQ_MAX_VALUE_LEN];

    arrEventHandle[0] = pArg->hExitEvent;           // WAIT_OBJECT_0
    arrEventHandle[1] = pArg->hReconfigEvent;
                
    iRetries = NUM_PDH_RETRIES;
    bFirstTimeout = TRUE;
    do {                
        dwStatus = pdhStatus = PdhAdd009Counter (
                                    hQuery,
                                    pszThisPath, 
                                    (*pdwCounterCount), 
                                    &hThisCounter);

        if ( bFirstTimeout && WAIT_TIMEOUT == pdhStatus ) {
            //
            // Write event log warning message
            //
            StringCchPrintf (
                szRetryCount,
                SLQ_MAX_VALUE_LEN,
                L"%d", 
                iRetries );

            szStringArray[0] = pszThisPath;
            szStringArray[1] = pArg->szQueryName;
            szStringArray[2] = szRetryCount;
            ReportEvent (hEventLog,
                EVENTLOG_WARNING_TYPE,
                0,
                SMLOG_ADD_COUNTER_TIMEOUT,
                NULL,
                3,
                sizeof(DWORD),
                szStringArray,
                (LPVOID)&pdhStatus);

            bFirstTimeout = FALSE;
        }

    } while ( WAIT_TIMEOUT == (lWaitStatus = WaitForMultipleObjects (2, arrEventHandle, FALSE, 0))
              && WAIT_TIMEOUT == pdhStatus
              && iRetries-- > 0 );
    if ( WAIT_TIMEOUT != lWaitStatus ) {
        // the loop was terminated by the Exit/Reconfigure event
        return ERROR_CANCELLED;
    }

    if (dwStatus != ERROR_SUCCESS) {

        iRetries = NUM_PDH_RETRIES;
        do {                
            dwStatus = pdhStatus = PdhAddCounter (
                                        hQuery,
                                        pszThisPath, 
                                        (*pdwCounterCount), 
                                        &hThisCounter);
        } while ( WAIT_TIMEOUT == (lWaitStatus = WaitForMultipleObjects (2, arrEventHandle, FALSE, 0))
                  && WAIT_TIMEOUT == pdhStatus
                  && iRetries-- > 0 );
        if ( WAIT_TIMEOUT != lWaitStatus ) {
            // the loop was terminated by the Exit/Reconfigure event
            return ERROR_CANCELLED;
        }
    }

    if ( !IsErrorSeverity(pdhStatus) ) {
        if ( IsWarningSeverity(pdhStatus) ) {
            //
            // Write event log warning message
            //
            szStringArray[0] = pszThisPath;
            szStringArray[1] = pArg->szQueryName;
            szStringArray[2] = FormatEventLogMessage(pdhStatus);
            ReportEvent (hEventLog,
                EVENTLOG_WARNING_TYPE,
                0,
                SMLOG_ADD_COUNTER_WARNING,
                NULL,
                3,
                sizeof(DWORD),
                szStringArray,
                (LPVOID)&pdhStatus);
            LocalFree( szStringArray[2] );
        }

        pCtrInfo = G_ALLOC (sizeof (LOG_COUNTER_INFO));
        if (pCtrInfo != NULL) {
            //
            // Add this handle to the list
            //
            // Insert at front of list since the order isn't
            // important and this is simpler than walking the
            // list each time.
            //
            pCtrInfo->hCounter = hThisCounter;
            pCtrInfo->next = pArg->pFirstCounter;
            pArg->pFirstCounter = pCtrInfo;
            pCtrInfo = NULL;
            
            (*pdwCounterCount)++; 
       } else {
            dwStatus = ERROR_OUTOFMEMORY;
        }
    } else {
        //
        // For LogByObject, the call is retried with expanded counter if
        // the first try fails, so don't log error event the first time.
        //
        if ( bLogErrorEvent ) {
            // unable to add the current counter so write event log message
            szStringArray[0] = pszThisPath;
            szStringArray[1] = pArg->szQueryName;
            szStringArray[2] = FormatEventLogMessage(pdhStatus);

            if ( PDH_ACCESS_DENIED == pdhStatus ) {
                ReportEvent (
                    hEventLog,
                    EVENTLOG_WARNING_TYPE,
                    0,
                    SMLOG_UNABLE_ACCESS_COUNTER,
                    NULL,
                    2,
                    0,
                    szStringArray,
                    NULL);
            } else {

                ReportEvent (
                    hEventLog,
                    EVENTLOG_WARNING_TYPE,
                    0,
                    SMLOG_UNABLE_ADD_COUNTER,
                    NULL,
                    3,
                    sizeof(DWORD),
                    szStringArray,
                    (LPVOID)&pdhStatus);
            }
            LocalFree( szStringArray[2] );
        }
    }
    return dwStatus;
}
    

BOOL
IsPdhDataCollectSuccess ( PDH_STATUS pdhStatus ) 
{
    BOOL bSuccess = FALSE;

    if ( ERROR_SUCCESS == pdhStatus 
            || PDH_INVALID_DATA == pdhStatus ) {
        bSuccess = TRUE;
    } else if ( 0 < iPdhDataCollectSuccessCount ) {
        INT iIndex;

        for ( iIndex = 0; iIndex < iPdhDataCollectSuccessCount; iIndex++ ) {
            if ( pdhStatus == (PDH_STATUS)arrPdhDataCollectSuccess[iIndex] ) {
                bSuccess = TRUE;
                break;
            }
        }
    }

    return bSuccess;
}

void
ComputeSessionTics(
    IN      PLOG_QUERY_DATA pArg,
    IN OUT  LONGLONG*   pllWaitTics
)
{
    LONGLONG    llLocalTime;

    //
    // Compute total session time based on Stop modes
    // and values.  

    // -1 (NULL_INTERVAL_TICS) signals no session time limit.  This is true for
    // Stop mode SLQ_AUTO_MODE_NONE and SLQ_AUTO_MODE_SIZE.
    //
    // 0 signals that the Stop time is past, so exit immediately.
    //
    // Assume that session is starting, so Start mode isn't relevant.
    //

    //
    // Pointer check is a sanity check.  The calling code is trusted.
    //
    if ( NULL != pArg && NULL != pllWaitTics ) {

        *pllWaitTics = NULL_INTERVAL_TICS;

        if ( SLQ_AUTO_MODE_AFTER == pArg->stiCurrentStop.dwAutoMode 
                || SLQ_AUTO_MODE_AT == pArg->stiCurrentStop.dwAutoMode ) {       

            llLocalTime = (LONGLONG)0;
            GetLocalFileTime (&llLocalTime);

            if ( SLQ_AUTO_MODE_AT == pArg->stiCurrentStop.dwAutoMode ) {
        
                if ( pArg->stiCurrentStop.llDateTime > llLocalTime ) {

                    *pllWaitTics = pArg->stiCurrentStop.llDateTime - llLocalTime;

                } else {
                    //
                    // Session length = 0.  Exit immediately.
                    //
                    *pllWaitTics = ((LONGLONG)(0)); 
                }

            } else if ( SLQ_AUTO_MODE_AFTER == pArg->stiCurrentStop.dwAutoMode ) {
            
                TimeInfoToTics( &pArg->stiCurrentStop, pllWaitTics );
            }
        }
    }

    return;
}

void
ComputeNewFileTics(
    IN      PLOG_QUERY_DATA pArg,
    IN OUT  LONGLONG*   pllWaitTics
)
{

    LONGLONG    llLocalTime;  
    //
    // Compute time until next file creation based on Create New File modes
    // and values.  

    // -1 (NULL_INTERVAL_TICS) signals no time limit.  This is true for
    // mode SLQ_AUTO_MODE_NONE and SLQ_AUTO_MODE_SIZE.
    //
    // 0 signals that the time is past, so exit immediately.
    //
    // Assume that session is starting, so Start mode isn't relevant.
    //

    //
    // Pointer check is a sanity check.  The calling code is trusted.
    //
    if ( NULL != pArg && NULL != pllWaitTics ) {

        *pllWaitTics = NULL_INTERVAL_TICS;

        if ( SLQ_AUTO_MODE_AFTER == pArg->stiCreateNewFile.dwAutoMode ) {       

            GetLocalFileTime (&llLocalTime);

            if ( SLQ_AUTO_MODE_AFTER == pArg->stiCreateNewFile.dwAutoMode ) {
                TimeInfoToTics( &pArg->stiCreateNewFile, pllWaitTics );
                assert ( (LONGLONG)(0) != *pllWaitTics );
            } else if ( SLQ_AUTO_MODE_AT == pArg->stiCreateNewFile.dwAutoMode ) {
                assert ( FALSE );
                *pllWaitTics = (LONGLONG)(0);
            }
        }
    }
    return;
}


void 
ComputeSampleCount(
    IN  PLOG_QUERY_DATA pArg,
    IN  BOOL    bSessionCount,
    OUT LONGLONG*   pllSampleCount
)
{
    LONGLONG    llLocalSampleCount = NULL_INTERVAL_TICS;
    //
    // Compute sample count based on Stop or CreateNewFile modes
    // and values.  Account for the first sample in the log.
    //
    // 0 signals no sample limit in the file.  This is true for
    // Stop modes SLQ_AUTO_MODE_NONE and SLQ_AUTO_MODE_SIZE.
    //
    // -1 signals that the Stop time is past.
    //
    // Sampling is starting now, so Start mode isn't relevant.
    //
    
    //
    // Pointer check is a sanity check.  The calling code is trusted.
    //
    assert ( NULL != pllSampleCount );
    if ( NULL != pllSampleCount ) {

        *pllSampleCount = (LONGLONG)(-1);
    
        if ( bSessionCount ) {
            ComputeSessionTics ( pArg, &llLocalSampleCount );
        } else {
            ComputeNewFileTics ( pArg, &llLocalSampleCount );
        }

        if ( NULL_INTERVAL_TICS == llLocalSampleCount ) {
            //
            // No session/sample limit
            //
            *pllSampleCount = (LONGLONG)(0);
        } else if ( (LONGLONG)(0) == llLocalSampleCount ){
            //
            // Stop time is past
            //
            *pllSampleCount = INFINITE_TICS;
        } else {
            *pllSampleCount = llLocalSampleCount 
                                / (pArg->dwMillisecondSampleInterval * FILETIME_TICS_PER_MILLISECOND);
            //
            // Add in the "zero-th" sample.
            //
            *pllSampleCount += 1;  
        }
    }
    
    return;
}


BOOL
ProcessRepeatOption ( 
    IN OUT PLOG_QUERY_DATA pArg,
    OUT LARGE_INTEGER* pliStartDelayTics )
{
    BOOL            bRepeat = TRUE;

    //
    // Pointer check is a sanity check.  The calling code is trusted.
    //
    assert ( NULL != pliStartDelayTics );
    if ( NULL != pliStartDelayTics ) {
        //
        // If restart not enabled, then exit.
        //
        if ( SLQ_AUTO_MODE_NONE == pArg->stiRepeat.dwAutoMode ) {
            pliStartDelayTics->QuadPart = NULL_INTERVAL_TICS;
            bRepeat = FALSE;
        } else {
            //
            // For SLQ_AUTO_MODE_AFTER, the only value currently supported is 0.
            //
            pliStartDelayTics->QuadPart = (LONGLONG)0;
            //
            // For SLQ_AUTO_MODE_CALENDAR, add n*24 hours to the original start time.
            //    If Stop mode is SLQ_AUTO_MODE_AT, add n*24 hours to stop time.
            //
            if ( SLQ_AUTO_MODE_CALENDAR == pArg->stiRepeat.dwAutoMode ) {
                //
                // Delay of NULL_INTERVAL signals exit immediately.
                //
                pliStartDelayTics->QuadPart = ComputeStartWaitTics ( pArg, TRUE );

                if ( NULL_INTERVAL_TICS == pliStartDelayTics->QuadPart ) {
                    //
                    // This should not occur.
                    //
                    assert ( FALSE );
                    bRepeat = FALSE;
                } else {
                    pArg->dwCurrentState = SLQ_QUERY_START_PENDING;
                    WriteRegistryDwordValue (
                        pArg->hKeyQuery, 
                        (LPCWSTR)L"Current State",
                        &pArg->dwCurrentState,
                        REG_DWORD );
                } 
            } // else for SLQ_AUTO_MODE_AFTER, repeat immediately
        }
    }

    return bRepeat;
}

void
SetPdhOpenOptions ( 
    IN  PLOG_QUERY_DATA   pArg,
    OUT DWORD*  pdwAccess,
    OUT DWORD*  pdwLogFileType )
{

    //
    // Get file type
    //
    switch ( pArg->dwLogFileType ) {
        case SLF_TSV_FILE:
            *pdwLogFileType = PDH_LOG_TYPE_TSV;
            break;

        case SLF_BIN_FILE:
        case SLF_BIN_CIRC_FILE:
            *pdwLogFileType = PDH_LOG_TYPE_BINARY;
            break;

        case SLF_SQL_LOG:
            *pdwLogFileType = PDH_LOG_TYPE_SQL;
            break;

        case SLF_CSV_FILE:
        default:
            *pdwLogFileType = PDH_LOG_TYPE_CSV;
            break;
    }

    *pdwAccess = PDH_LOG_WRITE_ACCESS |
                    PDH_LOG_CREATE_ALWAYS;

    if (SLF_BIN_CIRC_FILE == pArg->dwLogFileType)
        *pdwAccess |= PDH_LOG_OPT_CIRCULAR;

    if ( ( PDH_LOG_TYPE_BINARY != *pdwLogFileType ) 
         && (NULL != pArg->szLogFileComment ) )
        *pdwAccess |= PDH_LOG_OPT_USER_STRING;

    // NOTE:  For all types except sequential binary,
    // the append mode is determined by the file type.
    // All Sql logs are APPEND
    // All text logs are OVERWRITE
    if (   (pArg->dwAppendMode)
        && (*pdwLogFileType == PDH_LOG_TYPE_BINARY) ) {
        *pdwAccess |= PDH_LOG_OPT_APPEND;
    }

}


DWORD
StartLogQuery (
    IN  PLOG_QUERY_DATA pArg
)
{
    DWORD           dwStatus = ERROR_SUCCESS;
    HRESULT         hr = S_OK;
    HKEY            hKeyLogQuery = NULL;
    SLQ_TIME_INFO   slqTime;
    SC_HANDLE       hSC = NULL;
    SC_HANDLE       hService = NULL;
    SERVICE_STATUS  ssData;
    WCHAR           szQueryKeyNameBuf[MAX_PATH + 1];
    WCHAR           szLogPath[2*MAX_PATH];  
    DWORD           dwCurrentState;
    DWORD           dwValue;
    DWORD           dwDefault;
    LONGLONG        llTime;
    LONGLONG        llModifiedTime;

    //
    // Open registry key to the desired service
    //
    dwStatus = GetQueryKeyName ( 
                pArg->szPerfLogName,
                szQueryKeyNameBuf,
                MAX_PATH + 1 );

    if ( ERROR_SUCCESS == dwStatus && 0 < lstrlen (szQueryKeyNameBuf) ) {

        hr = StringCchCopy ( szLogPath, 2*MAX_PATH, L"SYSTEM\\CurrentControlSet\\Services\\SysmonLog\\Log Queries\\" );
        if ( SUCCEEDED ( hr ) ) {
            hr = StringCchCat ( szLogPath, 2*MAX_PATH, szQueryKeyNameBuf );
        }

        if ( SUCCEEDED ( hr ) ) {

            dwStatus = RegOpenKeyEx (
                (HKEY)HKEY_LOCAL_MACHINE,
                szLogPath,
                0L,
                KEY_READ | KEY_WRITE,
                (PHKEY)&hKeyLogQuery);

            if (dwStatus == ERROR_SUCCESS) {
                //
                // If current state is running, then skip the rest.
                //
                dwDefault = SLQ_QUERY_STOPPED;
                dwStatus = ReadRegistryDwordValue (
                    hKeyLogQuery,
                    pArg->szPerfLogName,
                    (LPCWSTR)L"Current State",
                    &dwDefault,
                    &dwCurrentState);

                if (dwCurrentState == SLQ_QUERY_STOPPED) {
                    //
                    // Update the start time to MIN_TIME_VALUE.
                    //
                    GetLocalFileTime ( &llTime );

                    memset (&slqTime, 0, sizeof(slqTime));
                    slqTime.wTimeType = SLQ_TT_TTYPE_START;
                    slqTime.wDataType = SLQ_TT_DTYPE_DATETIME;
                    slqTime.dwAutoMode = SLQ_AUTO_MODE_NONE;
                    slqTime.llDateTime = MIN_TIME_VALUE;

                    dwStatus = WriteRegistrySlqTime (
                        hKeyLogQuery,
                        (LPCWSTR)L"Start",
                        &slqTime);
                    //    
                    // If stop time mode set to manual, or StopAt with time before Now,
                    // set the mode to Manual, value to MAX_TIME_VALUE.
                    //
                    memset (&slqTime, 0, sizeof(slqTime));
                    slqTime.wTimeType = SLQ_TT_TTYPE_STOP;
                    slqTime.wDataType = SLQ_TT_DTYPE_DATETIME;
                    slqTime.dwAutoMode = SLQ_AUTO_MODE_NONE;
                    slqTime.llDateTime = MAX_TIME_VALUE;

                    dwStatus = ReadRegistrySlqTime (
                                hKeyLogQuery, 
                                pArg->szPerfLogName,
                                (LPCWSTR)L"Stop",
                                &slqTime,
                                &slqTime);

                    if ( SLQ_AUTO_MODE_NONE == slqTime.dwAutoMode 
                        || ( SLQ_AUTO_MODE_AT == slqTime.dwAutoMode 
                            && llTime >= slqTime.llDateTime ) ) {

                        slqTime.wTimeType = SLQ_TT_TTYPE_STOP;
                        slqTime.wDataType = SLQ_TT_DTYPE_DATETIME;
                        slqTime.dwAutoMode = SLQ_AUTO_MODE_NONE;
                        slqTime.llDateTime = MAX_TIME_VALUE;
                
                        dwStatus = WriteRegistrySlqTime (
                                        hKeyLogQuery, 
                                        (LPCWSTR)L"Stop",
                                        &slqTime);
                    }

                    //
                    // Set state to start pending.
                    //
                    if (dwStatus == ERROR_SUCCESS) {
                        dwValue = SLQ_QUERY_START_PENDING;
                        dwStatus = WriteRegistryDwordValue (
                            hKeyLogQuery,
                            (LPCWSTR)L"Current State",
                            &dwValue,
                            REG_DWORD);
                    }

                    //
                    // Update the modified time to indicate a change has occurred.
                    //
                    memset (&slqTime, 0, sizeof(slqTime));
                    //
                    // LastModified and LastConfigured values are stored as GMT.
                    //
                    GetSystemTimeAsFileTime ( (LPFILETIME)(&llModifiedTime) );

                    slqTime.wTimeType = SLQ_TT_TTYPE_LAST_MODIFIED;
                    slqTime.wDataType = SLQ_TT_DTYPE_DATETIME;
                    slqTime.dwAutoMode = SLQ_AUTO_MODE_NONE;
                    slqTime.llDateTime = llModifiedTime;

                    dwStatus = WriteRegistrySlqTime (
                        hKeyLogQuery,
                        (LPCWSTR)L"Last Modified",
                        &slqTime);


                    if (dwStatus == ERROR_SUCCESS) {
                        hSC = OpenSCManager ( NULL, NULL, SC_MANAGER_ALL_ACCESS);

                        if (hSC != NULL) {
                            //
                            // Ping the service controller to rescan the entries.
                            //
                            hService = OpenServiceW (
                                            hSC, 
                                            (LPCWSTR)L"SysmonLog",
                                            SERVICE_USER_DEFINED_CONTROL | SERVICE_START );

                            if (hService != NULL) {
                                ControlService ( 
                                    hService, 
                                    SERVICE_CONTROL_SYNCHRONIZE, 
                                    &ssData);
                                CloseServiceHandle (hService);
                            } else {
                                // unable to open log service
                                dwStatus = GetLastError();
                            }
                            CloseServiceHandle (hSC);
                        } else {                
                            // unable to open service controller
                            dwStatus = GetLastError();
                        }
                    } // else unable to set the time

                    if ( ( ERROR_SUCCESS != dwStatus )
                            && ( 1 != pArg->dwAlertLogFailureReported ) ) {
                        LPWSTR  szStringArray[2];

                        szStringArray[0] = pArg->szPerfLogName;
                        szStringArray[1] = pArg->szQueryName;

                        ReportEvent (hEventLog,
                            EVENTLOG_WARNING_TYPE,
                            0,
                            SMLOG_UNABLE_START_ALERT_LOG,
                            NULL,
                            2,
                            sizeof(DWORD),
                            szStringArray,
                            (LPVOID)&dwStatus );
                
                        pArg->dwAlertLogFailureReported = 1;
                    }
                } else {
                    //
                    // The query is either pending or running already.
                    //
                    dwStatus = ERROR_SUCCESS;
                }
            } else { 
                dwStatus = SMLOG_UNABLE_READ_ALERT_LOG;
        
                if ( 1 != pArg->dwAlertLogFailureReported ) {
                    LPWSTR  szStringArray[2];

                    szStringArray[0] = pArg->szPerfLogName;
                    szStringArray[1] = pArg->szQueryName;

                    ReportEvent (hEventLog,
                        EVENTLOG_WARNING_TYPE,
                        0,
                        SMLOG_UNABLE_READ_ALERT_LOG,
                        NULL,
                        2,
                        0,
                        szStringArray,
                        NULL );
        
                    pArg->dwAlertLogFailureReported = 1;
                }
            }
        } // ToDo: else report StringCchxxx failure.
    } else {

        dwStatus = SMLOG_UNABLE_READ_ALERT_LOG;
        
        if ( 1 != pArg->dwAlertLogFailureReported ) {
            LPWSTR  szStringArray[2];

            szStringArray[0] = pArg->szPerfLogName;
            szStringArray[1] = pArg->szQueryName;

            ReportEvent (hEventLog,
                EVENTLOG_WARNING_TYPE,
                0,
                SMLOG_UNABLE_READ_ALERT_LOG,
                NULL,
                2,
                0,
                szStringArray,
                NULL );
        
            pArg->dwAlertLogFailureReported = 1;
        }
    }

    if ( NULL != hKeyLogQuery ) {
        RegCloseKey ( hKeyLogQuery );
    }

    return dwStatus;
}

DWORD
DoAlertCommandFile (
    IN  PLOG_QUERY_DATA     pArg,
    IN  PALERT_COUNTER_INFO pAlertCI,
    IN  LPCWSTR             szTimeStamp,
    IN  LPCWSTR             szMeasuredValue,
    IN  LPCWSTR             szOverUnder,
    IN  LPCWSTR             szLimitValue
)
{
    const   INT ciMaxDelimPerArg = 3;
            DWORD   dwStatus = ERROR_SUCCESS;
            BOOL    bStatus = FALSE;
            LPWSTR  szCommandString = NULL;
            INT     iBufLen = 0;
            LPWSTR  szTempBuffer = NULL;
            LONG    lErrorMode;
            size_t  sizeStrLen;
            DWORD   dwCmdFlags;
            BOOL    bSingleArg = FALSE;
            STARTUPINFO si;
            PROCESS_INFORMATION pi;
            DWORD   dwCreationFlags = NORMAL_PRIORITY_CLASS;
            LPWSTR  szDelim1;
            LPWSTR  szDelim2;
            BOOL    bFirstArgDone = FALSE;

    if ( NULL != pArg 
            && NULL != pAlertCI ) {

        if ( NULL != pArg->szCmdFileName ) {

            dwStatus = pArg->dwCmdFileFailure;

            if ( ERROR_SUCCESS == dwStatus ) { 

                // See if any of the argument flags are set.
                dwCmdFlags = pArg->dwAlertActionFlags & ALRT_CMD_LINE_MASK;

                if ( 0 != dwCmdFlags ) {
                    // Allocate space for all arguments

                    if ( NULL != pArg->szQueryName ) {
                        iBufLen += lstrlen ( pArg->szQueryName ) + ciMaxDelimPerArg;
                    }
                    if ( NULL != szTimeStamp ) {
                        iBufLen += lstrlen ( szTimeStamp ) + ciMaxDelimPerArg;
                    }
                    if ( NULL != pAlertCI->pAlertInfo->szCounterPath) {
                        iBufLen += lstrlen ( pAlertCI->pAlertInfo->szCounterPath ) + ciMaxDelimPerArg;
                    }
                    if ( NULL != szMeasuredValue ) {
                        iBufLen += lstrlen ( szMeasuredValue ) + ciMaxDelimPerArg;
                    }
                    if ( NULL != szOverUnder ) {
                        iBufLen += lstrlen ( szOverUnder ) + ciMaxDelimPerArg;
                    }
                    if ( NULL != szLimitValue ) {
                        iBufLen += lstrlen ( szLimitValue ) + ciMaxDelimPerArg;
                    }
                    if ( NULL != pArg->szUserText ) {
                        iBufLen += lstrlen ( pArg->szUserText ) + ciMaxDelimPerArg;
                    }
                    iBufLen+= 2;    // 1 for possible leading ", 1 for NULL.

                    szCommandString = (LPWSTR)G_ALLOC(iBufLen * sizeof(WCHAR));

                    if ( NULL != szCommandString ) { 

                        szCommandString[0] = L'\0';

                        // build command line arguments
                        if ((pArg->dwAlertActionFlags  & ALRT_CMD_LINE_SINGLE) != 0) {
                            bSingleArg = TRUE;
                            szDelim1 = L",";
                            szDelim2 = L"\0";
                        } else {
                            // multiple arguments enclosed by double quotes and 
                            // separated by a space
                            szDelim1 = L" \"";
                            szDelim2 = L"\"";
                        }

                        if (pArg->dwAlertActionFlags & ALRT_CMD_LINE_A_NAME ) {
                            if ( NULL != pArg->szQueryName ) {
                                if (bFirstArgDone) {
                                    //
                                    // Add leading delimiter
                                    //
                                    StringCchCat ( szCommandString, iBufLen, szDelim1 );
                                } else {
                                    //
                                    // Add leading quote
                                    //
                                    StringCchCat ( szCommandString, iBufLen, L"\"" );
                                    bFirstArgDone = TRUE;
                                }
                                StringCchCat ( szCommandString, iBufLen, pArg->szQueryName );
                                StringCchCat ( szCommandString, iBufLen, szDelim2 );
                            } else {
                                dwStatus = ERROR_INVALID_PARAMETER;
                            }
                        }

                        if ( ERROR_SUCCESS == dwStatus
                                && ( pArg->dwAlertActionFlags  & ALRT_CMD_LINE_D_TIME ) ) 
                        {
                            if ( NULL != szTimeStamp ) {
                                if (bFirstArgDone) {
                                    StringCchCat ( szCommandString, iBufLen, szDelim1 );
                                } else {
                                    StringCchCat ( szCommandString, iBufLen, L"\"" );
                                    bFirstArgDone = TRUE;
                                }

                                StringCchCat ( szCommandString, iBufLen, szTimeStamp );
                                StringCchCat ( szCommandString, iBufLen, szDelim2 );
                            } else {
                                dwStatus = ERROR_INVALID_PARAMETER;
                            }
                        }

                        if ( ERROR_SUCCESS == dwStatus
                                && ( pArg->dwAlertActionFlags  & ALRT_CMD_LINE_C_NAME ) ) 
                        {
                            if ( NULL != pAlertCI->pAlertInfo->szCounterPath ) {
                                if (bFirstArgDone) {
                                    StringCchCat ( szCommandString, iBufLen, szDelim1 );
                                } else {
                                    StringCchCat ( szCommandString, iBufLen, L"\"" );
                                    bFirstArgDone = TRUE;
                                }
                                StringCchCat ( szCommandString, iBufLen, pAlertCI->pAlertInfo->szCounterPath );
                                StringCchCat ( szCommandString, iBufLen, szDelim2 );
                            } else {
                                dwStatus = ERROR_INVALID_PARAMETER;
                            }
                        }

                        if ( ERROR_SUCCESS == dwStatus
                                && ( pArg->dwAlertActionFlags  & ALRT_CMD_LINE_M_VAL ) ) 
                        {
                            if ( NULL != szMeasuredValue ) {
                                if (bFirstArgDone) {
                                    StringCchCat ( szCommandString, iBufLen, szDelim1 );
                                } else {
                                    StringCchCat ( szCommandString, iBufLen, L"\"" );
                                    bFirstArgDone = TRUE;
                                }
                                StringCchCat ( szCommandString, iBufLen, szMeasuredValue );
                                StringCchCat ( szCommandString, iBufLen, szDelim2 );
                            } else {
                                dwStatus = ERROR_INVALID_PARAMETER;
                            }
                        }

                        if ( ERROR_SUCCESS == dwStatus
                                && ( pArg->dwAlertActionFlags  & ALRT_CMD_LINE_L_VAL ) ) 
                        {
                            if ( NULL != szOverUnder && NULL != szLimitValue ) {
                                if (bFirstArgDone) {
                                    StringCchCat ( szCommandString, iBufLen, szDelim1 );
                                } else {
                                    StringCchCat ( szCommandString, iBufLen, L"\"" );
                                    bFirstArgDone = TRUE;
                                }
                                StringCchCat ( szCommandString, iBufLen, szOverUnder );
                                StringCchCat ( szCommandString, iBufLen, L" ");
                                StringCchCat ( szCommandString, iBufLen, szLimitValue );
                                StringCchCat ( szCommandString, iBufLen, szDelim2 );
                            } else {
                                dwStatus = ERROR_INVALID_PARAMETER;
                            }
                        }

                        if ( ERROR_SUCCESS == dwStatus
                                && ( pArg->dwAlertActionFlags  & ALRT_CMD_LINE_U_TEXT ) ) 
                        {
                            if ( NULL != pArg->szUserText ) {
                                if (bFirstArgDone) {
                                    StringCchCat ( szCommandString, iBufLen, szDelim1 );
                                } else {
                                    StringCchCat ( szCommandString, iBufLen, L"\"" );
                                    bFirstArgDone = TRUE;
                                }
                                StringCchCat ( szCommandString, iBufLen, pArg->szUserText );
                                StringCchCat ( szCommandString, iBufLen, szDelim2 );
                            } else {
                                dwStatus = ERROR_INVALID_PARAMETER;
                            }
                        }

                        if (bFirstArgDone && bSingleArg) {
                            // add closing quote if there's at least 1 arg in the command line
                            StringCchCat ( szCommandString, iBufLen, L"\"" );
                        }
                    } else {
                        dwStatus = ERROR_OUTOFMEMORY;
                    }

                    if ( ERROR_SUCCESS == dwStatus )
                    {

                        iBufLen = lstrlen( pArg->szCmdFileName ) + 1;  // 1 for NULL
                        if ( NULL != szCommandString ) {
                            iBufLen += lstrlen ( szCommandString ) + 1;  // 1 for space char
                        }
                        iBufLen += 2;  // 2 for quote characters
                        szTempBuffer = (LPWSTR)G_ALLOC(iBufLen * sizeof(WCHAR));
                    }

                    if ( NULL != szTempBuffer ) {

                        // build command line arguments
                        StringCchCopy ( szTempBuffer, iBufLen, pArg->szCmdFileName );

                        // see if this is a CMD or a BAT file
                        // if it is then create a process with a console window, otherwise
                        // assume it's an executable file that will create it's own window
                        // or console if necessary
                        //
                        _wcslwr (szTempBuffer);
                        if ((wcsstr(szTempBuffer, L".bat") != NULL) ||
                            (wcsstr(szTempBuffer, L".cmd") != NULL)){
                                dwCreationFlags |= CREATE_NEW_CONSOLE;
                        } else {
                                dwCreationFlags |= DETACHED_PROCESS;
                        }
                        // recopy the image name to the temp buffer since it was modified
                        // (i.e. lowercased) for the previous comparison.

                        szTempBuffer[0] = L'\"';

                        StringCchCopy ( (szTempBuffer+1), iBufLen - 1, pArg->szCmdFileName );
                        StringCchLength (szTempBuffer, iBufLen - 1, &sizeStrLen) ;
                        szTempBuffer[sizeStrLen] = L'\"';
                        sizeStrLen++;                        
                        szTempBuffer[sizeStrLen] = L'\0';

                        if ( NULL != szCommandString ) {
                            // now add on the alert text preceded with a space char
                            szTempBuffer [sizeStrLen] = L' ' ;
                            sizeStrLen++ ;

                            StringCchCopy ( &szTempBuffer[sizeStrLen], iBufLen - sizeStrLen, szCommandString );
                        }
                    
                        // initialize Startup Info block
                        memset (&si, 0, sizeof(si));
                        si.cb = sizeof(si);
                        si.dwFlags = STARTF_USESHOWWINDOW ;
                        si.wShowWindow = SW_SHOWNOACTIVATE ;
                        //si.lpDesktop = L"WinSta0\\Default";

                        memset (&pi, 0, sizeof(pi));

                        // supress pop-ups inf the detached process
                        lErrorMode = SetErrorMode(SEM_FAILCRITICALERRORS | SEM_NOOPENFILEERRORBOX);

                        //
                        // The lpApplication name is NULL for CreateProcess 
                        // because the normal use of this function is to launch
                        // batch files which must be the first part of the lpCommandLine.
                        // The quotes around the szCommandFileName prevents the wrong
                        // file from being executed.
                        //

                        if( pArg->hUserToken != NULL ){
                            bStatus = CreateProcessAsUser (
                                        pArg->hUserToken,
                                        NULL,
                                        szTempBuffer,
                                        NULL, NULL, FALSE,
                                        dwCreationFlags,
                                        NULL,
                                        NULL,
                                        &si,
                                        &pi);
                        } else {
                            bStatus = CreateProcess (
                                        NULL,
                                        szTempBuffer,
                                        NULL, NULL, FALSE,
                                        dwCreationFlags,
                                        NULL,
                                        NULL,
                                        &si,
                                        &pi);
                        }

                        SetErrorMode(lErrorMode);

                        if (bStatus) {
                            dwStatus = ERROR_SUCCESS;
                            if ( NULL != pi.hThread && INVALID_HANDLE_VALUE != pi.hThread ) {
                                CloseHandle(pi.hThread);
                                pi.hThread = NULL;
                            }
                            if ( NULL != pi.hProcess && INVALID_HANDLE_VALUE != pi.hProcess ) {
                                CloseHandle(pi.hProcess);
                                pi.hProcess = NULL;
                            }
                        } else {
                            dwStatus = GetLastError();
                        }
                    } else {
                        dwStatus = ERROR_OUTOFMEMORY;
                    }
                    if (szCommandString != NULL) G_FREE(szCommandString);
                    if (szTempBuffer != NULL) G_FREE(szTempBuffer);
                }
            }

            if ( ERROR_SUCCESS != dwStatus ) { 

                LPWSTR  szStringArray[2];

                szStringArray[0] = szTempBuffer;
                szStringArray[1] = pArg->szQueryName;

                ReportEvent (hEventLog,
                    EVENTLOG_WARNING_TYPE,
                    0,
                    SMLOG_ALERT_CMD_FAIL,
                    NULL,
                    2,
                    sizeof(DWORD),
                    szStringArray,
                    (LPVOID)&dwStatus );

                pArg->dwCmdFileFailure = dwStatus;
            }
        } else {
            dwStatus = ERROR_INVALID_PARAMETER;
        }
    } else {
        dwStatus = ERROR_INVALID_PARAMETER;
    }
    return dwStatus;
}

BOOL
ExamineAlertValues (
    IN    PLOG_QUERY_DATA pArg
)
{
    PDH_STATUS  pdhStatus = ERROR_SUCCESS;
    DWORD       dwStatus = ERROR_SUCCESS;
    PALERT_COUNTER_INFO     pAlertCI;
    DWORD                   dwType;
    PDH_FMT_COUNTERVALUE    pdhCurrentValue;
    BOOL                    bDoAlertAction;

    //
    // For each counter in query, compare it's formatted
    // value against the alert value and do the desired operation
    // if the alert condition is exceeded.
    //
    for (pAlertCI = (PALERT_COUNTER_INFO)pArg->pFirstCounter;
         pAlertCI != NULL;
         pAlertCI = pAlertCI->next) {

        bDoAlertAction = FALSE;
        
        //
        // get formatted counter value
        //
        pdhStatus = PdhGetFormattedCounterValue (
                        pAlertCI->hCounter,
                        PDH_FMT_DOUBLE | PDH_FMT_NOCAP100,
                        &dwType,
                        &pdhCurrentValue);

        if ((pdhStatus == ERROR_SUCCESS) && 
            ((pdhCurrentValue.CStatus == PDH_CSTATUS_VALID_DATA) || 
             (pdhCurrentValue.CStatus == PDH_CSTATUS_NEW_DATA))) {
            //
            // The value is good so compare it
            //
            if ((pAlertCI->pAlertInfo->dwFlags & AIBF_OVER) == AIBF_OVER) {
                //
                // Test for value > limit.
                //
                if (pdhCurrentValue.doubleValue > pAlertCI->pAlertInfo->dLimit) {
                    bDoAlertAction = TRUE;
                }
            } else {
                //
                // Test for value < limit.
                //
                if (pdhCurrentValue.doubleValue < pAlertCI->pAlertInfo->dLimit) {
                    bDoAlertAction = TRUE;
                }
            }
        }

        if (bDoAlertAction) {
            WCHAR   szValueString[SLQ_MAX_VALUE_LEN];
            WCHAR   szLimitString[SLQ_MAX_VALUE_LEN];
            WCHAR   szOverUnderString[64];
            WCHAR   szTimeStampFmt[2*SLQ_MAX_VALUE_LEN];
            WCHAR   szTimeStamp[2*SLQ_MAX_VALUE_LEN];
            DWORD   dwFmtStringFlags;
            size_t  cchBufLen;
            SYSTEMTIME  st;

            //
            // Build arguments used by event log and net messsage if either 
            // option is enabled
            //
            dwFmtStringFlags = ALRT_ACTION_LOG_EVENT | ALRT_ACTION_SEND_MSG | ALRT_ACTION_EXEC_CMD;

            if ((pArg->dwAlertActionFlags & dwFmtStringFlags) != 0) {
                INT     nResId;
 
                //
                // Report event to event log
                //

                //
                // Format message string elements
                // The following methods truncate and null terminate the string if it is
                // too long for the buffer.  Continue in this case because strings are only
                // used to report data to the user.
                //
                StringCchPrintf (
                        szValueString,
                        SLQ_MAX_VALUE_LEN,
                        L"%.*g", 
                        DBL_DIG, 
                        pdhCurrentValue.doubleValue );

                StringCchPrintf (
                    szLimitString,
                    SLQ_MAX_VALUE_LEN,
                    L"%.*g", 
                    DBL_DIG, 
                    pAlertCI->pAlertInfo->dLimit );

                nResId = pAlertCI->pAlertInfo->dwFlags & AIBF_OVER ? IDS_OVER : IDS_UNDER;
                LoadString (
                    hModule,
                    nResId,
                    szOverUnderString, 
                    (sizeof(szOverUnderString) / sizeof(szOverUnderString[0])));
                
                //
                // Get timestamp format string
                //
                LoadString (
                    hModule,
                    IDS_ALERT_TIMESTAMP_FMT,
                    szTimeStampFmt, 
                    (sizeof(szTimeStampFmt) / sizeof(szTimeStampFmt[0])));

                //
                // Message format string expects the following args:
                //  Timestamp
                //  Counter path string
                //  measured value
                //  over/under
                //  limit value
                GetLocalTime (&st);

                StringCchPrintf (
                    szTimeStamp,
                    2*SLQ_MAX_VALUE_LEN,
                    szTimeStampFmt, 
                    st.wYear, 
                    st.wMonth, 
                    st.wDay,
                    st.wHour, 
                    st.wMinute, 
                    st.wSecond );
            }

            //
            // Do action(s) as defined in flags
            //
            if ((pArg->dwAlertActionFlags & ALRT_ACTION_LOG_EVENT) == ALRT_ACTION_LOG_EVENT) {
                LPWSTR  szStringArray[4];

                szStringArray[0] = pAlertCI->pAlertInfo->szCounterPath;
                szStringArray[1] = szValueString;
                szStringArray[2] = szOverUnderString;
                szStringArray[3] = szLimitString;

                ReportEvent (hEventLog,
                    EVENTLOG_INFORMATION_TYPE,
                    0,
                    SMLOG_ALERT_LIMIT_CROSSED,
                    NULL,
                    4,
                    0,
                    szStringArray,
                    NULL);
            }
            

            if ((pArg->dwAlertActionFlags & ALRT_ACTION_SEND_MSG) == ALRT_ACTION_SEND_MSG) {
               if (pArg->szNetName != NULL) {
                    size_t  sizeCchMessageTextLen = 0;
                    size_t  sizeCchComponentLen = 0;
                    WCHAR   szMessageFormat[MAX_PATH+1];
                    LPWSTR  szMessageText = NULL;
                    //
                    // Get message format string
                    //
                    LoadString (hModule,
                        IDS_ALERT_MSG_FMT,
                        szMessageFormat, 
                        (sizeof(szMessageFormat) / sizeof(szMessageFormat[0])));
                    //
                    // MAX_PATH + 1 - 1
                    //
                    szMessageFormat [MAX_PATH] = L'\0';

                    // message format string expects the following args:
                    //  Timestamp
                    //  Counter path string
                    //  measured value
                    //  over/under
                    //  limit value

                    StringCchLength ( szMessageFormat, STRSAFE_MAX_CCH, &sizeCchComponentLen );
                    sizeCchMessageTextLen += sizeCchComponentLen;
                    
                    StringCchLength ( szTimeStamp, STRSAFE_MAX_CCH, &sizeCchComponentLen );
                    sizeCchMessageTextLen += sizeCchComponentLen;

                    StringCchLength ( pAlertCI->pAlertInfo->szCounterPath, STRSAFE_MAX_CCH, &sizeCchComponentLen );
                    sizeCchMessageTextLen += sizeCchComponentLen;

                    StringCchLength ( szValueString, STRSAFE_MAX_CCH, &sizeCchComponentLen );
                    sizeCchMessageTextLen += sizeCchComponentLen;

                    StringCchLength ( szOverUnderString, STRSAFE_MAX_CCH, &sizeCchComponentLen );
                    sizeCchMessageTextLen += sizeCchComponentLen;
    
                    StringCchLength ( szLimitString, STRSAFE_MAX_CCH, &sizeCchComponentLen );
                    sizeCchMessageTextLen += sizeCchComponentLen;
                    //
                    // Add one for Null.
                    //
                    sizeCchMessageTextLen++;

                    szMessageText = G_ALLOC ( sizeCchMessageTextLen * sizeof(WCHAR) );

                    if ( NULL != szMessageText ) {

                        //
                        // Truncation is okay.
                        //
                        StringCchPrintf (
                                szMessageText,
                                sizeCchMessageTextLen,
                                szMessageFormat, 
                                szTimeStamp,
                                pAlertCI->pAlertInfo->szCounterPath,
                                szValueString,
                                szOverUnderString,
                                szLimitString);

                        //
                        // Send network message to specified computer
                        //
                        dwStatus = NetMessageBufferSend(  
                                        NULL,
                                        pArg->szNetName,    
                                        NULL,      
                                        (LPBYTE)szMessageText,           
                                        (DWORD)(sizeCchMessageTextLen * sizeof(WCHAR)) );

                        G_FREE (szMessageText);
                    } else {
                        dwStatus = ERROR_OUTOFMEMORY;
                    }

                } else {
                   dwStatus = ERROR_OUTOFMEMORY;
                }
                if ( ( ERROR_SUCCESS != dwStatus )
                        && ( 1 != pArg->dwNetMsgFailureReported ) ) {
                    LPWSTR  szStringArray[3];
                    //
                    // Write event log warning message for net message
                    // only one time per session.
                    //
                    szStringArray[0] = pArg->szQueryName;
                    szStringArray[1] = pArg->szNetName;
                    szStringArray[2] = FormatEventLogMessage(dwStatus);
                    ReportEvent (hEventLog,
                        EVENTLOG_WARNING_TYPE,
                        0,
                        SMLOG_NET_MESSAGE_WARNING,
                        NULL,
                        3,
                        sizeof(DWORD),
                        szStringArray,
                        (LPVOID)&dwStatus);
                    
                    LocalFree( szStringArray[2] );
                    pArg->dwNetMsgFailureReported = 1;
                }
            }

            if ((pArg->dwAlertActionFlags & ALRT_ACTION_EXEC_CMD) == ALRT_ACTION_EXEC_CMD) {
                //
                // Errors logged in DoAlertCommandFile.
                //
                dwStatus = DoAlertCommandFile (
                                pArg,
                                pAlertCI,
                                szTimeStamp,
                                szValueString,
                                szOverUnderString,
                                szLimitString);
            }

            if ((pArg->dwAlertActionFlags & ALRT_ACTION_START_LOG) == ALRT_ACTION_START_LOG) {
                //
                // Start specified perf data log. 
                // Errors logged in StartLogQuery.
                //
                dwStatus = StartLogQuery ( pArg );
                
            }
        }
    }  // end of for each counter in alert loop
    return TRUE;
}

BOOL
AlertProc (
    IN    PLOG_QUERY_DATA pArg
)
{
    DWORD           dwStatus = ERROR_SUCCESS;
    LARGE_INTEGER   liStartDelayTics;
    LARGE_INTEGER   liSampleDelayTics;
    LONGLONG        llSampleCollectionTics;
    LONGLONG        llSampleIntervalTics;
    PDH_STATUS      pdhStatus = ERROR_SUCCESS;
    DWORD           dwCounterCount;
    INT             iRetries;
    LONG            lWaitStatus;

    LPWSTR          szThisPath;
    BOOL            bRun = FALSE;
    LPWSTR          szStringArray[4];
    WCHAR           szRetryCount[SLQ_MAX_VALUE_LEN];
    
    LONGLONG        llSessionSampleCount=(LONGLONG)-1;
    PALERT_COUNTER_INFO   pCtrInfo = NULL;
    PALERT_INFO_BLOCK   pAlertInfo = NULL;
    DWORD           dwBufSize;

    LONGLONG        llStartTime = 0;
    LONGLONG        llFinishTime = 0;
    HANDLE          arrEventHandle[2];
    BOOL            bFirstTimeout;

    arrEventHandle[0] = pArg->hExitEvent;           // WAIT_OBJECT_0
    arrEventHandle[1] = pArg->hReconfigEvent;

    __try {

        liStartDelayTics.QuadPart = ((LONGLONG)(0));
        liSampleDelayTics.QuadPart = ((LONGLONG)(0));
        llSampleCollectionTics = ((LONGLONG)(0));

        //
        // Read registry values.
        //
        if ( ERROR_SUCCESS == LoadQueryConfig ( pArg ) ) {
            bRun = TRUE;
        }
     
        if ( TRUE == bRun ) {
            // Delay of -1 signals exit immediately.
            liStartDelayTics.QuadPart = ComputeStartWaitTics ( pArg, TRUE );

            if ( NULL_INTERVAL_TICS == liStartDelayTics.QuadPart ) {
                bRun = FALSE;
            }
        }

        if ( TRUE == bRun ) {
        
            ValidateCommandFilePath ( pArg );

            // open query and add counters from info file

            iRetries = NUM_PDH_RETRIES;
            bFirstTimeout = TRUE;
            do {
                if (pArg->dwRealTimeQuery == DATA_SOURCE_WBEM) {
                    pdhStatus = PdhOpenQueryH(
                            H_WBEM_DATASOURCE, 0, & pArg->hQuery); // from current activity
                } else {
                    pdhStatus = PdhOpenQueryH(
                            H_REALTIME_DATASOURCE, 0, & pArg->hQuery);
                }

                if ( bFirstTimeout && WAIT_TIMEOUT == pdhStatus ) {
                    //
                    // Write event log warning message
                    //
                    StringCchPrintf (
                        szRetryCount,
                        SLQ_MAX_VALUE_LEN,
                        L"%d", 
                        iRetries );

                    szStringArray[0] = pArg->szQueryName;
                    szStringArray[1] = szRetryCount;
                    ReportEvent (hEventLog,
                        EVENTLOG_WARNING_TYPE,
                        0,
                        SMLOG_OPEN_QUERY_TIMEOUT,
                        NULL,
                        2,
                        sizeof(DWORD),
                        szStringArray,
                        (LPVOID)&pdhStatus);

                    bFirstTimeout = FALSE;
                }
            } while ( WAIT_TIMEOUT == (lWaitStatus = WaitForMultipleObjects (2, arrEventHandle, FALSE, 0)) &&
                      WAIT_TIMEOUT == pdhStatus &&
                      iRetries-- > 0);
            if ( WAIT_TIMEOUT != lWaitStatus ) {
                // the loop was terminated by the Exit/Reconfigure event
                if ( ERROR_SUCCESS == pdhStatus ) {
                    PdhCloseQuery(pArg->hQuery);
                }
                bRun = FALSE;
            } else if (pdhStatus != ERROR_SUCCESS) {
                // unable to open query so write event log message and exit
                szStringArray[0] = pArg->szQueryName;
                szStringArray[1] = FormatEventLogMessage(pdhStatus);
                ReportEvent (hEventLog,
                    EVENTLOG_WARNING_TYPE,
                    0,
                    SMLOG_UNABLE_OPEN_PDH_QUERY,
                    NULL,
                    2,
                    sizeof(DWORD),
                    szStringArray,
                    (LPVOID)&pdhStatus);

                LocalFree( szStringArray[1] );

                bRun = FALSE;
            } 
        }

        //
        // Add each counter and associated alert limits.
        //
        if ( TRUE == bRun ) {
            dwCounterCount = 0;
            for (szThisPath = pArg->mszCounterList;
                    *szThisPath != 0;
                    szThisPath += lstrlen(szThisPath) + 1) {
            
                HCOUNTER        hThisCounter;

                //
                // Allocate information block
                //
                dwBufSize = (lstrlenW(szThisPath) + 1) * sizeof(WCHAR);
                dwBufSize += sizeof(ALERT_INFO_BLOCK);
                pAlertInfo = (PALERT_INFO_BLOCK)G_ALLOC(dwBufSize);

                if (pAlertInfo == NULL) {
                    dwStatus = SMLOG_UNABLE_ALLOC_ALERT_MEMORY;
                    break;
                } else {                
                    //
                    // Get alert info from string
                    //
                    if (MakeInfoFromString (szThisPath, pAlertInfo, &dwBufSize)) {

                        iRetries = NUM_PDH_RETRIES;
                        bFirstTimeout = TRUE;
                        do {
                        
                            pdhStatus = PdhAdd009Counter (pArg->hQuery,
                                                   pAlertInfo->szCounterPath, 
                                                   dwCounterCount, 
                                                   &hThisCounter);
                            
                            if ( bFirstTimeout && WAIT_TIMEOUT == pdhStatus ) {
                                //
                                // Write event log warning message
                                //
                                StringCchPrintf (
                                    szRetryCount,
                                    SLQ_MAX_VALUE_LEN,
                                    L"%d", 
                                    iRetries );

                                szStringArray[0] = pAlertInfo->szCounterPath;
                                szStringArray[1] = pArg->szQueryName;
                                szStringArray[2] = szRetryCount;
                                ReportEvent (hEventLog,
                                    EVENTLOG_WARNING_TYPE,
                                    0,
                                    SMLOG_ADD_COUNTER_TIMEOUT,
                                    NULL,
                                    3,
                                    sizeof(DWORD),
                                    szStringArray,
                                    (LPVOID)&pdhStatus);

                                bFirstTimeout = FALSE;
                            }


                        } while ( WAIT_TIMEOUT == (lWaitStatus = WaitForMultipleObjects (2, arrEventHandle, FALSE, 0)) &&
                                  WAIT_TIMEOUT == pdhStatus &&
                                  iRetries-- > 0);

                        if ( WAIT_TIMEOUT != lWaitStatus ) {
                            if ( NULL != pAlertInfo ) {
                                G_FREE (pAlertInfo); // toss unused alert buffer
                                pAlertInfo = NULL;
                            }
                            bRun = FALSE;
                            dwStatus = ERROR_CANCELLED; // don't report an error
                            break;
                        } else {

                            if (pdhStatus != ERROR_SUCCESS) {
                                iRetries = NUM_PDH_RETRIES;
                                do {
                                    pdhStatus = PdhAddCounter (pArg->hQuery,
                                                       pAlertInfo->szCounterPath, 
                                                       dwCounterCount, 
                                                       &hThisCounter);

                                } while ( WAIT_TIMEOUT == (lWaitStatus = WaitForMultipleObjects (2, arrEventHandle, FALSE, 0)) &&
                                          WAIT_TIMEOUT == pdhStatus &&
                                          iRetries-- > 0);

                                if ( WAIT_TIMEOUT != lWaitStatus ) {
                                    if ( NULL != pAlertInfo ) {
                                        G_FREE (pAlertInfo); // toss unused alert buffer
                                        pAlertInfo = NULL;
                                    }
                                    bRun = FALSE;
                                    dwStatus = ERROR_CANCELLED; // don't report an error
                                    break;
                                }
                            }
                        }

                        if ( !IsErrorSeverity(pdhStatus) ) {

                            dwCounterCount++;

                            if ( ERROR_SUCCESS != pdhStatus ) {
                                szStringArray[0] = szThisPath;
                                szStringArray[1] = pArg->szQueryName;
                                szStringArray[2] = FormatEventLogMessage(pdhStatus);
                                ReportEvent (hEventLog,
                                    EVENTLOG_WARNING_TYPE,
                                    0,
                                    SMLOG_ADD_COUNTER_WARNING,
                                    NULL,
                                    3,
                                    sizeof(DWORD),
                                    szStringArray,
                                    (LPVOID)&pdhStatus);
                                LocalFree( szStringArray[2] );
                            }

                            //
                            //  Add this handle to the list
                            //
                            pCtrInfo = G_ALLOC (sizeof (ALERT_COUNTER_INFO));
                    
                            if (pCtrInfo != NULL) {
                                //
                                // Insert at front of list since the order isn't
                                // important.
                                //
                                pCtrInfo->hCounter = hThisCounter;
                                pCtrInfo->pAlertInfo = pAlertInfo;
                                pCtrInfo->next = (PALERT_COUNTER_INFO)pArg->pFirstCounter;
                                pArg->pFirstCounter = (PLOG_COUNTER_INFO)pCtrInfo;
                                pAlertInfo = NULL;
                                pCtrInfo = NULL;
                            } else {
                                dwStatus = SMLOG_UNABLE_ALLOC_ALERT_MEMORY;
                                //
                                // Delete unused alert info structure.
                                //
                                G_FREE (pAlertInfo); 
                                pAlertInfo = NULL;
                                break;
                            }
                        } else {
                            //
                            // Unable to add the current counter.
                            //
                            szStringArray[0] = pAlertInfo->szCounterPath;
                            szStringArray[1] = pArg->szQueryName;
                            szStringArray[2] = FormatEventLogMessage(pdhStatus);

                            if ( PDH_ACCESS_DENIED == pdhStatus ) {
                                ReportEvent (
                                    hEventLog,
                                    EVENTLOG_WARNING_TYPE,
                                    0,
                                    SMLOG_UNABLE_ACCESS_COUNTER,
                                    NULL,
                                    2,
                                    0,
                                    szStringArray,
                                    NULL);
                            } else {

                                ReportEvent (
                                    hEventLog,
                                    EVENTLOG_WARNING_TYPE,
                                    0,
                                    SMLOG_UNABLE_ADD_COUNTER,
                                    NULL,
                                    3,
                                    sizeof(DWORD),
                                    szStringArray,
                                    (LPVOID)&pdhStatus);
                            }
                            LocalFree( szStringArray[2] );

                            //
                            // Delete unused alert info structure.
                            //
                            if ( NULL != pAlertInfo ) {
                                G_FREE (pAlertInfo); 
                                pAlertInfo = NULL;
                            }
                        }
                    } else {
                        //
                        // Unable to parse alert info, or 
                        // unable to add the current counter.
                        //
                        szStringArray[0] = szThisPath;
                        szStringArray[1] = pArg->szQueryName;
                        ReportEvent (hEventLog,
                            EVENTLOG_WARNING_TYPE,
                            0,
                            SMLOG_UNABLE_PARSE_ALERT_INFO,
                            NULL,
                            2,
                            0,
                            szStringArray,
                            NULL);

                        //
                        // Delete unused alert info structure.
                        //
                        if ( NULL != pAlertInfo ) {
                            G_FREE (pAlertInfo); 
                            pAlertInfo = NULL;
                        }
                    }
                }
            }

            if ( ERROR_SUCCESS == dwStatus ) {
            
                if ( 0 < dwCounterCount ) {
                    //
                    // Raise priority to ensure that data is logged.
                    //
                    SetThreadPriority (GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL);
                } else {
                    bRun = FALSE;
                    //
                    // Unable to add any counters.
                    //
                    szStringArray[0] = pArg->szQueryName;
                    ReportEvent (hEventLog,
                        EVENTLOG_WARNING_TYPE,
                        0,
                        SMLOG_UNABLE_ADD_ANY_COUNTERS,
                        NULL,
                        1,
                        0,
                        szStringArray,
                        NULL);
                }
            } else {

                assert ( ERROR_OUTOFMEMORY == dwStatus );
                //
                // Memory allocation error.
                //
                szStringArray[0] = pArg->szQueryName;
                ReportEvent (hEventLog,
                    EVENTLOG_WARNING_TYPE,
                    0,
                    SMLOG_UNABLE_ALLOC_ALERT_MEMORY,
                    NULL,
                    1,
                    0,
                    szStringArray,
                    NULL);

                bRun = FALSE;
            }

            while (bRun) {

                if ( 0 < liStartDelayTics.QuadPart ) {
                    //
                    // NtWaitForMultipleObjects requires negative Tic value
                    //
                    liStartDelayTics.QuadPart = ((LONGLONG)(0)) - liStartDelayTics.QuadPart;
                    //
                    // Wait until specified start time, or until exit or reconfigure event.
                    //
                    if ( STATUS_TIMEOUT != NtWaitForMultipleObjects ( 
                                                2, 
                                                &arrEventHandle[0], 
                                                WaitAny,
                                                FALSE, 
                                                &liStartDelayTics )) {
                        //
                        // Exit if not running.
                        //
                        bRun = FALSE;
                        break;
                    }
                }

                pArg->dwCurrentState = SLQ_QUERY_RUNNING;
                dwStatus = WriteRegistryDwordValue (
                            pArg->hKeyQuery, 
                            (LPCWSTR)L"Current State",
                            &pArg->dwCurrentState,
                            REG_DWORD );
                assert (dwStatus == ERROR_SUCCESS);
                    
                szStringArray[0] = pArg->szQueryName;
                ReportEvent (hEventLog,
                    EVENTLOG_INFORMATION_TYPE,
                    0,
                    SMLOG_ALERT_SCANNING,
                    NULL,
                    1,
                    0,
                    szStringArray,
                    NULL);
                //
                // Compute session sample count.
                // 0 samples signals no limit.
                // -1 samples signals exit immediately
                //
                ComputeSampleCount( pArg, TRUE, &llSessionSampleCount );
            
                if ( -1 == llSessionSampleCount ) {
                    goto ProcessAlertRepeat;
                }

                //
                // Start sampling immediately. liSampleDelayTics is initialized to 0.
                // Wait until specified sample time, or until exit or reconfigure event.
                //
                while ( STATUS_TIMEOUT == NtWaitForMultipleObjects ( 
                                            2, 
                                            &arrEventHandle[0], 
                                            WaitAny, 
                                            FALSE, 
                                            &liSampleDelayTics)) {
                    //
                    // An event flag will be set when the sampling should exit or reconfigure. if
                    // the wait times out, then that means it's time to collect and
                    // log another sample of data.
                    //
                
                    GetLocalFileTime (&llStartTime);
                    //
                    // Check for reconfig event.
                    //
                    if ( pArg->bLoadNewConfig ) {
                        bRun = FALSE;
                        break;
                    }

                    pdhStatus = PdhCollectQueryData (pArg->hQuery);

                    if ( IsPdhDataCollectSuccess ( pdhStatus )
                            || IsWarningSeverity ( pdhStatus ) ) {
                    
                        if (pdhStatus == ERROR_SUCCESS) {
                            //
                            // Process alert counters.
                            //
                            ExamineAlertValues (pArg);
                        }
                        //
                        // See if it's time to restart or end the alert scan.
                        // 0 samples signals no sample limit.
                        //
                        if ( 0 != llSessionSampleCount ) {
                            if ( !--llSessionSampleCount ) 
                                break;
                        }
                    } else {
                        //
                        // Unable to collect the query data.
                        //
                        szStringArray[0] = pArg->szQueryName;
                        szStringArray[1] = FormatEventLogMessage(pdhStatus);

                        ReportEvent (hEventLog,
                            EVENTLOG_WARNING_TYPE,
                            0,
                            SMLOG_UNABLE_COLLECT_DATA,
                            NULL,
                            2,
                            sizeof(DWORD),
                            szStringArray,
                            (LPVOID)&pdhStatus);

                        LocalFree( szStringArray[1] );

                        bRun = FALSE;
                        break;
                    }

                    //
                    // Compute new timeout value
                    //
                    GetLocalFileTime (&llFinishTime);

                    llSampleCollectionTics = llFinishTime - llStartTime;

                    llSampleIntervalTics = 
                        (LONGLONG)pArg->dwMillisecondSampleInterval*FILETIME_TICS_PER_MILLISECOND;
                    if ( llSampleCollectionTics < llSampleIntervalTics ) {
                        liSampleDelayTics.QuadPart = llSampleIntervalTics - llSampleCollectionTics;
                    } else {
                        liSampleDelayTics.QuadPart = ((LONGLONG)(0));                       
                    }
                    //
                    // NtWaitForMultipleObjects requires negative Tic value
                    //
                    liSampleDelayTics.QuadPart = ((LONGLONG)(0)) - liSampleDelayTics.QuadPart;

                } // end while wait keeps timing out
                
                //
                // Use 0 SampleDelayTics value to check for ExitEvent.
                //
                liSampleDelayTics.QuadPart = ((LONGLONG)(0));

                if ( pArg->bLoadNewConfig ) {
                    bRun = FALSE;
                } else if ( STATUS_TIMEOUT != NtWaitForSingleObject (
                                                pArg->hExitEvent, 
                                                FALSE, 
                                                &liSampleDelayTics ) ) {
                    //
                    // The loop was terminated by the Exit event
                    // so clear the "run" flag to exit the loop & thread.
                    //
                    bRun = FALSE;
                }
                //
                // Exit if restart not enabled.
                //
ProcessAlertRepeat:
                if ( bRun ) {
                    bRun = ProcessRepeatOption ( pArg, &liStartDelayTics );
                }

            } // end while (bRun)
            
            PdhCloseQuery (pArg->hQuery);
            pArg->hQuery = NULL;        
        }

        SetLastError ( ERROR_SUCCESS );
    } __except ( EXCEPTION_EXECUTE_HANDLER ) {

        bRun = FALSE;
        
        if ( NULL != pArg->hQuery ) {
            PdhCloseQuery ( pArg->hQuery );
            pArg->hQuery = NULL;
        }

        SetLastError ( SMLOG_THREAD_FAILED );  
    }
        
    DeallocateQueryBuffers ( pArg );

    while ( NULL != pArg->pFirstCounter ) {
        PALERT_COUNTER_INFO pDelCI = (PALERT_COUNTER_INFO)pArg->pFirstCounter;
        if (pDelCI->pAlertInfo != NULL) G_FREE(pDelCI->pAlertInfo);

        pArg->pFirstCounter = (PLOG_COUNTER_INFO)pDelCI->next;

        G_FREE( pDelCI );
    }

    return bRun;
}

BOOL
CounterLogProc (
    IN    PLOG_QUERY_DATA pArg )
{
#define INSTBUFLEN  (4096)

    DWORD           dwStatus = ERROR_SUCCESS;
    LARGE_INTEGER   liStartDelayTics;
    LARGE_INTEGER   liSampleDelayTics;
    LONGLONG        llSampleCollectionTics;
    LONGLONG        llSampleIntervalTics;
    PDH_STATUS      pdhStatus = ERROR_SUCCESS;
    DWORD           dwCounterCount;
    INT             iRetries;
    INT             iCnfSerial;
    DWORD           dwSessionSerial;

    LPWSTR          szThisPath;
    DWORD           dwPdhLogFileType;
    DWORD           dwPdhAccessFlags;
    BOOL            bRun = FALSE;
    LONGLONG        llSessionSampleCount=(LONGLONG)-1;
    LONGLONG        llCnfSampleCount=(LONGLONG)-1;
    LONGLONG        llLoopSampleCount=(LONGLONG)-1;
    // Todo:  Enforce log file name length
    WCHAR           szCurrentLogFile[MAX_PATH+1];
    WCHAR           szRetryCount[SLQ_MAX_VALUE_LEN];
    BOOL            bFirstTimeout;
    LPWSTR          szStringArray[4];
    DWORD           dwFileSizeLimit;
    ULONGLONG       ullFileSizeLimit;
    LONGLONG        llFileSize;

    LONGLONG        llStartTime = 0;
    LONGLONG        llFinishTime = 0;
    PLOG_COUNTER_INFO pDelCI;

    // Wildcard processing
    ULONG   ulBufLen = 0;
    ULONG   ulBufSize = 0;
    ULONG   ulLocaleBufLen = 0;
    LPWSTR  szLocaleBuf = NULL;
    LPWSTR  pLocalePath = NULL;
    INT     nCounterBufRetry;
    LPWSTR  pszCounterBuf = NULL;
    LPWSTR  pszCounter;
    DWORD   dwPdhExpandFlags;
    PPDH_COUNTER_PATH_ELEMENTS pPathInfo = NULL;

    LONG            lWaitStatus;
    HANDLE arrEventHandle[2];

    arrEventHandle[0] = pArg->hExitEvent;           // WAIT_OBJECT_0
    arrEventHandle[1] = pArg->hReconfigEvent;

    __try {

        liStartDelayTics.QuadPart = ((LONGLONG)(0));
        liSampleDelayTics.QuadPart = ((LONGLONG)(0));
        llSampleCollectionTics = ((LONGLONG)(0));

        //
        // Read registry values.
        //
        if ( ERROR_SUCCESS == LoadQueryConfig ( pArg ) ) {
            bRun = TRUE;
        }
    
        if ( TRUE == bRun ) {
            //
            // Delay of -1 signals exit immediately.
            //
            liStartDelayTics.QuadPart = ComputeStartWaitTics ( pArg, TRUE );

            if ( NULL_INTERVAL_TICS == liStartDelayTics.QuadPart ) {
                bRun = FALSE;
            }
        }

        if ( TRUE == bRun ) {
            //
            // Stop the query if new log file folder is not valid.
            // ProcessLogFileFolder reports an error event on failure.  Event message content
            // depends on whether this is a reconfiguration or the original configuration.
            //
            bRun = ( ERROR_SUCCESS == ProcessLogFileFolder( pArg ) );
        }

        if ( TRUE == bRun ) {
       
            ValidateCommandFilePath ( pArg );

            //
            // Open query and add counters from info file.
            //

            iRetries = NUM_PDH_RETRIES;
            bFirstTimeout = TRUE;
            do {
                if (pArg->dwRealTimeQuery == DATA_SOURCE_WBEM) {
                    pdhStatus = PdhOpenQueryH(
                            H_WBEM_DATASOURCE, 0, & pArg->hQuery); 
                } else {
                    pdhStatus = PdhOpenQueryH(
                            H_REALTIME_DATASOURCE, 0, & pArg->hQuery);
                }

                if ( bFirstTimeout && WAIT_TIMEOUT == pdhStatus ) {
                    //
                    // Write event log warning message
                    //
                    StringCchPrintf (
                        szRetryCount,
                        SLQ_MAX_VALUE_LEN,
                        L"%d", 
                        iRetries );

                    szStringArray[0] = pArg->szQueryName;
                    szStringArray[1] = szRetryCount;
                    ReportEvent (hEventLog,
                        EVENTLOG_WARNING_TYPE,
                        0,
                        SMLOG_OPEN_QUERY_TIMEOUT,
                        NULL,
                        2,
                        sizeof(DWORD),
                        szStringArray,
                        (LPVOID)&pdhStatus);

                    bFirstTimeout = FALSE;
                }
            } while ( WAIT_TIMEOUT == (lWaitStatus = WaitForMultipleObjects (2, arrEventHandle, FALSE, 0)) &&
                      WAIT_TIMEOUT == pdhStatus &&
                      iRetries-- > 0 );

            if ( WAIT_TIMEOUT != lWaitStatus ) {
                // the loop was terminated by the Exit/Reconfigure event
                if ( ERROR_SUCCESS == pdhStatus ) {
                    PdhCloseQuery (pArg->hQuery);
                }
                bRun = FALSE;
            } else if (pdhStatus != ERROR_SUCCESS) {
                 //
                // Unable to open query.
                //
                szStringArray[0] = pArg->szQueryName;
                szStringArray[1] = FormatEventLogMessage(pdhStatus);
                ReportEvent (hEventLog,
                    EVENTLOG_WARNING_TYPE,
                    0,
                    SMLOG_UNABLE_OPEN_PDH_QUERY,
                    NULL,
                    2,
                    sizeof(DWORD),
                    szStringArray,
                    (LPVOID)&pdhStatus);
                LocalFree( szStringArray[1] );

                bRun = FALSE;
            }
        }
        //
        // Add each counter to the open query.
        //
        if ( TRUE == bRun ) {
    
            dwStatus = ERROR_SUCCESS;
            dwCounterCount = 0;
            for (szThisPath = pArg->mszCounterList;
                *szThisPath != 0;
                szThisPath += lstrlen(szThisPath) + 1) {

                if (wcschr(szThisPath, L'*') == NULL) {
                    //
                    // No wildcards
                    //
                    dwStatus = AddCounterToCounterLog( pArg, szThisPath, pArg->hQuery, LOG_EVENT_ON_ERROR, &dwCounterCount );
                } else {
                    //
                    // At least one wildcard
                    //
                    dwPdhExpandFlags = 0;
                    pszCounterBuf = NULL;

                    //
                    // Only expand wildcard instances for text log files.
                    //
                    if (pArg->dwLogFileType == SLF_SQL_LOG) {
                        //
                        // No need to expand wildcard instances for SQL log.
                        // SQL log now has the capability to catch dynamic
                        // instances, so we can pass in wildcard-instance
                        // counter names here.
                        //
                        dwPdhExpandFlags |= PDH_NOEXPANDINSTANCES;
                    } else if (   SLF_CSV_FILE != pArg->dwLogFileType
                             && SLF_TSV_FILE != pArg->dwLogFileType) {
                        //
                        // This is the binary counter logfile case.
                        // No need to expand wildcard instances. Also, if
                        // default real-time datasource is from registry (not
                        // WMI), we can handle add-by-object.
                        //
                        dwPdhExpandFlags |= PDH_NOEXPANDINSTANCES;

                        if ( DATA_SOURCE_REGISTRY == pArg->dwRealTimeQuery) {
                            //
                            // If both instance and counter are wildcards, then log by object
                            // rather than expanding the counter path.
                            // This is only true when the actual data source is the registry.
                            //
                            // Parse pathname.
                            //
                            do {
                                if (pPathInfo) {
                                    G_FREE(pPathInfo);
                                    pPathInfo = NULL;
                                }
                                else {
                                    ulBufSize = sizeof(PDH_COUNTER_PATH_ELEMENTS) + (PDH_MAX_COUNTER_PATH + 1) * sizeof(WCHAR);
                                }
    
                                pPathInfo = (PPDH_COUNTER_PATH_ELEMENTS) G_ALLOC(ulBufSize);
    
                                if (pPathInfo == NULL) {
                                    pdhStatus = ERROR_OUTOFMEMORY;
                                    break;
                                }
    
                                pdhStatus = PdhParseCounterPath( szThisPath, pPathInfo, & ulBufSize, 0);
    
                            } while (pdhStatus == PDH_INSUFFICIENT_BUFFER || pdhStatus == PDH_MORE_DATA);
    
                            if (pdhStatus == ERROR_SUCCESS) {
                                if ( 0 == lstrcmpi ( pPathInfo->szCounterName, L"*" ) ) {
                                    if ( NULL != pPathInfo->szInstanceName ) {
                                        if ( 0 == lstrcmpi ( pPathInfo->szInstanceName, L"*" ) ) {
                                            //
                                            // If PdhAddCounter failed,the realtime data source is actually WBEM.
                                            // In this case, expand the counter paths.
                                            //
                                            dwStatus = AddCounterToCounterLog( pArg, szThisPath, pArg->hQuery, !LOG_EVENT_ON_ERROR, &dwCounterCount );
                                            if ( ERROR_SUCCESS == dwStatus ) {
                                                continue;
                                            } else {
                                                //
                                                // Enumerate counter paths below and retry.
                                                //
                                                dwStatus = ERROR_SUCCESS;
                                            }
                                        }
                                    } else {
                                        dwStatus = AddCounterToCounterLog( pArg, szThisPath, pArg->hQuery, !LOG_EVENT_ON_ERROR, &dwCounterCount );
                                        //
                                        // If PdhAddCounter failed,the realtime data source is actually WBEM.
                                        // In this case, expand the counter paths.
                                        //
                                        if ( ERROR_SUCCESS == dwStatus ) {
                                            continue;
                                        } else {
                                            //
                                            // Enumerate counter paths below and retry.
                                            //
                                            dwStatus = ERROR_SUCCESS;
                                        }
                                    }
                                }
                            } else {
                                //
                                // Report event and continue to next counter.
                                //
                                szStringArray[0] = szThisPath;
                                szStringArray[1] = pArg->szQueryName;
                                szStringArray[2] = FormatEventLogMessage(pdhStatus);
                                ReportEvent (
                                    hEventLog,
                                    EVENTLOG_WARNING_TYPE,
                                    0,
                                    SMLOG_UNABLE_PARSE_COUNTER,
                                    NULL,
                                    3,
                                    sizeof(DWORD),
                                    szStringArray,
                                    (LPVOID)&pdhStatus);
                                LocalFree( szStringArray[2] );

                                continue;
                            }
                        }
                    }
                    //
                    // Log by object paths are already processed.  For other paths with at least 
                    // one wildcard, expand the path before adding counters.
                    //

                    //
                    // Initialize the locale path buffer
                    //
                    pLocalePath = NULL;
                    if (ulLocaleBufLen == 0) {
                        ulLocaleBufLen = PDH_MAX_COUNTER_PATH + 1;

                        szLocaleBuf = (LPWSTR) G_ALLOC(ulLocaleBufLen * sizeof(WCHAR));
                        if (szLocaleBuf == NULL) {
                            dwStatus = ERROR_OUTOFMEMORY;
                            ulLocaleBufLen = 0;
                        }
                    }

                    if ( szLocaleBuf != NULL ) {
                        //
                        // Translate counter name from English to Localized.
                        //
                        ulBufSize = ulLocaleBufLen;
        
                        pdhStatus = PdhTranslateLocaleCounter(
                                        szThisPath,
                                        szLocaleBuf,
                                        &ulBufSize);
        
                        if (pdhStatus == PDH_MORE_DATA) {
                            if (szLocaleBuf) {
                                G_FREE(szLocaleBuf);
                                szLocaleBuf = NULL;
                                ulLocaleBufLen = 0;
                            }

                            szLocaleBuf = (LPWSTR) G_ALLOC(ulBufSize * sizeof(WCHAR));
                            if (szLocaleBuf != NULL) {
                                ulLocaleBufLen = ulBufSize;

                                pdhStatus = PdhTranslateLocaleCounter(
                                                szThisPath,
                                                szLocaleBuf,
                                                &ulBufSize);
                            }
                            else {
                                dwStatus = ERROR_OUTOFMEMORY;
                            }
                        }

                        if (pdhStatus == ERROR_SUCCESS) {
                            pLocalePath = szLocaleBuf;
                        }
                    }

                    if (pLocalePath) {
                        ulBufLen          = INSTBUFLEN;
                        nCounterBufRetry  = 10;   // the retry counter

                        do {
                            //
                            // pszCounterBuf is always NULL the first time through.
                            //
                            if ( NULL != pszCounterBuf ) {
                                G_FREE(pszCounterBuf);
                                pszCounterBuf = NULL;
                                ulBufLen *= 2;
                            }

                            pszCounterBuf = (WCHAR*) G_ALLOC(ulBufLen * sizeof(WCHAR));
                            if (pszCounterBuf == NULL) {
                                dwStatus = ERROR_OUTOFMEMORY;
                                break;
                            }
                
                            pdhStatus = PdhExpandWildCardPath (
                                NULL,
                                pLocalePath,
                                pszCounterBuf,
                                &ulBufLen,
                                dwPdhExpandFlags);
                            nCounterBufRetry--;
                        } while ((pdhStatus == PDH_MORE_DATA) && (nCounterBufRetry));
    

                        if (ERROR_SUCCESS == pdhStatus && ERROR_SUCCESS == dwStatus ) {
                            //
                            // Add path. 
                            //
                            for (pszCounter = pszCounterBuf;
                                *pszCounter != 0;
                                pszCounter += lstrlen(pszCounter) + 1) {

                                dwStatus = AddCounterToCounterLog ( pArg, pszCounter, pArg->hQuery, LOG_EVENT_ON_ERROR, &dwCounterCount );
                                if ( ERROR_OUTOFMEMORY == dwStatus ) {
                                    break;
                                }
                            }
                        }
                        if ( NULL != pszCounterBuf ) {
                            G_FREE(pszCounterBuf);
                            pszCounterBuf = NULL;
                        }
                    }
                }

                if ( ERROR_OUTOFMEMORY == dwStatus ) {

                    szStringArray[0] = pArg->szQueryName;
                    ReportEvent (hEventLog,
                        EVENTLOG_WARNING_TYPE,
                        0,
                        SMLOG_UNABLE_ALLOC_LOG_MEMORY,
                        NULL,
                        1,
                        0,
                        szStringArray,
                        NULL);
                    bRun = FALSE;
                } // Other errors reported within the loop
            }

            if (szLocaleBuf) {
                G_FREE(szLocaleBuf);
                szLocaleBuf = NULL;
            }
            if ( bRun ) {

                if ( 0 < dwCounterCount ) {
                    //
                    // Raise priority to make sure we get to log the data.
                    //
                    SetThreadPriority (GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL);
                } else {
                    //
                    // Unable to add any counters.
                    //
                    bRun = FALSE;

                    szStringArray[0] = pArg->szQueryName;
                    ReportEvent (hEventLog,
                        EVENTLOG_WARNING_TYPE,
                        0,
                        SMLOG_UNABLE_ADD_ANY_COUNTERS,
                        NULL,
                        1,
                        0,
                        szStringArray,
                        NULL);

                }
            }

            while (bRun) {
                
                //
                // Wait until specified start time, or until exit or reconfig event.
                //
                if ( 0 < liStartDelayTics.QuadPart ) {
                    //
                    // NtWaitForMultipleObjects requires negative Tic value
                    //
                    liStartDelayTics.QuadPart = ((LONGLONG)(0)) - liStartDelayTics.QuadPart;

                    if ( STATUS_TIMEOUT != NtWaitForMultipleObjects ( 
                                                2, 
                                                &arrEventHandle[0], 
                                                WaitAny,
                                                FALSE, 
                                                &liStartDelayTics)) {
                        bRun = FALSE;
                        break;  // if we're not supposed to be running then bail out
                    }
                }
                //
                // Compute session sample count.
                // 0 samples signals no limit.
                // -1 samples signals exit immediately, because stop time is past.
                //
                ComputeSampleCount( pArg, TRUE, &llSessionSampleCount );

                if ( (LONGLONG)(-1) == llSessionSampleCount ) {
                    goto ProcessCounterRepeat;
                }

                //
                // Set session or cnf file size limit.
                //
                if ( SLQ_DISK_MAX_SIZE != pArg->dwMaxFileSize ) {
                    if (pArg->dwLogFileType == SLF_SQL_LOG) {
                        dwFileSizeLimit = pArg->dwMaxFileSize;
                    }
                    else {
                        dwFileSizeLimit = pArg->dwMaxFileSize * pArg->dwLogFileSizeUnit;    
                    }
                }
                else {
                    dwFileSizeLimit = 0;
                }

                //
                // 0 file size signals no limit.
                // Translate from DWORD to ULONGLONG instead of LONGLONG to preserve 
                // positive value, even if high bit of dword is used.
                //
                ullFileSizeLimit = ((ULONGLONG)(dwFileSizeLimit));

                ComputeSampleCount( pArg, FALSE, &llCnfSampleCount );
                if ( (LONGLONG)(-1) == llCnfSampleCount ) {
                    // Todo cnf:  Internal program error, report error and exit.
                    bRun = FALSE;
                    break;
                }

                if ( SLQ_AUTO_MODE_AFTER == pArg->stiCreateNewFile.dwAutoMode 
                    || SLQ_AUTO_MODE_SIZE == pArg->stiCreateNewFile.dwAutoMode ) {
                    iCnfSerial = 1;
                } else {
                    assert ( SLQ_AUTO_MODE_NONE == pArg->stiCreateNewFile.dwAutoMode );
                    iCnfSerial = 0;
                }

                dwSessionSerial = pArg->dwCurrentSerialNumber;

                BuildCurrentLogFileName (
                    pArg->szQueryName,
                    pArg->szBaseFileName,
                    pArg->szLogFileFolder,
                    pArg->szSqlLogName,
                    szCurrentLogFile,
                    &dwSessionSerial,
                    pArg->dwAutoNameFormat,
                    pArg->dwLogFileType,
                    iCnfSerial++ );

                //
                // Update log serial number if modified.
                //
                if (pArg->dwAutoNameFormat == SLF_NAME_NNNNNN) {
                
                    pArg->dwCurrentSerialNumber++;
                    // Todo:  Info event on number wrap.
                    if ( MAXIMUM_SERIAL_NUMBER < pArg->dwCurrentSerialNumber ) {
                        pArg->dwCurrentSerialNumber = MINIMUM_SERIAL_NUMBER;
                    }

                    dwStatus = RegSetValueEx (
                        pArg->hKeyQuery,
                        L"Log File Serial Number",
                        0L,
                        REG_DWORD,
                        (LPBYTE)&pArg->dwCurrentSerialNumber,
                        sizeof(DWORD));

                    assert ( ERROR_SUCCESS == dwStatus );
                }

                SetPdhOpenOptions ( pArg, &dwPdhAccessFlags, &dwPdhLogFileType );

                //
                // Create new file loop.
                //
                while ( bRun && (LONGLONG)(-1) != llSessionSampleCount ) {
                    assert ( (LONGLONG)(-1) != llCnfSampleCount );
                    //
                    // Compute cnf or session loop interval.
                    //
                    if ( (LONGLONG)(0) == llCnfSampleCount 
                            || ( (LONGLONG)(0) != llSessionSampleCount
                                    && llCnfSampleCount > llSessionSampleCount ) ) 
                    {   
                        //
                        // No need to create new file within session.
                        //
                        llLoopSampleCount = llSessionSampleCount;
                        //
                        // Specify exit after first loop if not cnf by size.
                        //
                        if ( SLQ_AUTO_MODE_SIZE != pArg->stiCreateNewFile.dwAutoMode ) {
                            llSessionSampleCount = (LONGLONG)(-1);
                        }
                    } else {
                        //
                        // Create new file by time before session ends.
                        //
                        llLoopSampleCount = llCnfSampleCount;
                        if ( (LONGLONG)(0) != llSessionSampleCount ) {
                            llSessionSampleCount -= llCnfSampleCount;
                            // todo cnf:  The following should be logically impossible,
                            // because session > newfile wait.
                            if ( llSessionSampleCount <= (LONGLONG)(0) ) {
                                llSessionSampleCount = (LONGLONG)(-1);
                            }
                        }
                    }

                    __try {
                        //
                        // Open log file using this query.
                        // For text files, max size is checked after each data collection
                        //
                        pdhStatus = PdhOpenLog (
                            szCurrentLogFile,
                            dwPdhAccessFlags,
                            &dwPdhLogFileType,
                            pArg->hQuery,
                            (   SLF_BIN_CIRC_FILE == pArg->dwLogFileType
                             || SLF_BIN_FILE == pArg->dwLogFileType
                             || SLF_SQL_LOG == pArg->dwLogFileType )
                                    ? dwFileSizeLimit
                                    : 0,                                  
                            ( ( PDH_LOG_TYPE_BINARY != dwPdhLogFileType ) ? pArg->szLogFileComment : NULL ),
                            &pArg->hLog);
                    } __except (EXCEPTION_EXECUTE_HANDLER) {
                        pdhStatus = PDH_INVALID_ARGUMENT;
                    }

                    if ( ERROR_SUCCESS != pdhStatus ) { 
                        //
                        // Unable to open log file.
                        //
                        dwStatus = GetLastError();
                        szStringArray[0] = szCurrentLogFile;
                        szStringArray[1] = pArg->szQueryName;
                        szStringArray[2] = FormatEventLogMessage(dwStatus);

                        ReportEvent (hEventLog,
                            EVENTLOG_WARNING_TYPE,
                            0,
                            SMLOG_UNABLE_OPEN_LOG_FILE,
                            NULL,
                            3,
                            sizeof(DWORD),
                            szStringArray,
                            (LPVOID)&dwStatus);

                        LocalFree( szStringArray[2] );

                        bRun = FALSE; // exit now
                        break;
                    } else {

                        RegisterCurrentFile( pArg->hKeyQuery, szCurrentLogFile, 0 );

                        pArg->dwCurrentState = SLQ_QUERY_RUNNING;
                        dwStatus = WriteRegistryDwordValue (
                                    pArg->hKeyQuery, 
                                    (LPCWSTR)L"Current State",
                                    &pArg->dwCurrentState,
                                    REG_DWORD );
                        assert (dwStatus == ERROR_SUCCESS);
                
                        szStringArray[0] = pArg->szQueryName;
                        szStringArray[1] = szCurrentLogFile;
                        ReportEvent (hEventLog,
                            EVENTLOG_INFORMATION_TYPE,
                            0,
                            SMLOG_LOGGING_QUERY,
                            NULL,
                            2,
                            0,
                            szStringArray,
                            NULL);
                    } 

                    //
                    // Start sampling immediately. liSampleDelayTics is initialized to 0.
                    //
                    while ( STATUS_TIMEOUT == NtWaitForMultipleObjects ( 
                                                2, 
                                                &arrEventHandle[0], 
                                                WaitAny,
                                                FALSE, 
                                                &liSampleDelayTics)) {
                        //    
                        // An event flag will be set when the sampling should exit or reconfigure. if
                        // the wait times out, then that means it's time to collect and
                        // log another sample of data.
                        //
            
                        GetLocalFileTime (&llStartTime);
                        //
                        // Check for reconfig event.
                        if ( pArg->bLoadNewConfig ) {
                            bRun = FALSE;
                            break;
                        }

                        pdhStatus = PdhUpdateLog (pArg->hLog, pArg->szLogFileComment );

                        if ( IsPdhDataCollectSuccess ( pdhStatus ) 
                            || IsWarningSeverity ( pdhStatus ) ) {
                            //
                            // See if it's time to restart or end the log.
                            // 0 samples signals no sample limit.
                            //
                            if ( ((LONGLONG)0) != llLoopSampleCount ) {
                                if ( !--llLoopSampleCount ) 
                                    break;
                            }

                            if ( ( ((ULONGLONG)0) != ullFileSizeLimit ) 
                                && ( SLF_BIN_CIRC_FILE != pArg->dwLogFileType ) ) {
                                //
                                // See if the file is too big.
                                //
                                pdhStatus = PdhGetLogFileSize (pArg->hLog, &llFileSize);
                                if (pdhStatus == ERROR_SUCCESS) {
                                    if (ullFileSizeLimit <= (ULONGLONG)llFileSize) 
                                        break;
                                }
                            }
            
                        
                        } else {
                            //
                            // Unable to update the log.
                            //
                            szStringArray[0] = pArg->szQueryName;
                            szStringArray[1] = FormatEventLogMessage(pdhStatus);
                            ReportEvent (hEventLog,
                                EVENTLOG_WARNING_TYPE,
                                0,
                                SMLOG_UNABLE_UPDATE_LOG,
                                NULL,
                                2,
                                sizeof(DWORD),
                                szStringArray,
                                (LPVOID)&pdhStatus);

                            LocalFree( szStringArray[1] );

                            bRun = FALSE;
                            break;
                        }

                        //
                        // Compute new timeout value.
                        //
                        GetLocalFileTime (&llFinishTime);
                        //
                        // Compute difference in tics
                        //
                        llSampleCollectionTics = llFinishTime - llStartTime;

                        llSampleIntervalTics = 
                            (LONGLONG)pArg->dwMillisecondSampleInterval*FILETIME_TICS_PER_MILLISECOND;

                        if ( llSampleCollectionTics < llSampleIntervalTics ) {
                            liSampleDelayTics.QuadPart = llSampleIntervalTics - llSampleCollectionTics;
                        } else {
                            liSampleDelayTics.QuadPart = ((LONGLONG)(0));                       
                        }
                        //
                        // NtWaitForMultipleObjects requires negative Tic value.
                        //
                        liSampleDelayTics.QuadPart = ((LONGLONG)(0)) - liSampleDelayTics.QuadPart;
                    } // end while wait keeps timing out
                
                    //
                    // Use 0 SampleDelayTics value to check for ExitEvent.
                    //
                    liSampleDelayTics.QuadPart = ((LONGLONG)(0));

                    if ( pArg->bLoadNewConfig ) {
                        bRun = FALSE;
                    } else if ( STATUS_TIMEOUT != NtWaitForSingleObject (
                                                    pArg->hExitEvent, 
                                                    FALSE, 
                                                    &liSampleDelayTics ) ) {
                        //
                        // The loop was terminated by the Exit event
                        // so clear the "run" flag to exit the loop & thread.
                        //
                        bRun = FALSE;
                    }
                    //
                    // Close log file, but keep query open.
                    //
                    PdhCloseLog (pArg->hLog, 0);
                    pArg->hLog = NULL;
                
                    if ( pArg->bLoadNewConfig )
                        break;

                    if ( pArg->szCmdFileName != NULL )
                        DoLogCommandFile (pArg, szCurrentLogFile, bRun);
            
                    if ( (LONGLONG)(-1) != llSessionSampleCount ) {
                        //
                        // Create new log name
                        //
                        BuildCurrentLogFileName (
                            pArg->szQueryName,
                            pArg->szBaseFileName,
                            pArg->szLogFileFolder,
                            pArg->szSqlLogName,
                            szCurrentLogFile,
                            &dwSessionSerial,
                            pArg->dwAutoNameFormat,
                            pArg->dwLogFileType,
                            iCnfSerial++ );

                        // Todo cnf:  report event on error;
                    }

                } // End of log file creation while loop

                // cnf Todo:  Handle break from sample loop. ?

                //
                // Exit if restart not enabled.
                //
ProcessCounterRepeat:
                if ( bRun ) {
                    bRun = ProcessRepeatOption ( pArg, &liStartDelayTics );
                }

            } // end while (bRun)

            PdhCloseQuery (pArg->hQuery);
            pArg->hQuery = NULL;
        }
        SetLastError ( ERROR_SUCCESS );

    } __except ( EXCEPTION_EXECUTE_HANDLER ) {

        bRun = FALSE;
        
        if ( NULL != pszCounterBuf ) {
            G_FREE(pszCounterBuf);
            pszCounterBuf = NULL;
        }

        if ( NULL != pArg->hLog ) {
            PdhCloseLog ( pArg->hLog, 0 );
            pArg->hLog = NULL;
        }

        if ( NULL != pArg->hQuery ) {
            PdhCloseQuery ( pArg->hQuery );
            pArg->hQuery = NULL;
        }

        SetLastError ( SMLOG_THREAD_FAILED );        
    }

    DeallocateQueryBuffers ( pArg );

    while ( NULL != pArg->pFirstCounter ) {
        pDelCI = pArg->pFirstCounter;
        pArg->pFirstCounter = pDelCI->next;
        G_FREE( pDelCI );
    }

    return bRun;
}

BOOL
TraceLogProc (
    IN    PLOG_QUERY_DATA pArg
)
{
    LARGE_INTEGER   liStartDelayTics;
    LARGE_INTEGER   liWaitTics;
    LONGLONG        llSessionWaitTics = 0;
    LONGLONG        llNewFileWaitTics = INFINITE_TICS;
    DWORD           dwStatus = ERROR_SUCCESS;
    BOOL            bRun = FALSE;
    BOOL            bStarted = FALSE;
    LPWSTR          szStringArray[4];
    INT             iCnfSerial = 0;
    ULONG           ulIndex;
    int             iEnableCount = 0;
    DWORD           dwSessionSerial;
    HANDLE          arrEventHandle[2];

    __try {

        liStartDelayTics.QuadPart = NULL_INTERVAL_TICS;
        liWaitTics.QuadPart = ((LONGLONG)(0));
        
        //
        // Read registry values.
        //
        if ( ERROR_SUCCESS == LoadQueryConfig ( pArg ) ) {
            bRun = TRUE;
        }
     
        if ( TRUE == bRun ) {
            //
            // Delay of -1 signals exit immediately.
            //
            liStartDelayTics.QuadPart = ComputeStartWaitTics ( pArg, TRUE );

            if ( NULL_INTERVAL_TICS == liStartDelayTics.QuadPart ) {
                bRun = FALSE;
            }
        }

        if ( TRUE == bRun ) {
            //
            // Stop the query if new log file folder is not valid.
            //
            bRun = ( ERROR_SUCCESS == ProcessLogFileFolder( pArg ) );
        }

        if ( bRun ) {

            ValidateCommandFilePath ( pArg );
            //
            // Raise priority to ensure that data is logged.
            //
            SetThreadPriority (GetCurrentThread(), THREAD_PRIORITY_TIME_CRITICAL);
        }


        pArg->bCallCloseTraceLogger = TRUE;
        pArg->bExitOnTermination = TRUE;
        while (bRun) {
            arrEventHandle[0] = pArg->hExitEvent;           // WAIT_OBJECT_0
            arrEventHandle[1] = pArg->hReconfigEvent;

            if ( 0 < liStartDelayTics.QuadPart ) {
                //
                // NtWaitForMultipleObjects requires negative Tic value.
                //
                liStartDelayTics.QuadPart = ((LONGLONG)(0)) - liStartDelayTics.QuadPart;
                //
                // Wait until specified start time, or until exit or reconfig event.
                //
                if ( STATUS_TIMEOUT != NtWaitForMultipleObjects ( 
                                            2, 
                                            &arrEventHandle[0],
                                            WaitAny,
                                            FALSE, 
                                            &liStartDelayTics)) {
                    //
                    // The loop was terminated by the Exit event
                    // so clear the "run" flag to exit the loop & thread.
                    //
                    bRun = FALSE;   
                    break;
                }
            }

            ComputeSessionTics( pArg, &llSessionWaitTics );
            //
            // 0 signals no session time, so exit.
            //
            if ( ((LONGLONG)(0)) == llSessionWaitTics ) {
                goto ProcessTraceRepeat;
            }

            //
            // llNewFileWaitTics defaults to -1 if no time limit.
            //
            ComputeNewFileTics( pArg, &llNewFileWaitTics );
            
            //
            // InitTraceProperties creates the current file name.
            //
            dwSessionSerial = pArg->dwCurrentSerialNumber;

            InitTraceProperties ( pArg, TRUE, &dwSessionSerial, &iCnfSerial );

            dwStatus = GetTraceQueryStatus ( pArg, NULL );

            //
            // If trace session with this name already started and successful,
            // don't create another session.
            //
        
            if ( ERROR_SUCCESS != dwStatus ) {

                dwStatus = StartTrace(
                            &pArg->LoggerHandle, 
                            pArg->szLoggerName, 
                            &pArg->Properties );
                if (dwStatus == ERROR_SUCCESS) {
                    bStarted = TRUE;
                }
                pArg->bExitOnTermination = TRUE;

                if ( ( ERROR_SUCCESS == dwStatus ) 
                     && !( pArg->Properties.EnableFlags & EVENT_TRACE_FLAG_PROCESS
                            || pArg->Properties.EnableFlags & EVENT_TRACE_FLAG_THREAD
                            || pArg->Properties.EnableFlags & EVENT_TRACE_FLAG_DISK_IO
                            || pArg->Properties.EnableFlags & EVENT_TRACE_FLAG_NETWORK_TCPIP ) ) {
            
                    for ( ulIndex = 0; ulIndex < pArg->ulGuidCount; ulIndex++ ) {
                        //
                        // Enable user mode and special kernel tracing.
                        //
                        dwStatus = EnableTrace (
                                    TRUE,
                                    pArg->arrpGuid[ulIndex].dwFlag,
                                    pArg->arrpGuid[ulIndex].dwLevel,
                                    &pArg->arrpGuid[ulIndex].Guid, 
                                    pArg->LoggerHandle);
                        if ( ERROR_SUCCESS == dwStatus ) {
                            iEnableCount++;
                        } else {
                            szStringArray[0] = pArg->arrpGuid[ulIndex].pszProviderName;
                            szStringArray[1] = pArg->szQueryName;
                    
                            ReportEvent (hEventLog,
                                EVENTLOG_WARNING_TYPE,
                                0,
                                SMLOG_UNABLE_ENABLE_TRACE_PROV,
                                NULL,
                                2,
                                sizeof(DWORD),
                                szStringArray,      
                                (LPVOID)&dwStatus);
                        }
                    }
            
                    if ( 0 < iEnableCount ) {
                        dwStatus = ERROR_SUCCESS;
                    } else {
                        szStringArray[0] = pArg->szQueryName;
                        ReportEvent (hEventLog,
                            EVENTLOG_WARNING_TYPE,
                            0,
                            SMLOG_TRACE_NO_PROVIDERS,
                            NULL,
                            1,
                            0,
                            szStringArray,      
                            NULL);
                        bRun = FALSE;
                    }
                }
            
                if ( bRun && ERROR_SUCCESS == dwStatus ) {

                    pArg->dwCurrentState = SLQ_QUERY_RUNNING;
                    dwStatus = WriteRegistryDwordValue (
                                pArg->hKeyQuery, 
                                (LPCWSTR)L"Current State",
                                &pArg->dwCurrentState,
                                REG_DWORD );
                    

                    szStringArray[0] = pArg->szQueryName;
                    szStringArray[1] = pArg->szLogFileName;
                    ReportEvent (hEventLog,
                        EVENTLOG_INFORMATION_TYPE,
                        0,
                        SMLOG_LOGGING_QUERY,
                        NULL,
                        2,
                        0,
                        szStringArray,
                        NULL);
                } else {
                    //
                    // StartTraceFailed 
                    // dwStatus should be ERROR_ALREADY_EXISTS if logger already started or anything else.
                    //
                    if ( ERROR_ALREADY_EXISTS == dwStatus ) {
                        szStringArray[0] = pArg->szQueryName;
                        ReportEvent (hEventLog,
                            EVENTLOG_WARNING_TYPE,
                            0,
                            SMLOG_TRACE_ALREADY_RUNNING,
                            NULL,
                            1,
                            0,
                            szStringArray,      
                            NULL);
                    } else {
                        szStringArray[0] = pArg->szQueryName;
                        ReportEvent (hEventLog,
                            EVENTLOG_WARNING_TYPE,
                            0,
                            SMLOG_UNABLE_START_TRACE,
                            NULL,
                            1,
                            sizeof(DWORD),
                            szStringArray,      
                            (LPVOID)&dwStatus );
                    }
            
                    bRun = FALSE;
                }
            } else {
                //
                // This means that QueryTrace returned Error Success.
                // The specified logger is already running. 
                //
                szStringArray[0] = pArg->szQueryName;
            
                ReportEvent (hEventLog,
                    EVENTLOG_WARNING_TYPE,
                    0,
                    SMLOG_TRACE_ALREADY_RUNNING,
                    NULL,
                    1,
                    0,
                    szStringArray,      
                    NULL);

                bRun = FALSE;
            }

            if ( TRUE == bRun ) {
                //    
                // Trace logger is now running.
                //
                // Exit when:  
                //  Wait times out,
                //  Exit event signaled, or
                //  Reconfig event signaled.                
                //
                // -1 wait time signals no limit.
                //
                // Loop wait intervals, calculating interval before each wait.
                //
                while ( ((LONGLONG)(0)) != llSessionWaitTics ) {

                    //
                    // Calculate wait interval.
                    //
                    if ( INFINITE_TICS == llNewFileWaitTics 
                            || ( INFINITE_TICS != llSessionWaitTics
                                    && llNewFileWaitTics > llSessionWaitTics ) ) {
                        //
                        // No need to create new file within session.
                        //
                        if ( INFINITE_TICS == llSessionWaitTics ) {
                            liWaitTics.QuadPart = llSessionWaitTics;
                            //
                            // Exit after first loop.
                            //
                            llSessionWaitTics = 0;
                        } else {
                            liWaitTics.QuadPart = llSessionWaitTics;
                            //
                            // Exit after first loop
                            //
                            llSessionWaitTics = 0;
                        }
                    } else {
                        //
                        // Create new file before session ends.
                        //
                        liWaitTics.QuadPart = llNewFileWaitTics;

                        if ( INFINITE_TICS != llSessionWaitTics ) {
                            llSessionWaitTics -= llNewFileWaitTics;
                            
                            // todo cnf:  The following should be logically impossible,
                            // because session > newfile wait.
                            if ( 0 > llSessionWaitTics ) {
                                llSessionWaitTics = 0;
                            }
                        }
                    }
                    //
                    // NtWaitForMultipleObjects requires negative Tic value.
                    //
                    if ( INFINITE_TICS != liWaitTics.QuadPart ) {
                        liWaitTics.QuadPart = ((LONGLONG)(0)) - liWaitTics.QuadPart;
                    }
            
                    if ( STATUS_TIMEOUT != NtWaitForMultipleObjects ( 
                                            2, 
                                            arrEventHandle,
                                            WaitAny,
                                            FALSE, 
                                            ( INFINITE_TICS != liWaitTics.QuadPart ) ? &liWaitTics : NULL )) 
                    {
                        bRun = FALSE;
                        break;
                    } else {
                        //
                        // If cnf by time, llNewFileWaitTics will not be infinite.
                        //
                        if ( INFINITE_TICS != llNewFileWaitTics 
                            && ((LONGLONG)(0)) != llSessionWaitTics ) {
                            //
                            // Time to create a new file. Don't update the autoformat
                            // serial number.  Use the initial autoformat serial number
                            //
                            InitTraceProperties ( pArg, FALSE, &dwSessionSerial, &iCnfSerial );
                            dwStatus = UpdateTrace(
                                        pArg->LoggerHandle, 
                                        pArg->szLoggerName, 
                                        &pArg->Properties );
                            // Todo cnf report event on bad status.
                        }
                    }
                }
            }

            if (bStarted == TRUE) {
                if (bRun) {
                    pArg->bExitOnTermination = FALSE;
                }
                    
                if (pArg->bCallCloseTraceLogger) {
                    //
                    // Stop the query.
                    //
                    CloseTraceLogger ( pArg );
                }
                else {
                    pArg->bCallCloseTraceLogger = TRUE;
                }
            }
                
            if ( pArg->bLoadNewConfig )
                break;

            if ( pArg->szCmdFileName != NULL )
                DoLogCommandFile (pArg, pArg->szLogFileName, bRun);

            //
            // If restart not enabled, then exit.
            //
ProcessTraceRepeat:
            if ( bRun ) {
                bRun = ProcessRepeatOption ( pArg, &liStartDelayTics );
            }

        } // end while (bRun)

        SetLastError ( ERROR_SUCCESS );
   
    } __except ( EXCEPTION_EXECUTE_HANDLER ) {

        CloseTraceLogger ( pArg );
        bRun = FALSE;
        SetLastError ( SMLOG_THREAD_FAILED );
    }

    return bRun;
}


DWORD
LoggingThreadProc (
    IN    LPVOID    lpThreadArg
)
{
    PLOG_QUERY_DATA     pThreadData = (PLOG_QUERY_DATA)lpThreadArg;
    DWORD               dwStatus = ERROR_SUCCESS;
    HRESULT             hr = NOERROR;
    BOOL                bContinue = TRUE;
    LPWSTR              szStringArray[2];

    if (pThreadData != NULL) {

        __try {

            hr = PdhiPlaRunAs( pThreadData->szQueryName, NULL, &pThreadData->hUserToken );

            if( ERROR_SUCCESS != hr ){
                szStringArray[0] = pThreadData->szQueryName;
                ReportEvent (hEventLog,
                        EVENTLOG_WARNING_TYPE,
                        0,
                        SMLOG_INVALID_CREDENTIALS,
                        NULL,
                        1,
                        sizeof(HRESULT),
                        szStringArray,
                        (LPVOID)&hr
                    );

                return hr;
            }

            do {
                if (pThreadData->dwLogType == SLQ_ALERT) {
                    bContinue = AlertProc (pThreadData);
                } else if (pThreadData->dwLogType == SLQ_COUNTER_LOG) {
                    bContinue = CounterLogProc (pThreadData);
                } else if (pThreadData->dwLogType == SLQ_TRACE_LOG) {
                    bContinue = TraceLogProc (pThreadData);
                } else {
                    //
                    // Incorrect log type for this function.
                    //
                    assert (FALSE); 
                }
                //
                // Determine if this thread was paused for reloading
                // or stopped to terminate
                //
                if (pThreadData->bLoadNewConfig) {
                    //
                    // Reset the reconfig flag and event.
                    //
                    bContinue = TRUE;
                    pThreadData->bLoadNewConfig = FALSE;
					ResetEvent ( pThreadData->hReconfigEvent );
                } // else  bContinue is always returned as FALSE
                  // so that will terminate this loop
            } while (bContinue);
            
            dwStatus = GetLastError();

        } __except ( EXCEPTION_EXECUTE_HANDLER ) {
            dwStatus = SMLOG_THREAD_FAILED;
        }

    } else {
        //
        // Unable to find data block so return.
        //
        dwStatus = ERROR_INVALID_PARAMETER;
    }

    if ( ERROR_SUCCESS != dwStatus ) {       
        szStringArray[0] = pThreadData->szQueryName;
        ReportEvent (
            hEventLog,
            EVENTLOG_WARNING_TYPE,
            0,
            dwStatus,
            NULL,
            1,
            0,
            szStringArray,
            NULL
        );
    }
        
    return dwStatus;
}