
/*++
Copyright (C) 1998-1999 Microsoft Corporation
Module Name:
smlogsvc.h
Abstract:
Header file for the Performance Logs and Alerts service
--*/
#ifndef _SMLOGSVC_H_
#define _SMLOGSVC_H_
#include <pdh.h>
#include "common.h"
#if !(_IMPLEMENT_WMI)
// Builds without WMI/ETW support collapse the trace types to opaque stand-ins.
// An undefined _IMPLEMENT_WMI evaluates to 0 in #if, so this branch is the
// default. With EVENT_TRACE_PROPERTIES reduced to LPVOID the "Must follow
// Properties" layout contract in LOG_QUERY_DATA no longer carries any
// size/offset information.
#define TRACEHANDLE HANDLE
#define EVENT_TRACE_PROPERTIES LPVOID
#endif
// String-table resource ids (presumably loaded from hModule — confirm in smlogsvc.c).
#define IDS_UNDER 101
#define IDS_OVER 102
#define IDS_ALERT_MSG_FMT 103
#define IDS_ALERT_TIMESTAMP_FMT 104
#define IDS_CNF_SERIAL_NUMBER_FMT 105
#define IDS_ERR_COUNTER_NOT_VALIDATED 150
// Start or sample delay of NULL_INTERVAL = ULONG_MAX = INFINITE signals to stop immediately.
// The largest single wait time is thus ULONG_MAX -1.
#define NULL_INTERVAL ((DWORD)(INFINITE)) // == ULONG_MAX == 0xFFFFFFFF
// NULL_INTERVAL_TICS and INFINITE_TICS are the same bit pattern (-1): a
// LONGLONG tick value alone cannot distinguish "no interval" from "wait
// forever", so code that needs that distinction must carry it separately.
#define NULL_INTERVAL_TICS ((LONGLONG)(-1)) // == 0xFFFFFFFF'FFFFFFFF
#define INFINITE_TICS ((LONGLONG)(-1)) // == 0xFFFFFFFF'FFFFFFFF
// Maximum serial number is 999999 for Windows XP
// Inclusive bounds for the serial number used in auto-generated log file
// names (0x000F423F == 999999); presumably also the range of
// LOG_QUERY_DATA.dwCurrentSerialNumber — confirm where it is validated.
#define MINIMUM_SERIAL_NUMBER ((DWORD)(0x00000000))
#define MAXIMUM_SERIAL_NUMBER ((DWORD)(0x000F423F))
// definitions of dwAutoNameFormat (not given in this header)
// Singly linked list node: one PDH counter handle belonging to a counter-log
// query. LOG_QUERY_DATA.pFirstCounter points at the head. Presumably
// NULL-terminated; allocation and release live in the .c files, not here.
typedef struct _LOG_COUNTER_INFO {
    struct _LOG_COUNTER_INFO *next;   // next node (NULL at the end, presumably)
    HCOUNTER hCounter;                // PDH counter handle (see <pdh.h>)
} LOG_COUNTER_INFO, * PLOG_COUNTER_INFO;
// Singly linked list node for an alert query: a PDH counter plus the alert
// settings attached to it. Only the link and HCOUNTER are shared with
// LOG_COUNTER_INFO; the two node types are not interchangeable.
typedef struct _ALERT_COUNTER_INFO {
    struct _ALERT_COUNTER_INFO *next;   // next node (NULL at the end, presumably)
    HCOUNTER hCounter;                  // PDH counter handle
    PALERT_INFO_BLOCK pAlertInfo;       // alert definition for this counter; type declared outside this header
} ALERT_COUNTER_INFO, * PALERT_COUNTER_INFO;
// One trace provider enabled in a trace query. LOG_QUERY_DATA.arrpGuid is an
// array of these, presumably ulGuidCount entries built from the
// mszProvider* multi-strings — confirm in the trace code.
typedef struct _TRACE_PROVIDER {
    GUID Guid;                 // provider GUID
    DWORD dwFlag;              // enable flags (meaning not visible here)
    DWORD dwLevel;             // enable level (meaning not visible here)
    LPWSTR pszProviderName;    // display name; who frees it is not stated in this header
} TRACE_PROVIDER, *PTRACE_PROVIDER;
#pragma warning( push )
#pragma warning( disable : 4201 ) // Nameless union
// Per-query state for the Performance Logs and Alerts service: one record per
// configured counter log, trace log or alert query, chained through `next`,
// each with its own logging thread (hThread).
//
// Ownership (from the field comments below): the main thread writes the first
// group and the logging thread reads it; the remainder belongs to the logging
// thread, with hExitEvent/hReconfigEvent as the cross-thread signals. No lock
// is declared in this header for the shared fields; whether one is needed
// depends on the access pattern in smlogsvc.c / logthred.c.
//
// dwLogType selects which arm of the anonymous union is live. Reading the
// other arm is type confusion, so every access to a union member should be
// guarded by a dwLogType check.
typedef struct _LOG_QUERY_DATA {
    struct _LOG_QUERY_DATA *next;
    // These fields are written by the main thread
    // and read by the logging thread
    HANDLE hThread;             // this query's logging thread (LoggingThreadProc)
    HKEY hKeyQuery;             // registry key holding this query's configuration
    HANDLE hExitEvent;          // signalled to stop the logging thread
    HANDLE hReconfigEvent;      // signalled to make the thread reload its configuration
    LONGLONG llLastConfigured;  // presumably a 64-bit file-time of the last (re)configuration — confirm
    // For queries, these fields are written
    // and read by the logging thread
    SLQ_TIME_INFO stiRegStart;        // schedule as read from the registry ...
    SLQ_TIME_INFO stiRegStop;
    SLQ_TIME_INFO stiCreateNewFile;
    SLQ_TIME_INFO stiRepeat;
    SLQ_TIME_INFO stiCurrentStart;    // ... and the currently effective start/stop
    SLQ_TIME_INFO stiCurrentStop;
    LPWSTR szBaseFileName;      // heap strings, presumably from ReadRegistryStringValue and
    LPWSTR szLogFileFolder;     // released by DeallocateQueryBuffers — confirm
    LPWSTR szSqlLogName;
    LPWSTR szLogFileComment;
    LPWSTR szCmdFileName;       // command file, presumably run by DoLogCommandFile. If it is
                                // read from hKeyQuery, the ACL on that key is what decides
                                // which command the service will run — confirm.
    HANDLE hUserToken;          // user token; presumably used to act as that user rather than
                                // as the service (e.g. for the command file) — confirm
    DWORD dwLogType; // Determines union type below
    DWORD dwCurrentState;
    DWORD dwLogFileType;
    DWORD dwAppendMode;
    DWORD dwCmdFileFailure;
    DWORD dwAutoNameFormat;
    DWORD dwCurrentSerialNumber;   // presumably kept within MINIMUM_/MAXIMUM_SERIAL_NUMBER — confirm
    DWORD dwMaxFileSize;
    DWORD dwLogFileSizeUnit;       // unit of dwMaxFileSize (values not visible here)
    WCHAR szQueryName[MAX_PATH+1];     // fixed-size: writers must bound at MAX_PATH characters + NUL
    WCHAR szQueryKeyName[MAX_PATH+1];  // filled by GetQueryKeyName(), which takes the length explicitly
    BOOL bLoadNewConfig;
    BOOL bReconfiguration;
    union {
        struct {
            // For trace queries
            // these fields are written and read by the logging thread,
            // or by the main thread when creating a temporary query
            // for comparison.
            // Todo: Still true?
            TRACEHANDLE LoggerHandle;         // trace session handle; a plain HANDLE when !_IMPLEMENT_WMI
            LPWSTR mszProviderList;           // "msz" prefix: presumably double-NUL-terminated multi-strings,
            LPWSTR mszProviderFlags;          // one entry per provider, kept in step with each other — confirm
            LPWSTR mszProviderLevels;
            PTRACE_PROVIDER arrpGuid;         // provider array; presumably ulGuidCount entries
            HANDLE hNewFileEvent;
            // The next three fields form one contiguous block. Presumably the real
            // EVENT_TRACE_PROPERTIES locates the logger and log-file names by byte
            // offset after the structure, which is why the order is fixed: do not
            // reorder or insert fields between them. When EVENT_TRACE_PROPERTIES is
            // the LPVOID stand-in (top of this file) that layout contract does not hold.
            EVENT_TRACE_PROPERTIES Properties;
            WCHAR szLoggerName[MAX_PATH+1]; // Must follow Properties
            WCHAR szLogFileName[MAX_PATH+1]; // Must follow szLoggerName
            ULONG ulGuidCount;                // number of entries in arrpGuid (presumably)
            DWORD dwBufferSize;
            DWORD dwBufferMinCount;
            DWORD dwBufferMaxCount;
            DWORD dwBufferFlushInterval;
            DWORD dwFlags;
            BOOL bExitOnTermination;
            BOOL bCallCloseTraceLogger;       // presumably whether CloseTraceLogger() must run on teardown — confirm
        };
        struct {
            // For counter and alert queries
            // these fields are written and read by the logging thread,
            // or by the main thread when creating a temporary query
            // for comparison.
            LPWSTR mszCounterList;            // multi-string of counter paths (presumably)
            PLOG_COUNTER_INFO pFirstCounter;  // head of the LOG_COUNTER_INFO list
            LPWSTR szNetName;                 // alert message target (presumably; see dwNetMsgFailureReported)
            LPWSTR szPerfLogName;
            LPWSTR szUserText;
            HANDLE hQuery;                    // PDH query handle held as a HANDLE (presumably)
            HANDLE hLog; // counter logs only
            DWORD dwRealTimeQuery;
            DWORD dwAlertActionFlags; // for alert queries
            DWORD dwMillisecondSampleInterval;
            DWORD dwNetMsgFailureReported;     // presumably "already reported" flags so a repeating
            DWORD dwAlertLogFailureReported;   // failure is logged once, not every sample — confirm
        };
    };
} LOG_QUERY_DATA, FAR* PLOG_QUERY_DATA;
#pragma warning( pop )
// global variables (declared here; defined in one of the .c files, presumably smlogsvc.c)
extern HANDLE hEventLog;                        // event-log source handle for service reporting (presumably)
extern HINSTANCE hModule;                       // this module; source of the IDS_* string resources (presumably)
extern SERVICE_STATUS_HANDLE hPerfLogStatus;    // status handle registered with the SCM
extern SERVICE_STATUS ssPerfLogStatus;          // status record reported to the SCM
extern DWORD* arrPdhDataCollectSuccess;         // array of iPdhDataCollectSuccessCount entries —
extern INT iPdhDataCollectSuccessCount;         // keep the two in step when indexing
extern WCHAR gszDefaultLogFileFolder[];         // capacity is not visible in this header
// smlogsvc.c
// Service control callback: dwControl is the SERVICE_CONTROL_* code sent by
// the SCM (presumably registered via RegisterServiceCtrlHandler — confirm).
void SysmonLogServiceControlHandler(
    IN DWORD dwControl );
// ServiceMain-style entry point; argc/argv are the service start arguments.
void
SysmonLogServiceStart (
    IN DWORD argc,
    IN LPWSTR *argv );
// Process entry point.
int
__cdecl main(int argc, char *argv[]);
// Common functions
// Current local time as a 64-bit value in *pFileTime (presumably FILETIME
// units — confirm). Returns FALSE on failure (presumably).
BOOL
GetLocalFileTime (
    LONGLONG *pFileTime );
// Julian day number for *pST; presumably used for date arithmetic in the
// file-naming / scheduling code — confirm.
long
JulianDateFromSystemTime(
    SYSTEMTIME *pST );
// Registry readers. Each takes the query name only for error-log messages and
// returns a Win32 error code (DWORD). On a missing/invalid value the caller
// presumably receives the supplied default — confirm against the implementation.
DWORD
ReadRegistrySlqTime (
    HKEY hKey,
    LPCWSTR szQueryName, // For error logging
    LPCWSTR szValueName,
    PSLQ_TIME_INFO pSlqDefault,
    PSLQ_TIME_INFO pSlqValue );  // out
DWORD
ReadRegistryDwordValue (
    HKEY hKey,
    LPCWSTR szQueryName, // For error logging
    LPCWSTR szValueName,
    PDWORD pdwDefault,
    LPDWORD pdwValue );  // out
// Returns the string through *pszBuffer and its length through *pdwLength.
// Ownership of *pszBuffer (who allocates, who frees, whether a caller buffer
// is reused) is not stated in this header — confirm before freeing.
// NOTE(review): REG_SZ data returned by RegQueryValueEx is not guaranteed to
// be NUL-terminated; the implementation should terminate what it hands back.
DWORD
ReadRegistryStringValue (
    HKEY hKey,
    LPCWSTR szQueryName, // For error logging
    LPCWSTR szValue,     // value name (called szValueName in the sibling prototypes)
    LPCWSTR szDefault,
    LPWSTR *pszBuffer,
    LPDWORD pdwLength ); // characters or bytes is not stated here
// "Indirect" variant: presumably resolves a resource-reference string into
// its localized text — confirm. Same ownership caveat as above; note the
// length is a UINT* here rather than LPDWORD.
DWORD
ReadRegistryIndirectStringValue (
    HKEY hKey,
    LPCWSTR szQueryName, // For error logging
    LPCWSTR szValueName,
    LPCWSTR szDefault,
    LPWSTR* pszBuffer,
    UINT* puiLength );
// dwType selects the stored type; with REG_BINARY presumably sizeof(DWORD)
// bytes of *pdwValue are written — confirm.
DWORD
WriteRegistryDwordValue (
    HKEY hKey,
    LPCWSTR szValueName,
    LPDWORD pdwValue,
    DWORD dwType); // Also supports REG_BINARY
// *** Optional in C++
DWORD
WriteRegistrySlqTime (
    HKEY hKey,
    LPCWSTR szValueName,
    PSLQ_TIME_INFO pSlqTime );
// Presumably the number of tics until pArg's next start (compare
// NULL_INTERVAL_TICS / INFINITE_TICS above); with bWriteToRegistry the result
// is also persisted — confirm.
LONGLONG
ComputeStartWaitTics (
    IN PLOG_QUERY_DATA pArg,
    IN BOOL bWriteToRegistry );
// Populates pArg from its registry key (pArg->hKeyQuery, presumably).
// Returns a Win32 error code.
DWORD
LoadQueryConfig (
    IN PLOG_QUERY_DATA pArg );
// Records the current log file name under the query key. Returns HRESULT,
// unlike the DWORD-returning helpers around it; strFileName is not const.
HRESULT
RegisterCurrentFile(
    HKEY hkeyQuery,
    LPWSTR strFileName,
    DWORD dwSubIndex );
// Builds the next log file name into szOutFileBuffer.
// NOTE(review): szOutFileBuffer has no size parameter (and is annotated IN
// although it is written), unlike GetQueryKeyName below which takes
// dwQueryKeyNameLen. The capacity the callee assumes must be documented and
// every caller must supply at least that — MAX_PATH+1 WCHARs is the size used
// elsewhere in this header; confirm against the implementation.
// *lpdwSerialNumber is presumably advanced within MINIMUM_/MAXIMUM_SERIAL_NUMBER,
// and iCnfSerial is presumably the serial formatted with IDS_CNF_SERIAL_NUMBER_FMT.
DWORD
BuildCurrentLogFileName (
    IN LPCWSTR szQueryName,
    IN LPCWSTR szBaseFileName,
    IN LPCWSTR szDefaultDir,
    IN LPCWSTR szSqlLogName,
    IN LPWSTR szOutFileBuffer,
    IN LPDWORD lpdwSerialNumber,
    IN DWORD dwAutoNameFormat,
    IN DWORD dwLogFileType,
    IN INT iCnfSerial );
// TRUE if szFileName exists. A check-then-use window is inherent in any such
// test, so callers should not base security-relevant decisions on the answer.
BOOL
FileExists (
    IN LPCWSTR szFileName );
// Releases the buffers owned by pThisThread (presumably the LPWSTR fields and
// counter lists of LOG_QUERY_DATA — confirm which).
void
DeallocateQueryBuffers (
    IN PLOG_QUERY_DATA pThisThread );
// Records the "stopped" state for pQuery (dwCurrentState and/or the registry —
// confirm). Returns a Win32 error code.
DWORD
SetStoppedStatus (
    IN PLOG_QUERY_DATA pQuery );
// Trace
// Fills pQuery's Properties / szLoggerName / szLogFileName block ahead of a
// trace session start (presumably). bUpdateSerial selects whether the session
// serial is bumped; both serials are passed in/out.
void
InitTraceProperties (
    IN PLOG_QUERY_DATA pQuery,
    IN BOOL bUpdateSerial,
    IN OUT DWORD* pdwSessionSerial,
    IN OUT INT* pCnfSerial );
// Queries the live trace session for pQuery and fills pReturnQuery's trace arm
// (presumably the "temporary query for comparison" noted in LOG_QUERY_DATA).
DWORD
GetTraceQueryStatus (
    IN PLOG_QUERY_DATA pQuery,
    IN OUT PLOG_QUERY_DATA pReturnQuery);
// Human-readable text for dwStatus. Which allocator owns the returned string,
// and therefore how to free it, is not stated here — confirm before freeing.
LPWSTR
FormatEventLogMessage(DWORD dwStatus);
// Presumably runs pArg->szCmdFileName with the finished log file's name;
// bStillRunning tells it whether the query continues afterwards — confirm.
// NOTE(review): the command path is configuration data acted on by a service;
// the implementation should launch it with an explicit program path and
// argument list (not through a shell) and under the intended token
// (hUserToken) — confirm.
DWORD
DoLogCommandFile (
    IN PLOG_QUERY_DATA pArg,
    IN LPWSTR szLogFileName,
    IN BOOL bStillRunning );
// Derives the registry key name for szQueryName into szQueryKeyName.
// dwQueryKeyNameLen bounds the output; whether it counts WCHARs or bytes is
// not stated here (LOG_QUERY_DATA uses MAX_PATH+1 WCHAR buffers for it).
DWORD
GetQueryKeyName (
    IN LPCWSTR szQueryName,
    OUT LPWSTR szQueryKeyName,
    IN DWORD dwQueryKeyNameLen );
// Stops and releases the trace session behind pQuery->LoggerHandle
// (presumably; see bCallCloseTraceLogger).
void
CloseTraceLogger (
    IN PLOG_QUERY_DATA pQuery );
// logthred.c
// Thread entry for one query; lpThreadArg is presumably the PLOG_QUERY_DATA
// whose hThread this is. The return value is the thread exit code.
// NOTE(review): no calling-convention specifier is given here; a routine
// handed to CreateThread must be WINAPI (stdcall on x86) — confirm the definition.
DWORD
LoggingThreadProc (
    IN LPVOID lpThreadArg );
#endif //_SMLOGSVC_H_