/*++
Copyright (c) 1990 Microsoft Corporation
Module Name:
ELF.IDL
Abstract:
Contains the Elfr APIs which are used to remote the Elf APIs to
the local or remote server via RPC.
Also contains the RPC-specific data structures for these APIs.
Author:
Rajen Shah (rajens) 02-Apr-1991
Revision History:
02-Apr-1991 RajenS
created
--*/
//
// Interface Attributes
//
// RPC interface definition for the event log service (interface "eventlog").
//
// uuid/version identify the interface on the wire. ms_union is applied only
// when the file is compiled by MIDL (__midl defined). pointer_default(unique)
// means embedded pointers that carry no explicit pointer attribute are
// "unique": they may be NULL, so server code has to test them before use.
//
[
uuid(82273FDC-E32A-18C3-3F78-827929DC23EA),
version(0.0),
#ifdef __midl
ms_union,
#endif // __midl
pointer_default(unique)
]
//
// Interface Keyword
//
interface eventlog
//
// Interface Body
//
// The procedures below get their operation numbers from declaration order,
// so new procedures should be appended rather than inserted or reordered.
//
{
import "imports.idl"; // import all the include files
#include "event.h"
//
// ELF Generic Handle used to bind from client to server.
//
// [handle] makes these generic (user-defined) binding handles: the first
// parameter of the Open/Register calls (UNCServerName) is the string the
// client-side bind routine uses to reach the server. [unique] allows NULL.
// NOTE(review): presumably NULL selects the local machine - confirm in the
// bind routines, which are not part of this file.
//
typedef [handle,unique] LPWSTR EVENTLOG_HANDLE_W;
typedef [handle,unique] LPSTR EVENTLOG_HANDLE_A;
//
// ELF RPC Context Handle (Internal definition of ELF_HANDLE)
//
// Declared [context_handle]: the RPC runtime gives the client an opaque
// token and maps it back to this server-side structure on each call, so
// these fields are server state and are not marshalled to the client.
//
// GrantedAccess records the access associated with the handle.
// NOTE(review): the IDL does not show where it is set or checked - confirm
// that every procedure taking a LogHandle tests it on the server.
//
// SeekRecordPos / SeekBytePos hold the per-handle read position.
//
// MajorVersion / MinorVersion "identify the caller"; the Open/Register
// procedures take them as plain [in] ULONGs, so they are presumably
// caller-asserted values, not an authenticated identity - confirm.
//
typedef [context_handle] struct _IELF_HANDLE {
LIST_ENTRY Next;
ULONG Signature; // BUGBUG - For debug only
ULONG Flags; // e.g. "invalid"
ULONG GrantedAccess;
ATOM Atom;
ULONG SeekRecordPos;
ULONG SeekBytePos;
ULONG MajorVersion; // To identify caller
ULONG MinorVersion;
ULONG NameLength;
[size_is(NameLength)] WCHAR Name[]; // Keep this as last field
} *IELF_HANDLE;
typedef IELF_HANDLE *PIELF_HANDLE;
//
// UNICODE Function Prototypes
//
//
// Procedures that create or destroy a handle (the Open*/Register* calls,
// ElfrCloseEL and ElfrDeregisterEventSource) take a PIELF_HANDLE because
// they modify the handle value. All others take IELF_HANDLE.
//
// NOTE:
// The names of the functions are short so that when RPC
// prepends the interface name to the names, they are still
// unique.
//
//
// ElfrClearELFW - clear the log identified by LogHandle.
// BackupFileName is [in,unique], so it may be NULL.
// NOTE(review): presumably a NULL name means "clear without backup" and a
// non-NULL name is a file the server writes first - confirm. Clearing
// discards log history and the name is a caller-chosen path, so confirm the
// server checks the handle's GrantedAccess and creates the file under the
// caller's identity rather than the service's.
//
NTSTATUS
ElfrClearELFW (
[in] IELF_HANDLE LogHandle,
[in,unique] PRPC_UNICODE_STRING BackupFileName
);
//
// ElfrBackupELFW - back up the log identified by LogHandle to
// BackupFileName. The name is a top-level [in] pointer with no [unique],
// i.e. a reference pointer that cannot be NULL on the wire.
// NOTE(review): the path is chosen by the caller - confirm the server
// validates it and does not overwrite existing files with service
// privileges.
//
NTSTATUS
ElfrBackupELFW (
[in] IELF_HANDLE LogHandle,
[in] PRPC_UNICODE_STRING BackupFileName
);
//
// ElfrCloseEL - close a log handle. [in,out] lets the server return a
// NULL handle so the client-side context is released.
//
NTSTATUS
ElfrCloseEL (
[in,out] PIELF_HANDLE LogHandle
);
//
// ElfrDeregisterEventSource - release a handle obtained from one of the
// ElfrRegisterEventSource calls; same [in,out] handle convention as
// ElfrCloseEL.
//
NTSTATUS
ElfrDeregisterEventSource (
[in,out] PIELF_HANDLE LogHandle
);
//
// ElfrNumberOfRecords - return the record count of the log in
// *NumberOfRecords.
//
NTSTATUS
ElfrNumberOfRecords(
[in] IELF_HANDLE LogHandle,
[out] PULONG NumberOfRecords
);
//
// ElfrOldestRecord - return the number of the oldest record in
// *OldestRecordNumber.
//
NTSTATUS
ElfrOldestRecord(
[in] IELF_HANDLE LogHandle,
[out] PULONG OldestRecordNumber
);
//
// ElfrChangeNotify - register for change notification on a log.
// ClientId and Event are values supplied by the caller; their types are
// defined outside this file.
// NOTE(review): presumably these name a process and an event object on the
// server's machine - confirm, and confirm the server rejects callers for
// which those values are not meaningful (e.g. remote clients).
//
NTSTATUS
ElfrChangeNotify(
[in] IELF_HANDLE LogHandle,
[in] RPC_CLIENT_ID ClientId,
[in] ULONG Event
);
//
// The ModuleName is the one passed in by the caller of the API. This is
// the one that is written to the log file.
//
// RegModuleName is generated by the client stub, and is the name that is
// used to determine the default log file name from the registry. For
// NT Product1, this will be "Application". NOTE: It is necessary to do this
// now so that we can support viewing logs from a Product 2 system in the
// future if we change our logging mechanism.
//
// NOTE(review): both names arrive as [in] parameters, so a client that does
// not use the stock stub can send any RegModuleName - the server should
// treat it as untrusted input when it is used for the registry lookup.
//
// ElfrOpenELW - open a log for ModuleName and return a new context handle
// in *LogHandle.
//
NTSTATUS
ElfrOpenELW (
[in] EVENTLOG_HANDLE_W UNCServerName,
[in] PRPC_UNICODE_STRING ModuleName, // Passed in API call
[in] PRPC_UNICODE_STRING RegModuleName, // Used for registry
[in] ULONG MajorVersion,
[in] ULONG MinorVersion,
[out] PIELF_HANDLE LogHandle
);
//
// ElfrRegisterEventSourceW - same parameter list as ElfrOpenELW; returns a
// context handle in *LogHandle. (Presumably the handle is intended for
// writing events via ElfrReportEventW - confirm.)
//
NTSTATUS
ElfrRegisterEventSourceW (
[in] EVENTLOG_HANDLE_W UNCServerName,
[in] PRPC_UNICODE_STRING ModuleName, // Passed in API call
[in] PRPC_UNICODE_STRING RegModuleName, // Used for registry info
[in] ULONG MajorVersion,
[in] ULONG MinorVersion,
[out] PIELF_HANDLE LogHandle
);
//
// ElfrOpenBELW - open a backup log file and return a context handle in
// *LogHandle.
// NOTE(review): BackupFileName is a caller-chosen path that the server
// presumably opens and parses - confirm it is opened under the caller's
// identity and that the file contents are validated as untrusted data.
//
NTSTATUS
ElfrOpenBELW (
[in] EVENTLOG_HANDLE_W UNCServerName,
[in] PRPC_UNICODE_STRING BackupFileName, // Passed in API call
[in] ULONG MajorVersion,
[in] ULONG MinorVersion,
[out] PIELF_HANDLE LogHandle
);
//
// BUGBUG - Fix this interface once RPC supports the ability to return
// zero bytes. Then, Buffer will have a length_is(*NumberOfBytesRead)
// added to it. For now, always transfer NumberOfBytesToRead bytes!
//
// LogHandle is declared [in] below (the original note here called it
// [in,out]): the seek position is kept in the server-side IELF_HANDLE
// state (SeekRecordPos / SeekBytePos), so the handle value itself does not
// change.
//
// ElfrReadELW - read records into Buffer. Buffer is [out] with
// size_is(NumberOfBytesToRead) and no length_is, so the whole buffer of the
// caller-chosen size is sent back regardless of *NumberOfBytesRead.
// NOTE(review): confirm the server (a) bounds NumberOfBytesToRead, which
// has no range limit in the IDL, and (b) fills or zeroes the bytes past
// *NumberOfBytesRead so that stale server memory is not returned.
//
NTSTATUS
ElfrReadELW (
[in] IELF_HANDLE LogHandle,
[in] ULONG ReadFlags,
[in] ULONG RecordOffset,
[in] ULONG NumberOfBytesToRead,
[out,size_is(NumberOfBytesToRead)] PBYTE Buffer,
[out] PULONG NumberOfBytesRead,
[out] PULONG MinNumberOfBytesNeeded
);
//
// ElfrReportEventW - write one event to the log behind LogHandle.
//
// Strings is a conformant array of NumStrings string pointers and Data is
// DataSize bytes; both, and UserSID, are [unique] and may be NULL.
// RecordNumber and TimeWritten are optional [in,out] values.
//
// NOTE(review): Time, ComputerName and UserSID are plain [in] parameters.
// If the server stores them in the record unchanged, consumers of the log
// should treat them as caller-asserted rather than verified - confirm
// against the server. Also confirm that the server checks each Strings
// entry for NULL and bounds NumStrings / DataSize before building the
// record.
//
NTSTATUS
ElfrReportEventW (
[in] IELF_HANDLE LogHandle,
[in] ULONG Time,
[in] USHORT EventType,
[in] USHORT EventCategory,
[in] ULONG EventID,
[in] USHORT NumStrings,
[in] ULONG DataSize,
[in] PRPC_UNICODE_STRING ComputerName,
[in, unique] PRPC_SID UserSID,
[in, size_is(NumStrings), unique] PRPC_UNICODE_STRING Strings[*],
[in, size_is(DataSize), unique] PBYTE Data,
[in] USHORT Flags,
[in,out,unique] PULONG RecordNumber,
[in,out,unique] PULONG TimeWritten
);
//
// ANSI Function Prototypes
//
//
// These mirror the UNICODE procedures above with PRPC_STRING /
// EVENTLOG_HANDLE_A in place of the wide-character types; the review notes
// on the corresponding W procedures apply here as well. Only the
// Open*/Register* calls take PIELF_HANDLE, since they create the handle.
//
// NOTE that there is only one api for CloseEL since there are no
// strings involved.
//
//
// ElfrClearELFA - ANSI form of ElfrClearELFW; BackupFileName may be NULL.
//
NTSTATUS
ElfrClearELFA (
[in] IELF_HANDLE LogHandle,
[in,unique] PRPC_STRING BackupFileName
);
//
// ElfrBackupELFA - ANSI form of ElfrBackupELFW.
//
NTSTATUS
ElfrBackupELFA (
[in] IELF_HANDLE LogHandle,
[in] PRPC_STRING BackupFileName
);
//
// The ModuleName is the one passed in by the caller of the API. This is
// the one that is written to the log file.
//
// RegModuleName is generated by the client stub, and is the name that is
// used to determine the default log file name from the registry. For
// NT Product1, this will be "Application". NOTE: It is necessary to do this
// now so that we can support viewing logs from a Product 2 system in the
// future if we change our logging mechanism.
//
// ElfrOpenELA - ANSI form of ElfrOpenELW.
//
NTSTATUS
ElfrOpenELA (
[in] EVENTLOG_HANDLE_A UNCServerName,
[in] PRPC_STRING ModuleName, // Passed in API call
[in] PRPC_STRING RegModuleName, // Used for registry info
[in] ULONG MajorVersion,
[in] ULONG MinorVersion,
[out] PIELF_HANDLE LogHandle
);
//
// ElfrRegisterEventSourceA - ANSI form of ElfrRegisterEventSourceW.
//
NTSTATUS
ElfrRegisterEventSourceA (
[in] EVENTLOG_HANDLE_A UNCServerName,
[in] PRPC_STRING ModuleName, // Passed in API call
[in] PRPC_STRING RegModuleName, // Used for registry info
[in] ULONG MajorVersion,
[in] ULONG MinorVersion,
[out] PIELF_HANDLE LogHandle
);
//
// ElfrOpenBELA - ANSI form of ElfrOpenBELW. The path parameter is named
// FileName here and BackupFileName in the W procedure; the position and
// role in the parameter list are the same.
//
NTSTATUS
ElfrOpenBELA (
[in] EVENTLOG_HANDLE_A UNCServerName,
[in] PRPC_STRING FileName, // Passed in API call
[in] ULONG MajorVersion,
[in] ULONG MinorVersion,
[out] PIELF_HANDLE LogHandle
);
//
// BUGBUG - Fix this interface once RPC supports the ability to return
// zero bytes. Then, Buffer will have a length_is(*NumberOfBytesRead)
// added to it. For now, always transfer NumberOfBytesToRead bytes!
//
// LogHandle is declared [in] below (the original note here called it
// [in,out]); the seek position is kept in the server-side handle state.
//
// ElfrReadELA - ANSI form of ElfrReadELW. As there, the full
// NumberOfBytesToRead bytes of Buffer are returned to the caller, so the
// server should bound the size and leave no uninitialised bytes in it
// (NOTE(review): confirm in the server implementation).
//
NTSTATUS
ElfrReadELA (
[in] IELF_HANDLE LogHandle,
[in] ULONG ReadFlags,
[in] ULONG RecordOffset,
[in] ULONG NumberOfBytesToRead,
[out,size_is(NumberOfBytesToRead)] PBYTE Buffer,
[out] PULONG NumberOfBytesRead,
[out] PULONG MinNumberOfBytesNeeded
);
//
// ElfrReportEventA - ANSI form of ElfrReportEventW. Time, ComputerName and
// UserSID are caller-supplied [in] values; UserSID, Strings and Data may be
// NULL.
//
NTSTATUS
ElfrReportEventA (
[in] IELF_HANDLE LogHandle,
[in] ULONG Time,
[in] USHORT EventType,
[in] USHORT EventCategory,
[in] ULONG EventID,
[in] USHORT NumStrings,
[in] ULONG DataSize,
[in] PRPC_STRING ComputerName,
[in, unique] PRPC_SID UserSID,
[in, size_is(NumStrings), unique] PRPC_STRING Strings[*],
[in, size_is(DataSize), unique] PBYTE Data,
[in] USHORT Flags,
[in,out,unique] PULONG RecordNumber,
[in,out,unique] PULONG TimeWritten
);
}