public/sdk/inc/ntelfapi.h


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295

/*++

Copyright (c) 1991-1993 Microsoft Corporation

Module Name:

    ntelfapi.h

Abstract:

    This file contains the prototypes for the user-level Elf APIs.

Author:

    Rajen Shah (rajens) 30-Jul-1991

Revision History:

--*/

#ifndef _NTELFAPI_
#define _NTELFAPI_

// begin_winnt

//
// Defines for the READ flags for Eventlogging
//
#define EVENTLOG_SEQUENTIAL_READ        0X0001
#define EVENTLOG_SEEK_READ              0X0002
#define EVENTLOG_FORWARDS_READ          0X0004
#define EVENTLOG_BACKWARDS_READ         0X0008

//
// The types of events that can be logged.
//
#define EVENTLOG_SUCCESS                0X0000
#define EVENTLOG_ERROR_TYPE             0x0001
#define EVENTLOG_WARNING_TYPE           0x0002
#define EVENTLOG_INFORMATION_TYPE       0x0004
#define EVENTLOG_AUDIT_SUCCESS          0x0008
#define EVENTLOG_AUDIT_FAILURE          0x0010

//
// Defines for the WRITE flags used by Auditing for paired events
// These are not implemented in Product 1
//

#define EVENTLOG_START_PAIRED_EVENT    0x0001
#define EVENTLOG_END_PAIRED_EVENT      0x0002
#define EVENTLOG_END_ALL_PAIRED_EVENTS 0x0004
#define EVENTLOG_PAIRED_EVENT_ACTIVE   0x0008
#define EVENTLOG_PAIRED_EVENT_INACTIVE 0x0010

//
// Structure that defines the header of the Eventlog record. This is the
// fixed-sized portion before all the variable-length strings, binary
// data and pad bytes.
//
// TimeGenerated is the time it was generated at the client.
// TimeWritten is the time it was put into the log at the server end.
//

typedef struct _EVENTLOGRECORD {
    ULONG  Length;        // Length of full record
    ULONG  Reserved;      // Used by the service
    ULONG  RecordNumber;  // Absolute record number
    ULONG  TimeGenerated; // Seconds since 1-1-1970
    ULONG  TimeWritten;   // Seconds since 1-1-1970
    ULONG  EventID;
    USHORT EventType;
    USHORT NumStrings;
    USHORT EventCategory;
    USHORT ReservedFlags; // For use with paired events (auditing)
    ULONG  ClosingRecordNumber; // For use with paired events (auditing)
    ULONG  StringOffset;  // Offset from beginning of record
    ULONG  UserSidLength;
    ULONG  UserSidOffset;
    ULONG  DataLength;
    ULONG  DataOffset;    // Offset from beginning of record
    //
    // Then follow:
    //
    // WCHAR SourceName[]
    // WCHAR Computername[]
    // SID   UserSid
    // WCHAR Strings[]
    // BYTE  Data[]
    // CHAR  Pad[]
    // ULONG Length;
    //
} EVENTLOGRECORD, *PEVENTLOGRECORD;

// end_winnt

#ifdef UNICODE
#define ElfClearEventLogFile   ElfClearEventLogFileW
#define ElfBackupEventLogFile  ElfBackupEventLogFileW
#define ElfOpenEventLog        ElfOpenEventLogW
#define ElfRegisterEventSource ElfRegisterEventSourceW
#define ElfOpenBackupEventLog  ElfOpenBackupEventLogW
#define ElfReadEventLog        ElfReadEventLogW
#define ElfReportEvent         ElfReportEventW
#else
#define ElfClearEventLogFile   ElfClearEventLogFileA
#define ElfBackupEventLogFile  ElfBackupEventLogFileA
#define ElfOpenEventLog        ElfOpenEventLogA
#define ElfRegisterEventSource ElfRegisterEventSourceA
#define ElfOpenBackupEventLog  ElfOpenBackupEventLogA
#define ElfReadEventLog        ElfReadEventLogA
#define ElfReportEvent         ElfReportEventA
#endif // !UNICODE

//
// Handles are RPC context handles. Note that a Context Handle is
// always a pointer type unlike regular handles.
//

//
// Prototypes for the APIs
//

NTSTATUS
NTAPI
ElfClearEventLogFileW (
    IN  HANDLE LogHandle,
    IN  PUNICODE_STRING BackupFileName
    );

NTSTATUS
NTAPI
ElfClearEventLogFileA (
    IN  HANDLE LogHandle,
    IN  PSTRING BackupFileName
    );

NTSTATUS
NTAPI
ElfBackupEventLogFileW (
    IN  HANDLE LogHandle,
    IN  PUNICODE_STRING BackupFileName
    );

NTSTATUS
NTAPI
ElfBackupEventLogFileA (
    IN  HANDLE LogHandle,
    IN  PSTRING BackupFileName
    );

NTSTATUS
NTAPI
ElfCloseEventLog (
    IN  HANDLE LogHandle
    );

NTSTATUS
NTAPI
ElfDeregisterEventSource (
    IN  HANDLE LogHandle
    );

NTSTATUS
NTAPI
ElfNumberOfRecords (
    IN  HANDLE LogHandle,
    OUT PULONG NumberOfRecords
    );

NTSTATUS
NTAPI
ElfOldestRecord (
    IN  HANDLE LogHandle,
    OUT PULONG OldestRecord
    );


NTSTATUS
NTAPI
ElfChangeNotify (
    IN  HANDLE LogHandle,
    IN  HANDLE Event
    );


NTSTATUS
NTAPI
ElfOpenEventLogW (
    IN  PUNICODE_STRING UNCServerName,
    IN  PUNICODE_STRING SourceName,
    OUT PHANDLE         LogHandle
    );

NTSTATUS
NTAPI
ElfRegisterEventSourceW (
    IN  PUNICODE_STRING UNCServerName,
    IN  PUNICODE_STRING SourceName,
    OUT PHANDLE         LogHandle
    );

NTSTATUS
NTAPI
ElfOpenBackupEventLogW (
    IN  PUNICODE_STRING UNCServerName,
    IN  PUNICODE_STRING FileName,
    OUT PHANDLE         LogHandle
    );

NTSTATUS
NTAPI
ElfOpenEventLogA (
    IN  PSTRING UNCServerName,
    IN  PSTRING SourceName,
    OUT PHANDLE LogHandle
    );

NTSTATUS
NTAPI
ElfRegisterEventSourceA (
    IN  PSTRING UNCServerName,
    IN  PSTRING SourceName,
    OUT PHANDLE LogHandle
    );

NTSTATUS
NTAPI
ElfOpenBackupEventLogA (
    IN  PSTRING UNCServerName,
    IN  PSTRING FileName,
    OUT PHANDLE LogHandle
    );


NTSTATUS
NTAPI
ElfReadEventLogW (
    IN  HANDLE LogHandle,
    IN  ULONG  ReadFlags,
    IN  ULONG  RecordNumber,
    OUT PVOID  Buffer,
    IN  ULONG  NumberOfBytesToRead,
    OUT PULONG NumberOfBytesRead,
    OUT PULONG MinNumberOfBytesNeeded
    );


NTSTATUS
NTAPI
ElfReadEventLogA (
    IN  HANDLE LogHandle,
    IN  ULONG  ReadFlags,
    IN  ULONG  RecordNumber,
    OUT PVOID  Buffer,
    IN  ULONG  NumberOfBytesToRead,
    OUT PULONG NumberOfBytesRead,
    OUT PULONG MinNumberOfBytesNeeded
    );


NTSTATUS
NTAPI
ElfReportEventW (
    IN     HANDLE      LogHandle,
    IN     USHORT      EventType,
    IN     USHORT      EventCategory   OPTIONAL,
    IN     ULONG       EventID,
    IN     PSID        UserSid         OPTIONAL,
    IN     USHORT      NumStrings,
    IN     ULONG       DataSize,
    IN     PUNICODE_STRING *Strings    OPTIONAL,
    IN     PVOID       Data            OPTIONAL,
    IN     USHORT      Flags,
    IN OUT PULONG      RecordNumber    OPTIONAL,
    IN OUT PULONG      TimeWritten     OPTIONAL
    );

NTSTATUS
NTAPI
ElfReportEventA (
    IN     HANDLE      LogHandle,
    IN     USHORT      EventType,
    IN     USHORT      EventCategory   OPTIONAL,
    IN     ULONG       EventID,
    IN     PSID        UserSid         OPTIONAL,
    IN     USHORT      NumStrings,
    IN     ULONG       DataSize,
    IN     PANSI_STRING *Strings       OPTIONAL,
    IN     PVOID       Data            OPTIONAL,
    IN     USHORT      Flags,
    IN OUT PULONG      RecordNumber    OPTIONAL,
    IN OUT PULONG      TimeWritten     OPTIONAL
    );

#endif // _NTELFAPI_