#3237 closed Bug (Fixed)
_EventLog__Read has an error in the __EventLog_DecodeDesc Function, Insertions replace unintended variables after %1- %9
Reported by: | BILGUS | Owned by: | Jon
---|---|---|---
Milestone: | 3.3.14.3 | Component: | Standard UDFs
Version: | 3.3.14.0 | Severity: | None
Keywords: | | Cc: |
Description
EventLog_DecodeDesc uses string replace on the insertion placeholders returned from _WinAPI_FormatMessage,
e.g. %1, %2, %3, %4, %5, %6, %7, %8, %9, %10, %11, %12.
However, every instance is replaced, therefore the data in %1 is also replaced in %10, %11, %12, %13 etc.,
and the data in %2 is replaced in %20, %21 etc.
For instance, if %1 contains Foo:
%10 becomes Foo0
%11 becomes Foo1
%12 becomes Foo2
The fix is to change
$sDesc = StringReplace($sDesc, "%" & $iI, $aStrings[$iI])
to
$sDesc = StringReplace($sDesc, "%" & $iI, $aStrings[$iI],1)
Func EventLog_DecodeDesc($tEventLog)
    Local $aStrings = EventLog_DecodeStrings($tEventLog)
    Local $sSource = EventLog_DecodeSource($tEventLog)
    Local $iEventID = DllStructGetData($tEventLog, "EventID")
    Local $sKey = "HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\" & $g_sSourceName_Event & "\" & $sSource
    Local $aMsgDLL = StringSplit(_WinAPI_ExpandEnvironmentStrings(RegRead($sKey, "EventMessageFile")), ";")
    Local $iFlags = BitOR($EVENTLOG_FORMAT_MESSAGE_FROM_HMODULE, $EVENTLOG_FORMAT_MESSAGE_IGNORE_INSERTS)
    Local $sDesc = ""
    ; Fetch the message template for this EventID (inserts left as %1, %2, ...) from each EventMessageFile DLL
    For $iI = 1 To $aMsgDLL[0]
        Local $hDLL = _WinAPI_LoadLibraryEx($aMsgDLL[$iI], $EVENTLOG_LOAD_LIBRARY_AS_DATAFILE)
        If $hDLL = 0 Then ContinueLoop
        Local $tBuffer = DllStructCreate("wchar Text[4096]")
        _WinAPI_FormatMessage($iFlags, $hDLL, $iEventID, 0, $tBuffer, 4096, 0)
        _WinAPI_FreeLibrary($hDLL)
        $sDesc &= DllStructGetData($tBuffer, "Text")
    Next
    If $sDesc = "" Then
        ; No template found: fall back to concatenating the raw insertion strings
        For $iI = 1 To $aStrings[0]
            $sDesc &= $aStrings[$iI]
        Next
    Else
        For $iI = 1 To $aStrings[0]
            $sDesc = StringReplace($sDesc, "%" & $iI, $aStrings[$iI], 1) ;<<<<<<<<<HERE Added as 1st occurrence Bilgus 5-20-2016
        Next
    EndIf
    Return StringStripWS($sDesc, $STR_STRIPLEADING + $STR_STRIPTRAILING)
EndFunc   ;==>EventLog_DecodeDesc
Attachments (0)
Change History (8)
comment:1 Changed 9 years ago by Melba23
comment:2 Changed 9 years ago by anonymous
<snip>
comment:3 Changed 9 years ago by Melba23
Like you I have access to the various functions involved, thanks, so there was no need to paste all that code.
What I wanted was a copy of a $sDesc variable from inside the EventLog_DecodeDesc function which gives you the problem. When I run the example code in the Help file on my machine $sDesc is an empty string, so I get no indication of how it might be delimited and therefore cannot work out a suitable RegEx pattern to replace the various elements.
So what I would like you to do is post an example of a $sDesc variable that includes some of these %1, %10, %11 etc.
M23
comment:4 Changed 9 years ago by anonymous
The code supplied was changed to illustrate the issue, hence the reason I pasted it all. The example function was changed to only bring up the proper data source.
Here is a sample of the template string:
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID: %1
Application Name: %2
Network Information:
Direction: %3
Source Address: %4
Source Port: %5
Destination Address: %6
Destination Port: %7
Protocol: %8
Filter Information:
Filter Run-Time ID: %9
Layer Name: %10
Layer Run-Time ID: %11
<-----------------------------------------------------
After the first replacement:
Application Information:
Process ID: 524
Application Name: %2
Network Information:
Direction: %3
Source Address: %4
Source Port: %5
Destination Address: %6
Destination Port: %7
Protocol: %8
Filter Information:
Filter Run-Time ID: %9
Layer Name: 5240
Layer Run-Time ID: 5241
<----------------------------------------------
Here is the $desc after replacement:
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID: 524
Application Name: \device\harddiskvolume11\windows\system32\svchost.exe
Network Information:
Direction: %%14592
Source Address: 255.255.255.255
Source Port: 67
Destination Address: 0.0.0.0
Destination Port: 68
Protocol: 0
Filter Information:
Filter Run-Time ID: 70589
Layer Name: 5240
Layer Run-Time ID: 5241
<-----------------------------------------------
Here is the Array of Strings: (0 holds count)
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID: 524
Application Name: \device\harddiskvolume11\windows\system32\svchost.exe
Network Information:
Direction: %%14592
Source Address: 255.255.255.255
Source Port: 67
Destination Address: 0.0.0.0
Destination Port: 68
Protocol: 0
Filter Information:
Filter Run-Time ID: 70589
Layer Name: 5240
Layer Run-Time ID: 5241
<-----------------------------------------------
And finally, after the fix, this is the returned $Desc:
The Windows Filtering Platform has blocked a connection.
Application Information:
Process ID: 524
Application Name: \device\harddiskvolume11\windows\system32\svchost.exe
Network Information:
Direction: %%14592
Source Address: 255.255.255.255
Source Port: 67
Destination Address: 0.0.0.0
Destination Port: 68
Protocol: 0
Filter Information:
Filter Run-Time ID: 70589
Layer Name: %%14610
Layer Run-Time ID: 44
<------------------------------------------------
Also note the strings %%14592 and %%14610. I plan on fixing this in the next few days; as far as I can tell it needs to call FormatMessage with those IDs to fill these types of strings.
comment:5 Changed 9 years ago by anonymous
Sorry here is the array of strings (0 Denotes Count):
13
524
\device\harddiskvolume11\windows\system32\svchost.exe
%%14592
255.255.255.255
67
0.0.0.0
68
0
70589
%%14610
44
S-1-0-0
S-1-0-0
comment:6 Changed 9 years ago by anonymous
Here is the function with code for insertion on %% placeholders:
Func EventLog_DecodeDesc($tEventLog)
    Local $aStrings = EventLog_DecodeStrings($tEventLog)
    Local $sSource = EventLog_DecodeSource($tEventLog)
    Local $iEventID = DllStructGetData($tEventLog, "EventID")
    Local $sKey = "HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\" & $g_sSourceName_Event & "\" & $sSource
    Local $aMsgDLL = StringSplit(_WinAPI_ExpandEnvironmentStrings(RegRead($sKey, "EventMessageFile")), ";")
    Local $iFlags = BitOR($EVENTLOG_FORMAT_MESSAGE_FROM_HMODULE, $EVENTLOG_FORMAT_MESSAGE_IGNORE_INSERTS)
    Local $sDesc = ""
    ; Fetch the message template for this EventID (inserts left as %1, %2, ...) from each EventMessageFile DLL
    For $iI = 1 To $aMsgDLL[0]
        Local $hDLL = _WinAPI_LoadLibraryEx($aMsgDLL[$iI], $EVENTLOG_LOAD_LIBRARY_AS_DATAFILE)
        If $hDLL = 0 Then ContinueLoop
        Local $tBuffer = DllStructCreate("wchar Text[4096]")
        _WinAPI_FormatMessage($iFlags, $hDLL, $iEventID, 0, $tBuffer, 4096, 0)
        _WinAPI_FreeLibrary($hDLL)
        $sDesc &= DllStructGetData($tBuffer, "Text")
    Next
    ; ADDED Source\Source\ParameterMessageFile for %% insertion placeholders
    $sKey = "HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\" & $g_sSourceName_Event & "\" & $g_sSourceName_Event
    $aMsgDLL = StringSplit(_WinAPI_ExpandEnvironmentStrings(RegRead($sKey, "ParameterMessageFile")), ";")
    For $iI = 1 To $aMsgDLL[0]
        $hDLL = _WinAPI_LoadLibraryEx($aMsgDLL[$iI], $EVENTLOG_LOAD_LIBRARY_AS_DATAFILE)
        If $hDLL <> 0 Then
            For $iJ = 1 To $aStrings[0] ; Added to parse secondary replacements
                Local $tBuffer = DllStructCreate("wchar Text[4096]")
                If StringInStr($aStrings[$iJ], "%%") Then
                    ; "%%14592" -> message ID 14592, looked up in the parameter message DLL
                    _WinAPI_FormatMessage($iFlags, $hDLL, Int(StringTrimLeft($aStrings[$iJ], 2)), 0, $tBuffer, 4096, 0)
                    If @error = 0 Then $aStrings[$iJ] = DllStructGetData($tBuffer, "Text")
                EndIf
            Next
            _WinAPI_FreeLibrary($hDLL)
        EndIf
    Next
    If $sDesc = "" Then
        ; No template found: fall back to concatenating the raw insertion strings
        For $iI = 1 To $aStrings[0]
            $sDesc &= $aStrings[$iI]
        Next
    Else
        For $iI = 1 To $aStrings[0]
            $sDesc = StringReplace($sDesc, "%" & $iI, $aStrings[$iI], 1) ; Fixed: replace the first occurrence only
        Next
    EndIf
    Return StringStripWS($sDesc, $STR_STRIPLEADING + $STR_STRIPTRAILING)
EndFunc   ;==>EventLog_DecodeDesc
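An added Python illustration, not the UDF's code and not posted in the ticket, that replays the sequential-replace bug on the template and insertion strings quoted in comments 4 and 5, then substitutes by placeholder index in the spirit of the StringRegExpReplace approach Melba23 suggests, with a constructed stand-in table for the %%ID parameter messages that comment 6 resolves through ParameterMessageFile. From a detection standpoint the defect matters because it silently corrupts the Layer Name and Layer Run-Time ID fields of a WFP block event, exactly the fields an analyst filters on; the PARAM_MESSAGES texts are assumed sample values, not taken from any message DLL.

```python
import re

# Constructed sample, built from the template and insertion strings quoted in
# comments 4 and 5 of this ticket (not the UDF's own code).
TEMPLATE = (
    "The Windows Filtering Platform has blocked a connection.\n"
    "Process ID: %1\nApplication Name: %2\nDirection: %3\n"
    "Source Address: %4\nSource Port: %5\nDestination Address: %6\n"
    "Destination Port: %7\nProtocol: %8\nFilter Run-Time ID: %9\n"
    "Layer Name: %10\nLayer Run-Time ID: %11"
)
INSERTS = ["524", r"\device\harddiskvolume11\windows\system32\svchost.exe",
           "%%14592", "255.255.255.255", "67", "0.0.0.0", "68", "0",
           "70589", "%%14610", "44", "S-1-0-0", "S-1-0-0"]
# Constructed stand-in for the ParameterMessageFile lookup; the real text is
# what FormatMessage returns for that ID, as comment 6 does.
PARAM_MESSAGES = {14592: "Outbound", 14610: "Connect"}


def decode_naive(template, inserts):
    """Reproduces the bug: replace every '%N' substring in index order, so the
    '%1' inside '%10' and '%11' is rewritten before those indexes are reached."""
    for i, s in enumerate(inserts, 1):
        template = template.replace("%" + str(i), s)
    return template


def decode_by_index(template, inserts, param_messages=None):
    """Tokenize '%N' with a regex and substitute by index, so '%10' can never
    be read as '%1' followed by '0'. A '%%ID' insertion string is resolved
    through the parameter-message table; unknown IDs are left untouched so an
    analyst can see the field was not resolved."""
    param_messages = param_messages or {}

    def expand(s):
        if s.startswith("%%") and s[2:].isdigit():
            return param_messages.get(int(s[2:]), s)
        return s

    def substitute(m):
        n = int(m.group(1))
        if 1 <= n <= len(inserts):
            return expand(inserts[n - 1])
        return m.group(0)  # no insertion string for this index: keep literal

    return re.sub(r"%(\d+)", substitute, template)


if __name__ == "__main__":
    print(decode_naive(TEMPLATE, INSERTS))
    print(decode_by_index(TEMPLATE, INSERTS, PARAM_MESSAGES))
```

Replacing only the first occurrence, as the ticket's fix does, still misfires when a template mentions %10 before %1 or uses the same placeholder twice; matching the whole number avoids both cases.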
comment:7 Changed 7 years ago by Jos
- Milestone set to 3.3.15.1
- Owner set to Jos
- Resolution set to Fixed
- Status changed from new to closed
Fixed by revision [11939] in version: 3.3.15.1
comment:8 Changed 7 years ago by Jon
- Milestone changed from 3.3.15.1 to 3.3.14.3
- Owner changed from Jos to Jon
Fixed by revision [11942] in version: 3.3.14.3
I think it might be better to use StringRegExpReplace to limit the replacements to a single place.
Can you please post (or send me via PM) a sample of $sDesc that causes the problem. Then I can look into how we might distinguish the separate elements within the RegEx pattern.
M23