Modify

Opened 9 years ago

Closed 7 years ago

Last modified 7 years ago

#3237 closed Bug (Fixed)

_EventLog__Read has an error in the __EventLog_DecodeDesc Function, Insertions replace unintended variables after %1- %9

Reported by: BILGUS Owned by: Jon
Milestone: 3.3.14.3 Component: Standard UDFs
Version: 3.3.14.0 Severity: None
Keywords: Cc:

Description

EventLog_DecodeDesc uses string replace on Insertion place holders returned from _WinAPI_FormatMessage
ex. %1, %2, %3, %4, %5, %6, %7, %8, %9, %10, %11, %12
However every instance is replaced therefore The data in %1 is also replaced in %10, %11, %12, %13 etc
the data in %2 is replaced in %20 %21 etc.

For instance if %1 contains Foo
%10 becomes Foo0
%11 becomes Foo1
%12 becomes Foo2

The fix is to change
$sDesc = StringReplace($sDesc, "%" & $iI, $aStrings[$iI])
to
$sDesc = StringReplace($sDesc, "%" & $iI, $aStrings[$iI],1)

Func EventLog_DecodeDesc($tEventLog)

Local $aStrings = EventLog_DecodeStrings($tEventLog)
Local $sSource = EventLog_DecodeSource($tEventLog)
Local $iEventID = DllStructGetData($tEventLog, "EventID")
Local $sKey = "HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\" & $g_sSourceName_Event & "\" & $sSource

Local $aMsgDLL = StringSplit(_WinAPI_ExpandEnvironmentStrings(RegRead($sKey, "EventMessageFile")), ";")

Local $iFlags = BitOR($EVENTLOG_FORMAT_MESSAGE_FROM_HMODULE, $EVENTLOG_FORMAT_MESSAGE_IGNORE_INSERTS)
Local $sDesc = ""
For $iI = 1 To $aMsgDLL[0]

Local $hDLL = _WinAPI_LoadLibraryEx($aMsgDLL[$iI], $EVENTLOG_LOAD_LIBRARY_AS_DATAFILE)
If $hDLL = 0 Then ContinueLoop
Local $tBuffer = DllStructCreate("wchar Text[4096]")
_WinAPI_FormatMessage($iFlags, $hDLL, $iEventID, 0, $tBuffer, 4096, 0)
_WinAPI_FreeLibrary($hDLL)
$sDesc &= DllStructGetData($tBuffer, "Text")

Next

If $sDesc = "" Then

For $iI = 1 To $aStrings[0]

$sDesc &= $aStrings[$iI]

Next

Else

For $iI = 1 To $aStrings[0]

$sDesc = StringReplace($sDesc, "%" & $iI, $aStrings[$iI],1);<<<<<<<<<HERE Added as 1st occurrence Bilgus 5-20-2016

Next

EndIf

Return StringStripWS($sDesc, $STR_STRIPLEADING + $STR_STRIPTRAILING)

EndFunc ;==>EventLog_DecodeDesc

Attachments (0)

Change History (8)

comment:1 Changed 9 years ago by Melba23

I think it might be better to use StringRegExpReplace to limit the replacements to a single place.

Can you please post (or send me via PM) a sample of $sDesc that causes the problem. Then I can look into how we might distinguish the separate elements within the RegEx pattern.

M23

comment:2 Changed 9 years ago by anonymous

#RequireAdmin

;++++++++++++++++++++++++++++++++++START OF INCLUDE
;;#include <EventLog.au3>
;#include-once

#include "Date.au3"
#include "Security.au3"
#include "StructureConstants.au3"
#include "WinAPI.au3"

; #INDEX# =======================================================================================================================
; Title .........: Event_Log
; AutoIt Version : 3.3.14.2
; Language ......: English
; Description ...: Functions that assist Windows System logs.
; Description ...: When an error occurs, the system administrator or support technicians must determine what caused the error,
; attempt to recover any lost data, and prevent the error from recurring. It is helpful if applications, the
; operating system, and other system services record important events such as low-memory conditions or excessive
; attempts to access a disk. Then the system administrator can use the event log to help determine what
; conditions caused the error and the context in which it occurred. By periodically viewing the event log, the
; system administrator may be able to identify problems (such as a failing hard drive) before they cause damage.
; Author(s) .....: Paul Campbell (PaulIA), Gary Frost
; Dll ...........: advapi32.dll
; ===============================================================================================================================

; #VARIABLES# ===================================================================================================================
Global $g_sSourceName_Event
; ===============================================================================================================================

; #CONSTANTS# ===================================================================================================================
Global Const $EVENTLOG_SUCCESS = 0x00000000
Global Const $EVENTLOG_ERROR_TYPE = 0x00000001
Global Const $EVENTLOG_WARNING_TYPE = 0x00000002
Global Const $EVENTLOG_INFORMATION_TYPE = 0x00000004
Global Const $EVENTLOG_AUDIT_SUCCESS = 0x00000008
Global Const $EVENTLOG_AUDIT_FAILURE = 0x00000010
Global Const $EVENTLOG_SEQUENTIAL_READ = 0x00000001
Global Const $EVENTLOG_SEEK_READ = 0x00000002
Global Const $EVENTLOG_FORWARDS_READ = 0x00000004
Global Const $EVENTLOG_BACKWARDS_READ = 0x00000008

Global Const $EVENTLOG_LOAD_LIBRARY_AS_DATAFILE = 0x00000002
Global Const $EVENTLOG_FORMAT_MESSAGE_FROM_HMODULE = 0x00000800
Global Const $EVENTLOG_FORMAT_MESSAGE_IGNORE_INSERTS = 0x00000200
; ===============================================================================================================================

; #CURRENT# =====================================================================================================================
; _EventLogBackup
; _EventLogClear
; _EventLogClose
; _EventLogCount
; _EventLogDeregisterSource
; _EventLogFull
; _EventLogNotify
; _EventLogOldest
; _EventLogOpen
; _EventLogOpenBackup
; _EventLogRead
; _EventLogRegisterSource
; _EventLogReport
; ===============================================================================================================================

; #INTERNAL_USE_ONLY# ===========================================================================================================
; EventLog_DecodeCategory
; EventLog_DecodeComputer
; EventLog_DecodeData
; EventLog_DecodeDate
; EventLog_DecodeDesc
; EventLog_DecodeEventID
; EventLog_DecodeSource
; EventLog_DecodeStrings
; EventLog_DecodeTime
; EventLog_DecodeTypeStr
; EventLog_DecodeUserName
; ===============================================================================================================================

; #FUNCTION# ====================================================================================================================
; Author ........: Paul Campbell (PaulIA)
; Modified.......: Gary Frost (gafrost)
; ===============================================================================================================================
Func _EventLogBackup($hEventLog, $sFileName)

Local $aResult = DllCall("advapi32.dll", "bool", "BackupEventLogW", "handle", $hEventLog, "wstr", $sFileName)
If @error Then Return SetError(@error, @extended, False)
Return $aResult[0] <> 0

EndFunc ;==>_EventLogBackup

; #FUNCTION# ====================================================================================================================
; Author ........: Paul Campbell (PaulIA)
; Modified.......: Gary Frost (gafrost)
; ===============================================================================================================================
Func _EventLogClear($hEventLog, $sFileName)

Local $bTemp = False
If StringLen($sFileName) = 0 Then

$sFileName = @TempDir & "\_EventLog_tempbackup.bak"
$bTemp = True

EndIf
Local $aResult = DllCall("advapi32.dll", "bool", "ClearEventLogW", "handle", $hEventLog, "wstr", $sFileName)
If @error Then Return SetError(@error, @extended, False)
If $bTemp Then FileDelete($sFileName)
Return $aResult[0] <> 0

EndFunc ;==>_EventLogClear

; #FUNCTION# ====================================================================================================================
; Author ........: Paul Campbell (PaulIA)
; Modified.......: Gary Frost (gafrost)
; ===============================================================================================================================
Func _EventLogClose($hEventLog)

Local $aResult = DllCall("advapi32.dll", "bool", "CloseEventLog", "handle", $hEventLog)
If @error Then Return SetError(@error, @extended, False)
Return $aResult[0] <> 0

EndFunc ;==>_EventLogClose

; #FUNCTION# ====================================================================================================================
; Author ........: Paul Campbell (PaulIA)
; Modified.......:
; ===============================================================================================================================
Func _EventLogCount($hEventLog)

Local $aResult = DllCall("advapi32.dll", "bool", "GetNumberOfEventLogRecords", "handle", $hEventLog, "dword*", 0)
If @error Then Return SetError(@error, @extended, -1)
If $aResult[0] = 0 Then Return -1
Return $aResult[2]

EndFunc ;==>_EventLogCount

; #INTERNAL_USE_ONLY# ===========================================================================================================
; Name...........: EventLog_DecodeCategory
; Description ...: Decodes an event category for an event record
; Syntax.........: EventLog_DecodeCategory ( $tEventLog )
; Parameters ....: $tEventLog - tagEVENTLOGRECORD structure
; Return values .: Success - Event category
; Author ........: Paul Campbell (PaulIA)
; Modified.......: Gary Frost (gafrost)
; Remarks .......: This function is used internally
; Related .......:
; Link ..........:
; Example .......:
; ===============================================================================================================================
Func EventLog_DecodeCategory($tEventLog)

Return DllStructGetData($tEventLog, "EventCategory")

EndFunc ;==>EventLog_DecodeCategory

; #INTERNAL_USE_ONLY# ===========================================================================================================
; Name...........: EventLog_DecodeComputer
; Description ...: Decodes the computer name from an event log record
; Syntax.........: EventLog_DecodeComputer ( $tEventLog )
; Parameters ....: $tEventLog - tagEVENTLOGRECORD structure
; Return values .: Success - Computer name
; Author ........: Paul Campbell (PaulIA)
; Modified.......: Gary Frost (gafrost)
; Remarks .......: This function is used internally
; Related .......:
; Link ..........:
; Example .......:
; ===============================================================================================================================
Func EventLog_DecodeComputer($tEventLog)

Local $pEventLog = DllStructGetPtr($tEventLog)
; The buffer length doesn't need to extend past UserSidOffset since
; the string appears before that.
Local $iLength = DllStructGetData($tEventLog, "UserSidOffset") - 1
; This points to the start of the variable length data.
Local $iOffset = DllStructGetSize($tEventLog)
; Offset the buffer with the Source string length which appears right
; before the Computer name.
$iOffset += 2 * (StringLen(EventLog_DecodeSource($tEventLog)) + 1)
; Adjust the length to be a difference instead of absolute address.
$iLength -= $iOffset
; Adjust the buffer to point to the start of the Computer string.
Local $tBuffer = DllStructCreate("wchar Text& $iLength &?", $pEventLog + $iOffset)
Return DllStructGetData($tBuffer, "Text")

EndFunc ;==>EventLog_DecodeComputer

; #INTERNAL_USE_ONLY# ===========================================================================================================
; Name...........: EventLog_DecodeData
; Description ...: Decodes the event specific binary data from an event log record
; Syntax.........: EventLog_DecodeData ( $tEventLog )
; Parameters ....: $tEventLog - tagEVENTLOGRECORD structure
; Return values .: Success - Array with the following format:
; |[0] - Number of bytes in array
; |[1] - Byte 1
; |[2] - Byte 2
; |[n] - Byte n
; Author ........: Paul Campbell (PaulIA)
; Modified.......: Gary Frost (gafrost)
; Remarks .......: This function is used internally
; Related .......:
; Link ..........:
; Example .......:
; ===============================================================================================================================
Func EventLog_DecodeData($tEventLog)

Local $pEventLog = DllStructGetPtr($tEventLog)
Local $iOffset = DllStructGetData($tEventLog, "DataOffset")
Local $iLength = DllStructGetData($tEventLog, "DataLength")
Local $tBuffer = DllStructCreate("byte& $iLength &?", $pEventLog + $iOffset)
Local $aData[$iLength + 1]
$aData[0] = $iLength
For $iI = 1 To $iLength

$aData[$iI] = DllStructGetData($tBuffer, 1, $iI)

Next
Return $aData

EndFunc ;==>EventLog_DecodeData

; #INTERNAL_USE_ONLY# ===========================================================================================================
; Name...........: EventLog_DecodeDate
; Description ...: Converts an event log time to a date string
; Syntax.........: EventLog_DecodeDate ( $iEventTime )
; Parameters ....: $iEventTime - Event log time to be converted
; Return values .: Success - Date string in the format of mm/dd/yyyy
; Author ........: Paul Campbell (PaulIA)
; Modified.......: Gary Frost (gafrost)
; Remarks .......: This function is used internally
; Related .......:
; Link ..........:
; Example .......:
; ===============================================================================================================================
Func EventLog_DecodeDate($iEventTime)

Local $tInt64 = DllStructCreate("int64")
Local $pInt64 = DllStructGetPtr($tInt64)
Local $tFileTime = DllStructCreate($tagFILETIME, $pInt64)
DllStructSetData($tInt64, 1, ($iEventTime * 10000000) + 116444736000000000)
Local $tLocalTime = _Date_Time_FileTimeToLocalFileTime($tFileTime)
Local $tSystTime = _Date_Time_FileTimeToSystemTime($tLocalTime)
Local $iMonth = DllStructGetData($tSystTime, "Month")
Local $iDay = DllStructGetData($tSystTime, "Day")
Local $iYear = DllStructGetData($tSystTime, "Year")
Return StringFormat("%02d/%02d/%04d", $iMonth, $iDay, $iYear)

EndFunc ;==>EventLog_DecodeDate

; #INTERNAL_USE_ONLY# ===========================================================================================================
; Name...........: EventLog_DecodeDesc
; Description ...: Decodes the description strings for an event record
; Syntax.........: EventLog_DecodeDesc ( $tEventLog )
; Parameters ....: $tEventLog - tagEVENTLOGRECORD structure
; Return values .: Success - Description
; Author ........: Paul Campbell (PaulIA)
; Modified.......: Gary Frost (gafrost)
; Remarks .......: This function is used internally
; Related .......:
; Link ..........:
; Example .......:
; ===============================================================================================================================
Func EventLog_DecodeDesc($tEventLog)

Local $aStrings = EventLog_DecodeStrings($tEventLog)
Local $sSource = EventLog_DecodeSource($tEventLog)
Local $iEventID = DllStructGetData($tEventLog, "EventID")
Local $sKey = "HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\" & $g_sSourceName_Event & "\" & $sSource
Local $aMsgDLL = StringSplit(_WinAPI_ExpandEnvironmentStrings(RegRead($sKey, "EventMessageFile")), ";")

Local $iFlags = BitOR($EVENTLOG_FORMAT_MESSAGE_FROM_HMODULE, $EVENTLOG_FORMAT_MESSAGE_IGNORE_INSERTS)
Local $sDesc = ""
For $iI = 1 To $aMsgDLL[0]

Local $hDLL = _WinAPI_LoadLibraryEx($aMsgDLL[$iI], $EVENTLOG_LOAD_LIBRARY_AS_DATAFILE)
If $hDLL = 0 Then ContinueLoop
Local $tBuffer = DllStructCreate("wchar Text[4096]")
_WinAPI_FormatMessage($iFlags, $hDLL, $iEventID, 0, $tBuffer, 4096, 0)
_WinAPI_FreeLibrary($hDLL)
$sDesc &= DllStructGetData($tBuffer, "Text")

Next

If $sDesc = "" Then

For $iI = 1 To $aStrings[0]

$sDesc &= $aStrings[$iI]

Next

Else

Local $sDescTEST=$sDesc
if $aStrings[0] > 9 Then msgbox(0,"INSERTION TEMPLATE BROKEN",$sDesc);ADDED TO SHOW PROBLEM
For $iI = 1 To $aStrings[0]

$sDesc = StringReplace($sDesc, "%" & $iI, $aStrings[$iI]);CHANGE TO $sDesc = StringReplace($sDesc, "%" & $iI, $aStrings[$iI],1) to fix

if $aStrings[0] > 9 and $iI <2 or $iI = $aStrings[0] Then msgbox(0,"INSERTION TEMPLATE BROKEN",$sDesc);ADDED TO SHOW PROBLEM
Next

if $aStrings[0] > 9 Then msgbox(0,"INSERTION TEMPLATE FIXED",$sDescTEST);ADDED TO SHOW PROBLEM

For $iI = 1 To $aStrings[0]

$sDescTEST = StringReplace($sDescTEST, "%" & $iI, $aStrings[$iI],1);CHANGED FROM $sDesc = StringReplace($sDesc, "%" & $iI, $aStrings[$iI])

if $aStrings[0] > 9 and $iI <2 or $iI = $aStrings[0] Then msgbox(0,"INSERTION TEMPLATE FIXED",$sDescTEST);ADDED TO SHOW PROBLEM
Next

EndIf
Return StringStripWS($sDesc, $STR_STRIPLEADING + $STR_STRIPTRAILING)

EndFunc ;==>EventLog_DecodeDesc

; #INTERNAL_USE_ONLY# ===========================================================================================================
; Name...........: EventLog_DecodeEventID
; Description ...: Decodes an event ID for an event record
; Syntax.........: EventLog_DecodeEventID ( $tEventLog )
; Parameters ....: $tEventLog - tagEVENTLOGRECORD structure
; Return values .: Success - Event ID
; Author ........: Paul Campbell (PaulIA)
; Modified.......: Gary Frost (gafrost)
; Remarks .......: This function is used internally
; Related .......:
; Link ..........:
; Example .......:
; ===============================================================================================================================
Func EventLog_DecodeEventID($tEventLog)

Return BitAND(DllStructGetData($tEventLog, "EventID"), 0x7FFF)

EndFunc ;==>EventLog_DecodeEventID

; #INTERNAL_USE_ONLY# ===========================================================================================================
; Name...........: EventLog_DecodeSource
; Description ...: Decodes the event source from an event log record
; Syntax.........: EventLog_DecodeSource ( $tEventLog )
; Parameters ....: $tEventLog - tagEVENTLOGRECORD structure
; Return values .: Success - Source name
; Author ........: Paul Campbell (PaulIA)
; Modified.......: Gary Frost (gafrost)
; Remarks .......: This function is used internally
; Related .......:
; Link ..........:
; Example .......:
; ===============================================================================================================================
Func EventLog_DecodeSource($tEventLog)

Local $pEventLog = DllStructGetPtr($tEventLog)
; The buffer length doesn't need to extend past UserSidOffset since
; the string appears before that.
Local $iLength = DllStructGetData($tEventLog, "UserSidOffset") - 1
; This points to the start of the variable length data.
Local $iOffset = DllStructGetSize($tEventLog)
; Adjust the length to be a difference instead of absolute address.
$iLength -= $iOffset
; Initialize the buffer to the start of the variable length data
Local $tBuffer = DllStructCreate("wchar Text& $iLength &?", $pEventLog + $iOffset)
Return DllStructGetData($tBuffer, "Text")

EndFunc ;==>EventLog_DecodeSource

; #INTERNAL_USE_ONLY# ===========================================================================================================
; Name...........: EventLog_DecodeStrings
; Description ...: Decodes the insertion strings from an event log record
; Syntax.........: EventLog_DecodeStrings ( $tEventLog )
; Parameters ....: $tEventLog - tagEVENTLOGRECORD structure
; Return values .: Success - Array with the following format:
; |[0] - Number of strings in array
; |[1] - String 1
; |[2] - String 2
; |[n] - String n
; Author ........: Paul Campbell (PaulIA)
; Modified.......: Gary Frost (gafrost)
; Remarks .......: This function is used internally
; Related .......:
; Link ..........:
; Example .......:
; ===============================================================================================================================
Func EventLog_DecodeStrings($tEventLog)

Local $pEventLog = DllStructGetPtr($tEventLog)
Local $iNumStrs = DllStructGetData($tEventLog, "NumStrings")
Local $iOffset = DllStructGetData($tEventLog, "StringOffset")
; The data offset is used to calculate buffer sizes.
Local $iDataOffset = DllStructGetData($tEventLog, "DataOffset")
Local $tBuffer = DllStructCreate("wchar Text& $iDataOffset - $iOffset &?", $pEventLog + $iOffset)

Local $aStrings[$iNumStrs + 1]
$aStrings[0] = $iNumStrs
For $iI = 1 To $iNumStrs

$aStrings[$iI] = DllStructGetData($tBuffer, "Text")
$iOffset += 2 * (StringLen($aStrings[$iI]) + 1)
$tBuffer = DllStructCreate("wchar Text& $iDataOffset - $iOffset &?", $pEventLog + $iOffset)

Next
Return $aStrings

EndFunc ;==>EventLog_DecodeStrings

; #INTERNAL_USE_ONLY# ===========================================================================================================
; Name...........: EventLog_DecodeTime
; Description ...: Converts an event log time to a date time
; Syntax.........: EventLog_DecodeTime ( $iEventTime )
; Parameters ....: $iEventTime - Event log time to be converted
; Return values .: Success - Time string in the format of hh:mm:ss am/pm
; Author ........: Paul Campbell (PaulIA)
; Modified.......: Gary Frost (gafrost)
; Remarks .......: This function is used internally
; Related .......:
; Link ..........:
; Example .......:
; ===============================================================================================================================
Func EventLog_DecodeTime($iEventTime)

Local $tInt64 = DllStructCreate("int64")
Local $pInt64 = DllStructGetPtr($tInt64)
Local $tFileTime = DllStructCreate($tagFILETIME, $pInt64)
DllStructSetData($tInt64, 1, ($iEventTime * 10000000) + 116444736000000000)
Local $tLocalTime = _Date_Time_FileTimeToLocalFileTime($tFileTime)
Local $tSystTime = _Date_Time_FileTimeToSystemTime($tLocalTime)
Local $iHours = DllStructGetData($tSystTime, "Hour")
Local $iMinutes = DllStructGetData($tSystTime, "Minute")
Local $iSeconds = DllStructGetData($tSystTime, "Second")
Local $sAMPM = "AM"
If $iHours < 12 Then

If $iHours = 0 Then

$iHours = 12

EndIf

Else

$sAMPM = "PM"
If $iHours > 12 Then

$iHours -= 12

EndIf

EndIf
Return StringFormat("%02d:%02d:%02d %s", $iHours, $iMinutes, $iSeconds, $sAMPM)

EndFunc ;==>EventLog_DecodeTime

; #INTERNAL_USE_ONLY# ===========================================================================================================
; Name...........: EventLog_DecodeTypeStr
; Description ...: Decodes an event type to an event string
; Syntax.........: EventLog_DecodeTypeStr ( $iEventType )
; Parameters ....: $iEventType - Event type
; Return values .: Success - String indicating the event type
; Failure - Unknown event type ID
; Author ........: Paul Campbell (PaulIA)
; Modified.......:
; Remarks .......: This function is used internally
; Related .......:
; Link ..........:
; Example .......:
; ===============================================================================================================================
Func EventLog_DecodeTypeStr($iEventType)

Select

Case $iEventType = $EVENTLOG_SUCCESS

Return "Success"

Case $iEventType = $EVENTLOG_ERROR_TYPE

Return "Error"

Case $iEventType = $EVENTLOG_WARNING_TYPE

Return "Warning"

Case $iEventType = $EVENTLOG_INFORMATION_TYPE

Return "Information"

Case $iEventType = $EVENTLOG_AUDIT_SUCCESS

Return "Success audit"

Case $iEventType = $EVENTLOG_AUDIT_FAILURE

Return "Failure audit"

Case Else

Return $iEventType

EndSelect

EndFunc ;==>EventLog_DecodeTypeStr

; #INTERNAL_USE_ONLY# ===========================================================================================================
; Name...........: EventLog_DecodeUserName
; Description ...: Decodes the user name from an event log record
; Syntax.........: EventLog_DecodeUserName ( $tEventLog )
; Parameters ....: $tEventLog - tagEVENTLOGRECORD structure
; Return values .: Success - User name
; Author ........: Paul Campbell (PaulIA)
; Modified.......: Gary Frost (gafrost)
; Remarks .......: This function is used internally
; Related .......:
; Link ..........:
; Example .......:
; ===============================================================================================================================
Func EventLog_DecodeUserName($tEventLog)

Local $pEventLog = DllStructGetPtr($tEventLog)
If DllStructGetData($tEventLog, "UserSidLength") = 0 Then Return ""
Local $pAcctSID = $pEventLog + DllStructGetData($tEventLog, "UserSidOffset")
Local $aAcctInfo = _SecurityLookupAccountSid($pAcctSID)
If IsArray($aAcctInfo) Then Return $aAcctInfo[1]
Return

EndFunc ;==>EventLog_DecodeUserName

; #FUNCTION# ====================================================================================================================
; Author ........: Paul Campbell (PaulIA)
; Modified.......: Gary Frost (gafrost)
; ===============================================================================================================================
Func _EventLogDeregisterSource($hEventLog)

Local $aResult = DllCall("advapi32.dll", "bool", "DeregisterEventSource", "handle", $hEventLog)
If @error Then Return SetError(@error, @extended, False)
Return $aResult[0] <> 0

EndFunc ;==>_EventLogDeregisterSource

; #FUNCTION# ====================================================================================================================
; Author ........: Paul Campbell (PaulIA)
; Modified.......: Gary Frost (gafrost)
; ===============================================================================================================================
Func _EventLogFull($hEventLog)

Local $aResult = DllCall("advapi32.dll", "bool", "GetEventLogInformation", "handle", $hEventLog, "dword", 0, "dword*", 0, "dword", 4, "dword*", 0)
If @error Then Return SetError(@error, @extended, False)
Return $aResult[3] <> 0

EndFunc ;==>_EventLogFull

; #FUNCTION# ====================================================================================================================
; Author ........: Paul Campbell (PaulIA)
; Modified.......: Gary Frost (gafrost)
; ===============================================================================================================================
Func _EventLogNotify($hEventLog, $hEvent)

Local $aResult = DllCall("advapi32.dll", "bool", "NotifyChangeEventLog", "handle", $hEventLog, "handle", $hEvent)
If @error Then Return SetError(@error, @extended, False)
Return $aResult[0] <> 0

EndFunc ;==>_EventLogNotify

; #FUNCTION# ====================================================================================================================
; Author ........: Paul Campbell (PaulIA)
; Modified.......: Gary Frost (gafrost)
; ===============================================================================================================================
Func _EventLogOldest($hEventLog)

Local $aResult = DllCall("advapi32.dll", "bool", "GetOldestEventLogRecord", "handle", $hEventLog, "dword*", 0)
If @error Then Return SetError(@error, @extended, 0)
Return $aResult[2]

EndFunc ;==>_EventLogOldest

; #FUNCTION# ====================================================================================================================
; Author ........: Paul Campbell (PaulIA)
; Modified.......: Gary Frost (gafrost)
; ===============================================================================================================================
Func _EventLogOpen($sServerName, $sSourceName)

$g_sSourceName_Event = $sSourceName
Local $aResult = DllCall("advapi32.dll", "handle", "OpenEventLogW", "wstr", $sServerName, "wstr", $sSourceName)
If @error Then Return SetError(@error, @extended, 0)
Return $aResult[0]

EndFunc ;==>_EventLogOpen

; #FUNCTION# ====================================================================================================================
; Author ........: Paul Campbell (PaulIA)
; Modified.......: Gary Frost (gafrost)
; ===============================================================================================================================
Func _EventLogOpenBackup($sServerName, $sFileName)

Local $aResult = DllCall("advapi32.dll", "handle", "OpenBackupEventLogW", "wstr", $sServerName, "wstr", $sFileName)
If @error Then Return SetError(@error, @extended, 0)
Return $aResult[0]

EndFunc ;==>_EventLogOpenBackup

; #FUNCTION# ====================================================================================================================
; Author ........: Paul Campbell (PaulIA)
; Modified.......: Gary Frost (gafrost)
; ===============================================================================================================================
Func _EventLogRead($hEventLog, $bRead = True, $bForward = True, $iOffset = 0)

Local $iReadFlags, $aEvent[15]
$aEvent[0] = False; in cas of error

If $bRead Then

$iReadFlags = $EVENTLOG_SEQUENTIAL_READ

Else

$iReadFlags = $EVENTLOG_SEEK_READ

EndIf
If $bForward Then

$iReadFlags = BitOR($iReadFlags, $EVENTLOG_FORWARDS_READ)

Else

$iReadFlags = BitOR($iReadFlags, $EVENTLOG_BACKWARDS_READ)

EndIf

; First call gets the size for the buffer. A fake buffer is passed because
; the function demands the buffer be non-NULL even when requesting the size.
Local $tBuffer = DllStructCreate("wchar[1]")
Local $aResult = DllCall("advapi32.dll", "bool", "ReadEventLogW", "handle", $hEventLog, "dword", $iReadFlags, "dword", $iOffset, _

"struct*", $tBuffer, "dword", 0, "dword*", 0, "dword*", 0)

If @error Then Return SetError(@error, @extended, $aEvent)

; Allocate the buffer and repeat the call obtaining the information.
Local $iBytesMin = $aResult[7]
$tBuffer = DllStructCreate("wchar& $iBytesMin + 1 &?")
$aResult = DllCall("advapi32.dll", "bool", "ReadEventLogW", "handle", $hEventLog, "dword", $iReadFlags, "dword", $iOffset, _

"struct*", $tBuffer, "dword", $iBytesMin, "dword*", 0, "dword*", 0)

If @error Or Not $aResult[0] Then Return SetError(@error, @extended, $aEvent)

Local $tEventLog = DllStructCreate($tagEVENTLOGRECORD, DllStructGetPtr($tBuffer))
$aEvent[0] = True
$aEvent[1] = DllStructGetData($tEventLog, "RecordNumber")
$aEvent[2] = EventLog_DecodeDate(DllStructGetData($tEventLog, "TimeGenerated"))
$aEvent[3] = EventLog_DecodeTime(DllStructGetData($tEventLog, "TimeGenerated"))
$aEvent[4] = EventLog_DecodeDate(DllStructGetData($tEventLog, "TimeWritten"))
$aEvent[5] = EventLog_DecodeTime(DllStructGetData($tEventLog, "TimeWritten"))
$aEvent[6] = EventLog_DecodeEventID($tEventLog)
$aEvent[7] = DllStructGetData($tEventLog, "EventType")
$aEvent[8] = EventLog_DecodeTypeStr(DllStructGetData($tEventLog, "EventType"))
$aEvent[9] = EventLog_DecodeCategory($tEventLog)
$aEvent[10] = EventLog_DecodeSource($tEventLog)
$aEvent[11] = EventLog_DecodeComputer($tEventLog)
$aEvent[12] = EventLog_DecodeUserName($tEventLog)
$aEvent[13] = EventLog_DecodeDesc($tEventLog)
$aEvent[14] = EventLog_DecodeData($tEventLog)
Return $aEvent

EndFunc ;==>_EventLogRead

; #FUNCTION# ====================================================================================================================
; Author ........: Paul Campbell (PaulIA)
; Modified.......: Gary Frost (gafrost)
; ===============================================================================================================================
Func _EventLogRegisterSource($sServerName, $sSourceName)

$g_sSourceName_Event = $sSourceName
Local $aResult = DllCall("advapi32.dll", "handle", "RegisterEventSourceW", "wstr", $sServerName, "wstr", $sSourceName)
If @error Then Return SetError(@error, @extended, 0)
Return $aResult[0]

EndFunc ;==>_EventLogRegisterSource

; #FUNCTION# ====================================================================================================================
; Author ........: Paul Campbell (PaulIA)
; Modified.......: Gary Frost (gafrost)
; ===============================================================================================================================
Func _EventLogReport($hEventLog, $iType, $iCategory, $iEventID, $sUserName, $sDesc, $aData)

Local $tSID = 0

If $sUserName <> "" Then

$tSID = _SecurityGetAccountSid($sUserName)

EndIf

Local $iData = $aData[0]
Local $tData = DllStructCreate("byte& $iData &?")
Local $iDesc = StringLen($sDesc) + 1
Local $tDesc = DllStructCreate("wchar& $iDesc &?")
Local $tPtr = DllStructCreate("ptr")
DllStructSetData($tPtr, 1, DllStructGetPtr($tDesc))
DllStructSetData($tDesc, 1, $sDesc)
For $iI = 1 To $iData

DllStructSetData($tData, 1, $aData[$iI], $iI)

Next
Local $aResult = DllCall("advapi32.dll", "bool", "ReportEventW", "handle", $hEventLog, "word", $iType, "word", $iCategory, _

"dword", $iEventID, "struct*", $tSID, "word", 1, "dword", $iData, "struct*", $tPtr, "struct*", $tData)

If @error Then Return SetError(@error, @extended, False)
Return $aResult[0] <> 0

EndFunc ;==>_EventLogReport

;++++++++++++++++++++++++END OF INCLUDE

Example()

Func Example()

Local Const $GUI_EVENT_CLOSE = -3

Local Const $WS_VSCROLL = 0x00200000

Local $hEventLog, $aEvent

; Create GUI
GUICreate("EventLog", 400, 300)

Local $idMemo = GUICtrlCreateEdit("", 2, 2, 396, 300,$WS_VSCROLL)

GUICtrlSetFont($idMemo, 9, 400, 0, "Courier New")
GUISetState(@SW_SHOW)

Local $i=0

; Read most current event record
$hEventLog = _EventLogOpen("", "Security")
Do

$aEvent = _EventLogRead($hEventLog, True, False)

$i+=1

; $hEventLog = _EventLogOpen("", "System")

; $aEvent = _EventLogRead($hEventLog)
; $aEvent = _EventLogRead($hEventLog, True, False)

; MemoWrite($idMemo,"Result ............: " & $aEvent[0])
; MemoWrite($idMemo,"Record number .....: " & $aEvent[1])
; MemoWrite($idMemo,"Submitted .........: " & $aEvent[2] & " " & $aEvent[3])
; MemoWrite($idMemo,"Generated .........: " & $aEvent[4] & " " & $aEvent[5])
; MemoWrite($idMemo,"Event ID ..........: " & $aEvent[6])
; MemoWrite($idMemo,"Type ..............: " & $aEvent[8])
; MemoWrite($idMemo,"Category ..........: " & $aEvent[9])
; MemoWrite($idMemo,"Source ............: " & $aEvent[10])
; MemoWrite($idMemo,"Computer ..........: " & $aEvent[11])
; MemoWrite($idMemo,"Username ..........: " & $aEvent[12])
; MemoWrite($idMemo,"Description .......: " & $aEvent[13])
Until $i=_EventLogCount ( $hEventLog )-1
_EventLogClose($hEventLog)

Do

; Loop until the user exits.

Until GUIGetMsg() = $GUI_EVENT_CLOSE or $i=10

EndFunc ;==>Example

; Write a line to the memo control
Func MemoWrite($idMemo,$sMessage)

GUICtrlSetData($idMemo, $sMessage & @CRLF, 1)

EndFunc ;==>MemoWrite

Version 0, edited 9 years ago by anonymous (next)

comment:3 Changed 9 years ago by Melba23

Like you I have access to the various functions involved, thanks, so there was no need to paste all that code.

What I wanted was a copy of a $sDesc variable from inside the EventLog_DecodeDesc function which gives you the problem. When I run the example code in the Help file on my machine $sDesc is an empty string, so I get no indication of how it might be delimited and therefore cannot work out a suitable RegEx pattern to replace the various elements.

So what I would like you to do is post an example of a $sDesc variable that includes some of these %1, %10, %11 etc.

M23

comment:4 Changed 9 years ago by anonymous

The code supplied was changed to illustrate the issue hence the reason I pasted it all, The example function was changed to only bring up the proper data source.

Here is a sample of the template string:

The Windows Filtering Platform has blocked a connection.

Application Information:

Process ID: %1
Application Name: %2

Network Information:

Direction: %3
Source Address: %4
Source Port: %5
Destination Address: %6
Destination Port: %7
Protocol: %8

Filter Information:

Filter Run-Time ID: %9
Layer Name: %10
Layer Run-Time ID: %11

<-----------------------------------------------------
After The first Replacement:

Application Information:

Process ID: 524
Application Name: %2

Network Information:

Direction: %3
Source Address: %4
Source Port: %5
Destination Address: %6
Destination Port: %7
Protocol: %8

Filter Information:

Filter Run-Time ID: %9
Layer Name: 5240
Layer Run-Time ID: 5241

<----------------------------------------------
Here is the $desc after replacement:

The Windows Filtering Platform has blocked a connection.

Application Information:

Process ID: 524
Application Name: \device\harddiskvolume11\windows\system32\svchost.exe

Network Information:

Direction: %%14592
Source Address: 255.255.255.255
Source Port: 67
Destination Address: 0.0.0.0
Destination Port: 68
Protocol: 0

Filter Information:

Filter Run-Time ID: 70589
Layer Name: 5240
Layer Run-Time ID: 5241

<-----------------------------------------------
Here is the Array of Strings: (0 holds count)

The Windows Filtering Platform has blocked a connection.

Application Information:

Process ID: 524
Application Name: \device\harddiskvolume11\windows\system32\svchost.exe

Network Information:

Direction: %%14592
Source Address: 255.255.255.255
Source Port: 67
Destination Address: 0.0.0.0
Destination Port: 68
Protocol: 0

Filter Information:

Filter Run-Time ID: 70589
Layer Name: 5240
Layer Run-Time ID: 5241

<-----------------------------------------------
AND. Finally after the fix this is the returned $Desc

The Windows Filtering Platform has blocked a connection.

Application Information:

Process ID: 524
Application Name: \device\harddiskvolume11\windows\system32\svchost.exe

Network Information:

Direction: %%14592
Source Address: 255.255.255.255
Source Port: 67
Destination Address: 0.0.0.0
Destination Port: 68
Protocol: 0

Filter Information:

Filter Run-Time ID: 70589
Layer Name: %%14610
Layer Run-Time ID: 44

<------------------------------------------------

Also note the Strings %%14592 and %%14610 I plan on fixing this in the next few days, as far as I can tell it needs to call FormatMessage with those ID's to fill these type of strings

comment:5 Changed 9 years ago by anonymous

Sorry here is the array of strings (0 Denotes Count):

13
524
\device\harddiskvolume11\windows\system32\svchost.exe
%%14592
255.255.255.255
67
0.0.0.0
68
0
70589
%%14610
44
S-1-0-0
S-1-0-0

comment:6 Changed 9 years ago by anonymous

Here is the fuction with code for insertion on %% placeholders

Func EventLog_DecodeDesc($tEventLog)

Local $aStrings = EventLog_DecodeStrings($tEventLog)
Local $sSource = EventLog_DecodeSource($tEventLog)
Local $iEventID = DllStructGetData($tEventLog, "EventID")
Local $sKey = "HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\" & $g_sSourceName_Event & "\" & $sSource
Local $aMsgDLL = StringSplit(_WinAPI_ExpandEnvironmentStrings(RegRead($sKey, "EventMessageFile")), ";")

Local $iFlags = BitOR($EVENTLOG_FORMAT_MESSAGE_FROM_HMODULE, $EVENTLOG_FORMAT_MESSAGE_IGNORE_INSERTS)
Local $sDesc = ""
For $iI = 1 To $aMsgDLL[0]

Local $hDLL = _WinAPI_LoadLibraryEx($aMsgDLL[$iI], $EVENTLOG_LOAD_LIBRARY_AS_DATAFILE)
If $hDLL = 0 Then ContinueLoop
Local $tBuffer = DllStructCreate("wchar Text[4096]")
_WinAPI_FormatMessage($iFlags, $hDLL, $iEventID, 0, $tBuffer, 4096, 0)
_WinAPI_FreeLibrary($hDLL)
$sDesc &= DllStructGetData($tBuffer, "Text")

Next
;ADDED Source\Source\ParameterMessageFile for %% insertion place holders
$sKey = "HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\" & $g_sSourceName_Event & "\" & $g_sSourceName_Event
$aMsgDLL = StringSplit(_WinAPI_ExpandEnvironmentStrings(RegRead($sKey, "ParameterMessageFile")), ";")

For $iI = 1 To $aMsgDLL[0]

$hDLL = _WinAPI_LoadLibraryEx($aMsgDLL[$iI], $EVENTLOG_LOAD_LIBRARY_AS_DATAFILE)
If $hDLL <> 0 Then

For $iJ = 1 To $aStrings[0] ;Added to parse secondary replacements

Local $tBuffer = DllStructCreate("wchar Text[4096]")
If StringInStr($aStrings[$iJ], "%%") Then

_WinAPI_FormatMessage($iFlags, $hDLL, Int(StringTrimLeft($aStrings[$iJ], 2)), 0, $tBuffer, 4096, 0)
If @error = 0 Then $aStrings[$iJ] = DllStructGetData($tBuffer, "Text")

EndIf

Next
_WinAPI_FreeLibrary($hDLL)

EndIf

Next

If $sDesc = "" Then

For $iI = 1 To $aStrings[0]

$sDesc &= $aStrings[$iI]

Next

Else

For $iI = 1 To $aStrings[0]

$sDesc = StringReplace($sDesc, "%" & $iI, $aStrings[$iI], 1);Fixed

Next

EndIf
Return StringStripWS($sDesc, $STR_STRIPLEADING + $STR_STRIPTRAILING)

EndFunc ;==>EventLog_DecodeDesc

comment:7 Changed 7 years ago by Jos

  • Milestone set to 3.3.15.1
  • Owner set to Jos
  • Resolution set to Fixed
  • Status changed from new to closed

Fixed by revision [11939] in version: 3.3.15.1

comment:8 Changed 7 years ago by Jon

  • Milestone changed from 3.3.15.1 to 3.3.14.3
  • Owner changed from Jos to Jon

Fixed by revision [11942] in version: 3.3.14.3

Guidelines for posting comments:

  • You cannot re-open a ticket but you may still leave a comment if you have additional information to add.
  • In-depth discussions should take place on the forum.

For more information see the full version of the ticket guidelines here.

Add Comment

Modify Ticket

Action
as closed The owner will remain Jon.
Author


E-mail address and user name can be saved in the Preferences.

AttachmentsDescription
 
Note: See TracTickets for help on using tickets.