eventlogthreads.c

读系统日志,功能强大哟

#include "EventLogThreads.h"
#include "_Constants.h"
#include "_GlobalVars.h"
#include "_Utils.h"
#include "SysMain.h"
#include "resource.h"
#include <ctype.h>

#define MAX_MSG_LENGTH 1024

unsigned int __stdcall 
FillEventLogList(LPVOID lpParam)
{
	EVENTLOGFILTER *pelf = 0;
	int nRetVal = 0;
	HWND hParentWnd = 0, hwndDlg = 0, hwndLV = 0, hwndProgr = 0;
	HANDLE hEventLog = 0;
	DWORD dwEventLogRecords = 0, dwOldestEventLogRecord = 0, dwEvLogCounter = 0, dwNumberOfBytesToRead = 0, 
		dwBytesRead = 0, dwMinNumberOfBytesNeeded = 0, dwCancel = 0, dwClose = 0;
	LPVOID lpEventLogRecordBuffer = 0;
	TCHAR chFakeBuffer;
	BOOL bRetVal = FALSE;
	BOOL fExit = FALSE;
	UINT uStep = 0, uStepAt = 0, uPos = 0, uOffset = 0;
	TCHAR lpUNCServerName[_MAX_PATH + 1], lpszEventLogSourceName[_MAX_PATH + 1], lpszErrMsg[1024];

	// get thread parameter structure address...
	pelf = (EVENTLOGFILTER *)lpParam;
	// ...and retrieve the appropriate handles
	hwndDlg	= pelf->hwndDlg;
	hwndLV	= pelf->hwndLV;
	hwndProgr = pelf->hwndProgr;

	// get parent window...
	hParentWnd = GetParent(hwndDlg);
	// ...and set user data to 1 (the window has thread running) - will be reset to 0 when thread will terminate
	SetWindowLong(hParentWnd, GWL_USERDATA, (LONG)pelf); 

	// resize dialog
	MDIChild_ResizeDlg(hwndDlg, TRUE);

	// format UNC machine name to work with
	wsprintf(lpUNCServerName, _T("\\\\%s"), pelf->lpszComputerName);

	// establish what kind of event log section will show the list
	if(g_fApplication)
		_tcscpy(lpszEventLogSourceName, _T("Application"));				//	APPLICATION
	else if(g_fSystem)
		_tcscpy(lpszEventLogSourceName, _T("System"));					//	SYSTEM
	else if(g_fSecurity)
		_tcscpy(lpszEventLogSourceName, _T("Security"));				//	SECURITY
	else if(g_fCustom)
		_tcscpy(lpszEventLogSourceName, pelf->lpszCustomEventFileName);	//	CUSTOM
	else
	{
		nRetVal = -1;
		goto _cleanup_;
	}

	dwCancel = WaitForSingleObject(pelf->hCancelEvent, 0);
	dwClose = WaitForSingleObject(pelf->hCloseEvent, 0);
	while(!fExit)
	{
		if(g_fCustom)
			hEventLog = OpenBackupEventLog((LPCTSTR)lpUNCServerName, (LPCTSTR)lpszEventLogSourceName);
		else
			hEventLog = OpenEventLog((LPCTSTR)lpUNCServerName, (LPCTSTR)lpszEventLogSourceName);

		if(hEventLog)
		{
			if(GetNumberOfEventLogRecords(hEventLog, &dwEventLogRecords) && 
				GetOldestEventLogRecord(hEventLog, &dwOldestEventLogRecord))
			{
				SendMessage(hwndProgr, PBM_SETRANGE, (WPARAM)0, (LPARAM)MAKELPARAM(0, 100));
				uStepAt = (dwEventLogRecords / 100) + 1;

				for(dwEvLogCounter = dwOldestEventLogRecord; 
					dwEvLogCounter < (dwOldestEventLogRecord + dwEventLogRecords); 
					dwEvLogCounter++)
				{
					uStep++;
					if(uStep % uStepAt == 0)
						hwndProgr && SendMessage(hwndProgr, PBM_SETPOS, (WPARAM)++uPos, 0);

					dwCancel = WaitForSingleObject(pelf->hCancelEvent, 0);
					if(dwCancel == WAIT_OBJECT_0)
						goto _canceled_;
					dwClose = WaitForSingleObject(pelf->hCloseEvent, 0);
					if(dwClose == WAIT_OBJECT_0)
						goto _close_;

					lpEventLogRecordBuffer		= (LPVOID)&chFakeBuffer;
					dwNumberOfBytesToRead		= 1;
					dwMinNumberOfBytesNeeded	= 1;

	_retry_:
					bRetVal = ReadEventLog(hEventLog, EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ, dwEvLogCounter, 
						lpEventLogRecordBuffer, dwNumberOfBytesToRead, &dwBytesRead, &dwMinNumberOfBytesNeeded);

					if(!bRetVal)
					{
						g_dwLastError = GetLastError();

						if(g_dwLastError == ERROR_INSUFFICIENT_BUFFER)
						{
							lpEventLogRecordBuffer = (LPVOID)GlobalAlloc(GPTR, dwMinNumberOfBytesNeeded);
							if(lpEventLogRecordBuffer == (void *)0)
								goto _allocationfailure_;

							dwNumberOfBytesToRead = dwMinNumberOfBytesNeeded;
							goto _retry_;
						}
						else
							goto _unknownerror_;
					}
					else
					{
						PEVENTLOGRECORD pELR = 0;
						TCHAR *lpszSourceName = 0, lpszUserName[_MAX_PATH + 1], *lpszComputerName = 0,
							lpszRefDomainName[_MAX_PATH + 1], *szSIDType = 0, *szSIDName = 0, sz2[32],
							*szExpandedString = 0, szSubmitTime[32], szWriteTime[32];
						DWORD dwSourceNameLen = 0, dwComputerNameLen = 0, cbName = _MAX_PATH + 1, 
							cbRefDomainName = _MAX_PATH + 1, dwSIDTypeLen = 0, dwSidSize = 0, dwEventTypeLen = 0;
						PSID pUserSID = 0;
						SID_NAME_USE _SidNameUse = (SID_NAME_USE)(SidTypeUser - 1);
						BOOL bRetVal = FALSE;
						LPBYTE pStrings = 0, pData = 0;
						UINT x = 0, uSize, uStringOffset, uStepOfString = 0, uImage = 0;

						pELR	= (PEVENTLOGRECORD)lpEventLogRecordBuffer;

						uOffset	= sizeof(EVENTLOGRECORD);
						lpszSourceName = (TCHAR *)GlobalAlloc(GPTR, (_MAX_PATH + 1) * sizeof(TCHAR));
						strcpy(lpszSourceName, (LPTSTR)((LPBYTE)pELR + uOffset));
						dwSourceNameLen = strlen(lpszSourceName);

						uOffset	+= strlen(lpszSourceName) + sizeof(TCHAR);
						lpszComputerName = (TCHAR *)GlobalAlloc(GPTR, (_MAX_PATH + 1) * sizeof(TCHAR));
						strcpy(lpszComputerName, (LPTSTR)((LPBYTE)pELR + uOffset));
						dwComputerNameLen = strlen(lpszComputerName);

						uOffset += strlen(lpszComputerName) + sizeof(TCHAR);

						dwSIDTypeLen = 32;
						szSIDType = (TCHAR *)GlobalAlloc(GPTR, (dwSIDTypeLen + 1) * sizeof(TCHAR));

						if(pELR->UserSidLength > 0)
						{
							pUserSID = (SID *)GlobalAlloc(GPTR, pELR->UserSidLength);
							memcpy(pUserSID, (PSID)((LPBYTE)pELR + pELR->UserSidOffset), pELR->UserSidLength);
							
							cbName = cbRefDomainName = _MAX_PATH + 1;
							*lpszRefDomainName = *lpszUserName = '\0';

							bRetVal = LookupAccountSid(0, pUserSID, 
								lpszUserName, &cbName, 
								lpszRefDomainName, &cbRefDomainName, 
								&_SidNameUse);

							if(bRetVal)
							{
								if(bRetVal)
								{
									dwSIDTypeLen = 32;
									GetNameUse(_SidNameUse, szSIDType, &dwSIDTypeLen);

									dwSidSize = (15 + 12 + (12 * (*GetSidSubAuthorityCount(pUserSID))) + 1) * sizeof(TCHAR);
									szSIDName = (TCHAR *)GlobalAlloc(GPTR, (dwSidSize + 1) * sizeof(TCHAR));
									ConvertSid(pUserSID, szSIDName, &dwSidSize); 
								}
								else
								{
									strcpy(lpszRefDomainName, "N/A");
									strcpy(lpszUserName, "N/A");
									strcpy(szSIDType, "N/A");
								}
							}
							else
							{
							}
						}
						else
						{
							strcpy(lpszRefDomainName, "N/A");
							strcpy(lpszUserName, "N/A");
							strcpy(szSIDType, "N/A");
						}

						uSize = 0, uStringOffset = pELR->StringOffset;
						uSize = pELR->DataOffset - pELR->StringOffset;

						// Strings
						if(uSize > 0)
						{
							pStrings = (LPBYTE)GlobalAlloc(GPTR, uSize * sizeof(BYTE));
							memcpy(pStrings, (LPBYTE)pELR + uStringOffset, uSize);

							//	Strings
							uStepOfString = 0;
							szExpandedString = (TCHAR *)GlobalAlloc(GPTR, (uSize + MAX_MSG_LENGTH) * sizeof(TCHAR));
							for(x = 0; x < pELR->NumStrings; x++)
							{
								if(x == 0)
								{
									strcpy(szExpandedString, (TCHAR *)pStrings + uStepOfString);
									if(x < (UINT)pELR->NumStrings - 1)
										strcat(szExpandedString, ",");
								}
								else
									strcat(szExpandedString, (TCHAR *)pStrings + uStepOfString);

								uStepOfString = strlen((TCHAR *)pStrings + uStepOfString) + 1;
							}
						}

						//	Data
						pData = (LPBYTE)GlobalAlloc(GPTR, pELR->DataLength * sizeof(BYTE));
						memcpy(pData, (LPBYTE)((LPBYTE)pELR + pELR->DataOffset), pELR->DataLength);

						dwEventTypeLen = 32;
						GetEventLogType(sz2, pELR->EventType, &dwEventTypeLen);
						GetEventLogImage(&uImage, pELR->EventType);

						lstrcpyn(szSubmitTime, asctime(localtime((time_t *)&(pELR->TimeGenerated))), 25);
						lstrcpyn(szWriteTime, asctime(localtime((time_t *)&(pELR->TimeWritten))), 25);

						InsertRowInList(hwndLV, 9, &dwEvLogCounter, 
							lpszSourceName, 
							lpszUserName, 
							szSIDName, 
							lpszRefDomainName, 
							sz2, uImage, 
							szSubmitTime, szWriteTime);

						SafeDeletePointer(pData, pELR->DataLength);
						SafeDeletePointer(szExpandedString, uSize); 
						SafeDeletePointer(pStrings, pELR->DataOffset - pELR->StringOffset);
						SafeDeletePointer(szSIDName, dwSidSize + 1);
						SafeDeletePointer(szSIDType, dwSIDTypeLen + 1);
						SafeDeletePointer(lpszSourceName, dwSourceNameLen);
						SafeDeletePointer(lpszComputerName, dwComputerNameLen);
						SafeDeletePointer(pUserSID, pELR->UserSidLength);
						SafeDeletePointer(lpEventLogRecordBuffer, dwNumberOfBytesToRead);
					}
				}

				goto _cleanup_;
			}
			else
				ReportLastError(0, 0, TRUE);

	_unknownerror_:
			ReportLastError(lpszErrMsg, 0, TRUE);
			goto _cleanup_;

	_allocationfailure_:
			LoadString(g_hInstance, IDS_ERR_ALLOCATIONFAILURE, lpszErrMsg, 1024);
			MessageBox(0, lpszErrMsg, 0, MB_OK | MB_ICONSTOP);
			goto _cleanup_;

	_canceled_:
			nRetVal = 1;
			goto _cleanup_;

	_close_:
			nRetVal = 2;
			goto _cleanup_;

	_cleanup_:
			fExit = TRUE;

			CloseEventLog(hEventLog);
			hEventLog = 0;
		}
		else
		{
			fExit = TRUE;
			ReportLastError(0, 0, TRUE);
		}
	}

	// final cleanup on dialog
	if(nRetVal != 2)
	{
		if(IsWindow(hwndDlg))
			MDIChild_ResizeDlg(hwndDlg, FALSE);
		if(IsWindow(hParentWnd))
			SetWindowLong(hParentWnd, GWL_USERDATA, (LONG)0);
	}

	CloseHandle(pelf->hCancelEvent);
	CloseHandle(pelf->hCloseEvent);

	GlobalFree(pelf);
	pelf = 0;

	return nRetVal;
}

int CALLBACK 
CompareItems(LPARAM lParam1, LPARAM lParam2, LPARAM lParamSort)
{
	int nIdx1	= (int)lParam1;
	int nIdx2	= (int)lParam2;
	
	int nRetVal = 0;
	
	DLGSORTDATA *pSortData	= (DLGSORTDATA *)lParamSort;