internal EventLogRecord(EventLogHandle handle, EventLogSession session, ProviderMetadataCachedInformation cachedMetadataInfo) {
this.cachedMetadataInformation = cachedMetadataInfo;
this.handle = handle;
this.session = session;
systemProperties = new NativeWrapper.SystemProperties();
syncObject = new object();
}
public EventLogSession(string server, string domain, string user, SecureString password, SessionAuthentication logOnType)
{
this.renderContextHandleSystem = EventLogHandle.Zero;
this.renderContextHandleUser = EventLogHandle.Zero;
this.handle = EventLogHandle.Zero;
EventLogPermissionHolder.GetEventLogPermission().Demand();
if (server == null)
{
server = "localhost";
}
this.syncObject = new object();
this.server = server;
this.domain = domain;
this.user = user;
this.logOnType = logOnType;
Microsoft.Win32.UnsafeNativeMethods.EvtRpcLogin login = new Microsoft.Win32.UnsafeNativeMethods.EvtRpcLogin {
Server = this.server,
User = this.user,
Domain = this.domain,
Flags = (int) this.logOnType,
Password = CoTaskMemUnicodeSafeHandle.Zero
};
try
{
if (password != null)
{
login.Password.SetMemory(Marshal.SecureStringToCoTaskMemUnicode(password));
}
this.handle = NativeWrapper.EvtOpenSession(Microsoft.Win32.UnsafeNativeMethods.EvtLoginClass.EvtRpcLogin, ref login, 0, 0);
}
finally
{
login.Password.Close();
}
}
public EventLogSession()
{
this.renderContextHandleSystem = EventLogHandle.Zero;
this.renderContextHandleUser = EventLogHandle.Zero;
this.handle = EventLogHandle.Zero;
EventLogPermissionHolder.GetEventLogPermission().Demand();
this.syncObject = new object();
}
public EventLogConfiguration(string logName, EventLogSession session)
{
if (session == null)
session = EventLogSession.GlobalSession;
_session = session;
_channelName = logName;
_handle = NativeWrapper.EvtOpenChannelConfig(_session.Handle, _channelName, 0);
}
public static void EvtSeek(
EventLogHandle resultSet,
long position,
EventLogHandle bookmark,
int timeout,
UnsafeNativeMethods.EvtSeekFlags flags) {
bool status = UnsafeNativeMethods.EvtSeek(resultSet, position, bookmark, timeout, flags);
int win32Error = Marshal.GetLastWin32Error();
if (!status)
EventLogException.Throw(win32Error);
}
public EventLogConfiguration(string logName, EventLogSession session)
{
this.handle = EventLogHandle.Zero;
EventLogPermissionHolder.GetEventLogPermission().Demand();
if (session == null)
{
session = EventLogSession.GlobalSession;
}
this.session = session;
this.channelName = logName;
this.handle = NativeWrapper.EvtOpenChannelConfig(this.session.Handle, this.channelName, 0);
}
internal void SetupSystemContext() {
EventLogPermissionHolder.GetEventLogPermission().Demand();
if (!this.renderContextHandleSystem.IsInvalid)
return;
lock (this.syncObject) {
if (this.renderContextHandleSystem.IsInvalid) {
//create the SYSTEM render context
//call the EvtCreateRenderContext to get the renderContextHandleSystem, so that we can get the system/values/user properties.
this.renderContextHandleSystem = NativeWrapper.EvtCreateRenderContext(0, null, UnsafeNativeMethods.EvtRenderContextFlags.EvtRenderContextSystem);
}
}
}
public static EventLogHandle EvtQuery(
EventLogHandle session,
string path,
string query,
int flags) {
if (s_platformNotSupported)
throw new System.PlatformNotSupportedException();
EventLogHandle handle = UnsafeNativeMethods.EvtQuery(session, path, query, flags);
int win32Error = Marshal.GetLastWin32Error();
if (handle.IsInvalid)
EventLogException.Throw(win32Error);
return handle;
}
internal EventLogInformation(EventLogSession session, string channelName, PathType pathType)
{
EventLogHandle logHandle = NativeWrapper.EvtOpenLog(session.Handle, channelName, pathType);
using (logHandle)
{
CreationTime = (DateTime?)NativeWrapper.EvtGetLogInfo(logHandle, UnsafeNativeMethods.EvtLogPropertyId.EvtLogCreationTime);
LastAccessTime = (DateTime?)NativeWrapper.EvtGetLogInfo(logHandle, UnsafeNativeMethods.EvtLogPropertyId.EvtLogLastAccessTime);
LastWriteTime = (DateTime?)NativeWrapper.EvtGetLogInfo(logHandle, UnsafeNativeMethods.EvtLogPropertyId.EvtLogLastWriteTime);
FileSize = (long?)((ulong?)NativeWrapper.EvtGetLogInfo(logHandle, UnsafeNativeMethods.EvtLogPropertyId.EvtLogFileSize));
Attributes = (int?)((uint?)NativeWrapper.EvtGetLogInfo(logHandle, UnsafeNativeMethods.EvtLogPropertyId.EvtLogAttributes));
RecordCount = (long?)((ulong?)NativeWrapper.EvtGetLogInfo(logHandle, UnsafeNativeMethods.EvtLogPropertyId.EvtLogNumberOfLogRecords));
OldestRecordNumber = (long?)((ulong?)NativeWrapper.EvtGetLogInfo(logHandle, UnsafeNativeMethods.EvtLogPropertyId.EvtLogOldestRecordNumber));
IsLogFull = (bool?)NativeWrapper.EvtGetLogInfo(logHandle, UnsafeNativeMethods.EvtLogPropertyId.EvtLogFull);
}
}
public string GetFormatDescription(string ProviderName, EventLogHandle eventHandle, string[] values)
{
lock (this)
{
ProviderMetadataId key = new ProviderMetadataId(ProviderName, CultureInfo.CurrentCulture);
ProviderMetadata pm = GetProviderMetadata(key);
try
{
return(NativeWrapper.EvtFormatMessageFormatDescription(pm.Handle, eventHandle, values));
}
catch (EventLogNotFoundException)
{
return(null);
}
}
}
// Setup the System Context, once for all the EventRecords.
internal void SetupSystemContext()
{
if (!this.renderContextHandleSystem.IsInvalid)
{
return;
}
lock (_syncObject)
{
if (this.renderContextHandleSystem.IsInvalid)
{
// Create the SYSTEM render context
// Call the EvtCreateRenderContext to get the renderContextHandleSystem, so that we can get the system/values/user properties.
this.renderContextHandleSystem = NativeWrapper.EvtCreateRenderContext(0, null, UnsafeNativeMethods.EvtRenderContextFlags.EvtRenderContextSystem);
}
}
}
public string GetFormatDescription(string ProviderName, EventLogHandle eventHandle)
{
lock (this)
{
ProviderMetadataId key = new ProviderMetadataId(ProviderName, CultureInfo.CurrentCulture);
try
{
ProviderMetadata pm = GetProviderMetadata(key);
return(NativeWrapper.EvtFormatMessageRenderName(pm.Handle, eventHandle, UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageEvent));
}
catch (EventLogNotFoundException)
{
return(null);
}
}
}
public string GetFormatDescription(string ProviderName, EventLogHandle eventHandle)
{
string str;
lock (this)
{
ProviderMetadataId key = new ProviderMetadataId(ProviderName, CultureInfo.CurrentCulture);
try
{
str = NativeWrapper.EvtFormatMessageRenderName(this.GetProviderMetadata(key).Handle, eventHandle, Microsoft.Win32.UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageEvent);
}
catch (EventLogNotFoundException)
{
str = null;
}
}
return str;
}
public EventLogReader(EventLogQuery eventQuery, EventBookmark bookmark)
{
if (eventQuery == null)
{
throw new ArgumentNullException("eventQuery");
}
string logfile = null;
if (eventQuery.ThePathType == PathType.FilePath)
{
logfile = eventQuery.Path;
}
this.cachedMetadataInformation = new ProviderMetadataCachedInformation(eventQuery.Session, logfile, 50);
this.eventQuery = eventQuery;
this.batchSize = 0x40;
this.eventsBuffer = new IntPtr[this.batchSize];
int flags = 0;
if (this.eventQuery.ThePathType == PathType.LogName)
{
flags |= 1;
}
else
{
flags |= 2;
}
if (this.eventQuery.ReverseDirection)
{
flags |= 0x200;
}
if (this.eventQuery.TolerateQueryErrors)
{
flags |= 0x1000;
}
EventLogPermissionHolder.GetEventLogPermission().Demand();
this.handle = NativeWrapper.EvtQuery(this.eventQuery.Session.Handle, this.eventQuery.Path, this.eventQuery.Query, flags);
EventLogHandle bookmarkHandleFromBookmark = EventLogRecord.GetBookmarkHandleFromBookmark(bookmark);
if (!bookmarkHandleFromBookmark.IsInvalid)
{
using (bookmarkHandleFromBookmark)
{
NativeWrapper.EvtSeek(this.handle, 1L, bookmarkHandleFromBookmark, 0, Microsoft.Win32.UnsafeNativeMethods.EvtSeekFlags.EvtSeekRelativeToBookmark);
}
}
}
internal ProviderMetadata(string providerName, EventLogSession session, CultureInfo targetCultureInfo, string logFilePath)
{
if (targetCultureInfo == null)
targetCultureInfo = CultureInfo.CurrentCulture;
if (session == null)
session = EventLogSession.GlobalSession;
_session = session;
_providerName = providerName;
_cultureInfo = targetCultureInfo;
_logFilePath = logFilePath;
_handle = NativeWrapper.EvtOpenProviderMetadata(_session.Handle, _providerName, _logFilePath, 0, 0);
_syncObject = new object();
}
public string GetFormatDescription(string ProviderName, EventLogHandle eventHandle, string[] values)
{
string str;
lock (this)
{
ProviderMetadataId key = new ProviderMetadataId(ProviderName, CultureInfo.CurrentCulture);
ProviderMetadata providerMetadata = this.GetProviderMetadata(key);
try
{
str = NativeWrapper.EvtFormatMessageFormatDescription(providerMetadata.Handle, eventHandle, values);
}
catch (EventLogNotFoundException)
{
str = null;
}
}
return str;
}
public string GetFormatDescription(string ProviderName, EventLogHandle eventHandle)
{
string str;
lock (this)
{
ProviderMetadataId key = new ProviderMetadataId(ProviderName, CultureInfo.CurrentCulture);
try
{
str = NativeWrapper.EvtFormatMessageRenderName(this.GetProviderMetadata(key).Handle, eventHandle, Microsoft.Win32.UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageEvent);
}
catch (EventLogNotFoundException)
{
str = null;
}
}
return(str);
}
public EventLogReader(EventLogQuery eventQuery, EventBookmark bookmark)
{
if (eventQuery == null)
{
throw new ArgumentNullException("eventQuery");
}
string logfile = null;
if (eventQuery.ThePathType == PathType.FilePath)
{
logfile = eventQuery.Path;
}
this.cachedMetadataInformation = new ProviderMetadataCachedInformation(eventQuery.Session, logfile, 50);
this.eventQuery = eventQuery;
this.batchSize = 0x40;
this.eventsBuffer = new IntPtr[this.batchSize];
int flags = 0;
if (this.eventQuery.ThePathType == PathType.LogName)
{
flags |= 1;
}
else
{
flags |= 2;
}
if (this.eventQuery.ReverseDirection)
{
flags |= 0x200;
}
if (this.eventQuery.TolerateQueryErrors)
{
flags |= 0x1000;
}
EventLogPermissionHolder.GetEventLogPermission().Demand();
this.handle = NativeWrapper.EvtQuery(this.eventQuery.Session.Handle, this.eventQuery.Path, this.eventQuery.Query, flags);
EventLogHandle bookmarkHandleFromBookmark = EventLogRecord.GetBookmarkHandleFromBookmark(bookmark);
if (!bookmarkHandleFromBookmark.IsInvalid)
{
using (bookmarkHandleFromBookmark)
{
NativeWrapper.EvtSeek(this.handle, 1L, bookmarkHandleFromBookmark, 0, Microsoft.Win32.UnsafeNativeMethods.EvtSeekFlags.EvtSeekRelativeToBookmark);
}
}
}
public IEnumerable <string> GetProviderNames()
{
EventLogPermissionHolder.GetEventLogPermission().Demand();
List <string> list = new List <string>(100);
using (EventLogHandle handle = NativeWrapper.EvtOpenProviderEnum(this.Handle, 0))
{
bool finish = false;
do
{
string item = NativeWrapper.EvtNextPublisherId(handle, ref finish);
if (!finish)
{
list.Add(item);
}
}while (!finish);
return(list);
}
}
internal ProviderMetadata(string providerName, EventLogSession session, CultureInfo targetCultureInfo, string logFilePath)
{
this.handle = EventLogHandle.Zero;
this.defaultProviderHandle = EventLogHandle.Zero;
EventLogPermissionHolder.GetEventLogPermission().Demand();
if (targetCultureInfo == null)
{
targetCultureInfo = CultureInfo.CurrentCulture;
}
if (session == null)
{
session = EventLogSession.GlobalSession;
}
this.session = session;
this.providerName = providerName;
this.cultureInfo = targetCultureInfo;
this.logFilePath = logFilePath;
this.handle = NativeWrapper.EvtOpenProviderMetadata(this.session.Handle, this.providerName, this.logFilePath, this.cultureInfo.LCID, 0);
this.syncObject = new object();
}
internal ProviderMetadata(string providerName, EventLogSession session, CultureInfo targetCultureInfo, string logFilePath)
{
this.handle = EventLogHandle.Zero;
this.defaultProviderHandle = EventLogHandle.Zero;
EventLogPermissionHolder.GetEventLogPermission().Demand();
if (targetCultureInfo == null)
{
targetCultureInfo = CultureInfo.CurrentCulture;
}
if (session == null)
{
session = EventLogSession.GlobalSession;
}
this.session = session;
this.providerName = providerName;
this.cultureInfo = targetCultureInfo;
this.logFilePath = logFilePath;
this.handle = NativeWrapper.EvtOpenProviderMetadata(this.session.Handle, this.providerName, this.logFilePath, this.cultureInfo.LCID, 0);
this.syncObject = new object();
}
public IEnumerable <string> GetLogNames()
{
List <string> namesList = new List <string>(100);
using (EventLogHandle channelEnum = NativeWrapper.EvtOpenChannelEnum(this.Handle, 0))
{
bool finish = false;
do
{
string s = NativeWrapper.EvtNextChannelPath(channelEnum, ref finish);
if (finish == false)
{
namesList.Add(s);
}
}while (finish == false);
return(namesList);
}
}
public IEnumerable <string> GetProviderNames()
{
List <string> namesList = new List <string>(100);
using (EventLogHandle ProviderEnum = NativeWrapper.EvtOpenProviderEnum(this.Handle, 0))
{
bool finish = false;
do
{
string s = NativeWrapper.EvtNextPublisherId(ProviderEnum, ref finish);
if (finish == false)
{
namesList.Add(s);
}
}while (finish == false);
return(namesList);
}
}
public EventLogPropertySelector(IEnumerable<string> propertyQueries)
{
string[] strArray;
EventLogPermissionHolder.GetEventLogPermission().Demand();
if (propertyQueries == null)
{
throw new ArgumentNullException("propertyQueries");
}
ICollection<string> is2 = propertyQueries as ICollection<string>;
if (is2 != null)
{
strArray = new string[is2.Count];
is2.CopyTo(strArray, 0);
}
else
{
strArray = new List<string>(propertyQueries).ToArray();
}
this.renderContextHandleValues = NativeWrapper.EvtCreateRenderContext(strArray.Length, strArray, Microsoft.Win32.UnsafeNativeMethods.EvtRenderContextFlags.EvtRenderContextValues);
}
public EventLogPropertySelector(IEnumerable <string> propertyQueries)
{
string[] strArray;
EventLogPermissionHolder.GetEventLogPermission().Demand();
if (propertyQueries == null)
{
throw new ArgumentNullException("propertyQueries");
}
ICollection <string> is2 = propertyQueries as ICollection <string>;
if (is2 != null)
{
strArray = new string[is2.Count];
is2.CopyTo(strArray, 0);
}
else
{
strArray = new List <string>(propertyQueries).ToArray();
}
this.renderContextHandleValues = NativeWrapper.EvtCreateRenderContext(strArray.Length, strArray, Microsoft.Win32.UnsafeNativeMethods.EvtRenderContextFlags.EvtRenderContextValues);
}
internal ProviderMetadata(string providerName, EventLogSession session, CultureInfo targetCultureInfo, string logFilePath)
{
if (targetCultureInfo == null)
{
targetCultureInfo = CultureInfo.CurrentCulture;
}
if (session == null)
{
session = EventLogSession.GlobalSession;
}
_session = session;
_providerName = providerName;
_cultureInfo = targetCultureInfo;
_logFilePath = logFilePath;
_handle = NativeWrapper.EvtOpenProviderMetadata(_session.Handle, _providerName, _logFilePath, 0, 0);
_syncObject = new object();
}
internal EventLogInformation(EventLogSession session, string channelName, PathType pathType)
{
EventLogPermissionHolder.GetEventLogPermission().Demand();
EventLogHandle handle = NativeWrapper.EvtOpenLog(session.Handle, channelName, pathType);
using (handle)
{
this.creationTime = (DateTime?)NativeWrapper.EvtGetLogInfo(handle, Microsoft.Win32.UnsafeNativeMethods.EvtLogPropertyId.EvtLogCreationTime);
this.lastAccessTime = (DateTime?)NativeWrapper.EvtGetLogInfo(handle, Microsoft.Win32.UnsafeNativeMethods.EvtLogPropertyId.EvtLogLastAccessTime);
this.lastWriteTime = (DateTime?)NativeWrapper.EvtGetLogInfo(handle, Microsoft.Win32.UnsafeNativeMethods.EvtLogPropertyId.EvtLogLastWriteTime);
long?nullable = (long?)NativeWrapper.EvtGetLogInfo(handle, Microsoft.Win32.UnsafeNativeMethods.EvtLogPropertyId.EvtLogFileSize);
this.fileSize = nullable.HasValue ? new long?(nullable.GetValueOrDefault()) : null;
int?nullable3 = (int?)NativeWrapper.EvtGetLogInfo(handle, Microsoft.Win32.UnsafeNativeMethods.EvtLogPropertyId.EvtLogAttributes);
this.fileAttributes = nullable3.HasValue ? new int?(nullable3.GetValueOrDefault()) : null;
long?nullable5 = (long?)NativeWrapper.EvtGetLogInfo(handle, Microsoft.Win32.UnsafeNativeMethods.EvtLogPropertyId.EvtLogNumberOfLogRecords);
this.recordCount = nullable5.HasValue ? new long?(nullable5.GetValueOrDefault()) : null;
long?nullable7 = (long?)NativeWrapper.EvtGetLogInfo(handle, Microsoft.Win32.UnsafeNativeMethods.EvtLogPropertyId.EvtLogOldestRecordNumber);
this.oldestRecordNumber = nullable7.HasValue ? new long?(nullable7.GetValueOrDefault()) : null;
this.isLogFull = (bool?)NativeWrapper.EvtGetLogInfo(handle, Microsoft.Win32.UnsafeNativeMethods.EvtLogPropertyId.EvtLogFull);
}
}
public EventLogPropertySelector(IEnumerable<string> propertyQueries)
{
if (propertyQueries == null)
throw new ArgumentNullException("propertyQueries");
string[] paths;
ICollection<string> coll = propertyQueries as ICollection<string>;
if (coll != null)
{
paths = new string[coll.Count];
coll.CopyTo(paths, 0);
}
else
{
List<string> queries;
queries = new List<string>(propertyQueries);
paths = queries.ToArray();
}
_renderContextHandleValues = NativeWrapper.EvtCreateRenderContext(paths.Length, paths, UnsafeNativeMethods.EvtRenderContextFlags.EvtRenderContextValues);
}
public EventLogPropertySelector(IEnumerable<string> propertyQueries) {
EventLogPermissionHolder.GetEventLogPermission().Demand();
if (propertyQueries == null)
throw new ArgumentNullException("propertyQueries");
string[] paths;
ICollection<string> coll = propertyQueries as ICollection<string>;
if (coll != null) {
paths = new string[coll.Count];
coll.CopyTo(paths, 0);
}
else {
List<string> queries;
queries = new List<string>(propertyQueries);
paths = queries.ToArray();
}
renderContextHandleValues = NativeWrapper.EvtCreateRenderContext(paths.Length, paths, UnsafeNativeMethods.EvtRenderContextFlags.EvtRenderContextValues);
}
public EventLogSession(string server, string domain, string user, SecureString password, SessionAuthentication logOnType)
{
EventLogPermissionHolder.GetEventLogPermission().Demand();
if (server == null)
{
server = "localhost";
}
syncObject = new object();
this.server = server;
this.domain = domain;
this.user = user;
this.logOnType = logOnType;
UnsafeNativeMethods.EvtRpcLogin erLogin = new UnsafeNativeMethods.EvtRpcLogin
{
Server = this.server,
User = this.user,
Domain = this.domain,
Flags = (int)this.logOnType,
Password = CoTaskMemUnicodeSafeHandle.Zero
};
try
{
if (password != null)
{
erLogin.Password.SetMemory(Marshal.SecureStringToCoTaskMemUnicode(password));
}
//open a session using the erLogin structure.
handle = NativeWrapper.EvtOpenSession(UnsafeNativeMethods.EvtLoginClass.EvtRpcLogin, ref erLogin, 0, 0);
}
finally
{
erLogin.Password.Close();
}
}
internal void StartSubscribing()
{
if (this.isSubscribing)
{
throw new InvalidOperationException();
}
int flags = 0;
if (this.bookmark != null)
{
flags |= 3;
}
else if (this.readExistingEvents)
{
flags |= 2;
}
else
{
flags |= 1;
}
if (this.eventQuery.TolerateQueryErrors)
{
flags |= 0x1000;
}
EventLogPermissionHolder.GetEventLogPermission().Demand();
this.callbackThreadId = -1;
this.unregisterDoneHandle = new AutoResetEvent(false);
this.subscriptionWaitHandle = new AutoResetEvent(false);
EventLogHandle bookmarkHandleFromBookmark = EventLogRecord.GetBookmarkHandleFromBookmark(this.bookmark);
using (bookmarkHandleFromBookmark)
{
this.handle = NativeWrapper.EvtSubscribe(this.eventQuery.Session.Handle, this.subscriptionWaitHandle.SafeWaitHandle, this.eventQuery.Path, this.eventQuery.Query, bookmarkHandleFromBookmark, IntPtr.Zero, IntPtr.Zero, flags);
}
this.isSubscribing = true;
this.RequestEvents();
this.registeredWaitHandle = ThreadPool.RegisterWaitForSingleObject(this.subscriptionWaitHandle, new WaitOrTimerCallback(this.SubscribedEventsAvailableCallback), null, -1, false);
}
internal object GetProviderListProperty(EventLogHandle providerHandle, UnsafeNativeMethods.EvtPublisherMetadataPropertyId metadataProperty)
{
EventLogHandle elHandle = EventLogHandle.Zero;
try
{
UnsafeNativeMethods.EvtPublisherMetadataPropertyId propName;
UnsafeNativeMethods.EvtPublisherMetadataPropertyId propValue;
UnsafeNativeMethods.EvtPublisherMetadataPropertyId propMessageId;
ObjectTypeName objectTypeName;
List <EventLevel> levelList = null;
List <EventOpcode> opcodeList = null;
List <EventKeyword> keywordList = null;
List <EventTask> taskList = null;
elHandle = NativeWrapper.EvtGetPublisherMetadataPropertyHandle(providerHandle, metadataProperty);
int arraySize = NativeWrapper.EvtGetObjectArraySize(elHandle);
switch (metadataProperty)
{
case UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataLevels:
propName = UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataLevelName;
propValue = UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataLevelValue;
propMessageId = UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataLevelMessageID;
objectTypeName = ObjectTypeName.Level;
levelList = new List <EventLevel>(arraySize);
break;
case UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataOpcodes:
propName = UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataOpcodeName;
propValue = UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataOpcodeValue;
propMessageId = UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataOpcodeMessageID;
objectTypeName = ObjectTypeName.Opcode;
opcodeList = new List <EventOpcode>(arraySize);
break;
case UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataKeywords:
propName = UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataKeywordName;
propValue = UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataKeywordValue;
propMessageId = UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataKeywordMessageID;
objectTypeName = ObjectTypeName.Keyword;
keywordList = new List <EventKeyword>(arraySize);
break;
case UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataTasks:
propName = UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataTaskName;
propValue = UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataTaskValue;
propMessageId = UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataTaskMessageID;
objectTypeName = ObjectTypeName.Task;
taskList = new List <EventTask>(arraySize);
break;
default:
return(null);
}
for (int index = 0; index < arraySize; index++)
{
string generalName = (string)NativeWrapper.EvtGetObjectArrayProperty(elHandle, index, (int)propName);
uint generalValue = 0;
long generalValueKeyword = 0;
if (objectTypeName != ObjectTypeName.Keyword)
{
generalValue = (uint)NativeWrapper.EvtGetObjectArrayProperty(elHandle, index, (int)propValue);
}
else
{
generalValueKeyword = unchecked ((long)((ulong)NativeWrapper.EvtGetObjectArrayProperty(elHandle, index, (int)propValue)));
}
int generalMessageId = unchecked ((int)((uint)NativeWrapper.EvtGetObjectArrayProperty(elHandle, index, (int)propMessageId)));
string generalDisplayName = null;
if (generalMessageId == -1)
{
if (providerHandle != _defaultProviderHandle)
{
if (_defaultProviderHandle.IsInvalid)
{
_defaultProviderHandle = NativeWrapper.EvtOpenProviderMetadata(_session.Handle, null, null, 0, 0);
}
switch (objectTypeName)
{
case ObjectTypeName.Level:
generalDisplayName = FindStandardLevelDisplayName(generalName, generalValue);
break;
case ObjectTypeName.Opcode:
generalDisplayName = FindStandardOpcodeDisplayName(generalName, generalValue >> 16);
break;
case ObjectTypeName.Keyword:
generalDisplayName = FindStandardKeywordDisplayName(generalName, generalValueKeyword);
break;
case ObjectTypeName.Task:
generalDisplayName = FindStandardTaskDisplayName(generalName, generalValue);
break;
default:
generalDisplayName = null;
break;
}
}
}
else
{
generalDisplayName = NativeWrapper.EvtFormatMessage(providerHandle, unchecked ((uint)generalMessageId));
}
switch (objectTypeName)
{
case ObjectTypeName.Level:
levelList.Add(new EventLevel(generalName, (int)generalValue, generalDisplayName));
break;
case ObjectTypeName.Opcode:
opcodeList.Add(new EventOpcode(generalName, (int)(generalValue >> 16), generalDisplayName));
break;
case ObjectTypeName.Keyword:
keywordList.Add(new EventKeyword(generalName, (long)generalValueKeyword, generalDisplayName));
break;
case ObjectTypeName.Task:
Guid taskGuid = (Guid)NativeWrapper.EvtGetObjectArrayProperty(elHandle, index, (int)UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataTaskEventGuid);
taskList.Add(new EventTask(generalName, (int)generalValue, generalDisplayName, taskGuid));
break;
default:
return(null);
}
}
switch (objectTypeName)
{
case ObjectTypeName.Level:
return(levelList);
case ObjectTypeName.Opcode:
return(opcodeList);
case ObjectTypeName.Keyword:
return(keywordList);
case ObjectTypeName.Task:
return(taskList);
}
return(null);
}
finally
{
elHandle.Dispose();
}
}
internal void StartSubscribing() {
if (this.isSubscribing)
throw new InvalidOperationException();
int flag = 0;
if (bookmark != null)
flag |= (int)UnsafeNativeMethods.EvtSubscribeFlags.EvtSubscribeStartAfterBookmark;
else if (this.readExistingEvents)
flag |= (int)UnsafeNativeMethods.EvtSubscribeFlags.EvtSubscribeStartAtOldestRecord;
else
flag |= (int)UnsafeNativeMethods.EvtSubscribeFlags.EvtSubscribeToFutureEvents;
if (this.eventQuery.TolerateQueryErrors)
flag |= (int)UnsafeNativeMethods.EvtSubscribeFlags.EvtSubscribeTolerateQueryErrors;
EventLogPermissionHolder.GetEventLogPermission().Demand();
this.callbackThreadId = -1;
this.unregisterDoneHandle = new AutoResetEvent(false);
this.subscriptionWaitHandle = new AutoResetEvent(false);
EventLogHandle bookmarkHandle = EventLogRecord.GetBookmarkHandleFromBookmark(bookmark);
using (bookmarkHandle) {
handle = NativeWrapper.EvtSubscribe(this.eventQuery.Session.Handle,
this.subscriptionWaitHandle.SafeWaitHandle,
this.eventQuery.Path,
this.eventQuery.Query,
bookmarkHandle,
IntPtr.Zero,
IntPtr.Zero,
flag);
}
this.isSubscribing = true;
RequestEvents();
this.registeredWaitHandle = ThreadPool.RegisterWaitForSingleObject(
this.subscriptionWaitHandle,
new WaitOrTimerCallback(SubscribedEventsAvailableCallback),
null,
-1,
false);
}
internal void StartSubscribing()
{
if (this.isSubscribing)
{
throw new InvalidOperationException();
}
int flags = 0;
if (this.bookmark != null)
{
flags |= 3;
}
else if (this.readExistingEvents)
{
flags |= 2;
}
else
{
flags |= 1;
}
if (this.eventQuery.TolerateQueryErrors)
{
flags |= 0x1000;
}
EventLogPermissionHolder.GetEventLogPermission().Demand();
this.callbackThreadId = -1;
this.unregisterDoneHandle = new AutoResetEvent(false);
this.subscriptionWaitHandle = new AutoResetEvent(false);
EventLogHandle bookmarkHandleFromBookmark = EventLogRecord.GetBookmarkHandleFromBookmark(this.bookmark);
using (bookmarkHandleFromBookmark)
{
this.handle = NativeWrapper.EvtSubscribe(this.eventQuery.Session.Handle, this.subscriptionWaitHandle.SafeWaitHandle, this.eventQuery.Path, this.eventQuery.Query, bookmarkHandleFromBookmark, IntPtr.Zero, IntPtr.Zero, flags);
}
this.isSubscribing = true;
this.RequestEvents();
this.registeredWaitHandle = ThreadPool.RegisterWaitForSingleObject(this.subscriptionWaitHandle, new WaitOrTimerCallback(this.SubscribedEventsAvailableCallback), null, -1, false);
}
public EventLogReader(EventLogQuery eventQuery, EventBookmark bookmark)
{
if (eventQuery == null)
{
throw new ArgumentNullException("eventQuery");
}
string logfile = null;
if (eventQuery.ThePathType == PathType.FilePath)
{
logfile = eventQuery.Path;
}
_cachedMetadataInformation = new ProviderMetadataCachedInformation(eventQuery.Session, logfile, 50);
//explicit data
_eventQuery = eventQuery;
//implicit
_batchSize = 64;
_eventsBuffer = new IntPtr[_batchSize];
//
// compute the flag.
//
int flag = 0;
if (_eventQuery.ThePathType == PathType.LogName)
{
flag |= (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryChannelPath;
}
else
{
flag |= (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryFilePath;
}
if (_eventQuery.ReverseDirection)
{
flag |= (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryReverseDirection;
}
if (_eventQuery.TolerateQueryErrors)
{
flag |= (int)UnsafeNativeMethods.EvtQueryFlags.EvtQueryTolerateQueryErrors;
}
_handle = NativeWrapper.EvtQuery(_eventQuery.Session.Handle,
_eventQuery.Path, _eventQuery.Query,
flag);
EventLogHandle bookmarkHandle = EventLogRecord.GetBookmarkHandleFromBookmark(bookmark);
if (!bookmarkHandle.IsInvalid)
{
using (bookmarkHandle)
{
NativeWrapper.EvtSeek(_handle, 1, bookmarkHandle, 0, UnsafeNativeMethods.EvtSeekFlags.EvtSeekRelativeToBookmark);
}
}
}
public static string EvtNextPublisherId(EventLogHandle handle, ref bool finish)
{
int num;
StringBuilder publisherIdBuffer = new StringBuilder(null);
bool flag = Microsoft.Win32.UnsafeNativeMethods.EvtNextPublisherId(handle, 0, publisherIdBuffer, out num);
int errorCode = Marshal.GetLastWin32Error();
if (!flag)
{
if (errorCode == 0x103)
{
finish = true;
return null;
}
if (errorCode != 0x7a)
{
EventLogException.Throw(errorCode);
}
}
publisherIdBuffer.EnsureCapacity(num);
flag = Microsoft.Win32.UnsafeNativeMethods.EvtNextPublisherId(handle, num, publisherIdBuffer, out num);
errorCode = Marshal.GetLastWin32Error();
if (!flag)
{
EventLogException.Throw(errorCode);
}
return publisherIdBuffer.ToString();
}
public static IEnumerable<string> EvtFormatMessageRenderKeywords(EventLogHandle pmHandle, EventLogHandle eventHandle, Microsoft.Win32.UnsafeNativeMethods.EvtFormatMessageFlags flag)
{
IEnumerable<string> enumerable;
EventLogPermissionHolder.GetEventLogPermission().Demand();
IntPtr zero = IntPtr.Zero;
try
{
int num;
List<string> list = new List<string>();
bool flag2 = Microsoft.Win32.UnsafeNativeMethods.EvtFormatMessageBuffer(pmHandle, eventHandle, 0, 0, IntPtr.Zero, flag, 0, IntPtr.Zero, out num);
int errorCode = Marshal.GetLastWin32Error();
if (!flag2)
{
switch (errorCode)
{
case 0x3ab9:
case 0x3afc:
case 0x3ab3:
case 0x3ab4:
case 0x717:
return list.AsReadOnly();
}
if (errorCode != 0x7a)
{
EventLogException.Throw(errorCode);
}
}
zero = Marshal.AllocHGlobal((int) (num * 2));
flag2 = Microsoft.Win32.UnsafeNativeMethods.EvtFormatMessageBuffer(pmHandle, eventHandle, 0, 0, IntPtr.Zero, flag, num, zero, out num);
errorCode = Marshal.GetLastWin32Error();
if (!flag2)
{
switch (errorCode)
{
case 0x3ab9:
case 0x3afc:
return list;
case 0x3ab3:
case 0x3ab4:
return list;
case 0x717:
return list;
}
EventLogException.Throw(errorCode);
}
IntPtr ptr = zero;
while (true)
{
string str = Marshal.PtrToStringAuto(ptr);
if (string.IsNullOrEmpty(str))
{
break;
}
list.Add(str);
ptr = new IntPtr((((long) ptr) + (str.Length * 2)) + 2L);
}
enumerable = list.AsReadOnly();
}
finally
{
if (zero != IntPtr.Zero)
{
Marshal.FreeHGlobal(zero);
}
}
return enumerable;
}
internal void SetupUserContext()
{
EventLogPermissionHolder.GetEventLogPermission().Demand();
lock (this.syncObject)
{
if (this.renderContextHandleUser.IsInvalid)
{
this.renderContextHandleUser = NativeWrapper.EvtCreateRenderContext(0, null, Microsoft.Win32.UnsafeNativeMethods.EvtRenderContextFlags.EvtRenderContextUser);
}
}
}
public static object EvtGetQueryInfo(EventLogHandle handle, Microsoft.Win32.UnsafeNativeMethods.EvtQueryPropertyId enumType)
{
object obj2;
IntPtr zero = IntPtr.Zero;
int bufferRequired = 0;
try
{
bool flag = Microsoft.Win32.UnsafeNativeMethods.EvtGetQueryInfo(handle, enumType, 0, IntPtr.Zero, ref bufferRequired);
int errorCode = Marshal.GetLastWin32Error();
if (!flag && (errorCode != 0x7a))
{
EventLogException.Throw(errorCode);
}
zero = Marshal.AllocHGlobal(bufferRequired);
flag = Microsoft.Win32.UnsafeNativeMethods.EvtGetQueryInfo(handle, enumType, bufferRequired, zero, ref bufferRequired);
errorCode = Marshal.GetLastWin32Error();
if (!flag)
{
EventLogException.Throw(errorCode);
}
Microsoft.Win32.UnsafeNativeMethods.EvtVariant val = (Microsoft.Win32.UnsafeNativeMethods.EvtVariant) Marshal.PtrToStructure(zero, typeof(Microsoft.Win32.UnsafeNativeMethods.EvtVariant));
obj2 = ConvertToObject(val);
}
finally
{
if (zero != IntPtr.Zero)
{
Marshal.FreeHGlobal(zero);
}
}
return obj2;
}
internal static EventLogHandle EvtGetPublisherMetadataPropertyHandle(EventLogHandle pmHandle, Microsoft.Win32.UnsafeNativeMethods.EvtPublisherMetadataPropertyId thePropertyId)
{
EventLogHandle handle;
IntPtr zero = IntPtr.Zero;
try
{
int num;
bool flag = Microsoft.Win32.UnsafeNativeMethods.EvtGetPublisherMetadataProperty(pmHandle, thePropertyId, 0, 0, IntPtr.Zero, out num);
int errorCode = Marshal.GetLastWin32Error();
if (!flag && (errorCode != 0x7a))
{
EventLogException.Throw(errorCode);
}
zero = Marshal.AllocHGlobal(num);
flag = Microsoft.Win32.UnsafeNativeMethods.EvtGetPublisherMetadataProperty(pmHandle, thePropertyId, 0, num, zero, out num);
errorCode = Marshal.GetLastWin32Error();
if (!flag)
{
EventLogException.Throw(errorCode);
}
Microsoft.Win32.UnsafeNativeMethods.EvtVariant val = (Microsoft.Win32.UnsafeNativeMethods.EvtVariant) Marshal.PtrToStructure(zero, typeof(Microsoft.Win32.UnsafeNativeMethods.EvtVariant));
handle = ConvertToSafeHandle(val);
}
finally
{
if (zero != IntPtr.Zero)
{
Marshal.FreeHGlobal(zero);
}
}
return handle;
}
public static string EvtFormatMessage(EventLogHandle handle, uint msgId)
{
int num;
if (s_platformNotSupported)
{
throw new PlatformNotSupportedException();
}
StringBuilder buffer = new StringBuilder(null);
bool flag = Microsoft.Win32.UnsafeNativeMethods.EvtFormatMessage(handle, EventLogHandle.Zero, msgId, 0, null, Microsoft.Win32.UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageId, 0, buffer, out num);
int errorCode = Marshal.GetLastWin32Error();
if ((!flag && (errorCode != 0x3ab5)) && ((errorCode != 0x3ab6) && (errorCode != 0x3ab7)))
{
switch (errorCode)
{
case 0x3ab9:
case 0x3afc:
case 0x3ab3:
case 0x3ab4:
case 0x717:
return null;
}
if (errorCode != 0x7a)
{
EventLogException.Throw(errorCode);
}
}
buffer.EnsureCapacity(num);
flag = Microsoft.Win32.UnsafeNativeMethods.EvtFormatMessage(handle, EventLogHandle.Zero, msgId, 0, null, Microsoft.Win32.UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageId, num, buffer, out num);
errorCode = Marshal.GetLastWin32Error();
if ((!flag && (errorCode != 0x3ab5)) && ((errorCode != 0x3ab6) && (errorCode != 0x3ab7)))
{
switch (errorCode)
{
case 0x3ab9:
case 0x3afc:
case 0x3ab3:
case 0x3ab4:
case 0x717:
return null;
case 0x3ab5:
return null;
}
EventLogException.Throw(errorCode);
}
return buffer.ToString();
}
public static int EvtGetObjectArraySize(EventLogHandle objectArray)
{
int num;
bool flag = Microsoft.Win32.UnsafeNativeMethods.EvtGetObjectArraySize(objectArray, out num);
int errorCode = Marshal.GetLastWin32Error();
if (!flag)
{
EventLogException.Throw(errorCode);
}
return num;
}
public static object EvtGetObjectArrayProperty(EventLogHandle objArrayHandle, int index, int thePropertyId)
{
object obj2;
IntPtr zero = IntPtr.Zero;
try
{
int num;
bool flag = Microsoft.Win32.UnsafeNativeMethods.EvtGetObjectArrayProperty(objArrayHandle, thePropertyId, index, 0, 0, IntPtr.Zero, out num);
int errorCode = Marshal.GetLastWin32Error();
if (!flag && (errorCode != 0x7a))
{
EventLogException.Throw(errorCode);
}
zero = Marshal.AllocHGlobal(num);
flag = Microsoft.Win32.UnsafeNativeMethods.EvtGetObjectArrayProperty(objArrayHandle, thePropertyId, index, 0, num, zero, out num);
errorCode = Marshal.GetLastWin32Error();
if (!flag)
{
EventLogException.Throw(errorCode);
}
Microsoft.Win32.UnsafeNativeMethods.EvtVariant val = (Microsoft.Win32.UnsafeNativeMethods.EvtVariant) Marshal.PtrToStructure(zero, typeof(Microsoft.Win32.UnsafeNativeMethods.EvtVariant));
obj2 = ConvertToObject(val);
}
finally
{
if (zero != IntPtr.Zero)
{
Marshal.FreeHGlobal(zero);
}
}
return obj2;
}
public static string EvtFormatMessageRenderName(EventLogHandle pmHandle, EventLogHandle eventHandle, Microsoft.Win32.UnsafeNativeMethods.EvtFormatMessageFlags flag)
{
int num;
EventLogPermissionHolder.GetEventLogPermission().Demand();
StringBuilder buffer = new StringBuilder(null);
bool flag2 = Microsoft.Win32.UnsafeNativeMethods.EvtFormatMessage(pmHandle, eventHandle, 0, 0, null, flag, 0, buffer, out num);
int errorCode = Marshal.GetLastWin32Error();
if (!flag2 && (errorCode != 0x3ab5))
{
switch (errorCode)
{
case 0x3ab9:
case 0x3afc:
case 0x3ab3:
case 0x3ab4:
case 0x717:
return null;
}
if (errorCode != 0x7a)
{
EventLogException.Throw(errorCode);
}
}
buffer.EnsureCapacity(num);
flag2 = Microsoft.Win32.UnsafeNativeMethods.EvtFormatMessage(pmHandle, eventHandle, 0, 0, null, flag, num, buffer, out num);
errorCode = Marshal.GetLastWin32Error();
if (!flag2 && (errorCode != 0x3ab5))
{
switch (errorCode)
{
case 0x3ab9:
case 0x3afc:
case 0x3ab3:
case 0x3ab4:
case 0x717:
return null;
}
EventLogException.Throw(errorCode);
}
return buffer.ToString();
}
internal object GetProviderListProperty(EventLogHandle providerHandle, Microsoft.Win32.UnsafeNativeMethods.EvtPublisherMetadataPropertyId metadataProperty)
{
object obj2;
EventLogHandle zero = EventLogHandle.Zero;
EventLogPermissionHolder.GetEventLogPermission().Demand();
try
{
Microsoft.Win32.UnsafeNativeMethods.EvtPublisherMetadataPropertyId evtPublisherMetadataOpcodeName;
Microsoft.Win32.UnsafeNativeMethods.EvtPublisherMetadataPropertyId evtPublisherMetadataOpcodeValue;
Microsoft.Win32.UnsafeNativeMethods.EvtPublisherMetadataPropertyId evtPublisherMetadataOpcodeMessageID;
ObjectTypeName opcode;
List <EventLevel> list = null;
List <EventOpcode> list2 = null;
List <EventKeyword> list3 = null;
List <EventTask> list4 = null;
zero = NativeWrapper.EvtGetPublisherMetadataPropertyHandle(providerHandle, metadataProperty);
int capacity = NativeWrapper.EvtGetObjectArraySize(zero);
switch (metadataProperty)
{
case Microsoft.Win32.UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataOpcodes:
evtPublisherMetadataOpcodeName = Microsoft.Win32.UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataOpcodeName;
evtPublisherMetadataOpcodeValue = Microsoft.Win32.UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataOpcodeValue;
evtPublisherMetadataOpcodeMessageID = Microsoft.Win32.UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataOpcodeMessageID;
opcode = ObjectTypeName.Opcode;
list2 = new List <EventOpcode>(capacity);
break;
case Microsoft.Win32.UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataKeywords:
evtPublisherMetadataOpcodeName = Microsoft.Win32.UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataKeywordName;
evtPublisherMetadataOpcodeValue = Microsoft.Win32.UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataKeywordValue;
evtPublisherMetadataOpcodeMessageID = Microsoft.Win32.UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataKeywordMessageID;
opcode = ObjectTypeName.Keyword;
list3 = new List <EventKeyword>(capacity);
break;
case Microsoft.Win32.UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataLevels:
evtPublisherMetadataOpcodeName = Microsoft.Win32.UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataLevelName;
evtPublisherMetadataOpcodeValue = Microsoft.Win32.UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataLevelValue;
evtPublisherMetadataOpcodeMessageID = Microsoft.Win32.UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataLevelMessageID;
opcode = ObjectTypeName.Level;
list = new List <EventLevel>(capacity);
break;
case Microsoft.Win32.UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataTasks:
evtPublisherMetadataOpcodeName = Microsoft.Win32.UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataTaskName;
evtPublisherMetadataOpcodeValue = Microsoft.Win32.UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataTaskValue;
evtPublisherMetadataOpcodeMessageID = Microsoft.Win32.UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataTaskMessageID;
opcode = ObjectTypeName.Task;
list4 = new List <EventTask>(capacity);
break;
default:
return(null);
}
for (int i = 0; i < capacity; i++)
{
string name = (string)NativeWrapper.EvtGetObjectArrayProperty(zero, i, (int)evtPublisherMetadataOpcodeName);
uint num3 = 0;
long num4 = 0L;
if (opcode != ObjectTypeName.Keyword)
{
num3 = (uint)NativeWrapper.EvtGetObjectArrayProperty(zero, i, (int)evtPublisherMetadataOpcodeValue);
}
else
{
num4 = (long)((ulong)NativeWrapper.EvtGetObjectArrayProperty(zero, i, (int)evtPublisherMetadataOpcodeValue));
}
int num5 = (int)((uint)NativeWrapper.EvtGetObjectArrayProperty(zero, i, (int)evtPublisherMetadataOpcodeMessageID));
string displayName = null;
if (num5 == -1)
{
if (providerHandle != this.defaultProviderHandle)
{
if (this.defaultProviderHandle.IsInvalid)
{
this.defaultProviderHandle = NativeWrapper.EvtOpenProviderMetadata(this.session.Handle, null, null, this.cultureInfo.LCID, 0);
}
switch (opcode)
{
case ObjectTypeName.Level:
displayName = this.FindStandardLevelDisplayName(name, num3);
goto Label_01BA;
case ObjectTypeName.Opcode:
displayName = this.FindStandardOpcodeDisplayName(name, num3 >> 0x10);
goto Label_01BA;
case ObjectTypeName.Task:
displayName = this.FindStandardTaskDisplayName(name, num3);
goto Label_01BA;
case ObjectTypeName.Keyword:
displayName = this.FindStandardKeywordDisplayName(name, num4);
goto Label_01BA;
}
displayName = null;
}
}
else
{
displayName = NativeWrapper.EvtFormatMessage(providerHandle, (uint)num5);
}
Label_01BA:
switch (opcode)
{
case ObjectTypeName.Level:
list.Add(new EventLevel(name, (int)num3, displayName));
break;
case ObjectTypeName.Opcode:
list2.Add(new EventOpcode(name, (int)(num3 >> 0x10), displayName));
break;
case ObjectTypeName.Task:
{
Guid guid = (Guid)NativeWrapper.EvtGetObjectArrayProperty(zero, i, 0x12);
list4.Add(new EventTask(name, (int)num3, displayName, guid));
break;
}
case ObjectTypeName.Keyword:
list3.Add(new EventKeyword(name, num4, displayName));
break;
default:
return(null);
}
}
switch (opcode)
{
case ObjectTypeName.Level:
return(list);
case ObjectTypeName.Opcode:
return(list2);
case ObjectTypeName.Task:
return(list4);
case ObjectTypeName.Keyword:
return(list3);
}
obj2 = null;
}
finally
{
zero.Close();
}
return(obj2);
}
public static bool EvtNext(EventLogHandle queryHandle, int eventSize, IntPtr[] events, int timeout, int flags, ref int returned)
{
bool flag = Microsoft.Win32.UnsafeNativeMethods.EvtNext(queryHandle, eventSize, events, timeout, flags, ref returned);
int errorCode = Marshal.GetLastWin32Error();
if (!flag && (errorCode != 0x103))
{
EventLogException.Throw(errorCode);
}
return (errorCode == 0);
}
public static EventLogHandle EvtNextEventMetadata(EventLogHandle eventMetadataEnum, int flags)
{
EventLogHandle handle = Microsoft.Win32.UnsafeNativeMethods.EvtNextEventMetadata(eventMetadataEnum, flags);
int errorCode = Marshal.GetLastWin32Error();
if (!handle.IsInvalid)
{
return handle;
}
if (errorCode != 0x103)
{
EventLogException.Throw(errorCode);
}
return null;
}
public static object EvtGetPublisherMetadataProperty(EventLogHandle pmHandle, Microsoft.Win32.UnsafeNativeMethods.EvtPublisherMetadataPropertyId thePropertyId)
{
object obj2;
IntPtr zero = IntPtr.Zero;
EventLogPermissionHolder.GetEventLogPermission().Demand();
try
{
int num;
bool flag = Microsoft.Win32.UnsafeNativeMethods.EvtGetPublisherMetadataProperty(pmHandle, thePropertyId, 0, 0, IntPtr.Zero, out num);
int errorCode = Marshal.GetLastWin32Error();
if (!flag && (errorCode != 0x7a))
{
EventLogException.Throw(errorCode);
}
zero = Marshal.AllocHGlobal(num);
flag = Microsoft.Win32.UnsafeNativeMethods.EvtGetPublisherMetadataProperty(pmHandle, thePropertyId, 0, num, zero, out num);
errorCode = Marshal.GetLastWin32Error();
if (!flag)
{
EventLogException.Throw(errorCode);
}
Microsoft.Win32.UnsafeNativeMethods.EvtVariant val = (Microsoft.Win32.UnsafeNativeMethods.EvtVariant) Marshal.PtrToStructure(zero, typeof(Microsoft.Win32.UnsafeNativeMethods.EvtVariant));
obj2 = ConvertToObject(val);
}
finally
{
if (zero != IntPtr.Zero)
{
Marshal.FreeHGlobal(zero);
}
}
return obj2;
}
public static string EvtFormatMessageFormatDescription(EventLogHandle handle, EventLogHandle eventHandle, string[] values)
{
int num;
if (s_platformNotSupported)
{
throw new PlatformNotSupportedException();
}
EventLogPermissionHolder.GetEventLogPermission().Demand();
Microsoft.Win32.UnsafeNativeMethods.EvtStringVariant[] variantArray = new Microsoft.Win32.UnsafeNativeMethods.EvtStringVariant[values.Length];
for (int i = 0; i < values.Length; i++)
{
variantArray[i].Type = 1;
variantArray[i].StringVal = values[i];
}
StringBuilder buffer = new StringBuilder(null);
bool flag = Microsoft.Win32.UnsafeNativeMethods.EvtFormatMessage(handle, eventHandle, uint.MaxValue, values.Length, variantArray, Microsoft.Win32.UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageEvent, 0, buffer, out num);
int errorCode = Marshal.GetLastWin32Error();
if (!flag && (errorCode != 0x3ab5))
{
switch (errorCode)
{
case 0x3ab9:
case 0x3afc:
case 0x3ab3:
case 0x3ab4:
case 0x717:
return null;
}
if (errorCode != 0x7a)
{
EventLogException.Throw(errorCode);
}
}
buffer.EnsureCapacity(num);
flag = Microsoft.Win32.UnsafeNativeMethods.EvtFormatMessage(handle, eventHandle, uint.MaxValue, values.Length, variantArray, Microsoft.Win32.UnsafeNativeMethods.EvtFormatMessageFlags.EvtFormatMessageEvent, num, buffer, out num);
errorCode = Marshal.GetLastWin32Error();
if (!flag && (errorCode != 0x3ab5))
{
switch (errorCode)
{
case 0x3ab9:
case 0x3afc:
case 0x3ab3:
case 0x3ab4:
case 0x717:
return null;
}
EventLogException.Throw(errorCode);
}
return buffer.ToString();
}