1 /* Copyright (c) 2016 Minoru Sakamoto, All Rights Reserved 2 * 3 * The contents of this file is dual-licensed under 2 4 * alternative Open Source/Free licenses: LGPL 2.1 or later and 5 * Apache License 2.0. (starting with JNA version 4.0.0). 6 * 7 * You can freely decide which license you want to apply to 8 * the project. 9 * 10 * You may obtain a copy of the LGPL License at: 11 * 12 * http://www.gnu.org/licenses/licenses.html 13 * 14 * A copy is also included in the downloadable source code package 15 * containing JNA, in file "LGPL2.1". 16 * 17 * You may obtain a copy of the Apache License at: 18 * 19 * http://www.apache.org/licenses/ 20 * 21 * A copy is also included in the downloadable source code package 22 * containing JNA, in file "AL2.0". 23 */ 24 package com.sun.jna.platform.win32; 25 26 import com.sun.jna.Callback; 27 import com.sun.jna.Native; 28 import com.sun.jna.Pointer; 29 import com.sun.jna.platform.win32.Winevt.EVT_HANDLE; 30 import com.sun.jna.platform.win32.Winevt.EVT_VARIANT; 31 import com.sun.jna.ptr.IntByReference; 32 import com.sun.jna.win32.StdCallLibrary; 33 import com.sun.jna.win32.W32APIOptions; 34 35 /** 36 * wevtapi.dll Interface 37 * 38 * @author Minoru Sakamoto 39 */ 40 public interface Wevtapi extends StdCallLibrary { 41 Wevtapi INSTANCE = (Wevtapi) Native.load("wevtapi", Wevtapi.class, W32APIOptions.UNICODE_OPTIONS); 42 43 /** 44 * Establishes a connection to a remote computer that you can use when calling the other Windows Event Log functions. 45 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385462(v=vs.85).aspx 46 * 47 * @param LoginClass [in] The connection method to use to connect to the remote computer. For possible values, 48 * see the {@link Winevt.EVT_LOGIN_CLASS} enumeration. 49 * @param Login [in] A EVT_RPC_LOGIN structure that identifies the remote computer that you want to connect 50 * to, the user's credentials, and the type of authentication to use when connecting. 51 * @param Timeout [in] Reserved. Must be zero. 52 * @param Flags [in]Reserved. Must be zero. 53 * @return If successful, the function returns a session handle that you can use to access event log information 54 * on the remote computer; otherwise, NULL. If NULL, call {@link Kernel32#GetLastError} function to get 55 * the error code. 56 */ EvtOpenSession(int LoginClass, Winevt.EVT_RPC_LOGIN Login, int Timeout, int Flags)57 EVT_HANDLE EvtOpenSession(int LoginClass, Winevt.EVT_RPC_LOGIN Login, int Timeout, int Flags); 58 59 /** 60 * Closes an open handle. 61 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385344(v=vs.85).aspx 62 * 63 * @param Object [in] An open event handle to close. 64 * @return True The function succeeded, False The function failed. To get the error code, 65 * call the {@link Kernel32#GetLastError} function. 66 */ EvtClose(EVT_HANDLE Object)67 boolean EvtClose(EVT_HANDLE Object); 68 69 /** 70 * Cancels all pending operations on a handle. 71 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385335(v=vs.85).aspx 72 * 73 * @param Object The handle whose operation you want to cancel. You can cancel the following operations: 74 * <ul> 75 * <li>{@link Wevtapi#EvtClearLog}</li> 76 * <li>{@link Wevtapi#EvtExportLog}</li> 77 * <li>{@link Wevtapi#EvtNext}</li> 78 * <li>{@link Wevtapi#EvtQuery}</li> 79 * <li>{@link Wevtapi#EvtSeek}</li> 80 * <li>{@link Wevtapi#EvtSubscribe}</li> 81 * </ul> 82 * To cancel the {@link Wevtapi#EvtClearLog}, {@link Wevtapi#EvtExportLog}, {@link Wevtapi#EvtQuery}, 83 * and EvtSubscribe operations, you must pass the session handle. To specify the default 84 * session (local session), set this parameter to NULL. 85 * @return True The function succeeded, False The function failed. To get the error code, call 86 * the {@link Kernel32#GetLastError} function. 87 */ EvtCancel(EVT_HANDLE Object)88 boolean EvtCancel(EVT_HANDLE Object); 89 90 /** 91 * Gets a text message that contains the extended error information for the current error. 92 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385380(v=vs.85).aspx 93 * 94 * @param BufferSize [in] The size of the Buffer buffer, in characters. 95 * @param Buffer [in] A caller-allocated string buffer that will receive the extended error information. 96 * You can set this parameter to NULL to determine the required buffer size. 97 * @param BufferUsed [out] The size, in characters, of the caller-allocated buffer that the function used or 98 * the required buffer size if the function fails with ERROR_INSUFFICIENT_BUFFER. 99 * @return The return value is ERROR_SUCCESS if the call succeeded; otherwise, a Win32 error code. 100 */ EvtGetExtendedStatus(int BufferSize, char[] Buffer, IntByReference BufferUsed)101 int EvtGetExtendedStatus(int BufferSize, char[] Buffer, IntByReference BufferUsed); 102 103 /** 104 * Runs a query to retrieve events from a channel or log file that match the specified query criteria. 105 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385466(v=vs.85).aspx 106 * 107 * @param Session [in] A remote session handle that the {@link Wevtapi#EvtOpenSession} function returns. 108 * Set to NULL to query for events on the local computer. 109 * @param Path [in] The name of the channel or the full path to a log file that contains the events that 110 * you want to query. You can specify an .evt, .evtx, or.etl log file. The path is required 111 * if the Query parameter contains an XPath query; the path is ignored if the Query parameter 112 * contains a structured XML query and the query specifies the path. 113 * @param Query [in] A query that specifies the types of events that you want to retrieve. You can specify 114 * an XPath 1.0 query or structured XML query. If your XPath contains more than 20 expressions, 115 * use a structured XML query. To receive all events, set this parameter to NULL or "*". 116 * @param Flags [in] One or more flags that specify the order that you want to receive the events and 117 * whether you are querying against a channel or log file. For possible values, 118 * see the {@link Winevt.EVT_QUERY_FLAGS} enumeration. 119 * @return A handle to the query results if successful; otherwise, NULL. If the function returns NULL, 120 * call the {@link Kernel32#GetLastError} function to get the error code. 121 */ EvtQuery(EVT_HANDLE Session, String Path, String Query, int Flags)122 EVT_HANDLE EvtQuery(EVT_HANDLE Session, String Path, String Query, int Flags); 123 124 /** 125 * Gets the next event from the query or subscription results. 126 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385405(v=vs.85).aspx 127 * 128 * @param ResultSet [in] The handle to a query or subscription result set that 129 * the {@link Wevtapi#EvtQuery} function or the {@link Wevtapi#EvtSubscribe} function returns. 130 * @param EventArraySize [in] The number of elements in the EventArray array. The function will try to retrieve 131 * this number of elements from the result set. 132 * @param EventArray [in] A pointer to an array of handles that will be set to the handles to the events from 133 * the result set. 134 * @param Timeout [in] The number of milliseconds that you are willing to wait for a result. 135 * Set to INFINITE to indicate no time-out value. If the time-out expires, the last error is 136 * set to ERROR_TIMEOUT. 137 * @param Flags [in] Reserved. Must be zero. 138 * @param Returned [out] The number of handles in the array that are set. 139 * @return True The function succeeded, False The function failed. To get the error code, call 140 * the {@link Kernel32#GetLastError} function. 141 */ EvtNext(EVT_HANDLE ResultSet, int EventArraySize, EVT_HANDLE[] EventArray, int Timeout, int Flags, IntByReference Returned)142 boolean EvtNext(EVT_HANDLE ResultSet, int EventArraySize, EVT_HANDLE[] EventArray, int Timeout, int Flags, 143 IntByReference Returned); 144 145 /** 146 * Seeks to a specific event in a query result set. 147 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385481(v=vs.85).aspx 148 * 149 * @param ResultSet [in] The handle to a query result set that 150 * the {@link Wevtapi#EvtQuery} function returns. 151 * @param Position [in] The zero-based offset to an event in the result set. The flag that you specify 152 * in the Flags parameter indicates the beginning relative position in the result set from 153 * which to seek. For example, you can seek from the beginning of the results or from the end of 154 * the results. Set to 0 to move to the relative position specified by the flag. 155 * @param Bookmark [in] A handle to a bookmark that the {@link Wevtapi#EvtCreateBookmark}function returns. 156 * The bookmark identifies an event in the result set to which you want to seek. 157 * Set this parameter only if the Flags parameter has the EvtSeekRelativeToBookmark flag set. 158 * @param Timeout [in] Reserved. Must be zero. 159 * @param Flags [in] One or more flags that indicate the relative position in the result set from which to seek. 160 * For possible values, see the {@link Winevt.EVT_SEEK_FLAGS} enumeration. 161 * @return True The function was successful, False The function failed. To get the error code, call 162 * the {@link Kernel32#GetLastError} function. 163 */ EvtSeek(EVT_HANDLE ResultSet, long Position, EVT_HANDLE Bookmark, int Timeout, int Flags)164 boolean EvtSeek(EVT_HANDLE ResultSet, long Position, EVT_HANDLE Bookmark, int Timeout, int Flags); 165 166 /** 167 * Creates a subscription that will receive current and future events from a channel or log file 168 * that match the specified query criteria. 169 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385487(v=vs.85).aspx 170 * 171 * @param Session [in] A remote session handle that the {@link Wevtapi#EvtOpenSession} function returns. 172 * Set to NULL to subscribe to events on the local computer. 173 * @param SignalEvent [in] The handle to an event object that the service will signal when new events are 174 * available that match your query criteria. This parameter must be NULL if the Callback 175 * parameter is not NULL. 176 * @param ChannelPath [in] The name of the Admin or Operational channel that contains the events that you want to 177 * subscribe to (you cannot subscribe to Analytic or Debug channels). The path is required 178 * if the Query parameter contains an XPath query; the path is ignored if the Query parameter 179 * contains a structured XML query. 180 * @param Query [in] A query that specifies the types of events that you want the subscription service to 181 * return. You can specify an XPath 1.0 query or structured XML query. If your XPath contains 182 * more than 20 expressions, use a structured XML query. To receive all events, set this 183 * parameter to NULL or "*". 184 * @param Bookmark [in] A handle to a bookmark that identifies the starting point for the subscription. To get 185 * a bookmark handle, call the {@link Wevtapi#EvtCreateBookmark} function. You must set 186 * this parameter if the Flags parameter contains the EvtSubscribeStartAfterBookmark flag; 187 * otherwise, NULL. 188 * @param Context [in] A caller-defined context value that the subscription service will pass to the specified 189 * callback each time it delivers an event. 190 * @param Callback [in] Pointer to your EVT_SUBSCRIBE_CALLBACK callback function that will receive 191 * the subscription events. This parameter must be NULL if the SignalEvent parameter is not NULL. 192 * @param Flags [in] One or more flags that specify when to start subscribing to events. For example, if you 193 * specify {@link Winevt.EVT_SUBSCRIBE_FLAGS#EvtSubscribeStartAtOldestRecord}, the service will 194 * retrieve all current and future events that match your query criteria; however, if you specify 195 * {@link Winevt.EVT_SUBSCRIBE_FLAGS#EvtSubscribeToFutureEvents}, the service returns only 196 * future events that match your query criteria. For possible values,see 197 * the {@link Winevt.EVT_SUBSCRIBE_FLAGS} enumeration. 198 * @return A handle to the subscription if successful; otherwise, NULL. If the function returns NULL, 199 * call the {@link Kernel32#GetLastError} function to get the error code. 200 * You must call the EvtClose function with the subscription handle when done. 201 */ EvtSubscribe(EVT_HANDLE Session, EVT_HANDLE SignalEvent, String ChannelPath, String Query, EVT_HANDLE Bookmark, Pointer Context, Callback Callback, int Flags)202 EVT_HANDLE EvtSubscribe(EVT_HANDLE Session, EVT_HANDLE SignalEvent, String ChannelPath, String Query, EVT_HANDLE Bookmark, 203 Pointer Context, Callback Callback, int Flags); 204 205 /** 206 * Creates a context that specifies the information in the event that you want to render. 207 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385352(v=vs.85).aspx 208 * 209 * @param ValuePathsCount [in] The number of XPath expressions in the ValuePaths parameter. 210 * @param ValuePaths [in] An array of XPath expressions that uniquely identify a node or attribute in 211 * the event that you want to render. The expressions must not contain the OR or AND operator. 212 * Set to NULL if the {@link Winevt.EVT_RENDER_CONTEXT_FLAGS#EvtRenderContextValues} context 213 * flag is not set in the Flags parameter. 214 * @param Flags [in] One or more flags that identify the information in the event that you want to render. 215 * For example, the system information, user information, or specific values. 216 * For possible values, see the {@link Winevt.EVT_RENDER_CONTEXT_FLAGS} enumeration. 217 * @return A context handle that you use when calling the {@link Wevtapi#EvtRender}function to render the contents 218 * of an event; otherwise, NULL. If NULL, call the {@link Kernel32#GetLastError} function to get the error code. 219 */ EvtCreateRenderContext(int ValuePathsCount, String[] ValuePaths, int Flags)220 EVT_HANDLE EvtCreateRenderContext(int ValuePathsCount, String[] ValuePaths, int Flags); 221 222 /** 223 * Renders an XML fragment based on the rendering context that you specify. 224 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385471(v=vs.85).aspx 225 * 226 * @param Context [in] A handle to the rendering context that the {@link Wevtapi#EvtCreateRenderContext} 227 * function returns. This parameter must be set to NULL if the Flags parameter is set to 228 * {@link Winevt.EVT_RENDER_FLAGS#EvtRenderEventXml} or 229 * {@link Winevt.EVT_RENDER_FLAGS#EvtRenderBookmark}. 230 * @param Fragment [in] A handle to an event or to a bookmark. Set this parameter to a bookmark handle 231 * if the Flags parameter is set to {@link Winevt.EVT_RENDER_FLAGS#EvtRenderEventXml}; 232 * otherwise, set to an event handle. 233 * @param Flags [in] A flag that identifies what to render. For example, the entire event or specific 234 * properties of the event. For possible values,see the {@link Winevt.EVT_RENDER_FLAGS} 235 * enumeration. 236 * @param BufferSize [in] The size of the Buffer buffer, in bytes. 237 * @param Buffer [in] A caller-allocated buffer that will receive the rendered output. The contents is 238 * a null-terminated Unicode string if the Flags parameter is set to 239 * {@link Winevt.EVT_RENDER_FLAGS#EvtRenderEventXml} or 240 * {@link Winevt.EVT_RENDER_FLAGS#EvtRenderBookmark}. Otherwise, if Flags is set to 241 * {@link Winevt.EVT_RENDER_FLAGS#EvtRenderEventValues}, the buffer 242 * contains an array of EVT_VARIANT structures; one for each property specified by 243 * the rendering context. The PropertyCount parameter contains the number of elements 244 * in the array. 245 * @param BufferUsed [out] The size, in bytes, of the caller-allocated buffer that the function used or 246 * the required buffer size if the function fails with ERROR_INSUFFICIENT_BUFFER. 247 * @param PropertyCount [out] The number of the properties in the Buffer parameter if the Flags parameter is set 248 * to {@link Winevt.EVT_RENDER_FLAGS#EvtRenderEventValues}; otherwise, zero. 249 * @return True The function was successful, False The function failed. To get the error code, call 250 * the {@link Kernel32#GetLastError} function. 251 */ EvtRender(EVT_HANDLE Context, EVT_HANDLE Fragment, int Flags, int BufferSize, Pointer Buffer, IntByReference BufferUsed, IntByReference PropertyCount)252 boolean EvtRender(EVT_HANDLE Context, EVT_HANDLE Fragment, int Flags, int BufferSize, Pointer Buffer, 253 IntByReference BufferUsed, IntByReference PropertyCount); 254 255 /** 256 * Formats a message string. 257 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385359(v=vs.85).aspx 258 * 259 * @param PublisherMetadata [in] A handle to the provider's metadata that 260 * the {@link Wevtapi#EvtOpenPublisherMetadata} function returns. The handle acts as 261 * a formatting context for the event or message identifier. 262 * <p> 263 * You can set this parameter to NULL if the Windows Event Collector service forwarded 264 * the event. Forwarded events include a RenderingInfo section that contains the rendered 265 * message strings. You can also set this parameter to NULL if the event property that 266 * you are formatting is defined in the Winmeta.xml file (for example, if level is set 267 * to win:Error). In the latter case, the service uses the Winmeta provider as 268 * the formatting context and will format only those message strings that you reference 269 * in your event that are defined in the Winmeta.xml file. 270 * @param Event [in] A handle to an event. The Flags parameter specifies the message string in 271 * the event that you want to format. This parameter must be NULL if the Flags parameter 272 * is set to EvtFormatMessageId. 273 * @param MessageId [in] The resource identifier of the message string that you want to format. 274 * To get the resource identifier for a message string, call 275 * the {@link Wevtapi#EvtGetPublisherMetadataProperty} function. Set this parameter only 276 * if the Flags parameter is set to EvtFormatMessageId. 277 * @param ValueCount [in] The number of values in the Values parameter. 278 * @param Values [in] An array of insertion values to use when formatting the event's message string. 279 * Typically, you set this parameter to NULL and the function gets the insertion values 280 * from the event data itself. You would use this parameter to override the default 281 * behavior and supply the insertion values to use. For example, you might use this 282 * parameter if you wanted to resolve a SID to a principal name before inserting the value. 283 * <p> 284 * To override the insertion values, the Flags parameter must be set to 285 * {@link Winevt.EVT_FORMAT_MESSAGE_FLAGS#EvtFormatMessageEvent}, 286 * {@link Winevt.EVT_FORMAT_MESSAGE_FLAGS#EvtFormatMessageXml}, or 287 * {@link Winevt.EVT_FORMAT_MESSAGE_FLAGS#EvtFormatMessageId}, If Flags is set to 288 * {@link Winevt.EVT_FORMAT_MESSAGE_FLAGS#EvtFormatMessageId}, the resource identifier 289 * must identify the event's message string. 290 * @param Flags [in] A flag that specifies the message string in the event to format. For possible 291 * values, see the {@link Winevt.EVT_FORMAT_MESSAGE_FLAGS} enumeration. 292 * @param BufferSize [in] The size of the Buffer buffer, in characters. 293 * @param Buffer [in] A caller-allocated buffer that will receive the formatted message string. 294 * You can set this parameter to NULL to determine the required buffer size. 295 * @param BufferUsed [out] The size, in characters of the caller-allocated buffer that the function used 296 * or the required buffer size if the function fails with ERROR_INSUFFICIENT_BUFFER. 297 * @return True The function was successful, False The function failed. To get the error code, call 298 * the {@link Kernel32#GetLastError} function. 299 */ EvtFormatMessage(EVT_HANDLE PublisherMetadata, EVT_HANDLE Event, int MessageId, int ValueCount, EVT_VARIANT[] Values, int Flags, int BufferSize, char[] Buffer, IntByReference BufferUsed)300 boolean EvtFormatMessage(EVT_HANDLE PublisherMetadata, EVT_HANDLE Event, int MessageId, int ValueCount, EVT_VARIANT[] Values, 301 int Flags, int BufferSize, char[] Buffer, IntByReference BufferUsed); 302 303 /** 304 * Gets a handle to a channel or log file that you can then use to get information about the channel or log file. 305 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385447(v=vs.85).aspx 306 * 307 * @param Session [in] A remote session handle that the {@link Wevtapi#EvtOpenSession} function returns. 308 * Set to NULL to open a channel or log on the local computer. 309 * @param Path [in] The name of the channel or the full path to the exported log file. 310 * @param Flags [in] A flag that determines whether the Path parameter points to a log file or channel. 311 * For possible values, see the {@link Winevt.EVT_OPEN_LOG_FLAGS} enumeration. 312 * @return If successful, the function returns a handle to the file or channel; 313 * otherwise, NULL. If NULL, call {@link Kernel32#GetLastError} function to get the error code. 314 */ EvtOpenLog(EVT_HANDLE Session, String Path, int Flags)315 EVT_HANDLE EvtOpenLog(EVT_HANDLE Session, String Path, int Flags); 316 317 /** 318 * Gets information about a channel or log file. 319 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385385(v=vs.85).aspx 320 * 321 * @param Log [in] A handle to the channel or log file that the {@link Wevtapi#EvtOpenLog} 322 * function returns. 323 * @param PropertyId [in] The identifier of the property to retrieve. For a list of property 324 * identifiers, see the {@link Winevt.EVT_LOG_PROPERTY_ID} enumeration. 325 * @param PropertyValueBufferSize [in] The size of the PropertyValueBuffer buffer, in bytes. 326 * @param PropertyValueBuffer [in] A caller-allocated buffer that will receive the property value. The buffer 327 * contains an EVT_VARIANT object. You can set this parameter to NULL to determine 328 * the required buffer size. 329 * @param PropertyValueBufferUsed [out] The size, in bytes, of the caller-allocated buffer that 330 * the function used or the required buffer size if the function fails 331 * with ERROR_INSUFFICIENT_BUFFER. 332 * @return True The function was successful, False The function failed. To get the error code, call 333 * the {@link Kernel32#GetLastError} function. 334 */ EvtGetLogInfo(EVT_HANDLE Log, int PropertyId, int PropertyValueBufferSize, Pointer PropertyValueBuffer, IntByReference PropertyValueBufferUsed)335 boolean EvtGetLogInfo(EVT_HANDLE Log, int PropertyId, int PropertyValueBufferSize, Pointer PropertyValueBuffer, 336 IntByReference PropertyValueBufferUsed); 337 338 /** 339 * Removes all events from the specified channel and writes them to the target log file. 340 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385340(v=vs.85).aspx 341 * 342 * @param Session [in, optional] A remote session handle that the {@link Wevtapi#EvtOpenSession} function 343 * returns. Set to NULL for local channels. 344 * @param ChannelPath [in] The name of the channel to clear. 345 * @param TargetFilePath [in, optional] The full path to the target log file that will receive the events. 346 * Set to NULL to clear the log file and not save the events. 347 * @param Flags [in] Reserved. Must be zero. 348 * @return True The function was successful, False The function failed. To get the error code, call 349 * the {@link Kernel32#GetLastError} function. 350 */ EvtClearLog(EVT_HANDLE Session, String ChannelPath, String TargetFilePath, int Flags)351 boolean EvtClearLog(EVT_HANDLE Session, String ChannelPath, String TargetFilePath, int Flags); 352 353 /** 354 * Copies events from the specified channel or log file and writes them to the target log file. 355 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385355(v=vs.85).aspx 356 * 357 * @param Session [in, optional] A remote session handle that the {@link Wevtapi#EvtOpenSession} function 358 * returns. Set to NULL for local channels. 359 * @param Path [in] The name of the channel or the full path to a log file that contains the events that 360 * you want to export. If the Query parameter contains an XPath query, you must specify 361 * the channel or log file. If the Flags parameter contains 362 * {@link Winevt.EVT_EXPORTLOG_FLAGS#EvtExportLogFilePath}, you must specify the log file. 363 * If the Query parameter contains a structured XML query, the channel or path that you 364 * specify here must match the channel or path in the query. If the Flags parameter contains 365 * {@link Winevt.EVT_EXPORTLOG_FLAGS#EvtExportLogChannelPath}, this parameter can be NULL 366 * if the query is a structured XML query that specifies the channel. 367 * @param Query [in] A query that specifies the types of events that you want to export. You can specify 368 * an XPath 1.0 query or structured XML query. If your XPath contains more than 20 expressions, 369 * use a structured XML query. To export all events, set this parameter to NULL or "*". 370 * @param TargetFilePath [in] The full path to the target log file that will receive the events. 371 * The target log file must not exist. 372 * @param Flags [in] Flags that indicate whether the events come from a channel or log file. For possible 373 * values, see the {@link Winevt.EVT_EXPORTLOG_FLAGS#EvtExportLogChannelPath} enumeration. 374 * @return True The function was successful, False The function failed. To get the error code, call 375 * the {@link Kernel32#GetLastError} function. 376 */ EvtExportLog(EVT_HANDLE Session, String Path, String Query, String TargetFilePath, int Flags)377 boolean EvtExportLog(EVT_HANDLE Session, String Path, String Query, String TargetFilePath, int Flags); 378 379 /** 380 * Adds localized strings to the events in the specified log file. 381 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385232(v=vs.85).aspx 382 * 383 * @param Session [in] A remote session handle that the {@link Wevtapi#EvtOpenSession} function returns. 384 * Set to NULL for local channels. 385 * @param LogFilePath [in] The full path to the exported log file that contains the events to localize. 386 * @param Locale [in] The locale to use to localize the strings that the service adds to the events in 387 * the log file. If zero, the function uses the calling thread's locale. If the provider's 388 * resources does not contain the locale, the string is empty. 389 * @param Flags [in] Reserved. Must be zero. 390 * @return True The function succeeded, False The function failed. To get the error code, 391 * call the {@link Kernel32#GetLastError} function. 392 */ EvtArchiveExportedLog(EVT_HANDLE Session, String LogFilePath, int Locale, int Flags)393 boolean EvtArchiveExportedLog(EVT_HANDLE Session, String LogFilePath, int Locale, int Flags); 394 395 /** 396 * Gets a handle that you use to enumerate the list of channels that are registered on the computer. 397 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385437(v=vs.85).aspx 398 * 399 * @param Session [in] A remote session handle that the {@link Wevtapi#EvtOpenSession} function returns. 400 * Set to NULL to enumerate the channels on the local computer. 401 * @param Flags [in] Reserved. Must be zero. 402 * @return If successful, the function returns a handle to the list of channel names that are registered on 403 * the computer; otherwise, NULL. If NULL, call {@link Kernel32#GetLastError} function to get the error code. 404 */ EvtOpenChannelEnum(EVT_HANDLE Session, int Flags)405 EVT_HANDLE EvtOpenChannelEnum(EVT_HANDLE Session, int Flags); 406 407 /** 408 * Gets a channel name from the enumerator. 409 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385412(v=vs.85).aspx 410 * 411 * @param ChannelEnum [in] A handle to the enumerator that the {@link Wevtapi#EvtOpenChannelEnum} 412 * function returns. 413 * @param ChannelPathBufferSize [in] The size of the ChannelPathBuffer buffer, in characters. 414 * @param ChannelPathBuffer [in] A caller-allocated buffer that will receive the name of the channel. 415 * You can set this parameter to NULL to determine the required buffer size. 416 * @param ChannelPathBufferUsed [out] The size, in characters, of the caller-allocated buffer that the function 417 * used or the required buffer size if the function fails with ERROR_INSUFFICIENT_BUFFER. 418 * @return True The function succeeded, False The function failed. To get the error code, 419 * call the {@link Kernel32#GetLastError} function. 420 */ EvtNextChannelPath(EVT_HANDLE ChannelEnum, int ChannelPathBufferSize, char[] ChannelPathBuffer, IntByReference ChannelPathBufferUsed)421 boolean EvtNextChannelPath(EVT_HANDLE ChannelEnum, int ChannelPathBufferSize, char[] ChannelPathBuffer, 422 IntByReference ChannelPathBufferUsed); 423 424 /** 425 * Gets a handle that you use to read or modify a channel's configuration property. 426 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385430(v=vs.85).aspx 427 * 428 * @param Session [in] A remote session handle that the {@link Wevtapi#EvtOpenSession} function returns. 429 * Set to NULL to access a channel on the local computer. 430 * @param ChannelPath [in] The name of the channel to access. 431 * @param Flags [in] Reserved. Must be zero. 432 * @return If successful, the function returns a handle to the channel's configuration; 433 * otherwise, NULL. If NULL, call GetLastError function to get the error code. 434 */ EvtOpenChannelConfig(EVT_HANDLE Session, String ChannelPath, int Flags)435 EVT_HANDLE EvtOpenChannelConfig(EVT_HANDLE Session, String ChannelPath, int Flags); 436 437 /** 438 * Saves the changes made to a channel's configuration. 439 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385477(v=vs.85).aspx 440 * 441 * @param ChannelConfig [in] A handle to the channel's configuration properties that 442 * the {@link Wevtapi#EvtOpenChannelConfig} function returns. 443 * @param Flags [in] Reserved. Must be zero. 444 * @return True The function succeeded, False The function failed. To get the error code, 445 * call the {@link Kernel32#GetLastError} function. 446 */ EvtSaveChannelConfig(EVT_HANDLE ChannelConfig, int Flags)447 boolean EvtSaveChannelConfig(EVT_HANDLE ChannelConfig, int Flags); 448 449 /** 450 * Sets the specified configuration property of a channel. 451 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385484(v=vs.85).aspx 452 * 453 * @param ChannelConfig [in] A handle to the channel's configuration properties that 454 * the {@link Wevtapi#EvtOpenChannelConfig} function returns. 455 * @param PropertyId [in] The identifier of the channel property to set. For a list of property identifiers, 456 * see the {@link Winevt.EVT_CHANNEL_CONFIG_PROPERTY_ID} enumeration. 457 * @param Flags [in] Reserved. Must be zero. 458 * @param PropertyValue [in] The property value to set. 459 * A caller-allocated buffer that contains the new configuration property value. 460 * The buffer contains an EVT_VARIANT object. Be sure to set the configuration value and 461 * variant type. 462 * @return True The function succeeded, False The function failed. To get the error code, 463 * call the {@link Kernel32#GetLastError} function. 464 */ EvtSetChannelConfigProperty(EVT_HANDLE ChannelConfig, int PropertyId, int Flags, EVT_VARIANT PropertyValue)465 boolean EvtSetChannelConfigProperty(EVT_HANDLE ChannelConfig, int PropertyId, int Flags, EVT_VARIANT PropertyValue); 466 467 /** 468 * Gets the specified channel configuration property. 469 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385362(v=vs.85).aspx 470 * 471 * @param ChannelConfig [in] A handle to the channel's configuration properties that 472 * the {@link Wevtapi#EvtOpenChannelConfig} function returns. 473 * @param PropertyId [in] The identifier of the channel property to retrieve. For a list of property 474 * identifiers, see the {@link Winevt.EVT_CHANNEL_CONFIG_PROPERTY_ID} enumeration. 475 * @param Flags [in] Reserved. Must be zero. 476 * @param PropertyValueBufferSize [in] The size of the PropertyValueBuffer buffer, in bytes. 477 * @param PropertyValueBuffer [in] A caller-allocated buffer that will receive the configuration property. 478 * The buffer contains an EVT_VARIANT object. You can set this parameter to NULL 479 * to determine the required buffer size. 480 * @param PropertyValueBufferUsed [out] The size, in bytes, of the caller-allocated buffer that the function 481 * used or the required buffer size if the function fails with ERROR_INSUFFICIENT_BUFFER. 482 * @return True The function succeeded, False The function failed. To get the error code, 483 * call the {@link Kernel32#GetLastError} function. 484 */ EvtGetChannelConfigProperty(EVT_HANDLE ChannelConfig, int PropertyId, int Flags, int PropertyValueBufferSize, Pointer PropertyValueBuffer, IntByReference PropertyValueBufferUsed)485 boolean EvtGetChannelConfigProperty(EVT_HANDLE ChannelConfig, int PropertyId, int Flags, int PropertyValueBufferSize, 486 Pointer PropertyValueBuffer, IntByReference PropertyValueBufferUsed); 487 488 /** 489 * Gets a handle that you use to enumerate the list of registered providers on the computer. 490 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385451(v=vs.85).aspx 491 * 492 * @param Session [in] A remote session handle that the {@link Wevtapi#EvtOpenSession} function returns. 493 * Set to NULL to enumerate the registered providers on the local computer. 494 * @param Flags [in] Reserved. Must be zero. 495 * @return If successful, the function returns a handle to the list of registered providers; 496 * otherwise, NULL. If NULL, call {@link Kernel32#GetLastError} function to get the error code. 497 */ EvtOpenPublisherEnum(EVT_HANDLE Session, int Flags)498 EVT_HANDLE EvtOpenPublisherEnum(EVT_HANDLE Session, int Flags); 499 500 /** 501 * Gets the identifier of a provider from the enumerator. 502 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385425(v=vs.85).aspx 503 * 504 * @param PublisherEnum [in] A handle to the registered providers enumerator that 505 * the {@link Wevtapi#EvtOpenPublisherEnum} function returns. 506 * @param PublisherIdBufferSize [in] The size of the PublisherIdBuffer buffer, in characters. 507 * @param PublisherIdBuffer [in] A caller-allocated buffer that will receive the name of the registered 508 * provider. You can set this parameter to NULL to determine the required buffer size. 509 * @param PublisherIdBufferUsed [out] The size, in characters, of the caller-allocated buffer that the function 510 * used or the required buffer size if the function fails with ERROR_INSUFFICIENT_BUFFER. 511 * @return If successful, the function returns a handle to the list of registered providers; 512 * otherwise, NULL. If NULL, call {@link Kernel32#GetLastError} function to get the error code. 513 */ EvtNextPublisherId(EVT_HANDLE PublisherEnum, int PublisherIdBufferSize, char[] PublisherIdBuffer, IntByReference PublisherIdBufferUsed)514 boolean EvtNextPublisherId(EVT_HANDLE PublisherEnum, int PublisherIdBufferSize, char[] PublisherIdBuffer, 515 IntByReference PublisherIdBufferUsed); 516 517 /** 518 * Gets a handle that you use to read the specified provider's metadata. 519 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385458(v=vs.85).aspx 520 * 521 * @param EvtHandleSession [in, optional] A remote session handle that the {@link Wevtapi#EvtOpenSession} 522 * function returns. Set to NULL to get the metadata for a provider on the local computer. 523 * @param PublisherIdentity [in] The name of the provider. To enumerate the names of the providers registered on 524 * the computer, call the {@link Wevtapi#EvtOpenPublisherEnum} function. 525 * @param LogFilePath [in, optional] The full path to an archived log file that contains the events that 526 * the provider logged. An archived log file also contains the provider's metadata. Use 527 * this parameter when the provider is not registered on the local computer. Set to NULL 528 * when reading the metadata from a registered provider.. 529 * @param Locale [in] The locale identifier to use when accessing the localized metadata from 530 * the provider. To create the locale identifier, use the MAKELCID macro. Set to 0 to use 531 * the locale identifier of the calling thread. 532 * @param Flags [in] Reserved. Must be zero. 533 * @return If successful, the function returns a handle to the provider's metadata; 534 * otherwise, NULL. If NULL, call {@link Kernel32#GetLastError} function to get the error code. 535 */ EvtOpenPublisherMetadata(EVT_HANDLE EvtHandleSession, String PublisherIdentity, String LogFilePath, int Locale, int Flags)536 EVT_HANDLE EvtOpenPublisherMetadata(EVT_HANDLE EvtHandleSession, String PublisherIdentity, String LogFilePath, int Locale, int Flags); 537 538 /** 539 * Gets the specified provider metadata property. 540 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385399(v=vs.85).aspx 541 * 542 * @param PublisherMetadata [in] A handle to the metadata that 543 * the {@link Wevtapi#EvtOpenPublisherMetadata} function returns. 544 * @param PropertyId [in] The identifier of the metadata property to retrieve. 545 * For a list of property identifiers, see 546 * the {@link Winevt.EVT_PUBLISHER_METADATA_PROPERTY_ID} enumeration. 547 * @param Flags [in] Reserved. Must be zero. 548 * @param PublisherMetadataPropertyBufferSize [in] The size of the PublisherMetadataPropertyBuffer buffer, 549 * in bytes. 550 * @param PublisherMetadataPropertyBuffer [in] A caller-allocated buffer that will receive the metadata 551 * property. The buffer contains an EVT_VARIANT object. You can set this 552 * parameter to NULL to determine the required buffer size. 553 * @param PublisherMetadataPropertyBufferUsed [out] The size, in bytes, of the caller-allocated buffer that 554 * the function used or the required buffer size if the function fails 555 * with ERROR_INSUFFICIENT_BUFFER. 556 * @return True The function succeeded, False The function failed. To get the error code, 557 * call the {@link Kernel32#GetLastError} function. 558 */ EvtGetPublisherMetadataProperty(EVT_HANDLE PublisherMetadata, int PropertyId, int Flags, int PublisherMetadataPropertyBufferSize, Pointer PublisherMetadataPropertyBuffer, IntByReference PublisherMetadataPropertyBufferUsed)559 boolean EvtGetPublisherMetadataProperty(EVT_HANDLE PublisherMetadata, int PropertyId, int Flags, 560 int PublisherMetadataPropertyBufferSize, 561 Pointer PublisherMetadataPropertyBuffer, 562 IntByReference PublisherMetadataPropertyBufferUsed); 563 564 /** 565 * Gets a handle that you use to enumerate the list of events that the provider defines. 566 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385446(v=vs.85).aspx 567 * 568 * @param PublisherMetadata [in] A handle to the provider's metadata that 569 * the {@link Wevtapi#EvtOpenPublisherMetadata} function returns. 570 * @param Flags [in] Reserved. Must be zero. 571 * @return If successful, the function returns a handle to the list of events that the provider defines; 572 * otherwise, NULL. If NULL, call {@link Kernel32#GetLastError} function to get the error code. 573 */ EvtOpenEventMetadataEnum(EVT_HANDLE PublisherMetadata, int Flags)574 EVT_HANDLE EvtOpenEventMetadataEnum(EVT_HANDLE PublisherMetadata, int Flags); 575 576 /** 577 * Gets an event definition from the enumerator. 578 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385419(v=vs.85).asp 579 * 580 * @param EventMetadataEnum [in] A handle to the event definition enumerator that 581 * the {@link Wevtapi#EvtOpenEventMetadataEnum} function returns. 582 * @param Flags [in] Reserved. Must be zero. 583 * @return If successful, the function returns a handle to the event's metadata; 584 * otherwise, NULL. If NULL, call {@link Kernel32#GetLastError} function to get the error code. 585 */ EvtNextEventMetadata(EVT_HANDLE EventMetadataEnum, int Flags)586 EVT_HANDLE EvtNextEventMetadata(EVT_HANDLE EventMetadataEnum, int Flags); 587 588 /** 589 * Gets the specified event metadata property. 590 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385376(v=vs.85).aspx 591 * 592 * @param EventMetadata [in] A handle to the event metadata that 593 * the {@link Wevtapi#EvtNextEventMetadata} function returns. 594 * @param PropertyId [in] The identifier of the metadata property to retrieve. For a list of 595 * property identifiers, see 596 * the {@link Winevt.EVT_EVENT_METADATA_PROPERTY_ID} enumeration. 597 * @param Flags [in] Reserved. Must be zero. 598 * @param EventMetadataPropertyBufferSize [in] The size of the EventMetadataPropertyBuffer buffer, in bytes. 599 * @param Buffer [in] A caller-allocated buffer that will receive the metadata property. 600 * The buffer contains an EVT_VARIANT object. You can set this parameter to 601 * NULL to determine the required buffer size. 602 * @param BufferUsed [out] The size, in bytes, of the caller-allocated buffer that 603 * the function used or the required buffer size if the function fails 604 * with ERROR_INSUFFICIENT_BUFFER. 605 * @return True The function succeeded, False The function failed. To get the error code, 606 * call the {@link Kernel32#GetLastError} function. 607 */ EvtGetEventMetadataProperty(EVT_HANDLE EventMetadata, int PropertyId, int Flags, int EventMetadataPropertyBufferSize, Pointer Buffer, IntByReference BufferUsed)608 boolean EvtGetEventMetadataProperty(EVT_HANDLE EventMetadata, int PropertyId, int Flags, 609 int EventMetadataPropertyBufferSize, Pointer Buffer, IntByReference BufferUsed); 610 611 /** 612 * Gets the number of elements in the array of objects. 613 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385394(v=vs.85).aspx 614 * 615 * @param ObjectArray [in] A handle to an array of objects that 616 * the {@link Wevtapi#EvtGetPublisherMetadataProperty} function returns. 617 * @param ObjectArraySize [out] The number of elements in the array. 618 * @return True The function succeeded, False The function failed. To get the error code, 619 * call the {@link Kernel32#GetLastError} function. 620 */ EvtGetObjectArraySize(Pointer ObjectArray, IntByReference ObjectArraySize)621 boolean EvtGetObjectArraySize(Pointer ObjectArray, IntByReference ObjectArraySize); 622 623 /** 624 * Gets a provider metadata property from the specified object in the array. 625 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385389(v=vs.85).aspx 626 * 627 * @param ObjectArray [in] A handle to an array of objects that 628 * the {@link Wevtapi#EvtGetPublisherMetadataProperty} function returns. 629 * @param PropertyId [in] The property identifier of the metadata property that you want to get from 630 * the specified object. For possible values, see the Remarks section of 631 * {@link Winevt.EVT_PUBLISHER_METADATA_PROPERTY_ID}. 632 * @param ArrayIndex [in] The zero-based index of the object in the array. 633 * @param Flags [in] Reserved. Must be zero. 634 * @param PropertyValueBufferSize [in] The size of the PropertyValueBuffer buffer, in bytes. 635 * @param PropertyValueBuffer [in] A caller-allocated buffer that will receive the metadata property. 636 * The buffer contains an EVT_VARIANT object. You can set this parameter to NULL 637 * to determine the required buffer size. 638 * @param PropertyValueBufferUsed [in] The size, in bytes, of the caller-allocated buffer that the function used 639 * or the required buffer size if the function fails with ERROR_INSUFFICIENT_BUFFER. 640 * @return True The function succeeded, False The function failed. To get the error code, 641 * call the {@link Kernel32#GetLastError} function. 642 */ EvtGetObjectArrayProperty(Pointer ObjectArray, int PropertyId, int ArrayIndex, int Flags, int PropertyValueBufferSize, Pointer PropertyValueBuffer, IntByReference PropertyValueBufferUsed)643 boolean EvtGetObjectArrayProperty(Pointer ObjectArray, int PropertyId, int ArrayIndex, int Flags, 644 int PropertyValueBufferSize, Pointer PropertyValueBuffer, 645 IntByReference PropertyValueBufferUsed); 646 647 /** 648 * Gets information about a query that you ran that identifies the list of channels or log files that the query 649 * attempted to access. The function also gets a list of return codes that indicates the success or failure of each 650 * access. 651 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa820606(v=vs.85).aspx 652 * 653 * @param QueryOrSubscription [in] A handle to the query that the {@link Wevtapi#EvtQuery} or 654 * {@link Wevtapi#EvtSubscribe} function returns. 655 * @param PropertyId [in] The identifier of the query information to retrieve. For a list of 656 * identifiers, see the {@link Winevt.EVT_QUERY_PROPERTY_ID} enumeration. 657 * @param PropertyValueBufferSize [in] The size of the PropertyValueBuffer buffer, in bytes. 658 * @param PropertyValueBuffer [in] A caller-allocated buffer that will receive the query information. 659 * The buffer contains an EVT_VARIANT object. You can set this parameter to NULL to 660 * determine the required buffer size. 661 * @param PropertyValueBufferUsed [out] The size, in bytes, of the caller-allocated buffer that the 662 * function used or the required buffer size if the function fails 663 * with ERROR_INSUFFICIENT_BUFFER. 664 * @return True The function succeeded, False The function failed. To get the error code, 665 * call the {@link Kernel32#GetLastError} function. 666 */ EvtGetQueryInfo(EVT_HANDLE QueryOrSubscription, int PropertyId, int PropertyValueBufferSize, Pointer PropertyValueBuffer, IntByReference PropertyValueBufferUsed)667 boolean EvtGetQueryInfo(EVT_HANDLE QueryOrSubscription, int PropertyId, int PropertyValueBufferSize, 668 Pointer PropertyValueBuffer, IntByReference PropertyValueBufferUsed); 669 670 /** 671 * Creates a bookmark that identifies an event in a channel. 672 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385348(v=vs.85).aspx 673 * 674 * @param BookmarkXml [in, optional] An XML string that contains the bookmark or NULL if creating a bookmark. 675 * @return A handle to the bookmark if the call succeeds; 676 * otherwise, NULL. If NULL, call the {@link Kernel32#GetLastError} function to get the error code. 677 */ EvtCreateBookmark(String BookmarkXml)678 EVT_HANDLE EvtCreateBookmark(String BookmarkXml); 679 680 /** 681 * Updates the bookmark with information that identifies the specified event. 682 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385489(v=vs.85).aspx 683 * 684 * @param Bookmark [in] The handle to the bookmark to be updated. The {@link Wevtapi#EvtCreateBookmark} function 685 * returns this handle. 686 * @param Event [in] The handle to the event to bookmark. 687 * @return True The function succeeded, False The function failed. To get the error code, 688 * call the {@link Kernel32#GetLastError} function. 689 */ EvtUpdateBookmark(EVT_HANDLE Bookmark, EVT_HANDLE Event)690 boolean EvtUpdateBookmark(EVT_HANDLE Bookmark, EVT_HANDLE Event); 691 692 /** 693 * Gets information that identifies the structured XML query that selected the event and the channel or log file 694 * that contained the event. 695 * https://msdn.microsoft.com/en-us/library/windows/desktop/aa385372(v=vs.85).aspx 696 * 697 * @param Event [in] A handle to an event for which you want to retrieve information. 698 * @param PropertyId [in] A flag that identifies the information to retrieve. For example, the query 699 * identifier or the path. For possible values, 700 * see the {@link Winevt.EVT_EVENT_PROPERTY_ID} enumeration. 701 * @param PropertyValueBufferSize [in] The size of the PropertyValueBuffer buffer, in bytes. 702 * @param PropertyValueBuffer [in] A caller-allocated buffer that will receive the information. The buffer 703 * contains an EVT_VARIANT object. You can set this parameter to NULL to determine 704 * the required buffer size. 705 * @param PropertyValueBufferUsed [in] The size, in bytes, of the caller-allocated buffer that the function used 706 * or the required buffer size if the function fails with ERROR_INSUFFICIENT_BUFFER. 707 * @return True The function succeeded, False The function failed. To get the error code, 708 * call the {@link Kernel32#GetLastError} function. 709 */ EvtGetEventInfo(EVT_HANDLE Event, int PropertyId, int PropertyValueBufferSize, Pointer PropertyValueBuffer, IntByReference PropertyValueBufferUsed)710 boolean EvtGetEventInfo(EVT_HANDLE Event, int PropertyId, int PropertyValueBufferSize, Pointer PropertyValueBuffer, 711 IntByReference PropertyValueBufferUsed); 712 713 } 714