1 // ==++== 2 // 3 // Copyright (c) Microsoft Corporation. All rights reserved. 4 // 5 // ==--== 6 /*============================================================ 7 ** 8 ** Class: UnsafeNativeMethods 9 ** 10 ============================================================*/ 11 namespace Microsoft.Win32 { 12 13 using Microsoft.Win32; 14 using Microsoft.Win32.SafeHandles; 15 using System; 16 using System.Configuration.Assemblies; 17 using System.Runtime.CompilerServices; 18 using System.Runtime.ConstrainedExecution; 19 using System.Runtime.InteropServices; 20 using System.Runtime.Remoting; 21 using System.Security.Principal; 22 using System.Runtime.Serialization; 23 using System.Threading; 24 using System.Runtime.Versioning; 25 using System.Security; 26 using System.Security.Permissions; 27 using System.Text; 28 using System.Diagnostics.Eventing; 29 using System.Diagnostics.Eventing.Reader; 30 31 [SuppressUnmanagedCodeSecurityAttribute()] 32 internal static class UnsafeNativeMethods { 33 34 internal const String KERNEL32 = "kernel32.dll"; 35 internal const String ADVAPI32 = "advapi32.dll"; 36 internal const String WEVTAPI = "wevtapi.dll"; 37 internal static readonly IntPtr NULL = IntPtr.Zero; 38 39 // 40 // Win32 IO 41 // 42 internal const int CREDUI_MAX_USERNAME_LENGTH = 513; 43 44 45 // WinError.h codes: 46 47 internal const int ERROR_SUCCESS = 0x0; 48 internal const int ERROR_FILE_NOT_FOUND = 0x2; 49 internal const int ERROR_PATH_NOT_FOUND = 0x3; 50 internal const int ERROR_ACCESS_DENIED = 0x5; 51 internal const int ERROR_INVALID_HANDLE = 0x6; 52 53 // Can occurs when filled buffers are trying to flush to disk, but disk IOs are not fast enough. 54 // This happens when the disk is slow and event traffic is heavy. 55 // Eventually, there are no more free (empty) buffers and the event is dropped. 56 internal const int ERROR_NOT_ENOUGH_MEMORY = 0x8; 57 58 internal const int ERROR_INVALID_DRIVE = 0xF; 59 internal const int ERROR_NO_MORE_FILES = 0x12; 60 internal const int ERROR_NOT_READY = 0x15; 61 internal const int ERROR_BAD_LENGTH = 0x18; 62 internal const int ERROR_SHARING_VIOLATION = 0x20; 63 internal const int ERROR_LOCK_VIOLATION = 0x21; // 33 64 internal const int ERROR_HANDLE_EOF = 0x26; // 38 65 internal const int ERROR_FILE_EXISTS = 0x50; 66 internal const int ERROR_INVALID_PARAMETER = 0x57; // 87 67 internal const int ERROR_BROKEN_PIPE = 0x6D; // 109 68 internal const int ERROR_INSUFFICIENT_BUFFER = 0x7A; // 122 69 internal const int ERROR_INVALID_NAME = 0x7B; 70 internal const int ERROR_BAD_PATHNAME = 0xA1; 71 internal const int ERROR_ALREADY_EXISTS = 0xB7; 72 internal const int ERROR_ENVVAR_NOT_FOUND = 0xCB; 73 internal const int ERROR_FILENAME_EXCED_RANGE = 0xCE; // filename too long 74 internal const int ERROR_PIPE_BUSY = 0xE7; // 231 75 internal const int ERROR_NO_DATA = 0xE8; // 232 76 internal const int ERROR_PIPE_NOT_CONNECTED = 0xE9; // 233 77 internal const int ERROR_MORE_DATA = 0xEA; 78 internal const int ERROR_NO_MORE_ITEMS = 0x103; // 259 79 internal const int ERROR_PIPE_CONNECTED = 0x217; // 535 80 internal const int ERROR_PIPE_LISTENING = 0x218; // 536 81 internal const int ERROR_OPERATION_ABORTED = 0x3E3; // 995; For IO Cancellation 82 internal const int ERROR_IO_PENDING = 0x3E5; // 997 83 internal const int ERROR_NOT_FOUND = 0x490; // 1168 84 85 // The event size is larger than the allowed maximum (64k - header). 86 internal const int ERROR_ARITHMETIC_OVERFLOW = 0x216; // 534 87 88 internal const int ERROR_RESOURCE_LANG_NOT_FOUND = 0x717; // 1815 89 90 91 // Event log specific codes: 92 93 internal const int ERROR_EVT_MESSAGE_NOT_FOUND = 15027; 94 internal const int ERROR_EVT_MESSAGE_ID_NOT_FOUND = 15028; 95 internal const int ERROR_EVT_UNRESOLVED_VALUE_INSERT = 15029; 96 internal const int ERROR_EVT_UNRESOLVED_PARAMETER_INSERT = 15030; 97 internal const int ERROR_EVT_MAX_INSERTS_REACHED = 15031; 98 internal const int ERROR_EVT_MESSAGE_LOCALE_NOT_FOUND = 15033; 99 internal const int ERROR_MUI_FILE_NOT_FOUND = 15100; 100 101 102 internal const int SECURITY_SQOS_PRESENT = 0x00100000; 103 internal const int SECURITY_ANONYMOUS = 0 << 16; 104 internal const int SECURITY_IDENTIFICATION = 1 << 16; 105 internal const int SECURITY_IMPERSONATION = 2 << 16; 106 internal const int SECURITY_DELEGATION = 3 << 16; 107 108 internal const int GENERIC_READ = unchecked((int)0x80000000); 109 internal const int GENERIC_WRITE = 0x40000000; 110 111 internal const int STD_INPUT_HANDLE = -10; 112 internal const int STD_OUTPUT_HANDLE = -11; 113 internal const int STD_ERROR_HANDLE = -12; 114 115 internal const int DUPLICATE_SAME_ACCESS = 0x00000002; 116 117 internal const int PIPE_ACCESS_INBOUND = 1; 118 internal const int PIPE_ACCESS_OUTBOUND = 2; 119 internal const int PIPE_ACCESS_DUPLEX = 3; 120 internal const int PIPE_TYPE_BYTE = 0; 121 internal const int PIPE_TYPE_MESSAGE = 4; 122 internal const int PIPE_READMODE_BYTE = 0; 123 internal const int PIPE_READMODE_MESSAGE = 2; 124 internal const int PIPE_UNLIMITED_INSTANCES = 255; 125 126 internal const int FILE_FLAG_FIRST_PIPE_INSTANCE = 0x00080000; 127 internal const int FILE_SHARE_READ = 0x00000001; 128 internal const int FILE_SHARE_WRITE = 0x00000002; 129 internal const int FILE_ATTRIBUTE_NORMAL = 0x00000080; 130 131 internal const int FILE_FLAG_OVERLAPPED = 0x40000000; 132 133 internal const int OPEN_EXISTING = 3; 134 135 // From WinBase.h 136 internal const int FILE_TYPE_DISK = 0x0001; 137 internal const int FILE_TYPE_CHAR = 0x0002; 138 internal const int FILE_TYPE_PIPE = 0x0003; 139 140 // Memory mapped file constants 141 internal const int MEM_COMMIT = 0x1000; 142 internal const int MEM_RESERVE = 0x2000; 143 internal const int INVALID_FILE_SIZE = -1; 144 internal const int PAGE_READWRITE = 0x04; 145 internal const int PAGE_READONLY = 0x02; 146 internal const int PAGE_WRITECOPY = 0x08; 147 internal const int PAGE_EXECUTE_READ = 0x20; 148 internal const int PAGE_EXECUTE_READWRITE = 0x40; 149 150 internal const int FILE_MAP_COPY = 0x0001; 151 internal const int FILE_MAP_WRITE = 0x0002; 152 internal const int FILE_MAP_READ = 0x0004; 153 internal const int FILE_MAP_EXECUTE = 0x0020; 154 155 [StructLayout(LayoutKind.Sequential)] 156 internal class SECURITY_ATTRIBUTES { 157 internal int nLength; 158 [SecurityCritical] 159 internal unsafe byte* pSecurityDescriptor; 160 internal int bInheritHandle; 161 } 162 163 [DllImport(KERNEL32)] 164 [SecurityCritical] GetFileType(SafeFileHandle handle)165 internal static extern int GetFileType(SafeFileHandle handle); 166 167 [DllImport(KERNEL32, SetLastError = true)] 168 [SecurityCritical] WriteFile(SafeFileHandle handle, byte* bytes, int numBytesToWrite, out int numBytesWritten, NativeOverlapped* lpOverlapped)169 internal static unsafe extern int WriteFile(SafeFileHandle handle, byte* bytes, int numBytesToWrite, 170 out int numBytesWritten, NativeOverlapped* lpOverlapped); 171 172 // Disallow access to all non-file devices from methods that take 173 // a String. This disallows DOS devices like "con:", "com1:", 174 // "lpt1:", etc. Use this to avoid security problems, like allowing 175 // a web client asking a server for "http://server/com1.aspx" and 176 // then causing a worker process to hang. 177 [DllImport(KERNEL32, CharSet = CharSet.Auto, SetLastError = true)] 178 [SecurityCritical] CreateFile(String lpFileName, int dwDesiredAccess, System.IO.FileShare dwShareMode, SECURITY_ATTRIBUTES securityAttrs, System.IO.FileMode dwCreationDisposition, int dwFlagsAndAttributes, IntPtr hTemplateFile)179 private static extern SafeFileHandle CreateFile(String lpFileName, 180 int dwDesiredAccess, System.IO.FileShare dwShareMode, 181 SECURITY_ATTRIBUTES securityAttrs, System.IO.FileMode dwCreationDisposition, 182 int dwFlagsAndAttributes, IntPtr hTemplateFile); 183 184 [ResourceExposure(ResourceScope.Machine)] 185 [ResourceConsumption(ResourceScope.Machine)] 186 [SecurityCritical] SafeCreateFile(String lpFileName, int dwDesiredAccess, System.IO.FileShare dwShareMode, SECURITY_ATTRIBUTES securityAttrs, System.IO.FileMode dwCreationDisposition, int dwFlagsAndAttributes, IntPtr hTemplateFile)187 internal static SafeFileHandle SafeCreateFile(String lpFileName, 188 int dwDesiredAccess, System.IO.FileShare dwShareMode, 189 SECURITY_ATTRIBUTES securityAttrs, System.IO.FileMode dwCreationDisposition, 190 int dwFlagsAndAttributes, IntPtr hTemplateFile) { 191 SafeFileHandle handle = CreateFile(lpFileName, dwDesiredAccess, dwShareMode, 192 securityAttrs, dwCreationDisposition, 193 dwFlagsAndAttributes, hTemplateFile); 194 195 if (!handle.IsInvalid) { 196 int fileType = UnsafeNativeMethods.GetFileType(handle); 197 if (fileType != UnsafeNativeMethods.FILE_TYPE_DISK) { 198 handle.Dispose(); 199 throw new NotSupportedException(SR.GetString(SR.NotSupported_IONonFileDevices)); 200 } 201 } 202 return handle; 203 } 204 205 206 // From WinBase.h 207 internal const int SEM_FAILCRITICALERRORS = 1; 208 209 [DllImport(KERNEL32, SetLastError = false)] 210 [ResourceExposure(ResourceScope.Process)] 211 [SecurityCritical] SetErrorMode(int newMode)212 internal static extern int SetErrorMode(int newMode); 213 214 [DllImport(KERNEL32, SetLastError = true, EntryPoint = "SetFilePointer")] 215 [ResourceExposure(ResourceScope.None)] 216 [SecurityCritical] SetFilePointerWin32(SafeFileHandle handle, int lo, int* hi, int origin)217 private unsafe static extern int SetFilePointerWin32(SafeFileHandle handle, int lo, int* hi, int origin); 218 219 [ResourceExposure(ResourceScope.None)] 220 [SecurityCritical] SetFilePointer(SafeFileHandle handle, long offset, System.IO.SeekOrigin origin, out int hr)221 internal unsafe static long SetFilePointer(SafeFileHandle handle, long offset, System.IO.SeekOrigin origin, out int hr) { 222 hr = 0; 223 int lo = (int)offset; 224 int hi = (int)(offset >> 32); 225 lo = SetFilePointerWin32(handle, lo, &hi, (int)origin); 226 227 if (lo == -1 && ((hr = Marshal.GetLastWin32Error()) != 0)) 228 return -1; 229 return (long)(((ulong)((uint)hi)) << 32) | ((uint)lo); 230 } 231 232 // 233 // ErrorCode & format 234 // 235 236 // Use this to translate error codes like the above into HRESULTs like 237 238 // 0x80070006 for ERROR_INVALID_HANDLE MakeHRFromErrorCode(int errorCode)239 internal static int MakeHRFromErrorCode(int errorCode) { 240 return unchecked(((int)0x80070000) | errorCode); 241 } 242 243 // for win32 error message formatting 244 private const int FORMAT_MESSAGE_IGNORE_INSERTS = 0x00000200; 245 private const int FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000; 246 private const int FORMAT_MESSAGE_ARGUMENT_ARRAY = 0x00002000; 247 248 249 [DllImport(KERNEL32, CharSet = CharSet.Auto, BestFitMapping = false)] 250 [SecurityCritical] FormatMessage(int dwFlags, IntPtr lpSource, int dwMessageId, int dwLanguageId, StringBuilder lpBuffer, int nSize, IntPtr va_list_arguments)251 internal static extern int FormatMessage(int dwFlags, IntPtr lpSource, 252 int dwMessageId, int dwLanguageId, StringBuilder lpBuffer, 253 int nSize, IntPtr va_list_arguments); 254 255 // Gets an error message for a Win32 error code. 256 [SecurityCritical] GetMessage(int errorCode)257 internal static String GetMessage(int errorCode) { 258 StringBuilder sb = new StringBuilder(512); 259 int result = UnsafeNativeMethods.FormatMessage(FORMAT_MESSAGE_IGNORE_INSERTS | 260 FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ARGUMENT_ARRAY, 261 UnsafeNativeMethods.NULL, errorCode, 0, sb, sb.Capacity, UnsafeNativeMethods.NULL); 262 if (result != 0) { 263 // result is the # of characters copied to the StringBuilder on NT, 264 // but on Win9x, it appears to be the number of MBCS buffer. 265 // Just give up and return the String as-is... 266 String s = sb.ToString(); 267 return s; 268 } 269 else { 270 return "UnknownError_Num " + errorCode; 271 } 272 } 273 274 275 // 276 // SafeLibraryHandle 277 // 278 279 [DllImport(KERNEL32, CharSet = System.Runtime.InteropServices.CharSet.Unicode, SetLastError = true)] 280 [ResourceExposure(ResourceScope.Machine)] 281 [SecurityCritical] LoadLibraryEx(string libFilename, IntPtr reserved, int flags)282 internal static extern SafeLibraryHandle LoadLibraryEx(string libFilename, IntPtr reserved, int flags); 283 284 [DllImport(KERNEL32, CharSet = System.Runtime.InteropServices.CharSet.Unicode)] 285 [return: MarshalAs(UnmanagedType.Bool)] 286 [ResourceExposure(ResourceScope.None)] 287 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] 288 [SecurityCritical] FreeLibrary(IntPtr hModule)289 internal static extern bool FreeLibrary(IntPtr hModule); 290 291 292 // 293 // Pipe 294 // 295 296 [DllImport(KERNEL32, SetLastError = true)] 297 [return: MarshalAs(UnmanagedType.Bool)] 298 [SecurityCritical] CloseHandle(IntPtr handle)299 internal static extern bool CloseHandle(IntPtr handle); 300 301 [DllImport(KERNEL32, CharSet = CharSet.Auto, SetLastError = true)] 302 [SecurityCritical] GetCurrentProcess()303 internal static extern IntPtr GetCurrentProcess(); 304 305 [DllImport(KERNEL32, CharSet = CharSet.Auto, SetLastError = true)] 306 [SecurityCritical] 307 [return: MarshalAs(UnmanagedType.Bool)] DuplicateHandle(IntPtr hSourceProcessHandle, SafePipeHandle hSourceHandle, IntPtr hTargetProcessHandle, out SafePipeHandle lpTargetHandle, uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, uint dwOptions)308 internal static extern bool DuplicateHandle(IntPtr hSourceProcessHandle, 309 SafePipeHandle hSourceHandle, IntPtr hTargetProcessHandle, out SafePipeHandle lpTargetHandle, 310 uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, uint dwOptions); 311 312 [DllImport(KERNEL32)] 313 [SecurityCritical] GetFileType(SafePipeHandle handle)314 internal static extern int GetFileType(SafePipeHandle handle); 315 316 [DllImport(KERNEL32, CharSet = CharSet.Auto, SetLastError = true)] 317 [SecurityCritical] 318 [return: MarshalAs(UnmanagedType.Bool)] CreatePipe(out SafePipeHandle hReadPipe, out SafePipeHandle hWritePipe, SECURITY_ATTRIBUTES lpPipeAttributes, int nSize)319 internal static extern bool CreatePipe(out SafePipeHandle hReadPipe, 320 out SafePipeHandle hWritePipe, SECURITY_ATTRIBUTES lpPipeAttributes, int nSize); 321 322 323 [DllImport(KERNEL32, EntryPoint="CreateFile", CharSet = CharSet.Auto, SetLastError = true, BestFitMapping = false)] 324 [SecurityCritical] CreateNamedPipeClient(String lpFileName, int dwDesiredAccess, System.IO.FileShare dwShareMode, UnsafeNativeMethods.SECURITY_ATTRIBUTES securityAttrs, System.IO.FileMode dwCreationDisposition, int dwFlagsAndAttributes, IntPtr hTemplateFile)325 internal static extern SafePipeHandle CreateNamedPipeClient(String lpFileName, 326 int dwDesiredAccess, System.IO.FileShare dwShareMode, 327 UnsafeNativeMethods.SECURITY_ATTRIBUTES securityAttrs, System.IO.FileMode dwCreationDisposition, 328 int dwFlagsAndAttributes, IntPtr hTemplateFile); 329 330 [DllImport(KERNEL32, SetLastError = true)] 331 [SecurityCritical] 332 [return: MarshalAs(UnmanagedType.Bool)] ConnectNamedPipe(SafePipeHandle handle, NativeOverlapped* overlapped)333 unsafe internal static extern bool ConnectNamedPipe(SafePipeHandle handle, NativeOverlapped* overlapped); 334 335 [DllImport(KERNEL32, SetLastError = true)] 336 [SecurityCritical] 337 [return: MarshalAs(UnmanagedType.Bool)] ConnectNamedPipe(SafePipeHandle handle, IntPtr overlapped)338 internal static extern bool ConnectNamedPipe(SafePipeHandle handle, IntPtr overlapped); 339 340 [DllImport(KERNEL32, SetLastError = true, CharSet = CharSet.Auto, BestFitMapping = false)] 341 [SecurityCritical] 342 [return: MarshalAs(UnmanagedType.Bool)] WaitNamedPipe(String name, int timeout)343 public static extern bool WaitNamedPipe(String name, int timeout); 344 345 [DllImport(KERNEL32, CharSet = CharSet.Auto, SetLastError = true)] 346 [SecurityCritical] 347 [return: MarshalAs(UnmanagedType.Bool)] GetNamedPipeHandleState(SafePipeHandle hNamedPipe, out int lpState, IntPtr lpCurInstances, IntPtr lpMaxCollectionCount, IntPtr lpCollectDataTimeout, IntPtr lpUserName, int nMaxUserNameSize)348 internal static extern bool GetNamedPipeHandleState(SafePipeHandle hNamedPipe, out int lpState, 349 IntPtr lpCurInstances, IntPtr lpMaxCollectionCount, IntPtr lpCollectDataTimeout, 350 IntPtr lpUserName, int nMaxUserNameSize); 351 352 [DllImport(KERNEL32, CharSet = CharSet.Auto, SetLastError = true)] 353 [SecurityCritical] 354 [return: MarshalAs(UnmanagedType.Bool)] GetNamedPipeHandleState(SafePipeHandle hNamedPipe, IntPtr lpState, out int lpCurInstances, IntPtr lpMaxCollectionCount, IntPtr lpCollectDataTimeout, IntPtr lpUserName, int nMaxUserNameSize)355 internal static extern bool GetNamedPipeHandleState(SafePipeHandle hNamedPipe, IntPtr lpState, 356 out int lpCurInstances, IntPtr lpMaxCollectionCount, IntPtr lpCollectDataTimeout, 357 IntPtr lpUserName, int nMaxUserNameSize); 358 359 [DllImport(KERNEL32, CharSet = CharSet.Auto, SetLastError = true, BestFitMapping = false)] 360 [SecurityCritical] 361 [return: MarshalAs(UnmanagedType.Bool)] GetNamedPipeHandleState(SafePipeHandle hNamedPipe, IntPtr lpState, IntPtr lpCurInstances, IntPtr lpMaxCollectionCount, IntPtr lpCollectDataTimeout, StringBuilder lpUserName, int nMaxUserNameSize)362 internal static extern bool GetNamedPipeHandleState(SafePipeHandle hNamedPipe, IntPtr lpState, 363 IntPtr lpCurInstances, IntPtr lpMaxCollectionCount, IntPtr lpCollectDataTimeout, 364 StringBuilder lpUserName, int nMaxUserNameSize); 365 366 [DllImport(KERNEL32, CharSet = CharSet.Auto, SetLastError = true)] 367 [SecurityCritical] 368 [return: MarshalAs(UnmanagedType.Bool)] GetNamedPipeInfo(SafePipeHandle hNamedPipe, out int lpFlags, IntPtr lpOutBufferSize, IntPtr lpInBufferSize, IntPtr lpMaxInstances )369 internal static extern bool GetNamedPipeInfo(SafePipeHandle hNamedPipe, 370 out int lpFlags, 371 IntPtr lpOutBufferSize, 372 IntPtr lpInBufferSize, 373 IntPtr lpMaxInstances 374 ); 375 376 [DllImport(KERNEL32, CharSet = CharSet.Auto, SetLastError = true)] 377 [SecurityCritical] 378 [return: MarshalAs(UnmanagedType.Bool)] GetNamedPipeInfo(SafePipeHandle hNamedPipe, IntPtr lpFlags, out int lpOutBufferSize, IntPtr lpInBufferSize, IntPtr lpMaxInstances )379 internal static extern bool GetNamedPipeInfo(SafePipeHandle hNamedPipe, 380 IntPtr lpFlags, 381 out int lpOutBufferSize, 382 IntPtr lpInBufferSize, 383 IntPtr lpMaxInstances 384 ); 385 386 [DllImport(KERNEL32, CharSet = CharSet.Auto, SetLastError = true)] 387 [SecurityCritical] 388 [return: MarshalAs(UnmanagedType.Bool)] GetNamedPipeInfo(SafePipeHandle hNamedPipe, IntPtr lpFlags, IntPtr lpOutBufferSize, out int lpInBufferSize, IntPtr lpMaxInstances )389 internal static extern bool GetNamedPipeInfo(SafePipeHandle hNamedPipe, 390 IntPtr lpFlags, 391 IntPtr lpOutBufferSize, 392 out int lpInBufferSize, 393 IntPtr lpMaxInstances 394 ); 395 396 [DllImport(KERNEL32, CharSet = CharSet.Auto, SetLastError = true)] 397 [SecurityCritical] 398 [return: MarshalAs(UnmanagedType.Bool)] SetNamedPipeHandleState( SafePipeHandle hNamedPipe, int* lpMode, IntPtr lpMaxCollectionCount, IntPtr lpCollectDataTimeout )399 internal static unsafe extern bool SetNamedPipeHandleState( 400 SafePipeHandle hNamedPipe, 401 int* lpMode, 402 IntPtr lpMaxCollectionCount, 403 IntPtr lpCollectDataTimeout 404 ); 405 406 [DllImport(KERNEL32, SetLastError = true)] 407 [SecurityCritical] 408 [return: MarshalAs(UnmanagedType.Bool)] DisconnectNamedPipe(SafePipeHandle hNamedPipe)409 internal static extern bool DisconnectNamedPipe(SafePipeHandle hNamedPipe); 410 411 [DllImport(KERNEL32, SetLastError = true)] 412 [SecurityCritical] 413 [return: MarshalAs(UnmanagedType.Bool)] FlushFileBuffers(SafePipeHandle hNamedPipe)414 internal static extern bool FlushFileBuffers(SafePipeHandle hNamedPipe); 415 416 [DllImport(ADVAPI32, SetLastError = true)] 417 [SecurityCritical] 418 [return: MarshalAs(UnmanagedType.Bool)] 419 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] RevertToSelf()420 internal static extern bool RevertToSelf(); 421 422 [DllImport(ADVAPI32, SetLastError = true)] 423 [SecurityCritical] 424 [return: MarshalAs(UnmanagedType.Bool)] 425 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.MayFail)] ImpersonateNamedPipeClient(SafePipeHandle hNamedPipe)426 internal static extern bool ImpersonateNamedPipeClient(SafePipeHandle hNamedPipe); 427 428 [DllImport(KERNEL32, SetLastError = true, BestFitMapping = false, CharSet = CharSet.Auto)] 429 [SecurityCritical] CreateNamedPipe(string pipeName, int openMode, int pipeMode, int maxInstances, int outBufferSize, int inBufferSize, int defaultTimeout, SECURITY_ATTRIBUTES securityAttributes)430 internal static extern SafePipeHandle CreateNamedPipe(string pipeName, 431 int openMode, int pipeMode, int maxInstances, 432 int outBufferSize, int inBufferSize, int defaultTimeout, 433 SECURITY_ATTRIBUTES securityAttributes); 434 435 // Note there are two different ReadFile prototypes - this is to use 436 // the type system to force you to not trip across a "feature" in 437 // Win32's async IO support. You can't do the following three things 438 // simultaneously: overlapped IO, free the memory for the overlapped 439 // struct in a callback (or an EndRead method called by that callback), 440 // and pass in an address for the numBytesRead parameter. 441 // < 442 443 [DllImport(KERNEL32, SetLastError = true)] 444 [SecurityCritical] ReadFile(SafePipeHandle handle, byte* bytes, int numBytesToRead, IntPtr numBytesRead_mustBeZero, NativeOverlapped* overlapped)445 unsafe internal static extern int ReadFile(SafePipeHandle handle, byte* bytes, int numBytesToRead, 446 IntPtr numBytesRead_mustBeZero, NativeOverlapped* overlapped); 447 448 [DllImport(KERNEL32, SetLastError = true)] 449 [SecurityCritical] ReadFile(SafePipeHandle handle, byte* bytes, int numBytesToRead, out int numBytesRead, IntPtr mustBeZero)450 unsafe internal static extern int ReadFile(SafePipeHandle handle, byte* bytes, int numBytesToRead, 451 out int numBytesRead, IntPtr mustBeZero); 452 453 // Note there are two different WriteFile prototypes - this is to use 454 // the type system to force you to not trip across a "feature" in 455 // Win32's async IO support. You can't do the following three things 456 // simultaneously: overlapped IO, free the memory for the overlapped 457 // struct in a callback (or an EndWrite method called by that callback), 458 // and pass in an address for the numBytesRead parameter. 459 // < 460 461 [DllImport(KERNEL32, SetLastError = true)] 462 [SecurityCritical] WriteFile(SafePipeHandle handle, byte* bytes, int numBytesToWrite, IntPtr numBytesWritten_mustBeZero, NativeOverlapped* lpOverlapped)463 internal static unsafe extern int WriteFile(SafePipeHandle handle, byte* bytes, int numBytesToWrite, 464 IntPtr numBytesWritten_mustBeZero, NativeOverlapped* lpOverlapped); 465 466 [DllImport(KERNEL32, SetLastError = true)] 467 [SecurityCritical] WriteFile(SafePipeHandle handle, byte* bytes, int numBytesToWrite, out int numBytesWritten, IntPtr mustBeZero)468 internal static unsafe extern int WriteFile(SafePipeHandle handle, byte* bytes, int numBytesToWrite, 469 out int numBytesWritten, IntPtr mustBeZero); 470 471 [DllImport(KERNEL32, SetLastError = true)] 472 [SecurityCritical] SetEndOfFile(IntPtr hNamedPipe)473 internal static extern bool SetEndOfFile(IntPtr hNamedPipe); 474 475 // 476 // ETW Methods 477 // 478 // 479 // Callback 480 // 481 #pragma warning disable 618 // Ssytem.Core still uses SecurityRuleSet.Level1 482 [SecurityCritical(SecurityCriticalScope.Everything)] 483 #pragma warning restore 618 EtwEnableCallback( [In] ref Guid sourceId, [In] int isEnabled, [In] byte level, [In] long matchAnyKeywords, [In] long matchAllKeywords, [In] void* filterData, [In] void* callbackContext )484 internal unsafe delegate void EtwEnableCallback( 485 [In] ref Guid sourceId, 486 [In] int isEnabled, 487 [In] byte level, 488 [In] long matchAnyKeywords, 489 [In] long matchAllKeywords, 490 [In] void* filterData, 491 [In] void* callbackContext 492 ); 493 494 // 495 // Registration APIs 496 // 497 [DllImport(ADVAPI32, ExactSpelling = true, EntryPoint = "EventRegister", CharSet = System.Runtime.InteropServices.CharSet.Unicode)] 498 [SecurityCritical] EventRegister( [In] ref Guid providerId, [In]EtwEnableCallback enableCallback, [In]void* callbackContext, [In][Out]ref long registrationHandle )499 internal static extern unsafe uint EventRegister( 500 [In] ref Guid providerId, 501 [In]EtwEnableCallback enableCallback, 502 [In]void* callbackContext, 503 [In][Out]ref long registrationHandle 504 ); 505 506 [DllImport(ADVAPI32, ExactSpelling = true, EntryPoint = "EventUnregister", CharSet = System.Runtime.InteropServices.CharSet.Unicode)] 507 [SecurityCritical] EventUnregister([In] long registrationHandle)508 internal static extern int EventUnregister([In] long registrationHandle); 509 510 511 // 512 // Control (Is Enabled) APIs 513 // 514 [DllImport(ADVAPI32, ExactSpelling = true, EntryPoint = "EventEnabled", CharSet = System.Runtime.InteropServices.CharSet.Unicode)] 515 [SecurityCritical] EventEnabled([In] long registrationHandle, [In] ref System.Diagnostics.Eventing.EventDescriptor eventDescriptor)516 internal static extern int EventEnabled([In] long registrationHandle, [In] ref System.Diagnostics.Eventing.EventDescriptor eventDescriptor); 517 518 [DllImport(ADVAPI32, ExactSpelling = true, EntryPoint = "EventProviderEnabled", CharSet = System.Runtime.InteropServices.CharSet.Unicode)] 519 [SecurityCritical] EventProviderEnabled([In] long registrationHandle, [In] byte level, [In] long keywords)520 internal static extern int EventProviderEnabled([In] long registrationHandle, [In] byte level, [In] long keywords); 521 522 // 523 // Writing (Publishing/Logging) APIs 524 // 525 [DllImport(ADVAPI32, ExactSpelling = true, EntryPoint = "EventWrite", CharSet = System.Runtime.InteropServices.CharSet.Unicode)] 526 [SecurityCritical] EventWrite( [In] long registrationHandle, [In] ref EventDescriptor eventDescriptor, [In] uint userDataCount, [In] void* userData )527 internal static extern unsafe uint EventWrite( 528 [In] long registrationHandle, 529 [In] ref EventDescriptor eventDescriptor, 530 [In] uint userDataCount, 531 [In] void* userData 532 ); 533 534 // 535 // Writing (Publishing/Logging) APIs 536 // 537 [DllImport(ADVAPI32, ExactSpelling = true, EntryPoint = "EventWrite", CharSet = System.Runtime.InteropServices.CharSet.Unicode)] 538 [SecurityCritical] EventWrite( [In] long registrationHandle, [In] EventDescriptor* eventDescriptor, [In] uint userDataCount, [In] void* userData )539 internal static extern unsafe uint EventWrite( 540 [In] long registrationHandle, 541 [In] EventDescriptor* eventDescriptor, 542 [In] uint userDataCount, 543 [In] void* userData 544 ); 545 546 [DllImport(ADVAPI32, ExactSpelling = true, EntryPoint = "EventWriteTransfer", CharSet = System.Runtime.InteropServices.CharSet.Unicode)] 547 [SecurityCritical] EventWriteTransfer( [In] long registrationHandle, [In] ref EventDescriptor eventDescriptor, [In] Guid* activityId, [In] Guid* relatedActivityId, [In] uint userDataCount, [In] void* userData )548 internal static extern unsafe uint EventWriteTransfer( 549 [In] long registrationHandle, 550 [In] ref EventDescriptor eventDescriptor, 551 [In] Guid* activityId, 552 [In] Guid* relatedActivityId, 553 [In] uint userDataCount, 554 [In] void* userData 555 ); 556 557 [DllImport(ADVAPI32, ExactSpelling = true, EntryPoint = "EventWriteString", CharSet = System.Runtime.InteropServices.CharSet.Unicode)] 558 [SecurityCritical] EventWriteString( [In] long registrationHandle, [In] byte level, [In] long keywords, [In] char* message )559 internal static extern unsafe uint EventWriteString( 560 [In] long registrationHandle, 561 [In] byte level, 562 [In] long keywords, 563 [In] char* message 564 ); 565 // 566 // ActivityId Control APIs 567 // 568 [DllImport(ADVAPI32, ExactSpelling = true, EntryPoint = "EventActivityIdControl", CharSet = System.Runtime.InteropServices.CharSet.Unicode)] 569 [SecurityCritical] EventActivityIdControl([In] int ControlCode, [In][Out] ref Guid ActivityId)570 internal static extern unsafe uint EventActivityIdControl([In] int ControlCode, [In][Out] ref Guid ActivityId); 571 572 // Native PERFLIB V2 Provider APIs. 573 // 574 [StructLayout(LayoutKind.Explicit, Size = 40)] 575 internal struct PerfCounterSetInfoStruct { // PERF_COUNTERSET_INFO structure defined in perflib.h 576 [FieldOffset(0)] internal Guid CounterSetGuid; 577 [FieldOffset(16)] internal Guid ProviderGuid; 578 [FieldOffset(32)] internal uint NumCounters; 579 [FieldOffset(36)] internal uint InstanceType; 580 } 581 [StructLayout(LayoutKind.Explicit, Size = 32)] 582 internal struct PerfCounterInfoStruct { // PERF_COUNTER_INFO structure defined in perflib.h 583 [FieldOffset(0)] internal uint CounterId; 584 [FieldOffset(4)] internal uint CounterType; 585 [FieldOffset(8)] internal Int64 Attrib; 586 [FieldOffset(16)] internal uint Size; 587 [FieldOffset(20)] internal uint DetailLevel; 588 [FieldOffset(24)] internal uint Scale; 589 [FieldOffset(28)] internal uint Offset; 590 } 591 [StructLayout(LayoutKind.Explicit, Size = 32)] 592 internal struct PerfCounterSetInstanceStruct { // PERF_COUNTERSET_INSTANCE structure defined in perflib.h 593 [FieldOffset(0)] internal Guid CounterSetGuid; 594 [FieldOffset(16)] internal uint dwSize; 595 [FieldOffset(20)] internal uint InstanceId; 596 [FieldOffset(24)] internal uint InstanceNameOffset; 597 [FieldOffset(28)] internal uint InstanceNameSize; 598 } 599 600 #pragma warning disable 618 // Ssytem.Core still uses SecurityRuleSet.Level1 601 [SecurityCritical(SecurityCriticalScope.Everything)] 602 #pragma warning restore 618 PERFLIBREQUEST( [In] uint RequestCode, [In] void * Buffer, [In] uint BufferSize )603 internal unsafe delegate uint PERFLIBREQUEST( 604 [In] uint RequestCode, 605 [In] void * Buffer, 606 [In] uint BufferSize 607 ); 608 609 [DllImport(ADVAPI32, ExactSpelling = true, EntryPoint = "PerfStartProvider", CharSet = CharSet.Unicode)] 610 [SecurityCritical] PerfStartProvider( [In] ref Guid ProviderGuid, [In] PERFLIBREQUEST ControlCallback, [Out] out SafePerfProviderHandle phProvider )611 internal static extern unsafe uint PerfStartProvider( 612 [In] ref Guid ProviderGuid, 613 [In] PERFLIBREQUEST ControlCallback, 614 [Out] out SafePerfProviderHandle phProvider 615 ); 616 [DllImport(ADVAPI32, ExactSpelling = true, EntryPoint = "PerfStopProvider", CharSet = CharSet.Unicode)] 617 [SecurityCritical] PerfStopProvider( [In] IntPtr hProvider )618 internal static extern unsafe uint PerfStopProvider( 619 [In] IntPtr hProvider 620 ); 621 [DllImport(ADVAPI32, ExactSpelling = true, EntryPoint = "PerfSetCounterSetInfo", CharSet = CharSet.Unicode)] 622 [SecurityCritical] PerfSetCounterSetInfo( [In] SafePerfProviderHandle hProvider, [In][Out] PerfCounterSetInfoStruct * pTemplate, [In] uint dwTemplateSize )623 internal static extern unsafe uint PerfSetCounterSetInfo( 624 [In] SafePerfProviderHandle hProvider, 625 [In][Out] PerfCounterSetInfoStruct * pTemplate, 626 [In] uint dwTemplateSize 627 ); 628 [DllImport(ADVAPI32, SetLastError = true, ExactSpelling = true, EntryPoint = "PerfCreateInstance", CharSet = CharSet.Unicode)] 629 [SecurityCritical] PerfCreateInstance( [In] SafePerfProviderHandle hProvider, [In] ref Guid CounterSetGuid, [In] String szInstanceName, [In] uint dwInstance )630 internal static extern unsafe PerfCounterSetInstanceStruct* PerfCreateInstance( 631 [In] SafePerfProviderHandle hProvider, 632 [In] ref Guid CounterSetGuid, 633 [In] String szInstanceName, 634 [In] uint dwInstance 635 ); 636 [DllImport(ADVAPI32, ExactSpelling = true, EntryPoint = "PerfDeleteInstance", CharSet = CharSet.Unicode)] 637 [SecurityCritical] PerfDeleteInstance( [In] SafePerfProviderHandle hProvider, [In] PerfCounterSetInstanceStruct * InstanceBlock )638 internal static extern unsafe uint PerfDeleteInstance( 639 [In] SafePerfProviderHandle hProvider, 640 [In] PerfCounterSetInstanceStruct * InstanceBlock 641 ); 642 [DllImport(ADVAPI32, ExactSpelling = true, EntryPoint = "PerfSetCounterRefValue", CharSet = CharSet.Unicode)] 643 [SecurityCritical] PerfSetCounterRefValue( [In] SafePerfProviderHandle hProvider, [In] PerfCounterSetInstanceStruct * pInstance, [In] uint CounterId, [In] void * lpAddr )644 internal static extern unsafe uint PerfSetCounterRefValue( 645 [In] SafePerfProviderHandle hProvider, 646 [In] PerfCounterSetInstanceStruct * pInstance, 647 [In] uint CounterId, 648 [In] void * lpAddr 649 ); 650 651 // 652 // EventLog 653 // 654 [Flags] 655 internal enum EvtQueryFlags { 656 EvtQueryChannelPath = 0x1, 657 EvtQueryFilePath = 0x2, 658 EvtQueryForwardDirection = 0x100, 659 EvtQueryReverseDirection = 0x200, 660 EvtQueryTolerateQueryErrors = 0x1000 661 } 662 663 [Flags] 664 internal enum EvtSubscribeFlags { 665 EvtSubscribeToFutureEvents = 1, 666 EvtSubscribeStartAtOldestRecord = 2, 667 EvtSubscribeStartAfterBookmark = 3, 668 EvtSubscribeTolerateQueryErrors = 0x1000, 669 EvtSubscribeStrict = 0x10000 670 } 671 672 /// <summary> 673 /// Evt Variant types 674 /// </summary> 675 internal enum EvtVariantType { 676 EvtVarTypeNull = 0, 677 EvtVarTypeString = 1, 678 EvtVarTypeAnsiString = 2, 679 EvtVarTypeSByte = 3, 680 EvtVarTypeByte = 4, 681 EvtVarTypeInt16 = 5, 682 EvtVarTypeUInt16 = 6, 683 EvtVarTypeInt32 = 7, 684 EvtVarTypeUInt32 = 8, 685 EvtVarTypeInt64 = 9, 686 EvtVarTypeUInt64 = 10, 687 EvtVarTypeSingle = 11, 688 EvtVarTypeDouble = 12, 689 EvtVarTypeBoolean = 13, 690 EvtVarTypeBinary = 14, 691 EvtVarTypeGuid = 15, 692 EvtVarTypeSizeT = 16, 693 EvtVarTypeFileTime = 17, 694 EvtVarTypeSysTime = 18, 695 EvtVarTypeSid = 19, 696 EvtVarTypeHexInt32 = 20, 697 EvtVarTypeHexInt64 = 21, 698 // these types used internally 699 EvtVarTypeEvtHandle = 32, 700 EvtVarTypeEvtXml = 35, 701 //Array = 128 702 EvtVarTypeStringArray = 129, 703 EvtVarTypeUInt32Array = 136 704 } 705 706 internal enum EvtMasks { 707 EVT_VARIANT_TYPE_MASK = 0x7f, 708 EVT_VARIANT_TYPE_ARRAY = 128 709 } 710 711 [StructLayout(LayoutKind.Sequential)] 712 internal struct SystemTime { 713 [MarshalAs(UnmanagedType.U2)] 714 public short Year; 715 [MarshalAs(UnmanagedType.U2)] 716 public short Month; 717 [MarshalAs(UnmanagedType.U2)] 718 public short DayOfWeek; 719 [MarshalAs(UnmanagedType.U2)] 720 public short Day; 721 [MarshalAs(UnmanagedType.U2)] 722 public short Hour; 723 [MarshalAs(UnmanagedType.U2)] 724 public short Minute; 725 [MarshalAs(UnmanagedType.U2)] 726 public short Second; 727 [MarshalAs(UnmanagedType.U2)] 728 public short Milliseconds; 729 } 730 731 [StructLayout(LayoutKind.Explicit, CharSet = CharSet.Auto)] 732 #pragma warning disable 618 // Ssytem.Core still uses SecurityRuleSet.Level1 733 [SecurityCritical(SecurityCriticalScope.Everything)] 734 #pragma warning restore 618 735 internal struct EvtVariant { 736 [FieldOffset(0)] 737 public UInt32 UInteger; 738 [FieldOffset(0)] 739 public Int32 Integer; 740 [FieldOffset(0)] 741 public byte UInt8; 742 [FieldOffset(0)] 743 public short Short; 744 [FieldOffset(0)] 745 public ushort UShort; 746 [FieldOffset(0)] 747 public UInt32 Bool; 748 [FieldOffset(0)] 749 public Byte ByteVal; 750 [FieldOffset(0)] 751 public byte SByte; 752 [FieldOffset(0)] 753 public UInt64 ULong; 754 [FieldOffset(0)] 755 public Int64 Long; 756 [FieldOffset(0)] 757 public Single Single; 758 [FieldOffset(0)] 759 public Double Double; 760 [FieldOffset(0)] 761 public IntPtr StringVal; 762 [FieldOffset(0)] 763 public IntPtr AnsiString; 764 [FieldOffset(0)] 765 public IntPtr SidVal; 766 [FieldOffset(0)] 767 public IntPtr Binary; 768 [FieldOffset(0)] 769 public IntPtr Reference; 770 [FieldOffset(0)] 771 public IntPtr Handle; 772 [FieldOffset(0)] 773 public IntPtr GuidReference; 774 [FieldOffset(0)] 775 public UInt64 FileTime; 776 [FieldOffset(0)] 777 public IntPtr SystemTime; 778 [FieldOffset(0)] 779 public IntPtr SizeT; 780 [FieldOffset(8)] 781 public UInt32 Count; // number of elements (not length) in bytes. 782 [FieldOffset(12)] 783 public UInt32 Type; 784 } 785 786 internal enum EvtEventPropertyId { 787 EvtEventQueryIDs = 0, 788 EvtEventPath = 1 789 } 790 791 /// <summary> 792 /// The query flags to get information about query 793 /// </summary> 794 internal enum EvtQueryPropertyId { 795 EvtQueryNames = 0, //String; //Variant will be array of EvtVarTypeString 796 EvtQueryStatuses = 1 //UInt32; //Variant will be Array of EvtVarTypeUInt32 797 } 798 799 /// <summary> 800 /// Publisher Metadata properties 801 /// </summary> 802 internal enum EvtPublisherMetadataPropertyId { 803 EvtPublisherMetadataPublisherGuid = 0, // EvtVarTypeGuid 804 EvtPublisherMetadataResourceFilePath = 1, // EvtVarTypeString 805 EvtPublisherMetadataParameterFilePath = 2, // EvtVarTypeString 806 EvtPublisherMetadataMessageFilePath = 3, // EvtVarTypeString 807 EvtPublisherMetadataHelpLink = 4, // EvtVarTypeString 808 EvtPublisherMetadataPublisherMessageID = 5, // EvtVarTypeUInt32 809 810 EvtPublisherMetadataChannelReferences = 6, // EvtVarTypeEvtHandle, ObjectArray 811 EvtPublisherMetadataChannelReferencePath = 7, // EvtVarTypeString 812 EvtPublisherMetadataChannelReferenceIndex = 8, // EvtVarTypeUInt32 813 EvtPublisherMetadataChannelReferenceID = 9, // EvtVarTypeUInt32 814 EvtPublisherMetadataChannelReferenceFlags = 10, // EvtVarTypeUInt32 815 EvtPublisherMetadataChannelReferenceMessageID = 11, // EvtVarTypeUInt32 816 817 EvtPublisherMetadataLevels = 12, // EvtVarTypeEvtHandle, ObjectArray 818 EvtPublisherMetadataLevelName = 13, // EvtVarTypeString 819 EvtPublisherMetadataLevelValue = 14, // EvtVarTypeUInt32 820 EvtPublisherMetadataLevelMessageID = 15, // EvtVarTypeUInt32 821 822 EvtPublisherMetadataTasks = 16, // EvtVarTypeEvtHandle, ObjectArray 823 EvtPublisherMetadataTaskName = 17, // EvtVarTypeString 824 EvtPublisherMetadataTaskEventGuid = 18, // EvtVarTypeGuid 825 EvtPublisherMetadataTaskValue = 19, // EvtVarTypeUInt32 826 EvtPublisherMetadataTaskMessageID = 20, // EvtVarTypeUInt32 827 828 EvtPublisherMetadataOpcodes = 21, // EvtVarTypeEvtHandle, ObjectArray 829 EvtPublisherMetadataOpcodeName = 22, // EvtVarTypeString 830 EvtPublisherMetadataOpcodeValue = 23, // EvtVarTypeUInt32 831 EvtPublisherMetadataOpcodeMessageID = 24, // EvtVarTypeUInt32 832 833 EvtPublisherMetadataKeywords = 25, // EvtVarTypeEvtHandle, ObjectArray 834 EvtPublisherMetadataKeywordName = 26, // EvtVarTypeString 835 EvtPublisherMetadataKeywordValue = 27, // EvtVarTypeUInt64 836 EvtPublisherMetadataKeywordMessageID = 28//, // EvtVarTypeUInt32 837 //EvtPublisherMetadataPropertyIdEND 838 } 839 840 internal enum EvtChannelReferenceFlags { 841 EvtChannelReferenceImported = 1 842 } 843 844 internal enum EvtEventMetadataPropertyId { 845 EventMetadataEventID, // EvtVarTypeUInt32 846 EventMetadataEventVersion, // EvtVarTypeUInt32 847 EventMetadataEventChannel, // EvtVarTypeUInt32 848 EventMetadataEventLevel, // EvtVarTypeUInt32 849 EventMetadataEventOpcode, // EvtVarTypeUInt32 850 EventMetadataEventTask, // EvtVarTypeUInt32 851 EventMetadataEventKeyword, // EvtVarTypeUInt64 852 EventMetadataEventMessageID,// EvtVarTypeUInt32 853 EventMetadataEventTemplate // EvtVarTypeString 854 //EvtEventMetadataPropertyIdEND 855 } 856 857 //CHANNEL CONFIGURATION 858 internal enum EvtChannelConfigPropertyId { 859 EvtChannelConfigEnabled = 0, // EvtVarTypeBoolean 860 EvtChannelConfigIsolation, // EvtVarTypeUInt32, EVT_CHANNEL_ISOLATION_TYPE 861 EvtChannelConfigType, // EvtVarTypeUInt32, EVT_CHANNEL_TYPE 862 EvtChannelConfigOwningPublisher, // EvtVarTypeString 863 EvtChannelConfigClassicEventlog, // EvtVarTypeBoolean 864 EvtChannelConfigAccess, // EvtVarTypeString 865 EvtChannelLoggingConfigRetention, // EvtVarTypeBoolean 866 EvtChannelLoggingConfigAutoBackup, // EvtVarTypeBoolean 867 EvtChannelLoggingConfigMaxSize, // EvtVarTypeUInt64 868 EvtChannelLoggingConfigLogFilePath, // EvtVarTypeString 869 EvtChannelPublishingConfigLevel, // EvtVarTypeUInt32 870 EvtChannelPublishingConfigKeywords, // EvtVarTypeUInt64 871 EvtChannelPublishingConfigControlGuid, // EvtVarTypeGuid 872 EvtChannelPublishingConfigBufferSize, // EvtVarTypeUInt32 873 EvtChannelPublishingConfigMinBuffers, // EvtVarTypeUInt32 874 EvtChannelPublishingConfigMaxBuffers, // EvtVarTypeUInt32 875 EvtChannelPublishingConfigLatency, // EvtVarTypeUInt32 876 EvtChannelPublishingConfigClockType, // EvtVarTypeUInt32, EVT_CHANNEL_CLOCK_TYPE 877 EvtChannelPublishingConfigSidType, // EvtVarTypeUInt32, EVT_CHANNEL_SID_TYPE 878 EvtChannelPublisherList, // EvtVarTypeString | EVT_VARIANT_TYPE_ARRAY 879 EvtChannelConfigPropertyIdEND 880 } 881 882 //LOG INFORMATION 883 internal enum EvtLogPropertyId { 884 EvtLogCreationTime = 0, // EvtVarTypeFileTime 885 EvtLogLastAccessTime, // EvtVarTypeFileTime 886 EvtLogLastWriteTime, // EvtVarTypeFileTime 887 EvtLogFileSize, // EvtVarTypeUInt64 888 EvtLogAttributes, // EvtVarTypeUInt32 889 EvtLogNumberOfLogRecords, // EvtVarTypeUInt64 890 EvtLogOldestRecordNumber, // EvtVarTypeUInt64 891 EvtLogFull, // EvtVarTypeBoolean 892 } 893 894 internal enum EvtExportLogFlags { 895 EvtExportLogChannelPath = 1, 896 EvtExportLogFilePath = 2, 897 EvtExportLogTolerateQueryErrors = 0x1000 898 } 899 900 //RENDERING 901 internal enum EvtRenderContextFlags { 902 EvtRenderContextValues = 0, // Render specific properties 903 EvtRenderContextSystem = 1, // Render all system properties (System) 904 EvtRenderContextUser = 2 // Render all user properties (User/EventData) 905 } 906 907 internal enum EvtRenderFlags { 908 EvtRenderEventValues = 0, // Variants 909 EvtRenderEventXml = 1, // XML 910 EvtRenderBookmark = 2 // Bookmark 911 } 912 913 internal enum EvtFormatMessageFlags { 914 EvtFormatMessageEvent = 1, 915 EvtFormatMessageLevel = 2, 916 EvtFormatMessageTask = 3, 917 EvtFormatMessageOpcode = 4, 918 EvtFormatMessageKeyword = 5, 919 EvtFormatMessageChannel = 6, 920 EvtFormatMessageProvider = 7, 921 EvtFormatMessageId = 8, 922 EvtFormatMessageXml = 9 923 } 924 925 internal enum EvtSystemPropertyId { 926 EvtSystemProviderName = 0, // EvtVarTypeString 927 EvtSystemProviderGuid, // EvtVarTypeGuid 928 EvtSystemEventID, // EvtVarTypeUInt16 929 EvtSystemQualifiers, // EvtVarTypeUInt16 930 EvtSystemLevel, // EvtVarTypeUInt8 931 EvtSystemTask, // EvtVarTypeUInt16 932 EvtSystemOpcode, // EvtVarTypeUInt8 933 EvtSystemKeywords, // EvtVarTypeHexInt64 934 EvtSystemTimeCreated, // EvtVarTypeFileTime 935 EvtSystemEventRecordId, // EvtVarTypeUInt64 936 EvtSystemActivityID, // EvtVarTypeGuid 937 EvtSystemRelatedActivityID, // EvtVarTypeGuid 938 EvtSystemProcessID, // EvtVarTypeUInt32 939 EvtSystemThreadID, // EvtVarTypeUInt32 940 EvtSystemChannel, // EvtVarTypeString 941 EvtSystemComputer, // EvtVarTypeString 942 EvtSystemUserID, // EvtVarTypeSid 943 EvtSystemVersion, // EvtVarTypeUInt8 944 EvtSystemPropertyIdEND 945 } 946 947 //SESSION 948 internal enum EvtLoginClass { 949 EvtRpcLogin = 1 950 } 951 952 [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)] 953 internal struct EvtRpcLogin { 954 [MarshalAs(UnmanagedType.LPWStr)] 955 public string Server; 956 [MarshalAs(UnmanagedType.LPWStr)] 957 public string User; 958 [MarshalAs(UnmanagedType.LPWStr)] 959 public string Domain; 960 [SecurityCritical] 961 public CoTaskMemUnicodeSafeHandle Password; 962 public int Flags; 963 } 964 965 966 //SEEK 967 [Flags] 968 internal enum EvtSeekFlags { 969 EvtSeekRelativeToFirst = 1, 970 EvtSeekRelativeToLast = 2, 971 EvtSeekRelativeToCurrent = 3, 972 EvtSeekRelativeToBookmark = 4, 973 EvtSeekOriginMask = 7, 974 EvtSeekStrict = 0x10000 975 } 976 977 [DllImport(WEVTAPI, CallingConvention = CallingConvention.Winapi, SetLastError = true)] 978 [SecurityCritical] EvtQuery( EventLogHandle session, [MarshalAs(UnmanagedType.LPWStr)]string path, [MarshalAs(UnmanagedType.LPWStr)]string query, int flags)979 internal static extern EventLogHandle EvtQuery( 980 EventLogHandle session, 981 [MarshalAs(UnmanagedType.LPWStr)]string path, 982 [MarshalAs(UnmanagedType.LPWStr)]string query, 983 int flags); 984 985 //SEEK 986 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 987 [SecurityCritical] 988 [return: MarshalAs(UnmanagedType.Bool)] EvtSeek( EventLogHandle resultSet, long position, EventLogHandle bookmark, int timeout, [MarshalAs(UnmanagedType.I4)]EvtSeekFlags flags )989 internal static extern bool EvtSeek( 990 EventLogHandle resultSet, 991 long position, 992 EventLogHandle bookmark, 993 int timeout, 994 [MarshalAs(UnmanagedType.I4)]EvtSeekFlags flags 995 ); 996 997 [DllImport(WEVTAPI, CallingConvention = CallingConvention.Winapi, SetLastError = true)] 998 [SecurityCritical] EvtSubscribe( EventLogHandle session, SafeWaitHandle signalEvent, [MarshalAs(UnmanagedType.LPWStr)]string path, [MarshalAs(UnmanagedType.LPWStr)]string query, EventLogHandle bookmark, IntPtr context, IntPtr callback, int flags)999 internal static extern EventLogHandle EvtSubscribe( 1000 EventLogHandle session, 1001 SafeWaitHandle signalEvent, 1002 [MarshalAs(UnmanagedType.LPWStr)]string path, 1003 [MarshalAs(UnmanagedType.LPWStr)]string query, 1004 EventLogHandle bookmark, 1005 IntPtr context, 1006 IntPtr callback, 1007 int flags); 1008 1009 [DllImport(WEVTAPI, CallingConvention = CallingConvention.Winapi, SetLastError = true)] 1010 [SecurityCritical] 1011 [return: MarshalAs(UnmanagedType.Bool)] EvtNext( EventLogHandle queryHandle, int eventSize, [MarshalAs(UnmanagedType.LPArray)] IntPtr[] events, int timeout, int flags, ref int returned)1012 internal static extern bool EvtNext( 1013 EventLogHandle queryHandle, 1014 int eventSize, 1015 [MarshalAs(UnmanagedType.LPArray)] IntPtr[] events, 1016 int timeout, 1017 int flags, 1018 ref int returned); 1019 1020 [DllImport(WEVTAPI, CallingConvention = CallingConvention.Winapi, SetLastError = true)] 1021 [SecurityCritical] 1022 [return: MarshalAs(UnmanagedType.Bool)] EvtCancel(EventLogHandle handle)1023 internal static extern bool EvtCancel(EventLogHandle handle); 1024 1025 [DllImport(WEVTAPI)] 1026 [ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)] 1027 [SecurityCritical] 1028 [return: MarshalAs(UnmanagedType.Bool)] EvtClose(IntPtr handle)1029 internal static extern bool EvtClose(IntPtr handle); 1030 1031 /* 1032 [DllImport(WEVTAPI, EntryPoint = "EvtClose", SetLastError = true)] 1033 public static extern bool EvtClose( 1034 IntPtr eventHandle 1035 ); 1036 */ 1037 1038 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1039 [SecurityCritical] 1040 [return: MarshalAs(UnmanagedType.Bool)] EvtGetEventInfo( EventLogHandle eventHandle, [MarshalAs(UnmanagedType.I4)]EvtEventPropertyId propertyId, int bufferSize, IntPtr bufferPtr, out int bufferUsed )1041 internal static extern bool EvtGetEventInfo( 1042 EventLogHandle eventHandle, 1043 //int propertyId 1044 [MarshalAs(UnmanagedType.I4)]EvtEventPropertyId propertyId, 1045 int bufferSize, 1046 IntPtr bufferPtr, 1047 out int bufferUsed 1048 ); 1049 1050 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1051 [SecurityCritical] 1052 [return: MarshalAs(UnmanagedType.Bool)] EvtGetQueryInfo( EventLogHandle queryHandle, [MarshalAs(UnmanagedType.I4)]EvtQueryPropertyId propertyId, int bufferSize, IntPtr buffer, ref int bufferRequired )1053 internal static extern bool EvtGetQueryInfo( 1054 EventLogHandle queryHandle, 1055 [MarshalAs(UnmanagedType.I4)]EvtQueryPropertyId propertyId, 1056 int bufferSize, 1057 IntPtr buffer, 1058 ref int bufferRequired 1059 ); 1060 1061 //PUBLISHER METADATA 1062 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1063 [SecurityCritical] EvtOpenPublisherMetadata( EventLogHandle session, [MarshalAs(UnmanagedType.LPWStr)] string publisherId, [MarshalAs(UnmanagedType.LPWStr)] string logFilePath, int locale, int flags )1064 internal static extern EventLogHandle EvtOpenPublisherMetadata( 1065 EventLogHandle session, 1066 [MarshalAs(UnmanagedType.LPWStr)] string publisherId, 1067 [MarshalAs(UnmanagedType.LPWStr)] string logFilePath, 1068 int locale, 1069 int flags 1070 ); 1071 1072 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1073 [SecurityCritical] 1074 [return: MarshalAs(UnmanagedType.Bool)] EvtGetPublisherMetadataProperty( EventLogHandle publisherMetadataHandle, [MarshalAs(UnmanagedType.I4)] EvtPublisherMetadataPropertyId propertyId, int flags, int publisherMetadataPropertyBufferSize, IntPtr publisherMetadataPropertyBuffer, out int publisherMetadataPropertyBufferUsed )1075 internal static extern bool EvtGetPublisherMetadataProperty( 1076 EventLogHandle publisherMetadataHandle, 1077 [MarshalAs(UnmanagedType.I4)] EvtPublisherMetadataPropertyId propertyId, 1078 int flags, 1079 int publisherMetadataPropertyBufferSize, 1080 IntPtr publisherMetadataPropertyBuffer, 1081 out int publisherMetadataPropertyBufferUsed 1082 ); 1083 1084 //NEW 1085 1086 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1087 [SecurityCritical] 1088 [return: MarshalAs(UnmanagedType.Bool)] EvtGetObjectArraySize( EventLogHandle objectArray, out int objectArraySize )1089 internal static extern bool EvtGetObjectArraySize( 1090 EventLogHandle objectArray, 1091 out int objectArraySize 1092 ); 1093 1094 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1095 [SecurityCritical] 1096 [return: MarshalAs(UnmanagedType.Bool)] EvtGetObjectArrayProperty( EventLogHandle objectArray, int propertyId, int arrayIndex, int flags, int propertyValueBufferSize, IntPtr propertyValueBuffer, out int propertyValueBufferUsed )1097 internal static extern bool EvtGetObjectArrayProperty( 1098 EventLogHandle objectArray, 1099 int propertyId, 1100 int arrayIndex, 1101 int flags, 1102 int propertyValueBufferSize, 1103 IntPtr propertyValueBuffer, 1104 out int propertyValueBufferUsed 1105 ); 1106 1107 //NEW 2 1108 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1109 [SecurityCritical] EvtOpenEventMetadataEnum( EventLogHandle publisherMetadata, int flags )1110 internal static extern EventLogHandle EvtOpenEventMetadataEnum( 1111 EventLogHandle publisherMetadata, 1112 int flags 1113 ); 1114 1115 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1116 [SecurityCritical] 1117 //public static extern IntPtr EvtNextEventMetadata( EvtNextEventMetadata( EventLogHandle eventMetadataEnum, int flags )1118 internal static extern EventLogHandle EvtNextEventMetadata( 1119 EventLogHandle eventMetadataEnum, 1120 int flags 1121 ); 1122 1123 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1124 [SecurityCritical] 1125 [return: MarshalAs(UnmanagedType.Bool)] EvtGetEventMetadataProperty( EventLogHandle eventMetadata, [MarshalAs(UnmanagedType.I4)] EvtEventMetadataPropertyId propertyId, int flags, int eventMetadataPropertyBufferSize, IntPtr eventMetadataPropertyBuffer, out int eventMetadataPropertyBufferUsed )1126 internal static extern bool EvtGetEventMetadataProperty( 1127 EventLogHandle eventMetadata, 1128 [MarshalAs(UnmanagedType.I4)] EvtEventMetadataPropertyId propertyId, 1129 int flags, 1130 int eventMetadataPropertyBufferSize, 1131 IntPtr eventMetadataPropertyBuffer, 1132 out int eventMetadataPropertyBufferUsed 1133 ); 1134 1135 1136 //Channel Configuration Native Api 1137 1138 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1139 [SecurityCritical] EvtOpenChannelEnum( EventLogHandle session, int flags )1140 internal static extern EventLogHandle EvtOpenChannelEnum( 1141 EventLogHandle session, 1142 int flags 1143 ); 1144 1145 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1146 [SecurityCritical] 1147 [return: MarshalAs(UnmanagedType.Bool)] EvtNextChannelPath( EventLogHandle channelEnum, int channelPathBufferSize, [Out, MarshalAs(UnmanagedType.LPWStr)]StringBuilder channelPathBuffer, out int channelPathBufferUsed )1148 internal static extern bool EvtNextChannelPath( 1149 EventLogHandle channelEnum, 1150 int channelPathBufferSize, 1151 //StringBuilder channelPathBuffer, 1152 [Out, MarshalAs(UnmanagedType.LPWStr)]StringBuilder channelPathBuffer, 1153 out int channelPathBufferUsed 1154 ); 1155 1156 1157 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1158 [SecurityCritical] EvtOpenPublisherEnum( EventLogHandle session, int flags )1159 internal static extern EventLogHandle EvtOpenPublisherEnum( 1160 EventLogHandle session, 1161 int flags 1162 ); 1163 1164 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1165 [SecurityCritical] 1166 [return: MarshalAs(UnmanagedType.Bool)] EvtNextPublisherId( EventLogHandle publisherEnum, int publisherIdBufferSize, [Out, MarshalAs(UnmanagedType.LPWStr)]StringBuilder publisherIdBuffer, out int publisherIdBufferUsed )1167 internal static extern bool EvtNextPublisherId( 1168 EventLogHandle publisherEnum, 1169 int publisherIdBufferSize, 1170 [Out, MarshalAs(UnmanagedType.LPWStr)]StringBuilder publisherIdBuffer, 1171 out int publisherIdBufferUsed 1172 ); 1173 1174 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1175 [SecurityCritical] EvtOpenChannelConfig( EventLogHandle session, [MarshalAs(UnmanagedType.LPWStr)]String channelPath, int flags )1176 internal static extern EventLogHandle EvtOpenChannelConfig( 1177 EventLogHandle session, 1178 [MarshalAs(UnmanagedType.LPWStr)]String channelPath, 1179 int flags 1180 ); 1181 1182 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1183 [SecurityCritical] 1184 [return: MarshalAs(UnmanagedType.Bool)] EvtSaveChannelConfig( EventLogHandle channelConfig, int flags )1185 internal static extern bool EvtSaveChannelConfig( 1186 EventLogHandle channelConfig, 1187 int flags 1188 ); 1189 1190 1191 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1192 [SecurityCritical] 1193 [return: MarshalAs(UnmanagedType.Bool)] EvtSetChannelConfigProperty( EventLogHandle channelConfig, [MarshalAs(UnmanagedType.I4)]EvtChannelConfigPropertyId propertyId, int flags, ref EvtVariant propertyValue )1194 internal static extern bool EvtSetChannelConfigProperty( 1195 EventLogHandle channelConfig, 1196 [MarshalAs(UnmanagedType.I4)]EvtChannelConfigPropertyId propertyId, 1197 int flags, 1198 ref EvtVariant propertyValue 1199 ); 1200 1201 1202 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1203 [SecurityCritical] 1204 [return: MarshalAs(UnmanagedType.Bool)] EvtGetChannelConfigProperty( EventLogHandle channelConfig, [MarshalAs(UnmanagedType.I4)]EvtChannelConfigPropertyId propertyId, int flags, int propertyValueBufferSize, IntPtr propertyValueBuffer, out int propertyValueBufferUsed )1205 internal static extern bool EvtGetChannelConfigProperty( 1206 EventLogHandle channelConfig, 1207 [MarshalAs(UnmanagedType.I4)]EvtChannelConfigPropertyId propertyId, 1208 int flags, 1209 int propertyValueBufferSize, 1210 IntPtr propertyValueBuffer, 1211 out int propertyValueBufferUsed 1212 ); 1213 1214 //Log Information Native Api 1215 1216 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1217 [SecurityCritical] EvtOpenLog( EventLogHandle session, [MarshalAs(UnmanagedType.LPWStr)] string path, [MarshalAs(UnmanagedType.I4)]PathType flags )1218 internal static extern EventLogHandle EvtOpenLog( 1219 EventLogHandle session, 1220 [MarshalAs(UnmanagedType.LPWStr)] string path, 1221 [MarshalAs(UnmanagedType.I4)]PathType flags 1222 ); 1223 1224 1225 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1226 [SecurityCritical] 1227 [return: MarshalAs(UnmanagedType.Bool)] EvtGetLogInfo( EventLogHandle log, [MarshalAs(UnmanagedType.I4)]EvtLogPropertyId propertyId, int propertyValueBufferSize, IntPtr propertyValueBuffer, out int propertyValueBufferUsed )1228 internal static extern bool EvtGetLogInfo( 1229 EventLogHandle log, 1230 [MarshalAs(UnmanagedType.I4)]EvtLogPropertyId propertyId, 1231 int propertyValueBufferSize, 1232 IntPtr propertyValueBuffer, 1233 out int propertyValueBufferUsed 1234 ); 1235 1236 //LOG MANIPULATION 1237 1238 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1239 [SecurityCritical] 1240 [return: MarshalAs(UnmanagedType.Bool)] EvtExportLog( EventLogHandle session, [MarshalAs(UnmanagedType.LPWStr)]string channelPath, [MarshalAs(UnmanagedType.LPWStr)]string query, [MarshalAs(UnmanagedType.LPWStr)]string targetFilePath, int flags )1241 internal static extern bool EvtExportLog( 1242 EventLogHandle session, 1243 [MarshalAs(UnmanagedType.LPWStr)]string channelPath, 1244 [MarshalAs(UnmanagedType.LPWStr)]string query, 1245 [MarshalAs(UnmanagedType.LPWStr)]string targetFilePath, 1246 int flags 1247 ); 1248 1249 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1250 [SecurityCritical] 1251 [return: MarshalAs(UnmanagedType.Bool)] EvtArchiveExportedLog( EventLogHandle session, [MarshalAs(UnmanagedType.LPWStr)]string logFilePath, int locale, int flags )1252 internal static extern bool EvtArchiveExportedLog( 1253 EventLogHandle session, 1254 [MarshalAs(UnmanagedType.LPWStr)]string logFilePath, 1255 int locale, 1256 int flags 1257 ); 1258 1259 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1260 [SecurityCritical] 1261 [return: MarshalAs(UnmanagedType.Bool)] EvtClearLog( EventLogHandle session, [MarshalAs(UnmanagedType.LPWStr)]string channelPath, [MarshalAs(UnmanagedType.LPWStr)]string targetFilePath, int flags )1262 internal static extern bool EvtClearLog( 1263 EventLogHandle session, 1264 [MarshalAs(UnmanagedType.LPWStr)]string channelPath, 1265 [MarshalAs(UnmanagedType.LPWStr)]string targetFilePath, 1266 int flags 1267 ); 1268 1269 //RENDERING 1270 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1271 [SecurityCritical] EvtCreateRenderContext( Int32 valuePathsCount, [MarshalAs(UnmanagedType.LPArray,ArraySubType = UnmanagedType.LPWStr)] String[] valuePaths, [MarshalAs(UnmanagedType.I4)]EvtRenderContextFlags flags )1272 internal static extern EventLogHandle EvtCreateRenderContext( 1273 Int32 valuePathsCount, 1274 [MarshalAs(UnmanagedType.LPArray,ArraySubType = UnmanagedType.LPWStr)] 1275 String[] valuePaths, 1276 [MarshalAs(UnmanagedType.I4)]EvtRenderContextFlags flags 1277 ); 1278 1279 [DllImport(WEVTAPI, CallingConvention = CallingConvention.Winapi, SetLastError = true)] 1280 [SecurityCritical] 1281 [return: MarshalAs(UnmanagedType.Bool)] EvtRender( EventLogHandle context, EventLogHandle eventHandle, EvtRenderFlags flags, int buffSize, [Out, MarshalAs(UnmanagedType.LPWStr)]StringBuilder buffer, out int buffUsed, out int propCount )1282 internal static extern bool EvtRender( 1283 EventLogHandle context, 1284 EventLogHandle eventHandle, 1285 EvtRenderFlags flags, 1286 int buffSize, 1287 [Out, MarshalAs(UnmanagedType.LPWStr)]StringBuilder buffer, 1288 out int buffUsed, 1289 out int propCount 1290 ); 1291 1292 1293 [DllImport(WEVTAPI, EntryPoint = "EvtRender", CallingConvention = CallingConvention.Winapi, SetLastError = true)] 1294 [SecurityCritical] 1295 [return: MarshalAs(UnmanagedType.Bool)] EvtRender( EventLogHandle context, EventLogHandle eventHandle, EvtRenderFlags flags, int buffSize, IntPtr buffer, out int buffUsed, out int propCount )1296 internal static extern bool EvtRender( 1297 EventLogHandle context, 1298 EventLogHandle eventHandle, 1299 EvtRenderFlags flags, 1300 int buffSize, 1301 IntPtr buffer, 1302 out int buffUsed, 1303 out int propCount 1304 ); 1305 1306 1307 [StructLayout(LayoutKind.Explicit, CharSet = CharSet.Auto)] 1308 internal struct EvtStringVariant { 1309 [MarshalAs(UnmanagedType.LPWStr),FieldOffset(0)] 1310 public string StringVal; 1311 [FieldOffset(8)] 1312 public UInt32 Count; 1313 [FieldOffset(12)] 1314 public UInt32 Type; 1315 }; 1316 1317 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1318 [SecurityCritical] 1319 [return: MarshalAs(UnmanagedType.Bool)] EvtFormatMessage( EventLogHandle publisherMetadataHandle, EventLogHandle eventHandle, uint messageId, int valueCount, EvtStringVariant [] values, [MarshalAs(UnmanagedType.I4)]EvtFormatMessageFlags flags, int bufferSize, [Out, MarshalAs(UnmanagedType.LPWStr)]StringBuilder buffer, out int bufferUsed )1320 internal static extern bool EvtFormatMessage( 1321 EventLogHandle publisherMetadataHandle, 1322 EventLogHandle eventHandle, 1323 uint messageId, 1324 int valueCount, 1325 EvtStringVariant [] values, 1326 [MarshalAs(UnmanagedType.I4)]EvtFormatMessageFlags flags, 1327 int bufferSize, 1328 [Out, MarshalAs(UnmanagedType.LPWStr)]StringBuilder buffer, 1329 out int bufferUsed 1330 ); 1331 1332 [DllImport(WEVTAPI, EntryPoint = "EvtFormatMessage", CallingConvention = CallingConvention.Winapi, CharSet = CharSet.Auto, SetLastError = true)] 1333 [SecurityCritical] 1334 [return: MarshalAs(UnmanagedType.Bool)] EvtFormatMessageBuffer( EventLogHandle publisherMetadataHandle, EventLogHandle eventHandle, uint messageId, int valueCount, IntPtr values, [MarshalAs(UnmanagedType.I4)]EvtFormatMessageFlags flags, int bufferSize, IntPtr buffer, out int bufferUsed )1335 internal static extern bool EvtFormatMessageBuffer( 1336 EventLogHandle publisherMetadataHandle, 1337 EventLogHandle eventHandle, 1338 uint messageId, 1339 int valueCount, 1340 IntPtr values, 1341 [MarshalAs(UnmanagedType.I4)]EvtFormatMessageFlags flags, 1342 int bufferSize, 1343 IntPtr buffer, 1344 out int bufferUsed 1345 ); 1346 1347 //SESSION 1348 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1349 [SecurityCritical] EvtOpenSession( [MarshalAs(UnmanagedType.I4)]EvtLoginClass loginClass, ref EvtRpcLogin login, int timeout, int flags )1350 internal static extern EventLogHandle EvtOpenSession( 1351 [MarshalAs(UnmanagedType.I4)]EvtLoginClass loginClass, 1352 ref EvtRpcLogin login, 1353 int timeout, 1354 int flags 1355 ); 1356 1357 //BOOKMARK 1358 [DllImport(WEVTAPI, EntryPoint = "EvtCreateBookmark", CharSet = CharSet.Auto, SetLastError = true)] 1359 [SecurityCritical] EvtCreateBookmark( [MarshalAs(UnmanagedType.LPWStr)] string bookmarkXml )1360 internal static extern EventLogHandle EvtCreateBookmark( 1361 [MarshalAs(UnmanagedType.LPWStr)] string bookmarkXml 1362 ); 1363 1364 [DllImport(WEVTAPI, CharSet = CharSet.Auto, SetLastError = true)] 1365 [SecurityCritical] 1366 [return: MarshalAs(UnmanagedType.Bool)] EvtUpdateBookmark( EventLogHandle bookmark, EventLogHandle eventHandle )1367 internal static extern bool EvtUpdateBookmark( 1368 EventLogHandle bookmark, 1369 EventLogHandle eventHandle 1370 ); 1371 // 1372 // EventLog 1373 // 1374 1375 // 1376 // Memory Mapped File 1377 // 1378 [StructLayout(LayoutKind.Sequential)] 1379 #pragma warning disable 618 // Ssytem.Core still uses SecurityRuleSet.Level1 1380 [SecurityCritical(SecurityCriticalScope.Everything)] 1381 #pragma warning restore 618 1382 internal unsafe struct MEMORY_BASIC_INFORMATION { 1383 internal void* BaseAddress; 1384 internal void* AllocationBase; 1385 internal uint AllocationProtect; 1386 internal UIntPtr RegionSize; 1387 internal uint State; 1388 internal uint Protect; 1389 internal uint Type; 1390 } 1391 1392 [StructLayout(LayoutKind.Sequential)] 1393 internal struct SYSTEM_INFO { 1394 internal int dwOemId; // This is a union of a DWORD and a struct containing 2 WORDs. 1395 internal int dwPageSize; 1396 internal IntPtr lpMinimumApplicationAddress; 1397 internal IntPtr lpMaximumApplicationAddress; 1398 internal IntPtr dwActiveProcessorMask; 1399 internal int dwNumberOfProcessors; 1400 internal int dwProcessorType; 1401 internal int dwAllocationGranularity; 1402 internal short wProcessorLevel; 1403 internal short wProcessorRevision; 1404 } 1405 1406 [DllImport(KERNEL32, SetLastError = true)] 1407 [SecurityCritical] GetSystemInfo(ref SYSTEM_INFO lpSystemInfo)1408 internal static extern void GetSystemInfo(ref SYSTEM_INFO lpSystemInfo); 1409 1410 [DllImport(KERNEL32, ExactSpelling = true)] 1411 [SecurityCritical] 1412 [return: MarshalAs(UnmanagedType.Bool)] UnmapViewOfFile(IntPtr lpBaseAddress)1413 internal static extern bool UnmapViewOfFile(IntPtr lpBaseAddress); 1414 1415 [DllImport(KERNEL32, SetLastError = true)] 1416 [SecurityCritical] GetFileSize( SafeMemoryMappedFileHandle hFile, out int highSize )1417 internal static extern int GetFileSize( 1418 SafeMemoryMappedFileHandle hFile, 1419 out int highSize 1420 ); 1421 1422 [DllImport(KERNEL32, SetLastError = true)] 1423 [SecurityCritical] VirtualQuery( SafeMemoryMappedViewHandle address, ref MEMORY_BASIC_INFORMATION buffer, IntPtr sizeOfBuffer )1424 unsafe internal static extern IntPtr VirtualQuery( 1425 SafeMemoryMappedViewHandle address, 1426 ref MEMORY_BASIC_INFORMATION buffer, 1427 IntPtr sizeOfBuffer 1428 ); 1429 1430 [DllImport(KERNEL32, SetLastError = true, CharSet = CharSet.Auto, BestFitMapping = false)] 1431 [SecurityCritical] CreateFileMapping( SafeFileHandle hFile, SECURITY_ATTRIBUTES lpAttributes, int fProtect, int dwMaximumSizeHigh, int dwMaximumSizeLow, String lpName )1432 internal static extern SafeMemoryMappedFileHandle CreateFileMapping( 1433 SafeFileHandle hFile, 1434 SECURITY_ATTRIBUTES lpAttributes, 1435 int fProtect, 1436 int dwMaximumSizeHigh, 1437 int dwMaximumSizeLow, 1438 String lpName 1439 ); 1440 1441 [DllImport(KERNEL32, ExactSpelling = true, SetLastError = true)] 1442 [SecurityCritical] 1443 [return: MarshalAs(UnmanagedType.Bool)] FlushViewOfFile( byte* lpBaseAddress, IntPtr dwNumberOfBytesToFlush )1444 unsafe internal static extern bool FlushViewOfFile( 1445 byte* lpBaseAddress, 1446 IntPtr dwNumberOfBytesToFlush 1447 ); 1448 1449 [DllImport(KERNEL32, SetLastError = true, CharSet = CharSet.Auto, BestFitMapping = false)] 1450 [SecurityCritical] OpenFileMapping( int dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, string lpName )1451 internal static extern SafeMemoryMappedFileHandle OpenFileMapping( 1452 int dwDesiredAccess, 1453 [MarshalAs(UnmanagedType.Bool)] 1454 bool bInheritHandle, 1455 string lpName 1456 ); 1457 1458 [DllImport(KERNEL32, SetLastError = true, ExactSpelling = true)] 1459 [SecurityCritical] MapViewOfFile( SafeMemoryMappedFileHandle handle, int dwDesiredAccess, uint dwFileOffsetHigh, uint dwFileOffsetLow, UIntPtr dwNumberOfBytesToMap )1460 internal static extern SafeMemoryMappedViewHandle MapViewOfFile( 1461 SafeMemoryMappedFileHandle handle, 1462 int dwDesiredAccess, 1463 uint dwFileOffsetHigh, 1464 uint dwFileOffsetLow, 1465 UIntPtr dwNumberOfBytesToMap 1466 ); 1467 1468 [DllImport(KERNEL32, SetLastError = true)] 1469 [SecurityCritical] VirtualAlloc( SafeMemoryMappedViewHandle address, UIntPtr numBytes, int commitOrReserve, int pageProtectionMode )1470 unsafe internal static extern IntPtr VirtualAlloc( 1471 SafeMemoryMappedViewHandle address, 1472 UIntPtr numBytes, 1473 int commitOrReserve, 1474 int pageProtectionMode 1475 ); 1476 1477 [SecurityCritical] GlobalMemoryStatusEx(ref MEMORYSTATUSEX lpBuffer)1478 internal static bool GlobalMemoryStatusEx(ref MEMORYSTATUSEX lpBuffer) 1479 { 1480 lpBuffer.dwLength = (uint)Marshal.SizeOf(typeof(MEMORYSTATUSEX)); 1481 return GlobalMemoryStatusExNative(ref lpBuffer); 1482 } 1483 1484 [DllImport(KERNEL32, CharSet = CharSet.Auto, SetLastError = true, EntryPoint = "GlobalMemoryStatusEx")] 1485 [SecurityCritical] 1486 [return: MarshalAs(UnmanagedType.Bool)] GlobalMemoryStatusExNative([In, Out] ref MEMORYSTATUSEX lpBuffer)1487 private static extern bool GlobalMemoryStatusExNative([In, Out] ref MEMORYSTATUSEX lpBuffer); 1488 1489 [DllImport(KERNEL32, SetLastError = true)] 1490 [SecurityCritical] CancelIoEx(SafeHandle handle, NativeOverlapped* lpOverlapped)1491 internal static unsafe extern bool CancelIoEx(SafeHandle handle, NativeOverlapped* lpOverlapped); 1492 1493 [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)] 1494 internal struct MEMORYSTATUSEX { 1495 internal uint dwLength; 1496 internal uint dwMemoryLoad; 1497 internal ulong ullTotalPhys; 1498 internal ulong ullAvailPhys; 1499 internal ulong ullTotalPageFile; 1500 internal ulong ullAvailPageFile; 1501 internal ulong ullTotalVirtual; 1502 internal ulong ullAvailVirtual; 1503 internal ulong ullAvailExtendedVirtual; 1504 } 1505 } 1506 } 1507