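/*
 * Unit tests for Event Logging functions
 *
 * Copyright (c) 2009 Paul Vriens
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
 */

#include <stdarg.h>

#include "initguid.h"
#include "windef.h"
#include "winbase.h"
#include "winerror.h"
#include "winnt.h"
#include "winreg.h"
#include "sddl.h"
#include "wmistr.h"
#include "evntrace.h"

#include "wine/test.h"

/* Optional exports, resolved at run time by init_function_pointers().
 * Each pointer stays NULL when the running system does not export the
 * function, so every caller has to test the pointer before using it.
 */
static BOOL (WINAPI *pCreateWellKnownSid)(WELL_KNOWN_SID_TYPE,PSID,PSID,DWORD*);
static BOOL (WINAPI *pGetEventLogInformation)(HANDLE,DWORD,LPVOID,DWORD,LPDWORD);

static BOOL (WINAPI *pGetComputerNameExA)(COMPUTER_NAME_FORMAT,LPSTR,LPDWORD);
static BOOL (WINAPI *pWow64DisableWow64FsRedirection)(PVOID *);
static BOOL (WINAPI *pWow64RevertWow64FsRedirection)(PVOID);

/* Look up the optional advapi32/kernel32 exports by name.
 * GetProcAddress() returns NULL for a missing export; no error is reported here.
 */
static void init_function_pointers(void)
{
    HMODULE hadvapi32 = GetModuleHandleA("advapi32.dll");
    HMODULE hkernel32 = GetModuleHandleA("kernel32.dll");

    pCreateWellKnownSid = (void*)GetProcAddress(hadvapi32, "CreateWellKnownSid");
    pGetEventLogInformation = (void*)GetProcAddress(hadvapi32, "GetEventLogInformation");

    pGetComputerNameExA = (void*)GetProcAddress(hkernel32, "GetComputerNameExA");
    pWow64DisableWow64FsRedirection = (void*)GetProcAddress(hkernel32, "Wow64DisableWow64FsRedirection");
    pWow64RevertWow64FsRedirection = (void*)GetProcAddress(hkernel32, "Wow64RevertWow64FsRedirection");
}

/* Back up the 'Application' eventlog to 'filename'.
 *
 * Returns FALSE (after a skip) when the caller lacks the privilege needed for
 * the backup, TRUE otherwise. TRUE does not guarantee that the file exists:
 * the existence check is a todo_wine test, so callers that need the file must
 * check for it themselves.
 *
 * NOTE: 'filename' is used as given. The callers pass bare names, so the file
 * is resolved against the current directory and any existing file with that
 * name is deleted first.
 */
static BOOL create_backup(const char *filename)
{
    HANDLE handle;
    DWORD rc, attribs;

    DeleteFileA(filename);
    handle = OpenEventLogA(NULL, "Application");
    rc = BackupEventLogA(handle, filename);
    if (!rc && GetLastError() == ERROR_PRIVILEGE_NOT_HELD)
    {
        skip("insufficient privileges to backup the eventlog\n");
        CloseEventLog(handle);
        return FALSE;
    }
    ok(rc, "BackupEventLogA failed, le=%u\n", GetLastError());
    CloseEventLog(handle);

    attribs = GetFileAttributesA(filename);
    todo_wine
    ok(attribs != INVALID_FILE_ATTRIBUTES, "Expected a backup file attribs=%#x le=%u\n", attribs, GetLastError());
    return TRUE;
}

/* Parameter validation and basic behaviour of OpenEventLogA/CloseEventLog. */
static void test_open_close(void)
{
    HANDLE handle;
    BOOL ret;

    SetLastError(0xdeadbeef);
    ret = CloseEventLog(NULL);
    ok(!ret, "Expected failure\n");
    ok(GetLastError() == ERROR_INVALID_HANDLE ||
       GetLastError() == ERROR_NOACCESS, /* W2K */
       "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());

    SetLastError(0xdeadbeef);
    handle = OpenEventLogA(NULL, NULL);
    ok(handle == NULL, "Didn't expect a handle\n");
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());

    SetLastError(0xdeadbeef);
    handle = OpenEventLogA("IDontExist", NULL);
    ok(handle == NULL, "Didn't expect a handle\n");
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());

    SetLastError(0xdeadbeef);
    handle = OpenEventLogA("IDontExist", "deadbeef");
    ok(handle == NULL, "Didn't expect a handle\n");
    ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE ||
       GetLastError() == RPC_S_INVALID_NET_ADDR, /* Some Vista and Win7 */
       "Expected RPC_S_SERVER_UNAVAILABLE, got %d\n", GetLastError());

    /* This one opens the Application log */
    handle = OpenEventLogA(NULL, "deadbeef");
    ok(handle != NULL, "Expected a handle\n");
    ret = CloseEventLog(handle);
    ok(ret, "Expected success\n");
    /* Close a second time */
    SetLastError(0xdeadbeef);
    ret = CloseEventLog(handle);
    todo_wine
    {
    ok(!ret, "Expected failure\n");
    ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
    }

    /* Empty servername should be read as local server */
    handle = OpenEventLogA("", "Application");
    ok(handle != NULL, "Expected a handle\n");
    CloseEventLog(handle);

    handle = OpenEventLogA(NULL, "Application");
    ok(handle != NULL, "Expected a handle\n");
    CloseEventLog(handle);
}

/* Parameter validation and the size handshake of GetEventLogInformation. */
static void test_info(void)
{
    HANDLE handle;
    BOOL ret;
    DWORD needed;
    /* Declared with the structure type rather than as a BYTE array so that the
     * buffer is suitably aligned for the DWORD member; sizeof(buffer) is unchanged.
     */
    EVENTLOG_FULL_INFORMATION buffer[2];
    EVENTLOG_FULL_INFORMATION *efi = buffer;

    if (!pGetEventLogInformation)
    {
        /* NT4 */
        win_skip("GetEventLogInformation is not available\n");
        return;
    }
    SetLastError(0xdeadbeef);
    ret = pGetEventLogInformation(NULL, 1, NULL, 0, NULL);
    ok(!ret, "Expected failure\n");
    ok(GetLastError() == ERROR_INVALID_LEVEL, "Expected ERROR_INVALID_LEVEL, got %d\n", GetLastError());

    SetLastError(0xdeadbeef);
    ret = pGetEventLogInformation(NULL, EVENTLOG_FULL_INFO, NULL, 0, NULL);
    ok(!ret, "Expected failure\n");
    ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());

    handle = OpenEventLogA(NULL, "Application");

    SetLastError(0xdeadbeef);
    ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, NULL, 0, NULL);
    ok(!ret, "Expected failure\n");
    ok(GetLastError() == RPC_X_NULL_REF_POINTER, "Expected RPC_X_NULL_REF_POINTER, got %d\n", GetLastError());

    SetLastError(0xdeadbeef);
    ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, NULL, 0, &needed);
    ok(!ret, "Expected failure\n");
    ok(GetLastError() == RPC_X_NULL_REF_POINTER, "Expected RPC_X_NULL_REF_POINTER, got %d\n", GetLastError());

    SetLastError(0xdeadbeef);
    ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, efi, 0, NULL);
    ok(!ret, "Expected failure\n");
    ok(GetLastError() == RPC_X_NULL_REF_POINTER, "Expected RPC_X_NULL_REF_POINTER, got %d\n", GetLastError());

    /* A too small buffer reports the required size and must not touch the output */
    SetLastError(0xdeadbeef);
    needed = 0xdeadbeef;
    efi->dwFull = 0xdeadbeef;
    ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, efi, 0, &needed);
    ok(!ret, "Expected failure\n");
    ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
    ok(needed == sizeof(EVENTLOG_FULL_INFORMATION), "Expected sizeof(EVENTLOG_FULL_INFORMATION), got %d\n", needed);
    ok(efi->dwFull == 0xdeadbeef, "Expected no change to the dwFull member\n");

    /* Not that we care, but on success last error is set to ERROR_IO_PENDING */
    efi->dwFull = 0xdeadbeef;
    needed = sizeof(buffer);
    ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, efi, needed, &needed);
    ok(ret, "Expected success\n");
    ok(needed == sizeof(EVENTLOG_FULL_INFORMATION), "Expected sizeof(EVENTLOG_FULL_INFORMATION), got %d\n", needed);
    ok(efi->dwFull == 0 || efi->dwFull == 1, "Expected 0 (not full) or 1 (full), got %d\n", efi->dwFull);

    CloseEventLog(handle);
}

/* GetNumberOfEventLogRecords on invalid arguments, a live log and a backup log. */
static void test_count(void)
{
    HANDLE handle;
    BOOL ret;
    DWORD count;
    const char backup[] = "backup.evt";

    SetLastError(0xdeadbeef);
    ret = GetNumberOfEventLogRecords(NULL, NULL);
    ok(!ret, "Expected failure\n");
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());

    SetLastError(0xdeadbeef);
    count = 0xdeadbeef;
    ret = GetNumberOfEventLogRecords(NULL, &count);
    ok(!ret, "Expected failure\n");
    ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
    ok(count == 0xdeadbeef, "Expected count to stay unchanged\n");

    handle = OpenEventLogA(NULL, "Application");

    SetLastError(0xdeadbeef);
    ret = GetNumberOfEventLogRecords(handle, NULL);
    ok(!ret, "Expected failure\n");
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());

    count = 0xdeadbeef;
    ret = GetNumberOfEventLogRecords(handle, &count);
    ok(ret, "Expected success\n");
    ok(count != 0xdeadbeef, "Expected the number of records\n");

    CloseEventLog(handle);

    /* Make a backup eventlog to work with */
    if (create_backup(backup))
    {
        /* The handle may be NULL here (the open is a todo_wine test); the calls
         * below are then expected to fail, which the todo_wine block tolerates.
         */
        handle = OpenBackupEventLogA(NULL, backup);
        todo_wine
        ok(handle != NULL, "Expected a handle, le=%d\n", GetLastError());

        /* Does GetNumberOfEventLogRecords work with backup eventlogs? */
        count = 0xdeadbeef;
        ret = GetNumberOfEventLogRecords(handle, &count);
        todo_wine
        {
        ok(ret, "Expected success\n");
        ok(count != 0xdeadbeef, "Expected the number of records\n");
        }

        CloseEventLog(handle);
        DeleteFileA(backup);
    }
}

/* GetOldestEventLogRecord on invalid arguments, a live log and a backup log. */
static void test_oldest(void)
{
    HANDLE handle;
    BOOL ret;
    DWORD oldest;
    const char backup[] = "backup.evt";

    SetLastError(0xdeadbeef);
    ret = GetOldestEventLogRecord(NULL, NULL);
    ok(!ret, "Expected failure\n");
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());

    SetLastError(0xdeadbeef);
    oldest = 0xdeadbeef;
    ret = GetOldestEventLogRecord(NULL, &oldest);
    ok(!ret, "Expected failure\n");
    ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
    ok(oldest == 0xdeadbeef, "Expected oldest to stay unchanged\n");

    handle = OpenEventLogA(NULL, "Application");

    SetLastError(0xdeadbeef);
    ret = GetOldestEventLogRecord(handle, NULL);
    ok(!ret, "Expected failure\n");
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());

    oldest = 0xdeadbeef;
    ret = GetOldestEventLogRecord(handle, &oldest);
    ok(ret, "Expected success\n");
    ok(oldest != 0xdeadbeef, "Expected the number of the oldest record\n");

    CloseEventLog(handle);

    /* Make a backup eventlog to work with */
    if (create_backup(backup))
    {
        /* As in test_count(): the handle may be NULL and the calls below may fail */
        handle = OpenBackupEventLogA(NULL, backup);
        todo_wine
        ok(handle != NULL, "Expected a handle\n");

        /* Does GetOldestEventLogRecord work with backup eventlogs? */
        oldest = 0xdeadbeef;
        ret = GetOldestEventLogRecord(handle, &oldest);
        todo_wine
        {
        ok(ret, "Expected success\n");
        ok(oldest != 0xdeadbeef, "Expected the number of the oldest record\n");
        }

        CloseEventLog(handle);
        DeleteFileA(backup);
    }
}

/* BackupEventLogA: parameter validation, refusal to overwrite an existing
 * file, and backing up a backup. Both files are created in the current
 * directory and removed at the end of the test.
 */
static void test_backup(void)
{
    HANDLE handle;
    BOOL ret;
    const char backup[] = "backup.evt";
    const char backup2[] = "backup2.evt";

    SetLastError(0xdeadbeef);
    ret = BackupEventLogA(NULL, NULL);
    ok(!ret, "Expected failure\n");
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());

    SetLastError(0xdeadbeef);
    ret = BackupEventLogA(NULL, backup);
    ok(!ret, "Expected failure\n");
    ok(GetFileAttributesA(backup) == INVALID_FILE_ATTRIBUTES, "Expected no backup file\n");

    handle = OpenEventLogA(NULL, "Application");

    SetLastError(0xdeadbeef);
    ret = BackupEventLogA(handle, NULL);
    ok(!ret, "Expected failure\n");
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());

    ret = BackupEventLogA(handle, backup);
    if (!ret && GetLastError() == ERROR_PRIVILEGE_NOT_HELD)
    {
        skip("insufficient privileges for backup tests\n");
        CloseEventLog(handle);
        return;
    }
    ok(ret, "Expected success\n");
    todo_wine
    ok(GetFileAttributesA(backup) != INVALID_FILE_ATTRIBUTES, "Expected a backup file\n");

    /* Try to overwrite */
    SetLastError(0xdeadbeef);
    ret = BackupEventLogA(handle, backup);
    todo_wine
    {
    ok(!ret, "Expected failure\n");
    ok(GetLastError() == ERROR_ALREADY_EXISTS, "Expected ERROR_ALREADY_EXISTS, got %d\n", GetLastError());
    }

    CloseEventLog(handle);

    /* Can we make a backup of a backup? */
    handle = OpenBackupEventLogA(NULL, backup);
    todo_wine
    ok(handle != NULL, "Expected a handle\n");

    ret = BackupEventLogA(handle, backup2);
    todo_wine
    {
    ok(ret, "Expected success\n");
    ok(GetFileAttributesA(backup2) != INVALID_FILE_ATTRIBUTES, "Expected a backup file\n");
    }

    CloseEventLog(handle);
    DeleteFileA(backup);
    DeleteFileA(backup2);
}

/* ReadEventLogA: parameter and flag validation, then the two-step
 * "ask for the size, read the record" sequence on the 'Application' log.
 */
static void test_read(void)
{
    HANDLE handle;
    BOOL ret;
    DWORD count, toread, read, needed;
    void *buf, *newbuf;

    SetLastError(0xdeadbeef);
    ret = ReadEventLogA(NULL, 0, 0, NULL, 0, NULL, NULL);
    ok(!ret, "Expected failure\n");
    todo_wine
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());

    read = 0xdeadbeef;
    SetLastError(0xdeadbeef);
    ret = ReadEventLogA(NULL, 0, 0, NULL, 0, &read, NULL);
    ok(!ret, "Expected failure\n");
    ok(read == 0xdeadbeef, "Expected 'read' parameter to remain unchanged\n");
    todo_wine
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());

    needed = 0xdeadbeef;
    SetLastError(0xdeadbeef);
    ret = ReadEventLogA(NULL, 0, 0, NULL, 0, NULL, &needed);
    ok(!ret, "Expected failure\n");
    ok(needed == 0xdeadbeef, "Expected 'needed' parameter to remain unchanged\n");
    todo_wine
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());

    /* 'read' and 'needed' are only filled when the needed buffer size is passed back or when the call succeeds */
    SetLastError(0xdeadbeef);
    ret = ReadEventLogA(NULL, 0, 0, NULL, 0, &read, &needed);
    ok(!ret, "Expected failure\n");
    todo_wine
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());

    SetLastError(0xdeadbeef);
    ret = ReadEventLogA(NULL, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, NULL, 0, NULL, NULL);
    ok(!ret, "Expected failure\n");
    todo_wine
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());

    SetLastError(0xdeadbeef);
    ret = ReadEventLogA(NULL, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, NULL, 0, &read, &needed);
    ok(!ret, "Expected failure\n");
    todo_wine
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());

    buf = NULL;
    SetLastError(0xdeadbeef);
    ret = ReadEventLogA(NULL, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
                        0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
    ok(!ret, "Expected failure\n");
    todo_wine
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());

    buf = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD));
    SetLastError(0xdeadbeef);
    ret = ReadEventLogA(NULL, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
                        0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
    ok(!ret, "Expected failure\n");
    todo_wine
    ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
    HeapFree(GetProcessHeap(), 0, buf);

    handle = OpenEventLogA(NULL, "Application");

    /* Show that we need the proper dwFlags with a (for the rest) proper call */
    buf = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD));

    SetLastError(0xdeadbeef);
    ret = ReadEventLogA(handle, 0, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
    ok(!ret, "Expected failure\n");
    todo_wine
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());

    SetLastError(0xdeadbeef);
    ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
    ok(!ret, "Expected failure\n");
    todo_wine
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());

    SetLastError(0xdeadbeef);
    ret = ReadEventLogA(handle, EVENTLOG_SEEK_READ, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
    ok(!ret, "Expected failure\n");
    todo_wine
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());

    SetLastError(0xdeadbeef);
    ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ | EVENTLOG_BACKWARDS_READ,
                        0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
    ok(!ret, "Expected failure\n");
    todo_wine
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());

    SetLastError(0xdeadbeef);
    ret = ReadEventLogA(handle, EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ | EVENTLOG_BACKWARDS_READ,
                        0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
    ok(!ret, "Expected failure\n");
    todo_wine
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());

    SetLastError(0xdeadbeef);
    ret = ReadEventLogA(handle, EVENTLOG_SEEK_READ | EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
                        0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
    ok(!ret, "Expected failure\n");
    todo_wine
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());

    HeapFree(GetProcessHeap(), 0, buf);

    /* First check if there are any records (in practice only on Wine: FIXME) */
    count = 0;
    GetNumberOfEventLogRecords(handle, &count);
    if (!count)
    {
        skip("No records in the 'Application' log\n");
        CloseEventLog(handle);
        return;
    }

    /* Get the buffer size for the first record */
    buf = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD));
    read = needed = 0xdeadbeef;
    SetLastError(0xdeadbeef);
    ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
                        0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
    ok(!ret, "Expected failure\n");
    ok(read == 0, "Expected no bytes read\n");
    ok(needed > sizeof(EVENTLOGRECORD), "Expected the needed buffersize to be bigger than sizeof(EVENTLOGRECORD)\n");
    ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());

    /* Read the first record.
     * 'needed' was written by the call above and is used as the allocation
     * size. If that call did not fill it in, it still holds the 0xdeadbeef
     * marker, so the resize can fail; keep the old pointer until it succeeds
     * so that nothing is leaked and no NULL buffer is handed to ReadEventLogA.
     */
    toread = needed;
    newbuf = HeapReAlloc(GetProcessHeap(), 0, buf, toread);
    if (!newbuf)
    {
        skip("Could not resize the read buffer to %u bytes\n", toread);
        HeapFree(GetProcessHeap(), 0, buf);
        CloseEventLog(handle);
        return;
    }
    buf = newbuf;
    read = needed = 0xdeadbeef;
    SetLastError(0xdeadbeef);
    ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, buf, toread, &read, &needed);
    ok(ret, "Expected success\n");
    ok(read == toread ||
       broken(read < toread), /* NT4 wants a buffer size way bigger than just 1 record */
       "Expected the requested size to be read\n");
    ok(needed == 0, "Expected no extra bytes to be read\n");
    HeapFree(GetProcessHeap(), 0, buf);

    CloseEventLog(handle);
}

/* OpenBackupEventLogA: parameter validation, opening a real backup (also more
 * than once), and rejection of files that are not valid eventlog backups.
 */
static void test_openbackup(void)
{
    HANDLE handle, handle2, file;
    DWORD written;
    const char backup[] = "backup.evt";
    const char text[] = "Just some text";

    SetLastError(0xdeadbeef);
    handle = OpenBackupEventLogA(NULL, NULL);
    ok(handle == NULL, "Didn't expect a handle\n");
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());

    SetLastError(0xdeadbeef);
    handle = OpenBackupEventLogA(NULL, "idontexist.evt");
    ok(handle == NULL, "Didn't expect a handle\n");
    ok(GetLastError() == ERROR_FILE_NOT_FOUND, "Expected ERROR_FILE_NOT_FOUND, got %d\n", GetLastError());

    SetLastError(0xdeadbeef);
    handle = OpenBackupEventLogA("IDontExist", NULL);
    ok(handle == NULL, "Didn't expect a handle\n");
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());

    SetLastError(0xdeadbeef);
    handle = OpenBackupEventLogA("IDontExist", "idontexist.evt");
    ok(handle == NULL, "Didn't expect a handle\n");
    ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE ||
       GetLastError() == RPC_S_INVALID_NET_ADDR, /* Some Vista and Win7 */
       "Expected RPC_S_SERVER_UNAVAILABLE, got %d\n", GetLastError());

    /* Make a backup eventlog to work with */
    if (create_backup(backup))
    {
        /* FIXME: Wine stops here */
        if (GetFileAttributesA(backup) == INVALID_FILE_ATTRIBUTES)
        {
            skip("We don't have a backup eventlog to work with\n");
            return;
        }

        SetLastError(0xdeadbeef);
        handle = OpenBackupEventLogA("IDontExist", backup);
        ok(handle == NULL, "Didn't expect a handle\n");
        ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE ||
           GetLastError() == RPC_S_INVALID_NET_ADDR, /* Some Vista and Win7 */
           "Expected RPC_S_SERVER_UNAVAILABLE, got %d\n", GetLastError());

        /* Empty servername should be read as local server */
        handle = OpenBackupEventLogA("", backup);
        ok(handle != NULL, "Expected a handle\n");
        CloseEventLog(handle);

        handle = OpenBackupEventLogA(NULL, backup);
        ok(handle != NULL, "Expected a handle\n");

        /* Can we open that same backup eventlog more than once? */
        handle2 = OpenBackupEventLogA(NULL, backup);
        ok(handle2 != NULL, "Expected a handle\n");
        ok(handle2 != handle, "Didn't expect the same handle\n");
        CloseEventLog(handle2);

        CloseEventLog(handle);
        DeleteFileA(backup);
    }

    /* Is there any content checking done?
     * First an empty file, then a file holding arbitrary text; neither may be
     * accepted as an eventlog. The CreateFileA result is not checked, and
     * CREATE_NEW fails if a stale file of that name is still present.
     */
    file = CreateFileA(backup, GENERIC_WRITE, 0, NULL, CREATE_NEW, 0, NULL);
    CloseHandle(file);
    SetLastError(0xdeadbeef);
    handle = OpenBackupEventLogA(NULL, backup);
    ok(handle == NULL, "Didn't expect a handle\n");
    ok(GetLastError() == ERROR_NOT_ENOUGH_MEMORY ||
       GetLastError() == ERROR_EVENTLOG_FILE_CORRUPT, /* Vista and Win7 */
       "Expected ERROR_NOT_ENOUGH_MEMORY, got %d\n", GetLastError());
    CloseEventLog(handle);
    DeleteFileA(backup);

    file = CreateFileA(backup, GENERIC_WRITE, 0, NULL, CREATE_NEW, 0, NULL);
    WriteFile(file, text, sizeof(text), &written, NULL);
    CloseHandle(file);
    SetLastError(0xdeadbeef);
    handle = OpenBackupEventLogA(NULL, backup);
    ok(handle == NULL, "Didn't expect a handle\n");
    ok(GetLastError() == ERROR_EVENTLOG_FILE_CORRUPT, "Expected ERROR_EVENTLOG_FILE_CORRUPT, got %d\n", GetLastError());
    CloseEventLog(handle);
    DeleteFileA(backup);
}

/* ClearEventLogA: invalid handles, and proof that a backup eventlog cannot be
 * cleared. Only a backup is used here; no live log is cleared by this test.
 */
static void test_clear(void)
{
    HANDLE handle;
    BOOL ret;
    const char backup[] = "backup.evt";
    const char backup2[] = "backup2.evt";

    SetLastError(0xdeadbeef);
    ret = ClearEventLogA(NULL, NULL);
    ok(!ret, "Expected failure\n");
    ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());

    /* Make a backup eventlog to work with */
    if (!create_backup(backup))
        return;

    SetLastError(0xdeadbeef);
    ret = ClearEventLogA(NULL, backup);
    ok(!ret, "Expected failure\n");
    ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());

    handle = OpenBackupEventLogA(NULL, backup);
    todo_wine
    ok(handle != NULL, "Expected a handle\n");

    /* A real eventlog would fail with ERROR_ALREADY_EXISTS */
    SetLastError(0xdeadbeef);
    ret = ClearEventLogA(handle, backup);
    ok(!ret, "Expected failure\n");
    /* The eventlog service runs under an account that doesn't have the necessary
     * permissions on the users home directory on a default Vista+ system.
     */
    ok(GetLastError() == ERROR_INVALID_HANDLE ||
       GetLastError() == ERROR_ACCESS_DENIED, /* Vista+ */
       "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());

    /* Show that ClearEventLog only works for real eventlogs. */
    SetLastError(0xdeadbeef);
    ret = ClearEventLogA(handle, backup2);
    ok(!ret, "Expected failure\n");
    ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
    ok(GetFileAttributesA(backup2) == INVALID_FILE_ATTRIBUTES, "Expected no backup file\n");

    SetLastError(0xdeadbeef);
    ret = ClearEventLogA(handle, NULL);
    ok(!ret, "Expected failure\n");
    ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());

    CloseEventLog(handle);
    todo_wine
    ok(DeleteFileA(backup), "Could not delete the backup file\n");
}

/* Registry location of the EventLog service, the name of the test eventlog
 * created below it, and the event sources registered for that log. The second
 * dimension of eventsources leaves room for the longest name plus its
 * terminating NUL.
 */
static const char eventlogsvc[] = "SYSTEM\\CurrentControlSet\\Services\\Eventlog";
static const char eventlogname[] = "Wine";
static const char eventsources[][11] = { "WineSrc", "WineSrc1", "WineSrc20", "WineSrc300" };

/* Create the test eventlog key and its event source keys under the EventLog
 * service key in HKEY_LOCAL_MACHINE.
 *
 * Returns TRUE when every key was created, FALSE (after a skip) otherwise.
 * Keys created before a failure are not removed here.
 */
static BOOL create_new_eventlog(void)
{
    HKEY key, eventkey = NULL;
    BOOL bret = FALSE;
    LONG lret;
    DWORD i;

    /* First create our eventlog */
    lret = RegOpenKeyA(HKEY_LOCAL_MACHINE, eventlogsvc, &key);
    if (lret != ERROR_SUCCESS)
    {
        skip("Could not open the EventLog service registry key\n");
        return FALSE;
    }
    lret = RegCreateKeyA(key, eventlogname, &eventkey);
    if (lret != ERROR_SUCCESS)
    {
        skip("Could not create the eventlog '%s' registry key\n", eventlogname);
        /* Nothing was returned in eventkey; make sure cleanup does not close it */
        eventkey = NULL;
        goto cleanup;
    }

    /* Create some event sources, the registry value 'Sources' is updated automatically */
    for (i = 0; i < sizeof(eventsources)/sizeof(eventsources[0]); i++)
    {
        HKEY srckey;

        lret = RegCreateKeyA(eventkey, eventsources[i], &srckey);
        if (lret != ERROR_SUCCESS)
        {
            skip("Could not create the eventsource '%s' registry key\n", eventsources[i]);
            goto cleanup;
        }
        RegFlushKey(srckey);
        RegCloseKey(srckey);
    }

    bret = TRUE;

    /* The flushing of the registry (here and above) gives us some assurance
     * that we are not to quickly writing events as 'Sources' could still be
     * not updated.
     */
    RegFlushKey(eventkey);
cleanup:
    /* eventkey is only valid once RegCreateKeyA has succeeded */
    if (eventkey)
        RegCloseKey(eventkey);
    RegCloseKey(key);

    return bret;
}

/* Events written by test_readwrite(): source name, type, category, id,
 * whether a user SID is passed along, and the insertion strings.
 */
static const char *one_string[] = { "First string" };
static const char *two_strings[] = { "First string", "Second string" };
static const struct
{
    const char  *evt_src;
    WORD         evt_type;
    WORD         evt_cat;
    DWORD        evt_id;
    BOOL         evt_sid;
    WORD         evt_numstrings;
    const char **evt_strings;
} read_write [] =
{
    { eventlogname,    EVENTLOG_INFORMATION_TYPE, 1, 1,  FALSE, 1, one_string },
    { eventsources[0], EVENTLOG_WARNING_TYPE,     1, 2,  FALSE, 0, NULL },
    { eventsources[1], EVENTLOG_AUDIT_FAILURE,    1, 3,  FALSE, 2, two_strings },
    { eventsources[2], EVENTLOG_ERROR_TYPE,       1, 4,  FALSE, 0, NULL },
    { eventsources[3], EVENTLOG_WARNING_TYPE,     1, 5,  FALSE, 1, one_string },
    { eventlogname,    EVENTLOG_SUCCESS,          2, 6,  TRUE,  2, two_strings },
    { eventsources[0], EVENTLOG_AUDIT_FAILURE,    2, 7,  TRUE,  0, NULL },
    { eventsources[1], EVENTLOG_AUDIT_SUCCESS,    2, 8,  TRUE,  2, two_strings },
    { eventsources[2], EVENTLOG_WARNING_TYPE,     2, 9,  TRUE,  0, NULL },
    { eventsources[3], EVENTLOG_ERROR_TYPE,       2, 10, TRUE,  1, one_string }
};

static void test_readwrite(void)
{
    HANDLE handle;
    PSID user;
    DWORD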
sidsize, count; 735 BOOL ret, sidavailable; 736 BOOL on_vista = FALSE; /* Used to indicate Vista, W2K8 or Win7 */ 737 DWORD i; 738 char *localcomputer = NULL; 739 DWORD size; 740 741 if (pCreateWellKnownSid) 742 { 743 sidsize = SECURITY_MAX_SID_SIZE; 744 user = HeapAlloc(GetProcessHeap(), 0, sidsize); 745 SetLastError(0xdeadbeef); 746 pCreateWellKnownSid(WinInteractiveSid, NULL, user, &sidsize); 747 sidavailable = TRUE; 748 } 749 else 750 { 751 win_skip("Skipping some SID related tests\n"); 752 sidavailable = FALSE; 753 user = NULL; 754 } 755 756 /* Write an event with an incorrect event type. This will fail on Windows 7 757 * but succeed on all others, hence it's not part of the struct. 758 */ 759 handle = OpenEventLogA(NULL, eventlogname); 760 if (!handle) 761 { 762 /* Intermittently seen on NT4 when tests are run immediately after boot */ 763 win_skip("Could not get a handle to the eventlog\n"); 764 goto cleanup; 765 } 766 767 count = 0xdeadbeef; 768 GetNumberOfEventLogRecords(handle, &count); 769 if (count != 0) 770 { 771 /* Needed for W2K3 without a service pack */ 772 win_skip("We most likely opened the Application eventlog\n"); 773 CloseEventLog(handle); 774 Sleep(2000); 775 776 handle = OpenEventLogA(NULL, eventlogname); 777 count = 0xdeadbeef; 778 GetNumberOfEventLogRecords(handle, &count); 779 if (count != 0) 780 { 781 win_skip("We didn't open our new eventlog\n"); 782 CloseEventLog(handle); 783 goto cleanup; 784 } 785 } 786 787 SetLastError(0xdeadbeef); 788 ret = ReportEventA(handle, 0x20, 0, 0, NULL, 0, 0, NULL, NULL); 789 if (!ret && GetLastError() == ERROR_CRC) 790 { 791 win_skip("Win7 fails when using incorrect event types\n"); 792 ret = ReportEventA(handle, 0, 0, 0, NULL, 0, 0, NULL, NULL); 793 ok(ret, "Expected success : %d\n", GetLastError()); 794 } 795 else 796 { 797 void *buf; 798 DWORD read, needed = 0; 799 EVENTLOGRECORD *record; 800 801 ok(ret, "Expected success : %d\n", GetLastError()); 802 803 /* Needed to catch earlier Vista (with no 
ServicePack for example) */ 804 buf = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD)); 805 if (!(ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 806 0, buf, sizeof(EVENTLOGRECORD), &read, &needed)) && 807 GetLastError() == ERROR_INSUFFICIENT_BUFFER) 808 { 809 buf = HeapReAlloc(GetProcessHeap(), 0, buf, needed); 810 ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 811 0, buf, needed, &read, &needed); 812 } 813 if (ret) 814 { 815 record = (EVENTLOGRECORD *)buf; 816 817 /* Vista and W2K8 return EVENTLOG_SUCCESS, Windows versions before return 818 * the written eventtype (0x20 in this case). 819 */ 820 if (record->EventType == EVENTLOG_SUCCESS) 821 on_vista = TRUE; 822 } 823 HeapFree(GetProcessHeap(), 0, buf); 824 } 825 826 /* This will clear the eventlog. The record numbering for new 827 * events however differs on Vista SP1+. Before Vista the first 828 * event would be numbered 1, on Vista SP1+ it's higher as we already 829 * had at least one event (more in case of multiple test runs without 830 * a reboot). 831 */ 832 ClearEventLogA(handle, NULL); 833 CloseEventLog(handle); 834 835 /* Write a bunch of events while using different event sources */ 836 for (i = 0; i < sizeof(read_write)/sizeof(read_write[0]); i++) 837 { 838 DWORD oldest; 839 BOOL run_sidtests = read_write[i].evt_sid & sidavailable; 840 841 /* We don't need to use RegisterEventSource to report events */ 842 if (i % 2) 843 handle = OpenEventLogA(NULL, read_write[i].evt_src); 844 else 845 handle = RegisterEventSourceA(NULL, read_write[i].evt_src); 846 ok(handle != NULL, "Expected a handle\n"); 847 848 SetLastError(0xdeadbeef); 849 ret = ReportEventA(handle, read_write[i].evt_type, read_write[i].evt_cat, 850 read_write[i].evt_id, run_sidtests ? 
user : NULL, 851 read_write[i].evt_numstrings, 0, read_write[i].evt_strings, NULL); 852 ok(ret, "Expected ReportEvent success : %d\n", GetLastError()); 853 854 count = 0xdeadbeef; 855 SetLastError(0xdeadbeef); 856 ret = GetNumberOfEventLogRecords(handle, &count); 857 ok(ret, "Expected GetNumberOfEventLogRecords success : %d\n", GetLastError()); 858 todo_wine 859 ok(count == (i + 1), "Expected %d records, got %d\n", i + 1, count); 860 861 oldest = 0xdeadbeef; 862 ret = GetOldestEventLogRecord(handle, &oldest); 863 ok(ret, "Expected GetOldestEventLogRecord success : %d\n", GetLastError()); 864 todo_wine 865 ok(oldest == 1 || 866 (oldest > 1 && oldest != 0xdeadbeef), /* Vista SP1+, W2K8 and Win7 */ 867 "Expected oldest to be 1 or higher, got %d\n", oldest); 868 if (oldest > 1 && oldest != 0xdeadbeef) 869 on_vista = TRUE; 870 871 SetLastError(0xdeadbeef); 872 if (i % 2) 873 ret = CloseEventLog(handle); 874 else 875 ret = DeregisterEventSource(handle); 876 ok(ret, "Expected success : %d\n", GetLastError()); 877 } 878 879 handle = OpenEventLogA(NULL, eventlogname); 880 count = 0xdeadbeef; 881 ret = GetNumberOfEventLogRecords(handle, &count); 882 ok(ret, "Expected success\n"); 883 todo_wine 884 ok(count == i, "Expected %d records, got %d\n", i, count); 885 CloseEventLog(handle); 886 887 if (count == 0) 888 { 889 skip("No events were written to the eventlog\n"); 890 goto cleanup; 891 } 892 893 /* Report only once */ 894 if (on_vista) 895 skip("There is no DWORD alignment enforced for UserSid on Vista, W2K8 or Win7\n"); 896 897 if (on_vista && pGetComputerNameExA) 898 { 899 /* New Vista+ behavior */ 900 size = 0; 901 SetLastError(0xdeadbeef); 902 pGetComputerNameExA(ComputerNameDnsFullyQualified, NULL, &size); 903 localcomputer = HeapAlloc(GetProcessHeap(), 0, size); 904 pGetComputerNameExA(ComputerNameDnsFullyQualified, localcomputer, &size); 905 } 906 else 907 { 908 size = MAX_COMPUTERNAME_LENGTH + 1; 909 localcomputer = HeapAlloc(GetProcessHeap(), 0, size); 910 
GetComputerNameA(localcomputer, &size); 911 } 912 913 /* Read all events from our created eventlog, one by one */ 914 handle = OpenEventLogA(NULL, eventlogname); 915 ok(handle != NULL, "Failed to open Event Log, got %d\n", GetLastError()); 916 i = 0; 917 for (;;) 918 { 919 void *buf; 920 DWORD read, needed; 921 EVENTLOGRECORD *record; 922 char *sourcename, *computername; 923 int k; 924 char *ptr; 925 BOOL run_sidtests = read_write[i].evt_sid & sidavailable; 926 927 buf = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD)); 928 SetLastError(0xdeadbeef); 929 ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 930 0, buf, sizeof(EVENTLOGRECORD), &read, &needed); 931 ok(!ret, "Expected failure\n"); 932 if (!ret && GetLastError() != ERROR_INSUFFICIENT_BUFFER) 933 { 934 HeapFree(GetProcessHeap(), 0, buf); 935 ok(GetLastError() == ERROR_HANDLE_EOF, "record %d, got %d\n", i, GetLastError()); 936 break; 937 } 938 939 buf = HeapReAlloc(GetProcessHeap(), 0, buf, needed); 940 ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 941 0, buf, needed, &read, &needed); 942 ok(ret, "Expected success: %d\n", GetLastError()); 943 944 record = (EVENTLOGRECORD *)buf; 945 946 ok(record->Length == read, 947 "Expected %d, got %d\n", read, record->Length); 948 ok(record->Reserved == 0x654c664c, 949 "Expected 0x654c664c, got %d\n", record->Reserved); 950 ok(record->RecordNumber == i + 1 || 951 (on_vista && (record->RecordNumber > i + 1)), 952 "Expected %d or higher, got %d\n", i + 1, record->RecordNumber); 953 ok(record->EventID == read_write[i].evt_id, 954 "Expected %d, got %d\n", read_write[i].evt_id, record->EventID); 955 ok(record->EventType == read_write[i].evt_type, 956 "Expected %d, got %d\n", read_write[i].evt_type, record->EventType); 957 ok(record->NumStrings == read_write[i].evt_numstrings, 958 "Expected %d, got %d\n", read_write[i].evt_numstrings, record->NumStrings); 959 ok(record->EventCategory == read_write[i].evt_cat, 
960 "Expected %d, got %d\n", read_write[i].evt_cat, record->EventCategory); 961 962 sourcename = (char *)((BYTE *)buf + sizeof(EVENTLOGRECORD)); 963 ok(!lstrcmpA(sourcename, read_write[i].evt_src), "Expected '%s', got '%s'\n", 964 read_write[i].evt_src, sourcename); 965 966 computername = (char *)((BYTE *)buf + sizeof(EVENTLOGRECORD) + lstrlenA(sourcename) + 1); 967 ok(!lstrcmpiA(computername, localcomputer), "Expected '%s', got '%s'\n", 968 localcomputer, computername); 969 970 /* Before Vista, UserSid was aligned on a DWORD boundary. Next to that if 971 * no padding was actually required a 0 DWORD was still used for padding. No 972 * application should be relying on the padding as we are working with offsets 973 * anyway. 974 */ 975 976 if (!on_vista) 977 { 978 DWORD calculated_sidoffset = sizeof(EVENTLOGRECORD) + lstrlenA(sourcename) + 1 + lstrlenA(computername) + 1; 979 980 /* We are already DWORD aligned, there should still be some padding */ 981 if ((((UINT_PTR)buf + calculated_sidoffset) % sizeof(DWORD)) == 0) 982 ok(*(DWORD *)((BYTE *)buf + calculated_sidoffset) == 0, "Expected 0\n"); 983 984 ok((((UINT_PTR)buf + record->UserSidOffset) % sizeof(DWORD)) == 0, "Expected DWORD alignment\n"); 985 } 986 987 if (run_sidtests) 988 { 989 ok(record->UserSidLength == sidsize, "Expected %d, got %d\n", sidsize, record->UserSidLength); 990 } 991 else 992 { 993 ok(record->StringOffset == record->UserSidOffset, "Expected offsets to be the same\n"); 994 ok(record->UserSidLength == 0, "Expected 0, got %d\n", record->UserSidLength); 995 } 996 997 ok(record->DataLength == 0, "Expected 0, got %d\n", record->DataLength); 998 999 ptr = (char *)((BYTE *)buf + record->StringOffset); 1000 for (k = 0; k < record->NumStrings; k++) 1001 { 1002 ok(!lstrcmpA(ptr, two_strings[k]), "Expected '%s', got '%s'\n", two_strings[k], ptr); 1003 ptr += lstrlenA(ptr) + 1; 1004 } 1005 1006 ok(record->Length == *(DWORD *)((BYTE *)buf + record->Length - sizeof(DWORD)), 1007 "Expected the closing DWORD 
to contain the length of the record\n"); 1008 1009 HeapFree(GetProcessHeap(), 0, buf); 1010 i++; 1011 } 1012 CloseEventLog(handle); 1013 1014 /* Test clearing a real eventlog */ 1015 handle = OpenEventLogA(NULL, eventlogname); 1016 ok(handle != NULL, "Failed to open Event Log, got %d\n", GetLastError()); 1017 1018 SetLastError(0xdeadbeef); 1019 ret = ClearEventLogA(handle, NULL); 1020 ok(ret, "Expected success\n"); 1021 1022 count = 0xdeadbeef; 1023 ret = GetNumberOfEventLogRecords(handle, &count); 1024 ok(ret, "Expected success\n"); 1025 ok(count == 0, "Expected an empty eventlog, got %d records\n", count); 1026 1027 CloseEventLog(handle); 1028 1029 cleanup: 1030 HeapFree(GetProcessHeap(), 0, localcomputer); 1031 HeapFree(GetProcessHeap(), 0, user); 1032 } 1033 1034 /* Before Vista: 1035 * 1036 * Creating an eventlog on Windows (via the registry) automatically leads 1037 * to creation of a REG_MULTI_SZ named 'Sources'. This value lists all the 1038 * potential event sources for this eventlog. 'Sources' is automatically 1039 * updated when a new key (aka event source) is created. 1040 * 1041 * Although the updating of registry keys is almost instantaneously, we 1042 * check it after some other tests to assure we are not querying the 1043 * registry or file system to quickly. 1044 * 1045 * NT4 and higher: 1046 * 1047 * The eventlog file itself is also automatically created, even before we 1048 * start writing events. 
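*/
static char eventlogfile[MAX_PATH];

/*
 * Verify what Windows creates on its own for a new eventlog: the 'Sources'
 * REG_MULTI_SZ under the eventlog's registry key and the eventlog file in
 * the system directory. The path of the file that was probed last is left
 * in 'eventlogfile' for cleanup_eventlog().
 */
static void test_autocreation(void)
{
    HKEY key = NULL, eventkey = NULL;
    DWORD type, size;
    LONG ret;
    int i;
    char *p;
    char sources[sizeof(eventsources)];
    char sysdir[MAX_PATH];
    void *redir = NULL;

    /* Only query 'Sources' when both keys were really opened; a failed
     * RegOpenKeyA must not leave us working with an indeterminate handle.
     */
    ret = RegOpenKeyA(HKEY_LOCAL_MACHINE, eventlogsvc, &key);
    if (ret == ERROR_SUCCESS)
        ret = RegOpenKeyA(key, eventlogname, &eventkey);

    if (ret == ERROR_SUCCESS)
    {
        size = sizeof(sources);
        sources[0] = 0;
        ret = RegQueryValueExA(eventkey, "Sources", NULL, &type, (LPBYTE)sources, &size);
    }

    if (ret == ERROR_SUCCESS)
    {
        char sources_verify[sizeof(eventsources)];

        ok(type == REG_MULTI_SZ, "Expected a REG_MULTI_SZ, got %d\n", type);

        /* Build the expected string: the event sources in reverse order,
         * followed by the eventlog name.
         * NOTE(review): lstrcpyA is unbounded. This assumes that
         * sizeof(eventsources) covers every source name plus eventlogname
         * and the terminators; the declaration is not visible here, confirm.
         */
        memset(sources_verify, 0, sizeof(sources_verify));
        p = sources_verify;
        for (i = sizeof(eventsources)/sizeof(eventsources[0]); i > 0; i--)
        {
            lstrcpyA(p, eventsources[i - 1]);
            p += (lstrlenA(eventsources[i - 1]) + 1);
        }
        lstrcpyA(p, eventlogname);

        /* 'size' was written by RegQueryValueExA for a buffer of
         * sizeof(sources), the same size as sources_verify.
         */
        ok(!memcmp(sources, sources_verify, size),
           "Expected a correct 'Sources' value (size : %d)\n", size);
    }

    if (eventkey)
        RegCloseKey(eventkey);
    if (key)
        RegCloseKey(key);

    /* The directory that holds the eventlog files could be redirected */
    if (pWow64DisableWow64FsRedirection)
        pWow64DisableWow64FsRedirection(&redir);

    /* On Windows we also automatically get an eventlog file.
     * NOTE(review): the result of GetSystemDirectoryA is not checked and the
     * lstrcatA calls below are unbounded; both buffers are MAX_PATH, so this
     * relies on the system directory path being short.
     */
    GetSystemDirectoryA(sysdir, sizeof(sysdir));

    /* NT4 - W2K3 */
    lstrcpyA(eventlogfile, sysdir);
    lstrcatA(eventlogfile, "\\config\\");
    lstrcatA(eventlogfile, eventlogname);
    lstrcatA(eventlogfile, ".evt");

    if (GetFileAttributesA(eventlogfile) == INVALID_FILE_ATTRIBUTES)
    {
        /* Vista+ */
        lstrcpyA(eventlogfile, sysdir);
        lstrcatA(eventlogfile, "\\winevt\\Logs\\");
        lstrcatA(eventlogfile, eventlogname);
        lstrcatA(eventlogfile, ".evtx");
    }

    todo_wine
    ok(GetFileAttributesA(eventlogfile) != INVALID_FILE_ATTRIBUTES,
       "Expected an eventlog file\n");

    if (pWow64RevertWow64FsRedirection)
        pWow64RevertWow64FsRedirection(redir);
}

/*
 * Remove what the functional tests left behind: the registry tree of the
 * test eventlog and, at the next reboot, the eventlog file whose path is
 * held in 'eventlogfile'.
 */
static void cleanup_eventlog(void)
{
    BOOL bret;
    LONG lret;
    HKEY key;
    DWORD i;
    char winesvc[MAX_PATH];

    /* Delete the registry tree */
    lstrcpyA(winesvc, eventlogsvc);
    lstrcatA(winesvc, "\\");
    lstrcatA(winesvc, eventlogname);

    /* 'key' is only valid when the open succeeded; if it failed, the
     * RegDeleteKeyA below still runs and reports the problem.
     */
    lret = RegOpenKeyA(HKEY_LOCAL_MACHINE, winesvc, &key);
    if (lret == ERROR_SUCCESS)
    {
        for (i = 0; i < sizeof(eventsources)/sizeof(eventsources[0]); i++)
            RegDeleteKeyA(key, eventsources[i]);
        RegDeleteValueA(key, "Sources");
        RegCloseKey(key);
    }
    lret = RegDeleteKeyA(HKEY_LOCAL_MACHINE, winesvc);
    ok(lret == ERROR_SUCCESS, "Could not delete the registry tree : %d\n", lret);

    /* A handle to the eventlog is locked by services.exe. We can only
     * delete the eventlog file after reboot.
     */
    bret = MoveFileExA(eventlogfile, NULL, MOVEFILE_DELAY_UNTIL_REBOOT);
    ok(bret, "Expected MoveFileEx to succeed: %d\n", GetLastError());
}

/*
 * Parameter validation tests for StartTraceA, followed by one real session
 * start (skipped without admin rights) and a second start under the same
 * session name.
 */
static void test_start_trace(void)
{
    const char sessionname[] = "wine";
    const char filepath[] = "wine.etl";
    const char filepath2[] = "eniw.etl";
    EVENT_TRACE_PROPERTIES *properties;
    TRACEHANDLE handle;
    LONG buffersize;
    LONG ret;

    /* Layout: the properties structure, then the logger name, then the
     * log file name.
     */
    buffersize = sizeof(EVENT_TRACE_PROPERTIES) + sizeof(sessionname) + sizeof(filepath);
    properties = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, buffersize);
    if (!properties)
    {
        skip("out of memory\n");
        return;
    }
    properties->Wnode.BufferSize = buffersize;
    properties->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
    properties->LogFileMode = EVENT_TRACE_FILE_MODE_NONE;
    properties->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
    properties->LogFileNameOffset = sizeof(EVENT_TRACE_PROPERTIES) + sizeof(sessionname);
    strcpy((char *)properties + properties->LogFileNameOffset, filepath);

    /* A zero buffer size */
    properties->Wnode.BufferSize = 0;
    ret = StartTraceA(&handle, sessionname, properties);
    todo_wine
    ok(ret == ERROR_BAD_LENGTH ||
       ret == ERROR_INVALID_PARAMETER, /* XP and 2k3 */
       "Expected ERROR_BAD_LENGTH, got %d\n", ret);
    properties->Wnode.BufferSize = buffersize;

    /* A session name longer than the sizeof(sessionname) bytes reserved
     * between LoggerNameOffset and LogFileNameOffset.
     */
    ret = StartTraceA(&handle, "this name is too long", properties);
    todo_wine
    ok(ret == ERROR_BAD_LENGTH, "Expected ERROR_BAD_LENGTH, got %d\n", ret);

    ret = StartTraceA(&handle, sessionname, NULL);
    todo_wine
    ok(ret == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", ret);

    ret = StartTraceA(NULL, sessionname, properties);
    todo_wine
    ok(ret == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", ret);

    /* Offsets that point into the structure itself */
    properties->LogFileNameOffset = 1;
    ret = StartTraceA(&handle, sessionname, properties);
    todo_wine
    ok(ret == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", ret);
    properties->LogFileNameOffset = sizeof(EVENT_TRACE_PROPERTIES) + sizeof(sessionname);

    properties->LoggerNameOffset = 1;
    ret = StartTraceA(&handle, sessionname, properties);
    todo_wine
    ok(ret == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", ret);
    properties->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);

    /* Two file modes requested at once */
    properties->LogFileMode = EVENT_TRACE_FILE_MODE_SEQUENTIAL | EVENT_TRACE_FILE_MODE_CIRCULAR;
    ret = StartTraceA(&handle, sessionname, properties);
    todo_wine
    ok(ret == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", ret);
    properties->LogFileMode = EVENT_TRACE_FILE_MODE_NONE;
    /* XP creates a file we can't delete, so change the filepath to something else.
     * filepath2 has the same length as filepath, so it fits the space that
     * buffersize reserved for the log file name.
     */
    strcpy((char *)properties + properties->LogFileNameOffset, filepath2);

    properties->Wnode.Guid = SystemTraceControlGuid;
    ret = StartTraceA(&handle, sessionname, properties);
    todo_wine
    ok(ret == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", ret);
    memset(&properties->Wnode.Guid, 0, sizeof(properties->Wnode.Guid));

    properties->LogFileNameOffset = 0;
    ret = StartTraceA(&handle, sessionname, properties);
    todo_wine
    ok(ret == ERROR_BAD_PATHNAME, "Expected ERROR_BAD_PATHNAME, got %d\n", ret);
    properties->LogFileNameOffset = sizeof(EVENT_TRACE_PROPERTIES) + sizeof(sessionname);

    /* Valid parameters from here on */
    ret = StartTraceA(&handle, sessionname, properties);
    if (ret == ERROR_ACCESS_DENIED)
    {
        skip("need admin rights\n");
        goto done;
    }
    ok(ret == ERROR_SUCCESS, "Expected success, got %d\n", ret);

    /* Starting the same session a second time */
    ret = StartTraceA(&handle, sessionname, properties);
    todo_wine
    ok(ret == ERROR_ALREADY_EXISTS ||
       ret == ERROR_SHARING_VIOLATION, /* 2k3 */
       "Expected ERROR_ALREADY_EXISTS, got %d\n", ret);

    /* clean up */
    ControlTraceA(handle, sessionname, properties, EVENT_TRACE_CONTROL_STOP);
done:
    HeapFree(GetProcessHeap(), 0, properties);
    DeleteFileA(filepath);
    /* The calls made after the rename name filepath2 as the log file, so
     * remove that one as well; DeleteFileA just fails if it was never created.
     */
    DeleteFileA(filepath2);
}

/*
 * Test entry point. Everything is skipped when the event log functions are
 * not implemented. The functional tests only run when create_new_eventlog()
 * reports success, and cleanup_eventlog() then removes what they created.
 */
START_TEST(eventlog)
{
    /* Probe with an invalid handle to find out whether the API is implemented */
    SetLastError(0xdeadbeef);
    CloseEventLog(NULL);
    if (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
    {
        win_skip("Event log functions are not implemented\n");
        return;
    }

    init_function_pointers();

    /* Parameters only */
    test_open_close();
    test_info();
    test_count();
    test_oldest();
    test_backup();
    test_openbackup();
    test_read();
    test_clear();

    /* Functional tests */
    if (create_new_eventlog())
    {
        test_readwrite();
        test_autocreation();
        cleanup_eventlog();
    }

    /* Trace tests */
    test_start_trace();
}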