WindowsNT Event Log Viewer

#include "EventLogThreads.h"
#include "_Constants.h"
#include "_GlobalVars.h"
#include "_Utils.h"
#include "SysMain.h"
#include "resource.h"
#include <ctype.h>

#define MAX_MSG_LENGTH 1024

unsigned int __stdcall 
FillEventLogList(LPVOID lpParam)
{
	EVENTLOGFILTER *pelf = 0;
	int nRetVal = 0;
	HWND hParentWnd = 0, hwndDlg = 0, hwndLV = 0, hwndProgr = 0;
	HANDLE hEventLog = 0;
	DWORD dwEventLogRecords = 0, dwOldestEventLogRecord = 0, dwEvLogCounter = 0, dwNumberOfBytesToRead = 0, 
		dwBytesRead = 0, dwMinNumberOfBytesNeeded = 0, dwCancel = 0, dwClose = 0;
	LPVOID lpEventLogRecordBuffer = 0;
	TCHAR chFakeBuffer;
	BOOL bRetVal = FALSE;
	BOOL fExit = FALSE;
	UINT uStep = 0, uStepAt = 0, uPos = 0, uOffset = 0;
	TCHAR lpUNCServerName[_MAX_PATH + 1], lpszEventLogSourceName[_MAX_PATH + 1], lpszErrMsg[1024];

	// get thread parameter structure address...
	pelf = (EVENTLOGFILTER *)lpParam;
	// ...and retrieve the appropriate handles
	hwndDlg	= pelf->hwndDlg;
	hwndLV	= pelf->hwndLV;
	hwndProgr = pelf->hwndProgr;

	// get parent window...
	hParentWnd = GetParent(hwndDlg);
	// ...and set user data to 1 (the window has thread running) - will be reset to 0 when thread will terminate
	SetWindowLong(hParentWnd, GWL_USERDATA, (LONG)pelf); 

	// resize dialog
	MDIChild_ResizeDlg(hwndDlg, TRUE);

	// format UNC machine name to work with
	wsprintf(lpUNCServerName, _T("\\\\%s"), pelf->lpszComputerName);

	// establish what kind of event log section will show the list
	if(g_fApplication)
		_tcscpy(lpszEventLogSourceName, _T("Application"));				//	APPLICATION
	else if(g_fSystem)
		_tcscpy(lpszEventLogSourceName, _T("System"));					//	SYSTEM
	else if(g_fSecurity)
		_tcscpy(lpszEventLogSourceName, _T("Security"));				//	SECURITY
	else if(g_fCustom)
		_tcscpy(lpszEventLogSourceName, pelf->lpszCustomEventFileName);	//	CUSTOM
	else
	{
		nRetVal = -1;
		goto _cleanup_;
	}

	dwCancel = WaitForSingleObject(pelf->hCancelEvent, 0);
	dwClose = WaitForSingleObject(pelf->hCloseEvent, 0);
	while(!fExit)
	{
		if(g_fCustom)
			hEventLog = OpenBackupEventLog((LPCTSTR)lpUNCServerName, (LPCTSTR)lpszEventLogSourceName);
		else
			hEventLog = OpenEventLog((LPCTSTR)lpUNCServerName, (LPCTSTR)lpszEventLogSourceName);

		if(hEventLog)
		{
			if(GetNumberOfEventLogRecords(hEventLog, &dwEventLogRecords) && 
				GetOldestEventLogRecord(hEventLog, &dwOldestEventLogRecord))
			{
				SendMessage(hwndProgr, PBM_SETRANGE, (WPARAM)0, (LPARAM)MAKELPARAM(0, 100));
				uStepAt = (dwEventLogRecords / 100) + 1;

				for(dwEvLogCounter = dwOldestEventLogRecord; 
					dwEvLogCounter < (dwOldestEventLogRecord + dwEventLogRecords); 
					dwEvLogCounter++)
				{
					uStep++;
					if(uStep % uStepAt == 0)
						hwndProgr && SendMessage(hwndProgr, PBM_SETPOS, (WPARAM)++uPos, 0);

					dwCancel = WaitForSingleObject(pelf->hCancelEvent, 0);
					if(dwCancel == WAIT_OBJECT_0)
						goto _canceled_;
					dwClose = WaitForSingleObject(pelf->hCloseEvent, 0);
					if(dwClose == WAIT_OBJECT_0)
						goto _close_;

					lpEventLogRecordBuffer		= (LPVOID)&chFakeBuffer;
					dwNumberOfBytesToRead		= 1;
					dwMinNumberOfBytesNeeded	= 1;

	_retry_:
					bRetVal = ReadEventLog(hEventLog, EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ, dwEvLogCounter, 
						lpEventLogRecordBuffer, dwNumberOfBytesToRead, &dwBytesRead, &dwMinNumberOfBytesNeeded);

					if(!bRetVal)
					{
						g_dwLastError = GetLastError();

						if(g_dwLastError == ERROR_INSUFFICIENT_BUFFER)
						{
							lpEventLogRecordBuffer = (LPVOID)GlobalAlloc(GPTR, dwMinNumberOfBytesNeeded);
							if(lpEventLogRecordBuffer == (void *)0)
								goto _allocationfailure_;

							dwNumberOfBytesToRead = dwMinNumberOfBytesNeeded;
							goto _retry_;
						}
						else
							goto _unknownerror_;
					}
					else
					{
						PEVENTLOGRECORD pELR = 0;
						TCHAR *lpszSourceName = 0, lpszUserName[_MAX_PATH + 1], *lpszComputerName = 0,
							lpszRefDomainName[_MAX_PATH + 1], *szSIDType = 0, *szSIDName = 0, sz2[32],
							*szExpandedString = 0, szSubmitTime[32], szWriteTime[32];
						DWORD dwSourceNameLen = 0, dwComputerNameLen = 0, cbName = _MAX_PATH + 1, 
							cbRefDomainName = _MAX_PATH + 1, dwSIDTypeLen = 0, dwSidSize = 0, dwEventTypeLen = 0;
						PSID pUserSID = 0;
						SID_NAME_USE _SidNameUse = (SID_NAME_USE)(SidTypeUser - 1);
						BOOL bRetVal = FALSE;
						LPBYTE pStrings = 0, pData = 0;
						UINT x = 0, uSize, uStringOffset, uStepOfString = 0, uImage = 0;

						pELR	= (PEVENTLOGRECORD)lpEventLogRecordBuffer;

						uOffset	= sizeof(EVENTLOGRECORD);
						lpszSourceName = (TCHAR *)GlobalAlloc(GPTR, (_MAX_PATH + 1) * sizeof(TCHAR));
						strcpy(lpszSourceName, (LPTSTR)((LPBYTE)pELR + uOffset));
						dwSourceNameLen = strlen(lpszSourceName);

						uOffset	+= strlen(lpszSourceName) + sizeof(TCHAR);
						lpszComputerName = (TCHAR *)GlobalAlloc(GPTR, (_MAX_PATH + 1) * sizeof(TCHAR));
						strcpy(lpszComputerName, (LPTSTR)((LPBYTE)pELR + uOffset));
						dwComputerNameLen = strlen(lpszComputerName);

						uOffset += strlen(lpszComputerName) + sizeof(TCHAR);

						dwSIDTypeLen = 32;
						szSIDType = (TCHAR *)GlobalAlloc(GPTR, (dwSIDTypeLen + 1) * sizeof(TCHAR));

						if(pELR->UserSidLength > 0)
						{
							pUserSID = (SID *)GlobalAlloc(GPTR, pELR->UserSidLength);
							memcpy(pUserSID, (PSID)((LPBYTE)pELR + pELR->UserSidOffset), pELR->UserSidLength);
							
							cbName = cbRefDomainName = _MAX_PATH + 1;
							*lpszRefDomainName = *lpszUserName = '\0';

							bRetVal = LookupAccountSid(0, pUserSID, 
								lpszUserName, &cbName, 
								lpszRefDomainName, &cbRefDomainName, 
								&_SidNameUse);

							if(bRetVal)
							{
								if(bRetVal)
								{
									dwSIDTypeLen = 32;
									GetNameUse(_SidNameUse, szSIDType, &dwSIDTypeLen);

									dwSidSize = (15 + 12 + (12 * (*GetSidSubAuthorityCount(pUserSID))) + 1) * sizeof(TCHAR);
									szSIDName = (TCHAR *)GlobalAlloc(GPTR, (dwSidSize + 1) * sizeof(TCHAR));
									ConvertSid(pUserSID, szSIDName, &dwSidSize); 
								}
								else
								{
									strcpy(lpszRefDomainName, "N/A");
									strcpy(lpszUserName, "N/A");
									strcpy(szSIDType, "N/A");
								}
							}
							else
							{
							}
						}
						else
						{
							strcpy(lpszRefDomainName, "N/A");
							strcpy(lpszUserName, "N/A");
							strcpy(szSIDType, "N/A");
						}

						uSize = 0, uStringOffset = pELR->StringOffset;
						uSize = pELR->DataOffset - pELR->StringOffset;

						// Strings
						if(uSize > 0)
						{
							pStrings = (LPBYTE)GlobalAlloc(GPTR, uSize * sizeof(BYTE));
							memcpy(pStrings, (LPBYTE)pELR + uStringOffset, uSize);

							//	Strings
							uStepOfString = 0;
							szExpandedString = (TCHAR *)GlobalAlloc(GPTR, (uSize + MAX_MSG_LENGTH) * sizeof(TCHAR));
							for(x = 0; x < pELR->NumStrings; x++)
							{
								if(x == 0)
								{
									strcpy(szExpandedString, (TCHAR *)pStrings + uStepOfString);
									if(x < (UINT)pELR->NumStrings - 1)
										strcat(szExpandedString, ",");
								}
								else
									strcat(szExpandedString, (TCHAR *)pStrings + uStepOfString);

								uStepOfString = strlen((TCHAR *)pStrings + uStepOfString) + 1;
							}
						}

						//	Data
						pData = (LPBYTE)GlobalAlloc(GPTR, pELR->DataLength * sizeof(BYTE));
						memcpy(pData, (LPBYTE)((LPBYTE)pELR + pELR->DataOffset), pELR->DataLength);

						dwEventTypeLen = 32;
						GetEventLogType(sz2, pELR->EventType, &dwEventTypeLen);
						GetEventLogImage(&uImage, pELR->EventType);

						lstrcpyn(szSubmitTime, asctime(localtime((time_t *)&(pELR->TimeGenerated))), 25);
						lstrcpyn(szWriteTime, asctime(localtime((time_t *)&(pELR->TimeWritten))), 25);

						InsertRowInList(hwndLV, 9, &dwEvLogCounter, 
							lpszSourceName, 
							lpszUserName, 
							szSIDName, 
							lpszRefDomainName, 
							sz2, uImage, 
							szSubmitTime, szWriteTime);

						SafeDeletePointer(pData, pELR->DataLength);
						SafeDeletePointer(szExpandedString, uSize); 
						SafeDeletePointer(pStrings, pELR->DataOffset - pELR->StringOffset);
						SafeDeletePointer(szSIDName, dwSidSize + 1);
						SafeDeletePointer(szSIDType, dwSIDTypeLen + 1);
						SafeDeletePointer(lpszSourceName, dwSourceNameLen);
						SafeDeletePointer(lpszComputerName, dwComputerNameLen);
						SafeDeletePointer(pUserSID, pELR->UserSidLength);
						SafeDeletePointer(lpEventLogRecordBuffer, dwNumberOfBytesToRead);
					}
				}

				goto _cleanup_;
			}
			else
				ReportLastError(0, 0, TRUE);

	_unknownerror_:
			ReportLastError(lpszErrMsg, 0, TRUE);
			goto _cleanup_;

	_allocationfailure_:
			LoadString(g_hInstance, IDS_ERR_ALLOCATIONFAILURE, lpszErrMsg, 1024);
			MessageBox(0, lpszErrMsg, 0, MB_OK | MB_ICONSTOP);
			goto _cleanup_;

	_canceled_:
			nRetVal = 1;
			goto _cleanup_;

	_close_:
			nRetVal = 2;
			goto _cleanup_;

	_cleanup_:
			fExit = TRUE;

			CloseEventLog(hEventLog);
			hEventLog = 0;
		}
		else
		{
			fExit = TRUE;
			ReportLastError(0, 0, TRUE);
		}
	}

	// final cleanup on dialog
	if(nRetVal != 2)
	{
		if(IsWindow(hwndDlg))
			MDIChild_ResizeDlg(hwndDlg, FALSE);
		if(IsWindow(hParentWnd))
			SetWindowLong(hParentWnd, GWL_USERDATA, (LONG)0);
	}

	CloseHandle(pelf->hCancelEvent);
	CloseHandle(pelf->hCloseEvent);

	GlobalFree(pelf);
	pelf = 0;

	return nRetVal;
}

int CALLBACK 
CompareItems(LPARAM lParam1, LPARAM lParam2, LPARAM lParamSort)
{
	int nIdx1	= (int)lParam1;
	int nIdx2	= (int)lParam2;
	
	int nRetVal = 0;
	
	DLGSORTDATA *pSortData	= (DLGSORTDATA *)lParamSort;
	
	HWND hDlg	= (HWND)(pSortData->hDlg);
	HWND hwndLV = (HWND)(GetDlgItem(hDlg, IDL_EVENTS));
	
	int nSubItemColIdx		= pSortData->nColIdx;
	int nSortOrder			= pSortData->nSortOrder;
	int nSortType			= pSortData->nSortType;

	TCHAR lpsz1[_MAX_PATH + 1], lpsz2[_MAX_PATH + 1];

	ListView_GetItemText(hwndLV, nIdx1, nSubItemColIdx, lpsz1, _MAX_PATH + 1);
	ListView_GetItemText(hwndLV, nIdx2, nSubItemColIdx, lpsz2, _MAX_PATH + 1);

	if(nSortOrder == ASCENDING)
	{
		if(nSortType == STRING)
			nRetVal = _tcsicmp(lpsz1, lpsz2);
		else if(nSortType == NUMERIC)
		{
			int n1 = atoi(lpsz1), n2 = atoi(lpsz2);
			nRetVal = n1 < n2 ? -1 : n1 == n2 ? 0 : 1;
		}
		else
			nRetVal = 0;
	}
	else if(nSortOrder == DESCENDING)
	{
		if(nSortType == STRING)
			nRetVal = -1 * _tcsicmp(lpsz1, lpsz2);
		else if(nSortType == NUMERIC)
		{
			int n1 = atoi(lpsz1), n2 = atoi(lpsz2);
			nRetVal = (n1 < n2) ? 1 : ((n1 == n2) ? 0 : -1);
		}
		else
			nRetVal = 0;
	}
	else
		nRetVal = 0; // none

	return nRetVal;
}

unsigned int __stdcall 
ShowEventData(LPVOID lpParam)
{
	LPEVENTID peid = (LPEVENTID)lpParam;

//	if(pdt->pDlg->m_strSource.IsEmpty())
//	{
//		LocalFree(pdt);
//		return 0L;
//	}

	int   nRetVal = 0;

	HWND  hwndDlg			= peid->hwndDlg;
	HWND  hwndEditStrings	= GetDlgItem(hwndDlg, IDE_STRINGS);
	HWND  hwndEditData		= GetDlgItem(hwndDlg, IDE_DATA);
	DWORD dwRecId			= peid->dwEventId;

	TCHAR  lpUNCServerName[_MAX_PATH + 1];
	TCHAR  lpSourceName[_MAX_PATH + 1];

	HANDLE  hEventLog				= 0;
	
	DWORD  dwEventLogRecords		= 0;
	DWORD  dwOldestEventLogRecord	= 0;
	DWORD  dwEvLogCounter			= 0;

	LPVOID lpEventLogRecordBuffer	= 0;
	char   chFakeBuffer				= ' ';
	DWORD  dwNumberOfBytesToRead	= 0;
	DWORD  dwBytesRead				= 0;
	DWORD  dwMinNumberOfBytesNeeded	= 0;
	BOOL    bRetVal					= FALSE;
	TCHAR	lpszEventLogSourceName[_MAX_PATH + 1];

	wsprintf(lpUNCServerName, _T("\\\\%s"), peid->lpszMachineName);
	wsprintf(lpSourceName, _T("%s"), peid->lpszEventName);

	if(g_fApplication)
		_tcscpy(lpszEventLogSourceName, _T("Application"));
	else if(g_fSystem)
		_tcscpy(lpszEventLogSourceName, _T("System"));
	else if(g_fSecurity)
		_tcscpy(lpszEventLogSourceName, _T("Security"));
//	else if(g_fCustom)
//		_tcscpy(lpszEventLogSourceName, _T("Application"));
	else
	{
		nRetVal = -1;
		goto _cleanup_;
	}

	hEventLog = OpenEventLog((LPCTSTR)lpUNCServerName, (LPCTSTR)lpszEventLogSourceName);
	if(hEventLog)
	{
		if(GetNumberOfEventLogRecords(hEventLog, &dwEventLogRecords) && 
			GetOldestEventLogRecord(hEventLog, &dwOldestEventLogRecord))
		{
			for(dwEvLogCounter = dwOldestEventLogRecord; 
				dwEvLogCounter <= (dwOldestEventLogRecord + dwEventLogRecords); 
				dwEvLogCounter++)
			{
				if(dwEvLogCounter != dwRecId)
					continue;

				lpEventLogRecordBuffer		= (LPVOID)&chFakeBuffer;
				dwNumberOfBytesToRead		= 1;
				dwMinNumberOfBytesNeeded	= 0;

_retry_:
				bRetVal = ReadEventLog(hEventLog, EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ, dwEvLogCounter, 
					lpEventLogRecordBuffer, dwNumberOfBytesToRead, &dwBytesRead, &dwMinNumberOfBytesNeeded);

				if(!bRetVal)
				{
					g_dwLastError = GetLastError();

					if(g_dwLastError == ERROR_INSUFFICIENT_BUFFER)
					{
						lpEventLogRecordBuffer = (LPVOID)GlobalAlloc(GPTR, dwMinNumberOfBytesNeeded);
						if(lpEventLogRecordBuffer == (void *)0)
							goto _allocationfailure_;

						dwNumberOfBytesToRead = dwMinNumberOfBytesNeeded;
						goto _retry_;
					}
					else
						goto _unknownerror_;
				}
				else
				{
					PEVENTLOGRECORD pELR = 0;
					LPBYTE			pData = 0;
					HMODULE hModule = 0;
					TCHAR szExeFile[_MAX_PATH + 1], szExeFilePath[_MAX_PATH + 1];
					HKEY   hk						= (HKEY)0;
					TCHAR  szKeyName[_MAX_PATH + 1];
					DWORD dwMaxPath;
					DWORD dwType;
					LPBYTE			pStrings = 0;
					UINT uStringOffset;
					TCHAR *szExpandedString;
					LPVOID lpszBuffer = 0;
					
					pELR	= (PEVENTLOGRECORD)lpEventLogRecordBuffer;

					pData = (LPBYTE)GlobalAlloc(GPTR, pELR->DataLength * sizeof(BYTE));
					memcpy(pData, (LPBYTE)((LPBYTE)pELR + pELR->DataOffset), pELR->DataLength);

					{
						UINT x, uStepOfString = 0;

						pStrings = (LPBYTE)GlobalAlloc(GPTR, pELR->DataOffset - pELR->StringOffset * sizeof(BYTE));
						memcpy(pStrings, (LPBYTE)pELR + pELR->StringOffset, pELR->DataOffset - pELR->StringOffset);

						szExpandedString = (TCHAR *)GlobalAlloc(GPTR, (pELR->DataOffset - pELR->StringOffset + 1024) * sizeof(TCHAR));
						for(x = 0; x < pELR->NumStrings; x++)
						{
							if(x == 0)
							{
								strcpy(szExpandedString, (TCHAR *)pStrings + uStepOfString);
								if(x < (UINT)pELR->NumStrings - 1)
									strcat(szExpandedString, ",");
							}
							else
								strcat(szExpandedString, (TCHAR *)pStrings + uStepOfString);

							uStepOfString = strlen((TCHAR *)pStrings + uStepOfString) + 1;
						}

						wsprintf(szKeyName, _T("SYSTEM\\CurrentControlSet\\Services\\EventLog\\%s\\%s"), 
							lpszEventLogSourceName, peid->lpszEventName);
						if(RegOpenKeyEx(HKEY_LOCAL_MACHINE, szKeyName, 0L, KEY_READ, &hk) == NOERROR)
						{
							dwMaxPath = _MAX_PATH + 1;
							if(RegQueryValueEx(hk, _T("EventMessageFile"), 0, &dwType, (LPBYTE)szExeFile, &dwMaxPath) == NOERROR)
							{
								if(ExpandEnvironmentStrings(szExeFile, szExeFilePath, _MAX_PATH + 1) == 0)
									strcpy(szExeFilePath, szExeFile);

								hModule = LoadLibraryEx(szExeFilePath, 0, DONT_RESOLVE_DLL_REFERENCES);
								if(hModule)
								{
									TCHAR **_sz = (TCHAR**)GlobalAlloc(GPTR, (pELR->NumStrings) * sizeof(TCHAR *));
									register UINT z;

									uStringOffset = 0;
									for(z = 0; z < pELR->NumStrings; z++)
									{
										_sz[z] = (TCHAR *)GlobalAlloc(GPTR, 
											(strlen((TCHAR *)pStrings + uStringOffset) + 1) * sizeof(TCHAR));
										strcpy(_sz[z], (TCHAR *)pStrings + uStringOffset);

										uStringOffset += strlen((TCHAR *)pStrings + uStringOffset) + 1;
									}

									FormatMessage(
										FORMAT_MESSAGE_ALLOCATE_BUFFER | 
										FORMAT_MESSAGE_FROM_HMODULE | 
										FORMAT_MESSAGE_FROM_SYSTEM | 
										FORMAT_MESSAGE_ARGUMENT_ARRAY,
										hModule, pELR->EventID, 0, (LPTSTR)&lpszBuffer, 1024, 
										_sz
									);

									for(z = 0; z < pELR->NumStrings; z++)
									{
										SafeDeletePointer(_sz[z], strlen(_sz[z]));
										_sz[z] = 0;
									}
									SafeDeletePointer(_sz, (pELR->NumStrings) * sizeof(TCHAR *));
									_sz = 0;

									if(lpszBuffer)
									{
										strcpy(szExpandedString, (TCHAR *)lpszBuffer);
										uStringOffset = strlen(szExpandedString);
									}

									if(lpszBuffer)
										LocalFree(lpszBuffer);

									FreeLibrary(hModule);
								}
							}						
							RegCloseKey(hk);
						}

						SendMessage(hwndEditStrings, WM_SETTEXT, 0, (LPARAM)(LPCTSTR)szExpandedString);

						SafeDeletePointer(szExpandedString, strlen(szExpandedString));
					}

					{
						TCHAR _str[1024];
						_tcscpy(_str, _T(""));
						if(pELR->DataLength > 0)
						{
							register UINT x;

							for(x = 0; x < pELR->DataLength; x += 8)
							{
								TCHAR _strAux[1024];
								register UINT y;

								wsprintf(_strAux, "%.4x: ", x);
								_tcscat(_str, _strAux);

								for(y = x; y < x + 8; y++)
								{
									wsprintf(_strAux, "%.2x ", pData[y]);
									_tcscat(_str, _strAux);
								}
								_tcscat(_str, _T("  "));

								for(y = x; y < x + 8; y++)
								{
									if(!isprint((int)pData[y]))
										_tcscat(_str, _T("."));
									else
									{
										TCHAR s[2];
										s[0] = (TCHAR)pData[y];
										s[1] = '\0';
										_tcscat(_str, s);
									}
								}
								_tcscat(_str, _T("\r\n"));
							}
						}
						else
							_tcscat(_str, _T("No data available."));

						SendMessage(hwndEditData, WM_SETTEXT, 0, (LPARAM)(LPCTSTR)_str);
					}
				}
			}

			goto _cleanup_;
		}
		else
			ReportLastError(0, 0, TRUE);

_unknownerror_:
		MessageBox(0, TEXT("Unknown error."), 0, MB_OK | MB_ICONSTOP);
		goto _cleanup_;

_allocationfailure_:
		MessageBox(0, TEXT("Allocation failure."), 0, MB_OK | MB_ICONSTOP);
		goto _cleanup_;

_cleanup_:
		CloseEventLog(hEventLog);
		hEventLog = 0;
	}
	else
		ReportLastError(0, 0, TRUE);

	#pragma warning(disable:4127)
	SafeDeletePointer(peid, sizeof(EVENTID));

	return 0L;
}