1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
|
/*++
Copyright (c) 1990 Microsoft Corporation
Module Name:
DATA.C
Abstract:
Thie file contains all the global data elements of the eventlog service.
Author:
Rajen Shah (rajens) 10-Jul-1991
[Environment:]
User Mode - Win32, except for NTSTATUS returned by some functions.
Revision History:
10-Jul-1991 RajenS
created
--*/
//
// INCLUDES
//
#include <eventp.h>
#include <elfcfg.h>
//
// Debug flag used to control ElfDbgPrint
//
DWORD ElfDebug = 0;
//
// Handles used for the LPC port.
//
HANDLE ElfConnectionPortHandle;
HANDLE ElfCommunicationPortHandle;
// The heads of various linked lists
//
LIST_ENTRY LogFilesHead; // Log files
RTL_CRITICAL_SECTION LogFileCritSec; // Accessing log files
LIST_ENTRY LogModuleHead; // Modules registered for logging
RTL_CRITICAL_SECTION LogModuleCritSec; // Accessing log files
LIST_ENTRY LogHandleListHead; // Context-handles for log handles
RTL_CRITICAL_SECTION LogHandleCritSec; // Accessing log handles
LIST_ENTRY QueuedEventListHead; // Deferred events to write
RTL_CRITICAL_SECTION QueuedEventCritSec; // Accessing the deferred events
LIST_ENTRY QueuedMessageListHead; // Deferred messagebox
RTL_CRITICAL_SECTION QueuedMessageCritSec; // Accessing the deferred mb's
HANDLE ElfDoneEvent; // Event to wait for service termination
//
// Service-related global data
//
SERVICE_STATUS_HANDLE ElfServiceStatusHandle;
LPWSTR wname_Eventlogsvc = L"EVENTLOG"; // UNICODE name
CHAR name_Eventlogsvc[] = "EVENTLOG"; // ASCII name
//
// The following resource is used to serialize access to the resources
// of the Eventlog service at the highest level. It is used to make sure
// that the threads that write/read/clear the log file(s) do not step over
// the threads that monitor the registry and deal with service control
// operations.
//
// The threads that operate on the log file(s) have Shared access to the
// resource, since they are further serialized on the file that they are
// working on.
//
// The threads that will modify the internal data structures, or the state
// of the service, need Exclusive access to the resource so that we can
// control access to the data structures and log files.
//
RTL_RESOURCE GlobalElfResource;
//
// This is used by the Backup API to signify which 4K block of the log it's
// currently reading. This is used to prevent a writer from overwriting this
// block while it is reading it. The event is used to let a writer block if
// it was going to overwrite the current backup block, and get pulsed when
// the backup thread moves to the next block.
PVOID ElfBackupPointer;
HANDLE ElfBackupEvent;
//
// Handle for the LPC thread
//
HANDLE LPCThreadHandle;
//
// Handle for the MessageBox thread
//
HANDLE MBThreadHandle;
//
// Handle and ID for the registry monitor thread
//
HANDLE RegistryThreadHandle=NULL;
DWORD RegistryThreadId;
//
// Bitmask of things that have been allocated and/or started by the
// service. When the service terminates, this is what needs to be
// cleaned.
//
ULONG EventFlags; // Keep track of what is allocated
//
// Record used to indicate the end of the event records in the file.
//
ELF_EOF_RECORD EOFRecord = {ELFEOFRECORDSIZE,
0x11111111,
0x22222222,
0x33333333,
0x44444444,
FILEHEADERBUFSIZE,
FILEHEADERBUFSIZE,
1,
1,
ELFEOFRECORDSIZE
};
//
// Default module to use if no match is found, APPLICATION
//
PLOGMODULE ElfDefaultLogModule;
//
// Module for the eventlog service itself
//
PLOGMODULE ElfModule;
//
// Handle (key) to the event log node in the registry.
// This is set up by Elfmain().
//
HANDLE hEventLogNode = NULL; // Initialize to NULL
//
// Used to create a unigue module name for backup logs
//
DWORD BackupModuleNumber;
//
// NT well-known SIDs
//
PSVCS_GLOBAL_DATA ElfGlobalData;
//
// Global anonymous logon sid - used in log ACL's. The only SID allocated
// specifically by the eventlog service, all others are passed in from
// the service controller in ElfGlobalData.
//
PSID AnonymousLogonSid = NULL;
//
// The local computer name. Used when we generate events ourself.
//
LPWSTR LocalComputerName = NULL;
ULONG ComputerNameLength;
//
// Shutdown Flag
//
BOOL EventlogShutdown = FALSE;
HANDLE ElfGlobalSvcRefHandle=NULL;
//
// This is the string used in the title bar of the Message Box
// used to display log full messages.
// GlobalMessageBoxTitle will either point to the default string, or
// to the string allocated in the format Message function.
//
WCHAR DefaultMessageBoxTitle[]=L"Eventlog Service";
LPWSTR GlobalAllocatedMsgTitle=NULL;
LPWSTR GlobalMessageBoxTitle=DefaultMessageBoxTitle;
#ifdef _CAIRO_
//
// The eventlog service links to ALERTSYS.DLL by hand (eventlog.c) after
// eventlog initialization, since this dll's initialization code requires
// a running eventlog service.
//
HINSTANCE ghAlertSysDll = NULL;
PREPORTALERT gpfReportAlert = NULL;
#endif // _CAIRO_
|
