6 Appendix A: Full IDL
For ease of implementation, the full IDL is provided as follows, where "ms-dtyp.idl" is the IDL found in [MS-DTYP] section 5, Appendix A: Full MS-DTYP IDL.
-
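import "ms-dtyp.idl";

// RPC interface "eventlog". Basic types such as NTSTATUS, ULONG, PFILETIME,
// PRPC_SID and PRPC_UNICODE_STRING are not declared here; they are expected
// to come from the imported ms-dtyp.idl.
//
// Layout notes for anyone regenerating stubs from this text:
//   * Preprocessor directives (#ifdef/#endif/#define) and // comments must
//     each sit on their own line; a // comment swallows the rest of its line.
//   * Procedure numbers (opnums) are assigned in declaration order starting
//     at 0. Do not reorder procedures or drop the OpnumNNNotUsedOnWire
//     placeholders, or every later opnum shifts.
//   * The [range] and [size_is] attributes are the only input bounds this
//     interface expresses. Implementations not generated by MIDL have to
//     enforce the same limits themselves.
[
    uuid(82273FDC-E32A-18C3-3F78-827929DC23EA),
    version(0.0),
#ifdef __midl
    ms_union,
#endif // __midl
    pointer_default(unique)
]
interface eventlog
{
    // the following line(s) commented out to avoid redefinition of MS-DTYP types
    //typedef long NTSTATUS;

    // Size limits. Only MAX_BATCH_BUFF is referenced by name in this IDL (via
    // RULONG). The report procedures use the literals 256 (== MAX_STRINGS) and
    // 61440 in their [range] attributes; MAX_SINGLE_EVENT is not referenced.
    #define MAX_STRINGS         0x00000100
    #define MAX_SINGLE_EVENT    0x0003FFFF
    #define MAX_BATCH_BUFF      0x0007FFFF

    // Counted 8-bit string used by the "A" procedure variants.
    // Buffer is marshalled with MaximumLength elements. The IDL places no
    // constraint between Length and MaximumLength, so a receiver must check
    // Length <= MaximumLength before trusting Length.
    typedef struct _RPC_STRING {
        unsigned short Length;
        unsigned short MaximumLength;
        [size_is(MaximumLength)] char* Buffer;
    } RPC_STRING, *PRPC_STRING;

    // Process/thread identifier pair passed to ElfrChangeNotify.
    typedef struct _RPC_CLIENT_ID {
        unsigned long UniqueProcess;
        unsigned long UniqueThread;
    } RPC_CLIENT_ID, *PRPC_CLIENT_ID;

    // Custom binding-handle types ([handle]); [unique] means NULL is allowed.
    typedef [handle, unique] wchar_t * EVENTLOG_HANDLE_W;
    typedef [handle, unique] char *    EVENTLOG_HANDLE_A;

    // Context handle naming server-side state for an opened log or registered
    // source. PIELF_HANDLE is declared but no procedure below uses it; they
    // take IELF_HANDLE * instead.
    typedef [context_handle] void *  IELF_HANDLE;
    typedef [context_handle] void ** PIELF_HANDLE;

    // unsigned long restricted to 0..MAX_BATCH_BUFF. Used for the read size,
    // which also sizes the [out] buffer in ElfrReadELW / ElfrReadELA.
    typedef [range(0, MAX_BATCH_BUFF)] unsigned long RULONG;

    // Opnum 0. Clear operation on the log behind LogHandle. BackupFileName is
    // [unique], so it may be NULL. The file name is caller-supplied; path
    // validation and authorization are not expressed in the IDL and are left
    // to the server. Log clearing is an audit-relevant action.
    NTSTATUS ElfrClearELFW (
        [in] IELF_HANDLE LogHandle,
        [in,unique] PRPC_UNICODE_STRING BackupFileName
    );

    // Opnum 1. Backup operation; BackupFileName is not marked [unique] here.
    // Same caveat as opnum 0 on the caller-supplied file name.
    NTSTATUS ElfrBackupELFW (
        [in] IELF_HANDLE LogHandle,
        [in] PRPC_UNICODE_STRING BackupFileName
    );

    // Opnum 2. Takes the context handle by [in,out] pointer, so the server can
    // hand back an updated handle value (presumably NULL once closed; confirm
    // against the protocol text).
    NTSTATUS ElfrCloseEL (
        [in,out] IELF_HANDLE * LogHandle
    );

    // Opnum 3. Same [in,out] handle shape as ElfrCloseEL.
    NTSTATUS ElfrDeregisterEventSource (
        [in,out] IELF_HANDLE * LogHandle
    );

    // Opnum 4. Returns a value through NumberOfRecords.
    NTSTATUS ElfrNumberOfRecords(
        [in] IELF_HANDLE LogHandle,
        [out] unsigned long * NumberOfRecords
    );

    // Opnum 5. Returns a value through OldestRecordNumber.
    NTSTATUS ElfrOldestRecord(
        [in] IELF_HANDLE LogHandle,
        [out] unsigned long * OldestRecordNumber
    );

    // Opnum 6. ClientId is passed by value, and Event is a plain ULONG
    // supplied by the caller.
    NTSTATUS ElfrChangeNotify(
        [in] IELF_HANDLE LogHandle,
        [in] RPC_CLIENT_ID ClientId,
        [in] ULONG Event
    );

    // Opnum 7. Produces a new context handle in LogHandle. UNCServerName is
    // the custom binding handle.
    NTSTATUS ElfrOpenELW (
        [in] EVENTLOG_HANDLE_W UNCServerName,
        [in] PRPC_UNICODE_STRING ModuleName,
        [in] PRPC_UNICODE_STRING RegModuleName,
        [in] unsigned long MajorVersion,
        [in] unsigned long MinorVersion,
        [out] IELF_HANDLE * LogHandle
    );

    // Opnum 8. Same parameter list as ElfrOpenELW.
    NTSTATUS ElfrRegisterEventSourceW (
        [in] EVENTLOG_HANDLE_W UNCServerName,
        [in] PRPC_UNICODE_STRING ModuleName,
        [in] PRPC_UNICODE_STRING RegModuleName,
        [in] unsigned long MajorVersion,
        [in] unsigned long MinorVersion,
        [out] IELF_HANDLE * LogHandle
    );

    // Opnum 9. Opens by caller-supplied BackupFileName; the server is
    // responsible for validating the path and the caller's access to it.
    NTSTATUS ElfrOpenBELW (
        [in] EVENTLOG_HANDLE_W UNCServerName,
        [in] PRPC_UNICODE_STRING BackupFileName,
        [in] unsigned long MajorVersion,
        [in] unsigned long MinorVersion,
        [out] IELF_HANDLE * LogHandle
    );

    // Opnum 10. NumberOfBytesToRead is an RULONG (0..MAX_BATCH_BUFF) and also
    // the size_is for Buffer, so the range bound caps the [out] allocation.
    // The count of bytes actually produced is reported in NumberOfBytesRead.
    NTSTATUS ElfrReadELW (
        [in] IELF_HANDLE LogHandle,
        [in] unsigned long ReadFlags,
        [in] unsigned long RecordOffset,
        [in] RULONG NumberOfBytesToRead,
        [out, size_is(NumberOfBytesToRead)] unsigned char * Buffer,
        [out] unsigned long * NumberOfBytesRead,
        [out] unsigned long * MinNumberOfBytesNeeded
    );

    // Opnum 11. NumStrings (0..256) sizes Strings; DataSize (0..61440) sizes
    // Data. Strings and Data are [unique], so either may be NULL whatever the
    // count says, and a receiver must check the pointer before indexing.
    // Time, ComputerName and UserSID are plain [in] values chosen by the
    // caller. Nothing in the IDL indicates they are verified, so treat them as
    // caller-asserted unless the protocol text says otherwise.
    NTSTATUS ElfrReportEventW (
        [in] IELF_HANDLE LogHandle,
        [in] unsigned long Time,
        [in] unsigned short EventType,
        [in] unsigned short EventCategory,
        [in] unsigned long EventID,
        [in, range(0, 256)] unsigned short NumStrings,
        [in, range(0, 61440)] unsigned long DataSize,
        [in] PRPC_UNICODE_STRING ComputerName,
        [in, unique] PRPC_SID UserSID,
        [in, size_is(NumStrings), unique] PRPC_UNICODE_STRING Strings[*],
        [in, size_is(DataSize), unique] unsigned char * Data,
        [in] unsigned short Flags,
        [in,out,unique] unsigned long * RecordNumber,
        [in,out,unique] unsigned long * TimeWritten
    );

    // Opnums 12-18 mirror opnums 0, 1, 7, 8, 9, 10 and 11, with PRPC_STRING in
    // place of PRPC_UNICODE_STRING and EVENTLOG_HANDLE_A in place of
    // EVENTLOG_HANDLE_W. The caveats noted on the W variants apply unchanged.

    // Opnum 12.
    NTSTATUS ElfrClearELFA (
        [in] IELF_HANDLE LogHandle,
        [in,unique] PRPC_STRING BackupFileName
    );

    // Opnum 13.
    NTSTATUS ElfrBackupELFA (
        [in] IELF_HANDLE LogHandle,
        [in] PRPC_STRING BackupFileName
    );

    // Opnum 14.
    NTSTATUS ElfrOpenELA (
        [in] EVENTLOG_HANDLE_A UNCServerName,
        [in] PRPC_STRING ModuleName,
        [in] PRPC_STRING RegModuleName,
        [in] unsigned long MajorVersion,
        [in] unsigned long MinorVersion,
        [out] IELF_HANDLE * LogHandle
    );

    // Opnum 15.
    NTSTATUS ElfrRegisterEventSourceA (
        [in] EVENTLOG_HANDLE_A UNCServerName,
        [in] PRPC_STRING ModuleName,
        [in] PRPC_STRING RegModuleName,
        [in] unsigned long MajorVersion,
        [in] unsigned long MinorVersion,
        [out] IELF_HANDLE * LogHandle
    );

    // Opnum 16.
    NTSTATUS ElfrOpenBELA (
        [in] EVENTLOG_HANDLE_A UNCServerName,
        [in] PRPC_STRING BackupFileName,
        [in] unsigned long MajorVersion,
        [in] unsigned long MinorVersion,
        [out] IELF_HANDLE * LogHandle
    );

    // Opnum 17.
    NTSTATUS ElfrReadELA (
        [in] IELF_HANDLE LogHandle,
        [in] unsigned long ReadFlags,
        [in] unsigned long RecordOffset,
        [in] RULONG NumberOfBytesToRead,
        [out, size_is(NumberOfBytesToRead)] unsigned char * Buffer,
        [out] unsigned long * NumberOfBytesRead,
        [out] unsigned long * MinNumberOfBytesNeeded
    );

    // Opnum 18.
    NTSTATUS ElfrReportEventA (
        [in] IELF_HANDLE LogHandle,
        [in] unsigned long Time,
        [in] unsigned short EventType,
        [in] unsigned short EventCategory,
        [in] unsigned long EventID,
        [in, range(0, 256)] unsigned short NumStrings,
        [in, range(0, 61440)] unsigned long DataSize,
        [in] PRPC_STRING ComputerName,
        [in, unique] PRPC_SID UserSID,
        [in, size_is(NumStrings), unique] PRPC_STRING Strings[*],
        [in, size_is(DataSize), unique] unsigned char * Data,
        [in] unsigned short Flags,
        [in,out,unique] unsigned long * RecordNumber,
        [in,out,unique] unsigned long * TimeWritten
    );

    // Opnums 19-21: placeholders that keep the numbering of later procedures.
    void Opnum19NotUsedOnWire(void);

    void Opnum20NotUsedOnWire(void);

    void Opnum21NotUsedOnWire(void);

    // Opnum 22. lpBuffer is sized by cbBufSize, which is declared after it and
    // limited to 0..1024; pcbBytesNeeded reports the required size.
    NTSTATUS ElfrGetLogInformation(
        [in] IELF_HANDLE LogHandle,
        [in] unsigned long InfoLevel,
        [out, size_is(cbBufSize)] unsigned char * lpBuffer,
        [in, range(0, 1024)] unsigned long cbBufSize,
        [out] unsigned long * pcbBytesNeeded
    );

    // Opnum 23: placeholder.
    void Opnum23NotUsedOnWire(void);

    // Opnum 24. Same as ElfrReportEventW plus a caller-supplied SourceName.
    // The source name is therefore also a caller-asserted value.
    NTSTATUS ElfrReportEventAndSourceW (
        [in] IELF_HANDLE LogHandle,
        [in] unsigned long Time,
        [in] unsigned short EventType,
        [in] unsigned short EventCategory,
        [in] unsigned long EventID,
        [in] PRPC_UNICODE_STRING SourceName,
        [in, range(0, 256)] unsigned short NumStrings,
        [in, range(0, 61440)] unsigned long DataSize,
        [in] PRPC_UNICODE_STRING ComputerName,
        [in, unique] PRPC_SID UserSID,
        [in, size_is(NumStrings), unique] PRPC_UNICODE_STRING Strings[*],
        [in, size_is(DataSize), unique] unsigned char * Data,
        [in] unsigned short Flags,
        [in,out,unique] unsigned long * RecordNumber,
        [in,out,unique] unsigned long * TimeWritten
    );

    // Opnum 25. Differs from ElfrReportEventW in taking the time as PFILETIME
    // TimeGenerated and in having no TimeWritten parameter. The bounds on
    // NumStrings and DataSize are unchanged.
    NTSTATUS ElfrReportEventExW(
        [in] IELF_HANDLE LogHandle,
        [in] PFILETIME TimeGenerated,
        [in] unsigned short EventType,
        [in] unsigned short EventCategory,
        [in] unsigned long EventID,
        [in, range(0, 256)] unsigned short NumStrings,
        [in, range(0, 61440)] unsigned long DataSize,
        [in] PRPC_UNICODE_STRING ComputerName,
        [in, unique] PRPC_SID UserSID,
        [in, size_is(NumStrings), unique] PRPC_UNICODE_STRING Strings[*],
        [in, size_is(DataSize), unique] unsigned char* Data,
        [in] unsigned short Flags,
        [in, out, unique] unsigned long* RecordNumber
    );

    // Opnum 26. PRPC_STRING counterpart of ElfrReportEventExW.
    NTSTATUS ElfrReportEventExA(
        [in] IELF_HANDLE LogHandle,
        [in] PFILETIME TimeGenerated,
        [in] unsigned short EventType,
        [in] unsigned short EventCategory,
        [in] unsigned long EventID,
        [in, range(0, 256)] unsigned short NumStrings,
        [in, range(0, 61440)] unsigned long DataSize,
        [in] PRPC_STRING ComputerName,
        [in, unique] PRPC_SID UserSID,
        [in, size_is(NumStrings), unique] PRPC_STRING Strings[*],
        [in, size_is(DataSize), unique] unsigned char* Data,
        [in] unsigned short Flags,
        [in, out, unique] unsigned long* RecordNumber
    );
}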