3.1.4.15 ElfrReportEventAndSourceW (Opnum 24)

This method<32> instructs the server to write an event to an event log. It differs from the other methods for writing an event by specifying the event source at the time of the write. The other methods for writing an event required the event source to be specified when the handle was opened for write.

 NTSTATUS ElfrReportEventAndSourceW(
   [in] IELF_HANDLE LogHandle,
   [in] unsigned long Time,
   [in] unsigned short EventType,
   [in] unsigned short EventCategory,
   [in] unsigned long EventID,
   [in] PRPC_UNICODE_STRING SourceName,
   [in, range(0, 256)] unsigned short NumStrings,
   [in, range(0, 61440)] unsigned long DataSize,
   [in] PRPC_UNICODE_STRING ComputerName,
   [in, unique] PRPC_SID UserSID,
   [in, size_is(NumStrings), unique]
     PRPC_UNICODE_STRING Strings[*],
   [in, size_is(DataSize), unique]
     unsigned char* Data,
   [in] unsigned short Flags,
   [in, out, unique] unsigned long* RecordNumber,
   [in, out, unique] unsigned long* TimeWritten
 );

LogHandle: Handle to an event log. This parameter is a server context handle, as specified in section 2.2.6. This handle MUST NOT be obtained via the ElfrOpenBELA (section 3.1.4.2) method or the ElfrOpenBELW (section 3.1.4.1) method.

Time: Time at which the event was generated by the event source (not the time at which the event was logged). The time MUST be expressed as the number of seconds since 00:00:00 on January 1, 1970 (UTC).

EventType: Type of the event, as specified in section 2.2.2.

EventCategory: Event category, as specified in section 1.8.5.

EventID: EventID, as specified in section 3.1.1.4.

SourceName: Specifies the name of the event source.

NumStrings: Number of strings in the array pointed to by the Strings parameter. If no strings are present, this value MUST be set to zero.

DataSize: Number of bytes of event-specific raw binary data to write to the log. This binary data is passed in the Data parameter. If no event-specific data is present, this parameter MUST be set to zero.

ComputerName: A string to assist in identifying the machine that generated the event. In practice, this is the name of the computer. There are no character restrictions on this field's content (for example, an FQDN can be used).

UserSID: Either NULL or a user SID. If this is NULL, the event is to have a zero length UserSid field.

Strings: Strings containing text information specific to the event. This parameter MUST be a valid pointer. If the NumStrings parameter is zero, this parameter MUST be NULL. For example, an event relating to file deletion could use a string to specify the path of the file being deleted.

Data: Pointer to a buffer that contains binary information specific to the event. This parameter MUST be a valid pointer (or NULL), even if the DataSize parameter is zero.

Flags: Unused. MUST be set to zero when sent and MUST be ignored on receipt.

RecordNumber: Unused. Can be set to any arbitrary value when sent, and any value sent by the client MUST be ignored on receipt by the server.

TimeWritten: Unused. Can be set to any arbitrary value when sent, and any value sent by the client MUST be ignored on receipt by the server.

Return Values: The method MUST return STATUS_SUCCESS (0x00000000) on success; otherwise, it MUST return an implementation-based, nonzero NTSTATUS value specified in [MS-ERREF].

Note: If the method is not supported, the RPC transport itself (as opposed to this protocol) returns RPC_S_PROCNUM_OUT_OF_RANGE (0x6D1).

This method is almost identical to the ElfrReportEventW (section 3.1.4.13) method except that it has a SourceName parameter. The server uses this SourceName parameter to log the source into the event instead of retrieving the source name from the LogHandle parameter.
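As an added illustration (not part of [MS-EVEN] or of any Windows implementation), the following C sketch applies the parameter constraints listed above on the server side before a record is written, and derives the size of the UserSid field from the UserSID argument. The simplified stand-in types, the is_backup flag on the handle, and the choice of STATUS_INVALID_PARAMETER (from [MS-ERREF]) as the rejection code are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not from [MS-EVEN] or any Windows implementation: the
 * parameter checks a server would apply to ElfrReportEventAndSourceW before
 * writing a record. The types below are simplified stand-ins for the IDL
 * types; the is_backup flag and the use of STATUS_INVALID_PARAMETER (from
 * [MS-ERREF]) as the rejection code are assumptions. */
typedef uint32_t NTSTATUS;
#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_PARAMETER 0xC000000Du

typedef struct { int is_backup; } log_handle_t;     /* stand-in for IELF_HANDLE */
typedef struct {                                    /* stand-in for RPC_UNICODE_STRING */
    uint16_t length, maximum_length; const uint16_t *buffer;
} rpc_ustr_t;
typedef struct {                                    /* stand-in for RPC_SID */
    uint8_t revision, sub_authority_count, identifier_authority[6];
    uint32_t sub_authority[15];
} rpc_sid_t;

NTSTATUS validate_report_event_and_source(const log_handle_t *log_handle,
        const rpc_ustr_t *source_name, uint16_t num_strings, uint32_t data_size,
        const rpc_ustr_t *computer_name, const rpc_ustr_t *strings,
        const unsigned char *data)
{
    /* Handles from ElfrOpenBELW/ElfrOpenBELA (backup logs) are not writable. */
    if (log_handle == NULL || log_handle->is_backup)
        return STATUS_INVALID_PARAMETER;
    if (source_name == NULL || computer_name == NULL)
        return STATUS_INVALID_PARAMETER;
    /* The IDL range() attributes: 0..256 strings, at most 61440 data bytes. */
    if (num_strings > 256 || data_size > 61440)
        return STATUS_INVALID_PARAMETER;
    /* Strings MUST be NULL when NumStrings is zero, non-NULL otherwise. */
    if ((num_strings == 0) != (strings == NULL))
        return STATUS_INVALID_PARAMETER;
    /* Data may be NULL only when there is no event-specific data. */
    if (data_size > 0 && data == NULL)
        return STATUS_INVALID_PARAMETER;
    /* Flags, RecordNumber and TimeWritten are ignored, so they are not checked. */
    return STATUS_SUCCESS;
}

/* Size of the UserSid field to write: zero for a NULL UserSID, otherwise the
 * 8-byte SID header plus 4 bytes per sub-authority. */
size_t user_sid_length(const rpc_sid_t *user_sid)
{
    return user_sid == NULL ? 0 : 8u + 4u * user_sid->sub_authority_count;
}
```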