18.104.22.168 EvtRpcQueryNext (Opnum 11)
The EvtRpcQueryNext (Opnum 11) method is used by a client to get the next batch of records from a query result set.
error_status_t EvtRpcQueryNext( [in, context_handle] PCONTEXT_HANDLE_LOG_QUERY logQuery, [in] DWORD numRequestedRecords, [in] DWORD timeOutEnd, [in] DWORD flags, [out] DWORD* numActualRecords, [out, size_is(,*numActualRecords), range(0, MAX_RPC_RECORD_COUNT)] DWORD** eventDataIndices, [out, size_is(,*numActualRecords), range(0, MAX_RPC_RECORD_COUNT)] DWORD** eventDataSizes, [out] DWORD* resultBufferSize, [out, size_is(,*resultBufferSize), range(0, MAX_RPC_BATCH_SIZE)] BYTE** resultBuffer );
numRequestedRecords: A 32-bit unsigned integer that contains the number of events to return.<17>
timeOutEnd: A 32-bit unsigned integer that contains the maximum number of milliseconds to wait before returning, starting from the time the server begins processing the call.
flags: A 32-bit unsigned integer that MUST be set to zero when sent and MAY be ignored on receipt.<18>
numActualRecords: A pointer to a 32-bit unsigned integer that contains the value that, on success, MUST be set to the number of events that are retrieved. This is useful when the method times out without receiving the full number of events specified in numRequestedRecords. If the method fails, the client MUST NOT use the value.
eventDataIndices: A pointer to an array of 32-bit unsigned integers that contain the offsets (in bytes) within the resultBuffer for the events that are read.
eventDataSizes: A pointer to an array of 32-bit unsigned integers that contain the sizes (in bytes) within the resultBuffer for the events that are read.
resultBufferSize: A pointer to a 32-bit unsigned integer that contains the number of bytes of data returned in resultBuffer.
resultBuffer: A pointer to a byte-array that contains the result set of one or more events. The events MUST be in binary XML format, as specified in section 2.2.17.
Return Values: The method MUST return ERROR_SUCCESS (0x00000000) on success. The method MUST return ERROR_TIMEOUT (0x000005bf) if no records are found within the time-out period. The method MUST return ERROR_NO_MORE_ITEMS (0x00000103) once the query has finished going through all the log(s); otherwise, it MUST return a different implementation-specific nonzero value as specified in [MS-ERREF].
In response to this request from the client, the server MUST first validate the handle. The server MUST fail the operation if the handle is invalid. The server SHOULD save the log handle value it creates in the EvtRpcRegisterLogQuery method (as specified in section 22.214.171.124) in its handle table (as specified in section 126.96.36.199) and compare it with the handle passed here to perform the check.<19>
The server MUST return ERROR_INVALID_PARAMETER (0x00000057) if the handle is invalid.
If the above check is successful, the server MUST attempt to read through the event log(s) and copy any events that pass the filter into resultBuffer. As mentioned in section 188.8.131.52, the context handle corresponds to the log query object on the server side. So the server casts the logQuery handle to its internal log query object after the validation of the handle. The log query object contains the position which indicates how many records the client has already received. The server reads the next record after the position in the event log file. For each record it reads, it tries to match the query filter. If the event passes the filter, the server copies that event record into the client resultBuffer. The server MUST continue the operation until the number of events copied equals the number of events specified by the numRequestedRecords parameter, or until the duration of the call exceeds the number of milliseconds specified by the timeOutEnd parameter, or until there are no more records to be read. The server MUST update its position in the log query object to keep track of the next event record the server needs to return the next time a client calls this method. If the timeOutEnd parameter is 0xFFFFFFFF, the server SHOULD ignore the time-out and process the call as long as it needs without checking the time-out.
If the server cannot find any records in the time specified by the timeOutEnd parameter, it MUST return ERROR_TIMEOUT (0x000005bf).
If the server cannot find any records because it reached the end of the file, it MUST return ERROR_NO_MORE_ITEMS (0x00000103).
The server returns the result in the five output parameters: numActualRecords, eventDataIndices, eventDataSizes, resultBufferSize, and resultBuffer. On successful return, the numActualRecords contains the number of events in the resultBuffer. All the returned events are in BinXML format and they are packed as one binary blob in the resultBuffer. The total size of all these events are marked by resultBufferSize. Since all the events are packed together, there is a need to identify where the separator is for each event in the result. To do this, the server fills two arrays: eventDataIndices and eventDataSizes. Both arrays contain the numActualRecords of elements. For the eventDataIndices array, each array element is a 32-bit value which is the start position of each event in the resultBuffer. For the eventDataSizes array, each element is a 32-bit value which is the size of every event.
The server MUST return a value indicating success or failure for this operation.