Examples with EVT_HANDLE com.sun.jna.platform.win32.Winevt.EVT_HANDLE used on opensource projects

Search in sources :

Example 1 with EVT_HANDLE

use of com.sun.jna.platform.win32.Winevt.EVT_HANDLE in project jna by java-native-access.

the class WevtapiTest method testEvtOpenPublisherEnum.

public void testEvtOpenPublisherEnum() throws Exception {
    Winevt.EVT_RPC_LOGIN login = new Winevt.EVT_RPC_LOGIN("localhost", null, null, null, Winevt.EVT_RPC_LOGIN_FLAGS.EvtRpcLoginAuthDefault);
    EVT_HANDLE session = null;
    EVT_HANDLE publisherEnumHandle = null;
    List<String> publisherList = new ArrayList<String>();
    try {
        session = Wevtapi.INSTANCE.EvtOpenSession(Winevt.EVT_LOGIN_CLASS.EvtRpcLogin, login, 0, 0);
        if (session == null) {
            throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
        }
        publisherEnumHandle = Wevtapi.INSTANCE.EvtOpenPublisherEnum(session, 0);
        if (publisherEnumHandle == null) {
            throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
        }
        String providerName;
        while (true) {
            try {
                providerName = WevtapiUtil.EvtNextPublisherId(publisherEnumHandle);
            } catch (Win32Exception e) {
                if (e.getErrorCode() == WinError.ERROR_NO_MORE_ITEMS) {
                    break;
                } else {
                    throw e;
                }
            }
            publisherList.add(providerName);
        }
        assertThat(publisherList.size() > 0, is(true));
    } finally {
        if (publisherEnumHandle != null) {
            Wevtapi.INSTANCE.EvtClose(publisherEnumHandle);
        }
        if (session != null) {
            Wevtapi.INSTANCE.EvtClose(session);
        }
    }
}
Also used : EVT_HANDLE(com.sun.jna.platform.win32.Winevt.EVT_HANDLE) ArrayList(java.util.ArrayList)

Example 2 with EVT_HANDLE

use of com.sun.jna.platform.win32.Winevt.EVT_HANDLE in project jna by java-native-access.

the class WevtapiTest method testEvtOpenChannelEnum.

public void testEvtOpenChannelEnum() throws Exception {
    EVT_HANDLE channelHandle = null;
    List<String> channelList = new ArrayList<String>();
    try {
        channelHandle = Wevtapi.INSTANCE.EvtOpenChannelEnum(null, 0);
        if (channelHandle == null) {
            throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
        }
        char[] buff = new char[1024];
        IntByReference buffUsed = new IntByReference();
        while (true) {
            if (!Wevtapi.INSTANCE.EvtNextChannelPath(channelHandle, buff.length, buff, buffUsed)) {
                if (Kernel32.INSTANCE.GetLastError() == WinError.ERROR_NO_MORE_ITEMS) {
                    break;
                } else if (Kernel32.INSTANCE.GetLastError() == WinError.ERROR_INSUFFICIENT_BUFFER) {
                    buff = new char[buffUsed.getValue()];
                    if (!Wevtapi.INSTANCE.EvtNextChannelPath(channelHandle, buff.length, buff, buffUsed)) {
                        throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
                    }
                }
            }
            channelList.add(Native.toString(buff));
        }
        assertThat(channelList.size() > 0, is(true));
    } finally {
        if (channelHandle != null) {
            Wevtapi.INSTANCE.EvtClose(channelHandle);
        }
    }
}
Also used : IntByReference(com.sun.jna.ptr.IntByReference) EVT_HANDLE(com.sun.jna.platform.win32.Winevt.EVT_HANDLE) ArrayList(java.util.ArrayList)

Example 3 with EVT_HANDLE

use of com.sun.jna.platform.win32.Winevt.EVT_HANDLE in project jna by java-native-access.

the class WevtapiTest method testEvtOpenLog.

public void testEvtOpenLog() throws Exception {
    File testEvtx = new File(getClass().getResource("/res/WevtapiTest.sample1.evtx").toURI());
    EVT_HANDLE logHandle = Wevtapi.INSTANCE.EvtOpenLog(null, testEvtx.getAbsolutePath(), Winevt.EVT_OPEN_LOG_FLAGS.EvtOpenFilePath);
    if (logHandle == null) {
        throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
    }
    Memory buff = new Memory(1024);
    IntByReference buffUsed = new IntByReference();
    if (!Wevtapi.INSTANCE.EvtGetLogInfo(logHandle, Winevt.EVT_LOG_PROPERTY_ID.EvtLogFileSize, (int) buff.size(), buff, buffUsed)) {
        if (Kernel32.INSTANCE.GetLastError() == WinError.ERROR_INSUFFICIENT_BUFFER) {
            buff = new Memory(buffUsed.getValue());
            if (!Wevtapi.INSTANCE.EvtGetLogInfo(logHandle, Winevt.EVT_LOG_PROPERTY_ID.EvtLogFileSize, (int) buff.size(), buff, buffUsed)) {
                throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
            }
        } else {
            throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
        }
    }
    assertThat(buff.getLong(0), is(69632L));
}
Also used : IntByReference(com.sun.jna.ptr.IntByReference) EVT_HANDLE(com.sun.jna.platform.win32.Winevt.EVT_HANDLE) Memory(com.sun.jna.Memory) File(java.io.File)

Example 4 with EVT_HANDLE

use of com.sun.jna.platform.win32.Winevt.EVT_HANDLE in project jna by java-native-access.

the class WevtapiTest method testModifyChannelConfig.

public void testModifyChannelConfig() throws Exception {
    EVT_HANDLE channelHandle = null;
    try {
        channelHandle = Wevtapi.INSTANCE.EvtOpenChannelConfig(null, "Application", 0);
        assertNotNull(channelHandle);
        Winevt.EVT_VARIANT evtVariant = WevtapiUtil.EvtGetChannelConfigProperty(channelHandle, EVT_CHANNEL_CONFIG_PROPERTY_ID.EvtChannelConfigClassicEventlog);
        assertThat(((WinDef.BOOL) evtVariant.getValue()).booleanValue(), is(true));
        Winevt.EVT_VARIANT setter = new Winevt.EVT_VARIANT();
        setter.setValue(Winevt.EVT_VARIANT_TYPE.EvtVarTypeBoolean, new BOOL(false));
        Wevtapi.INSTANCE.EvtSetChannelConfigProperty(channelHandle, EVT_CHANNEL_CONFIG_PROPERTY_ID.EvtChannelConfigClassicEventlog, 0, setter);
        evtVariant = WevtapiUtil.EvtGetChannelConfigProperty(channelHandle, EVT_CHANNEL_CONFIG_PROPERTY_ID.EvtChannelConfigClassicEventlog);
        assertThat(((WinDef.BOOL) evtVariant.getValue()).booleanValue(), is(false));
        setter.setValue(Winevt.EVT_VARIANT_TYPE.EvtVarTypeBoolean, new BOOL(true));
        Wevtapi.INSTANCE.EvtSetChannelConfigProperty(channelHandle, EVT_CHANNEL_CONFIG_PROPERTY_ID.EvtChannelConfigClassicEventlog, 0, setter);
        evtVariant = WevtapiUtil.EvtGetChannelConfigProperty(channelHandle, EVT_CHANNEL_CONFIG_PROPERTY_ID.EvtChannelConfigClassicEventlog);
        assertThat(((WinDef.BOOL) evtVariant.getValue()).booleanValue(), is(true));
    // Writing back is skipped neighter is EvtChannelConfigClassicEventlog
    // writable, nor is it a good idea to mess with the log of the developer machine
    } finally {
        if (channelHandle != null) {
            Wevtapi.INSTANCE.EvtClose(channelHandle);
        }
    }
}
Also used : EVT_HANDLE(com.sun.jna.platform.win32.Winevt.EVT_HANDLE) BOOL(com.sun.jna.platform.win32.WinDef.BOOL)

Example 5 with EVT_HANDLE

use of com.sun.jna.platform.win32.Winevt.EVT_HANDLE in project jna by java-native-access.

the class WevtapiTest method testReadEvents.

public void testReadEvents() throws Exception {
    EVT_HANDLE queryHandle = null;
    EVT_HANDLE contextHandle = null;
    File testEvtx = new File(getClass().getResource("/res/WevtapiTest.sample1.evtx").toURI());
    StringBuilder sb = new StringBuilder();
    try {
        // test EvtQuery
        queryHandle = Wevtapi.INSTANCE.EvtQuery(null, testEvtx.getPath(), null, Winevt.EVT_QUERY_FLAGS.EvtQueryFilePath);
        // test EvtCreateRenderContext
        String[] targets = { "Event/System/Provider/@Name", "Event/System/EventRecordID", "Event/System/EventID", "Event/EventData/Data", "Event/System/TimeCreated/@SystemTime" };
        contextHandle = Wevtapi.INSTANCE.EvtCreateRenderContext(targets.length, targets, Winevt.EVT_RENDER_CONTEXT_FLAGS.EvtRenderContextValues);
        // test EvtNext
        int eventArraySize = 10;
        int evtNextTimeout = 1000;
        int arrayIndex = 0;
        EVT_HANDLE[] eventArray = new EVT_HANDLE[eventArraySize];
        IntByReference returned = new IntByReference();
        SimpleDateFormat dateFormat = new SimpleDateFormat("yyyy-MM-dd");
        while (Wevtapi.INSTANCE.EvtNext(queryHandle, eventArraySize, eventArray, evtNextTimeout, 0, returned)) {
            // test EvtRender
            Memory buff;
            IntByReference propertyCount = new IntByReference();
            Winevt.EVT_VARIANT evtVariant = new Winevt.EVT_VARIANT();
            for (int i = 0; i < returned.getValue(); i++) {
                buff = WevtapiUtil.EvtRender(contextHandle, eventArray[i], Winevt.EVT_RENDER_FLAGS.EvtRenderEventValues, propertyCount);
                assertThat("PropertyCount", propertyCount.getValue(), is(5));
                useMemory(evtVariant, buff, 0);
                assertThat("Provider Name", (String) evtVariant.getValue(), is("testSource"));
                sb.append((String) evtVariant.getValue());
                useMemory(evtVariant, buff, 1);
                assertThat("EventRecordID", (Long) evtVariant.getValue(), is((long) arrayIndex * eventArraySize + i + 1));
                useMemory(evtVariant, buff, 2);
                assertThat("EventID", (Short) evtVariant.getValue(), is((short) (5000 + (arrayIndex * eventArraySize + i + 1))));
                useMemory(evtVariant, buff, 3);
                String[] args = (String[]) evtVariant.getValue();
                assertThat("Data#length", args.length, is(1));
                assertThat("Data#value", args[0], is("testMessage" + (arrayIndex * eventArraySize + i + 1)));
                useMemory(evtVariant, buff, 4);
                Date systemtime = ((WinBase.FILETIME) evtVariant.getValue()).toDate();
                assertThat("TimeCreated", dateFormat.format(systemtime), is("2016-08-17"));
            }
            arrayIndex++;
        }
        if (Kernel32.INSTANCE.GetLastError() != WinError.ERROR_SUCCESS && Kernel32.INSTANCE.GetLastError() != WinError.ERROR_NO_MORE_ITEMS) {
            throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
        }
        assertThat(sb.length() > 0, is(true));
    } finally {
        // test EvtClose
        if (queryHandle != null) {
            Wevtapi.INSTANCE.EvtClose(queryHandle);
        }
        if (contextHandle != null) {
            Wevtapi.INSTANCE.EvtClose(contextHandle);
        }
    }
    // =========== Test accessing binary data and empty value ================
    queryHandle = null;
    contextHandle = null;
    testEvtx = new File(getClass().getResource("/res/WevtapiTest.sample2.evtx").toURI());
    try {
        queryHandle = Wevtapi.INSTANCE.EvtQuery(null, testEvtx.getPath(), null, Winevt.EVT_QUERY_FLAGS.EvtQueryFilePath);
        String[] targets = { "Event/EventData/Binary", "Event/System/Correlation" };
        contextHandle = Wevtapi.INSTANCE.EvtCreateRenderContext(targets.length, targets, Winevt.EVT_RENDER_CONTEXT_FLAGS.EvtRenderContextValues);
        int read = 0;
        int eventArraySize = 1;
        int evtNextTimeout = 1000;
        EVT_HANDLE[] eventArray = new EVT_HANDLE[eventArraySize];
        IntByReference returned = new IntByReference();
        while (Wevtapi.INSTANCE.EvtNext(queryHandle, eventArraySize, eventArray, evtNextTimeout, 0, returned)) {
            Memory buff;
            IntByReference propertyCount = new IntByReference();
            Winevt.EVT_VARIANT evtVariant = new Winevt.EVT_VARIANT();
            for (int i = 0; i < returned.getValue(); i++) {
                read++;
                buff = WevtapiUtil.EvtRender(contextHandle, eventArray[i], Winevt.EVT_RENDER_FLAGS.EvtRenderEventValues, propertyCount);
                assertThat("PropertyCount", propertyCount.getValue(), is(2));
                useMemory(evtVariant, buff, 0);
                assertThat("Binary", (byte[]) evtVariant.getValue(), is(new byte[] { (byte) 0xD9, (byte) 0x06, 0, 0 }));
                useMemory(evtVariant, buff, 1);
                assertThat("Correlation", evtVariant.getValue(), nullValue());
            }
        }
        assertThat(read, is(1));
    } finally {
        // test EvtClose
        if (queryHandle != null) {
            Wevtapi.INSTANCE.EvtClose(queryHandle);
        }
        if (contextHandle != null) {
            Wevtapi.INSTANCE.EvtClose(contextHandle);
        }
    }
    // =========== Test accessing GUID + SID data ================
    queryHandle = null;
    contextHandle = null;
    testEvtx = new File(getClass().getResource("/res/WevtapiTest.sample3.evtx").toURI());
    try {
        queryHandle = Wevtapi.INSTANCE.EvtQuery(null, testEvtx.getPath(), null, Winevt.EVT_QUERY_FLAGS.EvtQueryFilePath);
        String[] targets = { "Event/System/Security/@UserID", "Event/System/Provider/@Guid" };
        contextHandle = Wevtapi.INSTANCE.EvtCreateRenderContext(targets.length, targets, Winevt.EVT_RENDER_CONTEXT_FLAGS.EvtRenderContextValues);
        int read = 0;
        int eventArraySize = 1;
        int evtNextTimeout = 1000;
        EVT_HANDLE[] eventArray = new EVT_HANDLE[eventArraySize];
        IntByReference returned = new IntByReference();
        while (Wevtapi.INSTANCE.EvtNext(queryHandle, eventArraySize, eventArray, evtNextTimeout, 0, returned)) {
            Memory buff;
            IntByReference propertyCount = new IntByReference();
            Winevt.EVT_VARIANT evtVariant = new Winevt.EVT_VARIANT();
            for (int i = 0; i < returned.getValue(); i++) {
                read++;
                buff = WevtapiUtil.EvtRender(contextHandle, eventArray[i], Winevt.EVT_RENDER_FLAGS.EvtRenderEventValues, propertyCount);
                assertThat("PropertyCount", propertyCount.getValue(), is(2));
                useMemory(evtVariant, buff, 0);
                assertThat("Security#UserID", ((WinNT.PSID) evtVariant.getValue()).getSidString(), is("S-1-5-21-3178902164-3053647283-518304804-1001"));
                useMemory(evtVariant, buff, 1);
                assertThat("Provider#GUID", ((Guid.GUID) evtVariant.getValue()).toGuidString(), is("{B0AA8734-56F7-41CC-B2F4-DE228E98B946}"));
            }
        }
        assertThat(read, is(1));
    } finally {
        // test EvtClose
        if (queryHandle != null) {
            Wevtapi.INSTANCE.EvtClose(queryHandle);
        }
        if (contextHandle != null) {
            Wevtapi.INSTANCE.EvtClose(contextHandle);
        }
    }
}
Also used : IntByReference(com.sun.jna.ptr.IntByReference) Memory(com.sun.jna.Memory) Date(java.util.Date) EVT_HANDLE(com.sun.jna.platform.win32.Winevt.EVT_HANDLE) File(java.io.File) SimpleDateFormat(java.text.SimpleDateFormat)

Aggregations

EVT_HANDLE (com.sun.jna.platform.win32.Winevt.EVT_HANDLE)10 IntByReference (com.sun.jna.ptr.IntByReference)7 Memory (com.sun.jna.Memory)6 File (java.io.File)4 ArrayList (java.util.ArrayList)2 BOOL (com.sun.jna.platform.win32.WinDef.BOOL)1 EVT_VARIANT (com.sun.jna.platform.win32.Winevt.EVT_VARIANT)1 SimpleDateFormat (java.text.SimpleDateFormat)1 Date (java.util.Date)1
About Me
UseOf

Java Tutorials :

Simple Java RabbitMQ Example with Spring
Simple Springboot JPA Eclipeslink Example
Simple SpringBoot JPA Hibernate Example
Jackson JSON @JsonIgnore and @JsonIgnoreProperties Examples
Java Infinite recursion (StackOverflowError) Jackson solutions
Simple Java Jackson Serialize Objects to JSON and convert them back To Object
ElasticSearch 5 - Upload files using Java API in binary field Example
Java JAXB marshall unmarshall Examples from String and Stream
Java 8 forEach List and Map examples
ElasticSearch 5 Java API SearchRequestBuilder examples
Java ElasticSearch 5 examples with node index and mapping - running local
Convert String to int or Integer Java 8
Java 9 in action - JShell - Ubuntu
Java - removing invalid characters from a file name
Hello world!? or Hello Tutorial