

@CynicRus
Created August 4, 2021 21:45
winevt_h
{ winevt_h - Pascal translation of the Windows Event Log API header (winevt.h).
  Declares the constants, enumerations, the EVT_VARIANT / EVT_RPC_LOGIN records
  and the wevtapi.dll imports (Evt* functions) used to query, render, subscribe
  to and administer event log channels.  The MSDN link below is the reference
  for the declarations in this unit. }
unit winevt_h;
{$ifdef FPC}
{$mode objfpc}{$H+}
{$EndIF}
interface
uses
Classes, SysUtils, Windows;
//https://msdn.microsoft.com/en-us/library/windows/desktop/aa385785%28v=vs.85%29.aspx
const
// Library the "external winevt" declarations below are bound to at load time.
winevt = 'wevtapi.dll';
// Decoding EVT_VARIANT.Type: (Type and EVT_VARIANT_TYPE_MASK) is the base
// EVT_VARIANT_TYPE; the EVT_VARIANT_TYPE_ARRAY bit marks an array of Count
// elements (the *Arr members of the variant union).
EVT_VARIANT_TYPE_MASK = $7f;
EVT_VARIANT_TYPE_ARRAY = 128;
// Channel access-mask bits, as used in a channel's security descriptor
// (cf. the EvtChannelConfigAccess property).
EVT_READ_ACCESS = $1;
EVT_WRITE_ACCESS = $2;
EVT_CLEAR_ACCESS = $4;
EVT_ALL_ACCESS = $7;
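type
// Opaque handle returned by the wevtapi functions below (sessions, queries,
// subscriptions, events, bookmarks, render contexts, ...). A value of 0 means
// failure; every non-zero handle must be released with EvtClose.
EVT_HANDLE = THandle;
// Pointer to an EVT_HANDLE; used for the EventArray out-parameter of EvtNext.
// Declared against EVT_HANDLE itself rather than the Windows-unit HANDLE alias,
// so the two stay in step and the unit does not rely on that alias existing
// in every compiler's Windows unit.
PEVT_HANDLE = ^EVT_HANDLE;
// Handle to an object-array property obtained from publisher metadata
// (EvtGetObjectArraySize / EvtGetObjectArrayProperty); also closed with EvtClose.
EVT_OBJECT_ARRAY_PROPERTY_HANDLE = THandle;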
// Clock used to timestamp events on a channel (EvtChannelPublishingConfigClockType).
EVT_CHANNEL_CLOCK_TYPE = (EvtChannelClockTypeSystemTime = 0,
EvtChannelClockTypeQPC = 1);
// Property ids read with EvtGetChannelConfigProperty and written with
// EvtSetChannelConfigProperty on a handle from EvtOpenChannelConfig.
EVT_CHANNEL_CONFIG_PROPERTY_ID = (EvtChannelConfigEnabled = 0,
EvtChannelConfigIsolation = 1,
EvtChannelConfigType = 2,
EvtChannelConfigOwningPublisher = 3,
EvtChannelConfigClassicEventlog = 4,
EvtChannelConfigAccess = 5,
EvtChannelLoggingConfigRetention = 6,
EvtChannelLoggingConfigAutoBackup = 7,
EvtChannelLoggingConfigMaxSize = 8,
EvtChannelLoggingConfigLogFilePath = 9,
EvtChannelPublishingConfigLevel = 10,
EvtChannelPublishingConfigKeywords = 11,
EvtChannelPublishingConfigControlGuid = 12,
EvtChannelPublishingConfigBufferSize = 13,
EvtChannelPublishingConfigMinBuffers = 14,
EvtChannelPublishingConfigMaxBuffers = 15,
EvtChannelPublishingConfigLatency = 16,
EvtChannelPublishingConfigClockType = 17,
EvtChannelPublishingConfigSidType = 18,
EvtChannelPublisherList = 19,
EvtChannelPublishingConfigFileMax = 20,
EvtChannelConfigPropertyIdEND = 21);
EVT_CHANNEL_ISOLATION_TYPE = (EvtChannelIsolationTypeApplication = 0,
EvtChannelIsolationTypeSystem = 1,
EvtChannelIsolationTypeCustom = 2);
// Bit flag (not an index); only one value is defined.
EVT_CHANNEL_REFERENCE_FLAGS = (EvtChannelReferenceImported = $1);
EVT_CHANNEL_SID_TYPE = (EvtChannelSidTypeNone = 0,
EvtChannelSidTypePublishing = 1);
EVT_CHANNEL_TYPE = (EvtChannelTypeAdmin = 0,
EvtChannelTypeOperational = 1,
EvtChannelTypeAnalytic = 2,
EvtChannelTypeDebug = 3);
// Property ids for EvtGetEventMetadataProperty.
EVT_EVENT_METADATA_PROPERTY_ID = (EventMetadataEventID = 0,
EventMetadataEventVersion = 1,
EventMetadataEventChannel = 2,
EventMetadataEventLevel = 3,
EventMetadataEventOpcode = 4,
EventMetadataEventTask = 5,
EventMetadataEventKeyword = 6,
EventMetadataEventMessageID = 7,
EventMetadataEventTemplate = 8,
EvtEventMetadataPropertyIdEND = 9);
// Property ids for EvtGetEventInfo.
EVT_EVENT_PROPERTY_ID = (EvtEventQueryIDs = 0,
EvtEventPath = 1,
EvtEventPropertyIdEND = 2);
// Bit flags for EvtExportLog. Exactly one of ChannelPath/FilePath describes
// Path; TolerateQueryErrors may be OR'd in. Note that an OR'd combination is
// not an enumerator of this Pascal type and needs an explicit typecast.
EVT_EXPORTLOG_FLAGS = (EvtExportLogChannelPath = $1,
EvtExportLogFilePath = $2,
EvtExportLogTolerateQueryErrors = $1000);
// Which message string EvtFormatMessage renders; passed as its ordinal in the
// DWORD Flags parameter.
EVT_FORMAT_MESSAGE_FLAGS = (EvtFormatMessageEvent = 1,
EvtFormatMessageLevel = 2,
EvtFormatMessageTask = 3,
EvtFormatMessageOpcode = 4,
EvtFormatMessageKeyword = 5,
EvtFormatMessageChannel = 6,
EvtFormatMessageProvider = 7,
EvtFormatMessageId = 8,
EvtFormatMessageXml = 9);
// Property ids for EvtGetLogInfo on a handle from EvtOpenLog.
EVT_LOG_PROPERTY_ID = (EvtLogCreationTime = 0,
EvtLogLastAccessTime = 1,
EvtLogLastWriteTime = 2,
EvtLogFileSize = 3,
EvtLogAttributes = 4,
EvtLogNumberOfLogRecords = 5,
EvtLogOldestRecordNumber = 6,
EvtLogFull = 7);
// LoginClass argument of EvtOpenSession; the only class is an RPC login whose
// Login pointer refers to a TEvtRPCLogin.
EVT_LOGIN_CLASS = (EvtRpcLogin = 1);
// Bit flags for EvtOpenLog: whether Path names a channel or a .evtx file.
EVT_OPEN_LOG_FLAGS = (EvtOpenChannelPath = $1,
EvtOpenFilePath = $2);
// Property ids for EvtGetPublisherMetadataProperty (values are implicit, 0..).
EVT_PUBLISHER_METADATA_PROPERTY_ID =
(EvtPublisherMetadataPublisherGuid = 0,
EvtPublisherMetadataResourceFilePath,
EvtPublisherMetadataParameterFilePath,
EvtPublisherMetadataMessageFilePath,
EvtPublisherMetadataHelpLink,
EvtPublisherMetadataPublisherMessageID,
EvtPublisherMetadataChannelReferences,
EvtPublisherMetadataChannelReferencePath,
EvtPublisherMetadataChannelReferenceIndex,
EvtPublisherMetadataChannelReferenceID,
EvtPublisherMetadataChannelReferenceFlags,
EvtPublisherMetadataChannelReferenceMessageID,
EvtPublisherMetadataLevels,
EvtPublisherMetadataLevelName,
EvtPublisherMetadataLevelValue,
EvtPublisherMetadataLevelMessageID,
EvtPublisherMetadataTasks,
EvtPublisherMetadataTaskName,
EvtPublisherMetadataTaskEventGuid,
EvtPublisherMetadataTaskValue,
EvtPublisherMetadataTaskMessageID,
EvtPublisherMetadataOpcodes,
EvtPublisherMetadataOpcodeName,
EvtPublisherMetadataOpcodeValue,
EvtPublisherMetadataOpcodeMessageID,
EvtPublisherMetadataKeywords,
EvtPublisherMetadataKeywordName,
EvtPublisherMetadataKeywordValue,
EvtPublisherMetadataKeywordMessageID,
EvtPublisherMetadataPropertyIdEND);
// Bit flags for EvtQuery: one of ChannelPath/FilePath, optionally OR'd with a
// direction and/or TolerateQueryErrors. A combined value is not an enumerator
// of this type and needs an explicit typecast when passed as the Flags argument.
EVT_QUERY_FLAGS = (EvtQueryChannelPath = $1,
EvtQueryFilePath = $2,
EvtQueryForwardDirection = $100,
EvtQueryReverseDirection = $200,
EvtQueryTolerateQueryErrors = $1000);
// Property ids for EvtGetQueryInfo (per-path names and statuses of a query).
EVT_QUERY_PROPERTY_ID = (EvtQueryNames = 0,
EvtQueryStatuses = 1,
EvtQueryPropertyIdEND = 2);
// Flags for EvtCreateRenderContext: which values a context extracts.
EVT_RENDER_CONTEXT_FLAGS = (EvtRenderContextValues = 0,
EvtRenderContextSystem = 1,
EvtRenderContextUser = 2);
// Flags for EvtRender: an EVT_VARIANT array, event XML, or bookmark XML.
EVT_RENDER_FLAGS = (EvtRenderEventValues = 0,
EvtRenderEventXml = 1,
EvtRenderBookmark = 2);
// Value for the Flags member of EVT_RPC_LOGIN (TEvtRPCLogin): selects the RPC
// authentication package for a remote session.
EVT_RPC_LOGIN_FLAGS = (EvtRpcLoginAuthDefault = 0,
EvtRpcLoginAuthNegotiate = 1,
EvtRpcLoginAuthKerberos = 2,
EvtRpcLoginAuthNTLM = 3);
// Flags for EvtSeek: origin in the low bits (EvtSeekOriginMask), EvtSeekStrict
// may be OR'd in.
EVT_SEEK_FLAGS = (EvtSeekRelativeToFirst = 1,
EvtSeekRelativeToLast = 2,
EvtSeekRelativeToCurrent = 3,
EvtSeekRelativeToBookmark = 4,
EvtSeekOriginMask = 7,
EvtSeekStrict = $10000);
// Flags for EvtSubscribe: start origin in the low bits (EvtSubscribeOriginMask),
// TolerateQueryErrors / Strict may be OR'd in.
EVT_SUBSCRIBE_FLAGS = (EvtSubscribeToFutureEvents = 1,
EvtSubscribeStartAtOldestRecord = 2,
EvtSubscribeStartAfterBookmark = 3,
EvtSubscribeOriginMask = $3,
EvtSubscribeTolerateQueryErrors = $1000,
EvtSubscribeStrict = $10000);
// Action argument of EVT_SUBSCRIBE_CALLBACK.
EVT_SUBSCRIBE_NOTIFY_ACTION = (EvtSubscribeActionError = 0,
EvtSubscribeActionDeliver = 1);
// Indexes into the EVT_VARIANT array that EvtRender produces for a context
// created with EvtRenderContextSystem (values are implicit, 0..).
EVT_SYSTEM_PROPERTY_ID = (EvtSystemProviderName = 0,
EvtSystemProviderGuid,
EvtSystemEventID,
EvtSystemQualifiers,
EvtSystemLevel,
EvtSystemTask,
EvtSystemOpcode,
EvtSystemKeywords,
EvtSystemTimeCreated,
EvtSystemEventRecordId,
EvtSystemActivityID,
EvtSystemRelatedActivityID,
EvtSystemProcessID,
EvtSystemThreadID,
EvtSystemChannel,
EvtSystemComputer,
EvtSystemUserID,
EvtSystemVersion,
EvtSystemPropertyIdEND);
// Base type of an EVT_VARIANT value. The values are not contiguous (32 and 35
// are the only ones above 21), and array-valued variants carry the base type
// OR'd with EVT_VARIANT_TYPE_ARRAY (128), for which no enumerator exists: mask
// with EVT_VARIANT_TYPE_MASK before comparing against these names.
EVT_VARIANT_TYPE = (EvtVarTypeNull = 0,
EvtVarTypeString = 1,
EvtVarTypeAnsiString = 2,
EvtVarTypeSByte = 3,
EvtVarTypeByte = 4,
EvtVarTypeInt16 = 5,
EvtVarTypeUInt16 = 6,
EvtVarTypeInt32 = 7,
EvtVarTypeUInt32 = 8,
EvtVarTypeInt64 = 9,
EvtVarTypeUInt64 = 10,
EvtVarTypeSingle = 11,
EvtVarTypeDouble = 12,
EvtVarTypeBoolean = 13,
EvtVarTypeBinary = 14,
EvtVarTypeGuid = 15,
EvtVarTypeSizeT = 16,
EvtVarTypeFileTime = 17,
EvtVarTypeSysTime = 18,
EvtVarTypeSid = 19,
EvtVarTypeHexInt32 = 20,
EvtVarTypeHexInt64 = 21,
EvtVarTypeEvtHandle = 32,
EvtVarTypeEvtXml = 35);
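// EVT_RPC_LOGIN: credentials for a remote-computer session. Its address is
// passed as the Login pointer of EvtOpenSession with LoginClass = EvtRpcLogin.
//  Server   - name of the remote computer.
//  User, Domain, Password - account used for the RPC connection. Password is a
//             plaintext wide string; callers that build it at run time should
//             clear that buffer once EvtOpenSession has returned.
//  Flags    - one of EVT_RPC_LOGIN_FLAGS (as its ordinal). In the native struct
//             this is a DWORD; it was declared here as PWideChar, which both
//             mistyped the value and changed the record size on 64-bit builds,
//             so the API read an undefined authentication flag.
TEvtRPCLogin = record
Server: PWideChar;
User: PWideChar;
Domain: PWideChar;
Password: PWideChar;
Flags: DWORD;
end;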
// C field alignment from here on, so TEvtVariant matches the native EVT_VARIANT
// layout (an 8-byte union followed by two DWORDs).
{$packrecords C}
// EVT_VARIANT: a tagged value as produced by EvtRender and the EvtGet* property
// readers. The Union holds the scalar, or a pointer to the data; pointer
// members (strings, GUIDs, SIDs, arrays, XML) refer to memory inside the buffer
// the caller handed to the API call, so they are only valid for that buffer's
// lifetime and must not be kept after it is freed or reused.
// NOTE(review): BooleanVal is a 1-byte Pascal boolean laid over a 4-byte BOOL;
// reading the low byte is fine on little-endian targets, but a BOOL other than
// 0/1 may not compare as expected - confirm if it matters.
// NOTE(review): SByteArr is declared PByte although the native member points to
// signed bytes (INT8); the other *Arr members match their base type.
type TEvtVariant = record
Union: record
case dword of
0: (BooleanVal: boolean);
1: (SByteVal: Int8);
2: (Int16Val: int16);
3: (Int32Val: int32);
4: (Int64Val: int64);
5: (ByteVal: UInt8);
6: (UInt16Val: UInt16);
7: (UInt32Val: UInt32);
8: (UInt64Val: UInt64);
9: (SingleVal: single);
10: (DoubleVal: double);
11: (FileTimeVal: ULONGLONG);
12: (SysTimeVal: ^SYSTEMTIME);
13: (GuidVal: ^GUID);
14: (StringVal: PWideChar);
15: (AnsiStringVal: PChar);
16: (BinaryVal: PByte);
17: (SidVal: PSid);
18: (SizeTVal: size_t);
19: (EvtHandleVal: EVT_HANDLE);
20: (BooleanArr: PBoolean);
21: (SByteArr: PByte);
22: (Int16Arr: ^int16);
23: (Int32Arr: ^int32);
24: (Int64Arr: ^int64);
25: (ByteArr: PByte);
26: (UInt16Arr: ^UInt16);
27: (UInt32Arr: ^Uint32);
28: (UInt64Arr: ^Uint64);
29: (SingleArr: ^single);
30: (DoubleArr: ^double);
31: (FileTimeArr: ^FileTime);
32: (SysTimeArr: ^SystemTime);
33: (GuidArr: ^GUID);
34: (StringArr: ^PWideChar);
35: (AnsiStringArr: ^PChar);
36: (SidArr: ^PSid);
37: (SizeTArr: ^Size_T);
38: (XmlVal: PwideChar);
39: (XmlValArr: ^PWideChar);
end;
// Element count when the EVT_VARIANT_TYPE_ARRAY bit is set in the type
// (presumably also the byte count for EvtVarTypeBinary - verify against the API docs).
Count: Dword;
// Native member is a DWORD holding an EVT_VARIANT_TYPE, possibly OR'd with
// EVT_VARIANT_TYPE_ARRAY (128). That combined value has no enumerator, so for
// array variants read this field through a DWORD view and mask it with
// EVT_VARIANT_TYPE_MASK before dispatching on EVT_VARIANT_TYPE.
vType: EVT_VARIANT_TYPE;
end;
PEVT_VARIANT = ^TEvtVariant;
// Push-model callback for EvtSubscribe. With Action = EvtSubscribeActionDeliver,
// Event is an event handle owned by the API for the duration of the call (do
// not EvtClose it). With Action = EvtSubscribeActionError, the API documents
// that Event carries a Win32 error code rather than a handle. UserContext is
// the Context pointer given to EvtSubscribe. The callback is invoked from a
// thread owned by the API, so anything it touches must be safe for that.
EVT_SUBSCRIBE_CALLBACK = function(Action: EVT_SUBSCRIBE_NOTIFY_ACTION;
UserContext: Pointer; Event: EVT_HANDLE): dword; stdcall;
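{ ---- wevtapi.dll imports ----
  Conventions shared by the declarations below (Windows Event Log API docs):
  - Functions returning EVT_HANDLE return 0 on failure; boolean functions
    return False. GetLastError holds the reason in both cases.
  - Every non-zero EVT_HANDLE must be released with EvtClose.
  - Buffer / BufferSize / BufferUsed triples follow the two-call pattern: when
    BufferSize is too small the call fails with ERROR_INSUFFICIENT_BUFFER and
    the required size is written through the *Used pointer. Those *Used
    parameters are PDWORD out-parameters in the native header. Several of them
    were declared here as by-value DWORD, which made the DLL treat the integer
    as an address to write through; they are corrected below, together with
    the return types of EvtCreateBookmark / EvtNextEventMetadata, the LPWSTR
    buffers of EvtNextChannelPath / EvtNextPublisherId and the missing Flags
    argument of EvtGetEventMetadataProperty.
  - Sizes are in bytes for PEVT_VARIANT / pointer buffers and in WCHARs for
    PWideChar buffers, as in the native header. }

// Archive a .evtx produced by EvtExportLog so its messages are self-contained.
function EvtArchiveExportedLog(Session: EVT_HANDLE; LogFilePath: PWideChar;
Locale: LCID; Flags: DWORD): boolean; stdcall; external winevt;
// Cancel an in-progress operation on a query/subscription handle.
function EvtCancel(Obj: EVT_HANDLE): boolean; stdcall; external winevt;
// Clear a channel; when TargetFilePath is non-nil the events are backed up
// there first. Requires clear access on the channel.
function EvtClearLog(Session: EVT_HANDLE; ChannelPath: PwideChar;
TargetFilePath: PWideChar; Flags: DWORD): boolean; stdcall; external winevt;
function EvtClose(Obj: EVT_HANDLE): boolean; stdcall; external winevt;
// Native return type is EVT_HANDLE (a bookmark handle, 0 on failure), not BOOL.
// BookmarkXML may be nil to create an empty bookmark.
function EvtCreateBookmark(BookmarkXML: PWideChar): EVT_HANDLE; stdcall; external winevt;
// ValuePaths is an array of ValuePathsCount XPath expressions (only used with
// EvtRenderContextValues).
function EvtCreateRenderContext(ValuePathsCount: dword; ValuePaths: PPWideChar;
Flags: EVT_RENDER_CONTEXT_FLAGS): EVT_HANDLE; stdcall; external winevt;
// Export the events matching Query from Path (channel or file per Flags) to
// TargetFilePath. Flags combinations need a typecast (see EVT_EXPORTLOG_FLAGS).
function EvtExportLog(Session: EVT_HANDLE; Path, Query, TargetFilePath: PWideChar;
Flags: EVT_EXPORTLOG_FLAGS): boolean; stdcall; external winevt;
// Render a message string; Flags is an EVT_FORMAT_MESSAGE_FLAGS ordinal,
// BufferSize/BufferUsed are in WCHARs. BufferUsed is an out-parameter.
function EvtFormatMessage(PublisherMetadata, Event: EVT_HANDLE;
MessageID, ValueCount: dword; Values: PEVT_Variant; Flags, BufferSize: dword;
Buffer: PWideChar; BufferUsed: PDWORD): boolean; stdcall; external winevt;
// Channel configuration readers/writers; PropertyValueBuffer receives one
// EVT_VARIANT (size in bytes).
function EvtGetChannelConfigProperty(ChannelConfig: EVT_HANDLE;
PropertyID: EVT_CHANNEL_CONFIG_PROPERTY_ID; Flags, PropertyValueBufferSize: dword;
PropertyValueBuffer: PEVT_Variant; PropertyValueBufferUsed: PDWORD): boolean;
stdcall; external winevt;
function EvtGetEventInfo(Event: EVT_HANDLE; PropertyId: EVT_EVENT_PROPERTY_ID;
PropertyValueBufferSize: dword; PropertyValueBuffer: PEVT_Variant;
PropertyValueBufferUsed: PDWORD): boolean; stdcall; external winevt;
// Native signature has a Flags DWORD between PropertyId and the buffer size;
// without it every following argument was shifted under stdcall.
function EvtGetEventMetadataProperty(EventMetadata: EVT_HANDLE;
PropertyId: EVT_EVENT_METADATA_PROPERTY_ID; Flags: dword;
EventMetadataPropertyValueBufferSize: dword;
EventMetadataPropertyValueBuffer: PEVT_Variant;
EventMetadataPropertyValueBufferUsed: PDWORD): boolean; stdcall; external winevt;
// Extended error text for the last failed call; sizes in WCHARs. Returns a
// Win32 error code (ERROR_SUCCESS on success).
function EvtGetExtendedStatus(BufferSize: Dword; Buffer: PWideChar;
BufferUsed: PDWORD): dword; stdcall; external winevt;
function EvtGetLogInfo(Log: EVT_HANDLE; PropertyID: EVT_LOG_PROPERTY_ID;
PropertyValueBufferSize: dword; PropertyValueBuffer: PEVT_Variant;
PropertyValueBufferUsed: PDWORD): boolean; stdcall; external winevt;
// Object-array access for publisher metadata. PropertyID is an
// EVT_PUBLISHER_METADATA_PROPERTY_ID ordinal; ObjArraySize is an out-parameter.
function EvtGetObjectArrayProperty(ObjArray: EVT_OBJECT_ARRAY_PROPERTY_HANDLE;
PropertyID, ArrayIndex, Flags: dword; PropertyValueBufferSize: dword;
PropertyValueBuffer: PEVT_Variant; PropertyValueBufferUsed: PDWORD): boolean;
stdcall; external winevt;
function EvtGetObjectArraySize(ObjArray: EVT_OBJECT_ARRAY_PROPERTY_HANDLE;
ObjArraySize: PDWORD): boolean; stdcall; external winevt;
function EvtGetPublisherMetadataProperty(PublisherMetadata: EVT_HANDLE;
PropertyId: EVT_PUBLISHER_METADATA_PROPERTY_ID;
Flags, PublisherEventMetadataPropertyValueBufferSize: dword;
PublisherEventMetadataPropertyValueBuffer: PEVT_Variant;
PublisherEventMetadataPropertyValueBufferUsed: PDWORD): boolean; stdcall; external winevt;
function EvtGetQueryInfo(QueryOrSubscription: EVT_HANDLE;
PropertyID: EVT_QUERY_PROPERTY_ID; PropertyValueBufferSize: dword;
PropertyValueBuffer: PEVT_Variant; PropertyValueBufferUsed: PDWORD): boolean;
stdcall; external winevt;
// Fetch up to EventArraySize event handles from a query or pull-model
// subscription; Returned receives how many were filled and each of them must
// be EvtClose'd. Timeout is in milliseconds. Returns False with
// ERROR_NO_MORE_ITEMS when the result set is exhausted.
function EvtNext(ResultSet: EVT_HANDLE; EventArraySize: dword;
EventArray: PEVT_Handle; Timeout, Flags: dword; Returned: PDword): boolean;
stdcall; external winevt;
// Enumerators. The channel-path and publisher-id buffers are LPWSTR in the
// native header (null-terminated strings, sizes in WCHARs), not EVT_VARIANT.
// Both return False with ERROR_NO_MORE_ITEMS at the end of the enumeration.
function EvtNextChannelPath(ChannelEnum: EVT_HANDLE;
ChannelPathValueBufferSize: dword; ChannelPathValueBuffer: PWideChar;
ChannelPathBufferUsed: PDWORD): boolean; stdcall; external winevt;
// Native return type is EVT_HANDLE: the next event-metadata object (close with
// EvtClose), 0 at the end of the enumeration (ERROR_NO_MORE_ITEMS) or on error.
function EvtNextEventMetadata(EventMetadataEnum: EVT_HANDLE; Flags: dword): EVT_HANDLE;
stdcall; external winevt;
function EvtNextPublisherId(PublisherId: EVT_HANDLE; PublisherIdBufferSize: dword;
PublisherIdBuffer: PWideChar; PublisherIdBufferUsed: PDWORD): boolean;
stdcall; external winevt;
// Handles for configuration and enumeration; Session = 0 means the local computer.
function EvtOpenChannelConfig(Session: EVT_HANDLE; ChannelPath: PwideChar;
Flags: dword): EVT_HANDLE; stdcall; external winevt;
function EvtOpenChannelEnum(Session: EVT_HANDLE; Flags: dword): EVT_HANDLE;
stdcall; external winevt;
function EvtOpenEventMetadataEnum(PublisherMetadata: EVT_HANDLE;
Flags: dword): EVT_HANDLE; stdcall; external winevt;
// Open a channel or an exported .evtx (per Flags) for EvtGetLogInfo.
function EvtOpenLog(Session: EVT_HANDLE; Path: PwideChar;
Flags: EVT_OPEN_LOG_FLAGS): EVT_HANDLE; stdcall; external winevt;
function EvtOpenPublisherEnum(Session: EVT_HANDLE; Flags: dword): EVT_HANDLE;
stdcall; external winevt;
// LogFilePath is nil for a live channel, or the exported file whose publisher
// metadata is wanted; Locale 0 selects the calling thread's locale.
function EvtOpenPublisherMetadata(Session: EVT_HANDLE;
PublisherIdentity: PWideChar; LogFilePath: PwideChar; Locale: LCID;
Flags: dword): EVT_HANDLE;
stdcall; external winevt;
// Open a remote session. Login points to a TEvtRPCLogin when LoginClass is
// EvtRpcLogin; Timeout and Flags are reserved (0).
function EvtOpenSession(LoginClass: EVT_LOGIN_CLASS; Login: Pointer;
Timeout, Flags: dword): EVT_HANDLE; stdcall; external winevt;
// Run an XPath or structured-XML query against Path (channel or file per
// Flags); nil/'*' selects all events. Flags combinations (e.g. channel path
// plus reverse direction) need a typecast, see EVT_QUERY_FLAGS.
function EvtQuery(Session: EVT_HANDLE; Path, Query: PWideChar; Flags: EVT_QUERY_FLAGS): EVT_HANDLE;
stdcall; external winevt;
// Render an event or bookmark. With EvtRenderEventValues, Buffer receives an
// EVT_VARIANT array of PropertyCount entries (Context is required); with the
// XML flags it receives a null-terminated string. BufferSize/BufferUsed are in
// bytes. Pointer members of the variants refer into Buffer.
function EvtRender(Context, Fragment: EVT_HANDLE; Flags:EVT_RENDER_FLAGS; BufferSize: dword;
Buffer: pointer; BufferUsed, PropertyCount: PDword): boolean; stdcall; external winevt;
// Commit property changes made with EvtSetChannelConfigProperty.
function EvtSaveChannelConfig(ChannelConfig: EVT_HANDLE; Flags: dword): boolean;
stdcall; external winevt;
// Position a query result set; Flags is an EVT_SEEK_FLAGS combination, Bookmark
// is only used with EvtSeekRelativeToBookmark.
function EvtSeek(ResultSet: EVT_HANDLE; Position: LONGLONG;
Bookmark: EVT_HANDLE; Timeout, Flags: dword): boolean; stdcall; external winevt;
function EvtSetChannelConfigProperty(ChannelConfig: EVT_HANDLE;
PropertyID: EVT_CHANNEL_CONFIG_PROPERTY_ID; Flags: dword;
PropertyValue: PEVT_VARIANT): boolean; stdcall; external winevt;
// Subscribe to ChannelPath/Query. Pull model: pass an event object in
// SignalEvent and read with EvtNext; push model: pass Callback (and Context,
// which is handed back as UserContext). The API requires exactly one of the
// two. Flags is an EVT_SUBSCRIBE_FLAGS combination; Bookmark is used with
// EvtSubscribeStartAfterBookmark.
function EvtSubscribe(Session: EVT_HANDLE; SignalEvent: EVT_HANDLE;
ChannelPath, Query: PWideChar; Bookmark: EVT_HANDLE; Context: pointer;
Callback: EVT_SUBSCRIBE_CALLBACK; Flags: dword): EVT_HANDLE; stdcall; external winevt;
// Point Bookmark at Event (the event handle stays owned by the caller).
function EvtUpdateBookmark(Bookmark, Event: EVT_HANDLE): boolean;
stdcall; external winevt;
implementation
end.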