3.1.4.13 ElfrReportEventW (Opnum 11)

The ElfrReportEventW (Opnum 11) method writes events to the event log; the server receives these events from the client.

 NTSTATUS ElfrReportEventW(
   [in] IELF_HANDLE LogHandle,
   [in] unsigned long Time,
   [in] unsigned short EventType,
   [in] unsigned short EventCategory,
   [in] unsigned long EventID,
   [in, range(0, 256)] unsigned short NumStrings,
   [in, range(0, 61440)] unsigned long DataSize,
   [in] PRPC_UNICODE_STRING ComputerName,
   [in, unique] PRPC_SID UserSID,
   [in, size_is(NumStrings), unique] 
     PRPC_UNICODE_STRING Strings[*],
   [in, size_is(DataSize), unique] 
     unsigned char* Data,
   [in] unsigned short Flags,
   [in, out, unique] unsigned long* RecordNumber,
   [in, out, unique] unsigned long* TimeWritten
 );

LogHandle: Handle to an event log. This parameter is a server context handle, as specified in section 2.2.6. This handle MUST NOT be obtained via the ElfrOpenBELA (section 3.1.4.2) method or the ElfrOpenBELW (section 3.1.4.1) method. A handle received from either of those two methods will have the backup flag set, so the server checks this flag before calling this method.

Time: Time at which the event was generated by the event source (not the time at which the event was logged). The time MUST be expressed as the number of seconds since 00:00:00 on January 1, 1970 (UTC).

EventType: Type of the event, as specified in section 2.2.2.

EventCategory: Event category, as specified in section 1.8.5.

EventID: EventID, as specified in section 3.1.1.4.

NumStrings: Number of strings in the array pointed to by the Strings parameter. A value of zero indicates that no strings are present.

DataSize: Number of bytes of event-specific raw binary data to write to the log. This binary data is passed in the Data parameter. If the DataSize parameter is zero, event-specific data MUST NOT be present.

ComputerName: A string to assist in identifying the machine that generated the event. In practice, the name of the computer. There are no character restrictions on this field's content (for example, a FQDN can be used). The API is not intended to support dynamically changing computer names. The ComputerName parameter SHOULD<27> be cached the first time a client calls the API, and SHOULD use that name on subsequent calls until the machine is rebooted.

UserSID: Either NULL or a user SID. If this is NULL, the event is to have a zero length UserSid field.

Strings: Specifies strings containing information specific to the event. This parameter MUST be a valid pointer. If the NumStrings parameter is zero, this parameter MUST be NULL. For example, an event relating to file deletion could use a string to specify the path of the file being deleted.

Data: Pointer to the buffer that contains the event-specific binary data. This parameter MUST be a valid pointer (or NULL), even if the DataSize parameter is zero.

Flags: Unused. MUST be set to zero when sent and MUST be ignored on receipt.

RecordNumber: Unused. Can be set to any arbitrary value when sent, and any value sent by the client MUST be ignored on receipt by the server.

TimeWritten: Unused. Can be set to any arbitrary value when sent, and any value sent by the client MUST be ignored on receipt by the server.

Return Values: The method MUST return STATUS_SUCCESS (0x00000000) on success; otherwise, it MUST return an implementation-based, nonzero NTSTATUS value specified in [MS-ERREF].

In response to this request from the client, the server MUST first check that the handle is valid. The server MUST fail the operation with the error STATUS_INVALID_HANDLE (0xC0000008) if the handle is invalid.

If the handle comes from the ElfrOpenBELA (section 3.1.4.2) method or the ElfrOpenBELW (section 3.1.4.1) method, a backup flag is attached in the handle. The server MUST check that flag, and if the backup flag is set, the server MUST return STATUS_INVALID_HANDLE (0xC0000008).

The server SHOULD check that the EventType and the Time value are valid as specified.<28>

The server MUST check that the SID is valid if it is not NULL, and MUST fail the method if the UserSid is invalid with the error code STATUS_INVALID_PARAMETER (0xC000000D).<29>

If the handle is valid, the method MUST attempt to create an event with the supplied parameters and by setting the TimeWritten and the RecordNumber fields in the event. The TimeWritten MUST be obtained from the system clock. The server MUST get the RecordNumber from the state maintained for the event log. The server can get the last record in the event log file, read the record number from that record, and use that record number plus 1 as the new record number. The new record number SHOULD be set to the value in the event log file header so that the total number of records in the file is stored. The server SHOULD set the TimeWritten and RecordNumber parameters to the same values written to the event prior to returning from this method.<30>

The server MUST ignore the TimeWritten and RecordNumber parameters received from the client.

Note that write access to the event log is verified when the ElfrRegisterEventSourceW (section 3.1.4.5) method is called, and the event log handle is opened successfully. There is no write access check in the ElfrReportEventW (Opnum 11) method.

Then the server MUST attempt to store the event source name in the event. This event source was originally specified when the ElfrRegisterEventSourceW (section 3.1.4.5) method or the ElfrRegisterEventSourceA (section 3.1.4.6) method was called. The event source name is attached to the LogHandle when the ElfrRegisterEventSourceW (section 3.1.4.5) method or the ElfrRegisterEventSourceA (section 3.1.4.6) method returns. The server gets the event source name from the LogPublisher object (specified in section 3.1.1.5) that is contained in the LogHandle that was passed in, and logs it in the event.

If the above checks all succeed, the server MUST attempt to copy the event into the event log and attempt to update the log state so that the record number is incremented for the next write. The server returns STATUS_LOG_FILE_FULL (0xC0000188) when the live event log file is full (the log reaches its maximum allowed size and can't be overwritten) and returns STATUS_DISK_FULL (0xC000007F) when there is no physical disk space for the new event record.

The server MUST return a value indicating success or failure for this operation.