184.108.40.206 ElfrOpenBELW (Opnum 9)
The ElfrOpenBELW (Opnum 9) method instructs the server to return a handle to a backup event log. The caller MUST have permission to read the file containing the backup event log for this to succeed.
Note The server has an Access Control List (ACL) that is used to control access to the log. The protocol has no methods for reading or setting that ACL.
NTSTATUS ElfrOpenBELW( [in] EVENTLOG_HANDLE_W UNCServerName, [in] PRPC_UNICODE_STRING BackupFileName, [in] unsigned long MajorVersion, [in] unsigned long MinorVersion, [out] IELF_HANDLE* LogHandle );
UNCServerName: A server interface handle. A pointer to a Unicode string specifying the server, as specified in section 2.2.7. The client MUST map this string to an RPC binding handle, and the server MUST ignore this argument. See [C706] sections 4.3.5 and 220.127.116.11.
MajorVersion: Major version of the client. This value MUST be set to 1.
MinorVersion: Minor version of the client. This value MUST be set to 1.
LogHandle: Pointer to an event log handle. This parameter is a server context handle, as specified in section 2.2.6. This handle MUST be closed using the ElfrCloseEL (Opnum 2) (section 18.104.22.168) method once the handle is no longer needed. In the case when the client cannot call the ElfrCloseEL function, such as the abnormal termination of the client, this context handle will be revoked by the server so that there will not be any resource leaks. The processing rule to revoke a context handle that has been terminated abnormally is defined in [MS-RPCE] section 22.214.171.124.1.
Return Values: The method MUST return STATUS_SUCCESS on success; otherwise, it MUST return an implementation-based, nonzero NTSTATUS value specified in [MS-ERREF].
Note The value of STATUS_SUCCESS is 0x00000000.
In response to this request from the client, the server MUST fail the method if the BackupFileName parameter is NULL or empty, or is not a legal NT Object Path. In these cases, the server SHOULD return STATUS_INVALID_PARAMETER (0xC000000D).
The server MUST verify that the caller has read access to the file, and MUST fail the method if the caller does not have read access. The server SHOULD return STATUS_ACCESS_DENIED (0xC0000022) to indicate this failure.
The server MUST attempt to open the file, and MUST fail the method if the open does not succeed.
The server SHOULD return STATUS_OBJECT_PATH_NOT_FOUND (0xC000003A) for this case. The server MUST fail the method if the file exists but does not contain a backed up event log. In this case, the server SHOULD return STATUS_OBJECT_PATH_INVALID (0xC0000039).<15>
If the backup file happens to point to a live event log file, the server will still treat this as valid and will attempt to open it.
If all of the above checks succeed, the server MUST attempt to create a server context handle as specified in section 2.2.6, and if successful, assign it to the LogHandle parameter. Creating the handle only fails when there is not enough memory. In such a case, the server SHOULD return STATUS_NO_MEMORY (0xC0000017).
The server MUST return a value indicating success or failure for this operation.<16>