3.1.4.3 ElfrOpenELW (Opnum 7)

The ElfrOpenELW method instructs the server to return a server context handle to a live event log. The caller MUST<18> have permission to read the file that contains the event log for this to succeed.

 NTSTATUS ElfrOpenELW(
   [in] EVENTLOG_HANDLE_W UNCServerName,
   [in] PRPC_UNICODE_STRING ModuleName,
   [in] PRPC_UNICODE_STRING RegModuleName,
   [in] unsigned long MajorVersion,
   [in] unsigned long MinorVersion,
   [out] IELF_HANDLE* LogHandle
 );

UNCServerName: A server interface handle. A pointer to a Unicode string specifying the server, as specified in section 2.2.7. The client MUST map this string to an RPC binding handle, and the server MUST ignore this argument, as specified in [C706] sections 4.3.5 and 5.1.5.2.

ModuleName: Specifies the event log name, as defined in section 1.8.2 and specified in section 2.2.11, for which a handle is needed.

RegModuleName: This parameter MUST be ignored by the server. Clients MUST specify an empty string.

MajorVersion: Major version of the client. This value MUST be set to 1.

MinorVersion: Minor version of the client. This value MUST be set to 1.

LogHandle: Pointer to an event log handle. This parameter is a server context handle, as specified in section 2.2.6. This handle MUST be closed by using the ElfrCloseEL (section 3.1.4.21) method once the handle is no longer needed. If the client cannot call ElfrCloseEL (for example, because it terminated abnormally), the server revokes the context handle so that no resources leak.

Return Values: The method MUST return STATUS_SUCCESS (0x00000000) on success; otherwise, it MUST return an implementation-based, nonzero NTSTATUS value specified in [MS-ERREF].

In response to this request from the client, the server MUST determine which event log the client is requesting a handle for. The server MUST treat the ModuleName parameter as the event log name itself, as specified in section 1.8.2. If the ModuleName parameter does not specify a known event log, the server MUST default to requesting access to the Application log, which MUST always exist. Note that this fallback means a client that supplies an unknown or misspelled log name does not receive an error: the remaining checks, and any handle that is returned, apply to the Application log. The server determines the known event logs by looking up the registry entries specified in section 3.1.1.2. The Application, Security, and System logs are predefined and always exist; the server configures them in the registry when the machine is set up, under the following keys.

 HKEY_LOCAL_MACHINE\
      system\currentcontrolset\services\eventlog\Application

 HKEY_LOCAL_MACHINE\
      system\currentcontrolset\services\eventlog\Security

 HKEY_LOCAL_MACHINE\
      system\currentcontrolset\services\eventlog\System

The server MUST verify that the caller has read access to the event log, and the server MUST fail the operation if the caller does not have read access to the log. The server SHOULD return STATUS_ACCESS_DENIED (0xC0000022) to indicate this failure.

If the checks above are successful, the server MUST attempt to create a server context handle, as specified in section 2.2.6, to the requested log and, if successful, the server MUST return the handle via the LogHandle parameter. Creating the handle fails only when the server runs out of memory resources. If that happens, the server MUST return STATUS_NO_MEMORY (0xC0000017).

The server MUST return a value indicating success or failure for this operation.
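The server-side procedure above (name resolution against the registry, fallback to the Application log, read-access check, context handle creation, and revocation when a client disappears), as an added reference model. This is example code written for this page; it is not from MS-EVEN or from any Windows implementation. The registry subtree, the per-log read ACL, the principal names and the handle budget are constructed stand-ins so that the model runs offline; the NTSTATUS values are the ones the section cites.

```python
"""Reference model of the server-side handling of ElfrOpenELW.

Added example, not part of MS-EVEN or any Windows implementation. The registry
subtree, read ACL and handle budget below are constructed stand-ins.
"""
from dataclasses import dataclass, field
from itertools import count

STATUS_SUCCESS       = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022
STATUS_NO_MEMORY     = 0xC0000017

# Hypothetical stand-in for the registry subtree of section 3.1.1.2: the subkeys
# under HKLM\system\currentcontrolset\services\eventlog. The three predefined
# logs are always present; "CustomApp" is a made-up additional log.
DEMO_REGISTRY_LOGS = {"Application", "Security", "System", "CustomApp"}

# Hypothetical stand-in for "read access to the log": the principals allowed to
# read each log. The section leaves the ACL representation to the implementation.
DEMO_READ_ACL = {
    "Application": {"alice", "bob", "svc-collector"},
    "Security":    {"svc-collector"},
    "System":      {"alice", "bob", "svc-collector"},
    "CustomApp":   {"alice"},
}


@dataclass
class EventLogServer:
    known_logs: set
    read_acl: dict
    handle_budget: int = 4                             # hypothetical resource limit
    open_handles: dict = field(default_factory=dict)   # handle -> (log, caller)
    _ids: "count" = field(default_factory=lambda: count(1), repr=False)

    def resolve_log(self, module_name: str) -> str:
        """ModuleName is the log name itself; registry key names match
        case-insensitively, and an unknown name falls back to Application."""
        for name in self.known_logs:
            if name.lower() == module_name.lower():
                return name
        return "Application"

    def elfr_open_elw(self, caller: str, module_name: str,
                      reg_module_name: str = "", major: int = 1, minor: int = 1):
        """Return (NTSTATUS, LogHandle or None) following the MUST clauses above.

        UNCServerName is not modelled because the server ignores it. RegModuleName
        and the version fields are accepted but, as the section says, ignored.
        """
        log = self.resolve_log(module_name)
        # The access check is made against the resolved log, so a caller who asked
        # for an unknown name is checked against the Application log's ACL.
        if caller not in self.read_acl.get(log, set()):
            return STATUS_ACCESS_DENIED, None
        # Context handle creation fails only on resource exhaustion.
        if len(self.open_handles) >= self.handle_budget:
            return STATUS_NO_MEMORY, None
        handle = next(self._ids)
        self.open_handles[handle] = (log, caller)
        return STATUS_SUCCESS, handle

    def elfr_close_el(self, handle: int) -> int:
        """ElfrCloseEL (section 3.1.4.21): release the context handle."""
        self.open_handles.pop(handle, None)
        return STATUS_SUCCESS

    def rundown(self, caller: str) -> int:
        """Context rundown: revoke every handle of a client that went away without
        calling ElfrCloseEL, so nothing leaks. Returns the number revoked."""
        stale = [h for h, (_, c) in self.open_handles.items() if c == caller]
        for h in stale:
            del self.open_handles[h]
        return len(stale)


def demo_server() -> EventLogServer:
    """Fresh server instance over the constructed registry and ACL."""
    return EventLogServer(set(DEMO_REGISTRY_LOGS), dict(DEMO_READ_ACL))


if __name__ == "__main__":
    srv = demo_server()
    print(srv.elfr_open_elw("bob", "Security"))   # bob cannot read Security
    print(srv.elfr_open_elw("bob", "Securty"))    # typo: handle to Application
```

The second call in the usage block is the case worth remembering when reading access logs or writing detection content: a request for a log name that does not exist is not rejected, it is silently redirected to the Application log and succeeds if the caller can read that log.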