3.1.4.30 EvtRpcRetractConfig (Opnum 16)

The EvtRpcRetractConfig (Opnum 16) method indicates to the server that the publisher or channel is to be removed.

 error_status_t EvtRpcRetractConfig(
   /* [in] RPC_BINDING_HANDLE binding, {the binding handle will be generated by MIDL} */
   [in, range(1, MAX_RPC_CHANNEL_NAME_LENGTH), string] 
     LPCWSTR path,
   [in] DWORD flags
 );

binding: An RPC binding handle as specified in section 2.2.21.

path: A pointer to a string that contains a channel or publisher name to be removed.

flags: A 32-bit unsigned integer that indicates how the path parameter is to be interpreted. This MUST be set as follows.

| Value | Meaning |
|---|---|
| EvtRpcChannelPath 0x00000000 | Path specifies a channel name. |
| EvtRpcPublisherName 0x00000001 | Path specifies a publisher name. |

Return Values: The method MUST return ERROR_SUCCESS (0x00000000) on success; otherwise, it MUST return an implementation-specific nonzero value as specified in [MS-ERREF].

In response to this request from the client, the server SHOULD first validate the path parameter.<60> The server MUST interpret the path parameter as a channel name if the flags parameter is equal to 0x00000000. The server SHOULD then check whether the specified channel name has already been registered in its channel table (as specified in section 3.1.1.5). If the flags value is 0x00000001, the server MUST interpret path as a publisher name. The server SHOULD then check whether the publisher has been registered in its publisher table (as specified in section 3.1.1.3). The server SHOULD fail the operation if the validation of path fails. The server MAY return the error ERROR_INVALID_PARAMETER (0x00000057) to indicate such failure.<61>

Next, the server MUST verify that the caller has delete access to the information and MUST fail the method with the error ERROR_ACCESS_DENIED (0x00000005) if the caller does not have delete access. To perform the access check, the server SHOULD first determine the identity of the caller. Information determining the identity of the caller for the purpose of performing an access check is specified in [MS-RPCE] section 3.2.3.4.2. Then, if the client specifies a channel, the server SHOULD read the channel's access property (as specified in section 3.1.4.21) as the security descriptor string. Next, the server SHOULD be able to perform the write and clear access check using the Access Check algorithm (as specified in [MS-DTYP] section 2.5.3.2). If the access property is not present for the channel, the channel gets a default SDDL, which is "O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)".
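The following added example (not part of the specification) decodes the default channel SDDL quoted above and runs a simplified DACL walk against it, so that the rights each trustee receives are visible. It assumes that "delete access" maps to the standard DELETE right (0x00010000), which this section does not state; the walk omits owner implicit rights and inheritance flags from the full [MS-DTYP] algorithm, and all function names are hypothetical.

```python
import re

# Standard rights from [MS-DTYP]; channel rights as named in winevt.h.
RIGHTS = {0x1: "EVT_READ_ACCESS", 0x2: "EVT_WRITE_ACCESS", 0x4: "EVT_CLEAR_ACCESS",
          0x10000: "DELETE", 0x20000: "READ_CONTROL",
          0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
DELETE = 0x10000  # assumption: the bit requested for "delete access"

# SDDL aliases used by the default descriptor, mapped to well-known SIDs.
ALIASES = {"SY": "S-1-5-18", "BA": "S-1-5-32-544"}

# Default channel SDDL quoted in the section above.
DEFAULT_SDDL = "O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)"

ACE_RE = re.compile(r"\((A|D);[^;]*;(0x[0-9A-Fa-f]+);;;([^)]+)\)")

def parse_dacl(sddl):
    """Return [(type, mask, sid)] for allow/deny ACEs with hex masks."""
    return [(t, int(m, 16), ALIASES.get(s, s)) for t, m, s in ACE_RE.findall(sddl)]

def describe(mask):
    """Names of the known rights set in mask, lowest bit first."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]

def access_check(aces, caller_sids, desired):
    """Walk the DACL in order; grant only if every desired bit is allowed
    before a matching deny ACE claims one of the remaining bits."""
    remaining = desired
    for ace_type, mask, sid in aces:
        if sid not in caller_sids:
            continue
        if ace_type == "D" and mask & remaining:
            return False
        if ace_type == "A":
            remaining &= ~mask
        if remaining == 0:
            return True
    return remaining == 0

if __name__ == "__main__":
    aces = parse_dacl(DEFAULT_SDDL)
    for _, mask, sid in aces:
        print(f"{sid:<14} {mask:#07x} {describe(mask)}")
    for who in ("S-1-5-18", "S-1-5-32-544", "S-1-5-32-573"):
        print(who, "DELETE allowed:", access_check(aces, {who}, DELETE))
```

Under these assumptions only the Local System ACE (0xf0005) carries DELETE; the Administrators ACE (0x5) grants read and clear, and S-1-5-32-573 gets read only.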

If the above checks succeed, the server MUST delete the publisher entry from its publisher table or delete the channel from the channel table. Operations like deleting entries from the table SHOULD always be successful.

Any information in the channel table and publisher table MUST NOT be removed until this method is called.

The server MUST return a value indicating success or failure for this operation.