2 * Unit tests for Event Logging functions
4 * Copyright (c) 2009 Paul Vriens
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
30 #include "wine/test.h"
32 static BOOL (WINAPI *pCreateWellKnownSid)(WELL_KNOWN_SID_TYPE,PSID,PSID,DWORD*);
33 static BOOL (WINAPI *pGetEventLogInformation)(HANDLE,DWORD,LPVOID,DWORD,LPDWORD);
35 static BOOL (WINAPI *pGetComputerNameExA)(COMPUTER_NAME_FORMAT,LPSTR,LPDWORD);
36 static BOOL (WINAPI *pWow64DisableWow64FsRedirection)(PVOID *);
37 static BOOL (WINAPI *pWow64RevertWow64FsRedirection)(PVOID);
39 static void init_function_pointers(void)
41 HMODULE hadvapi32 = GetModuleHandleA("advapi32.dll");
42 HMODULE hkernel32 = GetModuleHandleA("kernel32.dll");
44 pCreateWellKnownSid = (void*)GetProcAddress(hadvapi32, "CreateWellKnownSid");
45 pGetEventLogInformation = (void*)GetProcAddress(hadvapi32, "GetEventLogInformation");
47 pGetComputerNameExA = (void*)GetProcAddress(hkernel32, "GetComputerNameExA");
48 pWow64DisableWow64FsRedirection = (void*)GetProcAddress(hkernel32, "Wow64DisableWow64FsRedirection");
49 pWow64RevertWow64FsRedirection = (void*)GetProcAddress(hkernel32, "Wow64RevertWow64FsRedirection");
52 static void create_backup(const char *filename)
56 DeleteFileA(filename);
57 handle = OpenEventLogA(NULL, "Application");
58 BackupEventLogA(handle, filename);
59 CloseEventLog(handle);
62 ok(GetFileAttributesA(filename) != INVALID_FILE_ATTRIBUTES, "Expected a backup file\n");
65 static void test_open_close(void)
70 SetLastError(0xdeadbeef);
71 ret = CloseEventLog(NULL);
72 ok(!ret, "Expected failure\n");
73 ok(GetLastError() == ERROR_INVALID_HANDLE ||
74 GetLastError() == ERROR_NOACCESS, /* W2K */
75 "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
77 SetLastError(0xdeadbeef);
78 handle = OpenEventLogA(NULL, NULL);
79 ok(handle == NULL, "Didn't expect a handle\n");
80 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
82 SetLastError(0xdeadbeef);
83 handle = OpenEventLogA("IDontExist", NULL);
84 ok(handle == NULL, "Didn't expect a handle\n");
85 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
87 SetLastError(0xdeadbeef);
88 handle = OpenEventLogA("IDontExist", "deadbeef");
89 ok(handle == NULL, "Didn't expect a handle\n");
90 ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE ||
91 GetLastError() == RPC_S_INVALID_NET_ADDR, /* Some Vista and Win7 */
92 "Expected RPC_S_SERVER_UNAVAILABLE, got %d\n", GetLastError());
94 /* This one opens the Application log */
95 handle = OpenEventLogA(NULL, "deadbeef");
96 ok(handle != NULL, "Expected a handle\n");
97 ret = CloseEventLog(handle);
98 ok(ret, "Expected success\n");
99 /* Close a second time */
100 SetLastError(0xdeadbeef);
101 ret = CloseEventLog(handle);
104 ok(!ret, "Expected failure\n");
105 ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
108 /* Empty servername should be read as local server */
109 handle = OpenEventLogA("", "Application");
110 ok(handle != NULL, "Expected a handle\n");
111 CloseEventLog(handle);
113 handle = OpenEventLogA(NULL, "Application");
114 ok(handle != NULL, "Expected a handle\n");
115 CloseEventLog(handle);
118 static void test_info(void)
123 EVENTLOG_FULL_INFORMATION efi;
125 if (!pGetEventLogInformation)
128 win_skip("GetEventLogInformation is not available\n");
131 SetLastError(0xdeadbeef);
132 ret = pGetEventLogInformation(NULL, 1, NULL, 0, NULL);
133 ok(!ret, "Expected failure\n");
134 ok(GetLastError() == ERROR_INVALID_LEVEL, "Expected ERROR_INVALID_LEVEL, got %d\n", GetLastError());
136 SetLastError(0xdeadbeef);
137 ret = pGetEventLogInformation(NULL, EVENTLOG_FULL_INFO, NULL, 0, NULL);
138 ok(!ret, "Expected failure\n");
139 ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
141 handle = OpenEventLogA(NULL, "Application");
143 SetLastError(0xdeadbeef);
144 ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, NULL, 0, NULL);
145 ok(!ret, "Expected failure\n");
146 ok(GetLastError() == RPC_X_NULL_REF_POINTER, "Expected RPC_X_NULL_REF_POINTER, got %d\n", GetLastError());
148 SetLastError(0xdeadbeef);
149 ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, NULL, 0, &needed);
150 ok(!ret, "Expected failure\n");
151 ok(GetLastError() == RPC_X_NULL_REF_POINTER, "Expected RPC_X_NULL_REF_POINTER, got %d\n", GetLastError());
153 SetLastError(0xdeadbeef);
154 ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, (LPVOID)&efi, 0, NULL);
155 ok(!ret, "Expected failure\n");
156 ok(GetLastError() == RPC_X_NULL_REF_POINTER, "Expected RPC_X_NULL_REF_POINTER, got %d\n", GetLastError());
158 SetLastError(0xdeadbeef);
160 efi.dwFull = 0xdeadbeef;
161 ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, (LPVOID)&efi, 0, &needed);
162 ok(!ret, "Expected failure\n");
163 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
164 ok(needed == sizeof(EVENTLOG_FULL_INFORMATION), "Expected sizeof(EVENTLOG_FULL_INFORMATION), got %d\n", needed);
165 ok(efi.dwFull == 0xdeadbeef, "Expected no change to the dwFull member\n");
167 /* Not that we care, but on success last error is set to ERROR_IO_PENDING */
168 efi.dwFull = 0xdeadbeef;
170 ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, (LPVOID)&efi, needed, &needed);
171 ok(ret, "Expected success\n");
172 ok(needed == sizeof(EVENTLOG_FULL_INFORMATION), "Expected sizeof(EVENTLOG_FULL_INFORMATION), got %d\n", needed);
173 ok(efi.dwFull == 0 || efi.dwFull == 1, "Expected 0 (not full) or 1 (full), got %d\n", efi.dwFull);
175 CloseEventLog(handle);
178 static void test_count(void)
183 const char backup[] = "backup.evt";
185 SetLastError(0xdeadbeef);
186 ret = GetNumberOfEventLogRecords(NULL, NULL);
187 ok(!ret, "Expected failure\n");
188 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
190 SetLastError(0xdeadbeef);
192 ret = GetNumberOfEventLogRecords(NULL, &count);
193 ok(!ret, "Expected failure\n");
194 ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
195 ok(count == 0xdeadbeef, "Expected count to stay unchanged\n");
197 handle = OpenEventLogA(NULL, "Application");
199 SetLastError(0xdeadbeef);
200 ret = GetNumberOfEventLogRecords(handle, NULL);
201 ok(!ret, "Expected failure\n");
202 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
205 ret = GetNumberOfEventLogRecords(handle, &count);
206 ok(ret, "Expected success\n");
207 ok(count != 0xdeadbeef, "Expected the number of records\n");
209 CloseEventLog(handle);
211 /* Make a backup eventlog to work with */
212 create_backup(backup);
214 handle = OpenBackupEventLogA(NULL, backup);
216 ok(handle != NULL, "Expected a handle\n");
218 /* Does GetNumberOfEventLogRecords work with backup eventlogs? */
220 ret = GetNumberOfEventLogRecords(handle, &count);
223 ok(ret, "Expected success\n");
224 ok(count != 0xdeadbeef, "Expected the number of records\n");
227 CloseEventLog(handle);
231 static void test_oldest(void)
236 const char backup[] = "backup.evt";
238 SetLastError(0xdeadbeef);
239 ret = GetOldestEventLogRecord(NULL, NULL);
240 ok(!ret, "Expected failure\n");
241 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
243 SetLastError(0xdeadbeef);
245 ret = GetOldestEventLogRecord(NULL, &oldest);
246 ok(!ret, "Expected failure\n");
247 ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
248 ok(oldest == 0xdeadbeef, "Expected oldest to stay unchanged\n");
250 handle = OpenEventLogA(NULL, "Application");
252 SetLastError(0xdeadbeef);
253 ret = GetOldestEventLogRecord(handle, NULL);
254 ok(!ret, "Expected failure\n");
255 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
258 ret = GetOldestEventLogRecord(handle, &oldest);
259 ok(ret, "Expected success\n");
260 ok(oldest != 0xdeadbeef, "Expected the number of the oldest record\n");
262 CloseEventLog(handle);
264 /* Make a backup eventlog to work with */
265 create_backup(backup);
267 handle = OpenBackupEventLogA(NULL, backup);
269 ok(handle != NULL, "Expected a handle\n");
271 /* Does GetOldestEventLogRecord work with backup eventlogs? */
273 ret = GetOldestEventLogRecord(handle, &oldest);
276 ok(ret, "Expected success\n");
277 ok(oldest != 0xdeadbeef, "Expected the number of the oldest record\n");
280 CloseEventLog(handle);
284 static void test_backup(void)
288 const char backup[] = "backup.evt";
289 const char backup2[] = "backup2.evt";
291 SetLastError(0xdeadbeef);
292 ret = BackupEventLogA(NULL, NULL);
293 ok(!ret, "Expected failure\n");
294 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
296 SetLastError(0xdeadbeef);
297 ret = BackupEventLogA(NULL, backup);
298 ok(!ret, "Expected failure\n");
299 ok(GetFileAttributesA(backup) == INVALID_FILE_ATTRIBUTES, "Expected no backup file\n");
301 handle = OpenEventLogA(NULL, "Application");
303 SetLastError(0xdeadbeef);
304 ret = BackupEventLogA(handle, NULL);
305 ok(!ret, "Expected failure\n");
306 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
308 ret = BackupEventLogA(handle, backup);
309 ok(ret, "Expected success\n");
311 ok(GetFileAttributesA(backup) != INVALID_FILE_ATTRIBUTES, "Expected a backup file\n");
313 /* Try to overwrite */
314 SetLastError(0xdeadbeef);
315 ret = BackupEventLogA(handle, backup);
318 ok(!ret, "Expected failure\n");
319 ok(GetLastError() == ERROR_ALREADY_EXISTS, "Expected ERROR_ALREADY_EXISTS, got %d\n", GetLastError());
322 CloseEventLog(handle);
324 /* Can we make a backup of a backup? */
325 handle = OpenBackupEventLogA(NULL, backup);
327 ok(handle != NULL, "Expected a handle\n");
329 ret = BackupEventLogA(handle, backup2);
332 ok(ret, "Expected success\n");
333 ok(GetFileAttributesA(backup2) != INVALID_FILE_ATTRIBUTES, "Expected a backup file\n");
336 CloseEventLog(handle);
338 DeleteFileA(backup2);
341 static void test_read(void)
345 DWORD count, toread, read, needed;
348 SetLastError(0xdeadbeef);
349 ret = ReadEventLogA(NULL, 0, 0, NULL, 0, NULL, NULL);
350 ok(!ret, "Expected failure\n");
352 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
355 SetLastError(0xdeadbeef);
356 ret = ReadEventLogA(NULL, 0, 0, NULL, 0, &read, NULL);
357 ok(!ret, "Expected failure\n");
358 ok(read == 0xdeadbeef, "Expected 'read' parameter to remain unchanged\n");
360 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
363 SetLastError(0xdeadbeef);
364 ret = ReadEventLogA(NULL, 0, 0, NULL, 0, NULL, &needed);
365 ok(!ret, "Expected failure\n");
366 ok(needed == 0xdeadbeef, "Expected 'needed' parameter to remain unchanged\n");
368 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
370 /* 'read' and 'needed' are only filled when the needed buffer size is passed back or when the call succeeds */
371 SetLastError(0xdeadbeef);
372 ret = ReadEventLogA(NULL, 0, 0, NULL, 0, &read, &needed);
373 ok(!ret, "Expected failure\n");
375 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
377 SetLastError(0xdeadbeef);
378 ret = ReadEventLogA(NULL, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, NULL, 0, NULL, NULL);
379 ok(!ret, "Expected failure\n");
381 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
383 SetLastError(0xdeadbeef);
384 ret = ReadEventLogA(NULL, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, NULL, 0, &read, &needed);
385 ok(!ret, "Expected failure\n");
387 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
390 SetLastError(0xdeadbeef);
391 ret = ReadEventLogA(NULL, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
392 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
393 ok(!ret, "Expected failure\n");
395 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
397 buf = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD));
398 SetLastError(0xdeadbeef);
399 ret = ReadEventLogA(NULL, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
400 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
401 ok(!ret, "Expected failure\n");
403 ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
404 HeapFree(GetProcessHeap(), 0, buf);
406 handle = OpenEventLogA(NULL, "Application");
408 /* Show that we need the proper dwFlags with a (for the rest) proper call */
409 buf = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD));
411 SetLastError(0xdeadbeef);
412 ret = ReadEventLogA(handle, 0, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
413 ok(!ret, "Expected failure\n");
415 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
417 SetLastError(0xdeadbeef);
418 ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
419 ok(!ret, "Expected failure\n");
421 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
423 SetLastError(0xdeadbeef);
424 ret = ReadEventLogA(handle, EVENTLOG_SEEK_READ, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
425 ok(!ret, "Expected failure\n");
427 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
429 SetLastError(0xdeadbeef);
430 ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ | EVENTLOG_BACKWARDS_READ,
431 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
432 ok(!ret, "Expected failure\n");
434 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
436 SetLastError(0xdeadbeef);
437 ret = ReadEventLogA(handle, EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ | EVENTLOG_BACKWARDS_READ,
438 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
439 ok(!ret, "Expected failure\n");
441 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
443 SetLastError(0xdeadbeef);
444 ret = ReadEventLogA(handle, EVENTLOG_SEEK_READ | EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
445 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
446 ok(!ret, "Expected failure\n");
448 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
450 HeapFree(GetProcessHeap(), 0, buf);
452 /* First check if there are any records (in practice only on Wine: FIXME) */
454 GetNumberOfEventLogRecords(handle, &count);
457 skip("No records in the 'Application' log\n");
458 CloseEventLog(handle);
462 /* Get the buffer size for the first record */
463 buf = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD));
464 read = needed = 0xdeadbeef;
465 SetLastError(0xdeadbeef);
466 ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
467 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
468 ok(!ret, "Expected failure\n");
469 ok(read == 0, "Expected no bytes read\n");
470 ok(needed > sizeof(EVENTLOGRECORD), "Expected the needed buffersize to be bigger than sizeof(EVENTLOGRECORD)\n");
471 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
473 /* Read the first record */
475 buf = HeapReAlloc(GetProcessHeap(), 0, buf, toread);
476 read = needed = 0xdeadbeef;
477 SetLastError(0xdeadbeef);
478 ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, buf, toread, &read, &needed);
479 ok(ret, "Expected success\n");
481 broken(read < toread), /* NT4 wants a buffer size way bigger than just 1 record */
482 "Expected the requested size to be read\n");
483 ok(needed == 0, "Expected no extra bytes to be read\n");
484 HeapFree(GetProcessHeap(), 0, buf);
486 CloseEventLog(handle);
489 static void test_openbackup(void)
491 HANDLE handle, handle2, file;
493 const char backup[] = "backup.evt";
494 const char text[] = "Just some text";
496 SetLastError(0xdeadbeef);
497 handle = OpenBackupEventLogA(NULL, NULL);
498 ok(handle == NULL, "Didn't expect a handle\n");
499 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
501 SetLastError(0xdeadbeef);
502 handle = OpenBackupEventLogA(NULL, "idontexist.evt");
503 ok(handle == NULL, "Didn't expect a handle\n");
504 ok(GetLastError() == ERROR_FILE_NOT_FOUND, "Expected ERROR_FILE_NOT_FOUND, got %d\n", GetLastError());
506 SetLastError(0xdeadbeef);
507 handle = OpenBackupEventLogA("IDontExist", NULL);
508 ok(handle == NULL, "Didn't expect a handle\n");
509 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
511 SetLastError(0xdeadbeef);
512 handle = OpenBackupEventLogA("IDontExist", "idontexist.evt");
513 ok(handle == NULL, "Didn't expect a handle\n");
514 ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE ||
515 GetLastError() == RPC_S_INVALID_NET_ADDR, /* Some Vista and Win7 */
516 "Expected RPC_S_SERVER_UNAVAILABLE, got %d\n", GetLastError());
518 /* Make a backup eventlog to work with */
519 create_backup(backup);
521 /* FIXME: Wine stops here */
522 if (GetFileAttributesA(backup) == INVALID_FILE_ATTRIBUTES)
524 skip("We don't have a backup eventlog to work with\n");
528 SetLastError(0xdeadbeef);
529 handle = OpenBackupEventLogA("IDontExist", backup);
530 ok(handle == NULL, "Didn't expect a handle\n");
531 ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE ||
532 GetLastError() == RPC_S_INVALID_NET_ADDR, /* Some Vista and Win7 */
533 "Expected RPC_S_SERVER_UNAVAILABLE, got %d\n", GetLastError());
535 /* Empty servername should be read as local server */
536 handle = OpenBackupEventLogA("", backup);
537 ok(handle != NULL, "Expected a handle\n");
538 CloseEventLog(handle);
540 handle = OpenBackupEventLogA(NULL, backup);
541 ok(handle != NULL, "Expected a handle\n");
543 /* Can we open that same backup eventlog more than once? */
544 handle2 = OpenBackupEventLogA(NULL, backup);
545 ok(handle2 != NULL, "Expected a handle\n");
546 ok(handle2 != handle, "Didn't expect the same handle\n");
547 CloseEventLog(handle2);
549 CloseEventLog(handle);
552 /* Is there any content checking done? */
553 file = CreateFileA(backup, GENERIC_WRITE, 0, NULL, CREATE_NEW, 0, NULL);
555 SetLastError(0xdeadbeef);
556 handle = OpenBackupEventLogA(NULL, backup);
557 ok(handle == NULL, "Didn't expect a handle\n");
558 ok(GetLastError() == ERROR_NOT_ENOUGH_MEMORY ||
559 GetLastError() == ERROR_EVENTLOG_FILE_CORRUPT, /* Vista and Win7 */
560 "Expected ERROR_NOT_ENOUGH_MEMORY, got %d\n", GetLastError());
561 CloseEventLog(handle);
564 file = CreateFileA(backup, GENERIC_WRITE, 0, NULL, CREATE_NEW, 0, NULL);
565 WriteFile(file, text, sizeof(text), &written, NULL);
567 SetLastError(0xdeadbeef);
568 handle = OpenBackupEventLogA(NULL, backup);
569 ok(handle == NULL, "Didn't expect a handle\n");
570 ok(GetLastError() == ERROR_EVENTLOG_FILE_CORRUPT, "Expected ERROR_EVENTLOG_FILE_CORRUPT, got %d\n", GetLastError());
571 CloseEventLog(handle);
575 static void test_clear(void)
579 const char backup[] = "backup.evt";
580 const char backup2[] = "backup2.evt";
582 SetLastError(0xdeadbeef);
583 ret = ClearEventLogA(NULL, NULL);
584 ok(!ret, "Expected failure\n");
585 ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
587 /* Make a backup eventlog to work with */
588 create_backup(backup);
590 SetLastError(0xdeadbeef);
591 ret = ClearEventLogA(NULL, backup);
592 ok(!ret, "Expected failure\n");
593 ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
595 handle = OpenBackupEventLogA(NULL, backup);
597 ok(handle != NULL, "Expected a handle\n");
599 /* A real eventlog would fail with ERROR_ALREADY_EXISTS */
600 SetLastError(0xdeadbeef);
601 ret = ClearEventLogA(handle, backup);
602 ok(!ret, "Expected failure\n");
603 /* The eventlog service runs under an account that doesn't have the necessary
604 * permissions on the users home directory on a default Vista+ system.
606 ok(GetLastError() == ERROR_INVALID_HANDLE ||
607 GetLastError() == ERROR_ACCESS_DENIED, /* Vista+ */
608 "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
610 /* Show that ClearEventLog only works for real eventlogs. */
611 SetLastError(0xdeadbeef);
612 ret = ClearEventLogA(handle, backup2);
613 ok(!ret, "Expected failure\n");
614 ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
615 ok(GetFileAttributesA(backup2) == INVALID_FILE_ATTRIBUTES, "Expected no backup file\n");
617 SetLastError(0xdeadbeef);
618 ret = ClearEventLogA(handle, NULL);
619 ok(!ret, "Expected failure\n");
620 ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
622 CloseEventLog(handle);
624 ok(DeleteFileA(backup), "Could not delete the backup file\n");
627 static const char eventlogsvc[] = "SYSTEM\\CurrentControlSet\\Services\\Eventlog";
628 static const char eventlogname[] = "Wine";
629 static const char eventsources[][11] = { "WineSrc", "WineSrc1", "WineSrc20", "WineSrc300" };
631 static BOOL create_new_eventlog(void)
638 /* First create our eventlog */
639 lret = RegOpenKeyA(HKEY_LOCAL_MACHINE, eventlogsvc, &key);
640 /* FIXME: Wine stops here */
641 if (lret != ERROR_SUCCESS)
643 skip("Could not open the EventLog service registry key\n");
646 lret = RegCreateKeyA(key, eventlogname, &eventkey);
647 if (lret != ERROR_SUCCESS)
649 skip("Could not create the eventlog '%s' registry key\n", eventlogname);
653 /* Create some event sources, the registry value 'Sources' is updated automatically */
654 for (i = 0; i < sizeof(eventsources)/sizeof(eventsources[0]); i++)
658 lret = RegCreateKeyA(eventkey, eventsources[i], &srckey);
659 if (lret != ERROR_SUCCESS)
661 skip("Could not create the eventsource '%s' registry key\n", eventsources[i]);
670 /* The flushing of the registry (here and above) gives us some assurance
671 * that we are not to quickly writing events as 'Sources' could still be
674 RegFlushKey(eventkey);
676 RegCloseKey(eventkey);
682 static const char *one_string[] = { "First string" };
683 static const char *two_strings[] = { "First string", "Second string" };
692 const char **evt_strings;
695 { eventlogname, EVENTLOG_INFORMATION_TYPE, 1, 1, FALSE, 1, one_string },
696 { eventsources[0], EVENTLOG_WARNING_TYPE, 1, 2, FALSE, 0, NULL },
697 { eventsources[1], EVENTLOG_AUDIT_FAILURE, 1, 3, FALSE, 2, two_strings },
698 { eventsources[2], EVENTLOG_ERROR_TYPE, 1, 4, FALSE, 0, NULL },
699 { eventsources[3], EVENTLOG_WARNING_TYPE, 1, 5, FALSE, 1, one_string },
700 { eventlogname, EVENTLOG_SUCCESS, 2, 6, TRUE, 2, two_strings },
701 { eventsources[0], EVENTLOG_AUDIT_FAILURE, 2, 7, TRUE, 0, NULL },
702 { eventsources[1], EVENTLOG_AUDIT_SUCCESS, 2, 8, TRUE, 2, two_strings },
703 { eventsources[2], EVENTLOG_WARNING_TYPE, 2, 9, TRUE, 0, NULL },
704 { eventsources[3], EVENTLOG_ERROR_TYPE, 2, 10, TRUE, 1, one_string }
707 static void test_readwrite(void)
711 DWORD sidsize, count;
712 BOOL ret, sidavailable;
713 BOOL on_vista = FALSE; /* Used to indicate Vista, W2K8 or Win7 */
715 char *localcomputer = NULL;
718 if (pCreateWellKnownSid)
720 sidsize = SECURITY_MAX_SID_SIZE;
721 user = HeapAlloc(GetProcessHeap(), 0, sidsize);
722 SetLastError(0xdeadbeef);
723 pCreateWellKnownSid(WinInteractiveSid, NULL, user, &sidsize);
728 win_skip("Skipping some SID related tests\n");
729 sidavailable = FALSE;
733 /* Write an event with an incorrect event type. This will fail on Windows 7
734 * but succeed on all others, hence it's not part of the struct.
736 handle = OpenEventLogA(NULL, eventlogname);
739 /* Intermittently seen on NT4 when tests are run immediately after boot */
740 win_skip("Could not get a handle to the eventlog\n");
745 GetNumberOfEventLogRecords(handle, &count);
748 /* Needed for W2K3 without a service pack */
749 win_skip("We most likely opened the Application eventlog\n");
750 CloseEventLog(handle);
753 handle = OpenEventLogA(NULL, eventlogname);
755 GetNumberOfEventLogRecords(handle, &count);
758 win_skip("We didn't open our new eventlog\n");
759 CloseEventLog(handle);
764 SetLastError(0xdeadbeef);
765 ret = ReportEvent(handle, 0x20, 0, 0, NULL, 0, 0, NULL, NULL);
766 if (!ret && GetLastError() == ERROR_CRC)
768 win_skip("Win7 fails when using incorrect event types\n");
769 ret = ReportEvent(handle, 0, 0, 0, NULL, 0, 0, NULL, NULL);
770 ok(ret, "Expected success : %d\n", GetLastError());
775 DWORD read, needed = 0;
776 EVENTLOGRECORD *record;
778 ok(ret, "Expected success : %d\n", GetLastError());
780 /* Needed to catch earlier Vista (with no ServicePack for example) */
781 buf = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD));
782 if (!(ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
783 0, buf, sizeof(EVENTLOGRECORD), &read, &needed)) &&
784 GetLastError() == ERROR_INSUFFICIENT_BUFFER)
786 buf = HeapReAlloc(GetProcessHeap(), 0, buf, needed);
787 ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
788 0, buf, needed, &read, &needed);
792 record = (EVENTLOGRECORD *)buf;
794 /* Vista and W2K8 return EVENTLOG_SUCCESS, Windows versions before return
795 * the written eventtype (0x20 in this case).
797 if (record->EventType == EVENTLOG_SUCCESS)
800 HeapFree(GetProcessHeap(), 0, buf);
803 /* This will clear the eventlog. The record numbering for new
804 * events however differs on Vista SP1+. Before Vista the first
805 * event would be numbered 1, on Vista SP1+ it's higher as we already
806 * had at least one event (more in case of multiple test runs without
809 ClearEventLogA(handle, NULL);
810 CloseEventLog(handle);
812 /* Write a bunch of events while using different event sources */
813 for (i = 0; i < sizeof(read_write)/sizeof(read_write[0]); i++)
816 BOOL run_sidtests = read_write[i].evt_sid & sidavailable;
818 /* We don't need to use RegisterEventSource to report events */
820 handle = OpenEventLogA(NULL, read_write[i].evt_src);
822 handle = RegisterEventSourceA(NULL, read_write[i].evt_src);
823 ok(handle != NULL, "Expected a handle\n");
825 SetLastError(0xdeadbeef);
826 ret = ReportEvent(handle, read_write[i].evt_type, read_write[i].evt_cat,
827 read_write[i].evt_id, run_sidtests ? user : NULL,
828 read_write[i].evt_numstrings, 0, read_write[i].evt_strings, NULL);
829 ok(ret, "Expected ReportEvent success : %d\n", GetLastError());
832 SetLastError(0xdeadbeef);
833 ret = GetNumberOfEventLogRecords(handle, &count);
834 ok(ret, "Expected GetNumberOfEventLogRecords success : %d\n", GetLastError());
835 ok(count == (i + 1), "Expected %d records, got %d\n", i + 1, count);
838 ret = GetOldestEventLogRecord(handle, &oldest);
839 ok(ret, "Expected GetOldestEventLogRecord success : %d\n", GetLastError());
841 (oldest > 1 && oldest != 0xdeadbeef), /* Vista SP1+, W2K8 and Win7 */
842 "Expected oldest to be 1 or higher, got %d\n", oldest);
843 if (oldest > 1 && oldest != 0xdeadbeef)
846 SetLastError(0xdeadbeef);
848 ret = CloseEventLog(handle);
850 ret = DeregisterEventSource(handle);
851 ok(ret, "Expected success : %d\n", GetLastError());
854 handle = OpenEventLogA(NULL, eventlogname);
856 ret = GetNumberOfEventLogRecords(handle, &count);
857 ok(ret, "Expected success\n");
858 ok(count == i, "Expected %d records, got %d\n", i, count);
859 CloseEventLog(handle);
863 skip("No events were written to the eventlog\n");
867 /* Report only once */
869 skip("There is no DWORD alignment enforced for UserSid on Vista, W2K8 or Win7\n");
871 if (on_vista && pGetComputerNameExA)
873 /* New Vista+ behavior */
875 SetLastError(0xdeadbeef);
876 pGetComputerNameExA(ComputerNameDnsFullyQualified, NULL, &size);
877 localcomputer = HeapAlloc(GetProcessHeap(), 0, size);
878 pGetComputerNameExA(ComputerNameDnsFullyQualified, localcomputer, &size);
882 size = MAX_COMPUTERNAME_LENGTH + 1;
883 localcomputer = HeapAlloc(GetProcessHeap(), 0, size);
884 GetComputerNameA(localcomputer, &size);
887 /* Read all events from our created eventlog, one by one */
888 handle = OpenEventLogA(NULL, eventlogname);
894 EVENTLOGRECORD *record;
895 char *sourcename, *computername;
898 BOOL run_sidtests = read_write[i].evt_sid & sidavailable;
900 buf = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD));
901 SetLastError(0xdeadbeef);
902 ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
903 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
904 if (!ret && GetLastError() == ERROR_HANDLE_EOF)
906 HeapFree(GetProcessHeap(), 0, buf);
909 ok(!ret, "Expected failure\n");
910 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
911 "Expected ERROR_INVALID_PARAMETER, got %d\n",GetLastError());
913 buf = HeapReAlloc(GetProcessHeap(), 0, buf, needed);
914 ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
915 0, buf, needed, &read, &needed);
916 ok(ret, "Expected success: %d\n", GetLastError());
918 record = (EVENTLOGRECORD *)buf;
920 ok(record->Length == read,
921 "Expected %d, got %d\n", read, record->Length);
922 ok(record->Reserved == 0x654c664c,
923 "Expected 0x654c664c, got %d\n", record->Reserved);
924 ok(record->RecordNumber == i + 1 ||
925 (on_vista && (record->RecordNumber > i + 1)),
926 "Expected %d or higher, got %d\n", i + 1, record->RecordNumber);
927 ok(record->EventID == read_write[i].evt_id,
928 "Expected %d, got %d\n", read_write[i].evt_id, record->EventID);
929 ok(record->EventType == read_write[i].evt_type,
930 "Expected %d, got %d\n", read_write[i].evt_type, record->EventType);
931 ok(record->NumStrings == read_write[i].evt_numstrings,
932 "Expected %d, got %d\n", read_write[i].evt_numstrings, record->NumStrings);
933 ok(record->EventCategory == read_write[i].evt_cat,
934 "Expected %d, got %d\n", read_write[i].evt_cat, record->EventCategory);
936 sourcename = (char *)((BYTE *)buf + sizeof(EVENTLOGRECORD));
937 ok(!lstrcmpA(sourcename, read_write[i].evt_src), "Expected '%s', got '%s'\n",
938 read_write[i].evt_src, sourcename);
940 computername = (char *)((BYTE *)buf + sizeof(EVENTLOGRECORD) + lstrlenA(sourcename) + 1);
941 ok(!lstrcmpiA(computername, localcomputer), "Expected '%s', got '%s'\n",
942 localcomputer, computername);
944 /* Before Vista, UserSid was aligned on a DWORD boundary. Next to that if
945 * no padding was actually required a 0 DWORD was still used for padding. No
946 * application should be relying on the padding as we are working with offsets
952 DWORD calculated_sidoffset = sizeof(EVENTLOGRECORD) + lstrlenA(sourcename) + 1 + lstrlenA(computername) + 1;
954 /* We are already DWORD aligned, there should still be some padding */
955 if ((((UINT_PTR)buf + calculated_sidoffset) % sizeof(DWORD)) == 0)
956 ok(*(DWORD *)((BYTE *)buf + calculated_sidoffset) == 0, "Expected 0\n");
958 ok((((UINT_PTR)buf + record->UserSidOffset) % sizeof(DWORD)) == 0, "Expected DWORD alignment\n");
963 ok(record->UserSidLength == sidsize, "Expected %d, got %d\n", sidsize, record->UserSidLength);
967 ok(record->StringOffset == record->UserSidOffset, "Expected offsets to be the same\n");
968 ok(record->UserSidLength == 0, "Expected 0, got %d\n", record->UserSidLength);
971 ok(record->DataLength == 0, "Expected 0, got %d\n", record->DataLength);
973 ptr = (char *)((BYTE *)buf + record->StringOffset);
974 for (k = 0; k < record->NumStrings; k++)
976 ok(!lstrcmpA(ptr, two_strings[k]), "Expected '%s', got '%s'\n", two_strings[k], ptr);
977 ptr += lstrlenA(ptr) + 1;
980 ok(record->Length == *(DWORD *)((BYTE *)buf + record->Length - sizeof(DWORD)),
981 "Expected the closing DWORD to contain the length of the record\n");
983 HeapFree(GetProcessHeap(), 0, buf);
986 CloseEventLog(handle);
988 /* Test clearing a real eventlog */
989 handle = OpenEventLogA(NULL, eventlogname);
991 SetLastError(0xdeadbeef);
992 ret = ClearEventLogA(handle, NULL);
993 ok(ret, "Expected success\n");
996 ret = GetNumberOfEventLogRecords(handle, &count);
997 ok(ret, "Expected success\n");
998 ok(count == 0, "Expected an empty eventlog, got %d records\n", count);
1000 CloseEventLog(handle);
1003 HeapFree(GetProcessHeap(), 0, localcomputer);
1004 HeapFree(GetProcessHeap(), 0, user);
1009 * Creating an eventlog on Windows (via the registry) automatically leads
1010 * to creation of a REG_MULTI_SZ named 'Sources'. This value lists all the
1011 * potential event sources for this eventlog. 'Sources' is automatically
1012 * updated when a new key (aka event source) is created.
1014 * Although the updating of registry keys is almost instantaneously, we
1015 * check it after some other tests to assure we are not querying the
1016 * registry or file system to quickly.
1020 * The eventlog file itself is also automatically created, even before we
1021 * start writing events.
1023 static char eventlogfile[MAX_PATH];
1024 static void test_autocreation(void)
1031 char sources[sizeof(eventsources)];
1032 char sysdir[MAX_PATH];
1035 RegOpenKeyA(HKEY_LOCAL_MACHINE, eventlogsvc, &key);
1036 RegOpenKeyA(key, eventlogname, &eventkey);
1038 size = sizeof(sources);
1040 ret = RegQueryValueExA(eventkey, "Sources", NULL, &type, (LPBYTE)sources, &size);
1041 if (ret == ERROR_SUCCESS)
1043 char sources_verify[sizeof(eventsources)];
1045 ok(type == REG_MULTI_SZ, "Expected a REG_MULTI_SZ, got %d\n", type);
1047 /* Build the expected string */
1048 memset(sources_verify, 0, sizeof(sources_verify));
1050 for (i = sizeof(eventsources)/sizeof(eventsources[0]); i > 0; i--)
1052 lstrcpyA(p, eventsources[i - 1]);
1053 p += (lstrlenA(eventsources[i - 1]) + 1);
1055 lstrcpyA(p, eventlogname);
1057 ok(!memcmp(sources, sources_verify, size),
1058 "Expected a correct 'Sources' value (size : %d)\n", size);
1061 RegCloseKey(eventkey);
1064 /* The directory that holds the eventlog files could be redirected */
1065 if (pWow64DisableWow64FsRedirection)
1066 pWow64DisableWow64FsRedirection(&redir);
1068 /* On Windows we also automatically get an eventlog file */
1069 GetSystemDirectoryA(sysdir, sizeof(sysdir));
1072 lstrcpyA(eventlogfile, sysdir);
1073 lstrcatA(eventlogfile, "\\config\\");
1074 lstrcatA(eventlogfile, eventlogname);
1075 lstrcatA(eventlogfile, ".evt");
1077 if (GetFileAttributesA(eventlogfile) == INVALID_FILE_ATTRIBUTES)
1080 lstrcpyA(eventlogfile, sysdir);
1081 lstrcatA(eventlogfile, "\\winevt\\Logs\\");
1082 lstrcatA(eventlogfile, eventlogname);
1083 lstrcatA(eventlogfile, ".evtx");
1086 ok(GetFileAttributesA(eventlogfile) != INVALID_FILE_ATTRIBUTES,
1087 "Expected an eventlog file\n");
1089 if (pWow64RevertWow64FsRedirection)
1090 pWow64RevertWow64FsRedirection(redir);
1093 static void cleanup_eventlog(void)
1099 char winesvc[MAX_PATH];
1101 /* Delete the registry tree */
1102 lstrcpyA(winesvc, eventlogsvc);
1103 lstrcatA(winesvc, "\\");
1104 lstrcatA(winesvc, eventlogname);
1106 RegOpenKeyA(HKEY_LOCAL_MACHINE, winesvc, &key);
1107 for (i = 0; i < sizeof(eventsources)/sizeof(eventsources[0]); i++)
1108 RegDeleteKeyA(key, eventsources[i]);
1109 RegDeleteValueA(key, "Sources");
1111 lret = RegDeleteKeyA(HKEY_LOCAL_MACHINE, winesvc);
1113 ok(lret == ERROR_SUCCESS, "Could not delete the registry tree : %d\n", lret);
1115 /* A handle to the eventlog is locked by services.exe. We can only
1116 * delete the eventlog file after reboot.
1118 bret = MoveFileExA(eventlogfile, NULL, MOVEFILE_DELAY_UNTIL_REBOOT);
1120 ok(bret, "Expected MoveFileEx to succeed: %d\n", GetLastError());
1123 START_TEST(eventlog)
1125 SetLastError(0xdeadbeef);
1126 CloseEventLog(NULL);
1127 if (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
1129 win_skip("Event log functions are not implemented\n");
1133 init_function_pointers();
1135 /* Parameters only */
1145 /* Functional tests */
1146 if (create_new_eventlog())
1149 test_autocreation();
projects / wine / blob