2 * Unit tests for Event Logging functions
4 * Copyright (c) 2009 Paul Vriens
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
30 #include "wine/test.h"
32 static BOOL (WINAPI *pCreateWellKnownSid)(WELL_KNOWN_SID_TYPE,PSID,PSID,DWORD*);
33 static BOOL (WINAPI *pGetEventLogInformation)(HANDLE,DWORD,LPVOID,DWORD,LPDWORD);
35 static void init_function_pointers(void)
37 HMODULE hadvapi32 = GetModuleHandleA("advapi32.dll");
39 pCreateWellKnownSid = (void*)GetProcAddress(hadvapi32, "CreateWellKnownSid");
40 pGetEventLogInformation = (void*)GetProcAddress(hadvapi32, "GetEventLogInformation");
43 static void create_backup(const char *filename)
47 DeleteFileA(filename);
48 handle = OpenEventLogA(NULL, "Application");
49 BackupEventLogA(handle, filename);
50 CloseEventLog(handle);
53 ok(GetFileAttributesA(filename) != INVALID_FILE_ATTRIBUTES, "Expected a backup file\n");
56 static void test_open_close(void)
61 SetLastError(0xdeadbeef);
62 ret = CloseEventLog(NULL);
63 ok(!ret, "Expected failure\n");
64 ok(GetLastError() == ERROR_INVALID_HANDLE ||
65 GetLastError() == ERROR_NOACCESS, /* W2K */
66 "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
68 SetLastError(0xdeadbeef);
69 handle = OpenEventLogA(NULL, NULL);
70 ok(handle == NULL, "Didn't expect a handle\n");
71 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
73 SetLastError(0xdeadbeef);
74 handle = OpenEventLogA("IDontExist", NULL);
75 ok(handle == NULL, "Didn't expect a handle\n");
76 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
78 SetLastError(0xdeadbeef);
79 handle = OpenEventLogA("IDontExist", "deadbeef");
80 ok(handle == NULL, "Didn't expect a handle\n");
81 ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE ||
82 GetLastError() == RPC_S_INVALID_NET_ADDR, /* Some Vista and Win7 */
83 "Expected RPC_S_SERVER_UNAVAILABLE, got %d\n", GetLastError());
85 /* This one opens the Application log */
86 handle = OpenEventLogA(NULL, "deadbeef");
87 ok(handle != NULL, "Expected a handle\n");
88 ret = CloseEventLog(handle);
89 ok(ret, "Expected success\n");
90 /* Close a second time */
91 SetLastError(0xdeadbeef);
92 ret = CloseEventLog(handle);
95 ok(!ret, "Expected failure\n");
96 ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
99 /* Empty servername should be read as local server */
100 handle = OpenEventLogA("", "Application");
101 ok(handle != NULL, "Expected a handle\n");
102 CloseEventLog(handle);
104 handle = OpenEventLogA(NULL, "Application");
105 ok(handle != NULL, "Expected a handle\n");
106 CloseEventLog(handle);
109 static void test_info(void)
114 EVENTLOG_FULL_INFORMATION efi;
116 if (!pGetEventLogInformation)
119 win_skip("GetEventLogInformation is not available\n");
122 SetLastError(0xdeadbeef);
123 ret = pGetEventLogInformation(NULL, 1, NULL, 0, NULL);
124 ok(!ret, "Expected failure\n");
125 ok(GetLastError() == ERROR_INVALID_LEVEL, "Expected ERROR_INVALID_LEVEL, got %d\n", GetLastError());
127 SetLastError(0xdeadbeef);
128 ret = pGetEventLogInformation(NULL, EVENTLOG_FULL_INFO, NULL, 0, NULL);
129 ok(!ret, "Expected failure\n");
130 ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
132 handle = OpenEventLogA(NULL, "Application");
134 SetLastError(0xdeadbeef);
135 ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, NULL, 0, NULL);
136 ok(!ret, "Expected failure\n");
137 ok(GetLastError() == RPC_X_NULL_REF_POINTER, "Expected RPC_X_NULL_REF_POINTER, got %d\n", GetLastError());
139 SetLastError(0xdeadbeef);
140 ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, NULL, 0, &needed);
141 ok(!ret, "Expected failure\n");
142 ok(GetLastError() == RPC_X_NULL_REF_POINTER, "Expected RPC_X_NULL_REF_POINTER, got %d\n", GetLastError());
144 SetLastError(0xdeadbeef);
145 ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, (LPVOID)&efi, 0, NULL);
146 ok(!ret, "Expected failure\n");
147 ok(GetLastError() == RPC_X_NULL_REF_POINTER, "Expected RPC_X_NULL_REF_POINTER, got %d\n", GetLastError());
149 SetLastError(0xdeadbeef);
151 efi.dwFull = 0xdeadbeef;
152 ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, (LPVOID)&efi, 0, &needed);
153 ok(!ret, "Expected failure\n");
154 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Expected ERROR_INSUFFICIENT_BUFFER, got %d\n", GetLastError());
155 ok(needed == sizeof(EVENTLOG_FULL_INFORMATION), "Expected sizeof(EVENTLOG_FULL_INFORMATION), got %d\n", needed);
156 ok(efi.dwFull == 0xdeadbeef, "Expected no change to the dwFull member\n");
158 /* Not that we care, but on success last error is set to ERROR_IO_PENDING */
159 efi.dwFull = 0xdeadbeef;
161 ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, (LPVOID)&efi, needed, &needed);
162 ok(ret, "Expected success\n");
163 ok(needed == sizeof(EVENTLOG_FULL_INFORMATION), "Expected sizeof(EVENTLOG_FULL_INFORMATION), got %d\n", needed);
164 ok(efi.dwFull == 0 || efi.dwFull == 1, "Expected 0 (not full) or 1 (full), got %d\n", efi.dwFull);
166 CloseEventLog(handle);
169 static void test_count(void)
174 const char backup[] = "backup.evt";
176 SetLastError(0xdeadbeef);
177 ret = GetNumberOfEventLogRecords(NULL, NULL);
178 ok(!ret, "Expected failure\n");
179 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
181 SetLastError(0xdeadbeef);
183 ret = GetNumberOfEventLogRecords(NULL, &count);
184 ok(!ret, "Expected failure\n");
185 ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
186 ok(count == 0xdeadbeef, "Expected count to stay unchanged\n");
188 handle = OpenEventLogA(NULL, "Application");
190 SetLastError(0xdeadbeef);
191 ret = GetNumberOfEventLogRecords(handle, NULL);
192 ok(!ret, "Expected failure\n");
193 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
196 ret = GetNumberOfEventLogRecords(handle, &count);
197 ok(ret, "Expected success\n");
198 ok(count != 0xdeadbeef, "Expected the number of records\n");
200 CloseEventLog(handle);
202 /* Make a backup eventlog to work with */
203 create_backup(backup);
205 handle = OpenBackupEventLogA(NULL, backup);
207 ok(handle != NULL, "Expected a handle\n");
209 /* Does GetNumberOfEventLogRecords work with backup eventlogs? */
211 ret = GetNumberOfEventLogRecords(handle, &count);
214 ok(ret, "Expected success\n");
215 ok(count != 0xdeadbeef, "Expected the number of records\n");
218 CloseEventLog(handle);
222 static void test_oldest(void)
227 const char backup[] = "backup.evt";
229 SetLastError(0xdeadbeef);
230 ret = GetOldestEventLogRecord(NULL, NULL);
231 ok(!ret, "Expected failure\n");
232 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
234 SetLastError(0xdeadbeef);
236 ret = GetOldestEventLogRecord(NULL, &oldest);
237 ok(!ret, "Expected failure\n");
238 ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
239 ok(oldest == 0xdeadbeef, "Expected oldest to stay unchanged\n");
241 handle = OpenEventLogA(NULL, "Application");
243 SetLastError(0xdeadbeef);
244 ret = GetOldestEventLogRecord(handle, NULL);
245 ok(!ret, "Expected failure\n");
246 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
249 ret = GetOldestEventLogRecord(handle, &oldest);
250 ok(ret, "Expected success\n");
251 ok(oldest != 0xdeadbeef, "Expected the number of the oldest record\n");
253 CloseEventLog(handle);
255 /* Make a backup eventlog to work with */
256 create_backup(backup);
258 handle = OpenBackupEventLogA(NULL, backup);
260 ok(handle != NULL, "Expected a handle\n");
262 /* Does GetOldestEventLogRecord work with backup eventlogs? */
264 ret = GetOldestEventLogRecord(handle, &oldest);
267 ok(ret, "Expected success\n");
268 ok(oldest != 0xdeadbeef, "Expected the number of the oldest record\n");
271 CloseEventLog(handle);
275 static void test_backup(void)
279 const char backup[] = "backup.evt";
280 const char backup2[] = "backup2.evt";
282 SetLastError(0xdeadbeef);
283 ret = BackupEventLogA(NULL, NULL);
284 ok(!ret, "Expected failure\n");
285 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
287 SetLastError(0xdeadbeef);
288 ret = BackupEventLogA(NULL, backup);
289 ok(!ret, "Expected failure\n");
290 ok(GetFileAttributesA(backup) == INVALID_FILE_ATTRIBUTES, "Expected no backup file\n");
292 handle = OpenEventLogA(NULL, "Application");
294 SetLastError(0xdeadbeef);
295 ret = BackupEventLogA(handle, NULL);
296 ok(!ret, "Expected failure\n");
297 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
299 ret = BackupEventLogA(handle, backup);
300 ok(ret, "Expected success\n");
302 ok(GetFileAttributesA(backup) != INVALID_FILE_ATTRIBUTES, "Expected a backup file\n");
304 /* Try to overwrite */
305 SetLastError(0xdeadbeef);
306 ret = BackupEventLogA(handle, backup);
309 ok(!ret, "Expected failure\n");
310 ok(GetLastError() == ERROR_ALREADY_EXISTS, "Expected ERROR_ALREADY_EXISTS, got %d\n", GetLastError());
313 CloseEventLog(handle);
315 /* Can we make a backup of a backup? */
316 handle = OpenBackupEventLogA(NULL, backup);
318 ok(handle != NULL, "Expected a handle\n");
320 ret = BackupEventLogA(handle, backup2);
323 ok(ret, "Expected success\n");
324 ok(GetFileAttributesA(backup2) != INVALID_FILE_ATTRIBUTES, "Expected a backup file\n");
327 CloseEventLog(handle);
329 DeleteFileA(backup2);
332 static void test_read(void)
336 DWORD count, toread, read, needed;
339 SetLastError(0xdeadbeef);
340 ret = ReadEventLogA(NULL, 0, 0, NULL, 0, NULL, NULL);
341 ok(!ret, "Expected failure\n");
343 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
346 SetLastError(0xdeadbeef);
347 ret = ReadEventLogA(NULL, 0, 0, NULL, 0, &read, NULL);
348 ok(!ret, "Expected failure\n");
349 ok(read == 0xdeadbeef, "Expected 'read' parameter to remain unchanged\n");
351 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
354 SetLastError(0xdeadbeef);
355 ret = ReadEventLogA(NULL, 0, 0, NULL, 0, NULL, &needed);
356 ok(!ret, "Expected failure\n");
357 ok(needed == 0xdeadbeef, "Expected 'needed' parameter to remain unchanged\n");
359 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
361 /* 'read' and 'needed' are only filled when the needed buffer size is passed back or when the call succeeds */
362 SetLastError(0xdeadbeef);
363 ret = ReadEventLogA(NULL, 0, 0, NULL, 0, &read, &needed);
364 ok(!ret, "Expected failure\n");
366 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
368 SetLastError(0xdeadbeef);
369 ret = ReadEventLogA(NULL, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, NULL, 0, NULL, NULL);
370 ok(!ret, "Expected failure\n");
372 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
374 SetLastError(0xdeadbeef);
375 ret = ReadEventLogA(NULL, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, NULL, 0, &read, &needed);
376 ok(!ret, "Expected failure\n");
378 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
381 SetLastError(0xdeadbeef);
382 ret = ReadEventLogA(NULL, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
383 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
384 ok(!ret, "Expected failure\n");
386 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
388 buf = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD));
389 SetLastError(0xdeadbeef);
390 ret = ReadEventLogA(NULL, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
391 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
392 ok(!ret, "Expected failure\n");
394 ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
395 HeapFree(GetProcessHeap(), 0, buf);
397 handle = OpenEventLogA(NULL, "Application");
399 /* Show that we need the proper dwFlags with a (for the rest) proper call */
400 buf = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD));
402 SetLastError(0xdeadbeef);
403 ret = ReadEventLogA(handle, 0, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
404 ok(!ret, "Expected failure\n");
406 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
408 SetLastError(0xdeadbeef);
409 ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
410 ok(!ret, "Expected failure\n");
412 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
414 SetLastError(0xdeadbeef);
415 ret = ReadEventLogA(handle, EVENTLOG_SEEK_READ, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
416 ok(!ret, "Expected failure\n");
418 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
420 SetLastError(0xdeadbeef);
421 ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ | EVENTLOG_BACKWARDS_READ,
422 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
423 ok(!ret, "Expected failure\n");
425 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
427 SetLastError(0xdeadbeef);
428 ret = ReadEventLogA(handle, EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ | EVENTLOG_BACKWARDS_READ,
429 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
430 ok(!ret, "Expected failure\n");
432 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
434 SetLastError(0xdeadbeef);
435 ret = ReadEventLogA(handle, EVENTLOG_SEEK_READ | EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
436 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
437 ok(!ret, "Expected failure\n");
439 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
441 HeapFree(GetProcessHeap(), 0, buf);
443 /* First check if there are any records (in practice only on Wine: FIXME) */
445 GetNumberOfEventLogRecords(handle, &count);
448 skip("No records in the 'Application' log\n");
449 CloseEventLog(handle);
453 /* Get the buffer size for the first record */
454 buf = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD));
455 read = needed = 0xdeadbeef;
456 SetLastError(0xdeadbeef);
457 ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
458 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
459 ok(!ret, "Expected failure\n");
460 ok(read == 0, "Expected no bytes read\n");
461 ok(needed > sizeof(EVENTLOGRECORD), "Expected the needed buffersize to be bigger than sizeof(EVENTLOGRECORD)\n");
462 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
464 /* Read the first record */
466 buf = HeapReAlloc(GetProcessHeap(), 0, buf, toread);
467 read = needed = 0xdeadbeef;
468 SetLastError(0xdeadbeef);
469 ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, buf, toread, &read, &needed);
470 ok(ret, "Expected success\n");
472 broken(read < toread), /* NT4 wants a buffer size way bigger than just 1 record */
473 "Expected the requested size to be read\n");
474 ok(needed == 0, "Expected no extra bytes to be read\n");
475 HeapFree(GetProcessHeap(), 0, buf);
477 CloseEventLog(handle);
480 static void test_openbackup(void)
482 HANDLE handle, handle2, file;
484 const char backup[] = "backup.evt";
485 const char text[] = "Just some text";
487 SetLastError(0xdeadbeef);
488 handle = OpenBackupEventLogA(NULL, NULL);
489 ok(handle == NULL, "Didn't expect a handle\n");
490 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
492 SetLastError(0xdeadbeef);
493 handle = OpenBackupEventLogA(NULL, "idontexist.evt");
494 ok(handle == NULL, "Didn't expect a handle\n");
495 ok(GetLastError() == ERROR_FILE_NOT_FOUND, "Expected ERROR_FILE_NOT_FOUND, got %d\n", GetLastError());
497 SetLastError(0xdeadbeef);
498 handle = OpenBackupEventLogA("IDontExist", NULL);
499 ok(handle == NULL, "Didn't expect a handle\n");
500 ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %d\n", GetLastError());
502 SetLastError(0xdeadbeef);
503 handle = OpenBackupEventLogA("IDontExist", "idontexist.evt");
504 ok(handle == NULL, "Didn't expect a handle\n");
505 ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE ||
506 GetLastError() == RPC_S_INVALID_NET_ADDR, /* Some Vista and Win7 */
507 "Expected RPC_S_SERVER_UNAVAILABLE, got %d\n", GetLastError());
509 /* Make a backup eventlog to work with */
510 create_backup(backup);
512 /* FIXME: Wine stops here */
513 if (GetFileAttributesA(backup) == INVALID_FILE_ATTRIBUTES)
515 skip("We don't have a backup eventlog to work with\n");
519 SetLastError(0xdeadbeef);
520 handle = OpenBackupEventLogA("IDontExist", backup);
521 ok(handle == NULL, "Didn't expect a handle\n");
522 ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE ||
523 GetLastError() == RPC_S_INVALID_NET_ADDR, /* Some Vista and Win7 */
524 "Expected RPC_S_SERVER_UNAVAILABLE, got %d\n", GetLastError());
526 /* Empty servername should be read as local server */
527 handle = OpenBackupEventLogA("", backup);
528 ok(handle != NULL, "Expected a handle\n");
529 CloseEventLog(handle);
531 handle = OpenBackupEventLogA(NULL, backup);
532 ok(handle != NULL, "Expected a handle\n");
534 /* Can we open that same backup eventlog more than once? */
535 handle2 = OpenBackupEventLogA(NULL, backup);
536 ok(handle2 != NULL, "Expected a handle\n");
537 ok(handle2 != handle, "Didn't expect the same handle\n");
538 CloseEventLog(handle2);
540 CloseEventLog(handle);
543 /* Is there any content checking done? */
544 file = CreateFileA(backup, GENERIC_WRITE, 0, NULL, CREATE_NEW, 0, NULL);
546 SetLastError(0xdeadbeef);
547 handle = OpenBackupEventLogA(NULL, backup);
548 ok(handle == NULL, "Didn't expect a handle\n");
549 ok(GetLastError() == ERROR_NOT_ENOUGH_MEMORY ||
550 GetLastError() == ERROR_EVENTLOG_FILE_CORRUPT, /* Vista and Win7 */
551 "Expected ERROR_NOT_ENOUGH_MEMORY, got %d\n", GetLastError());
552 CloseEventLog(handle);
555 file = CreateFileA(backup, GENERIC_WRITE, 0, NULL, CREATE_NEW, 0, NULL);
556 WriteFile(file, text, sizeof(text), &written, NULL);
558 SetLastError(0xdeadbeef);
559 handle = OpenBackupEventLogA(NULL, backup);
560 ok(handle == NULL, "Didn't expect a handle\n");
561 ok(GetLastError() == ERROR_EVENTLOG_FILE_CORRUPT, "Expected ERROR_EVENTLOG_FILE_CORRUPT, got %d\n", GetLastError());
562 CloseEventLog(handle);
566 static void test_clear(void)
570 const char backup[] = "backup.evt";
571 const char backup2[] = "backup2.evt";
573 SetLastError(0xdeadbeef);
574 ret = ClearEventLogA(NULL, NULL);
575 ok(!ret, "Expected failure\n");
576 ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
578 /* Make a backup eventlog to work with */
579 create_backup(backup);
581 SetLastError(0xdeadbeef);
582 ret = ClearEventLogA(NULL, backup);
583 ok(!ret, "Expected failure\n");
584 ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
586 handle = OpenBackupEventLogA(NULL, backup);
588 ok(handle != NULL, "Expected a handle\n");
590 /* A real eventlog would fail with ERROR_ALREADY_EXISTS */
591 SetLastError(0xdeadbeef);
592 ret = ClearEventLogA(handle, backup);
593 ok(!ret, "Expected failure\n");
594 /* The eventlog service runs under an account that doesn't have the necessary
595 * permissions on the users home directory on a default Vista+ system.
597 ok(GetLastError() == ERROR_INVALID_HANDLE ||
598 GetLastError() == ERROR_ACCESS_DENIED, /* Vista+ */
599 "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
601 /* Show that ClearEventLog only works for real eventlogs. */
602 SetLastError(0xdeadbeef);
603 ret = ClearEventLogA(handle, backup2);
604 ok(!ret, "Expected failure\n");
605 ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
606 ok(GetFileAttributesA(backup2) == INVALID_FILE_ATTRIBUTES, "Expected no backup file\n");
608 SetLastError(0xdeadbeef);
609 ret = ClearEventLogA(handle, NULL);
610 ok(!ret, "Expected failure\n");
611 ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %d\n", GetLastError());
613 CloseEventLog(handle);
615 ok(DeleteFileA(backup), "Could not delete the backup file\n");
618 static const char eventlogsvc[] = "SYSTEM\\CurrentControlSet\\Services\\Eventlog";
619 static const char eventlogname[] = "Wine";
620 static const char eventsources[][11] = { "WineSrc", "WineSrc1", "WineSrc20", "WineSrc300" };
622 static BOOL create_new_eventlog(void)
629 /* First create our eventlog */
630 lret = RegOpenKeyA(HKEY_LOCAL_MACHINE, eventlogsvc, &key);
631 /* FIXME: Wine stops here */
632 if (lret != ERROR_SUCCESS)
634 skip("Could not open the EventLog service registry key\n");
637 lret = RegCreateKeyA(key, eventlogname, &eventkey);
638 if (lret != ERROR_SUCCESS)
640 skip("Could not create the eventlog '%s' registry key\n", eventlogname);
644 /* Create some event sources, the registry value 'Sources' is updated automatically */
645 for (i = 0; i < sizeof(eventsources)/sizeof(eventsources[0]); i++)
649 lret = RegCreateKeyA(eventkey, eventsources[i], &srckey);
650 if (lret != ERROR_SUCCESS)
652 skip("Could not create the eventsource '%s' registry key\n", eventsources[i]);
661 /* The flushing of the registry (here and above) gives us some assurance
662 * that we are not to quickly writing events as 'Sources' could still be
665 RegFlushKey(eventkey);
667 RegCloseKey(eventkey);
673 static const char *one_string[] = { "First string" };
674 static const char *two_strings[] = { "First string", "Second string" };
683 const char **evt_strings;
686 { eventlogname, EVENTLOG_INFORMATION_TYPE, 1, 1, FALSE, 1, one_string },
687 { eventsources[0], EVENTLOG_WARNING_TYPE, 1, 2, FALSE, 0, NULL },
688 { eventsources[1], EVENTLOG_AUDIT_FAILURE, 1, 3, FALSE, 2, two_strings },
689 { eventsources[2], EVENTLOG_ERROR_TYPE, 1, 4, FALSE, 0, NULL },
690 { eventsources[3], EVENTLOG_WARNING_TYPE, 1, 5, FALSE, 1, one_string },
691 { eventlogname, EVENTLOG_SUCCESS, 2, 6, TRUE, 2, two_strings },
692 { eventsources[0], EVENTLOG_AUDIT_FAILURE, 2, 7, TRUE, 0, NULL },
693 { eventsources[1], EVENTLOG_AUDIT_SUCCESS, 2, 8, TRUE, 2, two_strings },
694 { eventsources[2], EVENTLOG_WARNING_TYPE, 2, 9, TRUE, 0, NULL },
695 { eventsources[3], EVENTLOG_ERROR_TYPE, 2, 10, TRUE, 1, one_string }
698 static void test_readwrite(void)
702 DWORD sidsize, count;
703 BOOL ret, sidavailable;
704 BOOL on_vista = FALSE; /* Used to indicate Vista or higher */
706 char localcomputer[MAX_COMPUTERNAME_LENGTH + 1];
707 DWORD len = sizeof(localcomputer);
709 if (pCreateWellKnownSid)
711 sidsize = SECURITY_MAX_SID_SIZE;
712 user = HeapAlloc(GetProcessHeap(), 0, sidsize);
713 SetLastError(0xdeadbeef);
714 pCreateWellKnownSid(WinInteractiveSid, NULL, user, &sidsize);
719 win_skip("Skipping some SID related tests\n");
720 sidavailable = FALSE;
724 GetComputerNameA(localcomputer, &len);
726 /* Write an event with an incorrect event type. This will fail on Windows 7
727 * but succeed on all others, hence it's not part of the struct.
729 handle = OpenEventLogA(NULL, eventlogname);
731 SetLastError(0xdeadbeef);
732 ret = ReportEvent(handle, 0x20, 0, 0, NULL, 0, 0, NULL, NULL);
733 if (!ret && GetLastError() == ERROR_CRC)
735 win_skip("Win7 fails when using incorrect event types\n");
736 ret = ReportEvent(handle, 0, 0, 0, NULL, 0, 0, NULL, NULL);
738 ok(ret, "Expected success : %d\n", GetLastError());
740 /* This will clear the eventlog. The record numbering for new
741 * events however differs on Vista+. Before Vista the first
742 * event would be numbered 1, on Vista+ it's now 2 as we already
745 ClearEventLogA(handle, NULL);
746 CloseEventLog(handle);
748 /* Write a bunch of events while using different event sources */
749 for (i = 0; i < sizeof(read_write)/sizeof(read_write[0]); i++)
752 BOOL run_sidtests = read_write[i].evt_sid & sidavailable;
754 /* We don't need to use RegisterEventSource to report events */
756 handle = OpenEventLogA(NULL, read_write[i].evt_src);
758 handle = RegisterEventSourceA(NULL, read_write[i].evt_src);
759 ok(handle != NULL, "Expected a handle\n");
761 SetLastError(0xdeadbeef);
762 ret = ReportEvent(handle, read_write[i].evt_type, read_write[i].evt_cat,
763 read_write[i].evt_id, run_sidtests ? user : NULL,
764 read_write[i].evt_numstrings, 0, read_write[i].evt_strings, NULL);
767 ret = GetNumberOfEventLogRecords(handle, &count);
768 ok(ret, "Expected success\n");
769 ok(count == (i + 1), "Expected %d records, got %d\n", i + 1, count);
772 ret = GetOldestEventLogRecord(handle, &oldest);
773 ok(ret, "Expected success\n");
775 oldest == 2, /* Vista+ */
776 "Expected oldest to be 1 or 2, got %d\n", oldest);
781 ret = CloseEventLog(handle);
783 ret = DeregisterEventSource(handle);
784 ok(ret, "Expected success : %d\n", GetLastError());
787 handle = OpenEventLogA(NULL, eventlogname);
789 ret = GetNumberOfEventLogRecords(handle, &count);
790 ok(ret, "Expected success\n");
791 ok(count == i, "Expected %d records, got %d\n", i, count);
792 CloseEventLog(handle);
796 skip("No events were written to the eventlog\n");
800 /* Report only once */
802 skip("There is no DWORD alignment for UserSid on Vista or higher\n");
804 /* Read all events from our created eventlog, one by one */
805 handle = OpenEventLogA(NULL, eventlogname);
811 EVENTLOGRECORD *record;
812 char *sourcename, *computername;
815 BOOL run_sidtests = read_write[i].evt_sid & sidavailable;
817 buf = HeapAlloc(GetProcessHeap(), 0, sizeof(EVENTLOGRECORD));
818 SetLastError(0xdeadbeef);
819 ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
820 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
821 if (!ret && GetLastError() == ERROR_HANDLE_EOF)
823 HeapFree(GetProcessHeap(), 0, buf);
826 ok(!ret, "Expected failure\n");
827 ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER,
828 "Expected ERROR_INVALID_PARAMETER, got %d\n",GetLastError());
830 buf = HeapReAlloc(GetProcessHeap(), 0, buf, needed);
831 ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
832 0, buf, needed, &read, &needed);
833 ok(ret, "Expected success: %d\n", GetLastError());
835 record = (EVENTLOGRECORD *)buf;
837 ok(record->Length == read,
838 "Expected %d, got %d\n", read, record->Length);
839 ok(record->Reserved == 0x654c664c,
840 "Expected 0x654c664c, got %d\n", record->Reserved);
841 ok(record->RecordNumber == i + 1 ||
842 (on_vista && (record->RecordNumber == i + 2)),
843 "Expected %d or %d, got %d\n", i + 1, i + 2, record->RecordNumber);
844 ok(record->EventID == read_write[i].evt_id,
845 "Expected %d, got %d\n", read_write[i].evt_id, record->EventID);
846 ok(record->EventType == read_write[i].evt_type,
847 "Expected %d, got %d\n", read_write[i].evt_type, record->EventType);
848 ok(record->NumStrings == read_write[i].evt_numstrings,
849 "Expected %d, got %d\n", read_write[i].evt_numstrings, record->NumStrings);
850 ok(record->EventCategory == read_write[i].evt_cat,
851 "Expected %d, got %d\n", read_write[i].evt_cat, record->EventCategory);
853 sourcename = (char *)((BYTE *)buf + sizeof(EVENTLOGRECORD));
854 ok(!lstrcmpA(sourcename, read_write[i].evt_src), "Expected '%s', got '%s'\n",
855 read_write[i].evt_src, sourcename);
857 computername = (char *)((BYTE *)buf + sizeof(EVENTLOGRECORD) + lstrlenA(sourcename) + 1);
858 ok(!lstrcmpiA(computername, localcomputer), "Expected '%s', got '%s'\n",
859 localcomputer, computername);
861 /* Before Vista, UserSid was aligned on a DWORD boundary. Next to that if
862 * no padding was actually required a 0 DWORD was still used for padding. No
863 * application should be relying on the padding as we are working with offsets
869 DWORD calculated_sidoffset = sizeof(EVENTLOGRECORD) + lstrlenA(sourcename) + 1 + lstrlenA(computername) + 1;
871 /* We are already DWORD aligned, there should still be some padding */
872 if ((((UINT_PTR)buf + calculated_sidoffset) % sizeof(DWORD)) == 0)
873 ok(*(DWORD *)((BYTE *)buf + calculated_sidoffset) == 0, "Expected 0\n");
875 ok((((UINT_PTR)buf + record->UserSidOffset) % sizeof(DWORD)) == 0, "Expected DWORD alignment\n");
880 ok(record->UserSidLength == sidsize, "Expected %d, got %d\n", sidsize, record->UserSidLength);
884 ok(record->StringOffset == record->UserSidOffset, "Expected offsets to be the same\n");
885 ok(record->UserSidLength == 0, "Expected 0, got %d\n", record->UserSidLength);
888 ok(record->DataLength == 0, "Expected 0, got %d\n", record->DataLength);
890 ptr = (char *)((BYTE *)buf + record->StringOffset);
891 for (k = 0; k < record->NumStrings; k++)
893 ok(!lstrcmpA(ptr, two_strings[k]), "Expected '%s', got '%s'\n", two_strings[k], ptr);
894 ptr += lstrlenA(ptr) + 1;
897 ok(record->Length == *(DWORD *)((BYTE *)buf + record->Length - sizeof(DWORD)),
898 "Expected the closing DWORD to contain the length of the record\n");
900 HeapFree(GetProcessHeap(), 0, buf);
903 CloseEventLog(handle);
905 HeapFree(GetProcessHeap(), 0, user);
907 /* Test clearing a real eventlog */
908 handle = OpenEventLogA(NULL, eventlogname);
910 SetLastError(0xdeadbeef);
911 ret = ClearEventLogA(handle, NULL);
912 ok(ret, "Expected success\n");
915 ret = GetNumberOfEventLogRecords(handle, &count);
916 ok(ret, "Expected success\n");
917 ok(count == 0, "Expected an empty eventlog, got %d records\n", count);
919 CloseEventLog(handle);
924 * Creating an eventlog on Windows (via the registry) automatically leads
925 * to creation of a REG_MULTI_SZ named 'Sources'. This value lists all the
926 * potential event sources for this eventlog. 'Sources' is automatically
927 * updated when a new key (aka event source) is created.
929 * Although the updating of registry keys is almost instantaneously, we
930 * check it after some other tests to assure we are not querying the
931 * registry or file system to quickly.
935 * The eventlog file itself is also automatically created, even before we
936 * start writing events.
938 static char eventlogfile[MAX_PATH];
939 static void test_autocreation(void)
946 char sources[sizeof(eventsources)];
947 char sysdir[MAX_PATH];
949 RegOpenKeyA(HKEY_LOCAL_MACHINE, eventlogsvc, &key);
950 RegOpenKeyA(key, eventlogname, &eventkey);
952 size = sizeof(sources);
954 ret = RegQueryValueExA(eventkey, "Sources", NULL, &type, (LPBYTE)sources, &size);
955 if (ret == ERROR_SUCCESS)
957 char sources_verify[sizeof(eventsources)];
959 ok(type == REG_MULTI_SZ, "Expected a REG_MULTI_SZ, got %d\n", type);
961 /* Build the expected string */
962 memset(sources_verify, 0, sizeof(sources_verify));
964 for (i = sizeof(eventsources)/sizeof(eventsources[0]); i > 0; i--)
966 lstrcpyA(p, eventsources[i - 1]);
967 p += (lstrlenA(eventsources[i - 1]) + 1);
969 lstrcpyA(p, eventlogname);
971 ok(!memcmp(sources, sources_verify, size), "Expected a correct 'Sources' value\n");
974 RegCloseKey(eventkey);
977 /* On Windows we also automatically get an eventlog file */
978 GetSystemDirectoryA(sysdir, sizeof(sysdir));
981 lstrcpyA(eventlogfile, sysdir);
982 lstrcatA(eventlogfile, "\\config\\");
983 lstrcatA(eventlogfile, eventlogname);
984 lstrcatA(eventlogfile, ".evt");
986 if (GetFileAttributesA(eventlogfile) == INVALID_FILE_ATTRIBUTES)
989 lstrcpyA(eventlogfile, sysdir);
990 lstrcatA(eventlogfile, "\\winevt\\Logs\\");
991 lstrcatA(eventlogfile, eventlogname);
992 lstrcatA(eventlogfile, ".evtx");
995 ok(GetFileAttributesA(eventlogfile) != INVALID_FILE_ATTRIBUTES,
996 "Expected an eventlog file\n");
999 static void cleanup_eventlog(void)
1005 char winesvc[MAX_PATH];
1007 /* Delete the registry tree */
1008 lstrcpyA(winesvc, eventlogsvc);
1009 lstrcatA(winesvc, "\\");
1010 lstrcatA(winesvc, eventlogname);
1012 RegOpenKeyA(HKEY_LOCAL_MACHINE, winesvc, &key);
1013 for (i = 0; i < sizeof(eventsources)/sizeof(eventsources[0]); i++)
1014 RegDeleteKeyA(key, eventsources[i]);
1015 RegDeleteValueA(key, "Sources");
1017 lret = RegDeleteKeyA(HKEY_LOCAL_MACHINE, winesvc);
1019 ok(lret == ERROR_SUCCESS, "Could not delete the registry tree : %d\n", lret);
1021 /* A handle to the eventlog is locked by services.exe. We can only
1022 * delete the eventlog file after reboot.
1024 bret = MoveFileExA(eventlogfile, NULL, MOVEFILE_DELAY_UNTIL_REBOOT);
1026 ok(bret, "Expected MoveFileEx to succeed: %d\n", GetLastError());
1029 START_TEST(eventlog)
1031 SetLastError(0xdeadbeef);
1032 CloseEventLog(NULL);
1033 if (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
1035 win_skip("Event log functions are not implemented\n");
1039 init_function_pointers();
1041 /* Parameters only */
1051 /* Functional tests */
1052 if (create_new_eventlog())
1055 test_autocreation();