Example #1
// readString decodes a UTF-16 string from buffer, starting at the position
// that offset reports for the value read from reader.
//
// A value flagged as NULL (offset returns ErrorEvtVarTypeNULL) is not treated
// as a failure: it yields an empty string and a nil error. Any other error
// from offset, or from the UTF-16 decoder, is returned unchanged.
func readString(buffer []byte, reader io.Reader) (string, error) {
	start, err := offset(buffer, reader)
	switch {
	case err == ErrorEvtVarTypeNULL:
		// Ignore NULL values.
		return "", nil
	case err != nil:
		return "", err
	}

	// NOTE(review): the slice below panics if start lies outside buffer.
	// This relies on offset() having validated the position it derives
	// from the record; confirm that against its implementation.
	decoded, _, err := eventlog.UTF16BytesToString(buffer[start:])
	return decoded, err
}
Example #2
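// FormatEventString formats part of the event as a string.
//
// messageFlag determines what part of the event is formatted as a string.
// eventHandle is the handle to the event.
// publisher is the name of the event's publisher.
// publisherHandle is a handle to the publisher's metadata as provided by
// EvtOpenPublisherMetadata. When it is NullEvtHandle, a handle is opened for
// the duration of the call and closed before returning.
// lang is the language ID.
// buffer is optional and if not provided it will be allocated.
//
// On success it returns the decoded strings, 0, and a nil error. When the
// buffer is too small it returns the number of bytes required together with
// the insufficient-buffer error from the format call, so the caller can retry
// with a larger buffer. Any other error is returned with a size of 0.
//
// Lengths reported by the format call and by the decoder are bounds-checked
// before they are used to index buffer: an out-of-range slice would panic and
// stop the caller from processing any further events.
func FormatEventString(
	messageFlag EvtFormatMessageFlag,
	eventHandle EvtHandle,
	publisher string,
	publisherHandle EvtHandle,
	lang uint32,
	buffer []byte,
) ([]string, int, error) {
	p, err := syscall.UTF16PtrFromString(publisher)
	if err != nil {
		return nil, 0, err
	}

	// Open a publisher handle if one was not provided.
	ph := publisherHandle
	if ph == NullEvtHandle {
		ph, err = _EvtOpenPublisherMetadata(NullEvtHandle, p, nil, lang, 0)
		if err != nil {
			return nil, 0, err
		}
		// Only the handle opened here is closed; a caller-supplied handle
		// remains owned by the caller.
		defer _EvtClose(ph)
	}

	// Create a buffer if one was not provided.
	var bufferUsed uint32
	if buffer == nil {
		// Sizing call: with no buffer, the call is expected to fail with an
		// insufficient-buffer error and report the required length.
		err = _EvtFormatMessage(ph, eventHandle, 0, 0, 0, messageFlag,
			0, nil, &bufferUsed)
		if err != nil && !isInsufficientBuffer(err) {
			return nil, 0, err
		}

		// bufferUsed counts UTF-16 chars (two bytes each). Widen before
		// doubling so the byte count does not wrap in uint32.
		buffer = make([]byte, int(bufferUsed)*2)
		bufferUsed = 0
	}

	// A zero-length buffer has no first element to take the address of
	// (&buffer[0] would panic), so pass nil with a zero size instead, just
	// as the sizing call above does.
	var bufPtr *byte
	if len(buffer) > 0 {
		bufPtr = &buffer[0]
	}

	err = _EvtFormatMessage(ph, eventHandle, 0, 0, 0, messageFlag,
		uint32(len(buffer)/2), bufPtr, &bufferUsed)
	used := int(bufferUsed) * 2 // It returns the number of utf-16 chars.
	if err != nil {
		if isInsufficientBuffer(err) {
			return nil, used, err
		}
		return nil, 0, err
	}

	// Do not trust the reported length beyond what was actually allocated.
	if used > len(buffer) {
		used = len(buffer)
	}

	var values []string
	offset := 0
	for {
		value, size, decErr := eventlog.UTF16BytesToString(buffer[offset:used])
		if decErr != nil {
			return nil, 0, decErr
		}
		values = append(values, removeWindowsLineEndings(value))

		// NOTE(review): the contract of the returned size is not visible
		// here. A non-positive size would either loop forever or move offset
		// backwards into a negative slice index, so stop in that case.
		if size <= 0 {
			break
		}
		offset += size
		if offset >= used {
			break
		}
	}

	return values, 0, nil
}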