How to check that the given path exists in registry? - winapi

Actually i have Path=Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run,andSoftware\\Microsoft\\Windows\\CurrentVersion\\Run and i am passing root key asHKEY_USESRSfrom which i am getting subkeys.then Iam Concatinating subkey+Path.....In loop i am gettingHKEY_USERS\S-1-5-19\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run also actually which is not existing in registry...is there any function to check Complete path exists or not?
listData.RemoveAll();
HKEY hrKey=HKEY_USERS,hKey;
if(hrKey==HKEY_USERS)
{
TCHAR achKey[MAX_KEY_LENGTH]; // buffer for subkey name
DWORD cbName; // size of name string
TCHAR achClass[MAX_PATH] = TEXT(""); // buffer for class name
DWORD cchClassName = MAX_PATH; // size of class string
DWORD cSubKeys=0; // number of subkeys
DWORD cbMaxSubKey; // longest subkey size
DWORD cchMaxClass; // longest class string
DWORD cValues; // number of values for key
DWORD cchMaxValue; // longest value name
DWORD cbMaxValueData; // longest value data
DWORD cbSecurityDescriptor; // size of security descriptor
FILETIME ftLastWriteTime; // last write time
DWORD i, retCode;
// Get the class name and the value count.
retCode = RegQueryInfoKey(hrKey, // key handle
achClass, // buffer for class name
&cchClassName, // size of class string
NULL, // reserved
&cSubKeys, // number of subkeys
&cbMaxSubKey, // longest subkey size
&cchMaxClass, // longest class string
&cValues, // number of values for this key
&cchMaxValue, // longest value name
&cbMaxValueData, // longest value data
&cbSecurityDescriptor, // security descriptor
&ftLastWriteTime); // last write time
if (cSubKeys)
{
for (i=0; i<cSubKeys; i++)
{
cbName = MAX_KEY_LENGTH;
retCode = RegEnumKeyEx(hrKey, i,achKey,&cbName,NULL,NULL,NULL,&ftLastWriteTime);
if (retCode == ERROR_SUCCESS)
{
CString subKey=achKey;
if(subKey!=_T(".DEFAULT")&&(subKey.Mid(subKey.ReverseFind('_')+1)!=_T("Classes")))
{
csRegistryPath=subKey+_T("\\")+csRegistryPath;
CLog::Log( csRegistryPath);
}
}
}
}
csRegistryPath is array in calling function then once i will getS-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run and S-1-5-19\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce basing on this path i am performing further operations but actually HKEY_USERS\S-1-5-19\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce not exist in registry if get this path i need to check if this is existing or not ? to do this isthere any API

For a Win32 API solution you use RegOpenKeyEx to test for existence of a key.
Do note that you must not hard code Wow6432Node. Use the KEY_WOW64_32KEY flag to specify that you want to look in the 32 bit view of the registry.
You would want to pass
STANDARD_RIGHTS_READ | KEY_WOW64_32KEY
to the samDesired argument of RegOpenKeyEx.

Related

sending a pointer of global variable's member to WinHttpQueryHeaders (WinHTTP API) does not change it's value

I have the following code snippet:
// Using HttpQueryInfo to obtain the size of the buffer into dwSize.
if (!WinHttpQueryHeaders(hRequest,
WINHTTP_QUERY_RAW_HEADERS_CRLF,
WINHTTP_HEADER_NAME_BY_INDEX, NULL, &st.dwSize, WINHTTP_NO_HEADER_INDEX))
{
// An ERROR_INSUFFICIENT_BUFFER is expected because you
// are looking for the size of the headers. If any other
// error is encountered, display error information.
DWORD dwErr = GetLastError();
if (dwErr != ERROR_INSUFFICIENT_BUFFER)
{
DEBUG_PRINT(("Error %d encountered.", dwErr));
return;
} else {
// enters here and prints '0' (initial value)
DEBUG_PRINT(("size of buffer: ", &st.dwSize));
}
}
while st is a global object with a member dwSize.
When I'm running this part in debugging mode I see that st.dwSize does not change its value after the call to WinHttpQueryHeaders.
But if I create a local var DWORD dwSize = 0 and send &dwSize to WinHttpQueryHeaders, it does obtain buffer size and succeeds to change its value.
is there any reason why I shouldn't send a pointer of a global object's member to WinHttpQueryHeaders or to any other external API functions?
the reason WinHttpQueryHeaders did not succeed to change st.dwSize it's because I declered st as a static global var.
static WinHttpSubtransport st;
and as written in Scope rules of the "persistent" variables in C:
A static global variable is a global variable that can only be accessed by functions in the same C program file as the variable.

How to get mode name using XCB?

In Xlib the structure XRRModeInfo contains, aside from nameLength field, the name itself. But in XCB the corresponding structure xcb_randr_mode_info_t only contains name_len, and there seems to be no function to get actual name string.
I do see all the mode names in the string returned by xcb_randr_get_screen_resources_names(), but they are all concatenated, and I don't know how to find the offset of a particular mode in this string.
So, how can I get the mode name using XCB?
I do see all the mode names in the string returned by xcb_randr_get_screen_resources_names(), but they are all concatenated, and I don't know how to find the offset of a particular mode in this string.
You have the length of the individual names and you know the length of each name, so you just have to count bytes:
#include <stdio.h>
#include <xcb/randr.h>
int main()
{
xcb_connection_t *c = xcb_connect(NULL, NULL);
xcb_screen_t *screen = xcb_setup_roots_iterator(xcb_get_setup(c)).data;
// TODO: Error handling
// TODO: Checking if the RandR extension is available
xcb_randr_get_screen_resources_reply_t *reply =
xcb_randr_get_screen_resources_reply(c,
xcb_randr_get_screen_resources(c, screen->root),
NULL);
xcb_randr_mode_info_iterator_t iter = xcb_randr_get_screen_resources_modes_iterator(reply);
uint8_t *names = xcb_randr_get_screen_resources_names(reply);
while (iter.rem) {
xcb_randr_mode_info_t *mode = iter.data;
printf("Mode %d has size %dx%d and name %.*s\n",
mode->id, mode->width, mode->height, mode->name_len, names);
names += mode->name_len;
xcb_randr_mode_info_next(&iter);
}
free(reply);
xcb_disconnect(c);
return 0;
}

How to find the device instance id of a PCSC reader

Having only a handle and context to a PCSC reader using winscard on Windows >= XP, is there some way to get its device instance id or something else that can be used in the SetupDi* API to find out which driver is loaded for said reader.
SCardGetReaderDeviceInstanceId is only available on Windows 8, so unfortunately not for me.
As a plan B, all smart card readers could be enumerated in SetupDi using the smart card reader class guid. But then I would need a unique attribute to be able to correlate a reader between SCard* API and SetupDi* API. For example, the serial number sounds like a good candidate, but not all manufacturers use it.
Any ideas?
One way to match SCard with Setup is to open the driver, then use IOCTL_SMARTCARD_GET_ATTRIBUTE to query SCARD_ATTR_DEVICE_SYSTEM_NAME and match it with the one via SCard API.
There is only one tiny problem. The Smartcard service opens all smartcard drivers without sharing. You first need to stop the Smartcard service before being able to open the device driver.
Another solution is to use the SCardControl function to call the driver via IOCTL_xxx calls from within the SCard API.
The problem here is that until so far I haven't found a IOCTL_xxx call which I can use to match with any property from the Setup API.
I tried a brute force loop to scan for supported IOCTL_xxx calls but the SCard api crashes when doing so, and reporting every failing IOCTL_xxx call to the event viewer.
-- update --
The IOCTL supports the following tags:
SCARD_ATTR_VENDOR_NAME
SCARD_ATTR_VENDOR_IFD_TYPE
SCARD_ATTR_VENDOR_IFD_VERSION
SCARD_ATTR_CHANNEL_ID
SCARD_ATTR_PROTOCOL_TYPES
SCARD_ATTR_DEFAULT_CLK
SCARD_ATTR_MAX_CLK
SCARD_ATTR_DEFAULT_DATA_RATE
SCARD_ATTR_MAX_DATA_RATE
SCARD_ATTR_MAX_IFSD
SCARD_ATTR_POWER_MGMT_SUPPORT
SCARD_ATTR_CHARACTERISTICS
SCARD_ATTR_ICC_PRESENCE
SCARD_ATTR_ICC_INTERFACE_STATUS
SCARD_ATTR_DEVICE_UNIT
Below is the code to generate the smartcard device name from either the IOCTL, and via SCARD also to demonstrate the simularity between two methods
//------------------------------------------------------------------------------
// PROTOTYPES
//------------------------------------------------------------------------------
/* get the Smartcard DeviceName via IOCTL calls */
BOOL Smc_GetDeviceNameViaIOCTL(HANDLE,TCHAR*,UINT);
/* get the Smartcard DeviceName via SCARD calls */
BOOL Smc_GetDeviceNameViaSCARD(SCARDHANDLE,TCHAR*,UINT);
//------------------------------------------------------------------------------
// IMPLEMENTATIONS
//------------------------------------------------------------------------------
/************************************************/
/* get the Smartcard DeviceName via IOCTL calls */
/************************************************/
BOOL Smc_GetDeviceNameViaIOCTL(HANDLE in_hDev, TCHAR *out_Name, UINT in_MaxLen)
{
/* locals */
UINT lv_Pos;
DWORD lv_InBuf;
DWORD lv_ValLen;
DWORD lv_ChanID;
CHAR lv_OutBuf[256];
BOOL lv_Result;
// reserve space for eos
if (in_MaxLen-- <= 0)
return FALSE;
// init the position
lv_Pos = 0;
// set the tag
lv_InBuf = SCARD_ATTR_VENDOR_NAME;
// get the value
lv_Result = DeviceIoControl(
in_hDev, IOCTL_SMARTCARD_GET_ATTRIBUTE,
&lv_InBuf, sizeof(DWORD), lv_OutBuf, 256, &lv_ValLen, 0);
// fail?
if (!lv_Result)
return FALSE;
// check the length, including space
if (lv_Pos + lv_ValLen + 1 > in_MaxLen)
return FALSE;
// append to output
AChar2TCharCL(lv_OutBuf, lv_ValLen, &out_Name[lv_Pos], in_MaxLen-lv_Pos);
// update position
lv_Pos += lv_ValLen;
// append space
out_Name[lv_Pos++] = ' ';
// set the tag
lv_InBuf = SCARD_ATTR_VENDOR_IFD_TYPE;
// get the value
lv_Result = DeviceIoControl(
in_hDev, IOCTL_SMARTCARD_GET_ATTRIBUTE,
&lv_InBuf, sizeof(DWORD), lv_OutBuf, 256, &lv_ValLen, 0);
// fail?
if (!lv_Result)
return FALSE;
// check the length, including space
if (lv_Pos + lv_ValLen + 1 > in_MaxLen)
return FALSE;
// append to output
AChar2TCharCL(lv_OutBuf, lv_ValLen, &out_Name[lv_Pos], in_MaxLen-lv_Pos);
// update position
lv_Pos += lv_ValLen;
// append space
out_Name[lv_Pos++] = ' ';
// set the tag
lv_InBuf = SCARD_ATTR_DEVICE_UNIT;
// get the value
lv_Result = DeviceIoControl(
in_hDev, IOCTL_SMARTCARD_GET_ATTRIBUTE,
&lv_InBuf, sizeof(DWORD), &lv_ChanID, sizeof(DWORD), &lv_ValLen, 0);
// fail?
if (!lv_Result)
return FALSE;
// format as string
FormatStringA(lv_OutBuf, 256, "%d", lv_ChanID);
// check the length
if (lv_Pos + strlenA(lv_OutBuf) > in_MaxLen)
return FALSE;
// append to output
AChar2TCharC(lv_OutBuf, &out_Name[lv_Pos], in_MaxLen-lv_Pos);
// done
return TRUE;
}
/************************************************/
/* get the Smartcard DeviceName via SCARD calls */
/************************************************/
BOOL Smc_GetDeviceNameViaSCARD(SCARDHANDLE in_hCard, TCHAR *out_Name, UINT in_MaxLen)
{
/* locals */
UINT lv_Pos;
DWORD lv_InBuf;
DWORD lv_ValLen;
DWORD lv_ChanID;
CHAR lv_OutBuf[256];
UINT lv_hResult;
// reserve space for eos
if (in_MaxLen-- <= 0)
return FALSE;
// init the position
lv_Pos = 0;
// set the tag
lv_InBuf = SCARD_ATTR_VENDOR_NAME;
lv_ValLen = 256;
// get the value
lv_hResult = lib_SCardGetAttrib(in_hCard, lv_InBuf, (BYTE*)lv_OutBuf, &lv_ValLen);
// fail?
if (FAILED(lv_hResult))
return FALSE;
// check the length, including space
if (lv_Pos + lv_ValLen + 1 > in_MaxLen)
return FALSE;
// append to output
AChar2TCharCL(lv_OutBuf, lv_ValLen, &out_Name[lv_Pos], in_MaxLen-lv_Pos);
// update position
lv_Pos += lv_ValLen;
// append space
out_Name[lv_Pos++] = ' ';
// set the tag
lv_InBuf = SCARD_ATTR_VENDOR_IFD_TYPE;
lv_ValLen = 256;
// get the value
lv_hResult = lib_SCardGetAttrib(in_hCard, lv_InBuf, (BYTE*)lv_OutBuf, &lv_ValLen);
// fail?
if (FAILED(lv_hResult))
return FALSE;
// check the length, including space
if (lv_Pos + lv_ValLen + 1 > in_MaxLen)
return FALSE;
// append to output
AChar2TCharCL(lv_OutBuf, lv_ValLen, &out_Name[lv_Pos], in_MaxLen-lv_Pos);
// update position
lv_Pos += lv_ValLen;
// append space
out_Name[lv_Pos++] = ' ';
// set the tag
lv_InBuf = SCARD_ATTR_DEVICE_UNIT;
lv_ValLen = sizeof(DWORD);
// get the value
lv_hResult = lib_SCardGetAttrib(in_hCard, lv_InBuf, (BYTE*)&lv_ChanID, &lv_ValLen);
// fail?
if (FAILED(lv_hResult))
return FALSE;
// format as string
FormatStringA(lv_OutBuf, 256, "%d", lv_ChanID);
// check the length
if (lv_Pos + strlenA(lv_OutBuf) > in_MaxLen)
return FALSE;
// append to output
AChar2TCharC(lv_OutBuf, &out_Name[lv_Pos], in_MaxLen-lv_Pos);
// done
return TRUE;
}
From my tests, it seams that scard service assigns the name in this order:
a) SPDRP_FRIENDLYNAME if present
b) SPDRP_DEVICEDESC
This way, I was able to match the SCardListReaders() names with the rigth Device/Driver.
Hope this helps ...

Extract Eventlog messages in a specific language

I need some help regarding the extraction of eventlog data under Windows 7.
What I try to achieve:
A computer has Windows 7 German (or any other language) installed. I want to extract the eventlog messages in Englisch to transport them to another computer where I want to store and analyze the eventlog.
This should be done somehow programatically (C# or C++).
I have tried different ways. Write a C# programm to extract the messages result always in getting the messages not in englisch but the configured language of the computer. I also tried it in C++ but also with the same result.
The other approach was then to extract the eventlog in a evtx-File and transport it to another computer with an englisch operating system. But the problem with that solution is that I also need non Windows eventlog messages (e.g. from the installed programs) which cannot be viewed on the other computer where the program and the message dlls are not installed.
Does anybody have an idea how to extract eventlog messages in English independent from the language of the operating system?
Thanks a lot,
Ulli
Here is the complete code for C++ to extract special eventlog messages in a specific language (Thanks to "Apokal" and MSDN). You can change the definitions for
Provider Name (this is the key in the registry)
Resource dll (this is the path to the message dll referenced in the registry)
Message language (this is the language code - Note: Seems the complete code is needed "DE" is not working "DE-de" works ...)
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <strsafe.h>
#define PROVIDER_NAME L"SceCli"
#define RESOURCE_DLL L"C:\\Windows\\System32\\scecli.dll"
#define MESSAGE_LANGUAGE 0x0409 // En-Us
#define MAX_TIMESTAMP_LEN 23 + 1 // mm/dd/yyyy hh:mm:ss.mmm
#define MAX_RECORD_BUFFER_SIZE 0x10000 // 64K
HANDLE GetMessageResources();
DWORD DumpRecordsInBuffer(PBYTE pBuffer, DWORD dwBytesRead);
DWORD GetEventTypeName(DWORD EventType);
LPWSTR GetMessageString(DWORD Id, DWORD argc, LPWSTR args);
void GetTimestamp(const DWORD Time, WCHAR DisplayString[]);
DWORD ApplyParameterStringsToMessage(CONST LPCWSTR pMessage, LPWSTR & pFinalMessage);
CONST LPWSTR pEventTypeNames[] = {L"Error", L"Warning", L"Informational", L"Audit Success", L"Audit Failure"};
HANDLE g_hResources = NULL;
void wmain(void)
{
HANDLE hEventLog = NULL;
DWORD status = ERROR_SUCCESS;
DWORD dwBytesToRead = 0;
DWORD dwBytesRead = 0;
DWORD dwMinimumBytesToRead = 0;
PBYTE pBuffer = NULL;
PBYTE pTemp = NULL;
// The source name (provider) must exist as a subkey of Application.
hEventLog = OpenEventLog(NULL, PROVIDER_NAME);
if (NULL == hEventLog)
{
wprintf(L"OpenEventLog failed with 0x%x.\n", GetLastError());
goto cleanup;
}
// Get the DLL that contains the string resources for the provider.
g_hResources = GetMessageResources();
if (NULL == g_hResources)
{
wprintf(L"GetMessageResources failed.\n");
goto cleanup;
}
// Allocate an initial block of memory used to read event records. The number
// of records read into the buffer will vary depending on the size of each event.
// The size of each event will vary based on the size of the user-defined
// data included with each event, the number and length of insertion
// strings, and other data appended to the end of the event record.
dwBytesToRead = MAX_RECORD_BUFFER_SIZE;
pBuffer = (PBYTE)malloc(dwBytesToRead);
if (NULL == pBuffer)
{
wprintf(L"Failed to allocate the initial memory for the record buffer.\n");
goto cleanup;
}
// Read blocks of records until you reach the end of the log or an
// error occurs. The records are read from newest to oldest. If the buffer
// is not big enough to hold a complete event record, reallocate the buffer.
while (ERROR_SUCCESS == status)
{
if (!ReadEventLog(hEventLog,
EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ,
0,
pBuffer,
dwBytesToRead,
&dwBytesRead,
&dwMinimumBytesToRead))
{
status = GetLastError();
if (ERROR_INSUFFICIENT_BUFFER == status)
{
status = ERROR_SUCCESS;
pTemp = (PBYTE)realloc(pBuffer, dwMinimumBytesToRead);
if (NULL == pTemp)
{
wprintf(L"Failed to reallocate the memory for the record buffer (%d bytes).\n", dwMinimumBytesToRead);
goto cleanup;
}
pBuffer = pTemp;
dwBytesToRead = dwMinimumBytesToRead;
}
else
{
if (ERROR_HANDLE_EOF != status)
{
wprintf(L"ReadEventLog failed with %lu.\n", status);
goto cleanup;
}
}
}
else
{
// Print the contents of each record in the buffer.
DumpRecordsInBuffer(pBuffer, dwBytesRead);
}
}
getchar();
cleanup:
if (hEventLog)
CloseEventLog(hEventLog);
if (pBuffer)
free(pBuffer);
}
// Get the provider DLL that contains the string resources for the
// category strings, event message strings, and parameter insert strings.
// For this example, the path to the DLL is hardcoded but typically,
// you would read the CategoryMessageFile, EventMessageFile, and
// ParameterMessageFile registry values under the source's registry key located
// under \SYSTEM\CurrentControlSet\Services\Eventlog\Application in
// the HKLM registry hive. In this example, all resources are included in
// the same resource-only DLL.
HANDLE GetMessageResources()
{
HANDLE hResources = NULL;
hResources = LoadLibraryEx(RESOURCE_DLL, NULL, LOAD_LIBRARY_AS_IMAGE_RESOURCE | LOAD_LIBRARY_AS_DATAFILE);
if (NULL == hResources)
{
wprintf(L"LoadLibrary failed with %lu.\n", GetLastError());
}
return hResources;
}
// Loop through the buffer and print the contents of each record
// in the buffer.
DWORD DumpRecordsInBuffer(PBYTE pBuffer, DWORD dwBytesRead)
{
DWORD status = ERROR_SUCCESS;
PBYTE pRecord = pBuffer;
PBYTE pEndOfRecords = pBuffer + dwBytesRead;
LPWSTR pMessage = NULL;
LPWSTR pFinalMessage = NULL;
WCHAR TimeStamp[MAX_TIMESTAMP_LEN];
while (pRecord < pEndOfRecords)
{
// If the event was written by our provider, write the contents of the event.
if (0 == wcscmp(PROVIDER_NAME, (LPWSTR)(pRecord + sizeof(EVENTLOGRECORD))))
{
GetTimestamp(((PEVENTLOGRECORD)pRecord)->TimeGenerated, TimeStamp);
wprintf(L"Time stamp: %s\n", TimeStamp);
wprintf(L"record number: %lu\n", ((PEVENTLOGRECORD)pRecord)->RecordNumber);
wprintf(L"status code: %d\n", ((PEVENTLOGRECORD)pRecord)->EventID & 0xFFFF);
wprintf(L"event type: %s\n", pEventTypeNames[GetEventTypeName(((PEVENTLOGRECORD)pRecord)->EventType)]);
pMessage = GetMessageString(((PEVENTLOGRECORD)pRecord)->EventCategory, 0, NULL);
if (pMessage)
{
wprintf(L"event category: %s", pMessage);
LocalFree(pMessage);
pMessage = NULL;
}
pMessage = GetMessageString(((PEVENTLOGRECORD)pRecord)->EventID,
((PEVENTLOGRECORD)pRecord)->NumStrings, (LPWSTR)(pRecord + ((PEVENTLOGRECORD)pRecord)->StringOffset));
if (pMessage)
{
status = ApplyParameterStringsToMessage(pMessage, pFinalMessage);
wprintf(L"event message: %s", (pFinalMessage) ? pFinalMessage : pMessage);
LocalFree(pMessage);
pMessage = NULL;
if (pFinalMessage)
{
free(pFinalMessage);
pFinalMessage = NULL;
}
}
// To write the event data, you need to know the format of the data. In
// this example, we know that the event data is a null-terminated string.
if (((PEVENTLOGRECORD)pRecord)->DataLength > 0)
{
wprintf(L"event data: %s\n", (LPWSTR)(pRecord + ((PEVENTLOGRECORD)pRecord)->DataOffset));
}
wprintf(L"\n");
}
pRecord += ((PEVENTLOGRECORD)pRecord)->Length;
}
return status;
}
// Get an index value to the pEventTypeNames array based on
// the event type value.
DWORD GetEventTypeName(DWORD EventType)
{
DWORD index = 0;
switch (EventType)
{
case EVENTLOG_ERROR_TYPE:
index = 0;
break;
case EVENTLOG_WARNING_TYPE:
index = 1;
break;
case EVENTLOG_INFORMATION_TYPE:
index = 2;
break;
case EVENTLOG_AUDIT_SUCCESS:
index = 3;
break;
case EVENTLOG_AUDIT_FAILURE:
index = 4;
break;
}
return index;
}
// Formats the specified message. If the message uses inserts, build
// the argument list to pass to FormatMessage.
LPWSTR GetMessageString(DWORD MessageId, DWORD argc, LPWSTR argv)
{
LPWSTR pMessage = NULL;
DWORD dwFormatFlags = FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_ALLOCATE_BUFFER;
DWORD_PTR* pArgs = NULL;
LPWSTR pString = argv;
// The insertion strings appended to the end of the event record
// are an array of strings; however, FormatMessage requires
// an array of addresses. Create an array of DWORD_PTRs based on
// the count of strings. Assign the address of each string
// to an element in the array (maintaining the same order).
if (argc > 0)
{
pArgs = (DWORD_PTR*)malloc(sizeof(DWORD_PTR) * argc);
if (pArgs)
{
dwFormatFlags |= FORMAT_MESSAGE_ARGUMENT_ARRAY;
for (DWORD i = 0; i < argc; i++)
{
pArgs[i] = (DWORD_PTR)pString;
pString += wcslen(pString) + 1;
}
}
else
{
dwFormatFlags |= FORMAT_MESSAGE_IGNORE_INSERTS;
wprintf(L"Failed to allocate memory for the insert string array.\n");
}
}
if (!FormatMessage(dwFormatFlags,
g_hResources,
MessageId,
MESSAGE_LANGUAGE,
(LPWSTR)&pMessage,
0,
(va_list*)pArgs))
{
wprintf(L"Format message failed with %lu\n", GetLastError());
}
if (pArgs)
free(pArgs);
return pMessage;
}
// If the message string contains parameter insertion strings (for example, %%4096),
// you must perform the parameter substitution yourself. To get the parameter message
// string, call FormatMessage with the message identifier found in the parameter insertion
// string (for example, 4096 is the message identifier if the parameter insertion string
// is %%4096). You then substitute the parameter insertion string in the message
// string with the actual parameter message string.
DWORD ApplyParameterStringsToMessage(CONST LPCWSTR pMessage, LPWSTR & pFinalMessage)
{
DWORD status = ERROR_SUCCESS;
DWORD dwParameterCount = 0; // Number of insertion strings found in pMessage
size_t cbBuffer = 0; // Size of the buffer in bytes
size_t cchBuffer = 0; // Size of the buffer in characters
size_t cchParameters = 0; // Number of characters in all the parameter strings
size_t cch = 0;
DWORD i = 0;
LPWSTR* pStartingAddresses = NULL; // Array of pointers to the beginning of each parameter string in pMessage
LPWSTR* pEndingAddresses = NULL; // Array of pointers to the end of each parameter string in pMessage
DWORD* pParameterIDs = NULL; // Array of parameter identifiers found in pMessage
LPWSTR* pParameters = NULL; // Array of the actual parameter strings
LPWSTR pTempMessage = (LPWSTR)pMessage;
LPWSTR pTempFinalMessage = NULL;
// Determine the number of parameter insertion strings in pMessage.
while (pTempMessage = wcschr(pTempMessage, L'%'))
{
dwParameterCount++;
pTempMessage++;
}
// If there are no parameter insertion strings in pMessage, return.
if (0 == dwParameterCount)
{
pFinalMessage = NULL;
goto cleanup;
}
// Allocate an array of pointers that will contain the beginning address
// of each parameter insertion string.
cbBuffer = sizeof(LPWSTR) * dwParameterCount;
pStartingAddresses = (LPWSTR*)malloc(cbBuffer);
if (NULL == pStartingAddresses)
{
wprintf(L"Failed to allocate memory for pStartingAddresses.\n");
status = ERROR_OUTOFMEMORY;
goto cleanup;
}
RtlZeroMemory(pStartingAddresses, cbBuffer);
// Allocate an array of pointers that will contain the ending address (one
// character past the of the identifier) of the each parameter insertion string.
pEndingAddresses = (LPWSTR*)malloc(cbBuffer);
if (NULL == pEndingAddresses)
{
wprintf(L"Failed to allocate memory for pEndingAddresses.\n");
status = ERROR_OUTOFMEMORY;
goto cleanup;
}
RtlZeroMemory(pEndingAddresses, cbBuffer);
// Allocate an array of pointers that will contain pointers to the actual
// parameter strings.
pParameters = (LPWSTR*)malloc(cbBuffer);
if (NULL == pParameters)
{
wprintf(L"Failed to allocate memory for pEndingAddresses.\n");
status = ERROR_OUTOFMEMORY;
goto cleanup;
}
RtlZeroMemory(pParameters, cbBuffer);
// Allocate an array of DWORDs that will contain the message identifier
// for each parameter.
pParameterIDs = (DWORD*)malloc(cbBuffer);
if (NULL == pParameterIDs)
{
wprintf(L"Failed to allocate memory for pParameterIDs.\n");
status = ERROR_OUTOFMEMORY;
goto cleanup;
}
RtlZeroMemory(pParameterIDs, cbBuffer);
// Find each parameter in pMessage and get the pointer to the
// beginning of the insertion string, the end of the insertion string,
// and the message identifier of the parameter.
pTempMessage = (LPWSTR)pMessage;
while (pTempMessage = wcschr(pTempMessage, L'%'))
{
if (isdigit(*(pTempMessage+1)))
{
pStartingAddresses[i] = pTempMessage;
pTempMessage++;
pParameterIDs[i] = (DWORD)_wtoi(pTempMessage);
while (isdigit(*++pTempMessage))
;
pEndingAddresses[i] = pTempMessage;
i++;
}
}
// For each parameter, use the message identifier to get the
// actual parameter string.
for (DWORD i = 0; i < dwParameterCount; i++)
{
pParameters[i] = GetMessageString(pParameterIDs[i], 0, NULL);
if (NULL == pParameters[i])
{
wprintf(L"GetMessageString could not find parameter string for insert %lu.\n", i);
status = ERROR_INVALID_PARAMETER;
goto cleanup;
}
cchParameters += wcslen(pParameters[i]);
}
// Allocate enough memory for pFinalMessage based on the length of pMessage
// and the length of each parameter string. The pFinalMessage buffer will contain
// the completed parameter substitution.
pTempMessage = (LPWSTR)pMessage;
cbBuffer = (wcslen(pMessage) + cchParameters + 1) * sizeof(WCHAR);
pFinalMessage = (LPWSTR)malloc(cbBuffer);
if (NULL == pFinalMessage)
{
wprintf(L"Failed to allocate memory for pFinalMessage.\n");
status = ERROR_OUTOFMEMORY;
goto cleanup;
}
RtlZeroMemory(pFinalMessage, cbBuffer);
cchBuffer = cbBuffer / sizeof(WCHAR);
pTempFinalMessage = pFinalMessage;
// Build the final message string.
for (DWORD i = 0; i < dwParameterCount; i++)
{
// Append the segment from pMessage. In the first iteration, this is "8 " and in the
// second iteration, this is " = 2 ".
wcsncpy_s(pTempFinalMessage, cchBuffer, pTempMessage, cch = (pStartingAddresses[i] - pTempMessage));
pTempMessage = pEndingAddresses[i];
cchBuffer -= cch;
// Append the parameter string. In the first iteration, this is "quarts" and in the
// second iteration, this is "gallons"
pTempFinalMessage += cch;
wcscpy_s(pTempFinalMessage, cchBuffer, pParameters[i]);
cchBuffer -= cch = wcslen(pParameters[i]);
pTempFinalMessage += cch;
}
// Append the last segment from pMessage, which is ".".
wcscpy_s(pTempFinalMessage, cchBuffer, pTempMessage);
cleanup:
if (ERROR_SUCCESS != status)
pFinalMessage = (LPWSTR)pMessage;
if (pStartingAddresses)
free(pStartingAddresses);
if (pEndingAddresses)
free(pEndingAddresses);
if (pParameterIDs)
free(pParameterIDs);
for (DWORD i = 0; i < dwParameterCount; i++)
{
if (pParameters[i])
LocalFree(pParameters[i]);
}
return status;
}
// Get a string that contains the time stamp of when the event
// was generated.
void GetTimestamp(const DWORD Time, WCHAR DisplayString[])
{
ULONGLONG ullTimeStamp = 0;
ULONGLONG SecsTo1970 = 116444736000000000;
SYSTEMTIME st;
FILETIME ft, ftLocal;
ullTimeStamp = Int32x32To64(Time, 10000000) + SecsTo1970;
ft.dwHighDateTime = (DWORD)((ullTimeStamp >> 32) & 0xFFFFFFFF);
ft.dwLowDateTime = (DWORD)(ullTimeStamp & 0xFFFFFFFF);
FileTimeToLocalFileTime(&ft, &ftLocal);
FileTimeToSystemTime(&ftLocal, &st);
StringCchPrintf(DisplayString, MAX_TIMESTAMP_LEN, L"%d/%d/%d %.2d:%.2d:%.2d",
st.wMonth, st.wDay, st.wYear, st.wHour, st.wMinute, st.wSecond);
}
It's impossible to do in full way.
Here is why:
Each program that writes events to EventLog has an appropriate EventSource registered under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog. And an EventMessagFile value under EventSource key provides a path to a file that contain's event messages. So if, for example, some custom program provides only german event messages in that file, where do you get an english event messages from? The answer is from nowhere, because developers simply could not shipped event messages for other languages.
And for Windows, if you've got a german windows, but no english language pack (Microsoft's MUI) where does Windows have to get translations from? Nowhere.

enum all values from a subkey

I have a subkey in my registry with an unknown numbers of values.
I want to get all the data from those values in th specified subkey.
how can I do that ? I don't know the names of the values and the number of values.
I'm programming in C.
thanks!
Here's a code for geting all string values a from given regkey (you must open this key before and close after using this function.
vector<pair<wstring, wstring>> CRegistryManager::getKeyValues(HKEY regKey)
{
vector<pair<wstring, wstring>> retValues;
DWORD numOfValues;
DWORD maxValueNameLen;
DWORD maxValueDataLen;
LONG retCode;
retCode = RegQueryInfoKey(regKey, NULL, NULL,NULL, NULL, NULL, NULL, &numOfValues, &maxValueNameLen, &maxValueDataLen, NULL, NULL);
if( (retCode == ERROR_SUCCESS) && (numOfValues != 0) )
{
TCHAR* valueName = new TCHAR[maxValueNameLen+1];
TCHAR* valueData = new TCHAR[maxValueDataLen+1];
for(int i = 0; i < numOfValues; i++)
{
DWORD valueNameBuferSize = maxValueNameLen+1;
DWORD valueDataBufferSize = maxValueDataLen+1;
retCode = RegEnumValue(regKey, i, valueName, &valueNameBuferSize, NULL,NULL, (LPBYTE)valueData, &valueDataBufferSize);
if(retCode == ERROR_SUCCESS)
{
auto pair = make_pair(wstring(valueName), wstring(valueData));
retValues.push_back(pair);
}
}
delete[] valueName;
delete[] valueData;
}
return retValues;
}
You'll want to use the Win32 API RegEnumValue to enumerate the registry values of a subkey. There is an example on MSDN which is similar to this but for enumerating registry subkeys.
You can also find some helper functions from one of my previous answers here.

Resources