1
/*
2
 * Unit tests for Event Logging functions
3
 *
4
 * Copyright (c) 2009 Paul Vriens
5
 *
6
 * This library is free software; you can redistribute it and/or
7
 * modify it under the terms of the GNU Lesser General Public
8
 * License as published by the Free Software Foundation; either
9
 * version 2.1 of the License, or (at your option) any later version.
10
 *
11
 * This library is distributed in the hope that it will be useful,
12
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14
 * Lesser General Public License for more details.
15
 *
16
 * You should have received a copy of the GNU Lesser General Public
17
 * License along with this library; if not, write to the Free Software
18
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
19
 */
20

21
#include <stdarg.h>
22

23
#include "initguid.h"
24
#include "windef.h"
25
#include "winbase.h"
26
#include "winerror.h"
27
#include "winnt.h"
28
#include "winreg.h"
29
#include "sddl.h"
30
#include "wmistr.h"
31
#include "evntprov.h"
32
#include "evntrace.h"
33
#include "netevent.h"
34

35
#include "wine/test.h"
36

37
static BOOL (WINAPI *pCreateWellKnownSid)(WELL_KNOWN_SID_TYPE,PSID,PSID,DWORD*);
38
static BOOL (WINAPI *pGetEventLogInformation)(HANDLE,DWORD,LPVOID,DWORD,LPDWORD);
39
static ULONG (WINAPI *pEventRegister)(const GUID *,PENABLECALLBACK,void *,REGHANDLE *);
40
static ULONG (WINAPI *pEventUnregister)(REGHANDLE);
41
static ULONG (WINAPI *pEventWriteString)(REGHANDLE,UCHAR,ULONGLONG,const WCHAR *);
42

43
static BOOL (WINAPI *pGetComputerNameExA)(COMPUTER_NAME_FORMAT,LPSTR,LPDWORD);
44
static BOOL (WINAPI *pWow64DisableWow64FsRedirection)(PVOID *);
45
static BOOL (WINAPI *pWow64RevertWow64FsRedirection)(PVOID);
46

47
static void init_function_pointers(void)
48
{
49
    HMODULE hadvapi32 = GetModuleHandleA("advapi32.dll");
50
    HMODULE hkernel32 = GetModuleHandleA("kernel32.dll");
51

52
    pCreateWellKnownSid = (void*)GetProcAddress(hadvapi32, "CreateWellKnownSid");
53
    pGetEventLogInformation = (void*)GetProcAddress(hadvapi32, "GetEventLogInformation");
54
    pEventWriteString = (void*)GetProcAddress(hadvapi32, "EventWriteString");
55
    pEventRegister = (void*)GetProcAddress(hadvapi32, "EventRegister");
56
    pEventUnregister = (void*)GetProcAddress(hadvapi32, "EventUnregister");
57

58
    pGetComputerNameExA = (void*)GetProcAddress(hkernel32, "GetComputerNameExA");
59
    pWow64DisableWow64FsRedirection = (void*)GetProcAddress(hkernel32, "Wow64DisableWow64FsRedirection");
60
    pWow64RevertWow64FsRedirection = (void*)GetProcAddress(hkernel32, "Wow64RevertWow64FsRedirection");
61
}
62

63
static BOOL create_backup(const char *filename)
64
{
65
    HANDLE handle;
66
    DWORD rc, attribs;
67

68
    handle = OpenEventLogA(NULL, "Application");
69
    if (!handle && (GetLastError() == ERROR_ACCESS_DENIED || GetLastError() == RPC_S_SERVER_UNAVAILABLE))
70
    {
71
        win_skip( "Can't open event log\n" );
72
        return FALSE;
73
    }
74
    ok(handle != NULL, "OpenEventLogA(Application) failed : %ld\n", GetLastError());
75

76
    DeleteFileA(filename);
77
    rc = BackupEventLogA(handle, filename);
78
    if (!rc && GetLastError() == ERROR_PRIVILEGE_NOT_HELD)
79
    {
80
        skip("insufficient privileges to backup the eventlog\n");
81
        CloseEventLog(handle);
82
        return FALSE;
83
    }
84
    ok(rc, "BackupEventLogA failed, le=%lu\n", GetLastError());
85
    CloseEventLog(handle);
86

87
    attribs = GetFileAttributesA(filename);
88
    todo_wine
89
    ok(attribs != INVALID_FILE_ATTRIBUTES, "Expected a backup file attribs=%#lx le=%lu\n", attribs, GetLastError());
90
    return TRUE;
91
}
92

93
static void test_open_close(void)
94
{
95
    HANDLE handle;
96
    BOOL ret;
97

98
    SetLastError(0xdeadbeef);
99
    ret = CloseEventLog(NULL);
100
    ok(!ret, "Expected failure\n");
101
    ok(GetLastError() == ERROR_INVALID_HANDLE ||
102
       GetLastError() == ERROR_NOACCESS, /* W2K */
103
       "Expected ERROR_INVALID_HANDLE, got %ld\n", GetLastError());
104

105
    SetLastError(0xdeadbeef);
106
    handle = OpenEventLogA(NULL, NULL);
107
    ok(handle == NULL, "OpenEventLogA() succeeded\n");
108
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
109

110
    SetLastError(0xdeadbeef);
111
    handle = OpenEventLogA("IDontExist", NULL);
112
    ok(handle == NULL, "OpenEventLogA(IDontExist,) succeeded\n");
113
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
114

115
    SetLastError(0xdeadbeef);
116
    handle = OpenEventLogA("IDontExist", "deadbeef");
117
    ok(handle == NULL, "OpenEventLogA(IDontExist,deadbeef) succeeded\n");
118
    ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE ||
119
       GetLastError() == RPC_S_INVALID_NET_ADDR, /* Some Vista and Win7 */
120
       "Expected RPC_S_SERVER_UNAVAILABLE, got %ld\n", GetLastError());
121

122
    /* This one opens the Application log */
123
    handle = OpenEventLogA(NULL, "deadbeef");
124
    ok(handle != NULL, "OpenEventLogA(deadbeef) failed : %ld\n", GetLastError());
125
    ret = CloseEventLog(handle);
126
    ok(ret, "Expected success : %ld\n", GetLastError());
127
    /* Close a second time */
128
    SetLastError(0xdeadbeef);
129
    ret = CloseEventLog(handle);
130
    todo_wine
131
    {
132
    ok(!ret, "Expected failure\n");
133
    ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %ld\n", GetLastError());
134
    }
135

136
    /* Empty servername should be read as local server */
137
    handle = OpenEventLogA("", "Application");
138
    ok(handle != NULL, "OpenEventLogA('',Application) failed : %ld\n", GetLastError());
139
    CloseEventLog(handle);
140

141
    handle = OpenEventLogA(NULL, "Application");
142
    ok(handle != NULL, "OpenEventLogA(Application) failed : %ld\n", GetLastError());
143
    CloseEventLog(handle);
144
}
145

146
static void test_info(void)
147
{
148
    HANDLE handle;
149
    BOOL ret;
150
    DWORD needed;
151
    BYTE buffer[2 * sizeof(EVENTLOG_FULL_INFORMATION)];
152
    EVENTLOG_FULL_INFORMATION *efi = (void *)buffer;
153

154
    if (!pGetEventLogInformation)
155
    {
156
        /* NT4 */
157
        win_skip("GetEventLogInformation is not available\n");
158
        return;
159
    }
160
    SetLastError(0xdeadbeef);
161
    ret = pGetEventLogInformation(NULL, 1, NULL, 0, NULL);
162
    ok(!ret, "Expected failure\n");
163
    ok(GetLastError() == ERROR_INVALID_LEVEL, "Expected ERROR_INVALID_LEVEL, got %ld\n", GetLastError());
164

165
    SetLastError(0xdeadbeef);
166
    ret = pGetEventLogInformation(NULL, EVENTLOG_FULL_INFO, NULL, 0, NULL);
167
    ok(!ret, "Expected failure\n");
168
    ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %ld\n", GetLastError());
169

170
    handle = OpenEventLogA(NULL, "Application");
171
    ok(handle != NULL, "OpenEventLogA(Application) failed : %ld\n", GetLastError());
172

173
    SetLastError(0xdeadbeef);
174
    ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, NULL, 0, NULL);
175
    ok(!ret, "Expected failure\n");
176
    ok(GetLastError() == RPC_X_NULL_REF_POINTER, "Expected RPC_X_NULL_REF_POINTER, got %ld\n", GetLastError());
177

178
    SetLastError(0xdeadbeef);
179
    ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, NULL, 0, &needed);
180
    ok(!ret, "Expected failure\n");
181
    ok(GetLastError() == RPC_X_NULL_REF_POINTER, "Expected RPC_X_NULL_REF_POINTER, got %ld\n", GetLastError());
182

183
    SetLastError(0xdeadbeef);
184
    ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, efi, 0, NULL);
185
    ok(!ret, "Expected failure\n");
186
    ok(GetLastError() == RPC_X_NULL_REF_POINTER, "Expected RPC_X_NULL_REF_POINTER, got %ld\n", GetLastError());
187

188
    SetLastError(0xdeadbeef);
189
    needed = 0xdeadbeef;
190
    efi->dwFull = 0xdeadbeef;
191
    ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, efi, 0, &needed);
192
    ok(!ret, "Expected failure\n");
193
    ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Expected ERROR_INSUFFICIENT_BUFFER, got %ld\n", GetLastError());
194
    ok(needed == sizeof(EVENTLOG_FULL_INFORMATION), "Expected sizeof(EVENTLOG_FULL_INFORMATION), got %ld\n", needed);
195
    ok(efi->dwFull == 0xdeadbeef, "Expected no change to the dwFull member\n");
196

197
    /* Not that we care, but on success last error is set to ERROR_IO_PENDING */
198
    efi->dwFull = 0xdeadbeef;
199
    needed = sizeof(buffer);
200
    ret = pGetEventLogInformation(handle, EVENTLOG_FULL_INFO, efi, needed, &needed);
201
    ok(ret, "Expected success : %ld\n", GetLastError());
202
    ok(needed == sizeof(EVENTLOG_FULL_INFORMATION), "Expected sizeof(EVENTLOG_FULL_INFORMATION), got %ld\n", needed);
203
    ok(efi->dwFull == 0 || efi->dwFull == 1, "Expected 0 (not full) or 1 (full), got %ld\n", efi->dwFull);
204

205
    CloseEventLog(handle);
206
}
207

208
static void test_count(void)
209
{
210
    HANDLE handle;
211
    BOOL ret;
212
    DWORD count;
213
    const char backup[] = "backup.evt";
214

215
    SetLastError(0xdeadbeef);
216
    ret = GetNumberOfEventLogRecords(NULL, NULL);
217
    ok(!ret, "Expected failure\n");
218
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
219

220
    SetLastError(0xdeadbeef);
221
    count = 0xdeadbeef;
222
    ret = GetNumberOfEventLogRecords(NULL, &count);
223
    ok(!ret, "Expected failure\n");
224
    ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %ld\n", GetLastError());
225
    ok(count == 0xdeadbeef, "Expected count to stay unchanged\n");
226

227
    handle = OpenEventLogA(NULL, "Application");
228
    ok(handle != NULL, "OpenEventLogA(Application) failed : %ld\n", GetLastError());
229

230
    SetLastError(0xdeadbeef);
231
    ret = GetNumberOfEventLogRecords(handle, NULL);
232
    ok(!ret, "Expected failure\n");
233
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
234

235
    count = 0xdeadbeef;
236
    ret = GetNumberOfEventLogRecords(handle, &count);
237
    ok(ret, "Expected success : %ld\n", GetLastError());
238
    ok(count != 0xdeadbeef, "Expected the number of records\n");
239

240
    CloseEventLog(handle);
241

242
    /* Make a backup eventlog to work with */
243
    if (create_backup(backup))
244
    {
245
        handle = OpenBackupEventLogA(NULL, backup);
246
        todo_wine
247
        ok(handle != NULL, "Expected a handle, le=%ld\n", GetLastError());
248

249
        /* Does GetNumberOfEventLogRecords work with backup eventlogs? */
250
        count = 0xdeadbeef;
251
        ret = GetNumberOfEventLogRecords(handle, &count);
252
        todo_wine
253
        {
254
        ok(ret, "Expected success : %ld\n", GetLastError());
255
        ok(count != 0xdeadbeef, "Expected the number of records\n");
256
        }
257

258
        CloseEventLog(handle);
259
        DeleteFileA(backup);
260
    }
261
}
262

263
static void test_oldest(void)
264
{
265
    HANDLE handle;
266
    BOOL ret;
267
    DWORD oldest;
268
    const char backup[] = "backup.evt";
269

270
    SetLastError(0xdeadbeef);
271
    ret = GetOldestEventLogRecord(NULL, NULL);
272
    ok(!ret, "Expected failure\n");
273
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
274

275
    SetLastError(0xdeadbeef);
276
    oldest = 0xdeadbeef;
277
    ret = GetOldestEventLogRecord(NULL, &oldest);
278
    ok(!ret, "Expected failure\n");
279
    ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %ld\n", GetLastError());
280
    ok(oldest == 0xdeadbeef, "Expected oldest to stay unchanged\n");
281

282
    handle = OpenEventLogA(NULL, "Application");
283
    if (!handle && (GetLastError() == ERROR_ACCESS_DENIED || GetLastError() == RPC_S_SERVER_UNAVAILABLE))
284
    {
285
        win_skip( "Can't open event log\n" );
286
        return;
287
    }
288
    ok(handle != NULL, "OpenEventLogA(Application) failed : %ld\n", GetLastError());
289

290
    SetLastError(0xdeadbeef);
291
    ret = GetOldestEventLogRecord(handle, NULL);
292
    ok(!ret, "Expected failure\n");
293
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
294

295
    oldest = 0xdeadbeef;
296
    ret = GetOldestEventLogRecord(handle, &oldest);
297
    ok(ret, "Expected success : %ld\n", GetLastError());
298
    ok(oldest != 0xdeadbeef, "Expected the number of the oldest record\n");
299

300
    CloseEventLog(handle);
301

302
    /* Make a backup eventlog to work with */
303
    if (create_backup(backup))
304
    {
305
        handle = OpenBackupEventLogA(NULL, backup);
306
        todo_wine
307
        ok(handle != NULL, "Expected a handle\n");
308

309
        /* Does GetOldestEventLogRecord work with backup eventlogs? */
310
        oldest = 0xdeadbeef;
311
        ret = GetOldestEventLogRecord(handle, &oldest);
312
        todo_wine
313
        {
314
        ok(ret, "Expected success : %ld\n", GetLastError());
315
        ok(oldest != 0xdeadbeef, "Expected the number of the oldest record\n");
316
        }
317

318
        CloseEventLog(handle);
319
        DeleteFileA(backup);
320
    }
321
}
322

323
static void test_backup(void)
324
{
325
    HANDLE handle;
326
    BOOL ret;
327
    const char backup[] = "backup.evt";
328
    const char backup2[] = "backup2.evt";
329

330
    SetLastError(0xdeadbeef);
331
    ret = BackupEventLogA(NULL, NULL);
332
    ok(!ret, "Expected failure\n");
333
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
334

335
    SetLastError(0xdeadbeef);
336
    ret = BackupEventLogA(NULL, backup);
337
    ok(!ret, "Expected failure\n");
338
    ok(GetFileAttributesA(backup) == INVALID_FILE_ATTRIBUTES, "Expected no backup file\n");
339

340
    handle = OpenEventLogA(NULL, "Application");
341
    if (!handle && (GetLastError() == ERROR_ACCESS_DENIED || GetLastError() == RPC_S_SERVER_UNAVAILABLE))
342
    {
343
        win_skip( "Can't open event log\n" );
344
        return;
345
    }
346
    ok(handle != NULL, "OpenEventLogA(Application) failed : %ld\n", GetLastError());
347

348
    SetLastError(0xdeadbeef);
349
    ret = BackupEventLogA(handle, NULL);
350
    ok(!ret, "Expected failure\n");
351
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
352

353
    ret = BackupEventLogA(handle, backup);
354
    if (!ret && GetLastError() == ERROR_PRIVILEGE_NOT_HELD)
355
    {
356
        skip("insufficient privileges for backup tests\n");
357
        CloseEventLog(handle);
358
        return;
359
    }
360
    ok(ret, "Expected success : %ld\n", GetLastError());
361
    todo_wine
362
    ok(GetFileAttributesA(backup) != INVALID_FILE_ATTRIBUTES, "Expected a backup file\n");
363

364
    /* Try to overwrite */
365
    SetLastError(0xdeadbeef);
366
    ret = BackupEventLogA(handle, backup);
367
    todo_wine
368
    {
369
    ok(!ret, "Expected failure\n");
370
    ok(GetLastError() == ERROR_ALREADY_EXISTS, "Expected ERROR_ALREADY_EXISTS, got %ld\n", GetLastError());
371
    }
372

373
    CloseEventLog(handle);
374

375
    /* Can we make a backup of a backup? */
376
    handle = OpenBackupEventLogA(NULL, backup);
377
    todo_wine
378
    ok(handle != NULL, "Expected a handle\n");
379

380
    ret = BackupEventLogA(handle, backup2);
381
    todo_wine
382
    {
383
    ok(ret, "Expected success : %ld\n", GetLastError());
384
    ok(GetFileAttributesA(backup2) != INVALID_FILE_ATTRIBUTES, "Expected a backup file\n");
385
    }
386

387
    CloseEventLog(handle);
388
    DeleteFileA(backup);
389
    DeleteFileA(backup2);
390
}
391

392
static void test_read(void)
393
{
394
    HANDLE handle;
395
    BOOL ret;
396
    DWORD count, toread, read, needed;
397
    void *buf;
398

399
    SetLastError(0xdeadbeef);
400
    ret = ReadEventLogA(NULL, 0, 0, NULL, 0, NULL, NULL);
401
    ok(!ret, "Expected failure\n");
402
    todo_wine
403
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
404

405
    read = 0xdeadbeef;
406
    SetLastError(0xdeadbeef);
407
    ret = ReadEventLogA(NULL, 0, 0, NULL, 0, &read, NULL);
408
    ok(!ret, "Expected failure\n");
409
    ok(read == 0xdeadbeef, "Expected 'read' parameter to remain unchanged\n");
410
    todo_wine
411
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
412

413
    needed = 0xdeadbeef;
414
    SetLastError(0xdeadbeef);
415
    ret = ReadEventLogA(NULL, 0, 0, NULL, 0, NULL, &needed);
416
    ok(!ret, "Expected failure\n");
417
    ok(needed == 0xdeadbeef, "Expected 'needed' parameter to remain unchanged\n");
418
    todo_wine
419
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
420

421
    /* 'read' and 'needed' are only filled when the needed buffer size is passed back or when the call succeeds */
422
    SetLastError(0xdeadbeef);
423
    ret = ReadEventLogA(NULL, 0, 0, NULL, 0, &read, &needed);
424
    ok(!ret, "Expected failure\n");
425
    todo_wine
426
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
427

428
    SetLastError(0xdeadbeef);
429
    ret = ReadEventLogA(NULL, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, NULL, 0, NULL, NULL);
430
    ok(!ret, "Expected failure\n");
431
    todo_wine
432
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
433

434
    SetLastError(0xdeadbeef);
435
    ret = ReadEventLogA(NULL, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, NULL, 0, &read, &needed);
436
    ok(!ret, "Expected failure\n");
437
    todo_wine
438
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
439

440
    buf = NULL;
441
    SetLastError(0xdeadbeef);
442
    ret = ReadEventLogA(NULL, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
443
                        0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
444
    ok(!ret, "Expected failure\n");
445
    todo_wine
446
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
447

448
    buf = malloc(sizeof(EVENTLOGRECORD));
449
    SetLastError(0xdeadbeef);
450
    ret = ReadEventLogA(NULL, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
451
                        0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
452
    ok(!ret, "Expected failure\n");
453
    todo_wine
454
    ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %ld\n", GetLastError());
455
    free(buf);
456

457
    handle = OpenEventLogA(NULL, "Application");
458
    if (!handle && (GetLastError() == ERROR_ACCESS_DENIED || GetLastError() == RPC_S_SERVER_UNAVAILABLE))
459
    {
460
        win_skip( "Can't open event log\n" );
461
        return;
462
    }
463
    ok(handle != NULL, "OpenEventLogA(Application) failed : %ld\n", GetLastError());
464

465
    /* Show that we need the proper dwFlags with a (for the rest) proper call */
466
    buf = malloc(sizeof(EVENTLOGRECORD));
467

468
    SetLastError(0xdeadbeef);
469
    ret = ReadEventLogA(handle, 0, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
470
    ok(!ret, "Expected failure\n");
471
    todo_wine
472
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
473

474
    SetLastError(0xdeadbeef);
475
    ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
476
    ok(!ret, "Expected failure\n");
477
    todo_wine
478
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
479

480
    SetLastError(0xdeadbeef);
481
    ret = ReadEventLogA(handle, EVENTLOG_SEEK_READ, 0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
482
    ok(!ret, "Expected failure\n");
483
    todo_wine
484
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
485

486
    SetLastError(0xdeadbeef);
487
    ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ | EVENTLOG_BACKWARDS_READ,
488
                        0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
489
    ok(!ret, "Expected failure\n");
490
    todo_wine
491
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
492

493
    SetLastError(0xdeadbeef);
494
    ret = ReadEventLogA(handle, EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ | EVENTLOG_BACKWARDS_READ,
495
                        0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
496
    ok(!ret, "Expected failure\n");
497
    todo_wine
498
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
499

500
    SetLastError(0xdeadbeef);
501
    ret = ReadEventLogA(handle, EVENTLOG_SEEK_READ | EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
502
                        0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
503
    ok(!ret, "Expected failure\n");
504
    todo_wine
505
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
506

507
    free(buf);
508

509
    /* First check if there are any records (in practice only on Wine: FIXME) */
510
    count = 0;
511
    GetNumberOfEventLogRecords(handle, &count);
512
    if (!count)
513
    {
514
        skip("No records in the 'Application' log\n");
515
        CloseEventLog(handle);
516
        return;
517
    }
518

519
    /* Get the buffer size for the first record */
520
    buf = malloc(sizeof(EVENTLOGRECORD));
521
    read = needed = 0xdeadbeef;
522
    SetLastError(0xdeadbeef);
523
    ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
524
                        0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
525
    ok(!ret, "Expected failure\n");
526
    ok(read == 0, "Expected no bytes read\n");
527
    ok(needed > sizeof(EVENTLOGRECORD), "Expected the needed buffersize to be bigger than sizeof(EVENTLOGRECORD)\n");
528
    ok(GetLastError() == ERROR_INSUFFICIENT_BUFFER, "Expected ERROR_INSUFFICIENT_BUFFER, got %ld\n", GetLastError());
529

530
    /* Read the first record */
531
    toread = needed;
532
    buf = realloc(buf, toread);
533
    read = needed = 0xdeadbeef;
534
    SetLastError(0xdeadbeef);
535
    ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, buf, toread, &read, &needed);
536
    ok(ret, "Expected success : %ld\n", GetLastError());
537
    ok(read == toread ||
538
       broken(read < toread), /* NT4 wants a buffer size way bigger than just 1 record */
539
       "Expected the requested size to be read\n");
540
    ok(needed == 0, "Expected no extra bytes to be read\n");
541
    free(buf);
542

543
    CloseEventLog(handle);
544
}
545

546
static void test_openbackup(void)
547
{
548
    HANDLE handle, handle2, file;
549
    DWORD written;
550
    const char backup[] = "backup.evt";
551
    const char text[] = "Just some text";
552

553
    SetLastError(0xdeadbeef);
554
    handle = OpenBackupEventLogA(NULL, NULL);
555
    ok(handle == NULL, "Didn't expect a handle\n");
556
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
557

558
    SetLastError(0xdeadbeef);
559
    handle = OpenBackupEventLogA(NULL, "idontexist.evt");
560
    ok(handle == NULL, "Didn't expect a handle\n");
561
    ok(GetLastError() == ERROR_FILE_NOT_FOUND ||
562
       GetLastError() == ERROR_ACCESS_DENIED ||
563
       GetLastError() == RPC_S_SERVER_UNAVAILABLE,
564
       "got %ld\n", GetLastError());
565

566
    SetLastError(0xdeadbeef);
567
    handle = OpenBackupEventLogA("IDontExist", NULL);
568
    ok(handle == NULL, "Didn't expect a handle\n");
569
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
570

571
    SetLastError(0xdeadbeef);
572
    handle = OpenBackupEventLogA("IDontExist", "idontexist.evt");
573
    ok(handle == NULL, "Didn't expect a handle\n");
574
    ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE ||
575
       GetLastError() == RPC_S_INVALID_NET_ADDR, /* Some Vista and Win7 */
576
       "Expected RPC_S_SERVER_UNAVAILABLE, got %ld\n", GetLastError());
577

578
    /* Make a backup eventlog to work with */
579
    if (create_backup(backup))
580
    {
581
        /* FIXME: Wine stops here */
582
        if (GetFileAttributesA(backup) == INVALID_FILE_ATTRIBUTES)
583
        {
584
            skip("We don't have a backup eventlog to work with\n");
585
            return;
586
        }
587

588
        SetLastError(0xdeadbeef);
589
        handle = OpenBackupEventLogA("IDontExist", backup);
590
        ok(handle == NULL, "Didn't expect a handle\n");
591
        ok(GetLastError() == RPC_S_SERVER_UNAVAILABLE ||
592
           GetLastError() == RPC_S_INVALID_NET_ADDR, /* Some Vista and Win7 */
593
           "Expected RPC_S_SERVER_UNAVAILABLE, got %ld\n", GetLastError());
594

595
        /* Empty servername should be read as local server */
596
        handle = OpenBackupEventLogA("", backup);
597
        ok(handle != NULL, "Expected a handle\n");
598
        CloseEventLog(handle);
599

600
        handle = OpenBackupEventLogA(NULL, backup);
601
        ok(handle != NULL, "Expected a handle\n");
602

603
        /* Can we open that same backup eventlog more than once? */
604
        handle2 = OpenBackupEventLogA(NULL, backup);
605
        ok(handle2 != NULL, "Expected a handle\n");
606
        ok(handle2 != handle, "Didn't expect the same handle\n");
607
        CloseEventLog(handle2);
608

609
        CloseEventLog(handle);
610
        DeleteFileA(backup);
611
    }
612

613
    /* Is there any content checking done? */
614
    file = CreateFileA(backup, GENERIC_WRITE, 0, NULL, CREATE_NEW, 0, NULL);
615
    CloseHandle(file);
616
    SetLastError(0xdeadbeef);
617
    handle = OpenBackupEventLogA(NULL, backup);
618
    ok(handle == NULL, "Didn't expect a handle\n");
619
    ok(GetLastError() == ERROR_NOT_ENOUGH_MEMORY ||
620
       GetLastError() == ERROR_ACCESS_DENIED ||
621
       GetLastError() == RPC_S_SERVER_UNAVAILABLE ||
622
       GetLastError() == ERROR_EVENTLOG_FILE_CORRUPT, /* Vista and Win7 */
623
       "got %ld\n", GetLastError());
624
    CloseEventLog(handle);
625
    DeleteFileA(backup);
626

627
    file = CreateFileA(backup, GENERIC_WRITE, 0, NULL, CREATE_NEW, 0, NULL);
628
    WriteFile(file, text, sizeof(text), &written, NULL);
629
    CloseHandle(file);
630
    SetLastError(0xdeadbeef);
631
    handle = OpenBackupEventLogA(NULL, backup);
632
    ok(handle == NULL, "Didn't expect a handle\n");
633
    ok(GetLastError() == ERROR_EVENTLOG_FILE_CORRUPT ||
634
       GetLastError() == ERROR_ACCESS_DENIED ||
635
       GetLastError() == RPC_S_SERVER_UNAVAILABLE,
636
       "got %ld\n", GetLastError());
637
    CloseEventLog(handle);
638
    DeleteFileA(backup);
639
}
640

641
static void test_clear(void)
642
{
643
    HANDLE handle;
644
    BOOL ret;
645
    const char backup[] = "backup.evt";
646
    const char backup2[] = "backup2.evt";
647

648
    SetLastError(0xdeadbeef);
649
    ret = ClearEventLogA(NULL, NULL);
650
    ok(!ret, "Expected failure\n");
651
    ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %ld\n", GetLastError());
652

653
    /* Make a backup eventlog to work with */
654
    if (!create_backup(backup))
655
        return;
656

657
    SetLastError(0xdeadbeef);
658
    ret = ClearEventLogA(NULL, backup);
659
    ok(!ret, "Expected failure\n");
660
    ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %ld\n", GetLastError());
661

662
    handle = OpenBackupEventLogA(NULL, backup);
663
    todo_wine
664
    ok(handle != NULL, "Expected a handle\n");
665

666
    /* A real eventlog would fail with ERROR_ALREADY_EXISTS */
667
    SetLastError(0xdeadbeef);
668
    ret = ClearEventLogA(handle, backup);
669
    ok(!ret, "Expected failure\n");
670
    /* The eventlog service runs under an account that doesn't have the necessary
671
     * permissions on the users home directory on a default Vista+ system.
672
     */
673
    ok(GetLastError() == ERROR_INVALID_HANDLE ||
674
       GetLastError() == ERROR_ACCESS_DENIED, /* Vista+ */
675
       "Expected ERROR_INVALID_HANDLE, got %ld\n", GetLastError());
676

677
    /* Show that ClearEventLog only works for real eventlogs. */
678
    SetLastError(0xdeadbeef);
679
    ret = ClearEventLogA(handle, backup2);
680
    ok(!ret, "Expected failure\n");
681
    ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %ld\n", GetLastError());
682
    ok(GetFileAttributesA(backup2) == INVALID_FILE_ATTRIBUTES, "Expected no backup file\n");
683

684
    SetLastError(0xdeadbeef);
685
    ret = ClearEventLogA(handle, NULL);
686
    ok(!ret, "Expected failure\n");
687
    ok(GetLastError() == ERROR_INVALID_HANDLE, "Expected ERROR_INVALID_HANDLE, got %ld\n", GetLastError());
688

689
    CloseEventLog(handle);
690
    todo_wine
691
    ok(DeleteFileA(backup), "Could not delete the backup file\n");
692
}
693

694
static const char eventlogsvc[] = "SYSTEM\\CurrentControlSet\\Services\\Eventlog";
695
static const char eventlogname[] = "Wine";
696
static const char eventsources[][11] = { "WineSrc", "WineSrc1", "WineSrc20", "WineSrc300" };
697

698
static BOOL create_new_eventlog(void)
699
{
700
    HKEY key, eventkey;
701
    BOOL bret = FALSE;
702
    LONG lret;
703
    DWORD i;
704

705
    /* First create our eventlog */
706
    lret = RegOpenKeyA(HKEY_LOCAL_MACHINE, eventlogsvc, &key);
707
    if (lret != ERROR_SUCCESS)
708
    {
709
        skip("Could not open the EventLog service registry key\n");
710
        return FALSE;
711
    }
712
    lret = RegCreateKeyA(key, eventlogname, &eventkey);
713
    if (lret != ERROR_SUCCESS)
714
    {
715
        skip("Could not create the eventlog '%s' registry key\n", eventlogname);
716
        goto cleanup;
717
    }
718

719
    /* Create some event sources, the registry value 'Sources' is updated automatically */
720
    for (i = 0; i < ARRAY_SIZE(eventsources); i++)
721
    {
722
        HKEY srckey;
723

724
        lret = RegCreateKeyA(eventkey, eventsources[i], &srckey);
725
        if (lret != ERROR_SUCCESS)
726
        {
727
            skip("Could not create the eventsource '%s' registry key\n", eventsources[i]);
728
            goto cleanup;
729
        }
730
        RegFlushKey(srckey);
731
        RegCloseKey(srckey);
732
    }
733

734
    bret = TRUE;
735

736
    /* The flushing of the registry (here and above) gives us some assurance
737
     * that we are not to quickly writing events as 'Sources' could still be
738
     * not updated.
739
     */
740
    RegFlushKey(eventkey);
741
cleanup:
742
    RegCloseKey(eventkey);
743
    RegCloseKey(key);
744

745
    return bret;
746
}
747

748
static const char *one_string[] = { "First string" };
749
static const char *two_strings[] = { "First string", "Second string" };
750
static const struct
751
{
752
    const char  *evt_src;
753
    WORD         evt_type;
754
    WORD         evt_cat;
755
    DWORD        evt_id;
756
    BOOL         evt_sid;
757
    WORD         evt_numstrings;
758
    const char **evt_strings;
759
} read_write [] =
760
{
761
    { eventlogname,    EVENTLOG_INFORMATION_TYPE, 1, 1,  FALSE, 1, one_string },
762
    { eventsources[0], EVENTLOG_WARNING_TYPE,     1, 2,  FALSE, 0, NULL },
763
    { eventsources[1], EVENTLOG_AUDIT_FAILURE,    1, 3,  FALSE, 2, two_strings },
764
    { eventsources[2], EVENTLOG_ERROR_TYPE,       1, 4,  FALSE, 0, NULL },
765
    { eventsources[3], EVENTLOG_WARNING_TYPE,     1, 5,  FALSE, 1, one_string },
766
    { eventlogname,    EVENTLOG_SUCCESS,          2, 6,  TRUE,  2, two_strings },
767
    { eventsources[0], EVENTLOG_AUDIT_FAILURE,    2, 7,  TRUE,  0, NULL },
768
    { eventsources[1], EVENTLOG_AUDIT_SUCCESS,    2, 8,  TRUE,  2, two_strings },
769
    { eventsources[2], EVENTLOG_WARNING_TYPE,     2, 9,  TRUE,  0, NULL },
770
    { eventsources[3], EVENTLOG_ERROR_TYPE,       2, 10, TRUE,  1, one_string }
771
};
772

773
static void test_readwrite(void)
774
{
775
    HANDLE handle;
776
    PSID user;
777
    DWORD sidsize, count;
778
    BOOL ret, sidavailable;
779
    BOOL on_vista = FALSE; /* Used to indicate Vista, W2K8 or Win7 */
780
    DWORD i;
781
    char *localcomputer = NULL;
782
    DWORD size;
783
    void* buf;
784

785
    if (pCreateWellKnownSid)
786
    {
787
        sidsize = SECURITY_MAX_SID_SIZE;
788
        user = malloc(sidsize);
789
        SetLastError(0xdeadbeef);
790
        pCreateWellKnownSid(WinInteractiveSid, NULL, user, &sidsize);
791
        sidavailable = TRUE;
792
    }
793
    else
794
    {
795
        win_skip("Skipping some SID related tests\n");
796
        sidavailable = FALSE;
797
        user = NULL;
798
    }
799

800
    /* Write an event with an incorrect event type. This will fail on Windows 7
801
     * but succeed on all others, hence it's not part of the struct.
802
     */
803
    handle = OpenEventLogA(NULL, eventlogname);
804
    if (!handle)
805
    {
806
        /* Intermittently seen on NT4 when tests are run immediately after boot */
807
        win_skip("Could not get a handle to the eventlog\n");
808
        goto cleanup;
809
    }
810

811
    count = 0xdeadbeef;
812
    GetNumberOfEventLogRecords(handle, &count);
813
    if (count != 0)
814
    {
815
        /* Needed for W2K3 without a service pack */
816
        win_skip("We most likely opened the Application eventlog\n");
817
        CloseEventLog(handle);
818
        Sleep(2000);
819

820
        handle = OpenEventLogA(NULL, eventlogname);
821
        ok(handle != NULL, "OpenEventLogA(%s) failed : %ld\n", eventlogname, GetLastError());
822
        count = 0xdeadbeef;
823
        GetNumberOfEventLogRecords(handle, &count);
824
        if (count != 0)
825
        {
826
            win_skip("We didn't open our new eventlog\n");
827
            CloseEventLog(handle);
828
            goto cleanup;
829
        }
830
    }
831

832
    SetLastError(0xdeadbeef);
833
    ret = ReportEventA(handle, 0x20, 0, 0, NULL, 0, 0, NULL, NULL);
834
    if (!ret && GetLastError() == ERROR_CRC)
835
    {
836
        win_skip("Win7 fails when using incorrect event types\n");
837
        ret = ReportEventA(handle, 0, 0, 0, NULL, 0, 0, NULL, NULL);
838
        ok(ret, "Expected success : %ld\n", GetLastError());
839
    }
840
    else
841
    {
842
        void *buf;
843
        DWORD read, needed = 0;
844
        EVENTLOGRECORD *record;
845

846
        ok(ret, "Expected success : %ld\n", GetLastError());
847

848
        /* Needed to catch earlier Vista (with no ServicePack for example) */
849
        buf = malloc(sizeof(EVENTLOGRECORD));
850
        if (!(ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
851
                                  0, buf, sizeof(EVENTLOGRECORD), &read, &needed)) &&
852
            GetLastError() == ERROR_INSUFFICIENT_BUFFER)
853
        {
854
            buf = realloc(buf, needed);
855
            ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
856
                                0, buf, needed, &read, &needed);
857
        }
858
        if (ret)
859
        {
860
            record = (EVENTLOGRECORD *)buf;
861

862
            /* Vista and W2K8 return EVENTLOG_SUCCESS, Windows versions before return
863
             * the written eventtype (0x20 in this case).
864
             */
865
            if (record->EventType == EVENTLOG_SUCCESS)
866
                on_vista = TRUE;
867
        }
868
        free(buf);
869
    }
870

871
    /* This will clear the eventlog. The record numbering for new
872
     * events however differs on Vista SP1+. Before Vista the first
873
     * event would be numbered 1, on Vista SP1+ it's higher as we already
874
     * had at least one event (more in case of multiple test runs without
875
     * a reboot).
876
     */
877
    ClearEventLogA(handle, NULL);
878
    CloseEventLog(handle);
879

880
    /* Write a bunch of events while using different event sources */
881
    for (i = 0; i < ARRAY_SIZE(read_write); i++)
882
    {
883
        DWORD oldest;
884
        BOOL run_sidtests = read_write[i].evt_sid & sidavailable;
885

886
        winetest_push_context("%lu:%s", i, read_write[i].evt_src);
887

888
        /* We don't need to use RegisterEventSource to report events */
889
        if (i % 2)
890
            handle = OpenEventLogA(NULL, read_write[i].evt_src);
891
        else
892
            handle = RegisterEventSourceA(NULL, read_write[i].evt_src);
893
        ok(handle != NULL, "Expected a handle\n");
894

895
        SetLastError(0xdeadbeef);
896
        ret = ReportEventA(handle, read_write[i].evt_type, read_write[i].evt_cat,
897
                           read_write[i].evt_id, run_sidtests ? user : NULL,
898
                           read_write[i].evt_numstrings, 0, read_write[i].evt_strings, NULL);
899
        ok(ret, "Expected ReportEvent success : %ld\n", GetLastError());
900

901
        count = 0xdeadbeef;
902
        SetLastError(0xdeadbeef);
903
        ret = GetNumberOfEventLogRecords(handle, &count);
904
        ok(ret, "Expected GetNumberOfEventLogRecords success : %ld\n", GetLastError());
905
        todo_wine
906
        ok(count == (i + 1), "Expected %ld records, got %ld\n", i + 1, count);
907

908
        oldest = 0xdeadbeef;
909
        ret = GetOldestEventLogRecord(handle, &oldest);
910
        ok(ret, "Expected GetOldestEventLogRecord success : %ld\n", GetLastError());
911
        todo_wine
912
        ok(oldest == 1 ||
913
           (oldest > 1 && oldest != 0xdeadbeef), /* Vista SP1+, W2K8 and Win7 */
914
           "Expected oldest to be 1 or higher, got %ld\n", oldest);
915
        if (oldest > 1 && oldest != 0xdeadbeef)
916
            on_vista = TRUE;
917

918
        SetLastError(0xdeadbeef);
919
        if (i % 2)
920
            ret = CloseEventLog(handle);
921
        else
922
            ret = DeregisterEventSource(handle);
923
        ok(ret, "Expected success : %ld\n", GetLastError());
924
        winetest_pop_context();
925
    }
926

927
    handle = OpenEventLogA(NULL, eventlogname);
928
    ok(handle != NULL, "OpenEventLogA(%s) failed : %ld\n", eventlogname, GetLastError());
929
    count = 0xdeadbeef;
930
    ret = GetNumberOfEventLogRecords(handle, &count);
931
    ok(ret, "Expected success : %ld\n", GetLastError());
932
    todo_wine
933
    ok(count == i, "Expected %ld records, got %ld\n", i, count);
934
    CloseEventLog(handle);
935

936
    if (count == 0)
937
    {
938
        skip("No events were written to the eventlog\n");
939
        goto cleanup;
940
    }
941

942
    /* Report only once */
943
    if (on_vista)
944
        skip("There is no DWORD alignment enforced for UserSid on Vista, W2K8 or Win7\n");
945

946
    if (on_vista && pGetComputerNameExA)
947
    {
948
        /* New Vista+ behavior */
949
        size = 0;
950
        SetLastError(0xdeadbeef);
951
        pGetComputerNameExA(ComputerNameDnsFullyQualified, NULL, &size);
952
        localcomputer = malloc(size);
953
        pGetComputerNameExA(ComputerNameDnsFullyQualified, localcomputer, &size);
954
    }
955
    else
956
    {
957
        size = MAX_COMPUTERNAME_LENGTH + 1;
958
        localcomputer = malloc(size);
959
        GetComputerNameA(localcomputer, &size);
960
    }
961

962
    /* Read all events from our created eventlog, one by one */
963
    handle = OpenEventLogA(NULL, eventlogname);
964
    ok(handle != NULL, "OpenEventLogA(%s) failed : %ld\n", eventlogname, GetLastError());
965
    i = 0;
966
    size = sizeof(EVENTLOGRECORD) + 128;
967
    buf = malloc(size);
968
    for (;;)
969
    {
970
        DWORD read, needed;
971
        EVENTLOGRECORD *record;
972
        char *sourcename, *computername;
973
        int k;
974
        char *ptr;
975
        BOOL run_sidtests = read_write[i].evt_sid & sidavailable;
976

977
        winetest_push_context("%lu", i);
978

979
        SetLastError(0xdeadbeef);
980
        ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
981
                            0, buf, sizeof(EVENTLOGRECORD), &read, &needed);
982
        ok(!ret, "Expected failure\n");
983
        if (!ret && GetLastError() != ERROR_INSUFFICIENT_BUFFER)
984
        {
985
            ok(GetLastError() == ERROR_HANDLE_EOF, "record %ld, got %ld\n", i, GetLastError());
986
            winetest_pop_context();
987
            break;
988
        }
989

990
        if (needed > size)
991
        {
992
             free(buf);
993
             size = needed;
994
             buf = malloc(size);
995
        }
996
        ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ,
997
                            0, buf, needed, &read, &needed);
998
        ok(ret, "Expected success: %ld\n", GetLastError());
999
        if (!ret)
1000
        {
1001
             winetest_pop_context();
1002
             break;
1003
        }
1004
        record = (EVENTLOGRECORD *)buf;
1005

1006
        ok(record->Length == read,
1007
           "Expected %ld, got %ld\n", read, record->Length);
1008
        ok(record->Reserved == 0x654c664c,
1009
           "Expected 0x654c664c, got %ld\n", record->Reserved);
1010
        ok(record->RecordNumber == i + 1 ||
1011
           (on_vista && (record->RecordNumber > i + 1)),
1012
           "Expected %ld or higher, got %ld\n", i + 1, record->RecordNumber);
1013
        ok(record->EventID == read_write[i].evt_id,
1014
           "Expected %ld, got %ld\n", read_write[i].evt_id, record->EventID);
1015
        ok(record->EventType == read_write[i].evt_type,
1016
           "Expected %d, got %d\n", read_write[i].evt_type, record->EventType);
1017
        ok(record->NumStrings == read_write[i].evt_numstrings,
1018
           "Expected %d, got %d\n", read_write[i].evt_numstrings, record->NumStrings);
1019
        ok(record->EventCategory == read_write[i].evt_cat,
1020
           "Expected %d, got %d\n", read_write[i].evt_cat, record->EventCategory);
1021

1022
        sourcename = (char *)((BYTE *)buf + sizeof(EVENTLOGRECORD));
1023
        ok(!lstrcmpA(sourcename, read_write[i].evt_src), "Expected '%s', got '%s'\n",
1024
           read_write[i].evt_src, sourcename);
1025

1026
        computername = (char *)((BYTE *)buf + sizeof(EVENTLOGRECORD) + lstrlenA(sourcename) + 1);
1027
        ok(!lstrcmpiA(computername, localcomputer), "Expected '%s', got '%s'\n",
1028
           localcomputer, computername);
1029

1030
        /* Before Vista, UserSid was aligned on a DWORD boundary. Next to that if
1031
         * no padding was actually required a 0 DWORD was still used for padding. No
1032
         * application should be relying on the padding as we are working with offsets
1033
         * anyway.
1034
         */
1035

1036
        if (!on_vista)
1037
        {
1038
            DWORD calculated_sidoffset = sizeof(EVENTLOGRECORD) + lstrlenA(sourcename) + 1 + lstrlenA(computername) + 1;
1039

1040
            /* We are already DWORD aligned, there should still be some padding */
1041
            if ((((UINT_PTR)buf + calculated_sidoffset) % sizeof(DWORD)) == 0)
1042
                ok(*(DWORD *)((BYTE *)buf + calculated_sidoffset) == 0, "Expected 0\n");
1043

1044
            ok((((UINT_PTR)buf + record->UserSidOffset) % sizeof(DWORD)) == 0, "Expected DWORD alignment\n");
1045
        }
1046

1047
        if (run_sidtests)
1048
        {
1049
            ok(record->UserSidLength == sidsize, "Expected %ld, got %ld\n", sidsize, record->UserSidLength);
1050
        }
1051
        else
1052
        {
1053
            ok(record->StringOffset == record->UserSidOffset, "Expected offsets to be the same\n");
1054
            ok(record->UserSidLength == 0, "Expected 0, got %ld\n", record->UserSidLength);
1055
        }
1056

1057
        ok(record->DataLength == 0, "Expected 0, got %ld\n", record->DataLength);
1058

1059
        ptr = (char *)((BYTE *)buf + record->StringOffset);
1060
        for (k = 0; k < record->NumStrings; k++)
1061
        {
1062
            ok(!lstrcmpA(ptr, two_strings[k]), "Expected '%s', got '%s'\n", two_strings[k], ptr);
1063
            ptr += lstrlenA(ptr) + 1;
1064
        }
1065

1066
        ok(record->Length == *(DWORD *)((BYTE *)buf + record->Length - sizeof(DWORD)),
1067
           "Expected the closing DWORD to contain the length of the record\n");
1068

1069
        winetest_pop_context();
1070
        i++;
1071
    }
1072
    free(buf);
1073
    CloseEventLog(handle);
1074

1075
    /* Test clearing a real eventlog */
1076
    handle = OpenEventLogA(NULL, eventlogname);
1077
    ok(handle != NULL, "OpenEventLogA(%s) failed : %ld\n", eventlogname, GetLastError());
1078

1079
    SetLastError(0xdeadbeef);
1080
    ret = ClearEventLogA(handle, NULL);
1081
    ok(ret, "Expected success : %ld\n", GetLastError());
1082

1083
    count = 0xdeadbeef;
1084
    ret = GetNumberOfEventLogRecords(handle, &count);
1085
    ok(ret, "Expected success : %ld\n", GetLastError());
1086
    ok(count == 0, "Expected an empty eventlog, got %ld records\n", count);
1087

1088
    CloseEventLog(handle);
1089

1090
cleanup:
1091
    free(localcomputer);
1092
    free(user);
1093
}
1094

1095
/* Before Vista:
1096
 *
1097
 * Creating an eventlog on Windows (via the registry) automatically leads
1098
 * to creation of a REG_MULTI_SZ named 'Sources'. This value lists all the
1099
 * potential event sources for this eventlog. 'Sources' is automatically
1100
 * updated when a new key (aka event source) is created.
1101
 *
1102
 * Although the updating of registry keys is almost instantaneously, we
1103
 * check it after some other tests to assure we are not querying the
1104
 * registry or file system to quickly.
1105
 *
1106
 * NT4 and higher:
1107
 *
1108
 * The eventlog file itself is also automatically created, even before we
1109
 * start writing events.
1110
 */
1111
static char eventlogfile[MAX_PATH];
1112
static void test_autocreation(void)
1113
{
1114
    HKEY key, eventkey;
1115
    DWORD type, size;
1116
    LONG ret;
1117
    int i;
1118
    char *p;
1119
    char sources[sizeof(eventsources)];
1120
    char sysdir[MAX_PATH];
1121
    void *redir = 0;
1122

1123
    RegOpenKeyA(HKEY_LOCAL_MACHINE, eventlogsvc, &key);
1124
    RegOpenKeyA(key, eventlogname, &eventkey);
1125

1126
    size = sizeof(sources);
1127
    sources[0] = 0;
1128
    ret = RegQueryValueExA(eventkey, "Sources", NULL, &type, (LPBYTE)sources, &size);
1129
    if (ret == ERROR_SUCCESS)
1130
    {
1131
        char sources_verify[sizeof(eventsources)];
1132

1133
        ok(type == REG_MULTI_SZ, "Expected a REG_MULTI_SZ, got %ld\n", type);
1134

1135
        /* Build the expected string */
1136
        memset(sources_verify, 0, sizeof(sources_verify));
1137
        p = sources_verify;
1138
        for (i = ARRAY_SIZE(eventsources); i > 0; i--)
1139
        {
1140
            lstrcpyA(p, eventsources[i - 1]);
1141
            p += (lstrlenA(eventsources[i - 1]) + 1);
1142
        }
1143
        lstrcpyA(p, eventlogname);
1144

1145
        ok(!memcmp(sources, sources_verify, size),
1146
           "Expected a correct 'Sources' value (size : %ld)\n", size);
1147
    }
1148

1149
    RegCloseKey(eventkey);
1150
    RegCloseKey(key);
1151

1152
    /* The directory that holds the eventlog files could be redirected */
1153
    if (pWow64DisableWow64FsRedirection)
1154
        pWow64DisableWow64FsRedirection(&redir);
1155

1156
    /* On Windows we also automatically get an eventlog file */
1157
    GetSystemDirectoryA(sysdir, sizeof(sysdir));
1158

1159
    lstrcpyA(eventlogfile, sysdir);
1160
    lstrcatA(eventlogfile, "\\winevt\\Logs\\");
1161
    lstrcatA(eventlogfile, eventlogname);
1162
    lstrcatA(eventlogfile, ".evtx");
1163

1164
    if (pWow64RevertWow64FsRedirection)
1165
        pWow64RevertWow64FsRedirection(redir);
1166
}
1167

1168
static void cleanup_eventlog(void)
1169
{
1170
    BOOL bret;
1171
    LONG lret;
1172
    HKEY key;
1173
    DWORD i;
1174
    char winesvc[MAX_PATH];
1175

1176
    /* Delete the registry tree */
1177
    lstrcpyA(winesvc, eventlogsvc);
1178
    lstrcatA(winesvc, "\\");
1179
    lstrcatA(winesvc, eventlogname);
1180

1181
    RegOpenKeyA(HKEY_LOCAL_MACHINE, winesvc, &key);
1182
    for (i = 0; i < ARRAY_SIZE(eventsources); i++)
1183
        RegDeleteKeyA(key, eventsources[i]);
1184
    RegDeleteValueA(key, "Sources");
1185
    RegCloseKey(key);
1186
    lret = RegDeleteKeyA(HKEY_LOCAL_MACHINE, winesvc);
1187
    ok(lret == ERROR_SUCCESS, "Could not delete the registry tree : %ld\n", lret);
1188

1189
    /* A handle to the eventlog is locked by services.exe. We can only
1190
     * delete the eventlog file after reboot.
1191
     */
1192
    bret = MoveFileExA(eventlogfile, NULL, MOVEFILE_DELAY_UNTIL_REBOOT);
1193
    ok(bret, "Expected MoveFileEx to succeed: %ld\n", GetLastError());
1194
}
1195

1196
static void test_trace_event_params(void)
1197
{
1198
    static const WCHAR emptyW[] = {0};
1199
    static const GUID test_guid = {0x57696E65, 0x0000, 0x0000, {0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x01}};
1200

1201
    REGHANDLE reg_handle;
1202
    ULONG uret;
1203

1204
    if (!pEventRegister)
1205
    {
1206
        win_skip("advapi32.EventRegister is missing, skipping trace event tests\n");
1207
        return;
1208
    }
1209

1210
    uret = pEventRegister(NULL, NULL, NULL, &reg_handle);
1211
    todo_wine ok(uret == ERROR_INVALID_PARAMETER, "EventRegister gave wrong error: %#lx\n", uret);
1212

1213
    uret = pEventRegister(&test_guid, NULL, NULL, NULL);
1214
    ok(uret == ERROR_INVALID_PARAMETER, "EventRegister gave wrong error: %#lx\n", uret);
1215

1216
    uret = pEventRegister(&test_guid, NULL, NULL, &reg_handle);
1217
    ok(uret == ERROR_SUCCESS, "EventRegister gave wrong error: %#lx\n", uret);
1218

1219
    uret = pEventWriteString(0, 0, 0, emptyW);
1220
    todo_wine ok(uret == ERROR_INVALID_HANDLE, "EventWriteString gave wrong error: %#lx\n", uret);
1221

1222
    uret = pEventWriteString(reg_handle, 0, 0, NULL);
1223
    todo_wine ok(uret == ERROR_INVALID_PARAMETER, "EventWriteString gave wrong error: %#lx\n", uret);
1224

1225
    uret = pEventUnregister(0);
1226
    todo_wine ok(uret == ERROR_INVALID_HANDLE, "EventUnregister gave wrong error: %#lx\n", uret);
1227

1228
    uret = pEventUnregister(reg_handle);
1229
    ok(uret == ERROR_SUCCESS, "EventUnregister gave wrong error: %#lx\n", uret);
1230
}
1231

1232
static void test_start_trace(void)
1233
{
1234
    const char sessionname[] = "wine";
1235
    const char filepath[] = "wine.etl";
1236
    const char filepath2[] = "eniw.etl";
1237
    EVENT_TRACE_PROPERTIES *properties;
1238
    TRACEHANDLE handle;
1239
    LONG buffersize;
1240
    LONG ret;
1241

1242
    buffersize = sizeof(EVENT_TRACE_PROPERTIES) + sizeof(sessionname) + sizeof(filepath);
1243
    properties = calloc(1, buffersize);
1244
    properties->Wnode.BufferSize = buffersize;
1245
    properties->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
1246
    properties->LogFileMode = EVENT_TRACE_FILE_MODE_NONE;
1247
    properties->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
1248
    properties->LogFileNameOffset = sizeof(EVENT_TRACE_PROPERTIES) + sizeof(sessionname);
1249
    strcpy((char *)properties + properties->LogFileNameOffset, filepath);
1250

1251
    properties->Wnode.BufferSize = 0;
1252
    ret = StartTraceA(&handle, sessionname, properties);
1253
    todo_wine
1254
    ok(ret == ERROR_BAD_LENGTH ||
1255
       ret == ERROR_INVALID_PARAMETER, /* XP and 2k3 */
1256
       "Expected ERROR_BAD_LENGTH, got %ld\n", ret);
1257
    properties->Wnode.BufferSize = buffersize;
1258

1259
    ret = StartTraceA(&handle, "this name is too long", properties);
1260
    todo_wine
1261
    ok(ret == ERROR_BAD_LENGTH, "Expected ERROR_BAD_LENGTH, got %ld\n", ret);
1262

1263
    ret = StartTraceA(&handle, sessionname, NULL);
1264
    todo_wine
1265
    ok(ret == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", ret);
1266

1267
    ret = StartTraceA(NULL, sessionname, properties);
1268
    todo_wine
1269
    ok(ret == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", ret);
1270

1271
    properties->LogFileNameOffset = 1;
1272
    ret = StartTraceA(&handle, sessionname, properties);
1273
    todo_wine
1274
    ok(ret == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", ret);
1275
    properties->LogFileNameOffset = sizeof(EVENT_TRACE_PROPERTIES) + sizeof(sessionname);
1276

1277
    properties->LoggerNameOffset = 1;
1278
    ret = StartTraceA(&handle, sessionname, properties);
1279
    todo_wine
1280
    ok(ret == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", ret);
1281
    properties->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
1282

1283
    properties->LogFileMode = EVENT_TRACE_FILE_MODE_SEQUENTIAL | EVENT_TRACE_FILE_MODE_CIRCULAR;
1284
    ret = StartTraceA(&handle, sessionname, properties);
1285
    todo_wine
1286
    ok(ret == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", ret);
1287
    properties->LogFileMode = EVENT_TRACE_FILE_MODE_NONE;
1288
    /* XP creates a file we can't delete, so change the filepath to something else */
1289
    strcpy((char *)properties + properties->LogFileNameOffset, filepath2);
1290

1291
    properties->Wnode.Guid = SystemTraceControlGuid;
1292
    ret = StartTraceA(&handle, sessionname, properties);
1293
    todo_wine
1294
    ok(ret == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", ret);
1295
    memset(&properties->Wnode.Guid, 0, sizeof(properties->Wnode.Guid));
1296

1297
    properties->LogFileNameOffset = 0;
1298
    ret = StartTraceA(&handle, sessionname, properties);
1299
    todo_wine
1300
    ok(ret == ERROR_BAD_PATHNAME, "Expected ERROR_BAD_PATHNAME, got %ld\n", ret);
1301
    properties->LogFileNameOffset = sizeof(EVENT_TRACE_PROPERTIES) + sizeof(sessionname);
1302

1303
    ret = StartTraceA(&handle, sessionname, properties);
1304
    if (ret == ERROR_ACCESS_DENIED)
1305
    {
1306
        skip("need admin rights\n");
1307
        goto done;
1308
    }
1309
    ok(ret == ERROR_SUCCESS, "Expected success, got %ld\n", ret);
1310

1311
    ret = StartTraceA(&handle, sessionname, properties);
1312
    todo_wine
1313
    ok(ret == ERROR_ALREADY_EXISTS ||
1314
       ret == ERROR_SHARING_VIOLATION, /* 2k3 */
1315
       "Expected ERROR_ALREADY_EXISTS, got %ld\n", ret);
1316

1317
    /* clean up */
1318
    ControlTraceA(handle, sessionname, properties, EVENT_TRACE_CONTROL_STOP);
1319
done:
1320
    free(properties);
1321
    DeleteFileA(filepath);
1322
}
1323

1324
static BOOL read_record(HANDLE handle, DWORD flags, DWORD offset, EVENTLOGRECORD **record, DWORD *size)
1325
{
1326
    DWORD read, needed;
1327
    BOOL ret;
1328

1329
    SetLastError(0xdeadbeef);
1330
    memset(*record, 0, *size);
1331
    needed = 0;
1332
    if (!(ret = ReadEventLogW(handle, flags, offset, *record, *size, &read, &needed)) &&
1333
        GetLastError() == ERROR_INSUFFICIENT_BUFFER)
1334
    {
1335
        free(*record);
1336
        *record = malloc(needed);
1337
        SetLastError(0xdeadbeef);
1338
        memset(*record, 0, needed);
1339
        *size = needed;
1340
        ret = ReadEventLogW(handle, flags, offset, *record, *size, &read, &needed);
1341
    }
1342

1343
    return ret;
1344
}
1345

1346
static void test_eventlog_start(void)
1347
{
1348
    BOOL ret, found;
1349
    HANDLE handle, handle2;
1350
    EVENTLOGRECORD *record, *record2;
1351
    DWORD size, size2, count, count2, read, needed;
1352
    WCHAR *sourcename, *computername, *localcomputer;
1353
    char *sourcenameA, *computernameA, *localcomputerA;
1354

1355
    /* ReadEventLogW */
1356
    handle = OpenEventLogW(0, L"System");
1357
    if (!handle && (GetLastError() == ERROR_ACCESS_DENIED || GetLastError() == RPC_S_SERVER_UNAVAILABLE))
1358
    {
1359
        win_skip( "Can't open System event log\n" );
1360
        return;
1361
    }
1362
    ok(handle != NULL, "OpenEventLogW(System) failed : %ld\n", GetLastError());
1363
    handle2 = OpenEventLogW(0, L"System");
1364
    todo_wine ok(handle != handle2, "Expected different handle\n");
1365
    CloseEventLog(handle2);
1366

1367
    handle2 = OpenEventLogW(0, L"SYSTEM");
1368
    ok(!!handle2, "Expected valid handle\n");
1369
    CloseEventLog(handle2);
1370

1371
    size = MAX_COMPUTERNAME_LENGTH + 1;
1372
    localcomputer = malloc(size * sizeof(WCHAR));
1373
    GetComputerNameW(localcomputer, &size);
1374

1375
    ret = TRUE;
1376
    found = FALSE;
1377
    while (!found && ret)
1378
    {
1379
        read = needed = 0;
1380
        record = malloc(sizeof(EVENTLOGRECORD));
1381
        if (!(ret = ReadEventLogW(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ,
1382
                                  0, record, sizeof(EVENTLOGRECORD), &read, &needed)) &&
1383
            GetLastError() == ERROR_INSUFFICIENT_BUFFER)
1384
        {
1385
            record = realloc(record, needed);
1386
            ret = ReadEventLogW(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ,
1387
                                0, record, needed, &read, &needed);
1388
            ok(needed == 0, "Expected 0, got %ld\n", needed);
1389
        }
1390
        if (ret && record->EventID == EVENT_EventlogStarted)
1391
        {
1392
            ok(record->Length == read, "Expected %ld, got %ld\n", read, record->Length);
1393
            ok(record->Reserved == 0x654c664c, "Expected 0x654c664c, got %ld\n", record->Reserved);
1394
            ok(record->RecordNumber > 0, "Expected 1 or higher, got %ld\n", record->RecordNumber);
1395
            ok(record->TimeGenerated == record->TimeWritten, "Expected time values to be the same\n");
1396
            ok(record->EventType == EVENTLOG_INFORMATION_TYPE,
1397
                "Expected %d, got %d\n", EVENTLOG_INFORMATION_TYPE, record->EventType);
1398
            ok(record->NumStrings == 0, "Expected 0, got %d\n", record->NumStrings);
1399
            ok(record->EventCategory == 0, "Expected 0, got %d\n", record->EventCategory);
1400
            ok(record->ReservedFlags == 0, "Expected 0, got %d\n", record->ReservedFlags);
1401
            ok(record->ClosingRecordNumber == 0, "Expected 0, got %ld\n", record->ClosingRecordNumber);
1402
            ok(record->StringOffset == record->UserSidOffset, "Expected offsets to be the same\n");
1403
            ok(record->UserSidLength == 0, "Expected 0, got %ld\n", record->UserSidLength);
1404
            ok(record->DataLength == 24, "Expected 24, got %ld\n", record->DataLength);
1405
            ok(record->DataOffset == record->UserSidOffset, "Expected offsets to be the same\n");
1406

1407
            sourcename = (WCHAR *)(record + 1);
1408
            ok(!lstrcmpW(sourcename, L"EventLog"),
1409
                "Expected 'EventLog', got '%ls'\n", sourcename);
1410

1411
            computername = sourcename + sizeof("EventLog");
1412
            ok(!lstrcmpiW(computername, localcomputer), "Expected '%ls', got '%ls'\n",
1413
                localcomputer, computername);
1414

1415
            size = sizeof(EVENTLOGRECORD) + sizeof(L"EventLog") +
1416
                (lstrlenW(computername) + 1) * sizeof(WCHAR);
1417
            size = (size + 7) & ~7;
1418
            ok(record->DataOffset == size ||
1419
                broken(record->DataOffset == size - sizeof(WCHAR)), /* win8 */
1420
                "Expected %ld, got %ld\n", size, record->DataOffset);
1421

1422
            found = TRUE;
1423
        }
1424
        free(record);
1425
    }
1426
    todo_wine ok(found, "EventlogStarted event not found\n");
1427
    CloseEventLog(handle);
1428
    free(localcomputer);
1429

1430
    /* ReadEventLogA */
1431
    size = MAX_COMPUTERNAME_LENGTH + 1;
1432
    localcomputerA = malloc(size);
1433
    GetComputerNameA(localcomputerA, &size);
1434

1435
    handle = OpenEventLogA(0, "System");
1436
    handle2 = OpenEventLogA(0, "SYSTEM");
1437
    todo_wine ok(handle != handle2, "Expected different handle\n");
1438
    CloseEventLog(handle2);
1439

1440
    ret = TRUE;
1441
    found = FALSE;
1442
    while (!found && ret)
1443
    {
1444
        read = needed = 0;
1445
        record = malloc(sizeof(EVENTLOGRECORD));
1446
        if (!(ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ,
1447
                                  0, record, sizeof(EVENTLOGRECORD), &read, &needed)) &&
1448
            GetLastError() == ERROR_INSUFFICIENT_BUFFER)
1449
        {
1450
            record = realloc(record, needed);
1451
            ret = ReadEventLogA(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ,
1452
                                0, record, needed, &read, &needed);
1453
            ok(needed == 0, "Expected 0, got %ld\n", needed);
1454
        }
1455
        if (ret && record->EventID == EVENT_EventlogStarted)
1456
        {
1457
            ok(record->Length == read, "Expected %ld, got %ld\n", read, record->Length);
1458
            ok(record->Reserved == 0x654c664c, "Expected 0x654c664c, got %ld\n", record->Reserved);
1459
            ok(record->RecordNumber > 0, "Expected 1 or higher, got %ld\n", record->RecordNumber);
1460
            ok(record->TimeGenerated == record->TimeWritten, "Expected time values to be the same\n");
1461
            ok(record->EventType == EVENTLOG_INFORMATION_TYPE,
1462
                "Expected %d, got %d\n", EVENTLOG_INFORMATION_TYPE, record->EventType);
1463
            ok(record->NumStrings == 0, "Expected 0, got %d\n", record->NumStrings);
1464
            ok(record->EventCategory == 0, "Expected 0, got %d\n", record->EventCategory);
1465
            ok(record->ReservedFlags == 0, "Expected 0, got %d\n", record->ReservedFlags);
1466
            ok(record->ClosingRecordNumber == 0, "Expected 0, got %ld\n", record->ClosingRecordNumber);
1467
            ok(record->StringOffset == record->UserSidOffset, "Expected offsets to be the same\n");
1468
            ok(record->UserSidLength == 0, "Expected 0, got %ld\n", record->UserSidLength);
1469
            ok(record->DataLength == 24, "Expected 24, got %ld\n", record->DataLength);
1470
            ok(record->DataOffset == record->UserSidOffset, "Expected offsets to be the same\n");
1471

1472
            sourcenameA = (char *)(record + 1);
1473
            ok(!strcmp(sourcenameA, "EventLog"),
1474
                "Expected 'EventLog', got '%s'\n", sourcenameA);
1475

1476
            computernameA = sourcenameA + sizeof("EventLog");
1477
            ok(!_stricmp(computernameA, localcomputerA), "Expected '%s', got '%s'\n",
1478
                localcomputerA, computernameA);
1479

1480
            size = sizeof(EVENTLOGRECORD) + sizeof("EventLog") + strlen(computernameA) + 1;
1481
            size = (size + 7) & ~7;
1482
            ok(record->DataOffset == size ||
1483
                broken(record->DataOffset == size - 1), /* win8 */
1484
                "Expected %ld, got %ld\n", size, record->DataOffset);
1485

1486
            found = TRUE;
1487
        }
1488
        free(record);
1489
    }
1490
    todo_wine ok(found, "EventlogStarted event not found\n");
1491
    CloseEventLog(handle);
1492
    free(localcomputerA);
1493

1494
    /* SEQUENTIAL | FORWARDS - dwRecordOffset is ignored */
1495
    handle = OpenEventLogW(0, L"System");
1496
    size = sizeof(EVENTLOGRECORD) + 128;
1497
    record = malloc(size);
1498
    todo_wine {
1499
    ret = read_record(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 100, &record, &size);
1500
    ok(ret, "Expected success : %ld\n", GetLastError());
1501
    ok(record->RecordNumber == 1, "Expected 1, got %lu\n", record->RecordNumber);
1502
    ret = read_record(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 200, &record, &size);
1503
    ok(ret, "Expected success : %ld\n", GetLastError());
1504
    ok(record->RecordNumber == 2, "Expected 2, got %lu\n", record->RecordNumber);
1505

1506
    /* change direction sequentially */
1507
    ret = read_record(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ, 300, &record, &size);
1508
    ok(ret, "Expected success : %ld\n", GetLastError());
1509
    ok(record->RecordNumber == 2, "Expected 2, got %lu\n", record->RecordNumber);
1510
    ret = read_record(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ, 400, &record, &size);
1511
    ok(ret, "Expected success : %ld\n", GetLastError());
1512
    ok(record->RecordNumber == 1, "Expected 1, got %lu\n", record->RecordNumber);
1513
    }
1514

1515
    /* changing how is an error */
1516
    SetLastError(0xdeadbeef);
1517
    ret = read_record(handle, EVENTLOG_SEEK_READ | EVENTLOG_BACKWARDS_READ, 0, &record, &size);
1518
    ok(!ret, "Expected failure\n");
1519
    todo_wine
1520
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
1521
    CloseEventLog(handle);
1522

1523
    /* SEQUENTIAL | BACKWARDS - dwRecordOffset is ignored */
1524
    handle = OpenEventLogW(0, L"System");
1525
    count = 0xdeadbeef;
1526
    ret = GetNumberOfEventLogRecords(handle, &count);
1527
    ok(ret, "Expected success : %ld\n", GetLastError());
1528
    todo_wine
1529
    ok(count, "Zero records in log\n");
1530

1531
    ret = read_record(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ, 100, &record, &size);
1532
    todo_wine
1533
    ok(ret, "Expected success : %ld\n", GetLastError());
1534
    ok(record->RecordNumber == count, "Expected %lu, got %lu\n", count, record->RecordNumber);
1535
    ret = read_record(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ, 100, &record, &size);
1536
    todo_wine {
1537
    ok(ret, "Expected success : %ld\n", GetLastError());
1538
    ok(record->RecordNumber == count - 1, "Expected %lu, got %lu\n", count - 1, record->RecordNumber);
1539
    }
1540
    CloseEventLog(handle);
1541

1542
    handle = OpenEventLogW(0, L"System");
1543
    /* SEEK | FORWARDS */
1544
    /* bogus offset */
1545
    ret = read_record(handle, EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ, 0, &record, &size);
1546
    ok(!ret, "Expected failure\n");
1547
    todo_wine
1548
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
1549

1550
    count = 0xdeadbeef;
1551
    ret = GetNumberOfEventLogRecords(handle, &count);
1552
    ok(ret, "Expected success : %ld\n", GetLastError());
1553
    ret = read_record(handle, EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ, count + 1, &record, &size);
1554
    ok(!ret, "Expected failure\n");
1555
    todo_wine
1556
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
1557

1558
    todo_wine {
1559
    ret = read_record(handle, EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ, 2, &record, &size);
1560
    ok(ret, "Expected success : %ld\n", GetLastError());
1561
    ok(record->RecordNumber == 2, "Expected 2, got %lu\n", record->RecordNumber);
1562
    /* skip one */
1563
    ret = read_record(handle, EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ, 4, &record, &size);
1564
    ok(ret, "Expected success : %ld\n", GetLastError());
1565
    ok(record->RecordNumber == 4, "Expected 4, got %lu\n", record->RecordNumber);
1566
    /* seek an earlier one */
1567
    ret = read_record(handle, EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ, 3, &record, &size);
1568
    ok(ret, "Expected success : %ld\n", GetLastError());
1569
    ok(record->RecordNumber == 3, "Expected 3, got %lu\n", record->RecordNumber);
1570
    /* change how */
1571
    ret = read_record(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 100, &record, &size);
1572
    ok(ret, "Expected success : %ld\n", GetLastError());
1573
    ok(record->RecordNumber == 4 || broken(record->RecordNumber == 5) /* some win10 22h2 */,
1574
        "Expected 4, got %lu\n", record->RecordNumber);
1575
    /* change direction */
1576
    ret = read_record(handle, EVENTLOG_SEEK_READ | EVENTLOG_BACKWARDS_READ, 10, &record, &size);
1577
    ok(ret, "Expected success : %ld\n", GetLastError());
1578
    ok(record->RecordNumber == 10, "Expected 10, got %lu\n", record->RecordNumber);
1579
    }
1580
    CloseEventLog(handle);
1581

1582
    /* SEEK | BACKWARDS */
1583
    handle = OpenEventLogW(0, L"system");
1584
    /* bogus offset */
1585
    ret = read_record(handle, EVENTLOG_SEEK_READ | EVENTLOG_BACKWARDS_READ, 0, &record, &size);
1586
    ok(!ret, "Expected failure\n");
1587
    todo_wine
1588
    ok(GetLastError() == ERROR_INVALID_PARAMETER, "Expected ERROR_INVALID_PARAMETER, got %ld\n", GetLastError());
1589

1590
    todo_wine {
1591
    ret = read_record(handle, EVENTLOG_SEEK_READ | EVENTLOG_BACKWARDS_READ, 5, &record, &size);
1592
    ok(ret, "Expected success : %ld\n", GetLastError());
1593
    ok(record->RecordNumber == 5, "Expected 5, got %lu\n", record->RecordNumber);
1594
    /* skip one */
1595
    ret = read_record(handle, EVENTLOG_SEEK_READ | EVENTLOG_BACKWARDS_READ, 3, &record, &size);
1596
    ok(ret, "Expected success : %ld\n", GetLastError());
1597
    ok(record->RecordNumber == 3, "Expected 3, got %lu\n", record->RecordNumber);
1598
    /* seek a later one */
1599
    ret = read_record(handle, EVENTLOG_SEEK_READ | EVENTLOG_BACKWARDS_READ, 4, &record, &size);
1600
    ok(ret, "Expected success : %ld\n", GetLastError());
1601
    ok(record->RecordNumber == 4, "Expected 4, got %lu\n", record->RecordNumber);
1602
    /* change how */
1603
    ret = read_record(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_BACKWARDS_READ, 100, &record, &size);
1604
    ok(ret, "Expected success : %ld\n", GetLastError());
1605
    ok(record->RecordNumber == 3 || broken(record->RecordNumber == 2) /* some win10 22h2 */,
1606
        "Expected 3, got %lu\n", record->RecordNumber);
1607
    /* change direction */
1608
    ret = read_record(handle, EVENTLOG_SEEK_READ | EVENTLOG_FORWARDS_READ, 10, &record, &size);
1609
    ok(ret, "Expected success : %ld\n", GetLastError());
1610
    ok(record->RecordNumber == 10, "Expected 10, got %lu\n", record->RecordNumber);
1611
    }
1612
    CloseEventLog(handle);
1613

1614
    /* reading same log with different handles */
1615
    handle = OpenEventLogW(0, L"System");
1616
    handle2 = OpenEventLogW(0, L"SYSTEM");
1617
    todo_wine {
1618
    ret = read_record(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, &record, &size);
1619
    ok(ret, "Expected success : %ld\n", GetLastError());
1620
    ok(record->RecordNumber == 1, "Expected 1, got %lu\n", record->RecordNumber);
1621
    ret = read_record(handle2, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, &record, &size);
1622
    ok(ret, "Expected success : %ld\n", GetLastError());
1623
    ok(record->RecordNumber == 1, "Expected 1, got %lu\n", record->RecordNumber);
1624
    }
1625
    CloseEventLog(handle2);
1626
    CloseEventLog(handle);
1627

1628
    /* using source name */
1629
    size2 = size;
1630
    record2 = malloc(size2);
1631
    handle = OpenEventLogW(0, L"System");
1632
    handle2 = OpenEventLogW(0, L"EventLog");
1633
    todo_wine {
1634
    ret = read_record(handle, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, &record, &size);
1635
    ok(ret, "Expected success : %ld\n", GetLastError());
1636
    ret = read_record(handle2, EVENTLOG_SEQUENTIAL_READ | EVENTLOG_FORWARDS_READ, 0, &record2, &size2);
1637
    ok(ret, "Expected success : %ld\n", GetLastError());
1638
    }
1639
    ok(size == size2, "Expected %lu, got %lu\n", size, size2);
1640
    ok(!memcmp(record, record2, min(size, size2)), "Records miscompare\n");
1641
    count = 0xdeadbeef;
1642
    count2 = 0xdeadbeef;
1643
    ret = GetNumberOfEventLogRecords(handle, &count);
1644
    ok(ret, "Expected success : %ld\n", GetLastError());
1645
    ret = GetNumberOfEventLogRecords(handle2, &count2);
1646
    ok(ret, "Expected success : %ld\n", GetLastError());
1647
    ok(count == count2, "Expected %lu, got %lu\n", count, count2);
1648
    CloseEventLog(handle2);
1649
    CloseEventLog(handle);
1650

1651
    free(record2);
1652
    free(record);
1653
}
1654

1655
START_TEST(eventlog)
1656
{
1657
    SetLastError(0xdeadbeef);
1658
    CloseEventLog(NULL);
1659
    if (GetLastError() == ERROR_CALL_NOT_IMPLEMENTED)
1660
    {
1661
        win_skip("Event log functions are not implemented\n");
1662
        return;
1663
    }
1664

1665
    init_function_pointers();
1666

1667
    /* Parameters only */
1668
    test_open_close();
1669
    test_info();
1670
    test_count();
1671
    test_oldest();
1672
    test_backup();
1673
    test_openbackup();
1674
    test_read();
1675
    test_clear();
1676
    test_trace_event_params();
1677

1678
    /* Functional tests */
1679
    if (create_new_eventlog())
1680
    {
1681
        test_readwrite();
1682
        test_autocreation();
1683
        cleanup_eventlog();
1684
    }
1685

1686
    /* Trace tests */
1687
    test_start_trace();
1688

1689
    test_eventlog_start();
1690
}
1691

1692