Add CreateRenderContext

PiperOrigin-RevId: 387592836
Ulkar27 · Jul 29, 2021 · 3d249c5 · 3d249c5
1 parent e275348
commit 3d249c5
Show file tree

Hide file tree

Showing 2 changed files with 67 additions and 1 deletion.
diff --git a/go.mod b/go.mod
@@ -9,7 +9,7 @@ require (
   github.com/google/go-cmp v0.5.6
   github.com/google/logger v1.1.1
   github.com/google/uuid v1.3.0
-  github.com/google/winops v0.0.0-20210623230015-3a11856c7ffe
+  github.com/google/winops v0.0.0-20210728170133-1594a3207cb1
   github.com/iamacarpet/go-win64api v0.0.0-20210311141720-fe38760bed28
   github.com/pkg/errors v0.9.1
   github.com/scjalliance/comshim v0.0.0-20190308082608-cf06d2532c4e

diff --git a/go/eventlog/eventlog.go b/go/eventlog/eventlog.go
@@ -18,7 +18,9 @@ package eventlog
 import (
 	"errors"
 	"fmt"
+	"syscall"
 	"time"
+	"unsafe"
 
 	"golang.org/x/sys/windows"
 	"github.com/google/winops/winlog/wevtapi"
@@ -51,6 +53,16 @@ func (h *Event) Close() {
 	}
 }
 
+// A RenderContext is a Handle which tracks a Context as returned by EvtCreateRenderContext.
+type RenderContext Handle
+
+// Close releases a RenderContext.
+func (h *RenderContext) Close() {
+	if h != nil {
+		wevtapi.EvtClose(h.handle)
+	}
+}
+
 // A ResultSet is a Handle returned by a Query or Subscription
 type ResultSet Handle
 
@@ -71,6 +83,60 @@ func (h *Session) Close() {
 	}
 }
 
+// EvtRenderContextFlags specify which types of values to render from a given event.
+//
+// Ref: https://docs.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_render_context_flags
+type EvtRenderContextFlags uint32
+
+const (
+	// EvtRenderContextValues renders specific properties from the event.
+	EvtRenderContextValues EvtRenderContextFlags = iota
+	// EvtRenderContextSystem renders the system properties under the System element.
+	EvtRenderContextSystem
+	// EvtRenderContextUser renders all user-defined properties under the UserData or EventData element.
+	EvtRenderContextUser
+)
+
+// CreateRenderContext creates a context that specifies the information in the event that you want to render.
+//
+// The RenderContext is used to obtain only a subset of event data when querying events.
+// Without a RenderContext, the entirety of the log data will be returned.
+//
+// Passing one of EvtRenderContextSystem or EvtRenderContextUser (with valuePaths nil)
+// will render all properties under the corresponding element (System or User). Passing
+// EvtRenderContextValues along with a list of valuePaths allows the caller to obtain individual
+// event elements. valuePaths must be well formed XPath expressions. See the documentation
+// for EvtCreateRenderContext and EVT_RENDER_CONTEXT_FLAGS for more detail.
+//
+// Example, rendering all System values:
+//		eventlog.CreateRenderContext(eventlog.EvtRenderContextSystem, nil)
+//
+// Example, rendering specific values:
+//		eventlog.CreateRenderContext(eventlog.EvtRenderContextValues, &[]string{
+//				"Event/System/TimeCreated/@SystemTime", "Event/System/Provider/@Name"})
+//
+// Ref: https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtcreaterendercontext
+func CreateRenderContext(flags EvtRenderContextFlags, valuePaths *[]string) (RenderContext, error) {
+	rc := RenderContext{}
+
+	pathsPtr := uintptr(0)
+	p := []*uint16{}
+	if valuePaths != nil {
+		for _, v := range *valuePaths {
+			ptr, err := syscall.UTF16PtrFromString(v)
+			if err != nil {
+				return rc, fmt.Errorf("syscall.UTF16PtrFromString(%s): %w", v, err)
+			}
+			p = append(p, ptr)
+		}
+		pathsPtr = uintptr(unsafe.Pointer(&p[0]))
+	}
+
+	var err error
+	rc.handle, err = wevtapi.EvtCreateRenderContext(uint32(len(p)), uintptr(pathsPtr), uint32(flags))
+	return rc, err
+}
+
 // An EventSet holds one or more event handles.
 //
 // Close() must be called to release the event handles when finished.