[Win32utils-devel] [ win32utils-Bugs-21726 ] Description not shown on Win2k3-x64

Park Heesob phasis at gmail.com
Thu Sep 4 10:31:11 EDT 2008


Hi,
----- Original Message ----- 
From: "Berger, Daniel" <Daniel.Berger at qwest.com>
To: "Development and ideas for win32utils projects" 
<win32utils-devel at rubyforge.org>
Sent: Tuesday, September 02, 2008 10:57 PM
Subject: Re: [Win32utils-devel] [ win32utils-Bugs-21726 ] Description 
notshownon Win2k3-x64


> Anyone on the list have access to a 64-bit version of Windows?
>
> Dan
>
>> -----Original Message-----
>> From: win32utils-devel-bounces at rubyforge.org
>> [mailto:win32utils-devel-bounces at rubyforge.org] On Behalf Of
>> noreply at rubyforge.org
>> Sent: Friday, August 29, 2008 6:11 AM
>> To: noreply at rubyforge.org
>> Subject: [Win32utils-devel] [ win32utils-Bugs-21726 ]
>> Description not shownon Win2k3-x64
>>
>> Bugs item #21726, was opened at 2008-08-29 14:11 You can
>> respond by visiting:
>> http://rubyforge.org/tracker/?func=detail&atid=411&aid=21726&g
>> roup_id=85
>>
>> Category: win32-eventlog
>> Group: Code
>> Status: Open
>> Resolution: None
>> Priority: 3
>> Submitted By: Damjan Rems (ther)
>> Assigned to: Nobody (None)
>> Summary: Description not shown on Win2k3-x64
>>
>> Initial Comment:
>>
>> I have only one 64bit server so I cannot commit if the same
>> error was also present before or is consistant.
>>
>> Win2k3 R2 Standard x64:
>> #<struct Struct::EventLogStruct record_number=4826,
>> time_generated=Fri Aug 29 13:29:07 +0200 2008,
>> time_written=Fri Aug 29 13:29:07 +0200 2008, event_id=16022,
>> event_type="information", category=16,
>> source="MSExchangeTransport", computer="MYMAIL", user=nil,
>> string_inserts=[], description=""> #<struct
>> Struct::EventLogStruct record_number=4825, time_generated=Fri
>> Aug 29 13:29:07 +0200 2008, time_written=Fri Aug 29 13:29:07
>> +0200 2008, event_id=16002,event_type="information",
>> category=16, source="MSExchangeTransport", computer="MYMAIL",
>> user=nil, string_inserts=[], description="">
>>
>>
>> Another machine
>> Win2k3 R2 Standard 32 bit:
>> #<struct Struct::EventLogStruct record_number=489,
>> time_generated=Tue Aug 26 21:42:05 +0200 2008,
>> time_written=Tue Aug 26 21:42:05 +0200 2008, event_id=2003,
>> event_type="information", category=16, source="ESENT",
>> computer="MYDC", user=nil,string_inserts=["lsass", "480", "",
>> "4"], description="lsass (480) Shadow copy 4 freeze
>> stopped."> #<struct Struct::EventLogStruct record_number=488,
>> time_generated=Tue Aug 26 21:42:05 +0200 2008,
>> time_written=Tue Aug 26 21:42:05 +0200 2008, event_id=2001,
>> event_type="information", category=16, source="ESENT",
>> computer="MYDC", user=nil,string_inserts=["lsass", "480", "",
>> "4"], description="lsass (480) Shadow copy 4 freeze started.">
>>
>>
>> by
>> TheR
>>
There are two issues when running a 32-bit application on 64-bit Windows:

1. File System 
Redirector(http://msdn.microsoft.com/en-us/library/aa384187(VS.85).aspx)

2. Loading 64bit dll file with 32bit LoadLibraryEx API.

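Here is a patched version of get_description. It turns off WOW64 file system
redirection while the message files are looked up, and loads them with 0x2
(LOAD_LIBRARY_AS_DATAFILE) so that a 64-bit DLL can be opened for its
resources from a 32-bit process: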

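      # Builds the description text for one raw event log record.
      #
      # rec          - raw record bytes; the event id is read at offset 20,
      #                NumStrings at offset 26 and the string offset at 36.
      # event_source - source name, used as the registry subkey under
      #                BASE_KEY + @source.
      # lkey         - registry handle handed to RegOpenKeyEx.
      #
      # Returns [string_inserts, description]. string_inserts holds only the
      # strings stored in the record; placeholders added for formatting are
      # not included.
      def get_description(rec, event_source, lkey)
         # The WOW64 redirection calls are looked up at run time; when
         # kernel32 does not export them the lookup raises and redirection
         # handling is skipped.
         begin
            disable_redirection = API.new('Wow64DisableWow64FsRedirection', 'P', 'B', 'kernel32')
            revert_redirection  = API.new('Wow64RevertWow64FsRedirection', 'L', 'B', 'kernel32')
         rescue Win32::API::Error
            disable_redirection = nil
            revert_redirection  = nil
         end

         old_value       = 0.chr * 4 # receives the previous redirection state
         redirection_off = false

         if disable_redirection
            result = disable_redirection.call(old_value)
            # NOTE(review): the 'B' prototype may come back as true/false or
            # as an Integer depending on the win32-api version; treat all
            # falsy forms as failure.
            redirection_off = ![false, nil, 0].include?(result)
         end

         begin
            str      = rec[rec[36,4].unpack('L')[0] .. -1]
            num      = rec[26,2].unpack('S')[0] # NumStrings
            event_id = rec[20,4].unpack('L')[0]
            hkey     = [0].pack('L')
            key      = BASE_KEY + "#{@source}\\#{event_source}"
            buf      = 0.chr * 8192
            va_list0 = (num == 0) ? [] : str.unpack('Z*' * num)

            # Work on a copy so that placeholder strings pushed further down
            # never show up in the string_inserts returned to the caller.
            va_list = va_list0.dup

            # 0x2 is LOAD_LIBRARY_AS_DATAFILE. The message file path comes
            # from the registry, so it is mapped for its resources only.
            load_flags = DONT_RESOLVE_DLL_REFERENCES | 0x2

            if RegOpenKeyEx(lkey, key, 0, KEY_READ, hkey) == 0
               hkey = hkey.unpack('L')[0]

               begin
                  value = 'ParameterMessageFile'
                  file  = 0.chr * MAX_SIZE
                  size  = [file.length].pack('L')

                  if RegQueryValueEx(hkey, value, 0, 0, file, size) == 0
                     file = file.nstrip
                     exe  = 0.chr * MAX_SIZE
                     ExpandEnvironmentStrings(file, exe, exe.size)
                     exe = exe.nstrip

                     # Replace every %%n parameter reference in the inserts
                     va_list = va_list0.map{ |v|
                        va = v

                        v.scan(/%%(\d+)/).uniq.each{ |x|
                           # Fresh buffer per reference, so a failed lookup
                           # cannot reuse the text of the previous one.
                           buf = 0.chr * 8192

                           exe.split(';').each{ |path|
                              hmodule = LoadLibraryEx(path, 0, load_flags)

                              if hmodule != 0
                                 FormatMessage(
                                    FORMAT_MESSAGE_FROM_HMODULE |
                                    FORMAT_MESSAGE_ARGUMENT_ARRAY,
                                    hmodule,
                                    x.first.to_i,
                                    0,
                                    buf,
                                    buf.size,
                                    v
                                 )
                                 FreeLibrary(hmodule)
                                 break if buf.nstrip != ""
                              end
                           }

                           va = va.gsub("%%#{x.first}", buf.nstrip)
                        }

                        va
                     }
                  end

                  value = 'EventMessageFile'
                  file  = 0.chr * MAX_SIZE
                  size  = [file.length].pack('L')

                  if RegQueryValueEx(hkey, value, 0, 0, file, size) == 0
                     file = file.nstrip
                     exe  = 0.chr * MAX_SIZE

                     ExpandEnvironmentStrings(file, exe, exe.size)
                     exe = exe.nstrip

                     buf = 0.chr * 8192 # Drop any parameter text left over

                     # Try to retrieve message *without* expanding the inserts yet
                     exe.split(';').each{ |path|
                        hmodule = LoadLibraryEx(path, 0, load_flags)

                        if hmodule != 0
                           FormatMessage(
                              FORMAT_MESSAGE_FROM_HMODULE |
                              FORMAT_MESSAGE_IGNORE_INSERTS,
                              hmodule,
                              event_id,
                              0,
                              buf,
                              buf.size,
                              nil
                           )
                           FreeLibrary(hmodule)
                           break if buf.nstrip != "" # All messages read
                        end
                     }

                     # Determine highest %n insert number. This has to read the
                     # template *before* the buffer is reset, otherwise the scan
                     # sees an empty string and no placeholder is ever added.
                     max_insert = [
                        num,
                        buf.nstrip.scan(/%(\d+)/).map{ |m| m[0].to_i }.max
                     ].compact.max

                     buf = 0.chr * 8192 # Reset the buffer

                     # Insert dummy strings not provided by caller
                     ((num+1)..(max_insert)).each{ |x| va_list.push("%#{x}") }

                     # Keep the NUL-terminated copies referenced until the
                     # FormatMessage calls below are done; the pointer array
                     # only holds their raw addresses.
                     c_strings = va_list.map{ |s| s + 0.chr }

                     # Decide on the final list, not on num: a record without
                     # strings whose template still uses %n must get the
                     # placeholders, so that FormatMessage is not handed an
                     # argument array shorter than the template expects.
                     # NOTE(review): 'L' packs 4-byte pointers, i.e. this
                     # assumes a 32-bit process.
                     if c_strings.empty?
                        va_list_ptr = 0.chr * 4
                     else
                        va_list_ptr = c_strings.map{ |s|
                           [s].pack('P').unpack('L')[0]
                        }.pack('L*')
                     end

                     exe.split(';').each{ |path|
                        hmodule = LoadLibraryEx(path, 0, load_flags)

                        if hmodule != 0
                           FormatMessage(
                              FORMAT_MESSAGE_FROM_HMODULE |
                              FORMAT_MESSAGE_ARGUMENT_ARRAY,
                              hmodule,
                              event_id,
                              0,
                              buf,
                              buf.size,
                              va_list_ptr
                           )

                           FreeLibrary(hmodule)
                           break if buf.nstrip != "" # All messages read
                        end
                     }
                  end
               ensure
                  # Close the key even when a lookup above raises
                  RegCloseKey(hkey)
               end
            end

            [va_list0, buf.strip]
         ensure
            # Redirection is switched off for the calling thread, so it is
            # restored on every exit path, and only when it was really
            # switched off here.
            if redirection_off && revert_redirection
               revert_redirection.call(old_value.unpack('L')[0])
            end
         end
      end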
   end
end


Regards,

Park Heesob



