Interface Wevtapi

    • Field Detail

      • INSTANCE

        static final Wevtapi INSTANCE
    • Method Detail

      • EvtOpenSession

        Winevt.EVT_HANDLE EvtOpenSession​(int LoginClass,
                                         Winevt.EVT_RPC_LOGIN Login,
                                         int Timeout,
                                         int Flags)
        Establishes a connection to a remote computer that you can use when calling the other Windows Event Log functions. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385462(v=vs.85).aspx
        Parameters:
        LoginClass - [in] The connection method to use to connect to the remote computer. For possible values, see the Winevt.EVT_LOGIN_CLASS enumeration.
        Login - [in] A EVT_RPC_LOGIN structure that identifies the remote computer that you want to connect to, the user's credentials, and the type of authentication to use when connecting.
        Timeout - [in] Reserved. Must be zero.
        Flags - [in] Reserved. Must be zero.
        Returns:
        If successful, the function returns a session handle that you can use to access event log information on the remote computer; otherwise, NULL. If NULL, call the Kernel32.GetLastError() function to get the error code.
      • EvtClose

        boolean EvtClose​(Winevt.EVT_HANDLE Object)
        Closes an open handle. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385344(v=vs.85).aspx
        Parameters:
        Object - [in] An open event handle to close.
        Returns:
        True The function succeeded, False The function failed. To get the error code, call the Kernel32.GetLastError() function.
      • EvtGetExtendedStatus

        int EvtGetExtendedStatus​(int BufferSize,
                                 char[] Buffer,
                                 IntByReference BufferUsed)
        Gets a text message that contains the extended error information for the current error. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385380(v=vs.85).aspx
        Parameters:
        BufferSize - [in] The size of the Buffer buffer, in characters.
        Buffer - [in] A caller-allocated string buffer that will receive the extended error information. You can set this parameter to NULL to determine the required buffer size.
        BufferUsed - [out] The size, in characters, of the caller-allocated buffer that the function used or the required buffer size if the function fails with ERROR_INSUFFICIENT_BUFFER.
        Returns:
        The return value is ERROR_SUCCESS if the call succeeded; otherwise, a Win32 error code.
      • EvtQuery

        Winevt.EVT_HANDLE EvtQuery​(Winevt.EVT_HANDLE Session,
                                   String Path,
                                   String Query,
                                   int Flags)
        Runs a query to retrieve events from a channel or log file that match the specified query criteria. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385466(v=vs.85).aspx
        Parameters:
        Session - [in] A remote session handle that the EvtOpenSession(int, com.sun.jna.platform.win32.Winevt.EVT_RPC_LOGIN, int, int) function returns. Set to NULL to query for events on the local computer.
        Path - [in] The name of the channel or the full path to a log file that contains the events that you want to query. You can specify an .evt, .evtx, or .etl log file. The path is required if the Query parameter contains an XPath query; the path is ignored if the Query parameter contains a structured XML query and the query specifies the path.
        Query - [in] A query that specifies the types of events that you want to retrieve. You can specify an XPath 1.0 query or structured XML query. If your XPath contains more than 20 expressions, use a structured XML query. To receive all events, set this parameter to NULL or "*".
        Flags - [in] One or more flags that specify the order that you want to receive the events and whether you are querying against a channel or log file. For possible values, see the Winevt.EVT_QUERY_FLAGS enumeration.
        Returns:
        A handle to the query results if successful; otherwise, NULL. If the function returns NULL, call the Kernel32.GetLastError() function to get the error code.
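The following is an added example and not code from the JNA project: it uses EvtQuery and EvtClose as documented above, together with EvtGetExtendedStatus for the failure path, to read the most recent "audit log was cleared" records (Security-Auditing Event ID 1102) from the local Security channel and render each one as event XML. The XPath string and class name are constructed for this example; EvtNext and EvtRender are assumed to be declared in the same JNA Wevtapi interface (they are not shown on this page), and the error constants come from JNA's WinError.

```java
import com.sun.jna.Memory;
import com.sun.jna.Native;
import com.sun.jna.platform.win32.Kernel32;
import com.sun.jna.platform.win32.Wevtapi;
import com.sun.jna.platform.win32.Win32Exception;
import com.sun.jna.platform.win32.WinBase;
import com.sun.jna.platform.win32.WinError;
import com.sun.jna.platform.win32.Winevt;
import com.sun.jna.ptr.IntByReference;

import java.util.ArrayList;
import java.util.List;

/** Added example (not JNA project code): read "audit log cleared" events from the local Security channel. */
public final class AuditLogClearedQuery {

    // Constructed XPath 1.0 query. Event ID 1102 is written by Microsoft-Windows-Security-Auditing
    // when the Security log is cleared, which is exactly the record a defender wants to keep an eye on.
    static final String XPATH_LOG_CLEARED = "*[System[EventID=1102]]";

    /** Returns up to {@code max} matching events, newest first, as rendered event XML. */
    public static List<String> fetchLatest(int max) {
        Wevtapi api = Wevtapi.INSTANCE;
        List<String> xmlEvents = new ArrayList<>();

        // Session == null means the local computer; "Security" is a channel name, hence EvtQueryChannelPath.
        int flags = Winevt.EVT_QUERY_FLAGS.EvtQueryChannelPath
                | Winevt.EVT_QUERY_FLAGS.EvtQueryReverseDirection;
        Winevt.EVT_HANDLE query = api.EvtQuery(null, "Security", XPATH_LOG_CLEARED, flags);
        if (query == null) {
            int err = Kernel32.INSTANCE.GetLastError();
            // A malformed XPath yields only a generic error code; the extended status carries the parser's message.
            throw new IllegalStateException("EvtQuery failed, error " + err + ": " + extendedStatus());
        }
        try {
            Winevt.EVT_HANDLE[] batch = new Winevt.EVT_HANDLE[16];
            IntByReference returned = new IntByReference();
            while (xmlEvents.size() < max) {
                // EvtNext (assumed signature, not shown on this page) fills 'batch' with event handles.
                if (!api.EvtNext(query, batch.length, batch, WinBase.INFINITE, 0, returned)) {
                    int err = Kernel32.INSTANCE.GetLastError();
                    if (err == WinError.ERROR_NO_MORE_ITEMS) {
                        break;  // result set exhausted
                    }
                    throw new Win32Exception(err);
                }
                for (int i = 0; i < returned.getValue(); i++) {
                    try {
                        if (xmlEvents.size() < max) {
                            xmlEvents.add(renderXml(batch[i]));
                        }
                    } finally {
                        api.EvtClose(batch[i]);  // every event handle must be closed, not only the query handle
                    }
                }
            }
        } finally {
            api.EvtClose(query);
        }
        return xmlEvents;
    }

    /** Renders one event as XML with the two-call pattern: size the buffer, then fill it. */
    static String renderXml(Winevt.EVT_HANDLE event) {
        Wevtapi api = Wevtapi.INSTANCE;
        int renderFlags = Winevt.EVT_RENDER_FLAGS.EvtRenderEventXml;
        IntByReference bytesUsed = new IntByReference();
        IntByReference propertyCount = new IntByReference();
        // First call with no buffer: fails with ERROR_INSUFFICIENT_BUFFER and reports the byte count required.
        if (!api.EvtRender(null, event, renderFlags, 0, null, bytesUsed, propertyCount)
                && Kernel32.INSTANCE.GetLastError() != WinError.ERROR_INSUFFICIENT_BUFFER) {
            throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
        }
        if (bytesUsed.getValue() == 0) {
            return "";
        }
        Memory buffer = new Memory(bytesUsed.getValue());
        if (!api.EvtRender(null, event, renderFlags, (int) buffer.size(), buffer, bytesUsed, propertyCount)) {
            throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
        }
        return buffer.getWideString(0);  // null-terminated UTF-16 XML
    }

    /** Wraps EvtGetExtendedStatus with the same size-then-fill pattern, this time on a char[] buffer. */
    static String extendedStatus() {
        Wevtapi api = Wevtapi.INSTANCE;
        IntByReference charsUsed = new IntByReference();
        int rc = api.EvtGetExtendedStatus(0, null, charsUsed);  // null buffer: ask for the required size
        if ((rc != WinError.ERROR_SUCCESS && rc != WinError.ERROR_INSUFFICIENT_BUFFER) || charsUsed.getValue() == 0) {
            return "(no extended status)";
        }
        char[] text = new char[charsUsed.getValue()];
        rc = api.EvtGetExtendedStatus(text.length, text, charsUsed);
        return rc == WinError.ERROR_SUCCESS ? Native.toString(text) : "(no extended status)";
    }

    public static void main(String[] args) {
        fetchLatest(5).forEach(System.out::println);
    }
}
```

Reading the Security channel requires the caller to be an administrator or a member of the Event Log Readers group; otherwise EvtQuery returns NULL with ERROR_ACCESS_DENIED. The size-then-fill pattern in renderXml and extendedStatus is the same one every buffer-returning function on this page expects (first call with a NULL buffer, read the required size from the [out] parameter, call again).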
      • EvtSeek

        boolean EvtSeek​(Winevt.EVT_HANDLE ResultSet,
                        long Position,
                        Winevt.EVT_HANDLE Bookmark,
                        int Timeout,
                        int Flags)
        Seeks to a specific event in a query result set. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385481(v=vs.85).aspx
        Parameters:
        ResultSet - [in] The handle to a query result set that the EvtQuery(com.sun.jna.platform.win32.Winevt.EVT_HANDLE, java.lang.String, java.lang.String, int) function returns.
        Position - [in] The zero-based offset to an event in the result set. The flag that you specify in the Flags parameter indicates the beginning relative position in the result set from which to seek. For example, you can seek from the beginning of the results or from the end of the results. Set to 0 to move to the relative position specified by the flag.
        Bookmark - [in] A handle to a bookmark that the EvtCreateBookmark(java.lang.String) function returns. The bookmark identifies an event in the result set to which you want to seek. Set this parameter only if the Flags parameter has the EvtSeekRelativeToBookmark flag set.
        Timeout - [in] Reserved. Must be zero.
        Flags - [in] One or more flags that indicate the relative position in the result set from which to seek. For possible values, see the Winevt.EVT_SEEK_FLAGS enumeration.
        Returns:
        True The function was successful, False The function failed. To get the error code, call the Kernel32.GetLastError() function.
      • EvtSubscribe

        Winevt.EVT_HANDLE EvtSubscribe​(Winevt.EVT_HANDLE Session,
                                       Winevt.EVT_HANDLE SignalEvent,
                                       String ChannelPath,
                                       String Query,
                                       Winevt.EVT_HANDLE Bookmark,
                                       Pointer Context,
                                       Callback Callback,
                                       int Flags)
        Creates a subscription that will receive current and future events from a channel or log file that match the specified query criteria. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385487(v=vs.85).aspx
        Parameters:
        Session - [in] A remote session handle that the EvtOpenSession(int, com.sun.jna.platform.win32.Winevt.EVT_RPC_LOGIN, int, int) function returns. Set to NULL to subscribe to events on the local computer.
        SignalEvent - [in] The handle to an event object that the service will signal when new events are available that match your query criteria. This parameter must be NULL if the Callback parameter is not NULL.
        ChannelPath - [in] The name of the Admin or Operational channel that contains the events that you want to subscribe to (you cannot subscribe to Analytic or Debug channels). The path is required if the Query parameter contains an XPath query; the path is ignored if the Query parameter contains a structured XML query.
        Query - [in] A query that specifies the types of events that you want the subscription service to return. You can specify an XPath 1.0 query or structured XML query. If your XPath contains more than 20 expressions, use a structured XML query. To receive all events, set this parameter to NULL or "*".
        Bookmark - [in] A handle to a bookmark that identifies the starting point for the subscription. To get a bookmark handle, call the EvtCreateBookmark(java.lang.String) function. You must set this parameter if the Flags parameter contains the EvtSubscribeStartAfterBookmark flag; otherwise, NULL.
        Context - [in] A caller-defined context value that the subscription service will pass to the specified callback each time it delivers an event.
        Callback - [in] Pointer to your EVT_SUBSCRIBE_CALLBACK callback function that will receive the subscription events. This parameter must be NULL if the SignalEvent parameter is not NULL.
        Flags - [in] One or more flags that specify when to start subscribing to events. For example, if you specify Winevt.EVT_SUBSCRIBE_FLAGS.EvtSubscribeStartAtOldestRecord, the service will retrieve all current and future events that match your query criteria; however, if you specify Winevt.EVT_SUBSCRIBE_FLAGS.EvtSubscribeToFutureEvents, the service returns only future events that match your query criteria. For possible values, see the Winevt.EVT_SUBSCRIBE_FLAGS enumeration.
        Returns:
        A handle to the subscription if successful; otherwise, NULL. If the function returns NULL, call the Kernel32.GetLastError() function to get the error code. You must call the EvtClose function with the subscription handle when done.
      • EvtFormatMessage

        boolean EvtFormatMessage​(Winevt.EVT_HANDLE PublisherMetadata,
                                 Winevt.EVT_HANDLE Event,
                                 int MessageId,
                                 int ValueCount,
                                 Winevt.EVT_VARIANT[] Values,
                                 int Flags,
                                 int BufferSize,
                                 char[] Buffer,
                                 IntByReference BufferUsed)
        Formats a message string. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385359(v=vs.85).aspx
        Parameters:
        PublisherMetadata - [in] A handle to the provider's metadata that the EvtOpenPublisherMetadata(com.sun.jna.platform.win32.Winevt.EVT_HANDLE, java.lang.String, java.lang.String, int, int) function returns. The handle acts as a formatting context for the event or message identifier.

        You can set this parameter to NULL if the Windows Event Collector service forwarded the event. Forwarded events include a RenderingInfo section that contains the rendered message strings. You can also set this parameter to NULL if the event property that you are formatting is defined in the Winmeta.xml file (for example, if level is set to win:Error). In the latter case, the service uses the Winmeta provider as the formatting context and will format only those message strings that you reference in your event that are defined in the Winmeta.xml file.

        Event - [in] A handle to an event. The Flags parameter specifies the message string in the event that you want to format. This parameter must be NULL if the Flags parameter is set to EvtFormatMessageId.
        MessageId - [in] The resource identifier of the message string that you want to format. To get the resource identifier for a message string, call the EvtGetPublisherMetadataProperty(com.sun.jna.platform.win32.Winevt.EVT_HANDLE, int, int, int, com.sun.jna.Pointer, com.sun.jna.ptr.IntByReference) function. Set this parameter only if the Flags parameter is set to EvtFormatMessageId.
        ValueCount - [in] The number of values in the Values parameter.
        Values - [in] An array of insertion values to use when formatting the event's message string. Typically, you set this parameter to NULL and the function gets the insertion values from the event data itself. You would use this parameter to override the default behavior and supply the insertion values to use. For example, you might use this parameter if you wanted to resolve a SID to a principal name before inserting the value.

        To override the insertion values, the Flags parameter must be set to Winevt.EVT_FORMAT_MESSAGE_FLAGS.EvtFormatMessageEvent, Winevt.EVT_FORMAT_MESSAGE_FLAGS.EvtFormatMessageXml, or Winevt.EVT_FORMAT_MESSAGE_FLAGS.EvtFormatMessageId. If Flags is set to Winevt.EVT_FORMAT_MESSAGE_FLAGS.EvtFormatMessageId, the resource identifier must identify the event's message string.

        Flags - [in] A flag that specifies the message string in the event to format. For possible values, see the Winevt.EVT_FORMAT_MESSAGE_FLAGS enumeration.
        BufferSize - [in] The size of the Buffer buffer, in characters.
        Buffer - [in] A caller-allocated buffer that will receive the formatted message string. You can set this parameter to NULL to determine the required buffer size.
        BufferUsed - [out] The size, in characters, of the caller-allocated buffer that the function used or the required buffer size if the function fails with ERROR_INSUFFICIENT_BUFFER.
        Returns:
        True The function was successful, False The function failed. To get the error code, call the Kernel32.GetLastError() function.
      • EvtOpenLog

        Winevt.EVT_HANDLE EvtOpenLog​(Winevt.EVT_HANDLE Session,
                                     String Path,
                                     int Flags)
        Gets a handle to a channel or log file that you can then use to get information about the channel or log file. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385447(v=vs.85).aspx
        Parameters:
        Session - [in] A remote session handle that the EvtOpenSession(int, com.sun.jna.platform.win32.Winevt.EVT_RPC_LOGIN, int, int) function returns. Set to NULL to open a channel or log on the local computer.
        Path - [in] The name of the channel or the full path to the exported log file.
        Flags - [in] A flag that determines whether the Path parameter points to a log file or channel. For possible values, see the Winevt.EVT_OPEN_LOG_FLAGS enumeration.
        Returns:
        If successful, the function returns a handle to the file or channel; otherwise, NULL. If NULL, call the Kernel32.GetLastError() function to get the error code.
      • EvtGetLogInfo

        boolean EvtGetLogInfo​(Winevt.EVT_HANDLE Log,
                              int PropertyId,
                              int PropertyValueBufferSize,
                              Pointer PropertyValueBuffer,
                              IntByReference PropertyValueBufferUsed)
        Gets information about a channel or log file. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385385(v=vs.85).aspx
        Parameters:
        Log - [in] A handle to the channel or log file that the EvtOpenLog(com.sun.jna.platform.win32.Winevt.EVT_HANDLE, java.lang.String, int) function returns.
        PropertyId - [in] The identifier of the property to retrieve. For a list of property identifiers, see the Winevt.EVT_LOG_PROPERTY_ID enumeration.
        PropertyValueBufferSize - [in] The size of the PropertyValueBuffer buffer, in bytes.
        PropertyValueBuffer - [in] A caller-allocated buffer that will receive the property value. The buffer contains an EVT_VARIANT object. You can set this parameter to NULL to determine the required buffer size.
        PropertyValueBufferUsed - [out] The size, in bytes, of the caller-allocated buffer that the function used or the required buffer size if the function fails with ERROR_INSUFFICIENT_BUFFER.
        Returns:
        True The function was successful, False The function failed. To get the error code, call the Kernel32.GetLastError() function.
      • EvtClearLog

        boolean EvtClearLog​(Winevt.EVT_HANDLE Session,
                            String ChannelPath,
                            String TargetFilePath,
                            int Flags)
        Removes all events from the specified channel and writes them to the target log file. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385340(v=vs.85).aspx
        Parameters:
        Session - [in, optional] A remote session handle that the EvtOpenSession(int, com.sun.jna.platform.win32.Winevt.EVT_RPC_LOGIN, int, int) function returns. Set to NULL for local channels.
        ChannelPath - [in] The name of the channel to clear.
        TargetFilePath - [in, optional] The full path to the target log file that will receive the events. Set to NULL to clear the log file and not save the events.
        Flags - [in] Reserved. Must be zero.
        Returns:
        True The function was successful, False The function failed. To get the error code, call the Kernel32.GetLastError() function.
      • EvtExportLog

        boolean EvtExportLog​(Winevt.EVT_HANDLE Session,
                             String Path,
                             String Query,
                             String TargetFilePath,
                             int Flags)
        Copies events from the specified channel or log file and writes them to the target log file. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385355(v=vs.85).aspx
        Parameters:
        Session - [in, optional] A remote session handle that the EvtOpenSession(int, com.sun.jna.platform.win32.Winevt.EVT_RPC_LOGIN, int, int) function returns. Set to NULL for local channels.
        Path - [in] The name of the channel or the full path to a log file that contains the events that you want to export. If the Query parameter contains an XPath query, you must specify the channel or log file. If the Flags parameter contains Winevt.EVT_EXPORTLOG_FLAGS.EvtExportLogFilePath, you must specify the log file. If the Query parameter contains a structured XML query, the channel or path that you specify here must match the channel or path in the query. If the Flags parameter contains Winevt.EVT_EXPORTLOG_FLAGS.EvtExportLogChannelPath, this parameter can be NULL if the query is a structured XML query that specifies the channel.
        Query - [in] A query that specifies the types of events that you want to export. You can specify an XPath 1.0 query or structured XML query. If your XPath contains more than 20 expressions, use a structured XML query. To export all events, set this parameter to NULL or "*".
        TargetFilePath - [in] The full path to the target log file that will receive the events. The target log file must not exist.
        Flags - [in] Flags that indicate whether the events come from a channel or log file. For possible values, see the Winevt.EVT_EXPORTLOG_FLAGS enumeration.
        Returns:
        True The function was successful, False The function failed. To get the error code, call the Kernel32.GetLastError() function.
      • EvtArchiveExportedLog

        boolean EvtArchiveExportedLog​(Winevt.EVT_HANDLE Session,
                                      String LogFilePath,
                                      int Locale,
                                      int Flags)
        Adds localized strings to the events in the specified log file. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385232(v=vs.85).aspx
        Parameters:
        Session - [in] A remote session handle that the EvtOpenSession(int, com.sun.jna.platform.win32.Winevt.EVT_RPC_LOGIN, int, int) function returns. Set to NULL for local channels.
        LogFilePath - [in] The full path to the exported log file that contains the events to localize.
        Locale - [in] The locale to use to localize the strings that the service adds to the events in the log file. If zero, the function uses the calling thread's locale. If the provider's resources do not contain the locale, the string is empty.
        Flags - [in] Reserved. Must be zero.
        Returns:
        True The function succeeded, False The function failed. To get the error code, call the Kernel32.GetLastError() function.
      • EvtOpenChannelEnum

        Winevt.EVT_HANDLE EvtOpenChannelEnum​(Winevt.EVT_HANDLE Session,
                                             int Flags)
        Gets a handle that you use to enumerate the list of channels that are registered on the computer. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385437(v=vs.85).aspx
        Parameters:
        Session - [in] A remote session handle that the EvtOpenSession(int, com.sun.jna.platform.win32.Winevt.EVT_RPC_LOGIN, int, int) function returns. Set to NULL to enumerate the channels on the local computer.
        Flags - [in] Reserved. Must be zero.
        Returns:
        If successful, the function returns a handle to the list of channel names that are registered on the computer; otherwise, NULL. If NULL, call the Kernel32.GetLastError() function to get the error code.
      • EvtNextChannelPath

        boolean EvtNextChannelPath​(Winevt.EVT_HANDLE ChannelEnum,
                                   int ChannelPathBufferSize,
                                   char[] ChannelPathBuffer,
                                   IntByReference ChannelPathBufferUsed)
        Gets a channel name from the enumerator. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385412(v=vs.85).aspx
        Parameters:
        ChannelEnum - [in] A handle to the enumerator that the EvtOpenChannelEnum(com.sun.jna.platform.win32.Winevt.EVT_HANDLE, int) function returns.
        ChannelPathBufferSize - [in] The size of the ChannelPathBuffer buffer, in characters.
        ChannelPathBuffer - [in] A caller-allocated buffer that will receive the name of the channel. You can set this parameter to NULL to determine the required buffer size.
        ChannelPathBufferUsed - [out] The size, in characters, of the caller-allocated buffer that the function used or the required buffer size if the function fails with ERROR_INSUFFICIENT_BUFFER.
        Returns:
        True The function succeeded, False The function failed. To get the error code, call the Kernel32.GetLastError() function.
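An added example, not JNA project code, showing EvtOpenChannelEnum and EvtNextChannelPath used together: the loop keeps a reusable char[] buffer, grows it when a call fails with ERROR_INSUFFICIENT_BUFFER (the enumerator does not advance on that failure, so the retry returns the same channel), and stops on ERROR_NO_MORE_ITEMS. The class name is constructed; the error constants and Win32Exception come from JNA's platform package.

```java
import com.sun.jna.Native;
import com.sun.jna.platform.win32.Kernel32;
import com.sun.jna.platform.win32.Wevtapi;
import com.sun.jna.platform.win32.Win32Exception;
import com.sun.jna.platform.win32.WinError;
import com.sun.jna.platform.win32.Winevt;
import com.sun.jna.ptr.IntByReference;

import java.util.ArrayList;
import java.util.List;

/** Added example (not JNA project code): list every event log channel registered on the local machine. */
public final class ChannelInventory {

    public static List<String> listChannels() {
        Wevtapi api = Wevtapi.INSTANCE;
        // Session == null enumerates the local computer; Flags is reserved and must be zero.
        Winevt.EVT_HANDLE channelEnum = api.EvtOpenChannelEnum(null, 0);
        if (channelEnum == null) {
            throw new Win32Exception(Kernel32.INSTANCE.GetLastError());
        }
        List<String> channels = new ArrayList<>();
        try {
            char[] buffer = new char[256];            // starting size; grown on demand below
            IntByReference charsUsed = new IntByReference();
            while (true) {
                if (api.EvtNextChannelPath(channelEnum, buffer.length, buffer, charsUsed)) {
                    channels.add(Native.toString(buffer));  // stops at the terminating null
                    continue;
                }
                int err = Kernel32.INSTANCE.GetLastError();
                if (err == WinError.ERROR_NO_MORE_ITEMS) {
                    break;                               // enumeration finished
                }
                if (err == WinError.ERROR_INSUFFICIENT_BUFFER) {
                    buffer = new char[charsUsed.getValue()];  // required size, in characters, incl. the null
                    continue;                                  // retry the same channel with a large enough buffer
                }
                throw new Win32Exception(err);
            }
        } finally {
            api.EvtClose(channelEnum);   // enumerator handles must be closed like any other EVT_HANDLE
        }
        return channels;
    }

    public static void main(String[] args) {
        listChannels().forEach(System.out::println);
    }
}
```

A channel inventory like this is a cheap baseline check on a monitored host: comparing the returned list against an expected set catches channels that were unregistered or added since the last run, and each name can be fed to EvtOpenLog and EvtGetLogInfo (documented above) to read record counts and last-write times.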
      • EvtOpenChannelConfig

        Winevt.EVT_HANDLE EvtOpenChannelConfig​(Winevt.EVT_HANDLE Session,
                                               String ChannelPath,
                                               int Flags)
        Gets a handle that you use to read or modify a channel's configuration property. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385430(v=vs.85).aspx
        Parameters:
        Session - [in] A remote session handle that the EvtOpenSession(int, com.sun.jna.platform.win32.Winevt.EVT_RPC_LOGIN, int, int) function returns. Set to NULL to access a channel on the local computer.
        ChannelPath - [in] The name of the channel to access.
        Flags - [in] Reserved. Must be zero.
        Returns:
        If successful, the function returns a handle to the channel's configuration; otherwise, NULL. If NULL, call the Kernel32.GetLastError() function to get the error code.
      • EvtSetChannelConfigProperty

        boolean EvtSetChannelConfigProperty​(Winevt.EVT_HANDLE ChannelConfig,
                                            int PropertyId,
                                            int Flags,
                                            Winevt.EVT_VARIANT PropertyValue)
        Sets the specified configuration property of a channel. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385484(v=vs.85).aspx
        Parameters:
        ChannelConfig - [in] A handle to the channel's configuration properties that the EvtOpenChannelConfig(com.sun.jna.platform.win32.Winevt.EVT_HANDLE, java.lang.String, int) function returns.
        PropertyId - [in] The identifier of the channel property to set. For a list of property identifiers, see the Winevt.EVT_CHANNEL_CONFIG_PROPERTY_ID enumeration.
        Flags - [in] Reserved. Must be zero.
        PropertyValue - [in] The property value to set. A caller-allocated buffer that contains the new configuration property value. The buffer contains an EVT_VARIANT object. Be sure to set the configuration value and variant type.
        Returns:
        True The function succeeded, False The function failed. To get the error code, call the Kernel32.GetLastError() function.
      • EvtGetChannelConfigProperty

        boolean EvtGetChannelConfigProperty​(Winevt.EVT_HANDLE ChannelConfig,
                                            int PropertyId,
                                            int Flags,
                                            int PropertyValueBufferSize,
                                            Pointer PropertyValueBuffer,
                                            IntByReference PropertyValueBufferUsed)
        Gets the specified channel configuration property. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385362(v=vs.85).aspx
        Parameters:
        ChannelConfig - [in] A handle to the channel's configuration properties that the EvtOpenChannelConfig(com.sun.jna.platform.win32.Winevt.EVT_HANDLE, java.lang.String, int) function returns.
        PropertyId - [in] The identifier of the channel property to retrieve. For a list of property identifiers, see the Winevt.EVT_CHANNEL_CONFIG_PROPERTY_ID enumeration.
        Flags - [in] Reserved. Must be zero.
        PropertyValueBufferSize - [in] The size of the PropertyValueBuffer buffer, in bytes.
        PropertyValueBuffer - [in] A caller-allocated buffer that will receive the configuration property. The buffer contains an EVT_VARIANT object. You can set this parameter to NULL to determine the required buffer size.
        PropertyValueBufferUsed - [out] The size, in bytes, of the caller-allocated buffer that the function used or the required buffer size if the function fails with ERROR_INSUFFICIENT_BUFFER.
        Returns:
        True The function succeeded, False The function failed. To get the error code, call the Kernel32.GetLastError() function.
      • EvtOpenPublisherEnum

        Winevt.EVT_HANDLE EvtOpenPublisherEnum​(Winevt.EVT_HANDLE Session,
                                               int Flags)
        Gets a handle that you use to enumerate the list of registered providers on the computer. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385451(v=vs.85).aspx
        Parameters:
        Session - [in] A remote session handle that the EvtOpenSession(int, com.sun.jna.platform.win32.Winevt.EVT_RPC_LOGIN, int, int) function returns. Set to NULL to enumerate the registered providers on the local computer.
        Flags - [in] Reserved. Must be zero.
        Returns:
        If successful, the function returns a handle to the list of registered providers; otherwise, NULL. If NULL, call the Kernel32.GetLastError() function to get the error code.
      • EvtNextPublisherId

        boolean EvtNextPublisherId​(Winevt.EVT_HANDLE PublisherEnum,
                                   int PublisherIdBufferSize,
                                   char[] PublisherIdBuffer,
                                   IntByReference PublisherIdBufferUsed)
        Gets the identifier of a provider from the enumerator. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385425(v=vs.85).aspx
        Parameters:
        PublisherEnum - [in] A handle to the registered providers enumerator that the EvtOpenPublisherEnum(com.sun.jna.platform.win32.Winevt.EVT_HANDLE, int) function returns.
        PublisherIdBufferSize - [in] The size of the PublisherIdBuffer buffer, in characters.
        PublisherIdBuffer - [in] A caller-allocated buffer that will receive the name of the registered provider. You can set this parameter to NULL to determine the required buffer size.
        PublisherIdBufferUsed - [out] The size, in characters, of the caller-allocated buffer that the function used or the required buffer size if the function fails with ERROR_INSUFFICIENT_BUFFER.
        Returns:
        True The function succeeded, False The function failed. To get the error code, call the Kernel32.GetLastError() function.
      • EvtOpenPublisherMetadata

        Winevt.EVT_HANDLE EvtOpenPublisherMetadata​(Winevt.EVT_HANDLE EvtHandleSession,
                                                   String PublisherIdentity,
                                                   String LogFilePath,
                                                   int Locale,
                                                   int Flags)
        Gets a handle that you use to read the specified provider's metadata. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385458(v=vs.85).aspx
        Parameters:
        EvtHandleSession - [in, optional] A remote session handle that the EvtOpenSession(int, com.sun.jna.platform.win32.Winevt.EVT_RPC_LOGIN, int, int) function returns. Set to NULL to get the metadata for a provider on the local computer.
        PublisherIdentity - [in] The name of the provider. To enumerate the names of the providers registered on the computer, call the EvtOpenPublisherEnum(com.sun.jna.platform.win32.Winevt.EVT_HANDLE, int) function.
        LogFilePath - [in, optional] The full path to an archived log file that contains the events that the provider logged. An archived log file also contains the provider's metadata. Use this parameter when the provider is not registered on the local computer. Set to NULL when reading the metadata from a registered provider.
        Locale - [in] The locale identifier to use when accessing the localized metadata from the provider. To create the locale identifier, use the MAKELCID macro. Set to 0 to use the locale identifier of the calling thread.
        Flags - [in] Reserved. Must be zero.
        Returns:
        If successful, the function returns a handle to the provider's metadata; otherwise, NULL. If NULL, call the Kernel32.GetLastError() function to get the error code.
      • EvtGetPublisherMetadataProperty

        boolean EvtGetPublisherMetadataProperty​(Winevt.EVT_HANDLE PublisherMetadata,
                                                int PropertyId,
                                                int Flags,
                                                int PublisherMetadataPropertyBufferSize,
                                                Pointer PublisherMetadataPropertyBuffer,
                                                IntByReference PublisherMetadataPropertyBufferUsed)
        Gets the specified provider metadata property. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385399(v=vs.85).aspx
        Parameters:
        PublisherMetadata - [in] A handle to the metadata that the EvtOpenPublisherMetadata(com.sun.jna.platform.win32.Winevt.EVT_HANDLE, java.lang.String, java.lang.String, int, int) function returns.
        PropertyId - [in] The identifier of the metadata property to retrieve. For a list of property identifiers, see the Winevt.EVT_PUBLISHER_METADATA_PROPERTY_ID enumeration.
        Flags - [in] Reserved. Must be zero.
        PublisherMetadataPropertyBufferSize - [in] The size of the PublisherMetadataPropertyBuffer buffer, in bytes.
        PublisherMetadataPropertyBuffer - [in] A caller-allocated buffer that will receive the metadata property. The buffer contains an EVT_VARIANT object. You can set this parameter to NULL to determine the required buffer size.
        PublisherMetadataPropertyBufferUsed - [out] The size, in bytes, of the caller-allocated buffer that the function used or the required buffer size if the function fails with ERROR_INSUFFICIENT_BUFFER.
        Returns:
        True The function succeeded, False The function failed. To get the error code, call the Kernel32.GetLastError() function.
      • EvtGetEventMetadataProperty

        boolean EvtGetEventMetadataProperty​(Winevt.EVT_HANDLE EventMetadata,
                                            int PropertyId,
                                            int Flags,
                                            int EventMetadataPropertyBufferSize,
                                            Pointer Buffer,
                                            IntByReference BufferUsed)
        Gets the specified event metadata property. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385376(v=vs.85).aspx
        Parameters:
        EventMetadata - [in] A handle to the event metadata that the EvtNextEventMetadata(com.sun.jna.platform.win32.Winevt.EVT_HANDLE, int) function returns.
        PropertyId - [in] The identifier of the metadata property to retrieve. For a list of property identifiers, see the Winevt.EVT_EVENT_METADATA_PROPERTY_ID enumeration.
        Flags - [in] Reserved. Must be zero.
        EventMetadataPropertyBufferSize - [in] The size of the EventMetadataPropertyBuffer buffer, in bytes.
        Buffer - [in] A caller-allocated buffer that will receive the metadata property. The buffer contains an EVT_VARIANT object. You can set this parameter to NULL to determine the required buffer size.
        BufferUsed - [out] The size, in bytes, of the caller-allocated buffer that the function used or the required buffer size if the function fails with ERROR_INSUFFICIENT_BUFFER.
        Returns:
        True The function succeeded, False The function failed. To get the error code, call the Kernel32.GetLastError() function.
      • EvtGetObjectArrayProperty

        boolean EvtGetObjectArrayProperty​(Pointer ObjectArray,
                                          int PropertyId,
                                          int ArrayIndex,
                                          int Flags,
                                          int PropertyValueBufferSize,
                                          Pointer PropertyValueBuffer,
                                          IntByReference PropertyValueBufferUsed)
        Gets a provider metadata property from the specified object in the array. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385389(v=vs.85).aspx
        Parameters:
        ObjectArray - [in] A handle to an array of objects that the EvtGetPublisherMetadataProperty(com.sun.jna.platform.win32.Winevt.EVT_HANDLE, int, int, int, com.sun.jna.Pointer, com.sun.jna.ptr.IntByReference) function returns.
        PropertyId - [in] The property identifier of the metadata property that you want to get from the specified object. For possible values, see the Remarks section of Winevt.EVT_PUBLISHER_METADATA_PROPERTY_ID.
        ArrayIndex - [in] The zero-based index of the object in the array.
        Flags - [in] Reserved. Must be zero.
        PropertyValueBufferSize - [in] The size of the PropertyValueBuffer buffer, in bytes.
        PropertyValueBuffer - [in] A caller-allocated buffer that will receive the metadata property. The buffer contains an EVT_VARIANT object. You can set this parameter to NULL to determine the required buffer size.
        PropertyValueBufferUsed - [out] The size, in bytes, of the caller-allocated buffer that the function used or the required buffer size if the function fails with ERROR_INSUFFICIENT_BUFFER.
        Returns:
        True The function succeeded, False The function failed. To get the error code, call the Kernel32.GetLastError() function.
      • EvtCreateBookmark

        Winevt.EVT_HANDLE EvtCreateBookmark​(String BookmarkXml)
        Creates a bookmark that identifies an event in a channel. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385348(v=vs.85).aspx
        Parameters:
        BookmarkXml - [in, optional] An XML string that contains a previously saved bookmark, or NULL to create a new, empty bookmark.
        Returns:
        A handle to the bookmark if the call succeeds; otherwise, NULL. If NULL, call the Kernel32.GetLastError() function to get the error code.
      • EvtUpdateBookmark

        boolean EvtUpdateBookmark​(Winevt.EVT_HANDLE Bookmark,
                                  Winevt.EVT_HANDLE Event)
        Updates the bookmark with information that identifies the specified event. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385489(v=vs.85).aspx
        Parameters:
        Bookmark - [in] The handle to the bookmark to be updated. The EvtCreateBookmark(java.lang.String) function returns this handle.
        Event - [in] The handle to the event to bookmark.
        Returns:
        True The function succeeded, False The function failed. To get the error code, call the Kernel32.GetLastError() function.
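        The two bookmark calls above are the basis of gap-free log collection: EvtCreateBookmark gives a cursor, EvtUpdateBookmark moves it to the last event handled, and the cursor is rendered to XML and stored so the next run can resume from it. The following is an added example of that checkpoint loop written against the JNA binding on this page; it is not code from JNA or from Microsoft. It assumes the constant names JNA uses in Winevt (EVT_QUERY_FLAGS, EVT_SEEK_FLAGS, EVT_RENDER_FLAGS) and JNA's Wevtapi signatures for EvtQuery, EvtNext, EvtSeek and EvtRender; the channel name and the bookmark file name are sample inputs.

```java
import com.sun.jna.Memory;
import com.sun.jna.platform.win32.Kernel32;
import com.sun.jna.platform.win32.W32Errors;
import com.sun.jna.platform.win32.Wevtapi;
import com.sun.jna.platform.win32.Win32Exception;
import com.sun.jna.platform.win32.WinBase;
import com.sun.jna.platform.win32.Winevt;
import com.sun.jna.platform.win32.Winevt.EVT_HANDLE;
import com.sun.jna.ptr.IntByReference;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.function.Consumer;

/** Added example, not JNA's own code: checkpointed channel reading with EvtCreateBookmark/EvtUpdateBookmark. */
public final class BookmarkCheckpoint {
    private static final Wevtapi API = Wevtapi.INSTANCE;

    private static Win32Exception lastError() { return new Win32Exception(Kernel32.INSTANCE.GetLastError()); }

    /** Render an event or a bookmark handle to XML text, sizing the buffer the way EvtRender demands. */
    static String renderXml(EVT_HANDLE fragment, int renderFlag) {
        IntByReference used = new IntByReference();
        IntByReference propertyCount = new IntByReference();
        if (!API.EvtRender(null, fragment, renderFlag, 0, null, used, propertyCount)
                && Kernel32.INSTANCE.GetLastError() != W32Errors.ERROR_INSUFFICIENT_BUFFER) {
            throw lastError();
        }
        Memory buf = new Memory(used.getValue());          // BufferUsed is in bytes, terminating NUL included
        if (!API.EvtRender(null, fragment, renderFlag, (int) buf.size(), buf, used, propertyCount)) {
            throw lastError();
        }
        return buf.getWideString(0);                        // event and bookmark XML are UTF-16
    }

    /** Reopen the bookmark saved by a previous run, or start from an empty one. */
    static EVT_HANDLE loadBookmark(Path file) throws IOException {
        String xml = Files.isRegularFile(file)
                ? new String(Files.readAllBytes(file), StandardCharsets.UTF_8) : null;
        EVT_HANDLE bookmark = API.EvtCreateBookmark(xml);   // NULL XML => new, empty bookmark
        if (bookmark == null) throw lastError();
        return bookmark;
    }

    /**
     * Deliver every event after the checkpoint to sink, advance the bookmark past each one and
     * persist it once at the end. A crash mid-batch therefore replays the batch (at-least-once)
     * rather than skipping events; consumers must tolerate duplicates.
     */
    static int drain(String channel, Path bookmarkFile, Consumer<String> sink) throws IOException {
        EVT_HANDLE bookmark = loadBookmark(bookmarkFile);
        EVT_HANDLE query = API.EvtQuery(null, channel, "*",
                Winevt.EVT_QUERY_FLAGS.EvtQueryChannelPath | Winevt.EVT_QUERY_FLAGS.EvtQueryForwardDirection);
        if (query == null) throw lastError();
        int processed = 0;
        try {
            if (Files.isRegularFile(bookmarkFile)) {
                // Position 1 relative to the bookmark = the event after the bookmarked one. EvtSeekStrict
                // turns a bookmark that no longer resolves (channel cleared or rotated) into an error
                // instead of a silent restart from the oldest record.
                if (!API.EvtSeek(query, 1, bookmark, 0,
                        Winevt.EVT_SEEK_FLAGS.EvtSeekRelativeToBookmark | Winevt.EVT_SEEK_FLAGS.EvtSeekStrict)) {
                    throw lastError();
                }
            }
            EVT_HANDLE[] batch = new EVT_HANDLE[64];
            IntByReference returned = new IntByReference();
            while (API.EvtNext(query, batch.length, batch, WinBase.INFINITE, 0, returned)) {
                for (int i = 0; i < returned.getValue(); i++) {
                    try {
                        sink.accept(renderXml(batch[i], Winevt.EVT_RENDER_FLAGS.EvtRenderEventXml));
                        if (!API.EvtUpdateBookmark(bookmark, batch[i])) throw lastError();
                        processed++;
                    } finally {
                        API.EvtClose(batch[i]);
                    }
                }
            }
            if (Kernel32.INSTANCE.GetLastError() != W32Errors.ERROR_NO_MORE_ITEMS) throw lastError();
            // Persist atomically: a torn checkpoint file is worse than an old one.
            Path tmp = bookmarkFile.resolveSibling(bookmarkFile.getFileName() + ".tmp");
            Files.write(tmp, renderXml(bookmark, Winevt.EVT_RENDER_FLAGS.EvtRenderBookmark)
                    .getBytes(StandardCharsets.UTF_8));
            Files.move(tmp, bookmarkFile, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
        } finally {
            API.EvtClose(query);
            API.EvtClose(bookmark);
        }
        return processed;
    }

    public static void main(String[] args) throws IOException {
        String channel = args.length > 0 ? args[0] : "Application";   // "Security" needs Event Log Readers rights
        int n = drain(channel, Paths.get(channel + ".bookmark.xml"), System.out::println);
        System.out.println(n + " new event(s) since last checkpoint");
    }
}
```

        Treat the checkpoint file as integrity-sensitive: whoever can rewrite it can move the collector's cursor past events, so it belongs in a location only the collector's account can write. The bookmark records the channel and the record identifier of the last event handled, which is why the same XML resumes correctly across restarts but not across a cleared channel, hence the strict seek.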
      • EvtGetEventInfo

        boolean EvtGetEventInfo​(Winevt.EVT_HANDLE Event,
                                int PropertyId,
                                int PropertyValueBufferSize,
                                Pointer PropertyValueBuffer,
                                IntByReference PropertyValueBufferUsed)
        Gets information that identifies the structured XML query that selected the event and the channel or log file that contained the event. https://msdn.microsoft.com/en-us/library/windows/desktop/aa385372(v=vs.85).aspx
        Parameters:
        Event - [in] A handle to an event for which you want to retrieve information.
        PropertyId - [in] A flag that identifies the information to retrieve. For example, the query identifier or the path. For possible values, see the Winevt.EVT_EVENT_PROPERTY_ID enumeration.
        PropertyValueBufferSize - [in] The size of the PropertyValueBuffer buffer, in bytes.
        PropertyValueBuffer - [in] A caller-allocated buffer that will receive the information. The buffer contains an EVT_VARIANT object. You can set this parameter to NULL to determine the required buffer size.
        PropertyValueBufferUsed - [out] The size, in bytes, of the caller-allocated buffer that the function used or the required buffer size if the function fails with ERROR_INSUFFICIENT_BUFFER.
        Returns:
        True The function succeeded, False The function failed. To get the error code, call the Kernel32.GetLastError() function.
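        EvtGetPublisherMetadataProperty, EvtGetObjectArrayProperty and EvtGetEventInfo all follow the same protocol: call with a NULL buffer, receive ERROR_INSUFFICIENT_BUFFER together with the required size, allocate exactly that, call again, and only then read the EVT_VARIANT. The following added example (mine, not JNA's or Microsoft's code) puts that protocol in one routine and uses it for all three calls: it enumerates the channels a provider declares through the object array that EvtPublisherMetadataChannelReferences returns, then asks EvtGetEventInfo which channel an event came from. It assumes JNA's constant names in Winevt (EVT_PUBLISHER_METADATA_PROPERTY_ID, EVT_EVENT_PROPERTY_ID, EVT_QUERY_FLAGS), decodes the variant from the Win32 EVT_VARIANT layout directly rather than through Winevt.EVT_VARIANT so the byte-level contract stays visible, and treats the provider name and the Application channel as sample inputs.

```java
import com.sun.jna.Memory;
import com.sun.jna.Pointer;
import com.sun.jna.platform.win32.Kernel32;
import com.sun.jna.platform.win32.W32Errors;
import com.sun.jna.platform.win32.Wevtapi;
import com.sun.jna.platform.win32.Win32Exception;
import com.sun.jna.platform.win32.WinBase;
import com.sun.jna.platform.win32.Winevt;
import com.sun.jna.platform.win32.Winevt.EVT_HANDLE;
import com.sun.jna.ptr.IntByReference;
import java.util.ArrayList;
import java.util.List;

/** Added example, not JNA's own code: one sizing routine for every EVT_VARIANT-returning Evt* call. */
public final class EvtVariantReader {
    private static final Wevtapi API = Wevtapi.INSTANCE;

    // Win32 EVT_VARIANT layout: value union (8 bytes) at offset 0, DWORD Count at 8, DWORD Type at 12.
    private static final int TYPE_OFFSET = 12;
    static final int EVT_VAR_TYPE_STRING = 1;      // EvtVarTypeString
    static final int EVT_VAR_TYPE_UINT32 = 8;      // EvtVarTypeUInt32
    static final int EVT_VAR_TYPE_EVT_HANDLE = 32; // EvtVarTypeEvtHandle

    /** An Evt* call with only its buffer arguments left open; on failure GetLastError() holds the code. */
    interface SizedCall { boolean call(int bufferSize, Pointer buffer, IntByReference bufferUsed); }

    private static Win32Exception lastError() { return new Win32Exception(Kernel32.INSTANCE.GetLastError()); }

    /**
     * Probe with a NULL buffer (fails with ERROR_INSUFFICIENT_BUFFER and the size), allocate exactly
     * that, call again, then check the variant type before trusting the union. The returned Memory
     * owns the EVT_VARIANT and any string it points into, so keep it alive until the value is copied out.
     */
    static Memory readVariant(SizedCall fn, int expectedType) {
        IntByReference used = new IntByReference();
        if (!fn.call(0, null, used) && Kernel32.INSTANCE.GetLastError() != W32Errors.ERROR_INSUFFICIENT_BUFFER) {
            throw lastError();
        }
        Memory buf = new Memory(used.getValue());
        if (!fn.call((int) buf.size(), buf, used)) throw lastError();
        int type = buf.getInt(TYPE_OFFSET);
        if (type != expectedType) {
            throw new IllegalStateException("EVT_VARIANT type " + type + ", expected " + expectedType);
        }
        return buf;
    }

    static String stringValue(Memory variant) { return variant.getPointer(0).getWideString(0); } // StringVal
    static int uint32Value(Memory variant) { return variant.getInt(0); }                          // UInt32Val

    /** Channel value/path pairs a provider declares, read from the object array behind EvtPublisherMetadataChannelReferences. */
    static List<String> providerChannels(String provider) {
        EVT_HANDLE meta = API.EvtOpenPublisherMetadata(null, provider, null, 0, 0);
        if (meta == null) throw lastError();
        List<String> channels = new ArrayList<>();
        try {
            Memory refs = readVariant((size, buf, used) -> API.EvtGetPublisherMetadataProperty(meta,
                    Winevt.EVT_PUBLISHER_METADATA_PROPERTY_ID.EvtPublisherMetadataChannelReferences,
                    0, size, buf, used), EVT_VAR_TYPE_EVT_HANDLE);
            Pointer array = refs.getPointer(0);   // EvtHandleVal: the object-array handle, released with EvtClose
            try {
                IntByReference count = new IntByReference();
                if (!API.EvtGetObjectArraySize(array, count)) throw lastError();
                for (int i = 0; i < count.getValue(); i++) {
                    final int index = i;
                    Memory path = readVariant((size, buf, used) -> API.EvtGetObjectArrayProperty(array,
                            Winevt.EVT_PUBLISHER_METADATA_PROPERTY_ID.EvtPublisherMetadataChannelReferencePath,
                            index, 0, size, buf, used), EVT_VAR_TYPE_STRING);
                    Memory id = readVariant((size, buf, used) -> API.EvtGetObjectArrayProperty(array,
                            Winevt.EVT_PUBLISHER_METADATA_PROPERTY_ID.EvtPublisherMetadataChannelReferenceID,
                            index, 0, size, buf, used), EVT_VAR_TYPE_UINT32);
                    channels.add(uint32Value(id) + " -> " + stringValue(path));
                }
            } finally {
                API.EvtClose(new EVT_HANDLE(array));
            }
        } finally {
            API.EvtClose(meta);
        }
        return channels;
    }

    /** The channel or log file an event was read from (EvtEventPath); needed when one query spans several sources. */
    static String eventPath(EVT_HANDLE event) {
        return stringValue(readVariant((size, buf, used) -> API.EvtGetEventInfo(event,
                Winevt.EVT_EVENT_PROPERTY_ID.EvtEventPath, size, buf, used), EVT_VAR_TYPE_STRING));
    }

    public static void main(String[] args) {
        System.out.println(providerChannels("Microsoft-Windows-Security-Auditing"));
        EVT_HANDLE query = API.EvtQuery(null, "Application", "*",
                Winevt.EVT_QUERY_FLAGS.EvtQueryChannelPath | Winevt.EVT_QUERY_FLAGS.EvtQueryReverseDirection);
        if (query == null) throw lastError();
        EVT_HANDLE[] newest = new EVT_HANDLE[1];
        IntByReference returned = new IntByReference();
        if (API.EvtNext(query, 1, newest, WinBase.INFINITE, 0, returned) && returned.getValue() == 1) {
            System.out.println("newest Application event came from " + eventPath(newest[0]));
            API.EvtClose(newest[0]);
        }
        API.EvtClose(query);
    }
}
```

        The type check in readVariant is the part worth keeping: the buffer is caller-owned and the union is untyped, so reading StringVal out of a variant that is actually a UInt32 dereferences an integer as a pointer. Checking Type against what the property is documented to return catches that before the cast, and the same routine then serves every property on this page without a per-call copy of the two-call dance.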