Worked on EventLog providers script

Author: joachimmetz

.gitignore

@@ -13,5 +13,6 @@
 /__pycache__
 /build
 /dist
+/MANIFEST.test_data
 /winregrc.egg-info
 

config/dpkg/changelog

@@ -1,5 +1,5 @@
-winreg-kb (20220106-1) unstable; urgency=low
+winreg-kb (20220111-1) unstable; urgency=low
 
   * Auto-generated
 
- -- Joachim Metz <[email protected]>  Thu, 06 Jan 2022 12:32:48 +0100
+ -- Joachim Metz <[email protected]>  Tue, 11 Jan 2022 06:08:17 +0100

docs/sources/EventLog-keys.md

@@ -11,27 +11,48 @@ Note that the combined information of both keys can be needed, for example
 the Services\EventLog key:
 
 ```
-Log source              : WinMgmt
-Identifier              : {1edeee53-0afe-4609-b846-d8c0b2075b1f}
-Log type                : Application
+Log type                : System
+Log source              : Microsoft-Windows-Time-Service
+Identifier              : {06edcfeb-0fd0-4e53-acca-a6f8bbf81bcb}
+Event message files     : %SystemRoot%\system32\w32time.dll
+```
+
+```
+Log type                : System
+Log source              : W32Time
+Identifier              : {06edcfeb-0fd0-4e53-acca-a6f8bbf81bcb}
+Event message files     : %SystemRoot%\system32\w32time.dll
 ```
 
 In combination with the corresponding WINEVT\Publishers key:
 
 ```
-Log source              : Microsoft-Windows-WMI
-Identifier              : {1edeee53-0afe-4609-b846-d8c0b2075b1f}
-Event message files     : %SystemRoot%\system32\wbem\WinMgmtR.dll
+Name			: Microsoft-Windows-Time-Service
+Identifier              : {06edcfeb-0fd0-4e53-acca-a6f8bbf81bcb}
+Event message files     : %SystemRoot%\system32\w32time.dll
+```
+
+Is the following EvenLog provider:
+
+```
+Name			: Microsoft-Windows-Time-Service
+Identifier              : {06edcfeb-0fd0-4e53-acca-a6f8bbf81bcb}
+Log type                : System
+Log source(s)           : Microsoft-Windows-Time-Service
+                        : W32Time
+Event message files     : %SystemRoot%\system32\w32time.dll
 ```
 
-Is the following EvenLog provider, that has multiple log sources:
+Note that an EventLog provider can have multiple log types and log sources.
+It is not known if a log source that matches the EventLog provider name can be
+deduplicated.
+
+Or as specified as Event XML:
 
 ```
-Log source              : WinMgmt
-                        : Microsoft-Windows-WMI
-Identifier              : {1edeee53-0afe-4609-b846-d8c0b2075b1f}
-Log type                : Application
-Event message files     : %systemroot%\system32\wbem\winmgmtr.dll
+<Provider Name='Microsoft-Windows-Time-Service'
+          Guid='{06edcfeb-0fd0-4e53-acca-a6f8bbf81bcb}'
+          EventSourceName='W32Time'/>
 ```
 
 ## Services\EventLog key
@@ -127,15 +148,16 @@ Values:
 
 Name | Data type | Description
 --- | --- | ---
-(default) | | Case insensitive log source.
-MessageFileName | | Path to an event message file. An event message file contains language-dependent strings that describe the events.
-ResourceFileName | | Path to an event resource file.
+(default) | REG_SZ | Case insensitive log source.
+MessageFileName | REG_EXPAND_SZ | Path to an event message file. An event message file contains language-dependent strings that describe the events.
+ResourceFileName | REG_EXPAND_SZ | Path to an event resource file.
+ParameterFileName | REG_EXPAND_SZ | Path to an event parameter file.
 
 ## Message file paths
 
 A message file path can be defined in numerous different ways for example:
 
-As an abosolute path
+As an absolute path
 
 ```
 C:\Windows\System32\mscoree.dll
@@ -177,8 +199,10 @@ Last written time: Oct 30, 2015 07:25:12.126588100 UTC
 Value: 0 providerGuid
 Type: string (REG_SZ)
 Data size: 78
-Data: {D4BE7726-DC7A-11DF-A6E6-0902DFD72085}
+Data: {d4be7726-dc7a-11df-a6e6-0902dfd72085}
+```
 
+```
 Key path: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{89203471-d554-47d4-bde4-7552ec219999}
 Name: {89203471-d554-47d4-bde4-7552ec219999}
 Last written time: Oct 30, 2015 07:25:53.860831900 UTC
@@ -199,6 +223,63 @@ Data size: 66
 Data: %SystemRoot%\system32\KdsCli.dll
 ```
 
+## EventLog provider with multiple log types
+
+Seen on Windows 10:
+
+```
+Key path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\Microsoft-Windows-EventCollector
+Name: Microsoft-Windows-EventCollector
+Last written time: Sep 13, 2014 07:27:56.080450600 UTC
+
+Value: 0 ProviderGuid
+Type: string (REG_SZ)
+Data size: 78
+Data: {b977cf02-76f6-df84-cc1a-6a4b232322b6}
+
+Value: 1 EventMessageFile
+Type: expandable string (REG_EXPAND_SZ)
+Data size: 66
+Data: %SystemRoot%\system32\wecsvc.dll
+```
+
+```
+Key path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System\Microsoft-Windows-EventCollector
+Name: Microsoft-Windows-EventCollector
+Last written time: Sep 13, 2014 07:27:56.080450600 UTC
+
+Value: 0 ProviderGuid
+Type: string (REG_SZ)
+Data size: 78
+Data: {b977cf02-76f6-df84-cc1a-6a4b232322b6}
+
+Value: 1 EventMessageFile
+Type: expandable string (REG_EXPAND_SZ)
+Data size: 66
+Data: %SystemRoot%\system32\wecsvc.dll
+```
+
+```
+Key path:  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{b977cf02-76f6-df84-cc1a-6a4b232322b6}
+Name: {b977cf02-76f6-df84-cc1a-6a4b232322b6}
+Last written time: Sep 13, 2014 07:27:56.080450600 UTC
+
+Value: 0 (default)
+Type: string (REG_SZ)
+Data size: 66
+Data: Microsoft-Windows-EventCollector
+
+Value: 1 ResourceFileName
+Type: expandable string (REG_EXPAND_SZ)
+Data size: 66
+Data: %SystemRoot%\system32\wecsvc.dll
+
+Value: 2 MessageFileName
+Type: expandable string (REG_EXPAND_SZ)
+Data size: 66
+Data: %SystemRoot%\system32\wecsvc.dll
+```
+
 ## External Links
 
 * [Eventlog Key](https://docs.microsoft.com/en-us/windows/win32/eventlog/eventlog-key)

scripts/eventlog_providers.py

@@ -22,48 +22,55 @@ def WriteEventLogProvider(self, eventlog_provider):
     Args:
       eventlog_provider (EventLogProvider): Event Log provider.
     """
-    for index, log_source in enumerate(sorted(eventlog_provider.log_sources)):
-      if index == 0:
-        text = 'Log source(s)\t\t: {0:s}\n'.format(log_source)
-      else:
-        text = '\t\t\t: {0:s}\n'.format(log_source)
-      self.WriteText(text)
-
-    if eventlog_provider.log_type:
-      text = 'Log type\t\t: {0:s}\n'.format(eventlog_provider.log_type)
+    if eventlog_provider.name:
+      text = 'Name\t\t\t\t: {0:s}\n'.format(eventlog_provider.name)
       self.WriteText(text)
 
     if eventlog_provider.identifier:
-      text = 'Identifier\t\t: {0:s}\n'.format(eventlog_provider.identifier)
+      text = 'Identifier\t\t\t: {0:s}\n'.format(eventlog_provider.identifier)
       self.WriteText(text)
 
     if eventlog_provider.additional_identifier:
-      text = 'Additional identifier\t: {0:s}\n'.format(
+      text = 'Additional identifier\t\t: {0:s}\n'.format(
           eventlog_provider.additional_identifier)
       self.WriteText(text)
 
+    for index, log_type in enumerate(sorted(eventlog_provider.log_types)):
+      if index == 0:
+        text = 'Log type(s)\t\t\t: {0:s}\n'.format(log_type)
+      else:
+        text = '\t\t\t\t: {0:s}\n'.format(log_type)
+      self.WriteText(text)
+
+    for index, log_source in enumerate(sorted(eventlog_provider.log_sources)):
+      if index == 0:
+        text = 'Log source(s)\t\t\t: {0:s}\n'.format(log_source)
+      else:
+        text = '\t\t\t\t: {0:s}\n'.format(log_source)
+      self.WriteText(text)
+
     for index, path in enumerate(sorted((
         eventlog_provider.category_message_files))):
       if index == 0:
         text = 'Category message file(s)\t: {0:s}\n'.format(path)
       else:
-        text = '\t\t\t: {0:s}\n'.format(path)
+        text = '\t\t\t\t: {0:s}\n'.format(path)
       self.WriteText(text)
 
     for index, path in enumerate(sorted((
         eventlog_provider.event_message_files))):
       if index == 0:
-        text = 'Event message file(s)\t: {0:s}\n'.format(path)
+        text = 'Event message file(s)\t\t: {0:s}\n'.format(path)
       else:
-        text = '\t\t\t: {0:s}\n'.format(path)
+        text = '\t\t\t\t: {0:s}\n'.format(path)
       self.WriteText(text)
 
     for index, path in enumerate(sorted((
         eventlog_provider.parameter_message_files))):
       if index == 0:
         text = 'Parameter message file(s)\t: {0:s}\n'.format(path)
       else:
-        text = '\t\t\t: {0:s}\n'.format(path)
+        text = '\t\t\t\t: {0:s}\n'.format(path)
       self.WriteText(text)
 
     self.WriteText('\n')

tests/eventlog_providers.py

@@ -51,8 +51,9 @@ def testCollect(self):
 
     eventlog_provider = test_results[0]
     self.assertIsNone(eventlog_provider.identifier)
+    self.assertIsNone(eventlog_provider.name)
     self.assertEqual(eventlog_provider.log_sources, ['.NET Runtime'])
-    self.assertEqual(eventlog_provider.log_type, 'Application')
+    self.assertEqual(eventlog_provider.log_types, ['Application'])
     self.assertEqual(eventlog_provider.category_message_files, set())
     self.assertEqual(
         eventlog_provider.event_message_files,

winregrc/__init__.py

@@ -1,4 +1,4 @@
 # -*- coding: utf-8 -*-
 """Windows Registry resources (winregrc)."""
 
-__version__ = '20220106'
+__version__ = '20220111'