IoWriteErrorLogEntry passes at most 52 characters?

Hi all,

I’d like to verify my understanding.

I’ve implemented writing to event log using IoAllocateErrorLogEntry and
IoWriteErrorLogEntry. I’d like to pass many characters from a driver to the
log at a time. After I’d read DDK and some other docs, I arrived at the
following computation:

    nWchars = ((ERROR_LOG_MAXIMUM_SIZE - sizeof(IO_ERROR_LOG_PACKET)) & ~3)
              / sizeof(WCHAR);
    //< available bytes (ERROR_LOG_MAXIMUM_SIZE - sizeof(IO_ERROR_LOG_PACKET))
    //< rounded down to LONG boundary (& ~3),
    //< converted to WCHARS (/ sizeof(WCHAR))

This gives a total of 52 wide characters (including terminating nulls) that
can be passed as insertion strings. I’d prefer to have a higher limit. Are
my computations correct?

Joze

Joze Fabcic wrote:

I’d like to verify my understanding.

I’ve implemented writing to event log using IoAllocateErrorLogEntry and
IoWriteErrorLogEntry. I’d like to pass many characters from a driver to the
log at a time. After I’d read DDK and some other docs, I arrived at the
following computation:

    nWchars = ((ERROR_LOG_MAXIMUM_SIZE - sizeof(IO_ERROR_LOG_PACKET)) & ~3)
              / sizeof(WCHAR);
    //< available bytes (ERROR_LOG_MAXIMUM_SIZE - sizeof(IO_ERROR_LOG_PACKET))
    //< rounded down to LONG boundary (& ~3),
    //< converted to WCHARS (/ sizeof(WCHAR))

This gives a total of 52 wide characters (including terminating nulls) that
can be passed as insertion strings. I’d prefer to have a higher limit. Are
my computations correct?

That sounds right. ERROR_LOG_MAXIMUM_SIZE is 152 (0x98), which you can
see by disassembling IoAllocateErrorLogEntry in your debugger. 48 of
this is the size of the ERROR_LOG_PACKET, which leaves 104, just as you
calculated.

Don’t forget that the size argument to IoAllocateErrorLogEntry is a
UCHAR. If you simply cast a ULONG to UCHAR to make the compiler happy,
you could easily end up passing the internal size test and overwriting
memory. E.g., ask for 408 bytes, which looks like 152 when truncated to
8 bits. IoAllocateErrorLogEntry is happy to give you that much, and you
proceed to overstore the allocation by some 256 bytes.


Walter Oney, Consulting and Training
Basic and Advanced Driver Programming Seminars
Check out our schedule at http://www.oneysoft.com
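
The truncation described in the reply above, as an added example that is not part of the original thread: a user-mode C model of the size arithmetic, using the 152- and 48-byte figures quoted there. The MODEL_* constants and function names are hypothetical, and the internal size test is modelled as a simple upper bound.

```c
/* Added example: user-mode model of the size arithmetic only.
 * 152 and 48 are the figures quoted in the thread; all names are
 * hypothetical and nothing here calls the real kernel API. */
#include <stddef.h>
#include <stdio.h>

#define MODEL_MAX_ENTRY_SIZE 152u /* ERROR_LOG_MAXIMUM_SIZE per the thread */
#define MODEL_PACKET_SIZE     48u /* packet size per the thread */
#define MODEL_WCHAR_SIZE       2u /* sizeof(WCHAR) */

/* What a bare cast hands to a UCHAR parameter: the low 8 bits only. */
unsigned char naive_entry_size(size_t wanted_bytes)
{
    return (unsigned char)wanted_bytes;
}

/* Bytes written past the allocation when the caller fills wanted_bytes
 * after requesting the truncated size. Returns 0 when the truncated
 * value fails the modelled maximum-size test or nothing was lost. */
size_t overrun_after_cast(size_t wanted_bytes)
{
    unsigned char granted = naive_entry_size(wanted_bytes);
    if (granted > MODEL_MAX_ENTRY_SIZE)
        return 0;                      /* request refused */
    return wanted_bytes - granted;
}

/* Size for one insertion string of nchars wide characters (null not
 * counted): range-check in size_t first, narrow to 8 bits last.
 * Returns 0 and stores the size, or -1 if the string cannot fit. */
int checked_entry_size(size_t nchars, unsigned char *out_size)
{
    size_t max_wchars = (MODEL_MAX_ENTRY_SIZE - MODEL_PACKET_SIZE) / MODEL_WCHAR_SIZE;
    if (nchars >= max_wchars)          /* the null needs a slot too */
        return -1;
    *out_size = (unsigned char)(MODEL_PACKET_SIZE + (nchars + 1) * MODEL_WCHAR_SIZE);
    return 0;
}

int main(void)
{
    unsigned char size = 0;
    int rc = checked_entry_size(51, &size);
    printf("408 cast to 8 bits: %u, overrun %zu bytes\n",
           (unsigned)naive_entry_size(408), overrun_after_cast(408));
    printf("51 chars: rc=%d size=%u; 52 chars: rc=%d\n",
           rc, (unsigned)size, checked_entry_size(52, &size));
    return 0;
}
```

The point of the checked version is ordering: the comparison against the maximum happens while the value is still in a wide type, so the cast to 8 bits can no longer change the outcome of the test.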

Hi Joze,

Long back I did the same research (in NT 4.0).
FYI, I pasted my query below.
HTH…


Hi !

I’m logging events from my Kernel Mode Device Driver; for
that, I used the IoAllocateErrorLogEntry() and
IoWriteErrorLogEntry() functions…

I’m not using any DumpInfo, but I am using “Insertion String
1”…

Practically, I can’t log more than 40 WIDE characters in
the Insertion String Field…

But my theoretical calculation says that we can log even
more…

Can you tell me what is wrong in this?

Please find below the function I used…

Earlier, for the symbolic constant EVENTLOG_MSG_ARR_SIZE,
I assigned a value of 50… that wasn’t working…

/**********************************************************
 *
 * Function   : SstReportEvent
 *
 * Description: Uses the input parameters to send a
 *              message to the Event Log found in the
 *              Administrative Tools Section of Windows NT.
 *
 **********************************************************/

LONG
SstReportEvent(
    IN PVOID    pIoObject,
    IN NTSTATUS MsgCode,
    IN CHAR     *p_c_ArgString
    )
{
    PIO_ERROR_LOG_PACKET pPacket;
    UCHAR                uc_Size;
    WCHAR                arr_wd_EventLogMsg[EVENTLOG_MSG_ARR_SIZE];

    /* this EVENTLOG_MSG_ARR_SIZE equals 41 */

    if (pIoObject == NULL || p_c_ArgString == NULL)
        return -1;

    if (strlen(p_c_ArgString) <= 0 ||
        strlen(p_c_ArgString) >= EVENTLOG_MSG_ARR_SIZE)
        return -2;

    swprintf(arr_wd_EventLogMsg, L"%S", p_c_ArgString);

    uc_Size = sizeof(IO_ERROR_LOG_PACKET) +
              ((wcslen(arr_wd_EventLogMsg) + 1) * sizeof(WCHAR));

    if (uc_Size >= ERROR_LOG_MAXIMUM_SIZE)
        return -3;

    // Try to allocate the packet
    pPacket = IoAllocateErrorLogEntry(pIoObject, uc_Size);

    if (pPacket == NULL)
        return -4;

    // Fill in standard parts of the packet
    pPacket->MajorFunctionCode = 0;
    pPacket->RetryCount = 0;
    pPacket->DumpDataSize = 0;

    pPacket->EventCategory = 0;
    pPacket->ErrorCode = MsgCode;
    pPacket->UniqueErrorValue = 0;
    pPacket->FinalStatus = STATUS_SUCCESS;
    pPacket->SequenceNumber = 0;
    pPacket->IoControlCode = 0;
    pPacket->DeviceOffset.QuadPart = 0;

    pPacket->NumberOfStrings = 1;
    pPacket->StringOffset = FIELD_OFFSET(IO_ERROR_LOG_PACKET, DumpData);

    RtlCopyMemory(
        (PWSTR)(&pPacket->DumpData[0]),
        arr_wd_EventLogMsg,
        uc_Size - sizeof(IO_ERROR_LOG_PACKET)
        );

    // Log the message
    IoWriteErrorLogEntry(pPacket);

    return 0;

} // Closing : "SstReportEvent(...)"

Thanks,
Sathya

===================================
Knowledge, Skill and desire will lead to SUCCESS.

-----Original Message-----
From: Joze Fabcic [mailto:xxxxx@hermes.si]
Sent: Monday, June 09, 2003 5:27 PM
Subject: IoWriteErrorLogEntry passes at most 52 characters?
