RubyGems - win32-eventlog - Versions diffs - 0.5.3 → 0.6.0 - Mend

win32-eventlog 0.5.3 → 0.6.0

Files changed (22) hide show

checksums.yaml +7 -0
data/CHANGES +234 -226
data/MANIFEST +19 -16
data/README +78 -68
data/Rakefile +6 -1
data/doc/tutorial.txt +136 -136
data/examples/example_notify.rb +23 -23
data/examples/example_read.rb +83 -83
data/examples/example_write.rb +64 -64
data/lib/win32/eventlog.rb +1146 -1157
data/lib/win32/mc.rb +120 -118
data/lib/win32/windows/constants.rb +56 -0
data/lib/win32/windows/functions.rb +51 -0
data/lib/win32/windows/helper.rb +13 -0
data/lib/win32/windows/structs.rb +30 -0
data/misc/install_msg.rb +46 -46
data/misc/rubymsg.mc +35 -35
data/test/foo.mc +24 -24
data/test/test_eventlog.rb +310 -319
data/test/test_mc.rb +64 -67
data/win32-eventlog.gemspec +30 -29
metadata +90 -90

data/examples/example_notify.rb CHANGED Viewed

@@ -1,24 +1,24 @@
-############################################################################
-# example_notify.rb (win32-eventlog)
-#
-# A sample script for demonstrating the tail method.  Start this in its own
-# terminal.  Then, in another terminal, write an entry to the event log
-# (or force an entry via some other means) and watch the output.
-#
-# You can run this code via the 'example_notify' rake task.
-############################################################################
-Thread.new { loop { sleep 0.01 } } # Allow Ctrl-C
-require 'win32/eventlog'
-include Win32
-log = EventLog.open
-# replace 'tail' with 'notify_change' to see the difference
-log.tail{ |struct|
-   puts "Got something"
-   p struct
-   puts
-}
+############################################################################
+# example_notify.rb (win32-eventlog)
+#
+# A sample script for demonstrating the tail method.  Start this in its own
+# terminal.  Then, in another terminal, write an entry to the event log
+# (or force an entry via some other means) and watch the output.
+#
+# You can run this code via the 'example_notify' rake task.
+############################################################################
+Thread.new { loop { sleep 0.01 } } # Allow Ctrl-C
+require 'win32/eventlog'
+include Win32
+log = EventLog.open
+# replace 'tail' with 'notify_change' to see the difference
+log.tail{ |struct|
+   puts "Got something"
+   p struct
+   puts
+}
 log.close

data/examples/example_read.rb CHANGED Viewed

@@ -1,84 +1,84 @@
-############################################################################
-# example_read.rb (win32-eventlog)
-#
-# Test script for general futzing.  This will attempt to read and backup
-# your Event Log. You can run this example via the 'rake example_read'
-# task.
-#
-# Modify as you see fit.
-############################################################################
-require 'win32/eventlog'
-include Win32
-puts "VERSION: " + EventLog::VERSION
-sleep 1
-# A few different ways to read an event log
-el = EventLog.new("Application")
-el.read{ |log|
-   p log
-}
-el.close
-EventLog.read("Application"){ |log|
-   p log
-   puts
-}
-EventLog.open("Application") do |log|
-   log.read{ |struct|
-      p struct
-      puts
-   }
-end
-backup_file = "C:\\event_backup1"
-File.delete(backup_file) if File.exists?(backup_file)
-e1 = EventLog.open("System")
-puts "System log opened"
-e2 = EventLog.open("Application")
-puts "Application log opened"
-e3 = EventLog.open("Security")
-puts "Security log opened"
-puts "=" * 40
-puts "Total system records: " + e1.total_records.to_s
-puts "Total application records: " + e2.total_records.to_s
-puts "Total security records: " + e3.total_records.to_s
-puts "=" * 40
-puts "Oldest system record number: " + e1.oldest_record_number.to_s
-puts "Oldest application record number: " + e2.oldest_record_number.to_s
-puts "Oldest security record number: " + e3.oldest_record_number.to_s
-puts "=" * 40
-e2.backup(backup_file)
-puts "Application log backed up to #{backup_file}"
-puts "=" * 40
-e1.close
-puts "System log closed"
-e2.close
-puts "Application log closed"
-e3.close
-puts "Security log closed"
-e4 = EventLog.open_backup(backup_file)
-e4.read{ |elr|
-   p elr
-   puts
-}
-puts "Finished reading backup file"
-e4.close
+############################################################################
+# example_read.rb (win32-eventlog)
+#
+# Test script for general futzing.  This will attempt to read and backup
+# your Event Log. You can run this example via the 'rake example_read'
+# task.
+#
+# Modify as you see fit.
+############################################################################
+require 'win32/eventlog'
+include Win32
+puts "VERSION: " + EventLog::VERSION
+sleep 1
+# A few different ways to read an event log
+el = EventLog.new("Application")
+el.read{ |log|
+   p log
+}
+el.close
+EventLog.read("Application"){ |log|
+   p log
+   puts
+}
+EventLog.open("Application") do |log|
+   log.read{ |struct|
+      p struct
+      puts
+   }
+end
+backup_file = "C:\\event_backup1"
+File.delete(backup_file) if File.exists?(backup_file)
+e1 = EventLog.open("System")
+puts "System log opened"
+e2 = EventLog.open("Application")
+puts "Application log opened"
+e3 = EventLog.open("Security")
+puts "Security log opened"
+puts "=" * 40
+puts "Total system records: " + e1.total_records.to_s
+puts "Total application records: " + e2.total_records.to_s
+puts "Total security records: " + e3.total_records.to_s
+puts "=" * 40
+puts "Oldest system record number: " + e1.oldest_record_number.to_s
+puts "Oldest application record number: " + e2.oldest_record_number.to_s
+puts "Oldest security record number: " + e3.oldest_record_number.to_s
+puts "=" * 40
+e2.backup(backup_file)
+puts "Application log backed up to #{backup_file}"
+puts "=" * 40
+e1.close
+puts "System log closed"
+e2.close
+puts "Application log closed"
+e3.close
+puts "Security log closed"
+e4 = EventLog.open_backup(backup_file)
+e4.read{ |elr|
+   p elr
+   puts
+}
+puts "Finished reading backup file"
+e4.close
 File.delete(backup_file)

data/examples/example_write.rb CHANGED Viewed

@@ -1,65 +1,65 @@
-##############################################################################
-# example_write.rb
-#
-# Tests both the creation of an Event Log source and writing to the Event
-# Log. You can run this via the 'rake example_write' task.
-#
-# Modify as you see fit.
-##############################################################################
-# Prompt user to continue, or not...
-msg = <<TEXT
-	This script will create an event source 'foo' in your registry and
-	write an event to the 'Application' source.
-	Is that ok [y/N]?
-TEXT
-print msg
-ans = STDIN.gets.chomp
-unless ans == "y" || ans == "Y"
-	puts "Ok, exiting..."
-   	exit!
-end
-require "win32/eventlog"
-require "win32/mc"
-include Win32
-puts "EventLog VERSION: " + EventLog::VERSION
-puts "MC VERSION: " + MC::VERSION
-sleep 1
-m = MC.new("foo.mc")
-m.create_all
-puts ".dll created"
-sleep 1
-dll_file = File.expand_path(m.dll_file)
-EventLog.add_event_source(
-   'source'                => "Application",
-   'key_name'              => "foo",
-   'category_count'        => 2,
-   'event_message_file'    => dll_file,
-   'category_message_file' => dll_file
-)
-puts "Event source added to registry"
-sleep 1
-e1 = EventLog.open("Application")
-e1.report_event(
-   :source      => "foo",
-   :event_type  => EventLog::WARN,
-   :category    => "0x00000002L".hex,
-   :event_id    => "0xC0000003L".hex,
-   :data        => "Danger Will Robinson!"
-)
-puts "Event written to event log"
-e1.close
+##############################################################################
+# example_write.rb
+#
+# Tests both the creation of an Event Log source and writing to the Event
+# Log. You can run this via the 'rake example_write' task.
+#
+# Modify as you see fit.
+##############################################################################
+# Prompt user to continue, or not...
+msg = <<TEXT
+	This script will create an event source 'foo' in your registry and
+	write an event to the 'Application' source.
+	Is that ok [y/N]?
+TEXT
+print msg
+ans = STDIN.gets.chomp
+unless ans == "y" || ans == "Y"
+	puts "Ok, exiting..."
+   	exit!
+end
+require "win32/eventlog"
+require "win32/mc"
+include Win32
+puts "EventLog VERSION: " + EventLog::VERSION
+puts "MC VERSION: " + MC::VERSION
+sleep 1
+m = MC.new("foo.mc")
+m.create_all
+puts ".dll created"
+sleep 1
+dll_file = File.expand_path(m.dll_file)
+EventLog.add_event_source(
+   'source'                => "Application",
+   'key_name'              => "foo",
+   'category_count'        => 2,
+   'event_message_file'    => dll_file,
+   'category_message_file' => dll_file
+)
+puts "Event source added to registry"
+sleep 1
+e1 = EventLog.open("Application")
+e1.report_event(
+   :source      => "foo",
+   :event_type  => EventLog::WARN,
+   :category    => "0x00000002L".hex,
+   :event_id    => "0xC0000003L".hex,
+   :data        => "Danger Will Robinson!"
+)
+puts "Event written to event log"
+e1.close
 puts "Finished.  Exiting..."

data/lib/win32/eventlog.rb CHANGED Viewed

@@ -1,1157 +1,1146 @@
-require 'windows/error'
-require 'windows/eventlog'
-require 'windows/security'
-require 'windows/registry'
-require 'windows/system_info'
-require 'windows/library'
-require 'windows/synchronize'
-require 'windows/handle'
-class String
-  # Return the portion of the string up to the first NULL character.  This
-  # was added for both speed and convenience.
-  def nstrip
-    if RUBY_VERSION.to_f >= 1.9
-      unless self.ascii_only?
-        self.force_encoding('BINARY')
-      end
-    end
-    self[ /^[^\0]*/ ]
-  end
-end
-# The Win32 module serves as a namespace only.
-module Win32
-   # The EventLog class encapsulates an Event Log source and provides methods
-   # for interacting with that source.
-   class EventLog
-      # The EventLog::Error is raised in cases where interaction with the
-      # event log should happen to fail for any reason.
-      class Error < StandardError; end
-      include Windows::Error
-      include Windows::EventLog
-      include Windows::Security
-      include Windows::Registry
-      include Windows::SystemInfo
-      include Windows::Library
-      include Windows::Synchronize
-      include Windows::Handle
-      extend Windows::Error
-      extend Windows::Registry
-      # The version of the win32-eventlog library
-      VERSION = '0.5.3'
-      # The log is read in chronological order, i.e. oldest to newest.
-      FORWARDS_READ = EVENTLOG_FORWARDS_READ
-      # The log is read in reverse chronological order, i.e. newest to oldest.
-      BACKWARDS_READ = EVENTLOG_BACKWARDS_READ
-      # Begin reading from a specific record.
-      SEEK_READ = EVENTLOG_SEEK_READ
-      # Read the records sequentially. If this is the first read operation, the
-      # EVENTLOG_FORWARDS_READ or EVENTLOG_BACKWARDS_READ flags determines
-      # which record is read first.
-      SEQUENTIAL_READ = EVENTLOG_SEQUENTIAL_READ
-      # Event types
-      # Information event, an event that describes the successful operation
-      # of an application, driver or service.
-      SUCCESS = EVENTLOG_SUCCESS
-      # Error event, an event that indicates a significant problem such as
-      # loss of data or functionality.
-      ERROR = EVENTLOG_ERROR_TYPE
-      # Warning event, an event that is not necessarily significant but may
-      # indicate a possible future problem.
-      WARN = EVENTLOG_WARNING_TYPE
-      # Information event, an event that describes the successful operation
-      # of an application, driver or service.
-      INFO = EVENTLOG_INFORMATION_TYPE
-      # Success audit event, an event that records an audited security attempt
-      # that is successful.
-      AUDIT_SUCCESS = EVENTLOG_AUDIT_SUCCESS
-      # Failure audit event, an event that records an audited security attempt
-      # that fails.
-      AUDIT_FAILURE = EVENTLOG_AUDIT_FAILURE
-      private
-      # :stopdoc:
-      BUFFER_SIZE = 1024 * 64
-      MAX_SIZE    = 256
-      MAX_STRINGS = 16
-      BASE_KEY    = "SYSTEM\\CurrentControlSet\\Services\\EventLog\\"
-      # :startdoc:
-      public
-      # The EventLogStruct encapsulates a single event log record.
-      EventLogStruct = Struct.new('EventLogStruct', :record_number,
-         :time_generated, :time_written, :event_id, :event_type, :category,
-         :source, :computer, :user, :string_inserts, :description
-      )
-      # The name of the event log source.  This will typically be
-      # 'Application', 'System' or 'Security', but could also refer to
-      # a custom event log source.
-      #
-      attr_reader :source
-      # The name of the server which the event log is reading from.
-      #
-      attr_reader :server
-      # The name of the file used in the EventLog.open_backup method.  This is
-      # set to nil if the file was not opened using the EventLog.open_backup
-      # method.
-      #
-      attr_reader :file
-      # Opens a handle to the new EventLog +source+ on +server+, or the local
-      # machine if no host is specified.  Typically, your source will be
-      # 'Application, 'Security' or 'System', although you can specify a
-      # custom log file as well.
-      #
-      # If a custom, registered log file name cannot be found, the event
-      # logging service opens the 'Application' log file.  This is the
-      # behavior of the underlying Windows function, not my own doing.
-      #
-      def initialize(source = 'Application', server = nil, file = nil)
-         @source = source || 'Application' # In case of explicit nil
-         @server = server
-         @file   = file
-         # Avoid potential segfaults from win32-api
-         raise TypeError unless @source.is_a?(String)
-         raise TypeError unless @server.is_a?(String) if @server
-         function = 'OpenEventLog()'
-         if @file.nil?
-            @handle = OpenEventLog(@server, @source)
-         else
-            @handle = OpenBackupEventLog(@server, @file)
-            function = 'OpenBackupEventLog()'
-         end
-         if @handle == 0
-            error = "#{function} failed: " + get_last_error
-            raise Error, error
-         end
-         # Ensure the handle is closed at the end of a block
-         if block_given?
-            begin
-               yield self
-            ensure
-               close
-            end
-         end
-      end
-      # Class method aliases
-      class << self
-         alias :open :new
-      end
-      # Nearly identical to EventLog.open, except that the source is a backup
-      # file and not an event source (and there is no default).
-      #
-      def self.open_backup(file, source = 'Application', server = nil, &block)
-         @file   = file
-         @source = source
-         @server = server
-         # Avoid potential segfaults from win32-api
-         raise TypeError unless @file.is_a?(String)
-         raise TypeError unless @source.is_a?(String)
-         raise TypeError unless @server.is_a?(String) if @server
-         self.new(source, server, file, &block)
-      end
-      # Adds an event source to the registry. Returns the disposition, which
-      # is either REG_CREATED_NEW_KEY (1) or REG_OPENED_EXISTING_KEY (2).
-      #
-      # The following are valid keys:
-      #
-      # * source                 # Source name.  Set to "Application" by default
-      # * key_name               # Name stored as the registry key
-      # * category_count         # Number of supported (custom) categories
-      # * event_message_file     # File (dll) that defines events
-      # * category_message_file  # File (dll) that defines categories
-      # * parameter_message_file # File (dll) that contains values for
-      #   variables in the event description.
-      # * supported_types        # See the 'event types' constants
-      #
-      # Of these keys, only +key_name+ is mandatory.  An ArgumentError is
-      # raised if you attempt to use an invalid key.  If +supported_types+
-      # is not specified then the following value is used:
-      #
-      # EventLog::ERROR | EventLog::WARN | EventLog::INFO
-      #
-      # The +event_message_file+ and +category_message_file+ are typically,
-      # though not necessarily, the same file.  See the documentation on .mc files
-      # for more details.
-      #
-      def self.add_event_source(args)
-         raise TypeError unless args.is_a?(Hash)
-         valid_keys = %w/
-            source
-            key_name
-            category_count
-            event_message_file
-            category_message_file
-            parameter_message_file
-            supported_types
-         /
-         key_base = "SYSTEM\\CurrentControlSet\\Services\\EventLog\\"
-         # Default values
-         hash = {
-            'source'          => 'Application',
-            'supported_types' => ERROR | WARN | INFO
-         }
-         # Validate the keys, and convert symbols and case to lowercase strings.
-         args.each{ |key, val|
-            key = key.to_s.downcase
-            unless valid_keys.include?(key)
-               raise ArgumentError, "invalid key '#{key}'"
-            end
-            hash[key] = val
-         }
-         # The key_name must be specified
-         unless hash['key_name']
-            raise Error, 'no event_type specified'
-         end
-         hkey = [0].pack('L')
-         key  = key_base + hash['source']
-         disposition = [0].pack('L')
-         rv = RegCreateKeyEx(
-            HKEY_LOCAL_MACHINE,
-            key,
-            0,
-            nil,
-            REG_OPTION_NON_VOLATILE,
-            KEY_WRITE,
-            nil,
-            hkey,
-            disposition
-         )
-         if rv != ERROR_SUCCESS
-            error = 'RegCreateKeyEx() failed: ' + get_last_error
-            raise Error, error
-         end
-         hkey = hkey.unpack('L')[0]
-         data = "%SystemRoot%\\System32\\config\\#{hash['source']}.evt"
-         begin
-            rv = RegSetValueEx(
-               hkey,
-               'File',
-               0,
-               REG_EXPAND_SZ,
-               data,
-               data.size
-            )
-            if rv != ERROR_SUCCESS
-               error = 'RegSetValueEx() failed: ', get_last_error
-               raise Error, error
-            end
-         ensure
-            RegCloseKey(hkey)
-         end
-         hkey = [0].pack('L')
-         key  = key_base << hash['source'] << "\\" << hash['key_name']
-         disposition = [0].pack('L')
-         begin
-            rv = RegCreateKeyEx(
-               HKEY_LOCAL_MACHINE,
-               key,
-               0,
-               nil,
-               REG_OPTION_NON_VOLATILE,
-               KEY_WRITE,
-               nil,
-               hkey,
-               disposition
-            )
-            if rv != ERROR_SUCCESS
-               raise Error, 'RegCreateKeyEx() failed: ' + get_last_error
-            end
-            hkey = hkey.unpack('L')[0]
-            if hash['category_count']
-               data = [hash['category_count']].pack('L')
-               rv = RegSetValueEx(
-                  hkey,
-                  'CategoryCount',
-                  0,
-                  REG_DWORD,
-                  data,
-                  data.size
-               )
-               if rv != ERROR_SUCCESS
-                  error = 'RegSetValueEx() failed: ' + get_last_error
-                  raise Error, error
-               end
-            end
-            if hash['category_message_file']
-               data = File.expand_path(hash['category_message_file'])
-               rv = RegSetValueEx(
-                  hkey,
-                  'CategoryMessageFile',
-                  0,
-                  REG_EXPAND_SZ,
-                  data,
-                  data.size
-               )
-               if rv != ERROR_SUCCESS
-                  error = 'RegSetValueEx() failed: ' + get_last_error
-                  raise Error, error
-               end
-            end
-            if hash['event_message_file']
-               data = File.expand_path(hash['event_message_file'])
-               rv = RegSetValueEx(
-                  hkey,
-                  'EventMessageFile',
-                  0,
-                  REG_EXPAND_SZ,
-                  data,
-                  data.size
-               )
-               if rv != ERROR_SUCCESS
-                  error = 'RegSetValueEx() failed: ' + get_last_error
-                  raise Error, error
-               end
-            end
-            if hash['parameter_message_file']
-               data = File.expand_path(hash['parameter_message_file'])
-               rv = RegSetValueEx(
-                  hkey,
-                  'ParameterMessageFile',
-                  0,
-                  REG_EXPAND_SZ,
-                  data,
-                  data.size
-               )
-               if rv != ERROR_SUCCESS
-                  error = 'RegSetValueEx() failed: ' + get_last_error
-                  raise Error, error
-               end
-            end
-            data = [hash['supported_types']].pack('L')
-            rv = RegSetValueEx(
-               hkey,
-               'TypesSupported',
-               0,
-               REG_DWORD,
-               data,
-               data.size
-            )
-            if rv != ERROR_SUCCESS
-               error = 'RegSetValueEx() failed: ' + get_last_error
-               raise Error, error
-            end
-         ensure
-            RegCloseKey(hkey)
-         end
-         disposition.unpack('L')[0]
-      end
-      # Backs up the event log to +file+.  Note that you cannot backup to
-      # a file that already exists or a Error will be raised.
-      #
-      def backup(file)
-         raise TypeError unless file.is_a?(String)
-         unless BackupEventLog(@handle, file)
-            error = 'BackupEventLog() failed: ' + get_last_error
-            raise Error, error
-         end
-         self
-      end
-      # Clears the EventLog.  If +backup_file+ is provided, it backs up the
-      # event log to that file first.
-      #
-      def clear(backup_file = nil)
-         raise TypeError unless backup_file.is_a?(String) if backup_file
-         backup_file = 0 unless backup_file
-         unless ClearEventLog(@handle, backup_file)
-            error = 'ClearEventLog() failed: ' + get_last_error
-            raise Error
-         end
-         self
-      end
-      # Closes the EventLog handle. The handle is automatically closed for you
-      # if you use the block form of EventLog.new.
-      #
-      def close
-         CloseEventLog(@handle)
-      end
-      # Indicates whether or not the event log is full.
-      #
-      def full?
-         buf    = [0].pack('L') # dwFull
-         needed = [0].pack('L')
-         unless GetEventLogInformation(@handle, 0, buf, buf.size, needed)
-            raise Error, 'GetEventLogInformation() failed: ' + get_last_error
-         end
-         buf[0,4].unpack('L')[0] != 0
-      end
-      # Returns the absolute record number of the oldest record.  Note that
-      # this is not guaranteed to be 1 because event log records can be
-      # overwritten.
-      #
-      def oldest_record_number
-         rec = [0].pack('L')
-         unless GetOldestEventLogRecord(@handle, rec)
-            error = 'GetOldestEventLogRecord() failed: ' + get_last_error
-            raise Error, error
-         end
-         rec.unpack('L')[0]
-      end
-      # Returns the total number of records for the given event log.
-      #
-      def total_records
-         total = [0].pack('L')
-         unless GetNumberOfEventLogRecords(@handle, total)
-            error = 'GetNumberOfEventLogRecords() failed: ' + get_last_error
-            raise Error, error
-         end
-         total.unpack('L')[0]
-      end
-      # Yields an EventLogStruct every time a record is written to the event
-      # log. Unlike EventLog#tail, this method breaks out of the block after
-      # the event.
-      #
-      # Raises an Error if no block is provided.
-      #
-      def notify_change(&block)
-         unless block_given?
-            raise Error, 'block missing for notify_change()'
-         end
-         # Reopen the handle because the NotifyChangeEventLog() function will
-         # choke after five or six reads otherwise.
-         @handle = OpenEventLog(@server, @source)
-         if @handle == 0
-            error = 'OpenEventLog() failed: ' + get_last_error
-            raise Error, error
-         end
-         event = CreateEvent(0, 0, 0, 0)
-         unless NotifyChangeEventLog(@handle, event)
-            error = 'NotifyChangeEventLog() failed: ' + get_last_error
-            raise Error, error
-         end
-         wait_result = WaitForSingleObject(event, INFINITE)
-         begin
-            if wait_result == WAIT_FAILED
-               error = 'WaitForSingleObject() failed: ' + get_last_error
-               raise Error, error
-            else
-               last = read_last_event
-               block.call(last)
-            end
-         ensure
-            CloseHandle(event)
-         end
-         self
-      end
-      # Yields an EventLogStruct every time a record is written to the event
-      # log, once every +frequency+ seconds. Unlike EventLog#notify_change,
-      # this method does not break out of the block after the event.  The read
-      # +frequency+ is set to 5 seconds by default.
-      #
-      # Raises an Error if no block is provided.
-      #
-      # The delay between reads is due to the nature of the Windows event log.
-      # It is not really designed to be tailed in the manner of a Unix syslog,
-      # for example, in that not nearly as many events are typically recorded.
-      # It's just not designed to be polled that heavily.
-      #
-      def tail(frequency = 5)
-         unless block_given?
-            raise Error, 'block missing for tail()'
-         end
-         old_total = total_records()
-         flags     = FORWARDS_READ | SEEK_READ
-         rec_num   = read_last_event.record_number
-         while true
-            new_total = total_records()
-            if new_total != old_total
-               rec_num = oldest_record_number() if full?
-               read(flags, rec_num).each{ |log| yield log }
-               old_total = new_total
-               rec_num   = read_last_event.record_number + 1
-            end
-            sleep frequency
-         end
-      end
-      # Iterates over each record in the event log, yielding a EventLogStruct
-      # for each record.  The offset value is only used when used in
-      # conjunction with the EventLog::SEEK_READ flag.  Otherwise, it is
-      # ignored.  If no flags are specified, then the default flags are:
-      #
-      # EventLog::SEQUENTIAL_READ | EventLog::FORWARDS_READ
-      #
-      # Note that, if you're performing a SEEK_READ, then the offset must
-      # refer to a record number that actually exists.  The default of 0
-      # may or may not work for your particular event log.
-      #
-      # The EventLogStruct struct contains the following members:
-      #
-      # * record_number  # Fixnum
-      # * time_generated # Time
-      # * time_written   # Time
-      # * event_id       # Fixnum
-      # * event_type     # String
-      # * category       # String
-      # * source         # String
-      # * computer       # String
-      # * user           # String or nil
-      # * description    # String or nil
-      # * string_inserts # An array of Strings or nil
-      #
-      # If no block is given the method returns an array of EventLogStruct's.
-      #
-      def read(flags = nil, offset = 0)
-         buf    = 0.chr * BUFFER_SIZE # 64k buffer
-         read   = [0].pack('L')
-         needed = [0].pack('L')
-         array  = []
-         lkey   = HKEY_LOCAL_MACHINE
-         unless flags
-            flags = FORWARDS_READ | SEQUENTIAL_READ
-         end
-         if @server
-            hkey = [0].pack('L')
-            if RegConnectRegistry(@server, HKEY_LOCAL_MACHINE, hkey) != 0
-               raise Error, get_last_error
-            end
-            lkey = hkey.unpack('L').first
-         end
-         while ReadEventLog(@handle, flags, offset, buf, buf.size, read, needed) ||
-            GetLastError() == ERROR_INSUFFICIENT_BUFFER
-            if GetLastError() == ERROR_INSUFFICIENT_BUFFER
-               buf = (0.chr * buf.size) + (0.chr * needed.unpack('L')[0])
-               unless ReadEventLog(@handle, flags, offset, buf, buf.size, read, needed)
-                  raise Error, get_last_error
-               end
-            end
-            dwread = read.unpack('L')[0]
-            while dwread > 0
-               struct       = EventLogStruct.new
-               event_source = buf[56..-1].nstrip
-               computer     = buf[56 + event_source.length + 1..-1].nstrip
-               user = get_user(buf)
-               strings, desc = get_description(buf, event_source, lkey)
-               struct.source         = event_source
-               struct.computer       = computer
-               struct.record_number  = buf[8,4].unpack('L')[0]
-               struct.time_generated = Time.at(buf[12,4].unpack('L')[0])
-               struct.time_written   = Time.at(buf[16,4].unpack('L')[0])
-               struct.event_id       = buf[20,4].unpack('L')[0] & 0x0000FFFF
-               struct.event_type     = get_event_type(buf[24,2].unpack('S')[0])
-               struct.user           = user
-               struct.category       = buf[28,2].unpack('S')[0]
-               struct.string_inserts = strings
-               struct.description 	 = desc
-               struct.freeze # This is read-only information
-               if block_given?
-                  yield struct
-               else
-                  array.push(struct)
-               end
-               if flags & EVENTLOG_BACKWARDS_READ > 0
-                  offset = buf[8,4].unpack('L')[0] - 1
-               else
-                  offset = buf[8,4].unpack('L')[0] + 1
-               end
-               length = buf[0,4].unpack('L')[0] # Length
-               dwread -= length
-               buf = buf[length..-1]
-            end
-            buf = 0.chr * BUFFER_SIZE
-            read = [0].pack('L')
-         end
-         block_given? ? nil : array
-      end
-      # This class method is nearly identical to the EventLog#read instance
-      # method, except that it takes a +source+ and +server+ as the first two
-      # arguments.
-      #
-      def self.read(source='Application', server=nil, flags=nil, offset=0)
-         self.new(source, server){ |log|
-            if block_given?
-               log.read(flags, offset){ |els| yield els }
-            else
-               return log.read(flags, offset)
-            end
-         }
-      end
-      # Writes an event to the event log.  The following are valid keys:
-      #
-      # * source     # Event log source name. Defaults to "Application"
-      # * event_id   # Event ID (defined in event message file)
-      # * category   # Event category (defined in category message file)
-      # * data       # String that is written to the log
-      # * event_type # Type of event, e.g. EventLog::ERROR, etc.
-      #
-      # The +event_type+ keyword is the only mandatory keyword. The others are
-      # optional. Although the +source+ defaults to "Application", I
-      # recommend that you create an application specific event source and use
-      # that instead. See the 'EventLog.add_event_source' method for more
-      # details.
-      #
-      # The +event_id+ and +category+ values are defined in the message
-      # file(s) that you created for your application. See the tutorial.txt
-      # file for more details on how to create a message file.
-      #
-      # An ArgumentError is raised if you attempt to use an invalid key.
-      #
-      def report_event(args)
-         raise TypeError unless args.is_a?(Hash)
-         valid_keys  = %w/source event_id category data event_type/
-         num_strings = 0
-         # Default values
-         hash = {
-            'source'   => @source,
-            'event_id' => 0,
-            'category' => 0,
-            'data'     => 0
-         }
-         # Validate the keys, and convert symbols and case to lowercase strings.
-         args.each{ |key, val|
-            key = key.to_s.downcase
-            unless valid_keys.include?(key)
-               raise ArgumentError, "invalid key '#{key}'"
-            end
-            hash[key] = val
-         }
-         # The event_type must be specified
-         unless hash['event_type']
-            raise Error, 'no event_type specified'
-         end
-         handle = RegisterEventSource(@server, hash['source'])
-         if handle == 0
-            error = 'RegisterEventSource() failed: ' + get_last_error
-            raise Error, error
-         end
-         if hash['data'].is_a?(String)
-            data = hash['data'] << 0.chr
-            data = [data].pack('p*')
-            num_strings = 1
-         else
-            data = 0
-            num_strings = 0
-         end
-         bool = ReportEvent(
-            handle,
-            hash['event_type'],
-            hash['category'],
-            hash['event_id'],
-            0,
-            num_strings,
-            0,
-            data,
-            0
-         )
-         unless bool
-            error = 'ReportEvent() failed: ' + get_last_error
-            raise Error, error
-         end
-         self
-      end
-      alias :write :report_event
-      private
-      # A private method that reads the last event log record.
-      #
-      def read_last_event(handle=@handle, source=@source, server=@server)
-         buf    = 0.chr * BUFFER_SIZE # 64k buffer
-         read   = [0].pack('L')
-         needed = [0].pack('L')
-         lkey   = HKEY_LOCAL_MACHINE
-         flags = EVENTLOG_BACKWARDS_READ | EVENTLOG_SEQUENTIAL_READ
-         unless ReadEventLog(@handle, flags, 0, buf, buf.size, read, needed)
-            error = GetLastError()
-            if error == ERROR_INSUFFICIENT_BUFFER
-               buf = (0.chr * buf.size) + (0.chr * needed.unpack('L')[0])
-               unless ReadEventLog(@handle, flags, 0, buf, buf.size, read, needed)
-                  raise Error, get_last_error
-               end
-            else
-               raise Error, get_last_error(error)
-            end
-         end
-         if @server
-            hkey = [0].pack('L')
-            if RegConnectRegistry(@server, HKEY_LOCAL_MACHINE, hkey) != 0
-               raise Error, get_last_error
-            end
-            lkey = hkey.unpack('L').first
-         end
-         event_source  = buf[56..-1].nstrip
-         computer      = buf[56 + event_source.length + 1..-1].nstrip
-         event_type    = get_event_type(buf[24,2].unpack('S')[0])
-         user          = get_user(buf)
-         strings, desc = get_description(buf, event_source, lkey)
-         struct = EventLogStruct.new
-         struct.source         = event_source
-         struct.computer       = computer
-         struct.record_number  = buf[8,4].unpack('L')[0]
-         struct.time_generated = Time.at(buf[12,4].unpack('L')[0])
-         struct.time_written   = Time.at(buf[16,4].unpack('L')[0])
-         struct.event_id       = buf[20,4].unpack('L')[0] & 0x0000FFFF
-         struct.event_type     = event_type
-         struct.user           = user
-         struct.category       = buf[28,2].unpack('S')[0]
-         struct.string_inserts = strings
-         struct.description 	 = desc
-         struct.freeze # This is read-only information
-         struct
-      end
-      # Private method that retrieves the user name based on data in the
-      # EVENTLOGRECORD buffer.
-      #
-      def get_user(buf)
-         return nil if buf[40,4].unpack('L')[0] <= 0 # UserSidLength
-         name        = 0.chr * MAX_SIZE
-         name_size   = [name.size].pack('L')
-         domain      = 0.chr * MAX_SIZE
-         domain_size = [domain.size].pack('L')
-         snu         = 0.chr * 4
-         offset = buf[44,4].unpack('L')[0] # UserSidOffset
-         val = LookupAccountSid(
-            @server,
-            [buf].pack('P').unpack('L')[0] + offset,
-            name,
-            name_size,
-            domain,
-            domain_size,
-            snu
-         )
-         # Return nil if the lookup failed
-         return val ? name.nstrip : nil
-      end
-      # Private method that converts a numeric event type into a human
-      # readable string.
-      #
-      def get_event_type(event)
-         case event
-            when EVENTLOG_ERROR_TYPE
-               'error'
-            when EVENTLOG_WARNING_TYPE
-               'warning'
-            when EVENTLOG_INFORMATION_TYPE, EVENTLOG_SUCCESS
-               'information'
-            when EVENTLOG_AUDIT_SUCCESS
-               'audit_success'
-            when EVENTLOG_AUDIT_FAILURE
-               'audit_failure'
-            else
-               nil
-         end
-      end
-      # Private method that gets the string inserts (Array) and the full
-      # event description (String) based on data from the EVENTLOGRECORD
-      # buffer.
-      #
-      def get_description(rec, event_source, lkey)
-         str     = rec[rec[36,4].unpack('L')[0] .. -1]
-         num     = rec[26,2].unpack('S')[0] # NumStrings
-         hkey    = [0].pack('L')
-         key     = BASE_KEY + "#{@source}\\#{event_source}"
-         buf     = 0.chr * 8192
-         va_list = va_list0 = (num == 0) ? [] : str.unpack('Z*' * num)
-         begin
-            if defined? Wow64DisableWow64FsRedirection
-               old_wow_val = 0.chr * 4
-               Wow64DisableWow64FsRedirection(old_wow_val)
-            end
-            param_exe = nil
-            message_exe = nil
-            if RegOpenKeyEx(lkey, key, 0, KEY_READ, hkey) == 0
-               hkey  = hkey.unpack('L')[0]
-               value = 'providerGuid'
-               guid  = 0.chr * MAX_SIZE
-               size  = [ guid.length].pack('L')
-               if RegQueryValueEx(hkey, value, 0, 0, guid, size) == 0
-                  guid  = guid.nstrip
-                  hkey2 = [0].pack('L')
-                  key   = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\"
-                  key   << "WINEVT\\Publishers\\#{guid}"
-                  if RegOpenKeyEx(lkey, key, 0, KEY_READ|0x100, hkey2) == 0
-                     hkey2  = hkey2.unpack('L')[0]
-                     value = 'ParameterMessageFile'
-                     file  = 0.chr * MAX_SIZE
-                     size  = [ file.length].pack('L')
-                     if RegQueryValueEx(hkey2, value, 0, 0, file, size) == 0
-                        file = file.nstrip
-                        exe  = 0.chr * MAX_SIZE
-                        ExpandEnvironmentStrings(file, exe, exe.size)
-                        param_exe = exe.nstrip
-                     end
-                     value = 'MessageFileName'
-                     file  = 0.chr * MAX_SIZE
-                     size  = [file.length].pack('L')
-                     if RegQueryValueEx(hkey2, value, 0, 0, file, size) == 0
-                        file = file.nstrip
-                        exe  = 0.chr * MAX_SIZE
-                        ExpandEnvironmentStrings(file, exe, exe.size)
-                        message_exe = exe.nstrip
-                     end
-                     RegCloseKey(hkey2)
-                  end
-               else
-                  value = 'ParameterMessageFile'
-                  file  = 0.chr * MAX_SIZE
-                  size  = [ file.length].pack('L')
-                  if RegQueryValueEx(hkey, value, 0, 0, file, size) == 0
-                     file = file.nstrip
-                     exe  = 0.chr * MAX_SIZE
-                     ExpandEnvironmentStrings(file, exe, exe.size)
-                     param_exe = exe.nstrip
-                  end
-                  value = 'EventMessageFile'
-                  file  = 0.chr * MAX_SIZE
-                  size  = [file.length].pack('L')
-                  if RegQueryValueEx(hkey, value, 0, 0, file, size) == 0
-                     file = file.nstrip
-                     exe  = 0.chr * MAX_SIZE
-                     ExpandEnvironmentStrings(file, exe, exe.size)
-                     message_exe = exe.nstrip
-                  end
-               end
-                RegCloseKey(hkey)
-            elsif defined? EvtOpenPublisherMetadata # Vista or later
-               pubMetadata = EvtOpenPublisherMetadata(
-                  0,
-                  multi_to_wide(event_source),
-                  0,
-                  1024, # Default LCID
-                  0
-               )
-               if pubMetadata > 0
-                  buf2 = 0.chr * 8192
-                  val  = 0.chr*4
-                  EvtGetPublisherMetadataProperty(
-                     pubMetadata,
-                     2, # EvtPublisherMetadataParameterFilePath
-                     0,
-                     8192,
-                     buf2,
-                     val
-                  )
-                  file = wide_to_multi(buf2[16..-1])
-                  exe  = 0.chr * MAX_SIZE
-                  ExpandEnvironmentStrings(file, exe, exe.size)
-                  param_exe = exe.nstrip
-                  buf2 = 0.chr * 8192
-                  val = 0.chr*4
-                  EvtGetPublisherMetadataProperty(
-                     pubMetadata,
-                     3, # EvtPublisherMetadataMessageFilePath
-                     0,
-                     8192,
-                     buf2,
-                     val
-                  )
-                  file = wide_to_multi(buf2[16..-1])
-                  exe  = 0.chr * MAX_SIZE
-                  ExpandEnvironmentStrings(file, exe, exe.size)
-                  message_exe = exe.nstrip
-                  EvtClose(pubMetadata)
-               end
-            end
-            if param_exe != nil
-               va_list = va_list0.map{ |v|
-                  va = v
-                  v.scan(/%%(\d+)/).uniq.each{ |x|
-                     param_exe.split(';').each{ |file|
-                        hmodule  = LoadLibraryEx(
-                           file,
-                           0,
-                           DONT_RESOLVE_DLL_REFERENCES |
-                           LOAD_LIBRARY_AS_DATAFILE
-                        )
-                        if hmodule != 0
-                           res = FormatMessage(
-                              FORMAT_MESSAGE_FROM_HMODULE |
-                              FORMAT_MESSAGE_ARGUMENT_ARRAY,
-                              hmodule,
-                              x.first.to_i,
-                              0,
-                              buf,
-                              buf.size,
-                              v
-                           )
-                           if res == 0
-                              event_id = 0xB0000000 | event_id
-                              res = FormatMessage(
-                                 FORMAT_MESSAGE_FROM_HMODULE |
-                                 FORMAT_MESSAGE_IGNORE_INSERTS,
-                                 hmodule,
-                                 event_id,
-                                 0,
-                                 buf,
-                                 buf.size,
-                                 nil
-                              )
-                           end
-                           FreeLibrary(hmodule)
-                           break if buf.nstrip != ""
-                        end
-                     }
-                     va = va.gsub("%%#{x.first}", buf.nstrip)
-                  }
-                  va
-               }
-            end
-            if message_exe != nil
-               buf  = 0.chr * 8192 # Reset the buffer
-               # Try to retrieve message *without* expanding the inserts yet
-               message_exe.split(';').each{ |file|
-                  hmodule = LoadLibraryEx(
-                     file,
-                     0,
-                     DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE
-                  )
-                  event_id = rec[20,4].unpack('L')[0]
-                  if hmodule != 0
-                     res = FormatMessage(
-                        FORMAT_MESSAGE_FROM_HMODULE |
-                        FORMAT_MESSAGE_IGNORE_INSERTS,
-                        hmodule,
-                        event_id,
-                        0,
-                        buf,
-                        buf.size,
-                        nil
-                     )
-                     if res == 0
-                        event_id = 0xB0000000 | event_id
-                        res = FormatMessage(
-                           FORMAT_MESSAGE_FROM_HMODULE |
-                           FORMAT_MESSAGE_IGNORE_INSERTS,
-                           hmodule,
-                           event_id,
-                           0,
-                           buf,
-                           buf.size,
-                           nil
-                        )
-                     end
-                     FreeLibrary(hmodule)
-                     break if buf.nstrip != "" # All messages read
-                  end
-               }
-               # Determine higest %n insert number
-               max_insert = [num, buf.nstrip.scan(/%(\d+)/).map{ |x| x[0].to_i }.max].compact.max
-               # Insert dummy strings not provided by caller
-               ((num+1)..(max_insert)).each{ |x| va_list.push("%#{x}") }
-               if num == 0
-                  va_list_ptr = 0.chr * 4
-               else
-                  va_list_ptr = va_list.map{ |x|
-                     [x + 0.chr].pack('P').unpack('L')[0]
-                  }.pack('L*')
-               end
-               message_exe.split(';').each{ |file|
-                  hmodule = LoadLibraryEx(
-                     file,
-                     0,
-                     DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE
-                  )
-                  event_id = rec[20,4].unpack('L')[0]
-                  if hmodule != 0
-                     res = FormatMessage(
-                        FORMAT_MESSAGE_FROM_HMODULE |
-                        FORMAT_MESSAGE_ARGUMENT_ARRAY,
-                        hmodule,
-                        event_id,
-                        0,
-                        buf,
-                        buf.size,
-                        va_list_ptr
-                     )
-                     if res == 0
-                        event_id = 0xB0000000 | event_id
-                        res = FormatMessage(
-                           FORMAT_MESSAGE_FROM_HMODULE |
-                           FORMAT_MESSAGE_ARGUMENT_ARRAY,
-                           hmodule,
-                           event_id,
-                           0,
-                           buf,
-                           buf.size,
-                           va_list_ptr
-                        )
-                     end
-                     FreeLibrary(hmodule)
-                     break if buf.nstrip != "" # All messages read
-                  end
-               }
-            end
-        ensure
-           if defined? Wow64RevertWow64FsRedirection
-              Wow64RevertWow64FsRedirection(old_wow_val.unpack('L')[0])
-           end
-        end
-        [va_list0, buf.nstrip]
-     end
-   end
-end
+require File.join(File.dirname(__FILE__), 'windows', 'constants')
+require File.join(File.dirname(__FILE__), 'windows', 'structs')
+require File.join(File.dirname(__FILE__), 'windows', 'functions')
+# The Win32 module serves as a namespace only.
+module Win32
+  # The EventLog class encapsulates an Event Log source and provides methods
+  # for interacting with that source.
+  class EventLog
+    include Windows::Constants
+    include Windows::Structs
+    include Windows::Functions
+    extend Windows::Functions
+    # The EventLog::Error is raised in cases where interaction with the
+    # event log should happen to fail for any reason.
+    class Error < StandardError; end
+    # The version of the win32-eventlog library
+    VERSION = '0.6.0'
+    # The log is read in chronological order, i.e. oldest to newest.
+    FORWARDS_READ = EVENTLOG_FORWARDS_READ
+    # The log is read in reverse chronological order, i.e. newest to oldest.
+    BACKWARDS_READ = EVENTLOG_BACKWARDS_READ
+    # Begin reading from a specific record.
+    SEEK_READ = EVENTLOG_SEEK_READ
+    # Read the records sequentially. If this is the first read operation, the
+    # EVENTLOG_FORWARDS_READ or EVENTLOG_BACKWARDS_READ flags determines
+    # which record is read first.
+    SEQUENTIAL_READ = EVENTLOG_SEQUENTIAL_READ
+    # Event types
+    # Information event, an event that describes the successful operation
+    # of an application, driver or service.
+    SUCCESS = EVENTLOG_SUCCESS
+    # Error event, an event that indicates a significant problem such as
+    # loss of data or functionality.
+    ERROR_TYPE = EVENTLOG_ERROR_TYPE
+    # Warning event, an event that is not necessarily significant but may
+    # indicate a possible future problem.
+    WARN_TYPE = EVENTLOG_WARNING_TYPE
+    # Information event, an event that describes the successful operation
+    # of an application, driver or service.
+    INFO_TYPE = EVENTLOG_INFORMATION_TYPE
+    # Success audit event, an event that records an audited security attempt
+    # that is successful.
+    AUDIT_SUCCESS = EVENTLOG_AUDIT_SUCCESS
+    # Failure audit event, an event that records an audited security attempt
+    # that fails.
+    AUDIT_FAILURE = EVENTLOG_AUDIT_FAILURE
+    # The EventLogStruct encapsulates a single event log record.
+    EventLogStruct = Struct.new('EventLogStruct', :record_number,
+      :time_generated, :time_written, :event_id, :event_type, :category,
+      :source, :computer, :user, :string_inserts, :description
+    )
+    # The name of the event log source.  This will typically be
+    # 'Application', 'System' or 'Security', but could also refer to
+    # a custom event log source.
+    #
+    attr_reader :source
+    # The name of the server which the event log is reading from.
+    #
+    attr_reader :server
+    # The name of the file used in the EventLog.open_backup method.  This is
+    # set to nil if the file was not opened using the EventLog.open_backup
+    # method.
+    #
+    attr_reader :file
+    # Opens a handle to the new EventLog +source+ on +server+, or the local
+    # machine if no host is specified.  Typically, your source will be
+    # 'Application, 'Security' or 'System', although you can specify a
+    # custom log file as well.
+    #
+    # If a custom, registered log file name cannot be found, the event
+    # logging service opens the 'Application' log file.  This is the
+    # behavior of the underlying Windows function, not my own doing.
+    #
+    def initialize(source = 'Application', server = nil, file = nil)
+      @source = source || 'Application' # In case of explicit nil
+      @server = server
+      @file   = file
+      # Avoid potential segfaults from win32-api
+      raise TypeError unless @source.is_a?(String)
+      raise TypeError unless @server.is_a?(String) if @server
+      if file.nil?
+        function = 'OpenEventLog'
+        @handle = OpenEventLog(@server, @source)
+      else
+        function = 'OpenBackupEventLog'
+        @handle = OpenBackupEventLog(@server, @file)
+      end
+      if @handle == 0
+        raise SystemCallError.new(function, FFI.errno)
+      end
+      # Ensure the handle is closed at the end of a block
+      if block_given?
+        begin
+          yield self
+        ensure
+          close
+        end
+      end
+    end
+    # Class method aliases
+    class << self
+      alias :open :new
+    end
+    # Nearly identical to EventLog.open, except that the source is a backup
+    # file and not an event source (and there is no default).
+    #
+    def self.open_backup(file, source = 'Application', server = nil, &block)
+      @file   = file
+      @source = source
+      @server = server
+      # Avoid potential segfaults from win32-api
+      raise TypeError unless @file.is_a?(String)
+      raise TypeError unless @source.is_a?(String)
+      raise TypeError unless @server.is_a?(String) if @server
+      self.new(source, server, file, &block)
+    end
+    # Adds an event source to the registry. Returns the disposition, which
+    # is either REG_CREATED_NEW_KEY (1) or REG_OPENED_EXISTING_KEY (2).
+    #
+    # The following are valid keys:
+    #
+    # * source                 # Source name.  Set to "Application" by default
+    # * key_name               # Name stored as the registry key
+    # * category_count         # Number of supported (custom) categories
+    # * event_message_file     # File (dll) that defines events
+    # * category_message_file  # File (dll) that defines categories
+    # * parameter_message_file # File (dll) that contains values for variables in the event description.
+    # * supported_types        # See the 'event types' constants
+    #
+    # Of these keys, only +key_name+ is mandatory. An ArgumentError is
+    # raised if you attempt to use an invalid key. If +supported_types+
+    # is not specified then the following value is used:
+    #
+    # EventLog::ERROR_TYPE | EventLog::WARN_TYPE | EventLog::INFO_TYPE
+    #
+    # The +event_message_file+ and +category_message_file+ are typically,
+    # though not necessarily, the same file. See the documentation on .mc files
+    # for more details.
+    #
+    # You will need administrative privileges to use this method.
+    #
+    def self.add_event_source(args)
+      raise TypeError unless args.is_a?(Hash)
+      valid_keys = %w[
+        source
+        key_name
+        category_count
+        event_message_file
+        category_message_file
+        parameter_message_file
+        supported_types
+      ]
+      key_base = "SYSTEM\\CurrentControlSet\\Services\\EventLog\\"
+      # Default values
+      hash = {
+        'source'          => 'Application',
+        'supported_types' => ERROR_TYPE | WARN_TYPE | INFO_TYPE
+      }
+      # Validate the keys, and convert symbols and case to lowercase strings.
+      args.each{ |key, val|
+        key = key.to_s.downcase
+        unless valid_keys.include?(key)
+          raise ArgumentError, "invalid key '#{key}'"
+        end
+        hash[key] = val
+      }
+      # The key_name must be specified
+      unless hash['key_name']
+        raise ArgumentError, 'no event_type specified'
+      end
+      hkey = FFI::MemoryPointer.new(:uintptr_t)
+      disposition = FFI::MemoryPointer.new(:ulong)
+      key = key_base + hash['source']
+      rv = RegCreateKeyEx(
+        HKEY_LOCAL_MACHINE,
+        key,
+        0,
+        nil,
+        REG_OPTION_NON_VOLATILE,
+        KEY_WRITE,
+        nil,
+        hkey,
+        disposition
+      )
+      if rv != ERROR_SUCCESS
+        raise SystemCallError.new('RegCreateKeyEx', rv)
+      end
+      hkey = hkey.read_pointer.to_i
+      data = "%SystemRoot%\\System32\\config\\#{hash['source']}.evt"
+      begin
+        rv = RegSetValueEx(
+          hkey,
+          'File',
+          0,
+          REG_EXPAND_SZ,
+          data,
+          data.size
+        )
+        if rv != ERROR_SUCCESS
+          raise SystemCallError.new('RegSetValueEx', rv)
+        end
+      ensure
+        RegCloseKey(hkey)
+      end
+      hkey = FFI::MemoryPointer.new(:uintptr_t)
+      disposition = FFI::MemoryPointer.new(:ulong)
+      key  = key_base << hash['source'] << "\\" << hash['key_name']
+      begin
+        rv = RegCreateKeyEx(
+          HKEY_LOCAL_MACHINE,
+          key,
+          0,
+          nil,
+          REG_OPTION_NON_VOLATILE,
+          KEY_WRITE,
+          nil,
+          hkey,
+          disposition
+        )
+        if rv != ERROR_SUCCESS
+          raise SystemCallError.new('RegCreateKeyEx', rv)
+        end
+        hkey = hkey.read_pointer.to_i
+        if hash['category_count']
+          data = FFI::MemoryPointer.new(:ulong).write_ulong(hash['category_count'])
+          rv = RegSetValueEx(
+            hkey,
+            'CategoryCount',
+            0,
+            REG_DWORD,
+            data,
+            data.size
+          )
+          if rv != ERROR_SUCCESS
+            raise SystemCallError.new('RegSetValueEx', rv)
+          end
+        end
+        if hash['category_message_file']
+          data = File.expand_path(hash['category_message_file'])
+          data = FFI::MemoryPointer.from_string(data)
+          rv = RegSetValueEx(
+            hkey,
+            'CategoryMessageFile',
+            0,
+            REG_EXPAND_SZ,
+            data,
+            data.size
+          )
+          if rv != ERROR_SUCCESS
+            raise SystemCallError.new('RegSetValueEx', rv)
+          end
+        end
+        if hash['event_message_file']
+          data = File.expand_path(hash['event_message_file'])
+          data = FFI::MemoryPointer.from_string(data)
+          rv = RegSetValueEx(
+            hkey,
+            'EventMessageFile',
+            0,
+            REG_EXPAND_SZ,
+            data,
+            data.size
+          )
+          if rv != ERROR_SUCCESS
+            raise SystemCallError.new('RegSetValueEx', rv)
+          end
+        end
+        if hash['parameter_message_file']
+          data = File.expand_path(hash['parameter_message_file'])
+          data = FFI::MemoryPointer.from_string(data)
+          rv = RegSetValueEx(
+            hkey,
+            'ParameterMessageFile',
+            0,
+            REG_EXPAND_SZ,
+            data,
+            data.size
+          )
+          if rv != ERROR_SUCCESS
+            raise SystemCallError.new('RegSetValueEx', rv)
+          end
+        end
+        data = FFI::MemoryPointer.new(:ulong).write_ulong(hash['supported_types'])
+        rv = RegSetValueEx(
+          hkey,
+          'TypesSupported',
+          0,
+          REG_DWORD,
+          data,
+          data.size
+        )
+        if rv != ERROR_SUCCESS
+          raise SystemCallError.new('RegSetValueEx', rv)
+        end
+      ensure
+        RegCloseKey(hkey)
+      end
+      disposition.read_ulong
+    end
+    # Backs up the event log to +file+.  Note that you cannot backup to
+    # a file that already exists or a Error will be raised.
+    #
+    def backup(file)
+      raise TypeError unless file.is_a?(String)
+      unless BackupEventLog(@handle, file)
+        raise SystemCallError.new('BackupEventLog', FFI.errno)
+      end
+    end
+    # Clears the EventLog.  If +backup_file+ is provided, it backs up the
+    # event log to that file first.
+    #
+    def clear(backup_file = nil)
+      raise TypeError unless backup_file.is_a?(String) if backup_file
+      unless ClearEventLog(@handle, backup_file)
+        raise SystemCallError.new('ClearEventLog', FFI.errno)
+      end
+    end
+    # Closes the EventLog handle. The handle is automatically closed for you
+    # if you use the block form of EventLog.new.
+    #
+    def close
+      CloseEventLog(@handle)
+    end
+    # Indicates whether or not the event log is full.
+    #
+    def full?
+      ptr = FFI::MemoryPointer.new(:ulong, 1)
+      needed = FFI::MemoryPointer.new(:ulong)
+      unless GetEventLogInformation(@handle, 0, ptr, ptr.size, needed)
+        raise SystemCallError.new('GetEventLogInformation', FFI.errno)
+      end
+      ptr.read_ulong != 0
+    end
+    # Returns the absolute record number of the oldest record.  Note that
+    # this is not guaranteed to be 1 because event log records can be
+    # overwritten.
+    #
+    def oldest_record_number
+      rec = FFI::MemoryPointer.new(:ulong)
+      unless GetOldestEventLogRecord(@handle, rec)
+        raise SystemCallError.new('GetOldestEventLogRecord', FFI.errno)
+      end
+      rec.read_ulong
+    end
+    # Returns the total number of records for the given event log.
+    #
+    def total_records
+      total = FFI::MemoryPointer.new(:ulong)
+      unless GetNumberOfEventLogRecords(@handle, total)
+        raise SystemCallError.new('GetNumberOfEventLogRecords', FFI.errno)
+      end
+      total.read_ulong
+    end
+    # Yields an EventLogStruct every time a record is written to the event
+    # log. Unlike EventLog#tail, this method breaks out of the block after
+    # the event.
+    #
+    # Raises an Error if no block is provided.
+    #
+    def notify_change(&block)
+      unless block_given?
+        raise ArgumentError, 'block missing for notify_change'
+      end
+      # Reopen the handle because the NotifyChangeEventLog() function will
+      # choke after five or six reads otherwise.
+      @handle = OpenEventLog(@server, @source)
+      if @handle == 0
+        raise SystemCallError.new('OpenEventLog', FFI.errno)
+      end
+      event = CreateEvent(nil, false, false, nil)
+      unless NotifyChangeEventLog(@handle, event)
+        raise SystemCallError.new('NotifyChangeEventLog', FFI.errno)
+      end
+      wait_result = WaitForSingleObject(event, INFINITE)
+      begin
+        if wait_result == WAIT_FAILED
+          raise SystemCallError.new('WaitForSingleObject', FFI.errno)
+        else
+          last = read_last_event
+          block.call(last)
+        end
+      ensure
+        CloseHandle(event)
+      end
+      self
+    end
+    # Yields an EventLogStruct every time a record is written to the event
+    # log, once every +frequency+ seconds. Unlike EventLog#notify_change,
+    # this method does not break out of the block after the event.  The read
+    # +frequency+ is set to 5 seconds by default.
+    #
+    # Raises an Error if no block is provided.
+    #
+    # The delay between reads is due to the nature of the Windows event log.
+    # It is not really designed to be tailed in the manner of a Unix syslog,
+    # for example, in that not nearly as many events are typically recorded.
+    # It's just not designed to be polled that heavily.
+    #
+    def tail(frequency = 5)
+      unless block_given?
+        raise ArgumentError, 'block missing for tail'
+      end
+      old_total = total_records()
+      flags     = FORWARDS_READ | SEEK_READ
+      rec_num   = read_last_event.record_number
+      while true
+        new_total = total_records()
+        if new_total != old_total
+          rec_num = oldest_record_number() if full?
+          read(flags, rec_num).each{ |log| yield log }
+          old_total = new_total
+          rec_num   = read_last_event.record_number + 1
+        end
+        sleep frequency
+      end
+    end
+    # Iterates over each record in the event log, yielding a EventLogStruct
+    # for each record.  The offset value is only used when used in
+    # conjunction with the EventLog::SEEK_READ flag.  Otherwise, it is
+    # ignored.  If no flags are specified, then the default flags are:
+    #
+    # EventLog::SEQUENTIAL_READ | EventLog::FORWARDS_READ
+    #
+    # Note that, if you're performing a SEEK_READ, then the offset must
+    # refer to a record number that actually exists.  The default of 0
+    # may or may not work for your particular event log.
+    #
+    # The EventLogStruct struct contains the following members:
+    #
+    # * record_number  # Fixnum
+    # * time_generated # Time
+    # * time_written   # Time
+    # * event_id       # Fixnum
+    # * event_type     # String
+    # * category       # String
+    # * source         # String
+    # * computer       # String
+    # * user           # String or nil
+    # * description    # String or nil
+    # * string_inserts # An array of Strings or nil
+    #
+    # If no block is given the method returns an array of EventLogStruct's.
+    #
+    def read(flags = nil, offset = 0)
+      buf    = FFI::MemoryPointer.new(:char, BUFFER_SIZE)
+      read   = FFI::MemoryPointer.new(:ulong)
+      needed = FFI::MemoryPointer.new(:ulong)
+      array  = []
+      lkey   = HKEY_LOCAL_MACHINE
+      unless flags
+        flags = FORWARDS_READ | SEQUENTIAL_READ
+      end
+      if @server
+        hkey = FFI::MemoryPointer.new(:uintptr_t)
+        if RegConnectRegistry(@server, HKEY_LOCAL_MACHINE, hkey) != 0
+          raise SystemCallError.new('RegConnectRegistry', FFI.errno)
+        end
+        lkey = hkey.read_pointer.to_i
+      end
+      while ReadEventLog(@handle, flags, offset, buf, buf.size, read, needed) ||
+        FFI.errno == ERROR_INSUFFICIENT_BUFFER
+        if FFI.errno == ERROR_INSUFFICIENT_BUFFER
+          needed = needed.read_ulong / EVENTLOGRECORD.size
+          buf = FFI::MemoryPointer.new(EVENTLOGRECORD, needed)
+          unless ReadEventLog(@handle, flags, offset, buf, buf.size, read, needed)
+            raise SystemCallError.new('ReadEventLog', FFI.errno)
+          end
+        end
+        dwread = read.read_ulong
+        while dwread > 0
+          struct = EventLogStruct.new
+          record = EVENTLOGRECORD.new(buf)
+          event_source = buf.read_bytes(buf.size)[56..-1][/^[^\0]*/]
+          computer = buf.read_bytes(buf.size)[56 + event_source.length + 1..-1][/^[^\0]*/]
+          user = get_user(record)
+          strings, desc = get_description(buf, event_source, lkey)
+          struct.source         = event_source
+          struct.computer       = computer
+          struct.record_number  = record[:RecordNumber]
+          struct.time_generated = Time.at(record[:TimeGenerated])
+          struct.time_written   = Time.at(record[:TimeWritten])
+          struct.event_id       = record[:EventID] & 0x0000FFFF
+          struct.event_type     = get_event_type(record[:EventType])
+          struct.user           = user
+          struct.category       = record[:EventCategory]
+          struct.string_inserts = strings
+          struct.description 	  = desc
+          struct.freeze # This is read-only information
+          if block_given?
+            yield struct
+          else
+            array.push(struct)
+          end
+          if flags & EVENTLOG_BACKWARDS_READ > 0
+            offset = record[:RecordNumber] - 1
+          else
+            offset = record[:RecordNumber] + 1
+          end
+          length = record[:Length]
+          dwread -= length
+          buf += length
+        end
+        buf  = FFI::MemoryPointer.new(:char, BUFFER_SIZE)
+      end
+      block_given? ? nil : array
+    end
+    # This class method is nearly identical to the EventLog#read instance
+    # method, except that it takes a +source+ and +server+ as the first two
+    # arguments.
+    #
+    def self.read(source='Application', server=nil, flags=nil, offset=0)
+      self.new(source, server){ |log|
+        if block_given?
+          log.read(flags, offset){ |els| yield els }
+        else
+          return log.read(flags, offset)
+        end
+      }
+    end
+    # Writes an event to the event log. The following are valid keys:
+    #
+    # * source     # Event log source name. Defaults to "Application".
+    # * event_id   # Event ID (defined in event message file).
+    # * category   # Event category (defined in category message file).
+    # * data       # String, or array of strings, that is written to the log.
+    # * event_type # Type of event, e.g. EventLog::ERROR_TYPE, etc.
+    #
+    # The +event_type+ keyword is the only mandatory keyword. The others are
+    # optional. Although the +source+ defaults to "Application", I
+    # recommend that you create an application specific event source and use
+    # that instead. See the 'EventLog.add_event_source' method for more
+    # details.
+    #
+    # The +event_id+ and +category+ values are defined in the message
+    # file(s) that you created for your application. See the tutorial.txt
+    # file for more details on how to create a message file.
+    #
+    # An ArgumentError is raised if you attempt to use an invalid key.
+    #
+    def report_event(args)
+      raise TypeError unless args.is_a?(Hash)
+      valid_keys  = %w[source event_id category data event_type]
+      num_strings = 0
+      # Default values
+      hash = {
+        'source'   => @source,
+        'event_id' => 0,
+        'category' => 0,
+        'data'     => 0
+      }
+      # Validate the keys, and convert symbols and case to lowercase strings.
+      args.each{ |key, val|
+        key = key.to_s.downcase
+        unless valid_keys.include?(key)
+          raise ArgumentError, "invalid key '#{key}'"
+        end
+        hash[key] = val
+      }
+      # The event_type must be specified
+      unless hash['event_type']
+        raise ArgumentError, 'no event_type specified'
+      end
+      handle = RegisterEventSource(@server, hash['source'])
+      if handle == 0
+        raise SystemCallError.new('RegisterEventSource', FFI.errno)
+      end
+      if hash['data'].is_a?(String)
+        strptrs = []
+        strptrs << FFI::MemoryPointer.from_string(hash['data'])
+        strptrs << nil
+        data = FFI::MemoryPointer.new(:pointer, strptrs.size)
+        strptrs.each_with_index do |p, i|
+          data[i].put_pointer(0, p)
+        end
+        num_strings = 1
+      elsif hash['data'].is_a?(Array)
+        strptrs = []
+        hash['data'].each{ |str|
+          strptrs << FFI::MemoryPointer.from_string(str)
+        }
+        strptrs << nil
+        data = FFI::MemoryPointer.new(:pointer, strptrs.size)
+        strptrs.each_with_index do |p, i|
+          data[i].put_pointer(0, p)
+        end
+        num_strings = hash['data'].size
+      else
+        data = nil
+        num_strings = 0
+      end
+      bool = ReportEvent(
+        handle,
+        hash['event_type'],
+        hash['category'],
+        hash['event_id'],
+        nil,
+        num_strings,
+        0,
+        data,
+        nil
+      )
+      unless bool
+        raise SystemCallError.new('ReportEvent', FFI.errno)
+      end
+    end
+    alias :write :report_event
+    private
+    # A private method that reads the last event log record.
+    #
+    def read_last_event(handle=@handle, source=@source, server=@server)
+      buf    = FFI::MemoryPointer.new(:char, BUFFER_SIZE)
+      read   = FFI::MemoryPointer.new(:ulong)
+      needed = FFI::MemoryPointer.new(:ulong)
+      lkey   = HKEY_LOCAL_MACHINE
+      flags = EVENTLOG_BACKWARDS_READ | EVENTLOG_SEQUENTIAL_READ
+      unless ReadEventLog(@handle, flags, 0, buf, buf.size, read, needed)
+        if FFI.errno == ERROR_INSUFFICIENT_BUFFER
+          needed = needed.read_ulong / EVENTLOGRECORD.size
+          buf = FFI::MemoryPointer.new(EVENTLOGRECORD, needed)
+          unless ReadEventLog(@handle, flags, 0, buf, buf.size, read, needed)
+            raise SystemCallError.new('ReadEventLog', FFI.errno)
+          end
+        else
+          raise SystemCallError.new('ReadEventLog', FFI.errno)
+        end
+      end
+      if @server
+        hkey = FFI::MemoryPointer.new(:uintptr_t)
+        if RegConnectRegistry(@server, HKEY_LOCAL_MACHINE, hkey) != 0
+          raise SystemCallError.new('RegConnectRegistry', FFI.errno)
+        end
+        lkey = hkey.read_pointer.to_i
+      end
+      record = EVENTLOGRECORD.new(buf)
+      event_source  = buf.read_bytes(buf.size)[56..-1][/^[^\0]*/]
+      computer      = buf.read_bytes(buf.size)[56 + event_source.length + 1..-1][/^[^\0]*/]
+      event_type    = get_event_type(record[:EventType])
+      user          = get_user(record)
+      strings, desc = get_description(buf, event_source, lkey)
+      struct = EventLogStruct.new
+      struct.source         = event_source
+      struct.computer       = computer
+      struct.record_number  = record[:RecordNumber]
+      struct.time_generated = Time.at(record[:TimeGenerated])
+      struct.time_written   = Time.at(record[:TimeWritten])
+      struct.event_id       = record[:EventID] & 0x0000FFFF
+      struct.event_type     = event_type
+      struct.user           = user
+      struct.category       = record[:EventCategory]
+      struct.string_inserts = strings
+      struct.description 	  = desc
+      struct.freeze # This is read-only information
+      struct
+    end
+    # Private method that retrieves the user name based on data in the
+    # EVENTLOGRECORD buffer.
+    #
+    def get_user(rec)
+      return nil if rec[:UserSidLength] <= 0
+      name   = FFI::MemoryPointer.new(:char, MAX_SIZE)
+      domain = FFI::MemoryPointer.new(:char, MAX_SIZE)
+      snu    = FFI::MemoryPointer.new(:int)
+      name_size   = FFI::MemoryPointer.new(:ulong)
+      domain_size = FFI::MemoryPointer.new(:ulong)
+      name_size.write_ulong(name.size)
+      domain_size.write_ulong(domain.size)
+      offset = rec[:UserSidOffset]
+      val = LookupAccountSid(
+        @server,
+        rec.pointer + offset,
+        name,
+        name_size,
+        domain,
+        domain_size,
+        snu
+      )
+      # Return nil if the lookup failed
+      return val ? name.read_string : nil
+    end
+    # Private method that converts a numeric event type into a human
+    # readable string.
+    #
+    def get_event_type(event)
+      case event
+        when EVENTLOG_ERROR_TYPE
+          'error'
+        when EVENTLOG_WARNING_TYPE
+          'warning'
+        when EVENTLOG_INFORMATION_TYPE, EVENTLOG_SUCCESS
+          'information'
+        when EVENTLOG_AUDIT_SUCCESS
+          'audit_success'
+        when EVENTLOG_AUDIT_FAILURE
+          'audit_failure'
+        else
+          nil
+      end
+    end
+    # Private method that gets the string inserts (Array) and the full
+    # event description (String) based on data from the EVENTLOGRECORD
+    # buffer.
+    #
+    def get_description(buf, event_source, lkey)
+      rec     = EVENTLOGRECORD.new(buf)
+      str     = buf.read_bytes(buf.size)[rec[:StringOffset] .. -1]
+      num     = rec[:NumStrings]
+      hkey    = FFI::MemoryPointer.new(:uintptr_t)
+      key     = BASE_KEY + "#{@source}\\#{event_source}"
+      buf     = FFI::MemoryPointer.new(:char, 8192)
+      va_list = va_list0 = (num == 0) ? [] : str.unpack('Z*' * num)
+      begin
+        old_wow_val = FFI::MemoryPointer.new(:int)
+        Wow64DisableWow64FsRedirection(old_wow_val)
+        param_exe = nil
+        message_exe = nil
+        if RegOpenKeyEx(lkey, key, 0, KEY_READ, hkey) == 0
+          hkey  = hkey.read_pointer.to_i
+          value = 'providerGuid'
+          guid  = FFI::MemoryPointer.new(:char, MAX_SIZE)
+          size  = FFI::MemoryPointer.new(:ulong)
+          size.write_ulong(guid.size)
+          if RegQueryValueEx(hkey, value, nil, nil, guid, size) == 0
+            guid  = guid.read_string
+            hkey2 = FFI::MemoryPointer.new(:uintptr_t)
+            key   = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Publishers\\#{guid}"
+            if RegOpenKeyEx(lkey, key, 0, KEY_READ|0x100, hkey2) == 0
+              hkey2  = hkey2.read_pointer.to_i
+              value = 'ParameterMessageFile'
+              file  = FFI::MemoryPointer.new(:char, MAX_SIZE)
+              size  = FFI::MemoryPointer.new(:ulong)
+              size.write_ulong(file.size)
+              if RegQueryValueEx(hkey2, value, nil, nil, file, size) == 0
+                file = file.read_string
+                exe  = FFI::MemoryPointer.new(:char, MAX_SIZE)
+                ExpandEnvironmentStrings(file, exe, exe.size)
+                param_exe = exe.read_string
+              end
+              value = 'MessageFileName'
+              file  = FFI::MemoryPointer.new(:char, MAX_SIZE)
+              size  = FFI::MemoryPointer.new(:ulong)
+              size.write_ulong(file.size)
+              if RegQueryValueEx(hkey2, value, nil, nil, file, size) == 0
+                file = file.read_string
+                exe  = FFI::MemoryPointer.new(:char, MAX_SIZE)
+                ExpandEnvironmentStrings(file, exe, exe.size)
+                message_exe = exe.read_string
+              end
+              RegCloseKey(hkey2)
+            end
+          else
+            value = 'ParameterMessageFile'
+            file  = FFI::MemoryPointer.new(:char, MAX_SIZE)
+            size  = FFI::MemoryPointer.new(:ulong)
+            size.write_ulong(file.size)
+            if RegQueryValueEx(hkey, value, nil, nil, file, size) == 0
+              file = file.read_string
+              exe  = FFI::MemoryPointer.new(:char, MAX_SIZE)
+              ExpandEnvironmentStrings(file, exe, exe.size)
+              param_exe = exe.read_string
+            end
+            value = 'EventMessageFile'
+            file  = FFI::MemoryPointer.new(:char, MAX_SIZE)
+            size  = FFI::MemoryPointer.new(:ulong)
+            size.write_ulong(file.size)
+            if RegQueryValueEx(hkey, value, nil, nil, file, size) == 0
+              file = file.read_string
+              exe  = FFI::MemoryPointer.new(:char, MAX_SIZE)
+              ExpandEnvironmentStrings(file, exe, exe.size)
+              message_exe = exe.read_string
+            end
+          end
+          RegCloseKey(hkey)
+        else
+          wevent_source = (event_source + 0.chr).encode('UTF-16LE')
+          begin
+            pubMetadata = EvtOpenPublisherMetadata(0, wevent_source, nil, 1024, 0)
+            if pubMetadata > 0
+              buf2 = FFI::MemoryPointer.new(:char, 8192)
+              val  = FFI::MemoryPointer.new(:ulong)
+              bool = EvtGetPublisherMetadataProperty(
+                pubMetadata,
+                2, # EvtPublisherMetadataParameterFilePath
+                0,
+                buf2.size,
+                buf2,
+                val
+              )
+              unless bool
+                raise SystemCallError.new('EvtGetPublisherMetadataProperty', FFI.errno)
+              end
+              file = buf2.read_string[16..-1]
+              exe  = FFI::MemoryPointer.new(:char, MAX_SIZE)
+              ExpandEnvironmentStrings(file, exe, exe.size)
+              param_exe = exe.read_string
+              buf2 = FFI::MemoryPointer.new(:char, 8192)
+              val  = FFI::MemoryPointer.new(:ulong)
+              bool = EvtGetPublisherMetadataProperty(
+                pubMetadata,
+                3, # EvtPublisherMetadataMessageFilePath
+                0,
+                buf2.size,
+                buf2,
+                val
+              )
+              unless bool
+                raise SystemCallError.new('EvtGetPublisherMetadataProperty', FFI.errno)
+              end
+              file = buf2.read_string[16..-1]
+              exe  = FFI::MemoryPointer.new(:char, MAX_SIZE)
+              ExpandEnvironmentStrings(file, exe, exe.size)
+              message_exe = exe.read_string
+            end
+          ensure
+            EvtClose(pubMetadata) if pubMetadata
+          end
+        end
+        if param_exe != nil
+          va_list = va_list0.map{ |v|
+            va = v
+            v.scan(/%%(\d+)/).uniq.each{ |x|
+              param_exe.split(';').each{ |lfile|
+                hmodule  = LoadLibraryEx(
+                  lfile,
+                  0,
+                  DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE
+                )
+                if hmodule != 0
+                  res = FormatMessage(
+                    FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_ARGUMENT_ARRAY,
+                    hmodule,
+                    x.first.to_i,
+                    0,
+                    buf,
+                    buf.size,
+                    v
+                  )
+                  if res == 0
+                    event_id = 0xB0000000 | event_id
+                    res = FormatMessage(
+                      FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_IGNORE_INSERTS,
+                      hmodule,
+                      event_id,
+                      0,
+                      buf,
+                      buf.size,
+                      nil
+                    )
+                  end
+                  FreeLibrary(hmodule)
+                  break if buf.nstrip != ""
+                end
+              }
+              va = va.gsub("%%#{x.first}", buf.nstrip)
+            }
+            va
+          }
+        end
+        if message_exe != nil
+          buf  = FFI::MemoryPointer.new(:char, 8192) # Reset the buffer
+          # Try to retrieve message *without* expanding the inserts yet
+          message_exe.split(';').each{ |lfile|
+            hmodule = LoadLibraryEx(
+              lfile,
+              0,
+              DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE
+            )
+            event_id = rec[:EventID]
+            if hmodule != 0
+              res = FormatMessage(
+                FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_IGNORE_INSERTS,
+                hmodule,
+                event_id,
+                0,
+                buf,
+                buf.size,
+                nil
+              )
+              if res == 0
+                event_id = 0xB0000000 | event_id
+                res = FormatMessage(
+                  FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_IGNORE_INSERTS,
+                  hmodule,
+                  event_id,
+                  0,
+                  buf,
+                  buf.size,
+                  nil
+                )
+              end
+              FreeLibrary(hmodule)
+              break if buf.read_string != "" # All messages read
+            end
+          }
+          # Determine higest %n insert number
+          max_insert = [num, buf.read_string.scan(/%(\d+)/).map{ |x| x[0].to_i }.max].compact.max
+          # Insert dummy strings not provided by caller
+          ((num+1)..(max_insert)).each{ |x| va_list.push("%#{x}") }
+          if num == 0
+            va_list_ptr = FFI::MemoryPointer.new(:pointer)
+          else
+            strptrs = []
+            va_list.each{ |x| strptrs << FFI::MemoryPointer.from_string(x) }
+            strptrs << nil
+            va_list_ptr = FFI::MemoryPointer.new(:pointer, strptrs.size)
+            strptrs.each_with_index{ |p, i|
+              va_list_ptr[i].put_pointer(0, p)
+            }
+          end
+          message_exe.split(';').each{ |lfile|
+            hmodule = LoadLibraryEx(
+              lfile,
+              0,
+              DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE
+            )
+            event_id = rec[:EventID]
+            if hmodule != 0
+              res = FormatMessage(
+                FORMAT_MESSAGE_FROM_HMODULE |
+                FORMAT_MESSAGE_ARGUMENT_ARRAY,
+                hmodule,
+                event_id,
+                0,
+                buf,
+                buf.size,
+                va_list_ptr
+              )
+              if res == 0
+                event_id = 0xB0000000 | event_id
+                res = FormatMessage(
+                  FORMAT_MESSAGE_FROM_HMODULE | FORMAT_MESSAGE_ARGUMENT_ARRAY,
+                  hmodule,
+                  event_id,
+                  0,
+                  buf,
+                  buf.size,
+                  va_list_ptr
+                )
+              end
+              FreeLibrary(hmodule)
+              break if buf.read_string != "" # All messages read
+            end
+          }
+        end
+      ensure
+        Wow64RevertWow64FsRedirection(old_wow_val.read_ulong)
+      end
+      [va_list0, buf.read_string]
+    end
+  end
+end