winevt_c 0.10.1 → 0.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9d3ebf96df7a93d6d2a4dae15cba8cc7a76617e752f758aeb8c355c43abd988d
-  data.tar.gz: de33f1ee85dacba17dbe5b32e98a45d4a57fdde7d931db70dd3b4e054f22c82b
+  metadata.gz: 53a1d55d20095680cdb54820e8b0b9293fe40e2a16ae74a897ea3f5b0a1cf05d
+  data.tar.gz: '080132cb71100664e30b9ef7e9c1f2c49542b7f92f5c78b25d3b893fc459bb5b'
 SHA512:
-  metadata.gz: 83bbe0ca77653a773bf29005236478865f1efb9917f312b5fc8f37485a3ddd068962f4eb2bac7da99916fcd0553b78ed140ac1900441c397e767bad39915c09d
-  data.tar.gz: fdf8aba88fb62518e52ea4dc65d44247706c5a578e078c224a850323737af2d886afc525fd431ca2652a8a65e375bfc2c960b94667e4839c155ab82f5b3462f1
+  metadata.gz: dbd64322ff92fb89c723a2d963fb1b706a169d40a620985adf8ea9cb4eb5654a5df206d07346834c68334e157224c6d71fc9e38762c010eca73df34f1dd68662
+  data.tar.gz: a514c1c356b1d62c44c19887ce24790cc5efa966a9184470df1fc2317f88d436b24caa61600b62cf5d4d8bddbcf07cccaacd2d2b48fa9b14e0c2adf772db9d11

data/.github/workflows/linux.yml

@@ -8,7 +8,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ruby: [ '2.4', '2.5', '2.6', '2.7', '3.0' ]
+        ruby: [ '3.0', '3.1', '3.2' ]
         os:
           - ubuntu-latest
     name: Ruby ${{ matrix.ruby }} building fat gem testing on ${{ matrix.os }}

data/appveyor.yml

@@ -38,11 +38,16 @@ for:
   matrix:
     only:
       - ruby_version: "31-x64"
+      - ruby_version: "27-x64"
+      - ruby_version: "27"
+      - ruby_version: "26-x64"
+      - ruby_version: "26"
   install:
+    - ps: if ($ENV:ruby_version -ne "31-x64") { .\ruby_install.ps1 }
     - SET PATH=C:\Ruby%ruby_version%\bin;%PATH%
     - ruby --version
     - gem --version
     - bundle --version
-    - ridk.cmd install 1 3
+    - ps: if ($ENV:ruby_version -eq "31-x64") { ridk.ps1 install 1 3 }
     - ridk.cmd exec bundle install
     - ridk.cmd exec bundle exec rake compile

data/ext/winevt/extconf.rb

@@ -14,6 +14,9 @@ have_library("wevtapi")
 have_func("EvtQuery", "winevt.h")
 have_library("advapi32")
 have_library("ole32")
+if have_macro("RB_ALLOCV")
+  $CFLAGS << " -DHAVE_RB_ALLOCV=1 "
+end
 
 $LDFLAGS << " -lwevtapi -ladvapi32 -lole32"
 $CFLAGS << " -Wall -std=c99 -fPIC -fms-extensions "

data/ext/winevt/winevt.c

@@ -7,6 +7,7 @@ VALUE rb_cSubscribe;
 VALUE rb_eWinevtQueryError;
 VALUE rb_eChannelNotFoundError;
 VALUE rb_eRemoteHandlerError;
+VALUE rb_eSubscribeHandlerError;
 
 static ID id_call;
 
@@ -20,6 +21,7 @@ Init_winevt(void)
   rb_eWinevtQueryError = rb_define_class_under(rb_cQuery, "Error", rb_eStandardError);
   rb_eChannelNotFoundError = rb_define_class_under(rb_cEventLog, "ChannelNotFoundError", rb_eStandardError);
   rb_eRemoteHandlerError = rb_define_class_under(rb_cSubscribe, "RemoteHandlerError", rb_eRuntimeError);
+  rb_eSubscribeHandlerError = rb_define_class_under(rb_cSubscribe, "SubscribeHandlerError", rb_eRuntimeError);
 
   Init_winevt_channel(rb_cEventLog);
   Init_winevt_bookmark(rb_cEventLog);

data/ext/winevt/winevt_c.h

@@ -16,6 +16,11 @@
 #endif /* WIN32_WINNT */
 #define _WIN32_WINNT MINIMUM_WINDOWS_VERSION
 
+#if !defined(HAVE_RB_ALLOCV)
+#define ALLOCV     RB_ALLOCV
+#define ALLOCV_N   RB_ALLOCV_N
+#endif
+
 #include <time.h>
 #include <winevt.h>
 #define EventQuery(object) ((struct WinevtQuery*)DATA_PTR(object))
@@ -33,6 +38,9 @@ typedef struct {
 extern "C" {
 #endif /* __cplusplus */
 
+#define WINEVT_UTILS_ERROR_NONE_MAPPED -1
+#define WINEVT_UTILS_ERROR_OTHERS      -2
+
 VALUE wstr_to_rb_str(UINT cp, const WCHAR* wstr, int clen);
 #if defined(__cplusplus)
 [[ noreturn ]]
@@ -46,7 +54,7 @@ EVT_HANDLE connect_to_remote(LPWSTR computerName, LPWSTR domain,
                              DWORD *error_code);
 WCHAR* get_description(EVT_HANDLE handle, LANGID langID, EVT_HANDLE hRemote);
 VALUE get_values(EVT_HANDLE handle);
-VALUE render_system_event(EVT_HANDLE handle, BOOL preserve_qualifiers);
+VALUE render_system_event(EVT_HANDLE handle, BOOL preserve_qualifiers, BOOL preserveSID);
 LocaleInfo* get_locale_info_from_rb_str(VALUE rb_locale_str);
 
 #ifdef __cplusplus
@@ -61,6 +69,7 @@ extern VALUE rb_cSubscribe;
 extern VALUE rb_eWinevtQueryError;
 extern VALUE rb_eChannelNotFoundError;
 extern VALUE rb_eRemoteHandlerError;
+extern VALUE rb_eSubscribeHandlerError;
 extern VALUE rb_cLocale;
 extern VALUE rb_cSession;
 
@@ -100,6 +109,7 @@ struct WinevtQuery
   LONG timeout;
   BOOL renderAsXML;
   BOOL preserveQualifiers;
+  BOOL preserveSID;
   LocaleInfo *localeInfo;
   EVT_HANDLE remoteHandle;
 };
@@ -121,6 +131,7 @@ struct WinevtSubscribe
   DWORD currentRate;
   BOOL renderAsXML;
   BOOL preserveQualifiers;
+  BOOL preserveSID;
   LocaleInfo* localeInfo;
   EVT_HANDLE remoteHandle;
 };

data/ext/winevt/winevt_query.c

@@ -85,15 +85,15 @@ static VALUE
 rb_winevt_query_initialize(VALUE argc, VALUE *argv, VALUE self)
 {
   PWSTR evtChannel, evtXPath;
-  VALUE channel, xpath, session;
+  VALUE channel, xpath, session, rb_flags;
   struct WinevtQuery* winevtQuery;
   struct WinevtSession* winevtSession;
   EVT_HANDLE hRemoteHandle = NULL;
-  DWORD len;
+  DWORD len, flags = 0;
   VALUE wchannelBuf, wpathBuf;
   DWORD err = ERROR_SUCCESS;
 
-  rb_scan_args(argc, argv, "21", &channel, &xpath, &session);
+  rb_scan_args(argc, argv, "22", &channel, &xpath, &session, &rb_flags);
   Check_Type(channel, T_STRING);
   Check_Type(xpath, T_STRING);
 
@@ -111,6 +111,17 @@ rb_winevt_query_initialize(VALUE argc, VALUE *argv, VALUE self)
     }
   }
 
+  switch (TYPE(rb_flags)) {
+  case T_FIXNUM:
+    flags = NUM2LONG(rb_flags);
+    break;
+  case T_NIL:
+    flags = EvtQueryChannelPath | EvtQueryTolerateQueryErrors;
+    break;
+  default:
+    rb_raise(rb_eArgError, "Expected a String, a Symbol, a Fixnum, or a NilClass instance");
+  }
+
   // channel : To wide char
   len =
     MultiByteToWideChar(CP_UTF8, 0, RSTRING_PTR(channel), RSTRING_LEN(channel), NULL, 0);
@@ -128,7 +139,7 @@ rb_winevt_query_initialize(VALUE argc, VALUE *argv, VALUE self)
   TypedData_Get_Struct(self, struct WinevtQuery, &rb_winevt_query_type, winevtQuery);
 
   winevtQuery->query = EvtQuery(
-    hRemoteHandle, evtChannel, evtXPath, EvtQueryChannelPath | EvtQueryTolerateQueryErrors);
+    hRemoteHandle, evtChannel, evtXPath, flags);
   err = GetLastError();
   if (err != ERROR_SUCCESS) {
     if (err == ERROR_EVT_CHANNEL_NOT_FOUND) {
@@ -142,6 +153,7 @@ rb_winevt_query_initialize(VALUE argc, VALUE *argv, VALUE self)
   winevtQuery->preserveQualifiers = FALSE;
   winevtQuery->localeInfo = &default_locale;
   winevtQuery->remoteHandle = hRemoteHandle;
+  winevtQuery->preserveSID = TRUE;
 
   ALLOCV_END(wchannelBuf);
   ALLOCV_END(wpathBuf);
@@ -263,7 +275,8 @@ rb_winevt_query_render(VALUE self, EVT_HANDLE event)
   if (winevtQuery->renderAsXML) {
     return render_to_rb_str(event, EvtRenderEventXml);
   } else {
-    return render_system_event(event, winevtQuery->preserveQualifiers);
+    return render_system_event(event, winevtQuery->preserveQualifiers,
+                               winevtQuery->preserveSID);
   }
 }
 
@@ -524,6 +537,40 @@ rb_winevt_query_get_locale(VALUE self)
   }
 }
 
+/*
+ * This method specifies whether preserving SID or not.
+ *
+ * @param rb_preserve_sid_p [Boolean]
+ */
+static VALUE
+rb_winevt_query_set_preserve_sid(VALUE self, VALUE rb_preserve_sid_p)
+{
+  struct WinevtQuery* winevtQuery;
+
+  TypedData_Get_Struct(
+    self, struct WinevtQuery, &rb_winevt_query_type, winevtQuery);
+
+  winevtQuery->preserveSID = RTEST(rb_preserve_sid_p);
+
+  return Qnil;
+}
+
+/*
+ * This method returns whether preserving SID or not.
+ *
+ * @return [Boolean]
+ */
+static VALUE
+rb_winevt_query_preserve_sid_p(VALUE self)
+{
+  struct WinevtQuery* winevtQuery;
+
+  TypedData_Get_Struct(
+    self, struct WinevtQuery, &rb_winevt_query_type, winevtQuery);
+
+  return winevtQuery->preserveSID ? Qtrue : Qfalse;
+}
+
 /*
  * This method cancels channel query.
  *
@@ -613,6 +660,37 @@ Init_winevt_query(VALUE rb_cEventLog)
    * @see https://msdn.microsoft.com/en-us/windows/desktop/aa385575#EvtSeekStrict
    */
   rb_define_const(rb_cFlag, "Strict", LONG2NUM(EvtSeekStrict));
+
+  /*
+   * EVT_QUERY_FLAGS enumeration: EvtQueryChannelPath
+   * @since 0.11.0
+   * @see https://learn.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_query_flags
+   */
+  rb_define_const(rb_cFlag, "ChannelPath", LONG2NUM(EvtQueryChannelPath));
+  /*
+   * EVT_QUERY_FLAGS enumeration: EvtQueryFilePath
+   * @since 0.11.0
+   * @see https://learn.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_query_flags
+   */
+  rb_define_const(rb_cFlag, "FilePath", LONG2NUM(EvtQueryFilePath));
+  /*
+   * EVT_QUERY_FLAGS enumeration: EvtQueryForwardDirection
+   * @since 0.11.0
+   * @see https://learn.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_query_flags
+   */
+  rb_define_const(rb_cFlag, "ForwardDirection", LONG2NUM(EvtQueryForwardDirection));
+  /*
+   * EVT_QUERY_FLAGS enumeration: EvtQueryReverseDirection
+   * @since 0.11.0
+   * @see https://learn.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_query_flags
+   */
+  rb_define_const(rb_cFlag, "ReverseDirection", LONG2NUM(EvtQueryReverseDirection));
+  /*
+   * EVT_QUERY_FLAGS enumeration: EvtSeekOriginMask
+   * @since 0.11.0
+   * @see https://learn.microsoft.com/en-us/windows/win32/api/winevt/ne-winevt-evt_query_flags
+   */
+  rb_define_const(rb_cFlag, "TolerateQueryErrors", LONG2NUM(EvtQueryTolerateQueryErrors));
   /* clang-format on */
 
   rb_define_method(rb_cQuery, "initialize", rb_winevt_query_initialize, -1);
@@ -641,6 +719,14 @@ Init_winevt_query(VALUE rb_cEventLog)
    * @since 0.8.0
    */
   rb_define_method(rb_cQuery, "locale=", rb_winevt_query_set_locale, 1);
+  /*
+   * @since 0.11.0
+   */
+  rb_define_method(rb_cQuery, "preserve_sid?", rb_winevt_query_preserve_sid_p, 0);
+  /*
+   * @since 0.11.0
+   */
+  rb_define_method(rb_cQuery, "preserve_sid=", rb_winevt_query_set_preserve_sid, 1);
   /*
    * @since 0.9.1
    */

data/ext/winevt/winevt_subscribe.c

@@ -110,6 +110,7 @@ rb_winevt_subscribe_initialize(VALUE self)
   winevtSubscribe->readExistingEvents = TRUE;
   winevtSubscribe->preserveQualifiers = FALSE;
   winevtSubscribe->localeInfo = &default_locale;
+  winevtSubscribe->preserveSID = TRUE;
 
   return Qnil;
 }
@@ -174,7 +175,7 @@ rb_winevt_subscribe_subscribe(int argc, VALUE* argv, VALUE self)
   struct WinevtSession* winevtSession;
   struct WinevtSubscribe* winevtSubscribe;
 
-  hSignalEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
+  hSignalEvent = CreateEvent(NULL, TRUE, TRUE, NULL);
 
   TypedData_Get_Struct(
     self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
@@ -341,6 +342,8 @@ rb_winevt_subscribe_next(VALUE self)
   EVT_HANDLE hEvents[SUBSCRIBE_ARRAY_SIZE];
   ULONG count = 0;
   DWORD status = ERROR_SUCCESS;
+  DWORD dwWait = 0;
+
   struct WinevtSubscribe* winevtSubscribe;
 
   TypedData_Get_Struct(
@@ -355,6 +358,23 @@ rb_winevt_subscribe_next(VALUE self)
     return Qfalse;
   }
 
+  /* If a signalEvent notifies whether a state of processed event(s)
+   * is existing or not.
+   * For checking for a result of WaitForSingleObject,
+   * we need to raise SubscribeHandlerError exception when
+   * WAIT_FAILED is detected for further investigations.
+   * Note that we don't need to wait explicitly here.
+   * Because this function is inside of each enumerator.
+   * So, WaitForSingleObject should return immediately and should be
+   * processed with the latter each loops if there is no more items.
+   * Just intended to check that there is no errors here. */
+  dwWait = WaitForSingleObject(winevtSubscribe->signalEvent, 0);
+  if (dwWait == WAIT_FAILED) {
+    raise_system_error(rb_eSubscribeHandlerError, GetLastError());
+  } else if (dwWait != WAIT_OBJECT_0) {
+    return Qfalse;
+  }
+
   if (!EvtNext(winevtSubscribe->subscription,
                SUBSCRIBE_ARRAY_SIZE,
                hEvents,
@@ -368,6 +388,8 @@ rb_winevt_subscribe_next(VALUE self)
     if (ERROR_NO_MORE_ITEMS != status) {
       return Qfalse;
     }
+
+    ResetEvent(winevtSubscribe->signalEvent);
   }
 
   if (status == ERROR_SUCCESS) {
@@ -396,7 +418,8 @@ rb_winevt_subscribe_render(VALUE self, EVT_HANDLE event)
   if (winevtSubscribe->renderAsXML) {
     return render_to_rb_str(event, EvtRenderEventXml);
   } else {
-    return render_system_event(event, winevtSubscribe->preserveQualifiers);
+    return render_system_event(event, winevtSubscribe->preserveQualifiers,
+                               winevtSubscribe->preserveSID);
   }
 }
 
@@ -653,6 +676,40 @@ rb_winevt_subscribe_get_locale(VALUE self)
   }
 }
 
+/*
+ * This method specifies whether preserving SID or not.
+ *
+ * @param rb_preserve_sid_p [Boolean]
+ */
+static VALUE
+rb_winevt_subscribe_set_preserve_sid(VALUE self, VALUE rb_preserve_sid_p)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+
+  winevtSubscribe->preserveSID = RTEST(rb_preserve_sid_p);
+
+  return Qnil;
+}
+
+/*
+ * This method returns whether preserving SID or not.
+ *
+ * @return [Boolean]
+ */
+static VALUE
+rb_winevt_subscribe_preserve_sid_p(VALUE self)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+
+  return winevtSubscribe->preserveSID ? Qtrue : Qfalse;
+}
+
 /*
  * This method cancels channel subscription.
  *
@@ -750,6 +807,14 @@ Init_winevt_subscribe(VALUE rb_cEventLog)
    */
   rb_define_method(
     rb_cSubscribe, "locale=", rb_winevt_subscribe_set_locale, 1);
+  /*
+   * @since 0.11.0
+   */
+  rb_define_method(rb_cSubscribe, "preserve_sid?", rb_winevt_subscribe_preserve_sid_p, 0);
+  /*
+   * @since 0.11.0
+   */
+  rb_define_method(rb_cSubscribe, "preserve_sid=", rb_winevt_subscribe_set_preserve_sid, 1);
   /*
    * @since 0.9.1
    */

data/ext/winevt/winevt_utils.cpp

@@ -17,7 +17,7 @@ wstr_to_rb_str(UINT cp, const WCHAR* wstr, int clen)
   }
 
   int len = WideCharToMultiByte(cp, 0, wstr, clen, nullptr, 0, nullptr, nullptr);
-  ptr = ALLOCV_N(CHAR, vstr, len);
+  ptr = RB_ALLOCV_N(CHAR, vstr, len);
   // For memory safety.
   ZeroMemory(ptr, sizeof(CHAR) * len);
   ret = WideCharToMultiByte(cp, 0, wstr, clen, ptr, len, nullptr, nullptr);
@@ -25,11 +25,11 @@ wstr_to_rb_str(UINT cp, const WCHAR* wstr, int clen)
   // ref: https://docs.microsoft.com/en-us/windows/win32/api/stringapiset/nf-stringapiset-widechartomultibyte#return-value
   if (ret == 0) {
     err = GetLastError();
-    ALLOCV_END(vstr);
+    RB_ALLOCV_END(vstr);
     raise_system_error(rb_eRuntimeError, err);
   }
   VALUE str = rb_utf8_str_new_cstr(ptr);
-  ALLOCV_END(vstr);
+  RB_ALLOCV_END(vstr);
 
   return str;
 }
@@ -85,18 +85,18 @@ render_to_rb_str(EVT_HANDLE handle, DWORD flags)
   EvtRender(nullptr, handle, flags, 0, NULL, &bufferSize, &count);
 
   // bufferSize is in bytes, not characters
-  buffer = (WCHAR*)ALLOCV(vbuffer, bufferSize);
+  buffer = (WCHAR*)RB_ALLOCV(vbuffer, bufferSize);
 
   succeeded =
     EvtRender(nullptr, handle, flags, bufferSize, buffer, &bufferSizeUsed, &count);
   if (!succeeded) {
     DWORD status = GetLastError();
-    ALLOCV_END(vbuffer);
+    RB_ALLOCV_END(vbuffer);
     raise_system_error(rb_eWinevtQueryError, status);
   }
 
   result = wstr_to_rb_str(CP_UTF8, buffer, -1);
-  ALLOCV_END(vbuffer);
+  RB_ALLOCV_END(vbuffer);
 
   return result;
 }
@@ -153,7 +153,7 @@ make_displayable_binary_string(PBYTE bin, size_t length)
     return rb_str_new2("(NULL)");
   }
 
-  buffer = ALLOCV_N(CHAR, vbuffer, size);
+  buffer = RB_ALLOCV_N(CHAR, vbuffer, size);
 
   for (i = 0; i < length; i++) {
     for (j = 0; j < 2; j++) {
@@ -164,7 +164,7 @@ make_displayable_binary_string(PBYTE bin, size_t length)
   buffer[size - 1] = '\0';
 
   VALUE str = rb_str_new2(buffer);
-  ALLOCV_END(vbuffer);
+  RB_ALLOCV_END(vbuffer);
 
   return str;
 }
@@ -380,7 +380,7 @@ get_values(EVT_HANDLE handle)
     renderContext, handle, EvtRenderEventValues, 0, NULL, &bufferSize, &propCount);
 
   // bufferSize is in bytes, not array size
-  pRenderedValues = (PEVT_VARIANT)ALLOCV(vbuffer, bufferSize);
+  pRenderedValues = (PEVT_VARIANT)RB_ALLOCV(vbuffer, bufferSize);
 
   succeeded = EvtRender(renderContext,
                         handle,
@@ -391,14 +391,14 @@ get_values(EVT_HANDLE handle)
                         &propCount);
   if (!succeeded) {
     DWORD status = GetLastError();
-    ALLOCV_END(vbuffer);
+    RB_ALLOCV_END(vbuffer);
     EvtClose(renderContext);
     raise_system_error(rb_eWinevtQueryError, status);
   }
 
   userValues = extract_user_evt_variants(pRenderedValues, propCount);
 
-  ALLOCV_END(vbuffer);
+  RB_ALLOCV_END(vbuffer);
   EvtClose(renderContext);
 
   return userValues;
@@ -596,8 +596,102 @@ cleanup:
   return _wcsdup(result.data());
 }
 
+static char* convert_wstr(wchar_t *wstr)
+{
+  VALUE vstr;
+  int len = 0;
+  CHAR *ptr = NULL;
+  DWORD err = ERROR_SUCCESS;
+
+  len = WideCharToMultiByte(CP_UTF8, 0, wstr, -1, NULL, 0, NULL, NULL);
+  if (len == 0) {
+    return NULL;
+  }
+
+  ptr = RB_ALLOCV_N(CHAR, vstr, len);
+  // For memory safety.
+  ZeroMemory(ptr, sizeof(CHAR) * len);
+
+  len = WideCharToMultiByte(CP_UTF8, 0, wstr, -1, ptr, len, NULL, NULL);
+  // return 0 should be failure.
+  // ref: https://docs.microsoft.com/en-us/windows/win32/api/stringapiset/nf-stringapiset-widechartomultibyte#return-value
+  if (len == 0) {
+    err = GetLastError();
+    RB_ALLOCV_END(vstr);
+    raise_system_error(rb_eRuntimeError, err);
+  }
+
+  return strdup(ptr);
+}
+
+static int ExpandSIDWString(PSID sid, CHAR **out_expanded)
+{
+#define MAX_NAME 256
+  DWORD len = MAX_NAME, err = ERROR_SUCCESS;
+  SID_NAME_USE sid_type = SidTypeUnknown;
+  WCHAR wAccount[MAX_NAME];
+  WCHAR wDomain[MAX_NAME];
+  CHAR *account = NULL, *domain = NULL;
+  DWORD result_len = 0;
+  CHAR *formatted = NULL;
+  VALUE vformatted;
+#undef MAX_NAME
+
+  if (!LookupAccountSidW(NULL, sid,
+                         wAccount, &len, wDomain,
+                         &len, &sid_type)) {
+    err = GetLastError();
+    if (err == ERROR_NONE_MAPPED) {
+      goto none_mapped_error;
+    }
+    else {
+      return WINEVT_UTILS_ERROR_OTHERS;
+    }
+
+    goto error;
+  }
+
+  domain = convert_wstr(wDomain);
+  if (domain == NULL) {
+    goto error;
+  }
+  account = convert_wstr(wAccount);
+  if (account == NULL) {
+    goto error;
+  }
+
+  result_len = strlen(domain) + 1 + strlen(account) + 1;
+  formatted = (CHAR *)RB_ALLOCV(vformatted, result_len);
+  if (formatted == NULL) {
+    goto error;
+  }
+
+  _snprintf_s(formatted, result_len, _TRUNCATE, "%s\\%s", domain, account);
+
+  *out_expanded = strdup(formatted);
+
+  free(domain);
+  free(account);
+  RB_ALLOCV_END(vformatted);
+
+
+  return 0;
+
+none_mapped_error:
+
+  return WINEVT_UTILS_ERROR_NONE_MAPPED;
+
+error:
+  err = GetLastError();
+
+  RB_ALLOCV_END(vformatted);
+  free(domain);
+  free(account);
+  raise_system_error(rb_eRuntimeError, err);
+}
+
 VALUE
-render_system_event(EVT_HANDLE hEvent, BOOL preserve_qualifiers)
+render_system_event(EVT_HANDLE hEvent, BOOL preserve_qualifiers, BOOL preserveSID_p)
 {
   DWORD status = ERROR_SUCCESS;
   EVT_HANDLE hContext = NULL;
@@ -633,7 +727,7 @@ render_system_event(EVT_HANDLE hEvent, BOOL preserve_qualifiers)
     status = GetLastError();
     if (ERROR_INSUFFICIENT_BUFFER == status) {
       dwBufferSize = dwBufferUsed;
-      pRenderedValues = (PEVT_VARIANT)ALLOCV(vRenderedValues, dwBufferSize);
+      pRenderedValues = (PEVT_VARIANT)RB_ALLOCV(vRenderedValues, dwBufferSize);
       if (pRenderedValues) {
         EvtRender(hContext,
                   hEvent,
@@ -651,7 +745,7 @@ render_system_event(EVT_HANDLE hEvent, BOOL preserve_qualifiers)
 
     if (ERROR_SUCCESS != status) {
       EvtClose(hContext);
-      ALLOCV_END(vRenderedValues);
+      RB_ALLOCV_END(vRenderedValues);
 
       rb_raise(rb_eWinevtQueryError, "EvtRender failed with %lu\n", status);
     }
@@ -787,14 +881,23 @@ render_system_event(EVT_HANDLE hEvent, BOOL preserve_qualifiers)
 
   if (EvtVarTypeNull != pRenderedValues[EvtSystemUserID].Type) {
     if (ConvertSidToStringSid(pRenderedValues[EvtSystemUserID].SidVal, &pwsSid)) {
-      rbstr = rb_utf8_str_new_cstr(pwsSid);
-      rb_hash_aset(hash, rb_str_new2("UserID"), rbstr);
-      LocalFree(pwsSid);
+      CHAR *expandSID = NULL;
+      if (preserveSID_p) {
+        rbstr = rb_utf8_str_new_cstr(pwsSid);
+        rb_hash_aset(hash, rb_str_new2("UserID"), rbstr);
+        LocalFree(pwsSid);
+      }
+      if (ExpandSIDWString(pRenderedValues[EvtSystemUserID].SidVal,
+                       &expandSID) == 0) {
+        rbstr = rb_utf8_str_new_cstr(expandSID);
+        free(expandSID);
+        rb_hash_aset(hash, rb_str_new2("User"), rbstr);
+      }
     }
   }
 
   EvtClose(hContext);
-  ALLOCV_END(vRenderedValues);
+  RB_ALLOCV_END(vRenderedValues);
 
   return hash;
 }

data/lib/winevt/version.rb

@@ -1,3 +1,3 @@
 module Winevt
-  VERSION = "0.10.1"
+  VERSION = "0.11.0"
 end

data/ruby_install.ps1

@@ -0,0 +1,92 @@
+$rubies = @(
+    @{
+        "version"      = "Ruby 2.6.9-1"
+        "install_path" = "C:\Ruby26"
+        "download_url" = "https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-2.6.9-1/rubyinstaller-2.6.9-1-x86.exe"
+        "devkit_url"   = ""
+        "devkit_paths" = @()
+        "bundlerV2"    = $true
+    }
+    @{
+        "version"      = "Ruby 2.6.9-1 (x64)"
+        "install_path" = "C:\Ruby26-x64"
+        "download_url" = "https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-2.6.9-1/rubyinstaller-2.6.9-1-x64.exe"
+        "devkit_url"   = ""
+        "devkit_paths" = @()
+        "bundlerV2"    = $true
+    }
+    @{
+        "version"      = "Ruby 2.7.8-1"
+        "install_path" = "C:\Ruby27"
+        "download_url" = "https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-2.7.8-1/rubyinstaller-2.7.8-1-x86.exe"
+        "devkit_url"   = ""
+        "devkit_paths" = @()
+        "bundlerV2"    = $true
+    }
+    @{
+        "version"      = "Ruby 2.7.8-1 (x64)"
+        "install_path" = "C:\Ruby27-x64"
+        "download_url" = "https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-2.7.8-1/rubyinstaller-2.7.8-1-x64.exe"
+        "devkit_url"   = ""
+        "devkit_paths" = @()
+        "bundlerV2"    = $true
+    }
+)
+
+function UpdateRubyPath($rubyPath) {
+    $env:path = ($env:path -split ';' | Where-Object { -not $_.contains('\Ruby') }) -join ';'
+    $env:path = "$rubyPath;$env:path"
+}
+
+function Install-Ruby($ruby) {
+    Write-Host "Installing $($ruby.version)" -ForegroundColor Cyan
+
+    # uninstall existing
+    $rubyUninstallPath = "$ruby.install_path\unins000.exe"
+    if ([IO.File]::Exists($rubyUninstallPath)) {
+        Write-Host "  Uninstalling previous Ruby 2.4..." -ForegroundColor Gray
+        "`"$rubyUninstallPath`" /silent" | out-file "$env:temp\uninstall-ruby.cmd" -Encoding ASCII
+        & "$env:temp\uninstall-ruby.cmd"
+        del "$env:temp\uninstall-ruby.cmd"
+        Start-Sleep -s 5
+    }
+
+    if (Test-Path $ruby.install_path) {
+        Write-Host "  Deleting $($ruby.install_path)" -ForegroundColor Gray
+        Remove-Item $ruby.install_path -Force -Recurse
+    }
+
+    $exePath = "$($env:TEMP)\rubyinstaller.exe"
+
+    Write-Host "  Downloading $($ruby.version) from $($ruby.download_url)" -ForegroundColor Gray
+    (New-Object Net.WebClient).DownloadFile($ruby.download_url, $exePath)
+
+    Write-Host "Installing..." -ForegroundColor Gray
+    cmd /c start /wait $exePath /verysilent /allusers /dir="$($ruby.install_path.replace('\', '/'))" /tasks="noassocfiles,nomodpath,noridkinstall"
+    del $exePath
+    Write-Host "Installed" -ForegroundColor Green
+
+    # setup Ruby
+    UpdateRubyPath "$($ruby.install_path)\bin"
+    Write-Host "ruby --version" -ForegroundColor Gray
+    cmd /c ruby --version
+
+    Write-Host "gem --version" -ForegroundColor Gray
+    cmd /c gem --version
+
+    # list installed gems
+    Write-Host "gem list --local" -ForegroundColor Gray
+    cmd /c gem list --local
+
+    # delete temp path
+    if ($tempPath) {
+        Write-Host "  Cleaning up..." -ForegroundColor Gray
+        Remove-Item $tempPath -Force -Recurse
+    }
+
+    Write-Host "  Done!" -ForegroundColor Green
+}
+
+for ($i = 0; $i -lt $rubies.Count; $i++) {
+  Install-Ruby $rubies[$i]
+}

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: winevt_c
 version: !ruby/object:Gem::Version
-  version: 0.10.1
+  version: 0.11.0
 platform: ruby
 authors:
 - Hiroshi Hatake
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-09-21 00:00:00.000000000 Z
+date: 2024-08-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -141,6 +141,7 @@ files:
 - lib/winevt/session.rb
 - lib/winevt/subscribe.rb
 - lib/winevt/version.rb
+- ruby_install.ps1
 - winevt_c.gemspec
 homepage: https://github.com/fluent-plugins-nursery/winevt_c
 licenses: