RubyGems - winevt_c - Versions diffs - 0.9.1 → 0.10.0 - Mend

winevt_c 0.9.1 → 0.10.0

Files changed (34) hide show

checksums.yaml +4 -4
data/.clang-format +4 -4
data/.github/workflows/linux.yml +26 -0
data/Gemfile +6 -6
data/LICENSE.txt +202 -202
data/README.md +97 -97
data/Rakefile +37 -37
data/appveyor.yml +48 -26
data/example/bookmark.rb +9 -9
data/example/enumerate_channels.rb +13 -13
data/example/eventlog.rb +13 -13
data/example/locale.rb +13 -13
data/example/rate_limit.rb +14 -14
data/example/tailing.rb +21 -21
data/ext/winevt/extconf.rb +24 -24
data/ext/winevt/winevt.c +30 -30
data/ext/winevt/winevt_bookmark.c +149 -149
data/ext/winevt/winevt_c.h +133 -132
data/ext/winevt/winevt_channel.c +327 -327
data/ext/winevt/winevt_locale.c +92 -92
data/ext/winevt/winevt_locale_info.c +68 -68
data/ext/winevt/winevt_query.c +649 -650
data/ext/winevt/winevt_session.c +425 -425
data/ext/winevt/winevt_subscribe.c +756 -757
data/ext/winevt/winevt_utils.cpp +790 -718
data/lib/winevt/bookmark.rb +6 -6
data/lib/winevt/query.rb +6 -6
data/lib/winevt/session.rb +15 -15
data/lib/winevt/subscribe.rb +18 -18
data/lib/winevt/version.rb +3 -3
data/lib/winevt.rb +14 -14
data/winevt_c.gemspec +34 -34
metadata +8 -9
data/.travis.yml +0 -15

data/ext/winevt/winevt_subscribe.c CHANGED Viewed

@@ -1,757 +1,756 @@
-#include <winevt_c.h>
-/* clang-format off */
-/*
- * Document-class: Winevt::EventLog::Subscribe
- *
- * Subscribe Windows EventLog channel.
- *
- * @example
- *  require 'winevt'
- *
- *  @subscribe = Winevt::EventLog::Subscribe.new
- *  @subscribe.tail = true
- *  @subscribe.rate_limit = 80
- *  @subscribe.subscribe(
- *    "Application", "*[System[(Level <= 4) and TimeCreated[timediff(@SystemTime) <= 86400000]]]"
- *  )
- *  while true do
- *    @subscribe.each do |eventlog, message, string_inserts|
- *      puts ({eventlog: eventlog, data: message})
- *    end
- *    sleep(0.1)
- *  end
- *
- * @see https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtsubscribe
- */
-/* clang-format on */
-static void subscribe_free(void* ptr);
-static const rb_data_type_t rb_winevt_subscribe_type = { "winevt/subscribe",
-                                                         {
-                                                           0,
-                                                           subscribe_free,
-                                                           0,
-                                                         },
-                                                         NULL,
-                                                         NULL,
-                                                         RUBY_TYPED_FREE_IMMEDIATELY };
-static void
-close_handles(struct WinevtSubscribe* winevtSubscribe)
-{
-  if (winevtSubscribe->signalEvent) {
-    CloseHandle(winevtSubscribe->signalEvent);
-    winevtSubscribe->signalEvent = NULL;
-  }
-  if (winevtSubscribe->subscription) {
-    EvtClose(winevtSubscribe->subscription);
-    winevtSubscribe->subscription = NULL;
-  }
-  if (winevtSubscribe->bookmark) {
-    EvtClose(winevtSubscribe->bookmark);
-    winevtSubscribe->bookmark = NULL;
-  }
-  for (int i = 0; i < winevtSubscribe->count; i++) {
-    if (winevtSubscribe->hEvents[i]) {
-      EvtClose(winevtSubscribe->hEvents[i]);
-      winevtSubscribe->hEvents[i] = NULL;
-    }
-  }
-  winevtSubscribe->count = 0;
-  if (winevtSubscribe->remoteHandle) {
-    EvtClose(winevtSubscribe->remoteHandle);
-    winevtSubscribe->remoteHandle = NULL;
-  }
-}
-static void
-subscribe_free(void* ptr)
-{
-  struct WinevtSubscribe* winevtSubscribe = (struct WinevtSubscribe*)ptr;
-  close_handles(winevtSubscribe);
-  xfree(ptr);
-}
-static VALUE
-rb_winevt_subscribe_alloc(VALUE klass)
-{
-  VALUE obj;
-  struct WinevtSubscribe* winevtSubscribe;
-  obj = TypedData_Make_Struct(
-    klass, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  return obj;
-}
-/*
- * Initalize Subscribe class.
- *
- * @return [Subscribe]
- *
- */
-static VALUE
-rb_winevt_subscribe_initialize(VALUE self)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  winevtSubscribe->rateLimit = SUBSCRIBE_RATE_INFINITE;
-  winevtSubscribe->lastTime = 0;
-  winevtSubscribe->currentRate = 0;
-  winevtSubscribe->renderAsXML = TRUE;
-  winevtSubscribe->readExistingEvents = TRUE;
-  winevtSubscribe->preserveQualifiers = FALSE;
-  winevtSubscribe->localeInfo = &default_locale;
-  return Qnil;
-}
-/*
- * This method specifies whether read existing events or not.
- *
- * @param rb_read_existing_events_p [Boolean]
- */
-static VALUE
-rb_winevt_subscribe_set_read_existing_events(VALUE self, VALUE rb_read_existing_events_p)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  winevtSubscribe->readExistingEvents = RTEST(rb_read_existing_events_p);
-  return Qnil;
-}
-/*
- * This method returns whether read existing events or not.
- *
- * @return [Boolean]
- */
-static VALUE
-rb_winevt_subscribe_read_existing_events_p(VALUE self)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  return winevtSubscribe->readExistingEvents ? Qtrue : Qfalse;
-}
-/*
- * Subscribe into a Windows EventLog channel.
- *
- * @overload subscribe(path, query, bookmark=nil, session=nil)
- *   @param path [String] Subscribe Channel
- *   @param query [String] Query string for channel
- *   @param bookmark [Bookmark] bookmark Bookmark class instance.
- *   @param session [Session] Session information for remoting access.
- * @return [Boolean]
- *
- */
-static VALUE
-rb_winevt_subscribe_subscribe(int argc, VALUE* argv, VALUE self)
-{
-  VALUE rb_path, rb_query, rb_bookmark, rb_session;
-  EVT_HANDLE hSubscription = NULL, hBookmark = NULL;
-  HANDLE hSignalEvent;
-  EVT_HANDLE hRemoteHandle = NULL;
-  DWORD len, flags = 0L;
-  DWORD err = ERROR_SUCCESS;
-  VALUE wpathBuf, wqueryBuf, wBookmarkBuf;
-  PWSTR path, query, bookmarkXml;
-  DWORD status = ERROR_SUCCESS;
-  struct WinevtSession* winevtSession;
-  struct WinevtSubscribe* winevtSubscribe;
-  hSignalEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  rb_scan_args(argc, argv, "22", &rb_path, &rb_query, &rb_bookmark, &rb_session);
-  Check_Type(rb_path, T_STRING);
-  Check_Type(rb_query, T_STRING);
-  if (rb_obj_is_kind_of(rb_bookmark, rb_cString)) {
-    // bookmarkXml : To wide char
-    len = MultiByteToWideChar(
-        CP_UTF8, 0, RSTRING_PTR(rb_bookmark), RSTRING_LEN(rb_bookmark), NULL, 0);
-    bookmarkXml = ALLOCV_N(WCHAR, wBookmarkBuf, len + 1);
-    MultiByteToWideChar(CP_UTF8,
-                        0,
-                        RSTRING_PTR(rb_bookmark),
-                        RSTRING_LEN(rb_bookmark),
-                        bookmarkXml,
-                        len);
-    bookmarkXml[len] = L'\0';
-    hBookmark = EvtCreateBookmark(bookmarkXml);
-    ALLOCV_END(wBookmarkBuf);
-    if (hBookmark == NULL) {
-      status = GetLastError();
-      raise_system_error(rb_eWinevtQueryError, status);
-    }
-  }
-  if (rb_obj_is_kind_of(rb_session, rb_cSession)) {
-    winevtSession = EventSession(rb_session);
-    hRemoteHandle = connect_to_remote(winevtSession->server,
-                                      winevtSession->domain,
-                                      winevtSession->username,
-                                      winevtSession->password,
-                                      winevtSession->flags);
-    err = GetLastError();
-    if (err != ERROR_SUCCESS) {
-      raise_system_error(rb_eRuntimeError, err);
-    }
-  }
-  // path : To wide char
-  len =
-    MultiByteToWideChar(CP_UTF8, 0, RSTRING_PTR(rb_path), RSTRING_LEN(rb_path), NULL, 0);
-  path = ALLOCV_N(WCHAR, wpathBuf, len + 1);
-  MultiByteToWideChar(CP_UTF8, 0, RSTRING_PTR(rb_path), RSTRING_LEN(rb_path), path, len);
-  path[len] = L'\0';
-  // query : To wide char
-  len = MultiByteToWideChar(
-    CP_UTF8, 0, RSTRING_PTR(rb_query), RSTRING_LEN(rb_query), NULL, 0);
-  query = ALLOCV_N(WCHAR, wqueryBuf, len + 1);
-  MultiByteToWideChar(
-    CP_UTF8, 0, RSTRING_PTR(rb_query), RSTRING_LEN(rb_query), query, len);
-  query[len] = L'\0';
-  if (hBookmark) {
-    flags |= EvtSubscribeStartAfterBookmark;
-  } else if (winevtSubscribe->readExistingEvents) {
-    flags |= EvtSubscribeStartAtOldestRecord;
-  } else {
-    flags |= EvtSubscribeToFutureEvents;
-  }
-  hSubscription =
-    EvtSubscribe(hRemoteHandle, hSignalEvent, path, query, hBookmark, NULL, NULL, flags);
-  if (!hSubscription) {
-    if (hBookmark != NULL) {
-      EvtClose(hBookmark);
-    }
-    if (hSignalEvent != NULL) {
-      CloseHandle(hSignalEvent);
-    }
-    status = GetLastError();
-    if (rb_obj_is_kind_of(rb_session, rb_cSession)) {
-      rb_raise(rb_eRemoteHandlerError, "Remoting subscription is not working. errCode: %ld\n", status);
-    } else {
-      raise_system_error(rb_eWinevtQueryError, status);
-    }
-  }
-  if (winevtSubscribe->subscription != NULL) {
-    // should be disgarded the old event subscription handle.
-    EvtClose(winevtSubscribe->subscription);
-  }
-  ALLOCV_END(wpathBuf);
-  ALLOCV_END(wqueryBuf);
-  winevtSubscribe->signalEvent = hSignalEvent;
-  winevtSubscribe->subscription = hSubscription;
-  winevtSubscribe->remoteHandle = hRemoteHandle;
-  if (hBookmark) {
-    winevtSubscribe->bookmark = hBookmark;
-  } else {
-    winevtSubscribe->bookmark = EvtCreateBookmark(NULL);
-    if (winevtSubscribe->bookmark == NULL) {
-      if (hSubscription != NULL) {
-        EvtClose(hSubscription);
-      }
-      if (hSignalEvent != NULL) {
-        CloseHandle(hSignalEvent);
-      }
-      status = GetLastError();
-      raise_system_error(rb_eWinevtQueryError, status);
-    }
-  }
-  return Qtrue;
-}
-BOOL
-is_rate_limit_exceeded(struct WinevtSubscribe* winevtSubscribe)
-{
-  time_t now;
-  if (winevtSubscribe->rateLimit == SUBSCRIBE_RATE_INFINITE)
-    return FALSE;
-  time(&now);
-  if (now <= winevtSubscribe->lastTime) {
-    if (winevtSubscribe->currentRate >= winevtSubscribe->rateLimit) {
-      return TRUE;
-    }
-  } else {
-    winevtSubscribe->currentRate = 0;
-  }
-  return FALSE;
-}
-void
-update_to_reflect_rate_limit_state(struct WinevtSubscribe* winevtSubscribe, ULONG count)
-{
-  time_t lastTime = 0;
-  if (winevtSubscribe->rateLimit == SUBSCRIBE_RATE_INFINITE)
-    return;
-  time(&lastTime);
-  winevtSubscribe->lastTime = lastTime;
-  winevtSubscribe->currentRate += count;
-}
-/*
- * Handle the next values. Since v0.6.0, this method is used for
- * testing only. Please use #each instead.
- *
- * @return [Boolean]
- *
- * @see each
- */
-static VALUE
-rb_winevt_subscribe_next(VALUE self)
-{
-  EVT_HANDLE hEvents[SUBSCRIBE_ARRAY_SIZE];
-  ULONG count = 0;
-  DWORD status = ERROR_SUCCESS;
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  if (is_rate_limit_exceeded(winevtSubscribe)) {
-    return Qfalse;
-  }
-  /* If subscription handle is NULL, it should return false. */
-  if (!winevtSubscribe->subscription) {
-    return Qfalse;
-  }
-  if (!EvtNext(winevtSubscribe->subscription,
-               SUBSCRIBE_ARRAY_SIZE,
-               hEvents,
-               INFINITE,
-               0,
-               &count)) {
-    status = GetLastError();
-    if (ERROR_CANCELLED == status) {
-      return Qfalse;
-    }
-    if (ERROR_NO_MORE_ITEMS != status) {
-      return Qfalse;
-    }
-  }
-  if (status == ERROR_SUCCESS) {
-    winevtSubscribe->count = count;
-    for (int i = 0; i < count; i++) {
-      winevtSubscribe->hEvents[i] = hEvents[i];
-      EvtUpdateBookmark(winevtSubscribe->bookmark, winevtSubscribe->hEvents[i]);
-    }
-    update_to_reflect_rate_limit_state(winevtSubscribe, count);
-    return Qtrue;
-  }
-  return Qfalse;
-}
-static VALUE
-rb_winevt_subscribe_render(VALUE self, EVT_HANDLE event)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  if (winevtSubscribe->renderAsXML) {
-    return render_to_rb_str(event, EvtRenderEventXml);
-  } else {
-    return render_system_event(event, winevtSubscribe->preserveQualifiers);
-  }
-}
-static VALUE
-rb_winevt_subscribe_message(EVT_HANDLE event, LocaleInfo* localeInfo, EVT_HANDLE hRemote)
-{
-  WCHAR* wResult;
-  VALUE utf8str;
-  wResult = get_description(event, localeInfo->langID, hRemote);
-  utf8str = wstr_to_rb_str(CP_UTF8, wResult, -1);
-  free(wResult);
-  return utf8str;
-}
-static VALUE
-rb_winevt_subscribe_string_inserts(EVT_HANDLE event)
-{
-  return get_values(event);
-}
-static VALUE
-rb_winevt_subscribe_close_handle(VALUE self)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  for (int i = 0; i < winevtSubscribe->count; i++) {
-    if (winevtSubscribe->hEvents[i] != NULL) {
-      EvtClose(winevtSubscribe->hEvents[i]);
-      winevtSubscribe->hEvents[i] = NULL;
-    }
-  }
-  return Qnil;
-}
-static VALUE
-rb_winevt_subscribe_each_yield(VALUE self)
-{
-  RETURN_ENUMERATOR(self, 0, 0);
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  for (int i = 0; i < winevtSubscribe->count; i++) {
-    rb_yield_values(3,
-                    rb_winevt_subscribe_render(self, winevtSubscribe->hEvents[i]),
-                    rb_winevt_subscribe_message(winevtSubscribe->hEvents[i], winevtSubscribe->localeInfo,
-                                                winevtSubscribe->remoteHandle),
-                    rb_winevt_subscribe_string_inserts(winevtSubscribe->hEvents[i]));
-  }
-  return Qnil;
-}
-/*
- * Enumerate to obtain Windows EventLog contents.
- *
- * This method yields the following:
- * (Stringified EventLog, Stringified detail message, Stringified
- * insert values)
- *
- * @yield (String,String,String)
- *
- */
-static VALUE
-rb_winevt_subscribe_each(VALUE self)
-{
-  RETURN_ENUMERATOR(self, 0, 0);
-  while (rb_winevt_subscribe_next(self)) {
-    rb_ensure(
-      rb_winevt_subscribe_each_yield, self, rb_winevt_subscribe_close_handle, self);
-  }
-  return Qnil;
-}
-/*
- * This method renders bookmark content which is related to Subscribe class instance.
- *
- * @return [String]
- */
-static VALUE
-rb_winevt_subscribe_get_bookmark(VALUE self)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  return render_to_rb_str(winevtSubscribe->bookmark, EvtRenderBookmark);
-}
-/*
- * This method returns rate limit value.
- *
- * @since 0.6.0
- * @return [Integer]
- */
-static VALUE
-rb_winevt_subscribe_get_rate_limit(VALUE self)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  return INT2NUM(winevtSubscribe->rateLimit);
-}
-/*
- * This method specifies rate limit value.
- *
- * @since 0.6.0
- * @param rb_rate_limit [Integer] rate_limit value
- */
-static VALUE
-rb_winevt_subscribe_set_rate_limit(VALUE self, VALUE rb_rate_limit)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  DWORD rateLimit;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  rateLimit = NUM2LONG(rb_rate_limit);
-  if ((rateLimit != SUBSCRIBE_RATE_INFINITE) && (rateLimit < 10 || rateLimit % 10)) {
-    rb_raise(rb_eArgError, "Specify a multiples of 10 or RATE_INFINITE constant");
-  } else {
-    winevtSubscribe->rateLimit = rateLimit;
-  }
-  return Qnil;
-}
-/*
- * This method returns whether render as xml or not.
- *
- * @since 0.6.0
- * @return [Boolean]
- */
-static VALUE
-rb_winevt_subscribe_render_as_xml_p(VALUE self)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  return winevtSubscribe->renderAsXML ? Qtrue : Qfalse;
-}
-/*
- * This method specifies whether render as xml or not.
- *
- * @since 0.6.0
- * @param rb_render_as_xml [Boolean]
- */
-static VALUE
-rb_winevt_subscribe_set_render_as_xml(VALUE self, VALUE rb_render_as_xml)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  winevtSubscribe->renderAsXML = RTEST(rb_render_as_xml);
-  return Qnil;
-}
-/*
- * This method specifies whether preserving qualifiers key or not.
- *
- * @since 0.7.3
- * @param rb_preserve_qualifiers [Boolean]
- */
-static VALUE
-rb_winevt_subscribe_set_preserve_qualifiers(VALUE self, VALUE rb_preserve_qualifiers)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  winevtSubscribe->preserveQualifiers = RTEST(rb_preserve_qualifiers);
-  return Qnil;
-}
-/*
- * This method returns whether preserving qualifiers or not.
- *
- * @since 0.7.3
- * @return [Integer]
- */
-static VALUE
-rb_winevt_subscribe_get_preserve_qualifiers_p(VALUE self)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  return winevtSubscribe->preserveQualifiers ? Qtrue : Qfalse;
-}
-/*
- * This method specifies locale with [String].
- *
- * @since 0.8.0
- * @param rb_locale_str [String]
- */
-static VALUE
-rb_winevt_subscribe_set_locale(VALUE self, VALUE rb_locale_str)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  LocaleInfo* locale_info = &default_locale;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  locale_info = get_locale_info_from_rb_str(rb_locale_str);
-  winevtSubscribe->localeInfo = locale_info;
-  return Qnil;
-}
-/*
- * This method obtains specified locale with [String].
- *
- * @since 0.8.0
- */
-static VALUE
-rb_winevt_subscribe_get_locale(VALUE self)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  if (winevtSubscribe->localeInfo->langCode) {
-    return rb_str_new2(winevtSubscribe->localeInfo->langCode);
-  } else {
-    return rb_str_new2(default_locale.langCode);
-  }
-}
-/*
- * This method cancels channel subscription.
- *
- * @return [Boolean]
- * @since 0.9.1
- */
-static VALUE
-rb_winevt_subscribe_cancel(VALUE self)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  BOOL result = FALSE;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  if (winevtSubscribe->subscription) {
-    result = EvtCancel(winevtSubscribe->subscription);
-  }
-  if (result) {
-    return Qtrue;
-  } else {
-    return Qfalse;
-  }
-}
-/*
- * This method closes channel handles forcibly.
- *
- * @since 0.9.1
- */
-static VALUE
-rb_winevt_subscribe_close(VALUE self)
-{
-  struct WinevtSubscribe* winevtSubscribe;
-  TypedData_Get_Struct(
-    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
-  close_handles(winevtSubscribe);
-  return Qnil;
-}
-void
-Init_winevt_subscribe(VALUE rb_cEventLog)
-{
-  rb_cSubscribe = rb_define_class_under(rb_cEventLog, "Subscribe", rb_cObject);
-  rb_define_alloc_func(rb_cSubscribe, rb_winevt_subscribe_alloc);
-  /*
-   * For Subscribe#rate_limit=. It represents unspecified rate limit.
-   * @since 0.6.0
-   */
-  rb_define_const(rb_cSubscribe, "RATE_INFINITE", SUBSCRIBE_RATE_INFINITE);
-  rb_define_method(rb_cSubscribe, "initialize", rb_winevt_subscribe_initialize, 0);
-  rb_define_method(rb_cSubscribe, "subscribe", rb_winevt_subscribe_subscribe, -1);
-  rb_define_method(rb_cSubscribe, "next", rb_winevt_subscribe_next, 0);
-  rb_define_method(rb_cSubscribe, "each", rb_winevt_subscribe_each, 0);
-  rb_define_method(rb_cSubscribe, "bookmark", rb_winevt_subscribe_get_bookmark, 0);
-  /*
-   * @since 0.7.0
-   */
-  rb_define_method(rb_cSubscribe, "read_existing_events?", rb_winevt_subscribe_read_existing_events_p, 0);
-  /*
-   * @since 0.7.0
-   */
-  rb_define_method(rb_cSubscribe, "read_existing_events=", rb_winevt_subscribe_set_read_existing_events, 1);
-  rb_define_method(rb_cSubscribe, "rate_limit", rb_winevt_subscribe_get_rate_limit, 0);
-  rb_define_method(rb_cSubscribe, "rate_limit=", rb_winevt_subscribe_set_rate_limit, 1);
-  rb_define_method(
-    rb_cSubscribe, "render_as_xml?", rb_winevt_subscribe_render_as_xml_p, 0);
-  rb_define_method(
-    rb_cSubscribe, "render_as_xml=", rb_winevt_subscribe_set_render_as_xml, 1);
-  /*
-   * @since 0.7.3
-   */
-  rb_define_method(
-    rb_cSubscribe, "preserve_qualifiers?", rb_winevt_subscribe_get_preserve_qualifiers_p, 0);
-  /*
-   * @since 0.7.3
-   */
-  rb_define_method(
-    rb_cSubscribe, "preserve_qualifiers=", rb_winevt_subscribe_set_preserve_qualifiers, 1);
-  /*
-   * @since 0.8.0
-   */
-  rb_define_method(
-    rb_cSubscribe, "locale", rb_winevt_subscribe_get_locale, 0);
-  /*
-   * @since 0.8.0
-   */
-  rb_define_method(
-    rb_cSubscribe, "locale=", rb_winevt_subscribe_set_locale, 1);
-  /*
-   * @since 0.9.1
-   */
-  rb_define_method(
-    rb_cSubscribe, "cancel", rb_winevt_subscribe_cancel, 0);
-  /*
-   * @since 0.9.1
-   */
-  rb_define_method(
-    rb_cSubscribe, "close", rb_winevt_subscribe_close, 0);
-}
+#include <winevt_c.h>
+/* clang-format off */
+/*
+ * Document-class: Winevt::EventLog::Subscribe
+ *
+ * Subscribe Windows EventLog channel.
+ *
+ * @example
+ *  require 'winevt'
+ *
+ *  @subscribe = Winevt::EventLog::Subscribe.new
+ *  @subscribe.tail = true
+ *  @subscribe.rate_limit = 80
+ *  @subscribe.subscribe(
+ *    "Application", "*[System[(Level <= 4) and TimeCreated[timediff(@SystemTime) <= 86400000]]]"
+ *  )
+ *  while true do
+ *    @subscribe.each do |eventlog, message, string_inserts|
+ *      puts ({eventlog: eventlog, data: message})
+ *    end
+ *    sleep(0.1)
+ *  end
+ *
+ * @see https://docs.microsoft.com/en-us/windows/win32/api/winevt/nf-winevt-evtsubscribe
+ */
+/* clang-format on */
+static void subscribe_free(void* ptr);
+static const rb_data_type_t rb_winevt_subscribe_type = { "winevt/subscribe",
+                                                         {
+                                                           0,
+                                                           subscribe_free,
+                                                           0,
+                                                         },
+                                                         NULL,
+                                                         NULL,
+                                                         RUBY_TYPED_FREE_IMMEDIATELY };
+static void
+close_handles(struct WinevtSubscribe* winevtSubscribe)
+{
+  if (winevtSubscribe->signalEvent) {
+    CloseHandle(winevtSubscribe->signalEvent);
+    winevtSubscribe->signalEvent = NULL;
+  }
+  if (winevtSubscribe->subscription) {
+    EvtClose(winevtSubscribe->subscription);
+    winevtSubscribe->subscription = NULL;
+  }
+  if (winevtSubscribe->bookmark) {
+    EvtClose(winevtSubscribe->bookmark);
+    winevtSubscribe->bookmark = NULL;
+  }
+  for (int i = 0; i < winevtSubscribe->count; i++) {
+    if (winevtSubscribe->hEvents[i]) {
+      EvtClose(winevtSubscribe->hEvents[i]);
+      winevtSubscribe->hEvents[i] = NULL;
+    }
+  }
+  winevtSubscribe->count = 0;
+  if (winevtSubscribe->remoteHandle) {
+    EvtClose(winevtSubscribe->remoteHandle);
+    winevtSubscribe->remoteHandle = NULL;
+  }
+}
+static void
+subscribe_free(void* ptr)
+{
+  struct WinevtSubscribe* winevtSubscribe = (struct WinevtSubscribe*)ptr;
+  close_handles(winevtSubscribe);
+  xfree(ptr);
+}
+static VALUE
+rb_winevt_subscribe_alloc(VALUE klass)
+{
+  VALUE obj;
+  struct WinevtSubscribe* winevtSubscribe;
+  obj = TypedData_Make_Struct(
+    klass, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  return obj;
+}
+/*
+ * Initalize Subscribe class.
+ *
+ * @return [Subscribe]
+ *
+ */
+static VALUE
+rb_winevt_subscribe_initialize(VALUE self)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  winevtSubscribe->rateLimit = SUBSCRIBE_RATE_INFINITE;
+  winevtSubscribe->lastTime = 0;
+  winevtSubscribe->currentRate = 0;
+  winevtSubscribe->renderAsXML = TRUE;
+  winevtSubscribe->readExistingEvents = TRUE;
+  winevtSubscribe->preserveQualifiers = FALSE;
+  winevtSubscribe->localeInfo = &default_locale;
+  return Qnil;
+}
+/*
+ * This method specifies whether read existing events or not.
+ *
+ * @param rb_read_existing_events_p [Boolean]
+ */
+static VALUE
+rb_winevt_subscribe_set_read_existing_events(VALUE self, VALUE rb_read_existing_events_p)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  winevtSubscribe->readExistingEvents = RTEST(rb_read_existing_events_p);
+  return Qnil;
+}
+/*
+ * This method returns whether read existing events or not.
+ *
+ * @return [Boolean]
+ */
+static VALUE
+rb_winevt_subscribe_read_existing_events_p(VALUE self)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  return winevtSubscribe->readExistingEvents ? Qtrue : Qfalse;
+}
+/*
+ * Subscribe into a Windows EventLog channel.
+ *
+ * @overload subscribe(path, query, bookmark=nil, session=nil)
+ *   @param path [String] Subscribe Channel
+ *   @param query [String] Query string for channel
+ *   @param bookmark [Bookmark] bookmark Bookmark class instance.
+ *   @param session [Session] Session information for remoting access.
+ * @return [Boolean]
+ *
+ */
+static VALUE
+rb_winevt_subscribe_subscribe(int argc, VALUE* argv, VALUE self)
+{
+  VALUE rb_path, rb_query, rb_bookmark, rb_session;
+  EVT_HANDLE hSubscription = NULL, hBookmark = NULL;
+  HANDLE hSignalEvent;
+  EVT_HANDLE hRemoteHandle = NULL;
+  DWORD len, flags = 0L;
+  DWORD err = ERROR_SUCCESS;
+  VALUE wpathBuf, wqueryBuf, wBookmarkBuf;
+  PWSTR path, query, bookmarkXml;
+  DWORD status = ERROR_SUCCESS;
+  struct WinevtSession* winevtSession;
+  struct WinevtSubscribe* winevtSubscribe;
+  hSignalEvent = CreateEvent(NULL, FALSE, FALSE, NULL);
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  rb_scan_args(argc, argv, "22", &rb_path, &rb_query, &rb_bookmark, &rb_session);
+  Check_Type(rb_path, T_STRING);
+  Check_Type(rb_query, T_STRING);
+  if (rb_obj_is_kind_of(rb_bookmark, rb_cString)) {
+    // bookmarkXml : To wide char
+    len = MultiByteToWideChar(
+        CP_UTF8, 0, RSTRING_PTR(rb_bookmark), RSTRING_LEN(rb_bookmark), NULL, 0);
+    bookmarkXml = ALLOCV_N(WCHAR, wBookmarkBuf, len + 1);
+    MultiByteToWideChar(CP_UTF8,
+                        0,
+                        RSTRING_PTR(rb_bookmark),
+                        RSTRING_LEN(rb_bookmark),
+                        bookmarkXml,
+                        len);
+    bookmarkXml[len] = L'\0';
+    hBookmark = EvtCreateBookmark(bookmarkXml);
+    ALLOCV_END(wBookmarkBuf);
+    if (hBookmark == NULL) {
+      status = GetLastError();
+      raise_system_error(rb_eWinevtQueryError, status);
+    }
+  }
+  if (rb_obj_is_kind_of(rb_session, rb_cSession)) {
+    winevtSession = EventSession(rb_session);
+    hRemoteHandle = connect_to_remote(winevtSession->server,
+                                      winevtSession->domain,
+                                      winevtSession->username,
+                                      winevtSession->password,
+                                      winevtSession->flags,
+                                      &err);
+    if (err != ERROR_SUCCESS) {
+      raise_system_error(rb_eRuntimeError, err);
+    }
+  }
+  // path : To wide char
+  len =
+    MultiByteToWideChar(CP_UTF8, 0, RSTRING_PTR(rb_path), RSTRING_LEN(rb_path), NULL, 0);
+  path = ALLOCV_N(WCHAR, wpathBuf, len + 1);
+  MultiByteToWideChar(CP_UTF8, 0, RSTRING_PTR(rb_path), RSTRING_LEN(rb_path), path, len);
+  path[len] = L'\0';
+  // query : To wide char
+  len = MultiByteToWideChar(
+    CP_UTF8, 0, RSTRING_PTR(rb_query), RSTRING_LEN(rb_query), NULL, 0);
+  query = ALLOCV_N(WCHAR, wqueryBuf, len + 1);
+  MultiByteToWideChar(
+    CP_UTF8, 0, RSTRING_PTR(rb_query), RSTRING_LEN(rb_query), query, len);
+  query[len] = L'\0';
+  if (hBookmark) {
+    flags |= EvtSubscribeStartAfterBookmark;
+  } else if (winevtSubscribe->readExistingEvents) {
+    flags |= EvtSubscribeStartAtOldestRecord;
+  } else {
+    flags |= EvtSubscribeToFutureEvents;
+  }
+  hSubscription =
+    EvtSubscribe(hRemoteHandle, hSignalEvent, path, query, hBookmark, NULL, NULL, flags);
+  if (!hSubscription) {
+    status = GetLastError();
+    if (hBookmark != NULL) {
+      EvtClose(hBookmark);
+    }
+    if (hSignalEvent != NULL) {
+      CloseHandle(hSignalEvent);
+    }
+    if (rb_obj_is_kind_of(rb_session, rb_cSession)) {
+      rb_raise(rb_eRemoteHandlerError, "Remoting subscription is not working. errCode: %ld\n", status);
+    } else {
+      raise_system_error(rb_eWinevtQueryError, status);
+    }
+  }
+  if (winevtSubscribe->subscription != NULL) {
+    // should be disgarded the old event subscription handle.
+    EvtClose(winevtSubscribe->subscription);
+  }
+  ALLOCV_END(wpathBuf);
+  ALLOCV_END(wqueryBuf);
+  winevtSubscribe->signalEvent = hSignalEvent;
+  winevtSubscribe->subscription = hSubscription;
+  winevtSubscribe->remoteHandle = hRemoteHandle;
+  if (hBookmark) {
+    winevtSubscribe->bookmark = hBookmark;
+  } else {
+    winevtSubscribe->bookmark = EvtCreateBookmark(NULL);
+    if (winevtSubscribe->bookmark == NULL) {
+      status = GetLastError();
+      if (hSubscription != NULL) {
+        EvtClose(hSubscription);
+      }
+      if (hSignalEvent != NULL) {
+        CloseHandle(hSignalEvent);
+      }
+      raise_system_error(rb_eWinevtQueryError, status);
+    }
+  }
+  return Qtrue;
+}
+BOOL
+is_rate_limit_exceeded(struct WinevtSubscribe* winevtSubscribe)
+{
+  time_t now;
+  if (winevtSubscribe->rateLimit == SUBSCRIBE_RATE_INFINITE)
+    return FALSE;
+  time(&now);
+  if (now <= winevtSubscribe->lastTime) {
+    if (winevtSubscribe->currentRate >= winevtSubscribe->rateLimit) {
+      return TRUE;
+    }
+  } else {
+    winevtSubscribe->currentRate = 0;
+  }
+  return FALSE;
+}
+void
+update_to_reflect_rate_limit_state(struct WinevtSubscribe* winevtSubscribe, ULONG count)
+{
+  time_t lastTime = 0;
+  if (winevtSubscribe->rateLimit == SUBSCRIBE_RATE_INFINITE)
+    return;
+  time(&lastTime);
+  winevtSubscribe->lastTime = lastTime;
+  winevtSubscribe->currentRate += count;
+}
+/*
+ * Handle the next values. Since v0.6.0, this method is used for
+ * testing only. Please use #each instead.
+ *
+ * @return [Boolean]
+ *
+ * @see each
+ */
+static VALUE
+rb_winevt_subscribe_next(VALUE self)
+{
+  EVT_HANDLE hEvents[SUBSCRIBE_ARRAY_SIZE];
+  ULONG count = 0;
+  DWORD status = ERROR_SUCCESS;
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  if (is_rate_limit_exceeded(winevtSubscribe)) {
+    return Qfalse;
+  }
+  /* If subscription handle is NULL, it should return false. */
+  if (!winevtSubscribe->subscription) {
+    return Qfalse;
+  }
+  if (!EvtNext(winevtSubscribe->subscription,
+               SUBSCRIBE_ARRAY_SIZE,
+               hEvents,
+               INFINITE,
+               0,
+               &count)) {
+    status = GetLastError();
+    if (ERROR_CANCELLED == status) {
+      return Qfalse;
+    }
+    if (ERROR_NO_MORE_ITEMS != status) {
+      return Qfalse;
+    }
+  }
+  if (status == ERROR_SUCCESS) {
+    winevtSubscribe->count = count;
+    for (int i = 0; i < count; i++) {
+      winevtSubscribe->hEvents[i] = hEvents[i];
+      EvtUpdateBookmark(winevtSubscribe->bookmark, winevtSubscribe->hEvents[i]);
+    }
+    update_to_reflect_rate_limit_state(winevtSubscribe, count);
+    return Qtrue;
+  }
+  return Qfalse;
+}
+static VALUE
+rb_winevt_subscribe_render(VALUE self, EVT_HANDLE event)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  if (winevtSubscribe->renderAsXML) {
+    return render_to_rb_str(event, EvtRenderEventXml);
+  } else {
+    return render_system_event(event, winevtSubscribe->preserveQualifiers);
+  }
+}
+static VALUE
+rb_winevt_subscribe_message(EVT_HANDLE event, LocaleInfo* localeInfo, EVT_HANDLE hRemote)
+{
+  WCHAR* wResult;
+  VALUE utf8str;
+  wResult = get_description(event, localeInfo->langID, hRemote);
+  utf8str = wstr_to_rb_str(CP_UTF8, wResult, -1);
+  free(wResult);
+  return utf8str;
+}
+static VALUE
+rb_winevt_subscribe_string_inserts(EVT_HANDLE event)
+{
+  return get_values(event);
+}
+static VALUE
+rb_winevt_subscribe_close_handle(VALUE self)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  for (int i = 0; i < winevtSubscribe->count; i++) {
+    if (winevtSubscribe->hEvents[i] != NULL) {
+      EvtClose(winevtSubscribe->hEvents[i]);
+      winevtSubscribe->hEvents[i] = NULL;
+    }
+  }
+  return Qnil;
+}
+static VALUE
+rb_winevt_subscribe_each_yield(VALUE self)
+{
+  RETURN_ENUMERATOR(self, 0, 0);
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  for (int i = 0; i < winevtSubscribe->count; i++) {
+    rb_yield_values(3,
+                    rb_winevt_subscribe_render(self, winevtSubscribe->hEvents[i]),
+                    rb_winevt_subscribe_message(winevtSubscribe->hEvents[i], winevtSubscribe->localeInfo,
+                                                winevtSubscribe->remoteHandle),
+                    rb_winevt_subscribe_string_inserts(winevtSubscribe->hEvents[i]));
+  }
+  return Qnil;
+}
+/*
+ * Enumerate to obtain Windows EventLog contents.
+ *
+ * This method yields the following:
+ * (Stringified EventLog, Stringified detail message, Stringified
+ * insert values)
+ *
+ * @yield (String,String,String)
+ *
+ */
+static VALUE
+rb_winevt_subscribe_each(VALUE self)
+{
+  RETURN_ENUMERATOR(self, 0, 0);
+  while (rb_winevt_subscribe_next(self)) {
+    rb_ensure(
+      rb_winevt_subscribe_each_yield, self, rb_winevt_subscribe_close_handle, self);
+  }
+  return Qnil;
+}
+/*
+ * This method renders bookmark content which is related to Subscribe class instance.
+ *
+ * @return [String]
+ */
+static VALUE
+rb_winevt_subscribe_get_bookmark(VALUE self)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  return render_to_rb_str(winevtSubscribe->bookmark, EvtRenderBookmark);
+}
+/*
+ * This method returns rate limit value.
+ *
+ * @since 0.6.0
+ * @return [Integer]
+ */
+static VALUE
+rb_winevt_subscribe_get_rate_limit(VALUE self)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  return INT2NUM(winevtSubscribe->rateLimit);
+}
+/*
+ * This method specifies rate limit value.
+ *
+ * @since 0.6.0
+ * @param rb_rate_limit [Integer] rate_limit value
+ */
+static VALUE
+rb_winevt_subscribe_set_rate_limit(VALUE self, VALUE rb_rate_limit)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  DWORD rateLimit;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  rateLimit = NUM2LONG(rb_rate_limit);
+  if ((rateLimit != SUBSCRIBE_RATE_INFINITE) && (rateLimit < 10 || rateLimit % 10)) {
+    rb_raise(rb_eArgError, "Specify a multiples of 10 or RATE_INFINITE constant");
+  } else {
+    winevtSubscribe->rateLimit = rateLimit;
+  }
+  return Qnil;
+}
+/*
+ * This method returns whether render as xml or not.
+ *
+ * @since 0.6.0
+ * @return [Boolean]
+ */
+static VALUE
+rb_winevt_subscribe_render_as_xml_p(VALUE self)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  return winevtSubscribe->renderAsXML ? Qtrue : Qfalse;
+}
+/*
+ * This method specifies whether render as xml or not.
+ *
+ * @since 0.6.0
+ * @param rb_render_as_xml [Boolean]
+ */
+static VALUE
+rb_winevt_subscribe_set_render_as_xml(VALUE self, VALUE rb_render_as_xml)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  winevtSubscribe->renderAsXML = RTEST(rb_render_as_xml);
+  return Qnil;
+}
+/*
+ * This method specifies whether preserving qualifiers key or not.
+ *
+ * @since 0.7.3
+ * @param rb_preserve_qualifiers [Boolean]
+ */
+static VALUE
+rb_winevt_subscribe_set_preserve_qualifiers(VALUE self, VALUE rb_preserve_qualifiers)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  winevtSubscribe->preserveQualifiers = RTEST(rb_preserve_qualifiers);
+  return Qnil;
+}
+/*
+ * This method returns whether preserving qualifiers or not.
+ *
+ * @since 0.7.3
+ * @return [Integer]
+ */
+static VALUE
+rb_winevt_subscribe_get_preserve_qualifiers_p(VALUE self)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  return winevtSubscribe->preserveQualifiers ? Qtrue : Qfalse;
+}
+/*
+ * This method specifies locale with [String].
+ *
+ * @since 0.8.0
+ * @param rb_locale_str [String]
+ */
+static VALUE
+rb_winevt_subscribe_set_locale(VALUE self, VALUE rb_locale_str)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  LocaleInfo* locale_info = &default_locale;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  locale_info = get_locale_info_from_rb_str(rb_locale_str);
+  winevtSubscribe->localeInfo = locale_info;
+  return Qnil;
+}
+/*
+ * This method obtains specified locale with [String].
+ *
+ * @since 0.8.0
+ */
+static VALUE
+rb_winevt_subscribe_get_locale(VALUE self)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  if (winevtSubscribe->localeInfo->langCode) {
+    return rb_str_new2(winevtSubscribe->localeInfo->langCode);
+  } else {
+    return rb_str_new2(default_locale.langCode);
+  }
+}
+/*
+ * This method cancels channel subscription.
+ *
+ * @return [Boolean]
+ * @since 0.9.1
+ */
+static VALUE
+rb_winevt_subscribe_cancel(VALUE self)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  BOOL result = FALSE;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  if (winevtSubscribe->subscription) {
+    result = EvtCancel(winevtSubscribe->subscription);
+  }
+  if (result) {
+    return Qtrue;
+  } else {
+    return Qfalse;
+  }
+}
+/*
+ * This method closes channel handles forcibly.
+ *
+ * @since 0.9.1
+ */
+static VALUE
+rb_winevt_subscribe_close(VALUE self)
+{
+  struct WinevtSubscribe* winevtSubscribe;
+  TypedData_Get_Struct(
+    self, struct WinevtSubscribe, &rb_winevt_subscribe_type, winevtSubscribe);
+  close_handles(winevtSubscribe);
+  return Qnil;
+}
+void
+Init_winevt_subscribe(VALUE rb_cEventLog)
+{
+  rb_cSubscribe = rb_define_class_under(rb_cEventLog, "Subscribe", rb_cObject);
+  rb_define_alloc_func(rb_cSubscribe, rb_winevt_subscribe_alloc);
+  /*
+   * For Subscribe#rate_limit=. It represents unspecified rate limit.
+   * @since 0.6.0
+   */
+  rb_define_const(rb_cSubscribe, "RATE_INFINITE", SUBSCRIBE_RATE_INFINITE);
+  rb_define_method(rb_cSubscribe, "initialize", rb_winevt_subscribe_initialize, 0);
+  rb_define_method(rb_cSubscribe, "subscribe", rb_winevt_subscribe_subscribe, -1);
+  rb_define_method(rb_cSubscribe, "next", rb_winevt_subscribe_next, 0);
+  rb_define_method(rb_cSubscribe, "each", rb_winevt_subscribe_each, 0);
+  rb_define_method(rb_cSubscribe, "bookmark", rb_winevt_subscribe_get_bookmark, 0);
+  /*
+   * @since 0.7.0
+   */
+  rb_define_method(rb_cSubscribe, "read_existing_events?", rb_winevt_subscribe_read_existing_events_p, 0);
+  /*
+   * @since 0.7.0
+   */
+  rb_define_method(rb_cSubscribe, "read_existing_events=", rb_winevt_subscribe_set_read_existing_events, 1);
+  rb_define_method(rb_cSubscribe, "rate_limit", rb_winevt_subscribe_get_rate_limit, 0);
+  rb_define_method(rb_cSubscribe, "rate_limit=", rb_winevt_subscribe_set_rate_limit, 1);
+  rb_define_method(
+    rb_cSubscribe, "render_as_xml?", rb_winevt_subscribe_render_as_xml_p, 0);
+  rb_define_method(
+    rb_cSubscribe, "render_as_xml=", rb_winevt_subscribe_set_render_as_xml, 1);
+  /*
+   * @since 0.7.3
+   */
+  rb_define_method(
+    rb_cSubscribe, "preserve_qualifiers?", rb_winevt_subscribe_get_preserve_qualifiers_p, 0);
+  /*
+   * @since 0.7.3
+   */
+  rb_define_method(
+    rb_cSubscribe, "preserve_qualifiers=", rb_winevt_subscribe_set_preserve_qualifiers, 1);
+  /*
+   * @since 0.8.0
+   */
+  rb_define_method(
+    rb_cSubscribe, "locale", rb_winevt_subscribe_get_locale, 0);
+  /*
+   * @since 0.8.0
+   */
+  rb_define_method(
+    rb_cSubscribe, "locale=", rb_winevt_subscribe_set_locale, 1);
+  /*
+   * @since 0.9.1
+   */
+  rb_define_method(
+    rb_cSubscribe, "cancel", rb_winevt_subscribe_cancel, 0);
+  /*
+   * @since 0.9.1
+   */
+  rb_define_method(
+    rb_cSubscribe, "close", rb_winevt_subscribe_close, 0);
+}