Vista event log

Substitution

The substitution mechanism separates content from structure. Variable data is moved into a separate table, the "Substitution Array". Placeholders within the XML stream, the substitution system tokens, point to the proper element of that array.

Let's use the example from the last post again:

<EventID>1234</EventID>

This was encoded as follows:

0x0f 0x01 EventID 0x02 1234 0x04 0x00

The contained value, the EventID, is an unsigned 16-bit integer. The internal code for this data type is 0x06.
The value shall be stored in slot no. 3 of the substitution array. Note that the index is zero-based.

The SubstitutionArray stores variable data.

We now replace the value in the sequence above with a placeholder, the NormalSubstitution system token:

0x0f 0x01 EventID 0x02 0x0d 0x0003 0x06 0x04 0x00

As can be seen here, the system token is followed by a DWORD stating the slot number and the type.

A NormalSubstitution token will unconditionally insert the corresponding value from the substitution array. While this was the normal procedure in the early beta versions of Vista (hence the name), it's the exception nowadays. Usually there will be an OptionalSubstitution system token. In the final encoding only the token code will change:

0x0f 0x01 EventID 0x02 0x0e 0x0003 0x06 0x04 0x00

The optional substitution mechanism first checks the type code recorded in the proper slot of the substitution array. If it is different from TypeNull (0x00), the optional substitution will behave like a normal substitution. If, however, the type is TypeNull then the element which embeds the substitution will be suppressed. In the above example, this would be the whole <EventID> container element.
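To make the two behaviours concrete, here is a small interpreter (added for this write-up, not code from the original post) that walks a token stream written in the page's own notation and resolves NormalSubstitution and OptionalSubstitution against a substitution array. The list-based stream, the (type, value) layout of the array and the type-mismatch check are this example's own simplifications, not the real .evtx encoding.

```python
# Toy model of the substitution tokens described above. Ints in the stream are
# token codes or substitution index/type fields, strings are element names or
# literal values. Constructed to illustrate the mechanism, not to parse .evtx.
FRAGMENT_HEADER, OPEN_START, CLOSE_START, END_ELEMENT, EOF = 0x0F, 0x01, 0x02, 0x04, 0x00
NORMAL_SUBST, OPTIONAL_SUBST = 0x0D, 0x0E
TYPE_NULL, TYPE_UINT16 = 0x00, 0x06          # type codes named on the page

# Constructed sample inputs: the three encodings from the text, plus a nested
# <Event> wrapper to show that only the embedding element is suppressed.
STREAM_LITERAL = [0x0F, 0x01, "EventID", 0x02, "1234", 0x04, 0x00]
STREAM_NORMAL = [0x0F, 0x01, "EventID", 0x02, 0x0D, 0x0003, 0x06, 0x04, 0x00]
STREAM_OPTIONAL = [0x0F, 0x01, "EventID", 0x02, 0x0E, 0x0003, 0x06, 0x04, 0x00]
STREAM_NESTED = [0x0F, 0x01, "Event", 0x02, 0x01, "EventID", 0x02,
                 0x0E, 0x0003, 0x06, 0x04, 0x04, 0x00]
SUBST_WITH_ID = [(TYPE_NULL, None)] * 3 + [(TYPE_UINT16, 1234)]   # slot 3 holds the id
SUBST_ALL_NULL = [(TYPE_NULL, None)] * 4                          # slot 3 is TypeNull

def render(stream, subst_array):
    """Render the token stream to XML text, resolving substitutions."""
    stack, out, i = [], [], 0           # stack entries: [name, inner text, suppressed]
    while i < len(stream):
        tok = stream[i]; i += 1
        if tok in (FRAGMENT_HEADER, CLOSE_START):
            continue
        if tok == EOF:
            break
        if tok == OPEN_START:
            stack.append([stream[i], "", False]); i += 1
            continue
        if not stack:
            raise ValueError("content outside of any element")
        if tok in (NORMAL_SUBST, OPTIONAL_SUBST):
            slot, declared = stream[i], stream[i + 1]; i += 2
            slot_type, value = subst_array[slot]
            if tok == OPTIONAL_SUBST and slot_type == TYPE_NULL:
                stack[-1][2] = True         # suppress the element that embeds the token
            else:
                if slot_type not in (TYPE_NULL, declared):   # example's own sanity check
                    raise ValueError(f"slot {slot}: type {slot_type:#04x} != {declared:#04x}")
                stack[-1][1] += "" if value is None else str(value)
        elif tok == END_ELEMENT:
            name, text, suppressed = stack.pop()
            if not suppressed:
                xml = f"<{name}>{text}</{name}>"
                (stack[-1].__setitem__(1, stack[-1][1] + xml) if stack else out.append(xml))
        elif isinstance(tok, str):          # literal value, as in the first encoding
            stack[-1][1] += tok
        else:
            raise ValueError(f"unexpected token {tok:#04x}")
    return "".join(out)
```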

08/12/2007: Fixed two typos in the code samples. Thanks to "newsoft" for the report.

Comments

The following line is repeated twice, however you say that something has changed between Vista Beta & RTM:

"0x0f 0x01 EventID 0x02 0x0c 0x0003 0x06 0x04 0x00"

Is this a copy/paste effect, or did I miss something?

Thank you. Actually you've found two errors.

First, the token codes should be different. Second, they should be 0x0c, because that creates a new instance of an XML template.

Thank you for reporting the errors. I've corrected the posting.


Imprint

This blog is a project of
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
Germany
impressum@forensikblog.de

Copyright © 2005-2010 by
Andreas Schuster
All rights reserved.