winutil

package module
v0.55.0
Published: Jul 11, 2024 License: Apache-2.0 Imports: 0 Imported by: 2

Documentation

Overview

Package winutil provides Windows OS utilities.

Index

Constants

const (
	// ProcessBasicInformation selects PROCESS_BASIC_INFORMATION, which carries the PEB base address
	ProcessBasicInformation = PROCESSINFOCLASS(0)
	// ProcessDebugPort included for completeness
	ProcessDebugPort = PROCESSINFOCLASS(7)
	// ProcessWow64Information included for completeness
	ProcessWow64Information = PROCESSINFOCLASS(26)
	// ProcessImageFileName included for completeness
	ProcessImageFileName = PROCESSINFOCLASS(27)
	// ProcessBreakOnTermination included for completeness
	ProcessBreakOnTermination = PROCESSINFOCLASS(29)
)
const (
	AclRevisionInformation = 1
	AclSizeInformation     = 2
)

ACL_INFORMATION_CLASS enum

https://learn.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-acl_information_class

const (
	ACCESS_ALLOWED_ACE_TYPE = 0
	ACCESS_DENIED_ACE_TYPE  = 1
)

https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-ace_header

const EpochDifferenceSecs uint64 = 116444736000000000

EpochDifferenceSecs is the offset between the Windows FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01). Despite the name it is expressed in 100 ns FILETIME intervals, not seconds: 11644473600 s * 1000 ms/s * 1000 us/ms * 10 intervals/us. Taken from GetUnixTimestamp() in datadog-windows-filter\ddfilter\http\http_callbacks.c.

Variables

This section is empty.

Functions

func ControlService added in v0.51.0

func ControlService(serviceName string, command svc.Cmd, to svc.State, desiredAccess uint32, timeout uint64) error

ControlService sends a control code to a specified service and waits up to timeout for the service to transition to the requested state

https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-controlservice

func ConvertWindowsString

func ConvertWindowsString(winput []uint8) string

ConvertWindowsString converts a NUL-terminated Windows C string into a Go string. Although the input is an array of uint8, the underlying data is expected to be UTF-16 (two bytes per code unit, little-endian).

func ConvertWindowsString16

func ConvertWindowsString16(winput []uint16) string

ConvertWindowsString16 converts a NUL-terminated Windows UTF-16 C string, supplied as an array of uint16 code units, into a Go string.

func ConvertWindowsStringList

func ConvertWindowsStringList(winput []uint16) []string

ConvertWindowsStringList converts a Windows-style C list of strings (each element NUL-terminated, with a double NUL marking the end of the list, the REG_MULTI_SZ layout) to a slice of Go strings.
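How the three string helpers above behave at the edges, as an added example rather than the winutil package's own implementation: the same signatures are reimplemented here on top of unicode/utf16, and the behaviour for a damaged buffer (no terminator after a truncated read, an odd byte count) is this example's assumption, not something the page specifies. EncodeWindowsStringList is a fixture builder the page does not have.

```go
package main

import (
	"fmt"
	"unicode/utf16"
)

// ConvertWindowsString16 decodes a NUL-terminated UTF-16 buffer. Decoding stops at
// the first NUL; a buffer without one (truncated read) is decoded in full.
func ConvertWindowsString16(winput []uint16) string {
	for i, cu := range winput {
		if cu == 0 {
			return string(utf16.Decode(winput[:i]))
		}
	}
	return string(utf16.Decode(winput))
}

// ConvertWindowsString handles the byte-typed variant: the bytes are really
// little-endian UTF-16 code units, so they are re-paired before decoding.
// An odd trailing byte cannot form a code unit and is dropped (assumption).
func ConvertWindowsString(winput []uint8) string {
	units := make([]uint16, 0, len(winput)/2)
	for i := 0; i+1 < len(winput); i += 2 {
		units = append(units, uint16(winput[i])|uint16(winput[i+1])<<8)
	}
	return ConvertWindowsString16(units)
}

// ConvertWindowsStringList parses a REG_MULTI_SZ-style buffer: each element is
// NUL-terminated and an empty element (the second NUL of the double NUL) ends
// the list. An unterminated final element from a truncated buffer is kept
// rather than silently dropped (assumption).
func ConvertWindowsStringList(winput []uint16) []string {
	var out []string
	start := 0
	for i, cu := range winput {
		if cu != 0 {
			continue
		}
		if i == start {
			return out // empty element: end of list
		}
		out = append(out, string(utf16.Decode(winput[start:i])))
		start = i + 1
	}
	if start < len(winput) {
		out = append(out, string(utf16.Decode(winput[start:])))
	}
	return out
}

// EncodeWindowsStringList produces the inverse layout; used here to build fixtures.
func EncodeWindowsStringList(items []string) []uint16 {
	var out []uint16
	for _, s := range items {
		out = append(out, utf16.Encode([]rune(s))...)
		out = append(out, 0)
	}
	return append(out, 0)
}

func main() {
	// constructed sample: a REG_MULTI_SZ value containing a non-BMP character
	buf := EncodeWindowsStringList([]string{`C:\ProgramData\Datadog`, "café", "😀"})
	fmt.Printf("%q\n", ConvertWindowsStringList(buf))
	fmt.Printf("%q\n", ConvertWindowsString([]byte{'D', 0, 'D', 0, 0, 0, 'x', 0}))
}
```

Surrogate pairs (the emoji above) survive the round trip because utf16.Decode re-joins them; a byte-at-a-time decoder would not.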

func ExpandEnvironmentStrings added in v0.51.0

func ExpandEnvironmentStrings(input string) (string, error)

ExpandEnvironmentStrings returns a string with any environment variable references substituted.

Provided here because `x/sys/windows` only wraps the underlying function and expects C strings; this helper does the buffer-size calculation and returns the Go string callers want.

func FileTimeToUnix added in v0.51.0

func FileTimeToUnix(ft uint64) uint64

FileTimeToUnix translates Windows FileTime to seconds since Unix epoch

func FileTimeToUnixNano added in v0.51.0

func FileTimeToUnixNano(ft uint64) uint64

FileTimeToUnixNano translates Windows FileTime to nanoseconds since Unix epoch
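The FILETIME arithmetic behind EpochDifferenceSecs, FileTimeToUnix and FileTimeToUnixNano, as an added example that is not the winutil package's own code: the unchecked conversions are reimplemented with the same constant, and a checked variant is added that refuses pre-1970 values, because unsigned subtraction simply wraps for them. The all-zero FILETIME that Windows uses for "unset" timestamps is the common case a forensics or logging tool hits. Everything except the constant's value is this example's own naming.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// epochDifference100ns is the value the page exports as EpochDifferenceSecs:
// the distance from 1601-01-01 (FILETIME epoch) to 1970-01-01 in 100 ns ticks.
const epochDifference100ns uint64 = 116444736000000000

const ticksPerSecond = 10_000_000

// ErrBeforeUnixEpoch marks FILETIME values that predate 1970, including the
// all-zero FILETIME Windows reports for "never"/"unset" timestamps.
var ErrBeforeUnixEpoch = errors.New("filetime predates the unix epoch")

// FileTimeToUnix mirrors the page's unchecked conversion to seconds since 1970.
// Unsigned subtraction wraps for ft < epochDifference100ns, so the result is
// garbage rather than an error for pre-1970 values.
func FileTimeToUnix(ft uint64) uint64 {
	return (ft - epochDifference100ns) / ticksPerSecond
}

// FileTimeToUnixNano mirrors the page's unchecked conversion to nanoseconds.
func FileTimeToUnixNano(ft uint64) uint64 {
	return (ft - epochDifference100ns) * 100
}

// FileTimeToTime is the checked form: it rejects pre-1970 values and keeps the
// full 100 ns resolution, which matters when correlating NTFS or event timestamps.
func FileTimeToTime(ft uint64) (time.Time, error) {
	if ft < epochDifference100ns {
		return time.Time{}, ErrBeforeUnixEpoch
	}
	ticks := ft - epochDifference100ns
	sec := int64(ticks / ticksPerSecond)
	nsec := int64(ticks%ticksPerSecond) * 100
	return time.Unix(sec, nsec).UTC(), nil
}

// TimeToFileTime is the inverse, used here to build fixtures. time.UnixNano is
// only defined for years 1678..2262, so callers must stay inside that window.
func TimeToFileTime(t time.Time) uint64 {
	ticks := t.UnixNano()/100 + int64(epochDifference100ns)
	if ticks < 0 {
		return 0
	}
	return uint64(ticks)
}

func main() {
	// constructed sample: Unix time 1_000_000_000 expressed as a FILETIME
	ft := epochDifference100ns + 1_000_000_000*ticksPerSecond
	t, err := FileTimeToTime(ft)
	fmt.Println(t, err)                     // 2001-09-09 01:46:40 +0000 UTC <nil>
	fmt.Println(FileTimeToUnix(ft))         // 1000000000
	_, err = FileTimeToTime(0)
	fmt.Println(err)                        // filetime predates the unix epoch
	fmt.Println(FileTimeToUnixNano(0) != 0) // true: the unchecked version wraps instead
}
```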

func GetAce

func GetAce(acl *ACL, index uint32, ace **ACCESS_ALLOWED_ACE) error

GetAce calls Windows 'GetAce' function to obtain a pointer to an access control entry (ACE) in an access control list (ACL).

https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-getace

func GetAclInformation

func GetAclInformation(acl *ACL, info *ACL_SIZE_INFORMATION, class uint32) error

GetAclInformation calls windows 'GetAclInformation' function to retrieve information about an access control list (ACL).

https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-getaclinformation

func GetImagePathForProcess added in v0.32.0

func GetImagePathForProcess(h windows.Handle) (string, error)

GetImagePathForProcess returns executable path name in the win32 format

func GetLocalSystemSID added in v0.55.0

func GetLocalSystemSID() (*windows.SID, error)

GetLocalSystemSID returns the SID of the Local System account. The returned SID must be freed by the caller with windows.FreeSid().

func GetNamedSecurityInfo

func GetNamedSecurityInfo(objectName string, objectType int32, secInfo uint32, owner, group **windows.SID, dacl, sacl **ACL, secDesc *windows.Handle) error

GetNamedSecurityInfo calls Windows 'GetNamedSecurityInfo' function to retrieve a copy of the security descriptor for an object specified by name.

https://learn.microsoft.com/en-us/windows/win32/api/aclapi/nf-aclapi-getnamedsecurityinfow

func GetProgramDataDir

func GetProgramDataDir() (path string, err error)

GetProgramDataDir returns the current ProgramData directory for the agent, usually c:\programdata\Datadog

func GetProgramDataDirForProduct

func GetProgramDataDirForProduct(product string) (path string, err error)

GetProgramDataDirForProduct returns the ProgramData directory for the given product key name, usually c:\programdata\Datadog

func GetProgramFilesDirForProduct added in v0.32.0

func GetProgramFilesDirForProduct(product string) (path string, err error)

GetProgramFilesDirForProduct returns the root of the installation directory for the given product, usually c:\program files\datadog\datadog agent

func GetSidFromUser added in v0.31.0

func GetSidFromUser() (*windows.SID, error)

GetSidFromUser grabs and returns the windows SID for the current user or an error. The *SID returned does not need to be freed by the caller.

func GetWindowsBuildString

func GetWindowsBuildString() (verstring string, err error)

GetWindowsBuildString retrieves the Windows build version by querying the version resource string, as directed here: https://msdn.microsoft.com/en-us/library/windows/desktop/ms724429(v=vs.85).aspx. As of Windows 8.1 the core GetVersion() APIs return the version of Windows the application was manifested for, not the version actually running.

func IsCurrentProcessLocalSystem added in v0.55.0

func IsCurrentProcessLocalSystem() (bool, error)

IsCurrentProcessLocalSystem checks if the current process is running as Local System

func IsProcess added in v0.51.0

func IsProcess(pid int) bool

IsProcess checks to see if a given pid is currently valid in the process table

func IsProcessElevated

func IsProcessElevated() (bool, error)

IsProcessElevated opens the process token and checks elevation status, returning true if the process is elevated and false if not elevated.

func IsServiceDisabled added in v0.51.0

func IsServiceDisabled(serviceName string) (enabled bool, err error)

IsServiceDisabled returns true if serviceName is disabled (note that the named result is `enabled`, but its value is true when the service is disabled)

func IsServiceRunning added in v0.51.0

func IsServiceRunning(serviceName string) (running bool, err error)

IsServiceRunning returns true if serviceName's state is SERVICE_RUNNING

func IsUserAnAdmin added in v0.51.0

func IsUserAnAdmin() (bool, error)

IsUserAnAdmin returns true if the user is a member of the Administrators group. TODO: Microsoft does not recommend using this function; CheckTokenMembership should be used instead.

https://learn.microsoft.com/en-us/windows/win32/api/shlobj_core/nf-shlobj_core-isuseranadmin

func IsWow64Process

func IsWow64Process(h windows.Handle) (is32bit bool, err error)

IsWow64Process determines whether the specified process is running under WOW64, that is, whether it is a 32-bit process running on 64-bit Windows

func KillProcess added in v0.55.0

func KillProcess(pid int, returnCode uint32) error

KillProcess kills the process with the given PID, supplying the given return code

func LogEventViewer

func LogEventViewer(servicename string, msgnum uint32, arg string)

LogEventViewer opens the Event Log API and logs a single message to the Event Viewer. The message identified by the msgnum parameter must exist in the application's message catalog. The Go log API only allows a single argument to be passed, so the message can include only one positional argument.

func NtQueryInformationProcess

func NtQueryInformationProcess(h windows.Handle, class PROCESSINFOCLASS, target, size uintptr) (err error)

NtQueryInformationProcess wraps the Windows NT kernel call of the same name

func OpenSCManager added in v0.51.0

func OpenSCManager(desiredAccess uint32) (*mgr.Mgr, error)

OpenSCManager connects to the Service Control Manager (SCM) with the given desiredAccess

https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-openscmanagerw

func OpenService added in v0.51.0

func OpenService(manager *mgr.Mgr, serviceName string, desiredAccess uint32) (*mgr.Service, error)

OpenService opens a handle to serviceName with the given desiredAccess

https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-openservicew

func ReadProcessMemory

func ReadProcessMemory(h windows.Handle, from, to uintptr, count uint32) (bytesRead uint64, err error)

ReadProcessMemory wraps the Windows kernel.dll function of the same name https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-readprocessmemory

func RestartService added in v0.51.0

func RestartService(serviceName string) error

RestartService stops a service and, if the stop succeeded, starts it again

func StartService added in v0.51.0

func StartService(serviceName string, serviceArgs ...string) error

StartService starts serviceName via SCM.

Does not block until service is started https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-startservicea#remarks

func StopService added in v0.51.0

func StopService(serviceName string) error

StopService stops a service and any services that depend on it

func UTF16PtrOrNilFromString added in v0.51.0

func UTF16PtrOrNilFromString(s string) (*uint16, error)

UTF16PtrOrNilFromString converts a go string into a *uint16 using windows.Utf16PtrFromString, but will return nil for empty strings.

Useful for Windows APIs that take NULL or a non-zero length string. Be careful to check that the Windows API does not have special behavior for a zero-length string.

func WaitForState added in v0.51.0

func WaitForState(ctx context.Context, serviceName string, desiredState svc.State) error

WaitForState waits for the service to reach the desired state. A timeout can be specified with a context. Returns nil if/when the service reaches the desired state.
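The polling pattern behind ControlService's timeout and WaitForState's context, as an added example that is not the winutil package's code: query is an injected function standing in for a real SCM status query, State redeclares the service state values (golang.org/x/sys/windows/svc only builds on Windows), and the early-failure rule is this example's own choice: a service that went through a pending state and then settled in Stopped while Running was expected is reported as failed immediately instead of being waited on until the deadline.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// State mirrors SERVICE_STATUS.dwCurrentState (svc.State in x/sys/windows/svc,
// which does not build off Windows, so the values used here are redeclared).
type State uint32

const (
	Stopped      State = 1
	StartPending State = 2
	StopPending  State = 3
	Running      State = 4
)

// ErrServiceFailed reports a service that went through a pending state and then
// settled in Stopped while a different state was expected: the usual signature
// of a service that crashed during startup.
var ErrServiceFailed = errors.New("service stopped before reaching the desired state")

// WaitForState polls query until it reports desired, the context expires, or the
// service fails as described above. A Stopped reading before any pending state is
// not treated as failure, since it may simply predate the SCM's transition.
func WaitForState(ctx context.Context, query func() (State, error), desired State, interval time.Duration) error {
	tick := time.NewTicker(interval)
	defer tick.Stop()
	sawPending := false
	for {
		st, err := query()
		if err != nil {
			return err
		}
		if st == desired {
			return nil
		}
		switch st {
		case StartPending, StopPending:
			sawPending = true
		case Stopped:
			if sawPending {
				return ErrServiceFailed
			}
		}
		select {
		case <-ctx.Done():
			return fmt.Errorf("waiting for state %d: %w", desired, ctx.Err())
		case <-tick.C:
		}
	}
}

// scripted returns a query function that replays states in order and then repeats
// the last one; a constructed stand-in for a real service handle.
func scripted(states ...State) func() (State, error) {
	i := 0
	return func() (State, error) {
		st := states[i]
		if i < len(states)-1 {
			i++
		}
		return st, nil
	}
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
	defer cancel()
	fmt.Println(WaitForState(ctx, scripted(StartPending, StartPending, Running), Running, time.Millisecond))
	fmt.Println(WaitForState(ctx, scripted(StartPending, Stopped), Running, time.Millisecond))
	fmt.Println(WaitForState(ctx, scripted(Running), Stopped, time.Millisecond))
}
```

Distinguishing "still pending" from "came back down" is what keeps a restart loop from waiting out the full timeout on a service that already died.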

Types

type ACCESS_ALLOWED_ACE added in v0.51.0

type ACCESS_ALLOWED_ACE struct {
	AceType    uint8
	AceFlags   uint8
	AceSize    uint16
	AccessMask uint32
	SidStart   uint32
}

ACCESS_ALLOWED_ACE struct

https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-access_allowed_ace

type ACL added in v0.51.0

type ACL struct {
	AclRevision uint8
	Sbz1        uint8
	AclSize     uint16
	AceCount    uint16
	Sbz2        uint16
}

ACL struct

https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-acl

type ACL_SIZE_INFORMATION added in v0.51.0

type ACL_SIZE_INFORMATION struct {
	AceCount      uint32
	AclBytesInUse uint32
	AclBytesFree  uint32
}

ACL_SIZE_INFORMATION struct

https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-acl_size_information
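An added example, not code from the winutil package, showing what GetAce and GetAclInformation together with the ACL, ACCESS_ALLOWED_ACE and ACL_SIZE_INFORMATION layouts above give you once the raw bytes are in hand: a bounds-checked walk of an ACL, SID rendering, and a simplified in-order DACL evaluation. It reads the ACL from a byte slice rather than through the Windows API so it runs anywhere; the sample DACL is constructed, and the ACE, ParseACL, SIDString and AccessCheck names are this example's own. The point a practitioner needs: GetAce hands back an ACCESS_ALLOWED_ACE-shaped pointer for every ACE, so AceType must be checked before AccessMask and SidStart are interpreted, and a deny ACE that precedes an allow wins.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	ACCESS_ALLOWED_ACE_TYPE = 0
	ACCESS_DENIED_ACE_TYPE  = 1
	INHERIT_ONLY_ACE        = 0x08 // AceFlags bit: ACE applies to children only, not to this object
)

// ACE is the decoded ACE_HEADER + AccessMask + SID layout shared by allowed and denied ACEs.
type ACE struct {
	Type, Flags uint8
	Mask        uint32
	SID         string // empty for ACE types this parser does not decode
}

var ErrMalformedACL = errors.New("malformed ACL")

// ParseACL walks a raw ACL by each header's AceSize, as GetAce does, bounds-checking every step.
func ParseACL(buf []byte) ([]ACE, error) {
	if len(buf) < 8 || int(binary.LittleEndian.Uint16(buf[2:4])) > len(buf) {
		return nil, ErrMalformedACL
	}
	aclSize, aceCount := int(binary.LittleEndian.Uint16(buf[2:4])), int(binary.LittleEndian.Uint16(buf[4:6]))
	aces := make([]ACE, 0, aceCount)
	for off := 8; len(aces) < aceCount; {
		if off+8 > aclSize {
			return nil, ErrMalformedACL
		}
		aceSize := int(binary.LittleEndian.Uint16(buf[off+2 : off+4]))
		if aceSize < 8 || off+aceSize > aclSize {
			return nil, ErrMalformedACL
		}
		ace := ACE{Type: buf[off], Flags: buf[off+1], Mask: binary.LittleEndian.Uint32(buf[off+4 : off+8])}
		// Only the two simple types carry a SID at offset 8 (object ACEs do not), so AceType
		// has to be checked before the ACCESS_ALLOWED_ACE layout GetAce hands back is trusted.
		if ace.Type == ACCESS_ALLOWED_ACE_TYPE || ace.Type == ACCESS_DENIED_ACE_TYPE {
			sid, err := SIDString(buf[off+8 : off+aceSize])
			if err != nil {
				return nil, err
			}
			ace.SID = sid
		}
		aces = append(aces, ace)
		off += aceSize
	}
	return aces, nil
}

// SIDString renders a binary SID as S-1-<identifier authority>-<subauthorities>.
func SIDString(b []byte) (string, error) {
	if len(b) < 8 || b[0] != 1 || b[1] > 15 || len(b) < 8+4*int(b[1]) {
		return "", ErrMalformedACL
	}
	auth := uint64(binary.BigEndian.Uint16(b[2:4]))<<32 | uint64(binary.BigEndian.Uint32(b[4:8]))
	s := fmt.Sprintf("S-1-%d", auth)
	for i := 0; i < int(b[1]); i++ {
		s += fmt.Sprintf("-%d", binary.LittleEndian.Uint32(b[8+4*i:]))
	}
	return s, nil
}

// AccessCheck is a simplified DACL walk over the token's SID set: ACEs apply in order, a deny
// overlapping the still-missing bits ends the check, allows accumulate, inherit-only ACEs are
// skipped. (The real AccessCheck also maps generic rights and handles owner/privilege cases.)
func AccessCheck(aces []ACE, token map[string]bool, requested uint32) bool {
	remaining := requested
	for _, ace := range aces {
		if ace.Flags&INHERIT_ONLY_ACE != 0 || !token[ace.SID] {
			continue
		}
		if ace.Type == ACCESS_DENIED_ACE_TYPE && ace.Mask&remaining != 0 {
			return false
		}
		if ace.Type == ACCESS_ALLOWED_ACE_TYPE {
			remaining &^= ace.Mask
		}
		if remaining == 0 {
			return true
		}
	}
	return remaining == 0
}

// SampleACL is a constructed DACL, not one read from a real object: ACE 0 denies DELETE (0x10000)
// to Everyone (S-1-1-0), ACE 1 allows FILE_ALL_ACCESS (0x1F01FF) to Local System (S-1-5-18).
var SampleACL = []byte{
	2, 0, 48, 0, 2, 0, 0, 0, // ACL: AclRevision 2, AclSize 48, AceCount 2
	1, 0, 20, 0, 0x00, 0x00, 0x01, 0x00, // ACE_HEADER{type 1, flags 0, size 20}, mask 0x00010000
	1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, // SID S-1-1-0
	0, 0, 20, 0, 0xFF, 0x01, 0x1F, 0x00, // ACE_HEADER{type 0, flags 0, size 20}, mask 0x001F01FF
	1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, // SID S-1-5-18
}

func main() {
	aces, err := ParseACL(SampleACL)
	system := map[string]bool{"S-1-5-18": true, "S-1-1-0": true} // a SYSTEM token also carries Everyone
	fmt.Println(aces, err, AccessCheck(aces, system, 0x10000), AccessCheck(aces, system, 0x1))
}
```

The walk rejects an AclSize larger than the buffer and an AceSize that overruns the ACL, which is what a parser over bytes copied from an untrusted security descriptor must do before dereferencing SidStart.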

type DynamicIISConfig added in v0.51.0

type DynamicIISConfig struct {
	// contains filtered or unexported fields
}

DynamicIISConfig is an object that will watch the IIS configuration for changes, and reload the configuration when it changes. It provides additional methods for getting specific configuration items

func NewDynamicIISConfig added in v0.51.0

func NewDynamicIISConfig() (*DynamicIISConfig, error)

NewDynamicIISConfig creates a new DynamicIISConfig

func (*DynamicIISConfig) GetSiteNameFromID added in v0.51.0

func (iiscfg *DynamicIISConfig) GetSiteNameFromID(id uint32) string

GetSiteNameFromID looks up a site name by its site ID

func (*DynamicIISConfig) Start added in v0.51.0

func (iiscfg *DynamicIISConfig) Start() error

Start config watcher

func (*DynamicIISConfig) Stop added in v0.51.0

func (iiscfg *DynamicIISConfig) Stop()

Stop config watcher

type PROCESSINFOCLASS

type PROCESSINFOCLASS uint32

PROCESSINFOCLASS is the Go representation of the PROCESSINFOCLASS enum passed to NtQueryInformationProcess (see the constants above)

type PagefileStat

type PagefileStat struct {
	// The current committed memory limit for the system or
	// the current process, whichever is smaller, in bytes
	Total uint64

	// The maximum amount of memory the current process can commit, in bytes.
	// This value is equal to or smaller than the system-wide available commit
	// value.
	Available uint64

	// Used is Total - Available
	Used uint64

	// UsedPercent is used as a percentage of the total pagefile
	UsedPercent float64
}

PagefileStat contains basic metrics for the windows pagefile

func PagefileMemory

func PagefileMemory() (*PagefileStat, error)

PagefileMemory returns paging (swap) file metrics

type ProcessCommandParams added in v0.32.0

type ProcessCommandParams struct {
	CmdLine   string
	ImagePath string
}

ProcessCommandParams defines process command params

func GetCommandParamsForPid added in v0.32.0

func GetCommandParamsForPid(pid uint32, includeImagePath bool) (*ProcessCommandParams, error)

GetCommandParamsForPid returns the command line (and optionally image path) for the given PID

func GetCommandParamsForProcess added in v0.32.0

func GetCommandParamsForProcess(h windows.Handle, includeImagePath bool) (*ProcessCommandParams, error)

GetCommandParamsForProcess returns the command line (and optionally image path) for the given process

type SCMMonitor added in v0.51.0

type SCMMonitor struct {
	// contains filtered or unexported fields
}

SCMMonitor is an object that allows the caller to monitor Windows services. The object will maintain a table of active services indexed by PID

func GetServiceMonitor added in v0.51.0

func GetServiceMonitor() *SCMMonitor

GetServiceMonitor returns a service monitor object

func (*SCMMonitor) GetRefreshCount added in v0.51.0

func (scm *SCMMonitor) GetRefreshCount() uint64

GetRefreshCount returns the number of times the SCM database has actually been queried. Used for logging stats.

func (*SCMMonitor) GetServiceInfo added in v0.51.0

func (scm *SCMMonitor) GetServiceInfo(pid uint64) (*ServiceInfo, error)

GetServiceInfo gets the service name and display name if the process identified by the pid is in the SCM. A process which is not an SCM controlled service will return nil with no error

type ServiceInfo added in v0.51.0

type ServiceInfo struct {
	ServiceName []string
	DisplayName []string
}

ServiceInfo contains name information for each service identified by PID

type ServiceList added in v0.51.0

type ServiceList struct {
	// contains filtered or unexported fields
}

ServiceList is the return value from a query by pid.

type SwapMemoryStat

type SwapMemoryStat struct {
	Total       uint64
	Used        uint64
	Free        uint64
	UsedPercent float64
}

SwapMemoryStat contains swap statistics

func SwapMemory

func SwapMemory() (*SwapMemoryStat, error)

SwapMemory returns swapfile statistics

type VirtualMemoryStat

type VirtualMemoryStat struct {
	// Total amount of RAM on this system
	Total uint64

	// RAM available for programs to allocate
	//
	// This value is computed from the kernel specific values.
	Available uint64

	// RAM used by programs
	//
	// This value is computed from the kernel specific values.
	Used uint64

	// Percentage of RAM used by programs
	//
	// This value is computed from the kernel specific values.
	UsedPercent float64
}

VirtualMemoryStat contains basic metrics for virtual memory

func VirtualMemory

func VirtualMemory() (*VirtualMemoryStat, error)

VirtualMemory returns virtual memory metrics for the machine

Directories

Path            Synopsis
eventlog
  api           Package evtapi defines the interface and common types for interacting with the Windows Event Log API from Golang
  api/fake      Package fakeevtapi is a fake implementation of the Windows Event Log API intended to be used in tests.
  api/windows   Package winevtapi implements the evtapi.API interface with the Windows Event Log API
  bookmark      Package evtbookmark provides helpers for working with Windows Event Log Bookmarks
  reporter      Package evtreporter provides helpers for writing events to the Windows Event Log
  session       Package evtsession provides helpers for managing an Event Log API session https://learn.microsoft.com/en-us/windows/win32/wes/accessing-remote-computers
  subscription  Package evtsubscribe provides helpers for reading Windows Event Logs with a Pull Subscription
  test          Package eventlog_test provides helpers for testing code that uses the eventlog package
Package messagestrings defines the MESSAGETABLE constants used by agent binaries
Package servicemain provides Windows Service application helpers
