Clearlogs V1.0

White Scorpion

Feb 12 2005, 11:44 PM

Hi All,

i've just finished writing another new tool which might come in handy:

ClearLogs v1.0. clearlogs is a simple tool which clears the Windows eventlogs with just one (double-)click.

The logfiles aren't saved so they aren't retrievable after running this program.

clearlogs is released under the GPL (open source) and it is written in ASM (masm32).

you can get it here.

I hope this tool might prove helpful to someone

regards,

White Scorpion

jead99

Feb 13 2005, 07:34 AM

Thanks for sharing your source code with us.

As i recall the c++ version will something like this:

CODE

void clearlogs()
{
HANDLE eventlog;
eventlog = RegisterEventSource(NULL, "Application");
ClearEventLog(eventlog, NULL);
DeregisterEventSource(eventlog);
eventlog = RegisterEventSource(NULL, "Security");
ClearEventLog(eventlog, NULL);
DeregisterEventSource(eventlog);
eventlog = RegisterEventSource(NULL, "System");
ClearEventLog(eventlog, NULL);
DeregisterEventSource(eventlog);
}

Correct me if i'm wrong.

ScuD

Feb 13 2005, 09:08 AM

i've tried your clearlogs out, and it worked fine, but when executing there pops up a box saying that the logs are cleared, aint it possible to turn that off?

And also wanna say nice coding

grtz

tibbar

Feb 13 2005, 09:27 AM

just edit the source and recompile... (i.e. remove the MessageBox call)

ScuD

Feb 13 2005, 09:34 AM

QUOTE(tibbar @ Feb 13 2005, 10:27 AM)

just edit the source and recompile... (i.e. remove the MessageBox call)

oki thx mate

White Scorpion

Feb 13 2005, 10:32 AM

tibbar is right,

here's a version attached which has no output whatsoever.

as for the C/C++ version. appearenlty it also works with RegisterEventSource() although i have used OpenEventLog() , they both return a handle to the eventlog.

Mr_X

Feb 13 2005, 02:09 PM

I tried jead99 code but don't works very well (I only tested it on Windows 2003). It cleared all logs except Security logs .

CODE

#include <windows.h>

int main(void)
{
int i;
HANDLE eventlog;
char * evtlog [] = { "Application", "Security","System"};
for (i=0;i<3;++i)
{
eventlog = OpenEventLog(NULL, evtlog[i]);
ClearEventLog(eventlog, NULL);
CloseEventLog(eventlog);
}
return EXIT_SUCCESS;
}

edit:
I also modified White Scorpion ClearLogs and packed with FSG. I obtained a 873 bytes executable

White Scorpion

Feb 13 2005, 05:12 PM

CODE

.386
.model flat,stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\advapi32.inc

includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\advapi32.lib

.DATA
App db "Application",0,"Security",0,"System",0

.DATA

hLog DWORD ?

.CODE

start:

lea ebx,App
mov ecx,3

run:
push ecx
invoke OpenEventLog,NULL,ebx
.IF eax!=NULL
mov hLog,eax
invoke ClearEventLog,hLog,NULL
invoke CloseEventLog,hLog
.ENDIF
pop ecx
dec ecx
cmp ecx,1
je two
add ebx,12
jmp three
two:
add ebx,9
three:
test ecx,ecx
jnz run

invoke ExitProcess,0

end start

try this one with FSG, i think this one will be even smaller

illwill

Feb 13 2005, 05:23 PM

very good work
always used arne's program never thought of actually making my own

illwill

Feb 13 2005, 06:40 PM

but i figure what the hell might as well make one too .. heres a revision of your code for commandline use .. it allows you to choose which logs to clear

CODE

.386
.model flat,stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\shell32.inc
include \masm32\include\advapi32.inc
include \masm32\include\masm32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\shell32.lib
includelib \masm32\lib\advapi32.lib
includelib \masm32\lib\masm32.lib
includelib \masm32\lib\user32.lib

.data
commandLine dd 0
USAGE db '_______________________________________________________________',13,10
db '* ClearlogsCL 1.0 *',13,10
db '* by illwill - xillwillx@yahoo.com *',13,10
db '*_____________________________________________________________*',13,10
db '* USAGE: cl.exe [Log: 1/2/3] *',13,10
db '* 1 = Application *',13,10
db '* 2 = Security *',13,10
db '* 3 = System *',13,10
db '*_____________________________________________________________*',13,10
db ' Based on Code From WhiteScorpion ',13,10,0
fmt db '%s log has been cleared.',0
App db 'Application',0
Sec db 'Security',0
Syst db 'System',0

.data?
szLog db 4 dup(?)
hLog DWORD ?
strbuf db 64 dup (?)
.code
start:
invoke GetCommandLine
mov commandLine, eax
invoke GetCL, 1, addr szLog
cmp al, 1
je @F
invoke StdOut, addr USAGE
jmp exit_rj
@@:
mov al, szLog
cmp al, '1'
jne @F
lea ebx,App
jmp do_it
@@:
cmp al, '2'
jne @F
lea ebx,Sec
jmp do_it

@@:
cmp al, '3'
lea ebx, Syst

do_it:
invoke OpenEventLog,NULL,ebx
.IF eax!=NULL
mov hLog,eax
invoke ClearEventLog,hLog,NULL
invoke CloseEventLog,hLog
.ENDIF
invoke wsprintf, addr strbuf, addr fmt,ebx
invoke StdOut, addr strbuf
exit_rj:
invoke ExitProcess, eax
end start

White Scorpion

Feb 14 2005, 06:35 AM

Nice code illwill

well, since we are writing all different ones, i've decided to write another one for the commandline but then in C (for people who don't understand ASM).:

CODE

#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <windows.h>

void Usage(char buffer[]);

int main(int argc,char *argv[])
{
if(argc!=2)
{
Usage(argv[0]);
return EXIT_FAILURE;
}

HANDLE hLog;
if(strcmp(argv[1],"-app")==0)
{
if((hLog=OpenEventLog(NULL,"Application"))!=NULL)
{
ClearEventLog(hLog,NULL);
CloseEventLog(hLog);
printf("Application log cleared successfully.");
return EXIT_SUCCESS;
}
return EXIT_FAILURE;
}
else if(strcmp(argv[1],"-sec")==0)
{
if((hLog=OpenEventLog(NULL,"Security"))!=NULL)
{
ClearEventLog(hLog,NULL);
CloseEventLog(hLog);
printf("Security log cleared successfully.");
return EXIT_SUCCESS;
}
return EXIT_FAILURE;
}
else if(strcmp(argv[1],"-sys")==0)
{
if((hLog=OpenEventLog(NULL,"System"))!=NULL)
{
ClearEventLog(hLog,NULL);
CloseEventLog(hLog);
printf("System log cleared successfully.");
return EXIT_SUCCESS;
}
return EXIT_FAILURE;
}
Usage(argv[0]);
return EXIT_FAILURE;
}

//the Usage Function
void Usage(char buffer[])
{
printf("ClearLogs v1.1 written by White Scorpion (C)2005\n");
printf("********* http://www.white-scorpion.nl *********\n\n");
printf(" Based on the idea from illwill\n\n\n");
printf("A program that can clear the Windows eventlogs.\n\n");
printf("Usage:\n");
printf("%s -app\t(clears application eventlog).\n",buffer);
printf("%s -sec\t(clears security eventlog).\n",buffer);
printf("%s -sys\t(clears system eventlog).\n",buffer);
}

illwill

Feb 14 2005, 07:10 AM

#include <strings.h>

#include <string.h>

also added your website button to illmob

White Scorpion

Feb 14 2005, 11:45 AM

[quote]
#include <strings.h>

#include <string.h>
[/code]
this is compiler dependant. i'm using dev-cpp and i need strings.h ...

[edit]nice site illmob.org

, do you have such a button as well? max size can be 88x31 pixels.[/edit].

White Scorpion

Feb 14 2005, 11:45 AM

[EDIT]

stupid IE, i got a blank screen, i press refresh and i have 2 posts.... so ingnore this one ;-)[/EDIT]

illwill

Feb 16 2005, 04:12 AM

yea just get it from my site below your button

White Scorpion

Feb 16 2005, 03:15 PM

got it, added it

i've decided i wanted a forum as well, so i've added one yesterday. now all i need is members and posts

http://www.white-scorpion.nl/forums/

TedOb1

Feb 18 2005, 10:36 PM

once again White Scorpion real nice work.

White Scorpion

Feb 19 2005, 11:40 AM

thanks Tedob1.

are you the same as from AO?

i've seen you've became a member on my forums as well ;-)

nice to have you there!