我正在尝试使用Windows的事件跟踪(ETW)建立使用者,该使用者将从Microsoft-Windows-Kernel-Process接收事件。使用者启动,ProcessTrace没有错误。我可以在“ logman query -ets”的结果中看到我的会话名称。但是,我的事件回调函数从未调用过。我无法弄清楚为什么我没有看到任何事件。我以管理员身份运行我的应用程序。谁能在我的代码中看到问题?谢谢...
注:我尝试仅将事件写入文件中...我的事件回调被调用了两次,BufferCallback被调用了一次,在生成的etl文件中,我得到了一个错误代码为15003的事件,即ERROR_EVT_EVENT_TEMPLATE_NOT_FOUND(模板在资源中找不到事件定义(错误=%1)。)我不确定这是什么意思。我认为消费者不需要对清单做任何事情。
#include <windows.h>
#include <stdio.h>
#include <conio.h>
#include <strsafe.h>
#include <wbemidl.h>
#include <wmistr.h>
#include <evntrace.h>
#include <Evntcons.h>
using namespace std;
#pragma comment(lib, "Advapi32.lib")
#define LOGSESSION_GUID "{b2bcc945-9eb9-4231-883c-d6455cf4d86b}"
#define LOGSESSION_NAME L"Testing ETW Consumer"
static const GUID SessionGuid =
{ 0xb2bcc945, 0x9eb9, 0x4231,{ 0x88, 0x3c, 0xd6, 0x45, 0x5c, 0xf4, 0xd8, 0x6b } };
TRACEHANDLE sessionHandle;
TRACEHANDLE traceHandle;
GUID guid;
int bufferSize = sizeof(EVENT_TRACE_PROPERTIES) + sizeof(LOGSESSION_NAME) + sizeof(WCHAR);
auto pSessionProperties = static_cast<PEVENT_TRACE_PROPERTIES>(malloc(bufferSize));
// Microsoft-Windows-Kernel-Process
// {22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}
static const GUID MSKRNL_PROVIDER_GUID =
{ 0x22fb2cd6, 0x0e7b, 0x422b,{ 0xa0, 0xc7, 0x2f, 0xad, 0x1f, 0xd0, 0xe7, 0x16 } };
VOID WINAPI EventRecordCallback(EVENT_RECORD* pEventRecord) {
fprintf(stdout, "Event Record Received\n");
return;
}
ULONG WINAPI BufferCallback(EVENT_TRACE_LOGFILE* pLogFile) {
fprintf(stdout, "in BufferCallback...\n");
return TRUE;
}
static DWORD WINAPI Win32TracingThread(LPVOID Parameter)
{
fprintf(stdout, "processing trace...\n");
auto ptStatus = ProcessTrace(&traceHandle, 1, NULL, NULL);
if (ptStatus != ERROR_SUCCESS && ptStatus != ERROR_CANCELLED)
{
wprintf(L"ProcessTrace exit status: %lu\n", ptStatus);
}
return(0);
}
int main(void)
{
fprintf(stdout, "entering main program...\n");
// Set the session properties. You only append the log file name
// to the properties structure; the StartTrace function appends
// the session name for you.
ZeroMemory(pSessionProperties, bufferSize);
pSessionProperties->Wnode.BufferSize = bufferSize;
pSessionProperties->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
pSessionProperties->Wnode.ClientContext = 1; //QPC clock resolution
pSessionProperties->Wnode.Guid = SessionGuid;
pSessionProperties->FlushTimer = 0;
pSessionProperties->EnableFlags = EVENT_TRACE_FLAG_PROCESS | EVENT_TRACE_FLAG_PROCESS_COUNTERS;
pSessionProperties->LogFileMode = EVENT_TRACE_REAL_TIME_MODE;
pSessionProperties->LogFileNameOffset = 0;
pSessionProperties->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
StringCbCopy((STRSAFE_LPWSTR)((char*)pSessionProperties + pSessionProperties->LoggerNameOffset), sizeof(LOGSESSION_NAME), LOGSESSION_NAME);
// stop any previous session
auto stopStatus = ControlTrace(0, LOGSESSION_NAME, pSessionProperties, EVENT_TRACE_CONTROL_STOP);
fprintf(stdout, "starting trace...\n");
auto sTrStatus = StartTrace(static_cast<PTRACEHANDLE>(&sessionHandle), LOGSESSION_NAME, pSessionProperties);
fprintf(stdout, "enabling trace...\n");
auto eTrExstatus = EnableTraceEx2(sessionHandle, &MSKRNL_PROVIDER_GUID, EVENT_CONTROL_CODE_ENABLE_PROVIDER, TRACE_LEVEL_VERBOSE, 1, 0, 0, nullptr);
EVENT_TRACE_LOGFILE loggerInfo = {0};
loggerInfo.ProcessTraceMode = EVENT_TRACE_REAL_TIME_MODE | PROCESS_TRACE_MODE_EVENT_RECORD;
loggerInfo.BufferCallback = BufferCallback;
// provide a callback whenever we get an event record
loggerInfo.EventRecordCallback = (PEVENT_RECORD_CALLBACK) EventRecordCallback;
loggerInfo.Context = nullptr;
// LoggerName is the sessionName that we had provided in StartTrace
// For consuming events from ETL file we will provide path to ETL file.
loggerInfo.LoggerName = LOGSESSION_NAME;
loggerInfo.LogFileName = NULL;
loggerInfo.LogFileMode = EVENT_TRACE_REAL_TIME_MODE;
fprintf(stdout, "opening trace...\n");
traceHandle = OpenTrace(&loggerInfo);
// calling thread will be blocked until BufferCallback returns FALSE or all events are delivered or CloseTrace is called
DWORD ThreadID;
HANDLE ThreadHandle = CreateThread(0, 0, Win32TracingThread, 0, 0, &ThreadID);
bool exit2 = false;
while (exit2 == false)
{
if (GetAsyncKeyState(VK_ESCAPE))
{
exit2 = true;
fprintf(stdout, "escape pressed, exiting loop...\n");
}
}
CloseHandle(ThreadHandle);
if ((TRACEHANDLE)INVALID_HANDLE_VALUE != traceHandle)
{
fprintf(stdout, "in cleanup...\n");
fprintf(stdout, "closing trace...\n");
auto ctStatus = CloseTrace(traceHandle);
}
auto cTrStatus = ControlTrace(sessionHandle, nullptr, pSessionProperties, EVENT_TRACE_CONTROL_STOP);
auto eTrStatus = EnableTraceEx2(sessionHandle, &MSKRNL_PROVIDER_GUID, EVENT_CONTROL_CODE_DISABLE_PROVIDER, 0, 0, 0, 0, nullptr);
free(pSessionProperties);
}
我可能自己想了很多...这就是我所做的更改...
首先,我必须在所有包含语句之前包含“ #define INITGUID”,但我没有意识到这是必须的...
然后,对于会话属性和记录器属性中的logfilemode,我将它们设置为此...
EVENT_TRACE_REAL_TIME_MODE | EVENT_TRACE_SYSTEM_LOGGER_MODE
我现在将事件返回到回调,现在我需要解析它们并找出其中的内容...