ETW写事件基础步骤
2013-02-19 22:06 Clingingboy
一.调用EventRegister注册一个REGHANDLE
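DWORD status = ERROR_SUCCESS;
REGHANDLE RegistrationHandle = NULL;
// Register this process as the provider identified by ProviderGuid (the
// constant generated from the manifest's provider symbol="ProviderGuid").
// The handle filled in here is what every EventWrite call takes and what
// EventUnregister releases.
status = EventRegister(
&ProviderGuid, // GUID that identifies the provider
NULL, // Enable/disable callback not used
NULL, // Callback context not used
&RegistrationHandle // Used when calling EventWrite and EventUnregister
);
// Registration can fail; in that case RegistrationHandle is not valid and
// must not be handed to EventWrite. Check the status instead of assuming
// success.
if (status != ERROR_SUCCESS)
{
    // Registration failed: report the error and skip tracing.
}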
二. 构造一个 EVENT_DATA_DESCRIPTOR 数组（EventWrite 接收的是指向该数组的 PEVENT_DATA_DESCRIPTOR 指针）
EventWrite 不仅能记录字符串，还可以写入任意二进制数据：每个描述符只指向一段原始字节，这些字节的类型由清单模板中对应的字段定义。
EVENT_DATA_DESCRIPTOR结构
//
// EVENT_DATA_DESCRIPTOR is used to pass in user data items
// in events. Each descriptor references one raw payload item;
// it carries no type information, the manifest template defines
// how the bytes are interpreted. Initialize it with
// EventDataDescCreate rather than by hand.
//
typedef struct _EVENT_DATA_DESCRIPTOR {
ULONGLONG Ptr; // Pointer to data, stored as a 64-bit integer (presumably so the layout is identical on 32- and 64-bit builds)
ULONG Size; // Size of data in bytes; the caller is responsible for keeping this within the bounds of the object at Ptr
ULONG Reserved; // Set to 0 by EventDataDescCreate
} EVENT_DATA_DESCRIPTOR, *PEVENT_DATA_DESCRIPTOR;
使用 EventDataDescCreate 函数初始化每个 EVENT_DATA_DESCRIPTOR；传入的 Size 必须与模板中该字段的字节长度一致。
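// One descriptor per field of TransferTemplate, in template order. Each Size
// must equal the byte length the template gives that field, and must never
// exceed the size of the variable behind the pointer: the runtime reads Size
// bytes starting at Ptr, so an oversized Size leaks adjacent memory into the
// trace.
// win:Pointer is pointer-sized (4 bytes on a 32-bit build, 8 on a 64-bit one),
// so take the size from the variable itself instead of the fixed sizeof(ULONG).
// Assumes pImage is declared as a pointer type (e.g. PVOID) - TODO confirm.
EventDataDescCreate(&Descriptors[i++], &pImage, sizeof(pImage));
EventDataDescCreate(&Descriptors[i++], Scores, sizeof(Scores)); // win:UInt16 count="3": 3 x 2 bytes
EventDataDescCreate(&Descriptors[i++], Guid, sizeof(GUID)); // win:GUID
EventDataDescCreate(&Descriptors[i++], Cert, sizeof(Cert)); // win:Binary length="11": sizeof(Cert) must be 11
EventDataDescCreate(&Descriptors[i++], &IsLocal, sizeof(BOOL)); // win:Boolean
// win:UnicodeString includes the terminating NUL. wcslen is unbounded, so Path
// must be a NUL-terminated string; the cast is applied after the multiply so
// the whole length is computed in size_t before narrowing to ULONG.
EventDataDescCreate(&Descriptors[i++], Path, (ULONG)((wcslen(Path) + 1) * sizeof(WCHAR)));
EventDataDescCreate(&Descriptors[i++], &ArraySize, sizeof(USHORT)); // ValuesCount: number of Values elements that follow
// NOTE: the template continues with Values (ValuesCount x {Name, Value}), Day
// and Transfer; descriptors for those fields follow in the same order and
// are not shown in this excerpt.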
EventDataDescCreate 的原型（它是 evntprov.h 中的 FORCEINLINE 内联函数，而不是宏）
// Initializes one EVENT_DATA_DESCRIPTOR so that it references DataSize bytes
// starting at DataPtr. Nothing is copied and nothing is validated: the data
// must stay alive and readable until the descriptor has been consumed by
// EventWrite, and DataSize must not exceed the object at DataPtr.
FORCEINLINE
VOID
EventDataDescCreate(
__out PEVENT_DATA_DESCRIPTOR EventDataDescriptor,
__in const VOID* DataPtr,
__in ULONG DataSize
)
{
// Convert through ULONG_PTR (an unsigned integer of native width) before
// widening to ULONGLONG, so the pointer is zero-extended into the 64-bit
// field rather than sign-extended on 32-bit builds.
EventDataDescriptor->Ptr = (ULONGLONG)(ULONG_PTR)DataPtr;
// Taken on trust; the caller is the only party that knows how many bytes
// are really readable at DataPtr.
EventDataDescriptor->Size = DataSize;
EventDataDescriptor->Reserved = 0;
return;
}
三.写事件EventWrite
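// Emit TransferEvent with the descriptors filled in above. The count passed
// here must equal the number of descriptors actually initialized, which in
// turn must match the number of fields in TransferTemplate: a larger count
// hands uninitialized descriptors (arbitrary Ptr/Size) to EventWrite.
status = EventWrite(
RegistrationHandle, // From EventRegister
&TransferEvent, // EVENT_DESCRIPTOR generated from the manifest
(ULONG)MAX_PAYLOAD_DESCRIPTORS, // Size of the array of EVENT_DATA_DESCRIPTORs
&Descriptors[0] // Array of descriptors that contain the event data
);
// EventWrite reports failure through its return value only; a silently
// dropped event is a gap in the audit trail, so surface it.
if (status != ERROR_SUCCESS)
{
    // The event was not written (e.g. RegistrationHandle is not valid); report the error.
}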
四.注销事件
// Release the handle obtained from EventRegister; RegistrationHandle must not
// be passed to EventWrite after this call.
EventUnregister(RegistrationHandle);
五.注意点
写事件时传入的描述符个数、顺序以及各自的字节长度，都必须与 EventWrite 第二个参数（事件描述符）所引用的事件模板中的字段一一对应。注意上面的示例只填充了前 7 个字段（到 ValuesCount 为止）的描述符，模板中后面的 Values、Day、Transfer 字段同样需要对应的描述符。模板如下：
<!-- <?xml version="1.0" encoding="UTF-16"?> -->
<!-- NOTE(review): the XML declaration above is commented out in this post;
     restore it before compiling the manifest. -->
<instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events"
xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events"
xmlns:xs="http://www.w3.org/2001/XMLSchema">
<instrumentation>
<events>
<!-- symbol="ProviderGuid" is the name of the GUID constant the compiled
     manifest exposes; the EventRegister call above passes &ProviderGuid. -->
<provider name="Microsoft-Windows-ETWProvider"
guid="{D8909C24-5BE9-4502-98CA-AB7BDC24899D}"
symbol="ProviderGuid"
<!-- NOTE(review): these are absolute build-tree paths. They must point at
     the installed location of the provider binary, and that location should
     not be a user-writable directory. -->
resourceFileName="c:\code\etw\v2provider\debug\v2provider.exe"
messageFileName="c:\code\etw\v2provider\debug\v2provider.exe"
message="$(string.Provider.Name)">
<!-- Keyword bits a session can enable to filter events; TransferEvent below
     is tagged with Read and Local (mask 0x1 | 0x4). -->
<keywords>
<keyword name="Read"
symbol="READ_KEYWORD"
mask="0x1" />
<keyword name="Write"
symbol="WRITE_KEYWORD"
mask="0x2" />
<keyword name="Local"
symbol="LOCAL_KEYWORD"
mask="0x4" />
<keyword name="Remote"
symbol="REMOTE_KEYWORD"
mask="0x8" />
</keywords>
<!-- Maps translate raw integer values into the strings below when the
     event is rendered; the Day and Transfer fields reference them. -->
<maps>
<valueMap name="TransferType">
<map value="1"
message="$(string.Map.Download)" />
<map value="2"
message="$(string.Map.Upload)" />
<map value="3"
message="$(string.Map.UploadReply)" />
</valueMap>
<bitMap name="DaysOfTheWeek">
<map value="0x1"
message="$(string.Map.Sunday)" />
<map value="0x2"
message="$(string.Map.Monday)" />
<map value="0x4"
message="$(string.Map.Tuesday)" />
<map value="0x8"
message="$(string.Map.Wednesday)" />
<map value="0x10"
message="$(string.Map.Thursday)" />
<map value="0x20"
message="$(string.Map.Friday)" />
<map value="0x40"
message="$(string.Map.Saturday)" />
</bitMap>
</maps>
<templates>
<!-- The order of the fields here fixes the order of the EVENT_DATA_DESCRIPTOR
     array: the seven descriptors in the example above follow Image, Scores,
     ID, Certificate, IsLocal, Path, ValuesCount exactly. -->
<template tid="TransferTemplate">
<!-- win:Pointer is pointer-sized; its descriptor Size depends on the
     provider's bitness. -->
<data name="Image"
inType="win:Pointer" />
<data name="Scores"
inType="win:UInt16"
count="3" />
<data name="ID"
inType="win:GUID" />
<!-- Fixed-length binary: the descriptor must supply exactly 11 bytes. -->
<data name="Certificate"
inType="win:Binary"
length="11" />
<data name="IsLocal"
inType="win:Boolean" />
<!-- NUL-terminated; the descriptor Size includes the terminator. -->
<data name="Path"
inType="win:UnicodeString" />
<data name="ValuesCount"
inType="win:UInt16" />
<!-- Variable-length: ValuesCount tells the consumer how many {Name, Value}
     pairs follow. -->
<struct name="Values"
count="ValuesCount">
<data name="Name"
inType="win:UnicodeString" />
<data name="Value"
inType="win:UInt16" />
</struct>
<data name="Day"
inType="win:UInt32"
map="DaysOfTheWeek" />
<data name="Transfer"
inType="win:UInt32"
map="TransferType" />
<!-- %n refers to the n-th field of this template (1-based, in declaration
     order): %1 Image ... %7 ValuesCount, %8 Values, %9 Day, %10 Transfer. -->
<UserData>
<EventData xmlns="ProviderNamespace">
<Transfer>%10</Transfer>
<Day>%9</Day>
<ValuesCount>%7</ValuesCount>
<Values>%8</Values>
<Path>%6</Path>
<IsLocal>%5</IsLocal>
<Scores>%2</Scores>
<Image>%1</Image>
<Certificate>%4</Certificate>
<ID>%3</ID>
</EventData>
</UserData>
</template>
</templates>
<events>
<!-- symbol="TransferEvent" is the EVENT_DESCRIPTOR constant passed as the
     second argument of EventWrite above. The event is only emitted when a
     session enables this provider with the Read and/or Local keyword bits. -->
<event value="1"
level="win:Informational"
template="TransferTemplate"
symbol="TransferEvent"
message="$(string.Event.WhenToTransfer)"
keywords="Read Local" />
</events>
</provider>
</events>
</instrumentation>
<localization>
<resources culture="en-US">
<stringTable>
<string id="Provider.Name"
value="Microsoft-Windows-ETWProvider" />
<string id="Map.Download"
value="Download" />
<string id="Map.Upload"
value="Upload" />
<string id="Map.UploadReply"
value="Upload-reply" />
<string id="Map.Sunday"
value="Sunday" />
<string id="Map.Monday"
value="Monday" />
<string id="Map.Tuesday"
value="Tuesday" />
<string id="Map.Wednesday"
value="Wednesday" />
<string id="Map.Thursday"
value="Thursday" />
<string id="Map.Friday"
value="Friday" />
<string id="Map.Saturday"
value="Saturday" />
<!-- %9 and %10 are the Day and Transfer fields, rendered through their maps. -->
<string id="Event.WhenToTransfer"
value="The %10 transfer will occur %9." />
</stringTable>
</resources>
</localization>
</instrumentationManifest>