ETW Function Reference (1)
2013-02-28 12:01 Clingingboy
I. QueryAllTraces
ULONG
WMIAPI
QueryAllTracesW(
    __out_ecount(PropertyArrayCount) PEVENT_TRACE_PROPERTIES *PropertyArray,
    __in ULONG PropertyArrayCount,
    __out PULONG LoggerCount
    );
The QueryAllTraces function retrieves the properties and statistics for all event tracing sessions started on the computer.
1. First, allocate the memory
    PEVENT_TRACE_PROPERTIES Storage;
    ULONG SizeNeeded;
    ULONG Status;
    ULONG SizeForOneProperty = sizeof(EVENT_TRACE_PROPERTIES) +
                               2 * MAXSTR * sizeof(TCHAR);
    //
    // We need to prepare space to receive the information for the loggers.
    // Each logger needs one EVENT_TRACE_PROPERTIES structure followed by
    // the logger name and the logfile path strings (MAXSTR characters each;
    // MAXSTR and MAXIMUM_LOGGERS are constants defined by the SDK sample).
    //
    SizeNeeded = MAXIMUM_LOGGERS * SizeForOneProperty;
    Storage = (PEVENT_TRACE_PROPERTIES)malloc(SizeNeeded);
    if (Storage == NULL) {
        Status = ERROR_OUTOFMEMORY;
        break;      // leaves the sample's enclosing loop
    }
    RtlZeroMemory(Storage, SizeNeeded);
2. Fill in and initialize the array of pointers
    //
    // Save the start pointer for free() later; Storage itself is advanced below.
    //
    PEVENT_TRACE_PROPERTIES TempStorage = Storage;
    PEVENT_TRACE_PROPERTIES LoggerInfo[MAXIMUM_LOGGERS];
    ULONG LoggerCounter;
    //
    // Initialize the LoggerInfo array before passing it to QueryAllTraces.
    // Each element must carry its BufferSize and the offsets (relative to the
    // start of the structure) where the session name and log file name go.
    //
    for (LoggerCounter = 0; LoggerCounter < MAXIMUM_LOGGERS; LoggerCounter++) {
        Storage->Wnode.BufferSize = SizeForOneProperty;
        Storage->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
        Storage->LogFileNameOffset = sizeof(EVENT_TRACE_PROPERTIES) +
                                     MAXSTR * sizeof(TCHAR);
        LoggerInfo[LoggerCounter] = Storage;
        //
        // Move Storage to point to the next allocated buffer for the
        // logger information.
        //
        Storage = (PEVENT_TRACE_PROPERTIES)((PUCHAR)Storage +
                                            Storage->Wnode.BufferSize);
    }
3. Query the status
    ULONG ReturnCount = 0;   // number of active sessions reported
    Status = QueryAllTraces(LoggerInfo,
                            MAXIMUM_LOGGERS,
                            &ReturnCount);
    if (Status == ERROR_SUCCESS) {
        for (LoggerCounter = 0; LoggerCounter < ReturnCount; LoggerCounter++) {
            // PrintLoggerStatus is the sample's own helper; it prints the
            // session name, log file and buffer/lost-event counters.
            PrintLoggerStatus(LoggerInfo[LoggerCounter], Status);
            _tprintf(_T("\n"));
        }
    }
    //
    // Free the memory allocated for the logger information buffers.
    //
    free(TempStorage);
II. StartTrace
The StartTrace function registers and starts an event tracing session.
ULONG
WMIAPI
StartTraceW(
    __out PTRACEHANDLE TraceHandle,
    __in LPCWSTR InstanceName,
    __inout PEVENT_TRACE_PROPERTIES Properties
    );
Example:
    TRACEHANDLE LoggerHandle = 0;   // receives the session handle on success
    Status = StartTrace(&LoggerHandle, LoggerName, LoggerInfo);
    if (Status != ERROR_SUCCESS) {
        _tprintf(_T("Could not start logger: %s\n")
                 _T("Operation Status: %lu\n"),
                 LoggerName,
                 Status);
        break;      // leaves the sample's enclosing loop
    }
    _tprintf(_T("Logger Started...\n"));
III. ControlTrace
For an event tracing session, ControlTrace can perform the stop, query, and update operations.
Note for the stop operation: the first parameter (the trace handle) must be 0; the session is then identified by the LoggerName string.
    Status = ControlTrace(0,
                          LoggerName,
                          LoggerInfo,
                          EVENT_TRACE_CONTROL_STOP);
Note for the query operation: Wnode.BufferSize must be set, so it is saved before the structure is zeroed and restored afterwards.
    TempSizeNeeded = LoggerInfo->Wnode.BufferSize;
    RtlZeroMemory(LoggerInfo, SizeNeeded);
    LoggerInfo->Wnode.BufferSize = TempSizeNeeded;
    Status = ControlTrace(LoggerHandle,
                          LoggerName,
                          LoggerInfo,
                          EVENT_TRACE_CONTROL_QUERY);
Note for the update operation: the call only takes effect if at least one parameter has actually changed.
    LoggerInfo->LogFileNameOffset = 0;   // do not update the file name
    LoggerInfo->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
    // Add process and thread events to the session's kernel enable flags.
    LoggerInfo->EnableFlags |= EVENT_TRACE_FLAG_PROCESS | EVENT_TRACE_FLAG_THREAD;
    Status = ControlTrace(NULL,
                          LoggerName,
                          LoggerInfo,
                          EVENT_TRACE_CONTROL_UPDATE);
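Added example, not part of the original post: the same session enumeration that QueryAllTraces performs, done from the defender's side in PowerShell with Get-EtwTraceSession (EventTracingManagement module, Windows 10 / Server 2016 and later, elevated prompt), to confirm that the sessions your telemetry depends on are still running and have not been stopped with EVENT_TRACE_CONTROL_STOP. The session names in $Expected are placeholders to adapt, and the property names Name, LocalFilePath and EventsLost are assumed from the MSFT_EtwTraceSession class.

```powershell
# Added example (not from the original post). Run elevated on Windows 10 /
# Server 2016+ where the EventTracingManagement module is available.
# The session names below are examples only; replace them with the sessions
# your logging pipeline actually relies on.
$Expected = @('EventLog-Security', 'EventLog-System', 'EventLog-Application')

function Get-EtwSessionSummary {
    # Equivalent of QueryAllTraces: one object per active session.
    Get-EtwTraceSession -ErrorAction Stop |
        Select-Object Name, LocalFilePath, EventsLost
}

function Test-EtwSessions {
    param([string[]]$ExpectedNames)

    $byName = @{}
    foreach ($s in (Get-EtwSessionSummary)) { $byName[$s.Name] = $s }

    $findings = @()
    foreach ($name in $ExpectedNames) {
        if (-not $byName.ContainsKey($name)) {
            # A session that should be running is gone: stopped, crashed,
            # or never started. Either way its telemetry is not being collected.
            $findings += [pscustomobject]@{
                Session = $name; Issue = 'missing (stopped or never started)'
            }
            continue
        }
        $s = $byName[$name]
        if ($s.EventsLost -gt 0) {
            # The session is alive but has dropped events; buffers are
            # undersized for the current event rate.
            $findings += [pscustomobject]@{
                Session = $name; Issue = "dropped $($s.EventsLost) events"
            }
        }
    }
    return $findings
}

$result = @(Test-EtwSessions -ExpectedNames $Expected)
if ($result.Count -eq 0) {
    Write-Output "All $($Expected.Count) expected ETW sessions are running."
} else {
    $result | Format-Table -AutoSize
    exit 1          # non-zero so a scheduled task or monitor can alert on it
}
```

Scheduling this check and alerting on a non-zero exit turns a silent session stop into a detectable event.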
IV. EnableTrace
The EnableTrace function enables or disables the specified event trace provider.
    // Enable the provider identified by TargetGuid for the session LoggerHandle
    // at level TRACE_LEVEL_INFORMATION, with no provider-specific EnableFlag.
    Status = EnableTrace(TRUE,
                         0,
                         TRACE_LEVEL_INFORMATION,
                         &TargetGuid,
                         LoggerHandle);
    // Disable the same provider for that session again.
    Status = EnableTrace(FALSE,
                         0,
                         0,
                         &TargetGuid,
                         LoggerHandle);