[Original] How to view a custom provider's events (collected without the provider registered) in WPA

Recently I wanted to use ETW as an efficient logging mechanism without exposing confidential information: the sensitive part (event names, field layouts and message strings) lives in the manifest file. That means I cannot register my own provider on customer machines, because registering it requires shipping the manifest. But if an .etl file collected that way is opened directly in WPA it looks very poor, and you can make out almost nothing useful, as in Figure 1.

Figure 1: poor.etl opened in WPA (collected on a machine where the provider was never registered, and not processed with xperf -merge)

How can the collected information be made as detailed as in the figure below?

Figure 2: good.etl opened in WPA (collected on a machine where the provider was registered)

The following is the answer I posted to my own question on Stack Overflow.


I found the answer on the MSDN forums; here is the same question, asked by myself.

xperf -merge is the key!

The whole procedure is as follows:

  1. Install my software and start collecting event data on the customer's machine (no need to register my provider). Call xperf -start mysession -on MY_PROVIDER_GUID to start collecting event data.

  2. After it has run for some time, call xperf -stop mysession -d poor.etl to stop collecting and save to the poor.etl file.

  3. Copy poor.etl to my dev machine (where my provider is already registered) and call xperf -merge poor.etl good.etl.

  4. Open good.etl with WPA; I can see every detail as I expected.

That's all. Hope it will help other guys like me. Thanks, everyone.
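The four steps above, as an added PowerShell example (not code from the original post): the customer side only ever sees the provider GUID, while the manifest stays on the dev machine, which is the whole point of the approach. The dev-side function checks that the provider is actually registered before merging, because xperf -merge on a machine without the registration produces a file that looks exactly like poor.etl. MY_PROVIDER_GUID is the placeholder from the post; the session and file names are the post's own; manifest.man is a hypothetical manifest file name, and the functions and variable names are mine.

```powershell
# Placeholder from the post: replace with the real provider GUID, braces included.
$MyProviderGuid = '{MY_PROVIDER_GUID}'

# ---- Customer side (elevated prompt). Nothing here needs the manifest. ----

function Start-CustomTrace {
    param([string]$Session, [string]$ProviderGuid)
    # Step 1: start a user-mode session that records only our provider's events.
    & xperf -start $Session -on $ProviderGuid
    if ($LASTEXITCODE -ne 0) { throw "xperf -start failed with exit code $LASTEXITCODE" }
}

function Stop-CustomTrace {
    param([string]$Session, [string]$OutFile)
    # Step 2: stop the session and write the raw trace (events without metadata).
    & xperf -stop $Session -d $OutFile
    if ($LASTEXITCODE -ne 0) { throw "xperf -stop failed with exit code $LASTEXITCODE" }
}

# ---- Dev side (elevated prompt, provider registered via 'wevtutil im manifest.man'). ----

function Test-ProviderRegistered {
    param([string]$ProviderGuid)
    # 'logman query providers' lists every registered provider as "<name> {<guid>}".
    $bareGuid = $ProviderGuid.Trim('{', '}')
    $hit = logman query providers | Select-String -SimpleMatch $bareGuid
    return [bool]$hit
}

function Merge-CustomTrace {
    param([string]$PoorEtl, [string]$GoodEtl, [string]$ProviderGuid)
    # Step 3: merging on a machine where the provider is registered injects the
    # event metadata so WPA can decode names, fields and messages.
    if (-not (Test-ProviderRegistered $ProviderGuid)) {
        throw "Provider $ProviderGuid is not registered here; run 'wevtutil im manifest.man' first, otherwise the merge adds nothing."
    }
    & xperf -merge $PoorEtl $GoodEtl
    if ($LASTEXITCODE -ne 0) { throw "xperf -merge failed with exit code $LASTEXITCODE" }
    # Step 4: open the merged file in Windows Performance Analyzer.
    #   wpa $GoodEtl
}

# Usage, customer machine:
#   Start-CustomTrace -Session mysession -ProviderGuid $MyProviderGuid
#   ... run the product for a while ...
#   Stop-CustomTrace  -Session mysession -OutFile poor.etl
# Usage, dev machine, after copying poor.etl over:
#   Merge-CustomTrace -PoorEtl poor.etl -GoodEtl good.etl -ProviderGuid $MyProviderGuid
```

One caveat worth keeping in mind: after the merge, good.etl carries the decoded event names, field names and message strings, i.e. the very information the manifest was kept off the customer machine to protect. Treat the merged file as confidential and do not send it back to the customer or attach it to a public bug report.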


References

1. https://social.msdn.microsoft.com/Forums/en-US/efadef6c-85cf-4e39-bd7a-2fa9ba7df9b3/to-what-extend-will-custom-events-integrate-in-wpa?forum=wptkv5


2. My post on Stack Overflow

3. My post on the MSDN forum
posted @ 2017-03-30 22:57  BCN  Views(246)  Comments(0)