467 questions
-1 votes · 0 answers · 97 views
ProcessID from ETW always returns 0xFFFFFFFF
I am using Event Tracing for Windows to monitor disk io and network usage of processes. I have used ETW with KERNEL_LOGGER_NAME, EVENT_TRACE_FLAG_PROCESS, EVENT_TRACE_FLAG_DISK_IO, ...
3 votes · 0 answers · 165 views
Thread quantum expires in 0.012 milliseconds?
This CPU Usage (Precise) view below seems to indicate that this thread's quantum is expiring after only 0.012 milliseconds on row 19. Rows 6 and 29 look normal with a 15 millisecond thread quantum ...
0 votes · 0 answers · 58 views
Unable to collect events from Microsoft-Windows-Kernel-Process using logman
I would like to collect events with the keyword Winevent_Keyword_Process (0x10).
My system is Windows Server 2016, and the available providers are shown in the screenshot below:
Then, I used logman ...
0 votes · 0 answers · 43 views
EventAccessControl API not working in Windows 10 for setting DACL?
I am using the following code to set the DACL on my ETW session object using EventAccessControl, to only allow processes under SYSTEM to be able to access the session object:
// Initialize the ...
2 votes · 0 answers · 113 views
Trouble Capturing Process Start Events with ETW in User-Mode Application
I have a question regarding ETW (Event Tracing for Windows) programming.
My goal is simple: I want to use an ETW-based program to record every user-launched program on Windows.
I have already implemented ...
0 votes · 0 answers · 79 views
How to create a custom event channel that a user mode app and a kernel mode driver can both write to?
I want to create a custom event channel to which both an executable running as a limited user and a kernel mode driver are able to write. How can I do this?
Following are the things I tried but ...
1 vote · 1 answer · 121 views
Why are ETW events not triggered when using PS in a custom PowerShell host from C#?
I'm executing PowerShell scripts from within a C# application using the System.Management.Automation library. My goal is to capture script actions through ETW events from the Microsoft-Windows-...
0 votes · 0 answers · 52 views
How frequently is the ETW Provider based TcpDataTransferSend event emitted?
ETW Provider Microsoft-Windows-TCPIP provides various events like:
TcpShutdownTcb = 1044,
TcpDataTransferReceive = 1074,
TcpDataTransferSend = 1332,
TcpDataTransferRetransmitRound = ...
1 vote · 0 answers · 135 views
ETW: How to record stack for a native function that crashes due to access violation or stack overflow?
It's easy to capture call stacks with ETW for managed code that throws exception, the CLR provides all. But what can I do for native code that behaves badly?
Let's assume I have a large application ...
0 votes · 0 answers · 72 views
Cannot get descriptions for events from ETW Providers
I created a trace on my Windows 10 laptop using this logman command:
logman create trace "Microsoft-Windows-Kernel-File" -p Microsoft-Windows-Kernel-File 0x1800 -o "C:\Logs\Microsoft-...
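A worked version of the logman flow behind this question and the earlier "Unable to collect events from Microsoft-Windows-Kernel-Process using logman" entry, added here as an example and not taken from either post. It assumes an elevated PowerShell session; the session name and output paths are made up.

```powershell
# Added example; not code from either question. Assumes an elevated PowerShell
# session. Session name and paths are made up.

$Provider = 'Microsoft-Windows-Kernel-File'
$Session  = 'KernelFileTrace'
$Etl      = 'C:\Logs\kernel-file.etl'

# 1. Print the provider's keyword and level table; the mask passed to -p is
#    read from here rather than guessed. The same command against
#    'Microsoft-Windows-Kernel-Process' lists Winevent_Keyword_Process (0x10)
#    and the events gated on it.
logman query providers $Provider

# 2. Create and start (-ets) a session that enables only those keywords, at
#    level 5 (verbose) so no event is filtered out for its level. Keep the mask
#    quoted: unquoted, PowerShell converts 0x1800 to decimal before logman sees it.
logman create trace $Session -p $Provider '0x1800' 5 -o $Etl -ets

Start-Sleep -Seconds 15          # reproduce the file activity of interest here

# 3. Stop the session; this flushes the buffers and closes the ETL.
logman stop $Session -ets

# 4. Decode. tracerpt renders event descriptions from the provider manifest
#    registered on the machine doing the decoding, so an ETL copied to a host
#    without that provider installed comes out as IDs and raw fields only.
tracerpt $Etl -o "$Etl.xml" -of XML -summary "$Etl.summary.txt" -y
```

The summary file tracerpt writes lists per-provider event counts, which is the quickest way to confirm the keyword mask actually enabled the events you wanted before looking at the decoded XML.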
1 vote · 0 answers · 126 views
How to monitor file access?
I want to monitor when some process reads a specific file.
When I use procmon to monitor the said file, I can see that it gets queried and read a lot.
Now I want to monitor a specific file and act once ...
0 votes · 1 answer · 106 views
ProcessTrace handle is not invoking the callback registered via OpenTraceA using python and ctypes
I have an ETL file (e.g. sample.etl) to parse using the Native WinAPI. Using cpp I am able to parse and process an existing windows etl log. Now, I'm trying to use python to call into the same windows ...
1 vote · 0 answers · 45 views
How does Mono enable ETL files to capture both native and managed call stacks?
I am conducting a research project and have encountered an issue with an older version of Mono (a modified version used in Unity, around 2015-2016, exact version unknown). When using a profiling tool ...
0 votes · 0 answers · 182 views
Event trace consumer throwing error on ProcessTrace api
Working on creating a tool to log kernel events to get better understanding of ETW.
I used the below MS sample to create a kernel logger session and added the OpenTrace/ProcessTrace/CloseTrace APIs in ...
0 votes · 1 answer · 204 views
How to print event information using ETW in C++
Error: Unable to Start ETW Trace Session in C++ (Error Code 87)
I'm developing a C++ application to consume and print real-time events using Event Tracing for Windows (ETW). However, I'm encountering ...
0 votes · 0 answers · 125 views
To fetch bytes sent/received per sec for particular application
Need to find the amount of incoming/outgoing network bytes using a cmd/PowerShell command for a specific application.
So I researched and found that there isn't any direct way to filter this data using netstat/...
0 votes · 1 answer · 132 views
What is the easiest method for forwarding ETW logs to Splunk receiver?
I am trying to forward some kernel-level events from my Splunk UF to my Splunk receiver.
I experimented with Windows' built-in utility, logman, and was able to produce etl files and convert them to XML ...
0 votes · 1 answer · 137 views
Could not load Krabsetw in C# .NET 6.0
I am using C# with the .NET 6.0 framework in Windows 10 and trying to use the NuGet Microsoft.O365.Security.Native.ETW package, corresponding to the Microsoft Krabsetw library, which allows the use of ...
0 votes · 0 answers · 55 views
Why do operational logs end up in the debug log?
I've created an application in .Net Framework 4.6.2 which logs to the event log by extending the EventSource class (https://learn.microsoft.com/en-us/dotnet/api/system.diagnostics.tracing.eventsource?...
1 vote · 1 answer · 346 views
Exporting Call Tree into CSV with diagsession via Azure Profiler or Perfview
I'm trying to use Brendan Gregg's flamegraph, and I'm trying to fold/collapse my stacks with the stack trace/diagsession I got from application insight/azure profiler, but I can't get it to generate ...
0 votes · 1 answer · 178 views
How to find the caller of Kernel32.Beep function with ETW traces?
We have a system where some malicious code sends out arbitrary beeps, probably by calling the Beep() function in the Win32 API
I need to find out which executable does this, and want to use ETW for ...
1 vote · 1 answer · 280 views
XPerf/Windows Performance Analyzer Stack not showing names
I'm new to profiling and stack traces. I'm trying to use a stack trace and downloaded it from application insights profiler; however, many of the stack names, functions, and so forth don't have a name. ...
0 votes · 1 answer · 683 views
Perfview using Stack Trace for App Insight/ASP.NET Core Web APIs
I am new to performance in general and have been learning Perfview.
I was curious how to go about using PerfView to test the performance of my APIs hosted on ASP.NET Core Web APIs?
I was wondering if ...
0 votes · 1 answer · 159 views
How to pull DIAGSESSION/ETW/ETL file from Azure into Pipeline
For context, I have APIs that are hosted/monitored on Azure and have the profiler enabled.
I was wondering if it was possible to get a DIAGSESSION/ETW/ETL file from application insights profiler and ...
2 votes · 1 answer · 344 views
Drawbacks of using ETW for packet capture instead of an NDIS LWF or WFP driver?
Assume we want to capture IPv4 and IPv6 packets and do deep packet scans on them. I came to notice that it is also possible to capture packets using the Microsoft-Windows-NDIS-PacketCapture ETW ...
0 votes · 0 answers · 1k views
Using Winshark to Filter by process/PID
I'm following the suggestions in this question to allow filtering packets by process ID in a Windows 10 system.
@OneAndOnly recently suggested WinShark, which has a github page here.
It describes the ...
0 votes · 0 answers · 126 views
Is it possible for a .NET process to be started without Event Counters?
I have an app that attempts to establish an EventPipe session with some .NET Core processes in order to get an access to their Event Counters.
The code uses Microsoft.Diagnostics.NETCore.Client:
...
0 votes · 0 answers · 111 views
Undefined variable in generated header from ETW manifest file (Windows event tracing)
I am following the "hello world" style example for the ETW API provided in https://kallanreed.com/2016/05/28/creating-an-etw-provider-step-by-step/
When I use the "mc.exe" to ...
1 vote · 0 answers · 190 views
Real-time ETW consumer of file events EDD08927-9CC4-4E65-B970-C2560FB5C289 in VC++
I am trying to create a real-time ETW consumer in VC++. My objective is to get the file names which are accessed. I am using the GUID Microsoft-Windows-Kernel-File {EDD08927-9CC4-4E65-...
0 votes · 0 answers · 228 views
How can I trace Win32 window-messages on Windows 7?
Lately I've been tracing Win32 Window Messages using ETW (logman, xperf, WPA, et cetera) which is relatively straightforward because the Microsoft-Windows-Win32k provider exports ETW events for ...
0 votes · 2 answers · 497 views
How to investigate disk cache usage in a Win32 application?
I have a workload similar to the following:
while True:
    data = get_data_from_network();
    filename = sha1(data);
    write_to_file(filename, data, data.size());
Occasionally I read back from ...
2 votes · 0 answers · 215 views
How to write Windows ETW logs with golang?
I see there are Go packages for collecting ETW logs. But there seems to be no package to write ETW logs, especially none using the TraceLoggingWrite APIs. Is anyone aware of packages or an easy way to ...
2 votes · 1 answer · 85 views
Do ETW calls take ownership of string pointers?
I have an ETW provider, but the Visual Studio debug CRT is reporting memory leaks in it. The calls to register an event create a wchar_t* on the heap:
auto msg = convertToWchar(string); // calls ...
0 votes · 0 answers · 79 views
How to trace ETW Events inside Parallel.ForEach in C#
Need your help to understand how we can log ETW events to track Task started & Task completed inside Parallel.ForEach. I basically need to see when the event got fired.
I have gone through few ...
1 vote · 0 answers · 89 views
How can I create a listener for ArcSoftEventProvider using Python?
I was trying to create a listener for camera events (turn on, turn off).
I found out whenever I turn my camera on/off, ArcSoftEventProvider reports certain events in Windows Event Viewer in my laptop (...
1 vote · 1 answer · 3k views
How to capture events from ETW provider "Microsoft-Windows-Security-Auditing" in real time session?
I've recently been using ETW to collect events from built-in providers. I use logman to consume events and save them to a .etl file, like this:
logman create trace evt -p Microsoft-Windows-RPC -ets
...After ...
1 vote · 1 answer · 653 views
Write HoloLens 2 application logs to Windows Device Portal
I am working on a HoloLens 2 application using Unity which includes some features (mainly UDP connection to other device) that requires the application to be deployed to the HoloLens for most test ...
1 vote · 0 answers · 58 views
Receiving Multiplied Rundown events instead of once for the same ETW session
I have a simple usage of ETW.
I've subscribed to receive events from USB4 provider.
I have 2 sessions:
A real-time session which I use to print to the console log
A second one to log the events to a log ...
0 votes · 1 answer · 114 views
Get method name from Image RVA
I want to export stack trace data from an ETL file (Event Tracing for Windows) into a more readable format.
CPU profiling data is only useful with method names, but when on the recording machine no ...
-1 votes · 1 answer · 802 views
Troubleshooting Windows Event Viewer USB error 0x26 status 0xc000038e
I need some guidance in how to troubleshoot a low level issue I am facing with some USB devices.
Background: I have a .NET Windows Service that, scans connected USB devices via WMI queries + reads low ...
0 votes · 0 answers · 110 views
Can you detect a specific DLL and function load using ETW?
Is it possible to monitor calls to specific DLL functions in ETW?
I am still new to ETW, so is there any good site or procedure that might be helpful to me?
It would be great to be able to run it from ...
5 votes · 0 answers · 5k views
Why is my Azure App Service complaining that ETW resources have been exhausted? [closed]
I have two code-identical .NET 6 applications running on two separate App Services under two separate App Service Plans on Azure.
The first one I deployed a few months back and seems to be running ...
1 vote · 1 answer · 1k views
ETW Monitoring Process Start / Stop and get Command line
I want to subscribe my script to ETW to Microsoft-Windows-Kernel-Process => Process Start event.
But I can't find any way to get the Command line parameters and working directory how my process has ...
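This question and the earlier one about capturing Microsoft-Windows-Security-Auditing in a real-time session run into two facts of the platform: the Kernel-Process ProcessStart event (ID 1) carries the image name but no command line, and the Security-Auditing provider is only consumable by the built-in Security event log session, not by a logman or OpenTrace session of your own. The example below, added here and not taken from either post, gets the command line from Security event 4688 instead, which does carry it once command-line auditing is turned on. It assumes an elevated PowerShell 5.1 or later session on Windows 10 / Server 2016 or later; the SourceIdentifier name is made up.

```powershell
# Added example (not from either question). Assumes an elevated PowerShell
# 5.1+ session on Windows 10 / Server 2016 or later; 'ProcStart' is a made-up
# SourceIdentifier.

function Enable-ProcessCommandLineAudit {
    # Success auditing for Process Creation produces Security event 4688;
    # the policy value below adds the CommandLine field to it.
    auditpol /set /subcategory:'Process Creation' /success:enable | Out-Null
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Start-ProcessStartWatcher {
    # Push-based: EventLogWatcher raises EventRecordWritten for each matching
    # record, so there is no polling window in which a short-lived process is missed.
    $ns      = 'System.Diagnostics.Eventing.Reader'
    $query   = New-Object "$ns.EventLogQuery" -ArgumentList 'Security', ([System.Diagnostics.Eventing.Reader.PathType]::LogName), '*[System[EventID=4688]]'
    $watcher = New-Object "$ns.EventLogWatcher" -ArgumentList $query

    Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten `
        -SourceIdentifier 'ProcStart' -Action {
            $rec = $Event.SourceEventArgs.EventRecord
            if ($null -eq $rec) { return }          # the event fires with a null record on error
            # Look fields up by their Name attribute; positional Properties[]
            # indices shift between Windows builds.
            $d = @{}
            foreach ($x in ([xml]$rec.ToXml()).Event.EventData.Data) {
                $d[$x.GetAttribute('Name')] = $x.'#text'
            }
            Write-Host ('{0:o} pid={1} parent="{2}" user={3}\{4}' -f $rec.TimeCreated,
                $d['NewProcessId'], $d['ParentProcessName'], $d['SubjectDomainName'], $d['SubjectUserName'])
            Write-Host ('    image="{0}"' -f $d['NewProcessName'])
            Write-Host ('    cmd="{0}"'   -f $d['CommandLine'])
        } | Out-Null

    $watcher.Enabled = $true
    return $watcher
}

function Stop-ProcessStartWatcher([System.Diagnostics.Eventing.Reader.EventLogWatcher]$Watcher) {
    $Watcher.Enabled = $false
    Unregister-Event -SourceIdentifier 'ProcStart'
    $Watcher.Dispose()
}

# Usage (elevated):
#   Enable-ProcessCommandLineAudit
#   $w = Start-ProcessStartWatcher
#   Start-Process notepad.exe; Start-Sleep -Seconds 2
#   Stop-ProcessStartWatcher $w
```

NewProcessId in 4688 is a hex string (for example 0x1a2c), so convert it before comparing against the decimal ProcessID you get from the Kernel-Process provider. The working directory is not recorded by 4688 either; nothing in the Security log or the Kernel-Process provider exposes it.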
0 votes · 1 answer · 576 views
How to get rundown events with circular buffer tracing with ETW
I have been trying to use ETW for always on profiling within my app, by using the circular buffer tracing mode. Specifically CPU profiler events for the entire system, using the kernel mode event ...
1 vote · 0 answers · 129 views
In a TCP connection, what does "protocol copied data on behalf of user" mean?
I am using ETW (Event Tracing for Windows) to track certain network events such as:
TCP connection accepted
TCP data sent
TCP data received, etc.
If you are not familiar with ETW, that is OK, my ...
4 votes · 0 answers · 202 views
Microsoft-Windows-Winsock-AFD events unavailable in Windows container
I'm trying to get socket connections data for analysis from the Microsoft-Windows-Winsock-AFD publisher on both Windows host machine and docker container. But it seems like that these events are ...
0 votes · 1 answer · 251 views
Errors linking to tdh.lib
I'm trying to use functions from the Microsoft TDH library building with Visual Studio 2019. The project is using WindowsApplicationForDrivers10.0 Platform Toolset and the program is very simple:
#...
2 votes · 0 answers · 249 views
ETW lost events
I am using ETW to get some Microsoft pre-defined events. I set the EVENT_TRACE_PROPERTIES as follows:
TraceProperties->LogFileMode = EVENT_TRACE_REAL_TIME_MODE;
TraceProperties->MaximumFileSize = ...
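An added example, not code from the question, of the same session parameters set from logman rather than EVENT_TRACE_PROPERTIES, plus a check of the loss counters the kernel keeps per session. It assumes an elevated PowerShell session; the session name is made up, and the counter labels that Get-TraceLoss matches are the ones logman prints on current Windows 10 / 11 builds, which is an assumption to verify on your build.

```powershell
# Added example; not code from the question. Assumes an elevated PowerShell
# session. The session name is made up; the counter labels matched below are
# those logman prints on current Windows 10/11 builds (verify on your build).

$Session  = 'LossyTrace'
$Provider = 'Microsoft-Windows-Kernel-File'

# Real-time session (-rt) with the knobs the C code sets in EVENT_TRACE_PROPERTIES:
#   -bs 1024    BufferSize                       1 MB per buffer
#   -nb 64 256  MinimumBuffers / MaximumBuffers
#   -ft 1       FlushTimer                       hand partially filled buffers to the
#                                                real-time consumer every second
# Events are lost when every buffer up to MaximumBuffers is full and the consumer
# has not drained them. Bigger and more buffers buy time under a burst, but a
# callback that does expensive work per event still falls behind under sustained load.
logman create trace $Session -p $Provider '0xFFFFFFFFFFFFFFFF' 5 -rt -bs 1024 -nb 64 256 -ft 1 -ets

function Get-TraceLoss([string]$Name) {
    # logman query prints one "Label: value" pair per line.
    $text  = (logman query $Name -ets 2>&1) -join "`n"
    $stats = @{}
    foreach ($field in 'Buffers Written', 'Free Buffers', 'Events Lost',
                       'Log Buffers Lost', 'Real Time Buffers Lost') {
        if ($text -match "(?im)^\s*$field\s*:\s*(\d+)") { $stats[$field] = [int]$Matches[1] }
    }
    return $stats
}

# Poll while the consumer runs. A rising 'Events Lost' or 'Real Time Buffers Lost'
# with 'Free Buffers' near zero means the consumer, not the session size, is the
# bottleneck; loss with plenty of free buffers points at a provider burst too
# large for BufferSize.
1..5 | ForEach-Object { Get-TraceLoss $Session | Out-String; Start-Sleep -Seconds 2 }

logman stop $Session -ets
```

The mask is passed as a quoted string on purpose: unquoted, PowerShell parses 0xFFFFFFFFFFFFFFFF as a number before logman ever sees the text.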
2 votes · 0 answers · 65 views
How do I add spaces to folder names being created in Event Viewer > Application and Services logs?
Currently, I'm using EventSourceAttribute to create a hierarchy of subfolders in Application and Services log in Event Viewer. This is my code
[EventSource(Name = "Service-MacClient-EventSource&...
0 votes · 1 answer · 135 views
Where is the list of device driver images stored in ETW?
I am trying to programmatically get the list of device drivers from an ETW trace with the great TraceProcessing Library which is used by WPA.
using ITraceProcessor processor = TraceProcessor.Create(...