ETW microsoft code
#define INITGUID // Include this #define to use SystemTraceControlGuid in Evntrace.h. | |
#include <windows.h> | |
#include <stdio.h> | |
#include <conio.h> | |
#include <strsafe.h> | |
#include <wmistr.h> | |
#include <evntrace.h> | |
#define LOGFILE_PATH L"<FULLPATHTOTHELOGFILE.etl>" | |
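/*
 * Entry point: starts the "NT Kernel Logger" ETW session configured to
 * record TCP/IP network events into a circular log file, waits for a
 * keypress, then stops the session and releases the properties buffer.
 *
 * Notes:
 *   - KERNEL_LOGGER_NAME is the single system-wide kernel logger session.
 *     Controlling it requires administrative rights (or membership in the
 *     Performance Log Users group), and only one instance can exist at a
 *     time, which is why ERROR_ALREADY_EXISTS is reported separately.
 *   - LOGFILE_PATH is a placeholder that must be replaced with a real
 *     path before this program is built; the captured network metadata
 *     is written there.
 *   - Returns nothing; all failures are reported on stdout via wprintf.
 */
void wmain(void)
{
    ULONG status = ERROR_SUCCESS;
    TRACEHANDLE SessionHandle = 0;
    EVENT_TRACE_PROPERTIES *pSessionProperties = NULL;
    ULONG BufferSize = 0;

    /*
     * The properties structure is followed in memory by the session name
     * and then the log file name, so the allocation must cover all three.
     * Only the log file name is copied here; StartTrace fills in the
     * session name at LoggerNameOffset.
     */
    BufferSize = sizeof(EVENT_TRACE_PROPERTIES) + sizeof(LOGFILE_PATH) + sizeof(KERNEL_LOGGER_NAME);
    pSessionProperties = malloc(BufferSize);
    if (NULL == pSessionProperties)
    {
        /* BufferSize is a ULONG, so the conversion must be %lu (was %d). */
        wprintf(L"Unable to allocate %lu bytes for properties structure.\n", BufferSize);
        goto cleanup;
    }

    ZeroMemory(pSessionProperties, BufferSize);
    pSessionProperties->Wnode.BufferSize = BufferSize;
    pSessionProperties->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
    pSessionProperties->Wnode.ClientContext = 1;  /* QPC clock resolution */
    pSessionProperties->Wnode.Guid = SystemTraceControlGuid;
    pSessionProperties->EnableFlags = EVENT_TRACE_FLAG_NETWORK_TCPIP;
    pSessionProperties->LogFileMode = EVENT_TRACE_FILE_MODE_CIRCULAR;
    pSessionProperties->MaximumFileSize = 5;  /* MB; circular mode needs a non-zero size */
    pSessionProperties->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
    pSessionProperties->LogFileNameOffset = sizeof(EVENT_TRACE_PROPERTIES) + sizeof(KERNEL_LOGGER_NAME);

    /*
     * Bounded copy of the log path into the trailing area of the buffer.
     * The destination is sized exactly to sizeof(LOGFILE_PATH), so a
     * failure here would mean a truncated path; do not start the session
     * on a bad path.
     */
    if (FAILED(StringCbCopy((LPWSTR)((char *)pSessionProperties + pSessionProperties->LogFileNameOffset),
                            sizeof(LOGFILE_PATH), LOGFILE_PATH)))
    {
        wprintf(L"Unable to copy the log file path into the properties structure.\n");
        goto cleanup;
    }

    /* Create the trace session. */
    status = StartTrace((PTRACEHANDLE)&SessionHandle, KERNEL_LOGGER_NAME, pSessionProperties);
    if (ERROR_SUCCESS != status)
    {
        if (ERROR_ALREADY_EXISTS == status)
        {
            wprintf(L"The NT Kernel Logger session is already in use.\n");
        }
        else
        {
            /* The failing call is StartTrace; the original text named EnableTrace. */
            wprintf(L"StartTrace() failed with %lu\n", status);
        }
        goto cleanup;
    }

    wprintf(L"Press any key to end trace session ");
    _getch();

cleanup:
    /*
     * SessionHandle is non-zero only after a successful StartTrace, so the
     * stop request is issued only for the session this process started.
     */
    if (SessionHandle)
    {
        status = ControlTrace(SessionHandle, KERNEL_LOGGER_NAME, pSessionProperties, EVENT_TRACE_CONTROL_STOP);
        if (ERROR_SUCCESS != status)
        {
            wprintf(L"ControlTrace(stop) failed with %lu\n", status);
        }
    }
    free(pSessionProperties);  /* free(NULL) is a no-op, so no guard is needed */
}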