XP/2003 上的 ETW 文件 IO 监控 [英] ETW File IO Monitoring on XP/2003

问题描述

我一直在研究用于进程/文件/注册表/网络监控的 ETW.看起来它在 Win7 上拥有我需要的一切.但是，在 XP 上，它似乎缺乏相同级别的细节.具体来说，对于文件 IO，似乎只记录了FileCreate"事件，而进程创建事件没有提供完整路径.

I've been investigating ETW for process/file/registry/network monitoring. It looks like it on Win7 it has everything I need. However, on XP it seems to be lacking the same level of detail. Specifcally, with file IO only "FileCreate" events seem to be logged and process creation events don't give a full path.

是否可以使用 ETW 确定何时在 XP 上写入文件?以及流程启动事件的完整路径如何?

Is it possible to determine when a file is written to on XP with ETW? And how about the full path to a process start event?

推荐答案

从 Vista 开始 MS 向 Windows 添加了许多 ETW 提供程序.XP/Server 只有几个.所以你不能为 XP 解决这个问题.

Starting with Vista MS added a lot of ETW providers to Windows. XP/Server only had a few of them. So you can't fix this for XP.

这篇关于XP/2003 上的 ETW 文件 IO 监控的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！