如何注册为NT内核事件的实时ETW消费者？ [英] How do I register as a real-time ETW consumer for NT Kernel Events?

问题描述

我已经能够使用logman成功地转储一些内核跟踪。然而，我希望能够在我的应用程序中以编程方式实现内核事件的实时消耗（主要是线程/进程创建/删除和文件I / O）。

I have been able to use logman with some success to dump some kernel traces. However, I'd like to be able to programatically enable real-time consumption of kernel events (mainly thread/process creation/deletion and file I/O) in my application. What is the best approach to this task?

推荐答案

您可以在 StartTrace 。在 EVENT_TRACE_PROPERTIES 中，您传递给StartTrace，EnableFlags包含不同内核事件提供者的各种标志。将EVENT_TRACE_PROPERTIES中的LogFileMode设置为 EVENT_TRACE_REAL_TIME_MODE 成为实时消费者。然后，您可以使用 ProcessTrace 使用这些事件。

You enable kernel events in StartTrace. In the EVENT_TRACE_PROPERTIES you pass to StartTrace, EnableFlags contains various flags for the different kernel event providers. Set LogFileMode in EVENT_TRACE_PROPERTIES to EVENT_TRACE_REAL_TIME_MODE to be a real-time consumer. You can then consume the events using ProcessTrace.

这篇关于如何注册为NT内核事件的实时ETW消费者？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！