ETW event descriptor
Problem description
Hi everyone,
I'm implementing a program that should give ETW information. I'm getting only the process id and the event descriptor. I just wanted to know the event id for event start and event stop, which I can filter out from the event descriptor I'm getting from the ETW provider. Could anyone help me to get the correct output? I also want detailed knowledge about the event descriptor and all other properties of an event.
Thanks
Thanks for posting here.
>>Could anyone help me to get correct output and I also want detailed knowledge about event descriptor and all other properties about event.
This EVENT_DESCRIPTOR structure represents an event defined in the manifest. You do not declare and populate this structure; instead you use the Message Compiler (MC.exe) to generate a header file that declares and populates this structure for each event in the manifest. This structure is also included in the EVENT_HEADER structure that is returned with the event record when you consume events using the EventRecordCallback callback. For MOF-defined events, the Opcode member contains the event type value. The Version and Level members contain the expected information.
Maybe you need a document about the knowledge of Event Trace feature. Please refer to this one below.
https://msdn.microsoft.com/en-us/library/windows/desktop/bb968803(v=vs.85).aspx
Or the blog which I have already given to you.
https://blogs.msdn.microsoft.com/dcook/2015/09/30/etw-overview/
Best Regards,
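The answer above describes where the descriptor lives (EVENT_HEADER.EventDescriptor inside the EVENT_RECORD handed to EventRecordCallback) but not how a consumer actually picks out start and stop events from it. The following is an added example, not code from this thread or from Microsoft: a callback with the EventRecordCallback signature that reads the descriptor, treats Opcode win:Start (1) and win:Stop (2) as the activity boundaries, and optionally restricts counting to one process id. On Windows it is assumed to compile against the SDK headers (windows.h, evntrace.h, evntcons.h, winmeta.h; not verified here); on any other platform a labelled stand-in mirrors only the fields the code reads, so the filtering logic can be run offline against constructed sample records. The sample records, the ConsumerStats type and the function names are all constructed for this example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <evntrace.h>
#include <evntcons.h>
#include <winmeta.h>   /* WINEVENT_OPCODE_START / WINEVENT_OPCODE_STOP */
#else
/* Stand-in for the Windows SDK types (assumption for offline builds): only
 * the members read below, in the same order as the real definitions. */
typedef struct _EVENT_DESCRIPTOR {
    uint16_t Id;
    uint8_t  Version;
    uint8_t  Channel;
    uint8_t  Level;
    uint8_t  Opcode;
    uint16_t Task;
    uint64_t Keyword;
} EVENT_DESCRIPTOR;

typedef struct _EVENT_HEADER {
    uint32_t ProcessId;
    uint32_t ThreadId;
    EVENT_DESCRIPTOR EventDescriptor;
} EVENT_HEADER;

typedef struct _EVENT_RECORD {
    EVENT_HEADER EventHeader;
    void *UserContext;   /* on Windows: EVENT_TRACE_LOGFILE.Context */
} EVENT_RECORD, *PEVENT_RECORD;

#define WINEVENT_OPCODE_START 1   /* win:Start */
#define WINEVENT_OPCODE_STOP  2   /* win:Stop  */
#define WINAPI
typedef void VOID;
#endif

/* Constructed per-session state; reached through EventRecord->UserContext
 * because the callback receives no separate user-data argument. */
typedef struct {
    uint32_t target_pid;   /* 0 = count every process */
    unsigned starts;
    unsigned stops;
    unsigned other;
} ConsumerStats;

/* Manifest-based providers mark an activity's boundaries with the Opcode
 * member of EVENT_DESCRIPTOR; the event Id identifies which activity. */
int is_start_event(const EVENT_DESCRIPTOR *d) { return d->Opcode == WINEVENT_OPCODE_START; }
int is_stop_event(const EVENT_DESCRIPTOR *d)  { return d->Opcode == WINEVENT_OPCODE_STOP; }

/* Same signature as the EventRecordCallback that ProcessTrace invokes. */
VOID WINAPI OnEventRecord(PEVENT_RECORD rec)
{
    ConsumerStats *st = (ConsumerStats *)rec->UserContext;
    const EVENT_HEADER *h = &rec->EventHeader;
    if (st->target_pid != 0 && h->ProcessId != st->target_pid)
        return;   /* not the process we are watching */
    if (is_start_event(&h->EventDescriptor))      st->starts++;
    else if (is_stop_event(&h->EventDescriptor))  st->stops++;
    else                                          st->other++;
}

/* Replays constructed records through the callback, as ProcessTrace would,
 * and returns the count for one kind: 1 = start, 2 = stop, anything else = other. */
unsigned count_kind(uint32_t target_pid, int kind)
{
    ConsumerStats st = { target_pid, 0, 0, 0 };
    /* Constructed sample (ProcessId, Id, Opcode); not real captured data. */
    struct { uint32_t pid; uint16_t id; uint8_t opcode; } sample[] = {
        { 1234, 1, WINEVENT_OPCODE_START },
        { 1234, 5, 0 },
        { 1234, 2, WINEVENT_OPCODE_STOP },
        { 4321, 1, WINEVENT_OPCODE_START },
        { 4321, 2, WINEVENT_OPCODE_STOP },
        { 4321, 2, WINEVENT_OPCODE_STOP },
    };
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        EVENT_RECORD rec;
        memset(&rec, 0, sizeof rec);
        rec.EventHeader.ProcessId = sample[i].pid;
        rec.EventHeader.EventDescriptor.Id = sample[i].id;
        rec.EventHeader.EventDescriptor.Opcode = sample[i].opcode;
        rec.UserContext = &st;
        OnEventRecord(&rec);
    }
    if (kind == 1) return st.starts;
    if (kind == 2) return st.stops;
    return st.other;
}

int main(void)
{
    printf("pid 1234: %u start, %u stop, %u other\n",
           count_kind(1234, 1), count_kind(1234, 2), count_kind(1234, 0));
    return 0;
}
```

In a real consumer on Windows the callback is wired up by filling an EVENT_TRACE_LOGFILE with PROCESS_TRACE_MODE_EVENT_RECORD in ProcessTraceMode, the callback in EventRecordCallback, and the ConsumerStats pointer in Context, then calling OpenTrace and ProcessTrace; the Opcode check is the same. Because MOF-defined events put the event type in Opcode rather than using win:Start/win:Stop, and some manifest providers use distinct Ids rather than opcodes for boundaries, check the provider's manifest and extend is_start_event/is_stop_event with the documented Ids where the opcode alone is not enough.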