Activate Stacks only for some specific ETW Tasks in a provider?

Question

Since Windows 7 it is possible to activate callstacks for usermode events. This works fine, but sometimes activating stacks for all tasks/Events in a provider is not needed and it would be nice to only activate stacks for some specific Tasks. Is this possible?

Recommended answer

Yes, this is possible since Windows 8.1 with the type entry in _EVENT_FILTER_DESCRIPTOR when it is set to EVENT_FILTER_TYPE_STACKWALK when you call EnableTraceEx2.

On Windows 8.1, Windows Server 2012 R2, and later, event payload, scope, and stack walk filters can be used by the EnableTraceEx2 function and the ENABLE_TRACE_PARAMETERS and EVENT_FILTER_DESCRIPTOR structures to filter on specific conditions in a logger session.

When stack walking is enabled for a provider, then the stack is captured for all the events generated by the provider. Most of the time, the user is only interested in stack from only certain number of events.

This feature allows enabling or disabling stack walking on a list of events. The provided filter includes a EVENT_FILTER_EVENT_ID structure that contains an array of event IDs and a Boolean value that indicates whether to enable or disable stack capturing for the specified events. Each event write call will go through this array quickly to find out whether the stack should be captured or not.

With Windows Performance Recorder it is possible to achieve this in the WPR Profile with a second EventCollectorId entry which has an EventProviders entry where stackwalking is enabled.

In this demo profile, I created one EventProvider (EventProvider_DotNETRuntime) for provider Microsoft-Windows-DotNETRuntime without stacks to capture JIT and GC data and another EventProvider (EventProvider_DotNETRuntime_Stack) for provider Microsoft-Windows-DotNETRuntime with stacks to capture stacks for Exceptions and Loader Events.

<?xml version="1.0" encoding="utf-8"?>
<WindowsPerformanceRecorder Version="1.0" Author="MagicAndre1981" Copyright="MagicAndre1981">
  <Profiles>
    <SystemCollector Id="SystemCollector" Name="NT Kernel Logger">
      <BufferSize Value="1024" />
      <Buffers Value="384" />
    </SystemCollector>
    <EventCollector Id="EventCollector_DotNETRuntime_Session" Name="DotNETRuntime_Session">
      <BufferSize Value="1024" />
      <Buffers Value="128" />
    </EventCollector>
    <EventCollector Id="EventCollector_DotNETRuntime_with_Stack" Name="DotNETRuntime_Session_with_Stack">
      <BufferSize Value="1024" />
      <Buffers Value="128" />
    </EventCollector>
    <SystemProvider Id="SystemProvider">
      <Keywords>
        <Keyword Value="ProcessThread" />       <!--PROC_THREAD-->
        <Keyword Value="Loader" />              <!--LOADER-->
        <Keyword Value="SampledProfile" />      <!--PROFILE-->
        <Keyword Value="Interrupt"/>            <!--INTERRUPT-->
        <Keyword Value="DPC"/>                  <!--DPC-->
        <Keyword Value="ReadyThread" />         <!--Dispatcher-->
        <Keyword Value="CSwitch" />             <!--CSwitch-->
      </Keywords>
      <Stacks>
        <Stack Value="SampledProfile" />        <!--Profile-->
        <Stack Value="CSwitch" />               <!--CSwitch-->
        <Stack Value="ReadyThread" />           <!--ReadyThread-->
        <Stack Value="ImageLoad" />             <!--ImageLoad-->
        <Stack Value="ImageUnload" />           <!--ImageUnload-->
      </Stacks>
    </SystemProvider>
    <EventProvider Id="EventProvider_DotNETRuntime" Name="Microsoft-Windows-DotNETRuntime" Level="5" Stack="false">
      <Keywords>
        <Keyword Value="0x111" />                       <!--GCKeyword, JitKeyword, JitRundownKeyword, EndRundownKeyword -->
      </Keywords>
    </EventProvider>
    <EventProvider Id="EventProvider_DotNETRuntime_Stack" Name="Microsoft-Windows-DotNETRuntime" Level="5" Stack="true">
      <Keywords>
        <Keyword Value="0x8008" />                      <!--LoaderKeyword, LoaderRundownKeyword, ExceptionKeyword -->
      </Keywords>
    </EventProvider>
    <EventProvider Id="EventProvider_DotNETRuntimePrivate" Name="763fd754-7086-4dfe-95eb-c01a46faf4ca" Level="5" Stack="false">
      <Keywords>
        <Keyword Value="0xE" />
      </Keywords>
    </EventProvider>
    <EventProvider Id="EventProvider_DotNETRuntimeRundown_CaptureState" Name="Microsoft-Windows-DotNETRuntimeRundown" Level="5" CaptureStateOnly="true" Stack="false">
      <CaptureStateOnSave>
        <Keyword Value="0x118" />
      </CaptureStateOnSave>
    </EventProvider>
    <Profile Id="DotNetRuntimeProfile.Verbose.File" Name="DotNetRuntimeProfile" Description="DotNetRuntime Profile" LoggingMode="File" DetailLevel="Verbose">
      <Collectors>
        <SystemCollectorId Value="SystemCollector">
          <SystemProviderId Value="SystemProvider" />
        </SystemCollectorId>
        <EventCollectorId Value="EventCollector_DotNETRuntime_Session">
          <EventProviders>
            <EventProviderId Value="EventProvider_DotNETRuntime" />
            <EventProviderId Value="EventProvider_DotNETRuntimePrivate" />
            <EventProviderId Value="EventProvider_DotNETRuntimeRundown_CaptureState" />
          </EventProviders>
        </EventCollectorId>
        <EventCollectorId Value="EventCollector_DotNETRuntime_with_Stack">
          <EventProviders>
            <EventProviderId Value="EventProvider_DotNETRuntime_Stack" />
          </EventProviders>
        </EventCollectorId>
      </Collectors>
    </Profile>
    <Profile Id="DotNetRuntimeProfile.Verbose.Memory" Name="DotNetRuntimeProfile" Description="DotNetRuntime Profile" Base="DotNetRuntimeProfile.Verbose.File" LoggingMode="Memory" DetailLevel="Verbose"/>
  </Profiles>
  <TraceMergeProperties>
    <TraceMergeProperty Id="BaseVerboseTraceMergeProperties" Name="BaseTraceMergeProperties" Base="">
      <CustomEvents>
          <CustomEvent Value="ImageId"/>
          <CustomEvent Value="BuildInfo"/>
          <CustomEvent Value="VolumeMapping"/>
          <CustomEvent Value="EventMetadata"/>
          <CustomEvent Value="PerfTrackMetadata"/>
          <CustomEvent Value="NetworkInterface"/>
        </CustomEvents>
      <FileCompression Value="true" />
     </TraceMergeProperty>
  </TraceMergeProperties>
</WindowsPerformanceRecorder>

When you now run Windows Performance Recorder to capture the data:

"C:\Program Files (x86)\Windows Kits\8.1\Windows Performance Toolkit\wpr.exe" -start  DotNetRuntime.wprp

then stop the recording:

"C:\Program Files (x86)\Windows Kits\8.1\Windows Performance Toolkit\wpr.exe" -stop Result.etl

and open the trace with Windows Performance Analyzer and load the debug symbols, you can see the stacks for the Exception data, but not for Jit or GC events:

Attention. When you run this under Windows 7 or Windows 8 (Build 9200), the last EventLogger for the provider is used with the specified keywords and stack options. Here you should create 2 WPRP profiles and detect the Windows version and run the correct profile.
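
A small linter for the profile layout described in this answer, added here as an example (it is not part of the original answer or of WPR): it parses a WPRP file, finds providers listed with both Stack="true" and Stack="false", checks that those entries sit under different EventCollectorId elements, and flags builds below 9600 (Windows 8.1), where per the note above only the last entry takes effect. The function name, the trimmed sample profile and the wording of the findings are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

WIN81_BUILD = 9600  # Windows 8.1; the page gives 9200 for Windows 8
# Constructed sample: trimmed to the elements this check reads, same layout as the demo.
SAMPLE_WPRP = """<WindowsPerformanceRecorder Version="1.0"><Profiles>
  <EventProvider Id="P_NoStack" Name="Microsoft-Windows-DotNETRuntime" Level="5" Stack="false">
    <Keywords><Keyword Value="0x111"/></Keywords>
  </EventProvider>
  <EventProvider Id="P_Stack" Name="Microsoft-Windows-DotNETRuntime" Level="5" Stack="true">
    <Keywords><Keyword Value="0x8008"/></Keywords>
  </EventProvider>
  <Profile Id="Demo.Verbose.File" Name="Demo" LoggingMode="File" DetailLevel="Verbose">
    <Collectors>
      <EventCollectorId Value="C_NoStack">
        <EventProviders><EventProviderId Value="P_NoStack"/></EventProviders>
      </EventCollectorId>
      <EventCollectorId Value="C_Stack">
        <EventProviders><EventProviderId Value="P_Stack"/></EventProviders>
      </EventCollectorId>
    </Collectors>
  </Profile>
</Profiles></WindowsPerformanceRecorder>"""

def lint_profile(wprp_xml, os_build):
    """Return findings for providers split into stack / no-stack entries."""
    root = ET.fromstring(wprp_xml)
    defs = {}  # EventProvider Id -> (provider name, Stack flag, OR-ed keyword mask)
    for p in root.iter("EventProvider"):
        mask = 0
        for k in p.iter("Keyword"):
            mask |= int(k.get("Value"), 16)
        defs[p.get("Id")] = (p.get("Name"), p.get("Stack", "false").lower() == "true", mask)
    findings = []
    for profile in root.iter("Profile"):
        uses = defaultdict(list)  # provider name -> [(collector, stack, mask)] in file order
        for coll in profile.iter("EventCollectorId"):
            for ref in coll.iter("EventProviderId"):
                name, stack, mask = defs[ref.get("Value")]
                uses[name].append((coll.get("Value"), stack, mask))
        for name, entries in uses.items():
            if len({stack for _, stack, _ in entries}) < 2:
                continue  # provider is not split, nothing to check
            if len({c for c, _, _ in entries}) < len(entries):
                findings.append(f"{name}: stack and no-stack entries share a collector")
            if os_build < WIN81_BUILD:
                _, stack, mask = entries[-1]
                findings.append(f"{name}: build {os_build} uses only last entry (stack={stack}, keywords={mask:#x})")
    return findings
```
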
