通过事件跟踪（ETW）会话的特定进程获取创建/修改/删除的文件 [英] Get created/modified/deleted files by a specific process from an event tracing (ETW) session

问题描述

我一直在寻找解决方案，通过事件跟踪（ETW）会话的特定过程获取所有创建/修改和删除的文件（我将处理来自etl文件的数据而不是实时会话）。

I've been searching for a solution to get all created/modified and deleted files by a specific process from an event trace (ETW) session (I will process data from an etl file not from a real-time session).

显然，最简单的解决方案是从 FileIo_Name 类并将其映射到相应的 DiskIo_TypeGroup1 事件。但是，这个解决方案对我来说不起作用，因为我没有收到相应的 FileDelete 事件的任何 DiskIo_TypeGroup1 事件，所以我无法获取进程ID。也不是所有的 FileCreate 事件有一个关联的 DiskIo_TypeGroup1 事件（我认为这是为空的创建文件或仅为打开的文件发生）。

Apparently the simplest solution to get this done was to get the FileCreate and FileDelete events from FileIo_Name class and map them to the corresponding DiskIo_TypeGroup1 events. However, this solution isn't working for me since I don't receive any DiskIo_TypeGroup1 events for the corresponding FileDelete events, so I can not get the process ID. Also not all FileCreate events have an associated DiskIo_TypeGroup1 event (I think this happens for the empty created files or only for the opened files).

注意：我需要 DiskIo_TypeGroup1 映射，因为 FileIo_Name 事件没有 ThreadId 和 ProcessId （ULONG）-1 。此外，我不能决定哪些文件刚刚打开或修改，而不知道文件写入大小。 DiskIo_TypeGroup1 也没有填充 ThreadId 和 ProcessId （在事件头中，在较新的操作系统上）成员，但它具有 IssuingThreadId 结构成员，我可以从中获取 ProcessId 映射到 Thread_TypeGroup1 类事件。

Note: I need DiskIo_TypeGroup1 mapping because FileIo_Name events don't have the ThreadId and ProcessId members populated - they are set to (ULONG)-1. Also, I can not decide which files where just opened or modified without knowing the "file write size". DiskIo_TypeGroup1 also don't have the ThreadId and ProcessId (in event header, on newer OS's) members populated, but it has the IssuingThreadId structure member from which I can obtain the ProcessId mapping to Thread_TypeGroup1 class events.

所以我调查了 FileIo_Create 类可以帮助我，并表示我可以获得可以具有以下标志的 CreateOptions 成员：（FILE_SUPERSEDE，FILE_CREATE，FILE_OPEN， FILE_OPEN_IF，FILE_OVERWRITE，FILE_OVERWRITE_IF）。但最初的问题仍然存在。如何检查文件是否从头开始创建，而不是刚刚打开（例如，在 FILE_SUPERSEDE 的情况下）？

So I investigated how the FileIo_Create class can help me, and remarked that I can get the CreateOptions member which can have the following flags: (FILE_SUPERSEDE, FILE_CREATE, FILE_OPEN, FILE_OPEN_IF, FILE_OVERWRITE, FILE_OVERWRITE_IF). But the initial problem still persists. How can I check if a file was created from scratch instead of being just opened (e.g. in case of FILE_SUPERSEDE)?

也许我可以使用 FileIo_ReadWrite 类来获取写入事件。像使用 DiskIo_TypeGroup1 类。那么，如果有一些东西写在一个文件中，那么我可以假设这个文件是被创建还是被修改？

Maybe I can use the FileIo_ReadWrite class to get Write event. Like using the DiskIo_TypeGroup1 class. So, if something was written to a file, then can I suppose that the file was either created or modified?

要找到被删除的文件，我认为这个 FileIo_Info 类和删除事件是解决方案。猜测我可以接收删除事件并将其映射到 FileIo_Name 以获取文件名。

To find the deleted files I think that the FileIo_Info class and Delete event are the solution. Guess that I can receive Delete events and map them to FileIo_Name to get the file names.

注意： FileIo_Create ， FileIo_Info ， FileIo_ReadWrite 包含有关进程标识的信息。我的假设是正确的吗？

Note: The FileIo_Create, FileIo_Info, FileIo_ReadWrite contain information about process id.

对于我的问题，什么是最好的解决方案？

Are my suppositions right? What will be the best solution for my problem?

推荐答案

我将分享我实现的解决方案如下：

I will share my implemented solution as follow :

1. 创建的文件：

1. Created Files:

• 我已经存储所有 FileIo_Create 事件作为待处理的创建操作，并等待接收相关联的 FileIo_OpEnd 以确定文件是否已从 ExtraInfo 结构中打开，创建，覆盖或替代成员。

• I have stored all FileIo_Create events as a pending create operation and waited to receive associated FileIo_OpEnd to decide if the file was opened, created, overwritten, or superseded from the ExtraInfo structure member.

修改的文件：

• 我从 FileIo_ReadWrite 每个写入事件标记文件为脏，每个类型的InfoInfo 事件与InfoClass-> FileEndOfFileInformation 和 InfoClass-> FileValidDataLengthInformation FileIo_Info 。最后，从 FileIo_SimpleOp 上的清理事件，验证文件是否被标记为脏，并保存为修改。

• I marked files as dirty for every Write event from FileIo_ReadWrite and every SetInfo event with InfoClass->FileEndOfFileInformation and InfoClass->FileValidDataLengthInformation from FileIo_Info. Finally on Cleanup event from FileIo_SimpleOp verify if the file was marked as dirty and store as modified.

已删除的文件：

• 如果使用 CreateOptions- > FileIo_Create 中的FILE_DELETE_ON_CLOSE 标志，或者显示 FileIo_Info 中的删除事件。最后，从 FileIo_SimpleOp 中的清理事件将文件存储为已删除。

• I marked the files as deleted if was opened with the CreateOptions->FILE_DELETE_ON_CLOSE flag from FileIo_Create or if a Delete event from FileIo_Info appears. Finally on Cleanup event from FileIo_SimpleOp stored the file as deleted.

此外，进程标识和文件名是从 FileIo_Create 事件获取的，更准确地说，来自 OpenPath 结构成员和 ProcessId 事件标题成员。

Also the process id and file name was obtained from the FileIo_Create events, more precisely from OpenPath structure member and ProcessId event header member.

这篇关于通过事件跟踪（ETW）会话的特定进程获取创建/修改/删除的文件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！