ETW system calls tracing

Asked Oct 18 '14 at 14:10

Active Oct 18 '14 at 15:25

Viewed 747 times

How one could get a process id who generated the system call in ETW? As long as ProcessID and ThreadID members of event header are = to -1, this can't be used. I heard about activating CSWitch flag to capture every single context switch, but that only gives me, NewThreadId and OldThreadId according the MOF class. I want the process id too.

Thanks

edited Oct 18 '14 at 15:25

asked Oct 18 '14 at 14:10

Nedo

which calls do you wan to trace? – magicandre1981 Oct 18 '14 at 15:18
Basically, all system calls, but I want to know which process from the user space made a call. – Nedo Oct 18 '14 at 15:22
I still don't know what you mean. You already see the kernel calls. – magicandre1981 Oct 19 '14 at 07:58
Can't you keep track of which process each thread belongs to? – arx Oct 19 '14 at 09:40
@arx yes, I figured out there is an API call to do that, GetProcessIdOfThread. – Nedo Oct 19 '14 at 10:05

ETW system calls tracing

0 Answers0

Linked