
We are working on an ETW real-time consumer application, referring to the https://msdn.microsoft.com/en-us/library/windows/desktop/aa364157(v=vs.85).aspx sample.

We have been successful in getting the callback and printing "ParentGuid" of the EVENT_TRACE structure within the callback. However, the MofData pointer is always NULL and MofLength is always 0 (zero).

On the other hand, if we use the non-real-time ETW consumer method, i.e. file mode, reading from an .etl file, we get a valid MofData pointer.

We are trying to consume kernel events such as CPU usage and disk I/O details in real time.

So does it mean we cannot consume kernel events in real time? Can someone suggest why we are not getting a valid MofData pointer?

// ConsoleApplication5.cpp : Defines the entry point for the console application.
//

// Turns the DEFINE_GUID for EventTraceGuid into a const.
#define INITGUID
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <evntrace.h>

// Name of the real-time session started with xperf (-realtime).
#define LOGSESSION_NAME L"power"

// Used to calculate CPU usage
ULONG g_TimerResolution = 0;

void WINAPI ProcessEvent(PEVENT_TRACE pEvent);
ULONG WINAPI ProcessBuffer(PEVENT_TRACE_LOGFILE pBuffer);

int wmain(void)
{
    ULONG status = ERROR_SUCCESS;
    EVENT_TRACE_LOGFILE trace;
    TRACE_LOGFILE_HEADER* pHeader = &trace.LogfileHeader;
    TRACEHANDLE hTrace = 0;

    // Identify the real-time session from which you want to consume events
    // and the callbacks used to process the events and buffers.
    ZeroMemory(&trace, sizeof(EVENT_TRACE_LOGFILE));
    trace.LoggerName = (LPWSTR)LOGSESSION_NAME;
    trace.CurrentTime = 0;
    trace.BuffersRead = 0;
    trace.BufferSize = 0;
    trace.Filled = 0;
    trace.EventsLost = 0;
    trace.Context = NULL;
    trace.ProcessTraceMode = PROCESS_TRACE_MODE_REAL_TIME | PROCESS_TRACE_MODE_EVENT_RECORD;
    trace.EventCallback = (PEVENT_CALLBACK)(ProcessEvent);
    trace.BufferCallback = (PEVENT_TRACE_BUFFER_CALLBACK)(ProcessBuffer);

    hTrace = OpenTrace(&trace);
    if ((TRACEHANDLE)INVALID_HANDLE_VALUE == hTrace)
    {
        wprintf(L"OpenTrace failed with %lu\n", GetLastError());
        goto cleanup;
    }

    if (pHeader->TimerResolution > 0)
    {
        g_TimerResolution = pHeader->TimerResolution / 10000;
    }

    wprintf(L"Number of events lost:  %lu\n", pHeader->EventsLost);

    // Use pHeader to access all fields prior to LoggerName.
    // Adjust pHeader based on the pointer size to access
    // all fields after LogFileName. This is required only if
    // you are consuming events on an architecture that is
    // different from the architecture used to write the events.
    if (pHeader->PointerSize != sizeof(PVOID))
    {
        pHeader = (PTRACE_LOGFILE_HEADER)((PUCHAR)pHeader +
            2 * (pHeader->PointerSize - sizeof(PVOID)));
    }

    wprintf(L"Number of buffers lost: %lu\n\n", pHeader->BuffersLost);

    // Blocks and delivers events to the callbacks until the session
    // stops or CloseTrace is called from another thread.
    status = ProcessTrace(&hTrace, 1, 0, 0);
    if (status != ERROR_SUCCESS && status != ERROR_CANCELLED)
    {
        wprintf(L"ProcessTrace failed with %lu\n", status);
        goto cleanup;
    }

cleanup:

    if ((TRACEHANDLE)INVALID_HANDLE_VALUE != hTrace)
    {
        status = CloseTrace(hTrace);
    }

    return (int)status;
}

// Buffer callback: return TRUE to keep receiving buffers.
ULONG WINAPI ProcessBuffer(PEVENT_TRACE_LOGFILE pBuffer)
{
    UNREFERENCED_PARAMETER(pBuffer);
    return TRUE;
}

// Event callback: prints the MofData pointer and its length.
VOID WINAPI ProcessEvent(PEVENT_TRACE pEvent)
{
    PBYTE pEventData = NULL;
    pEventData = (PBYTE)(pEvent->MofData);
    printf("\n MofData %p", (void*)pEventData);
    printf("\n MofLength %lu", pEvent->MofLength);
}
user1187176
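The posted configuration sets PROCESS_TRACE_MODE_EVENT_RECORD, which makes ETW hand each event to the callback as an EVENT_RECORD (payload in UserData/UserDataLength), and the callback is expected in the EventRecordCallback member. EventCallback and EventRecordCallback share one union in EVENT_TRACE_LOGFILE, so the cast compiles and the function is called, but it then reads an EVENT_RECORD through an EVENT_TRACE layout, where MofData and MofLength do not line up with the real payload fields. The following is an added example, not the asker's code and not the MSDN sample: the Windows glue under _WIN32 opens the "power" session from the post with a proper EventRecordCallback, and a portable decoder parses the classic kernel DiskIo read/write payload (DiskIo_TypeGroup1) that the comments mention wanting to parse, taking the pointer size from the event header flags rather than from sizeof(void*). The session name, the DiskIo_TypeGroup1 field layout, and the sample payload values are assumptions or constructed for the example; the decoder and sample build on any platform, only the glue needs the Windows SDK.

```cpp
// Added example (not the asker's code): EVENT_RECORD-based real-time consumer
// plus a portable decoder for the classic DiskIo_TypeGroup1 MOF payload.
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Decoded DiskIo_TypeGroup1 payload (MOF EventType 10 = Read, 11 = Write).
// Assumed layout, packed, in class order: DiskNumber u32, IrpFlags u32,
// TransferSize u32, Reserved u32, ByteOffset s64, FileObject ptr, Irp ptr,
// HighResResponseTime u64, IssuingThreadId u32 (version 3 only).
struct DiskIoRecord {
    uint32_t diskNumber;
    uint32_t irpFlags;
    uint32_t transferSize;
    int64_t  byteOffset;
    uint64_t fileObject;          // pointer-sized in the payload, widened here
    uint64_t irp;
    uint64_t highResResponseTime;
    uint32_t issuingThreadId;     // 0 when the payload predates version 3
};

// Little-endian reader; MOF payloads carry no alignment padding, so fields
// are consumed sequentially at a running offset.
static uint64_t readLE(const uint8_t* p, size_t width) {
    uint64_t v = 0;
    for (size_t i = 0; i < width; ++i) v |= (uint64_t)p[i] << (8 * i);
    return v;
}

// pointerSize (4 or 8) comes from the producing system, i.e. the event header
// flags, so a 64-bit consumer can decode a 32-bit trace correctly.
// Returns false when the buffer is shorter than the fixed part of the class.
bool decodeDiskIo(const uint8_t* data, size_t len, size_t pointerSize, DiskIoRecord& out) {
    if (pointerSize != 4 && pointerSize != 8) return false;
    const size_t fixedLen = 4 + 4 + 4 + 4 + 8 + pointerSize + pointerSize + 8;
    if (data == nullptr || len < fixedLen) return false;
    size_t off = 0;
    out.diskNumber   = (uint32_t)readLE(data + off, 4);   off += 4;
    out.irpFlags     = (uint32_t)readLE(data + off, 4);   off += 4;
    out.transferSize = (uint32_t)readLE(data + off, 4);   off += 4;
    off += 4;                                             // Reserved
    out.byteOffset   = (int64_t)readLE(data + off, 8);    off += 8;
    out.fileObject   = readLE(data + off, pointerSize);   off += pointerSize;
    out.irp          = readLE(data + off, pointerSize);   off += pointerSize;
    out.highResResponseTime = readLE(data + off, 8);      off += 8;
    out.issuingThreadId = (len - off >= 4) ? (uint32_t)readLE(data + off, 4) : 0;
    return true;
}

static void putLE(uint8_t* p, uint64_t v, size_t width) {
    for (size_t i = 0; i < width; ++i) p[i] = (uint8_t)(v >> (8 * i));
}

// Constructed sample payload (not a captured trace): a 4096-byte write at
// byte offset 0x10000 on disk 1. Returns 52 bytes for 8-byte pointers,
// 44 for 4-byte pointers, 0 on bad arguments.
size_t buildSamplePayload(uint8_t* buf, size_t cap, size_t pointerSize) {
    if ((pointerSize != 4 && pointerSize != 8) || cap < 52) return 0;
    size_t off = 0;
    putLE(buf + off, 1, 4);        off += 4;  // DiskNumber
    putLE(buf + off, 0x43, 4);     off += 4;  // IrpFlags (constructed)
    putLE(buf + off, 4096, 4);     off += 4;  // TransferSize
    putLE(buf + off, 0, 4);        off += 4;  // Reserved
    putLE(buf + off, 0x10000, 8);  off += 8;  // ByteOffset
    putLE(buf + off, 0xFFFFF80012345678ULL, pointerSize); off += pointerSize; // FileObject
    putLE(buf + off, 0xFFFFF80087654321ULL, pointerSize); off += pointerSize; // Irp
    putLE(buf + off, 12345, 8);    off += 8;  // HighResResponseTime
    putLE(buf + off, 1234, 4);     off += 4;  // IssuingThreadId
    return off;
}

#ifdef _WIN32
#define INITGUID                    // turn DiskIoGuid from evntrace.h into a definition
#include <windows.h>
#include <evntrace.h>
#include <evntcons.h>
#pragma comment(lib, "advapi32.lib")

// With PROCESS_TRACE_MODE_EVENT_RECORD the callback receives an EVENT_RECORD;
// for classic (MOF) kernel events ProviderId is the event class GUID and
// EventDescriptor.Opcode is the MOF EventType.
static VOID WINAPI OnEventRecord(PEVENT_RECORD rec) {
    if (!IsEqualGUID(rec->EventHeader.ProviderId, DiskIoGuid)) return;
    UCHAR type = rec->EventHeader.EventDescriptor.Opcode;
    if (type != EVENT_TRACE_TYPE_IO_READ && type != EVENT_TRACE_TYPE_IO_WRITE) return;
    size_t ptrSize = (rec->EventHeader.Flags & EVENT_HEADER_FLAG_32_BIT_HEADER) ? 4 : 8;
    DiskIoRecord r;
    if (decodeDiskIo((const uint8_t*)rec->UserData, rec->UserDataLength, ptrSize, r))
        printf("%s disk=%u offset=%lld size=%u tid=%u\n",
               type == EVENT_TRACE_TYPE_IO_READ ? "Read" : "Write",
               r.diskNumber, (long long)r.byteOffset, r.transferSize, r.issuingThreadId);
}

static ULONG WINAPI OnBuffer(PEVENT_TRACE_LOGFILEW) { return TRUE; }

int wmain(void) {
    EVENT_TRACE_LOGFILEW trace = {};
    trace.LoggerName = (LPWSTR)L"power";      // session name from the post (assumed still running)
    trace.ProcessTraceMode = PROCESS_TRACE_MODE_REAL_TIME | PROCESS_TRACE_MODE_EVENT_RECORD;
    trace.EventRecordCallback = OnEventRecord; // the union member that matches EVENT_RECORD mode
    trace.BufferCallback = OnBuffer;
    TRACEHANDLE h = OpenTraceW(&trace);
    if (h == INVALID_PROCESSTRACE_HANDLE) { printf("OpenTrace failed %lu\n", GetLastError()); return 1; }
    ULONG st = ProcessTrace(&h, 1, NULL, NULL); // blocks until the session stops
    CloseTrace(h);
    return st == ERROR_SUCCESS ? 0 : 1;
}
#endif
```

The decoder deliberately takes the pointer width as a parameter: the 32-bit and 64-bit layouts differ only in the FileObject and Irp fields, and reading them with the consumer's own pointer size silently shifts HighResResponseTime and IssuingThreadId when the trace came from the other architecture. Real-time consumption still requires the privileges the asker quotes from MSDN (administrator, Performance Log Users, or one of the service accounts).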
  • I can't tell why you don't get Kernel events in real time without seeing your code, but you definitely can consume them. It's probably only a configuration error. Post some code and it will help diagnose your problem. – ALOToverflow Apr 27 '15 at 19:01
  • Updated the post with a code snippet. Can someone suggest whether the configuration I am using is correct to receive MofData from a real-time session? – user1187176 Apr 28 '15 at 10:32
  • Is there any change in the configuration needed to get valid MofData/MofLength in real time? – user1187176 May 06 '15 at 07:42
  • I believe you are getting the right data out of MofData and MofLength (https://msdn.microsoft.com/en-us/library/windows/desktop/aa363773(v=vs.85).aspx). Are you trying to log events from the kernel related to power management? – ALOToverflow May 06 '15 at 10:47
  • Hi, "power" is the name of the session that I have started. "xperf -start power -on Microsoft-Windows-Kernel-Disk -realtime" is the command used. But the original idea is to log kernel ETW such as – user1187176 May 07 '15 at 06:38
  • We want to get kernel logging working in real-time mode as well, with the following command: "xperf -on PROC_THREAD+LOADER+INTERRUPT+DPC+CSWITCH+IDLE_STATES+TIMER+CLOCKINT+IPI+POWER -realtime" – user1187176 May 07 '15 at 06:49
  • However, this command always starts a session with the name "NT Kernel Logger", and we are not able to open the "NT Kernel Logger" session; we always get error code 4201, and xperf does not allow renaming the kernel logging session. Hence, as a proof of concept, we want to start a session with a name that we provide and parse some common events such as Disk IO. Not sure what else we are missing. – user1187176 May 07 '15 at 06:49
  • Hi, can someone suggest from the code what could be the reason for not getting MofData/MofLength from the real-time session? – user1187176 May 28 '15 at 11:47
  • I also saw the following note from MSDN for real-time event consumer applications: "Only users with administrative privileges, users in the Performance Log Users group, and applications running as LocalSystem, LocalService, NetworkService can consume events in real time. To grant a restricted user the ability to consume events in real time, add them to the Performance Log Users group or call EventAccessControl." I always run the consumer application in admin mode. Can you please suggest if I am missing anything else? – user1187176 May 29 '15 at 05:49
  • Also, can someone point me to a working real-time consumer sample that I can refer to for comparison? – user1187176 May 29 '15 at 05:51
  • @user1187176, were you able to run it? – user1669844 Jun 12 '20 at 02:01

0 Answers