
I'm trying to consume Event Trace for Windows(ETW) from provider "Active Directory Domain Services: Core"[1].
I've collected events successfully and the event names are parsed correctly; however, most payloads cannot be parsed.
Using the example code below, I can parse nothing but the timestamp.
The rest prints [CANT PARSE].

Is "Active Directory Domain Services: Core" a Classic provider or Manifest-based provider?
How to parse these payload?

remark

  1. "Active Directory Domain Services: Core" is an ETW provider for Active Directory Domain Services.
  2. The question is raised under the environment of Windows Server 2012 R2 with Active Directory Domain Services enabled

Code

using Diagnostics.Tracing;
using Diagnostics.Tracing.Parsers;
using System;
using System.Diagnostics;
using System.IO;

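namespace ProcessMonitor
{
    /// <summary>
    /// Console tool that opens a real-time ETW session for one provider and prints selected
    /// payload fields of every "DsDirSearch/Start" event as it arrives.
    /// </summary>
    class Program
    {
        // Provider enabled when no name is passed on the command line.
        private const string DefaultProviderName = "Active Directory Domain Services: Core";

        // Name of the real-time session; it is stopped when the session object is disposed.
        private const string SessionName = "ProessMonitorSession";

        /// <summary>
        /// Entry point. Requires elevation, because starting an ETW session needs administrative rights.
        /// </summary>
        /// <param name="args">Optional; when args[0] is given it replaces the default provider name.</param>
        /// <returns>0 on normal shutdown; -1 when the process is not elevated or the provider cannot be resolved.</returns>
        static int Main(string[] args)
        {
            // IsElevated() is nullable; treat "unknown" as not elevated.
            if (!(TraceEventSession.IsElevated() ?? false))
            {
                Console.WriteLine("To turn on ETW events you need to be Administrator, please run from an Admin process.");
                return -1;
            }

            var providerName = (args != null && args.Length > 0 && !string.IsNullOrWhiteSpace(args[0]))
                ? args[0]
                : DefaultProviderName;

            using (var session = new TraceEventSession(SessionName, null))
            {
                // Do not leave the kernel session running after this process exits.
                session.StopOnDispose = true;

                // Ctrl+C disposes (and thus stops) the session; Process() below is expected to return once the session ends.
                Console.CancelKeyPress += delegate(object sender, ConsoleCancelEventArgs e) { session.Dispose(); };

                using (var source = new ETWTraceEventSource(SessionName, TraceEventSourceType.Session))
                {
                    Action<TraceEvent> action = delegate(TraceEvent data)
                    {
                        if (data.TaskName != "DsDirSearch" || data.EventName != "DsDirSearch/Start")
                        {
                            return;
                        }

                        // NOTE(review): the field names below are assumed to match the provider's event schema;
                        // for a classic (MOF-registered) provider the registered parser may not resolve them — confirm.
                        Console.WriteLine("{0:yyyy-MM-dd HH:mm:ss.fff}: {1}, {2}, {3}, {4}, {5}, {6}, {7}", 
                            data.TimeStamp,
                            data.PayloadByName("Signature"),
                            data.PayloadByName("caller"),
                            data.PayloadByName("Choice"),
                            data.PayloadByName("CommonArgs"),
                            data.PayloadByName("Null7"),
                            data.PayloadByName("Null8"),
                            data.PayloadByName("ObjDN"));
                    };

                    // Subscribe before enabling the provider so no early event is missed.
                    var registeredParser = new RegisteredTraceEventParser(source);
                    registeredParser.All += action;

                    var providerGuid = TraceEventSession.GetProviderByName(providerName);
                    if (providerGuid == Guid.Empty)
                    {
                        // Report the provider that was actually requested (the original text named an unrelated kernel provider).
                        Console.WriteLine("Error could not find {0} etw provider.", providerName);
                        return -1;
                    }

                    // 0x254 is the keyword mask inherited from the original code; its meaning is provider-specific — TODO confirm.
                    session.EnableProvider(providerGuid, TraceEventLevel.Informational, 0x254);

                    Console.WriteLine("Starting Listening for events");
                    // Blocks until the session is stopped (e.g. by the Ctrl+C handler above).
                    source.Process();
                    Console.WriteLine();
                    Console.WriteLine("Stopping Listening for events");
                }
            }
            return 0;
        }
    }

}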
  • I don't have this provider. I only see **Active Directory Domain Services: SAM** in my Win10 1709 VM, but I can't view the manifest in Perfview. – magicandre1981 Mar 26 '18 at 14:04
  • Sorry for not mentioning that it's for **Windows Server 2012 R2** Domain Services. I guess **Active Directory Domain Services: SAM** and **Active Directory Domain Services: Core** are similar, so a classic provider. What should I do about the payload? – ling7334 Mar 27 '18 at 04:49
    Use PerfView: click Capture -> Capture -> Advanced -> Additional Providers, search for `Active Directory Domain Services: Core`, select it and click "View Manifest". – magicandre1981 Mar 27 '18 at 15:03
  • No, can't find it. The log is `[Looking up manifest for Active Directory Domain Services: Core ] Error: Could not find provider with at GUID of 1c83b2fc-c04f-11d1-8afc-00c04fc21914` – ling7334 Mar 28 '18 at 05:20
    I see that `Active Directory Domain Services: Core` is defined in `ntdsa.mof` in the winsxs folder. So this is a classic provider, not a manifest-based one. – magicandre1981 Mar 28 '18 at 14:33
  • This is progress, but what should I do about the payload? – ling7334 Mar 29 '18 at 01:33
  • I have no idea. I only used manifest based providers (and EventSource based ones) – magicandre1981 Mar 29 '18 at 13:39
