在Windows上实时解析ETW消费者的事件

时间:2015-04-27 05:13:47

标签: windows etw

我们正在参考 https://msdn.microsoft.com/en-us/library/windows/desktop/aa364157(v=vs.85).aspx 中的示例来研究ETW实时消费者应用程序。

我们成功收到了回调,并在回调中打印了EVENT_TRACE结构的“ParentGuid”。但是我们得到的MofData指针始终为NULL,MofLength始终为0(零)。

另一方面,如果我们使用非实时的ETW消费者方法(即文件模式,从.etl文件中读取),我们可以获得有效的MofData指针。

我们正在尝试实时消费CPU使用率、DISK IO详细信息等内核事件。

那么这是否意味着我们不能实时消费内核事件?有人能说明为什么我们没有得到有效的MofData指针吗?

// ConsoleApplication5.cpp : Defines the entry point for the console application.
//

//Turns the DEFINE_GUID for EventTraceGuid into a const.
#define INITGUID
#include "stdafx.h"
#include <windows.h>
#include <stdio.h>
#include <evntrace.h>

#define LOGSESSION_NAME L"power"

// Used to calculate CPU usage. Filled in by wmain from
// LogfileHeader.TimerResolution / 10000 after OpenTrace succeeds; it stays 0
// when the header reports no resolution.
ULONG g_TimerResolution = 0;

// Per-event callback handed to ProcessTrace via EVENT_TRACE_LOGFILE.EventCallback.
// It is written against the legacy EVENT_TRACE layout (MofData / MofLength), so
// the session must not be opened with PROCESS_TRACE_MODE_EVENT_RECORD, which
// would deliver EVENT_RECORD structures to the same slot instead.
void WINAPI ProcessEvent(PEVENT_TRACE pEvent);

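void wmain(void)
{
    ULONG status = ERROR_SUCCESS;
    EVENT_TRACE_LOGFILE trace;
    TRACE_LOGFILE_HEADER *pHeader = &trace.LogfileHeader;
    TRACEHANDLE hTrace = 0;

    // Describe the session to consume. ZeroMemory clears every field, so only
    // the non-zero members need to be set explicitly afterwards.
    ZeroMemory(&trace, sizeof(trace));
    trace.LoggerName = (LPWSTR)LOGSESSION_NAME;

    // Real-time consumption of the live session named above.
    //
    // PROCESS_TRACE_MODE_EVENT_RECORD is deliberately NOT combined with
    // PROCESS_TRACE_MODE_REAL_TIME: with that flag ETW invokes the callback
    // with an EVENT_RECORD*, but ProcessEvent reads the legacy EVENT_TRACE
    // layout (MofData / MofLength). Interpreting an EVENT_RECORD as an
    // EVENT_TRACE reads unrelated bytes, which is exactly what a permanently
    // NULL MofData and zero MofLength look like. Without the flag the
    // EventCallback member is used and EVENT_TRACE.MofData is populated.
    // (The alternative is to keep the flag, assign trace.EventRecordCallback,
    // and rewrite the callback against EVENT_RECORD.UserData/UserDataLength.)
    trace.ProcessTraceMode = PROCESS_TRACE_MODE_REAL_TIME;

    // No cast: ProcessEvent must already have the PEVENT_CALLBACK signature,
    // and a cast here would only hide a mismatch.
    trace.EventCallback = ProcessEvent;

    // ProcessBuffer is not declared in this listing. It must be declared before
    // this point with the PEVENT_TRACE_BUFFER_CALLBACK signature
    // (ULONG WINAPI fn(PEVENT_TRACE_LOGFILE)); BufferCallback is optional, so
    // this assignment can be dropped entirely if per-buffer notification is
    // not needed.
    trace.BufferCallback = (PEVENT_TRACE_BUFFER_CALLBACK)(ProcessBuffer);

    hTrace = OpenTrace(&trace);
    if ((TRACEHANDLE)INVALID_HANDLE_VALUE == hTrace)
    {
        // GetLastError is only meaningful immediately after the failed call.
        wprintf(L"OpenTrace failed with %lu\n", GetLastError());
        goto cleanup;
    }

    // TimerResolution is scaled down by 10000 before use; the resulting unit is
    // whatever the CPU-usage computation that consumes g_TimerResolution expects.
    if (pHeader->TimerResolution > 0)
    {
        g_TimerResolution = pHeader->TimerResolution / 10000;
    }

    wprintf(L"Number of events lost:  %lu\n", pHeader->EventsLost);

    // Fields before LoggerName can be read through pHeader directly. Fields
    // after LogFileName shift when the trace was written on an architecture
    // with a different pointer size, so re-base pHeader by the size
    // difference of the two pointer-sized members before reading them.
    if (pHeader->PointerSize != sizeof(PVOID))
    {
        pHeader = (PTRACE_LOGFILE_HEADER)((PUCHAR)pHeader +
            2 * (pHeader->PointerSize - sizeof(PVOID)));
    }

    wprintf(L"Number of buffers lost: %lu\n\n", pHeader->BuffersLost);

    // Blocks, delivering events to ProcessEvent, until the session stops or the
    // consumer cancels; ERROR_CANCELLED is the normal "consumer stopped" result.
    status = ProcessTrace(&hTrace, 1, 0, 0);
    if (status != ERROR_SUCCESS && status != ERROR_CANCELLED)
    {
        wprintf(L"ProcessTrace failed with %lu\n", status);
        goto cleanup;
    }

cleanup:
    if ((TRACEHANDLE)INVALID_HANDLE_VALUE != hTrace)
    {
        // Result intentionally not treated as fatal: for real-time sessions
        // CloseTrace may report a pending close rather than plain success.
        status = CloseTrace(hTrace);
    }
}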


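/*
 * Per-event callback for the legacy EVENT_TRACE delivery path.
 *
 * pEvent  - event delivered by ProcessTrace. pEvent->MofData points at the
 *           event-specific payload and pEvent->MofLength is its byte length.
 *           Any parser built on top of this must bound every read by MofLength
 *           rather than trusting the layout implied by the event type; the
 *           payload originates outside this process.
 *
 * Only called with an EVENT_TRACE when the session was opened WITHOUT
 * PROCESS_TRACE_MODE_EVENT_RECORD; with that flag the same callback slot
 * receives an EVENT_RECORD and these fields are meaningless.
 */
VOID WINAPI ProcessEvent(PEVENT_TRACE pEvent)
{
    if (pEvent == NULL)
    {
        return;
    }

    PBYTE pEventData = (PBYTE)pEvent->MofData;

    // %p for the pointer and %lu for the ULONG: the original %d mismatched
    // both argument types (undefined behavior, and the pointer was truncated
    // on 64-bit builds).
    printf("\n hi%p", (void *)pEventData);
    printf("\n length %lu", (unsigned long)pEvent->MofLength);
}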
