
ETW写事件基础步骤

2013-02-19 22:06  Clingingboy

 

 

一.调用EventRegister注册一个REGHANDLE

/* Step 1: register the provider. The handle written to RegistrationHandle is
 * what EventWrite and EventUnregister later operate on, so check status before
 * going on - a failed registration leaves nothing usable behind. */
REGHANDLE RegistrationHandle = NULL;
DWORD status = EventRegister(
    &ProviderGuid,        /* provider GUID; "ProviderGuid" is the symbol declared in the manifest */
    NULL,                 /* no enable/disable callback */
    NULL,                 /* no callback context */
    &RegistrationHandle); /* receives the handle used by EventWrite / EventUnregister */

二.构造一个PEVENT_DATA_DESCRIPTOR 数组

EventWrite 不仅可以记录字符串，还可以写入更复杂的数据类型。

EVENT_DATA_DESCRIPTOR结构

 

/*
 * EVENT_DATA_DESCRIPTOR describes one user-data item of an event: where the
 * bytes live and how many of them there are. EventWrite takes an array of
 * these, one per item of the event's manifest template.
 */
struct _EVENT_DATA_DESCRIPTOR {
    ULONGLONG   Ptr;        /* address of the data, widened to 64 bits by EventDataDescCreate */
    ULONG       Size;       /* number of bytes at Ptr */
    ULONG       Reserved;   /* set to 0 by EventDataDescCreate */
};
typedef struct _EVENT_DATA_DESCRIPTOR EVENT_DATA_DESCRIPTOR;
typedef EVENT_DATA_DESCRIPTOR *PEVENT_DATA_DESCRIPTOR;

Ptr:Pointer to the data.

Size:Size of the data, in bytes.
Reserved:Reserved.

使用EventDataDescCreate方法初始化EVENT_DATA_DESCRIPTOR

/* Step 2: fill the descriptor array in the order the manifest template
 * declares its items (Image, Scores, ID, Certificate, IsLocal, Path,
 * ValuesCount). Each descriptor only records an address, so every buffer
 * referenced here has to stay alive until EventWrite has consumed it. */
EventDataDescCreate(Descriptors + i++, &pImage, sizeof(ULONG));     /* Image: win:Pointer. NOTE(review): 4 bytes only matches a
                                                                       pointer-sized field on a 32-bit provider; confirm pImage's type */
EventDataDescCreate(Descriptors + i++, Scores, sizeof(Scores));     /* Scores: 3 x win:UInt16; assumes Scores is an array, not a pointer */
EventDataDescCreate(Descriptors + i++, Guid, sizeof(GUID));         /* ID: win:GUID */
EventDataDescCreate(Descriptors + i++, Cert, sizeof(Cert));         /* Certificate: win:Binary length 11; Cert must be an 11-byte array */
EventDataDescCreate(Descriptors + i++, &IsLocal, sizeof(BOOL));     /* IsLocal: win:Boolean */
EventDataDescCreate(Descriptors + i++, Path,
                    (ULONG)((wcslen(Path) + 1) * sizeof(WCHAR)));   /* Path: win:UnicodeString, size includes the terminating NUL */
EventDataDescCreate(Descriptors + i++, &ArraySize, sizeof(USHORT)); /* ValuesCount: win:UInt16, drives the count of the Values struct */

EventDataDescCreate 原型（FORCEINLINE 内联函数）

/*
 * Point one EVENT_DATA_DESCRIPTOR at DataSize bytes starting at DataPtr.
 *
 * EventDataDescriptor  descriptor to initialize (all three fields are written)
 * DataPtr              start of the user data; ownership stays with the caller
 *                      and only the address is stored, so the data must still
 *                      be live when EventWrite reads it
 * DataSize             length of the data in bytes
 */
FORCEINLINE
VOID
EventDataDescCreate(
    __out PEVENT_DATA_DESCRIPTOR EventDataDescriptor,
    __in const VOID* DataPtr,
    __in ULONG DataSize
    )
{
    /* Widen via ULONG_PTR so the pointer becomes a 64-bit value as an unsigned
     * integer (no sign extension on 32-bit builds) before it lands in Ptr. */
    const ULONGLONG address = (ULONGLONG)(ULONG_PTR)DataPtr;

    EventDataDescriptor->Reserved = 0;
    EventDataDescriptor->Size = DataSize;
    EventDataDescriptor->Ptr = address;
}

三.写事件EventWrite


/* Step 3: emit the event. The count and the array must agree with the
 * template of TransferEvent in the manifest: one initialized descriptor per
 * template item, in template order. NOTE(review): EventWrite reads every entry
 * up to the count given, so confirm that all MAX_PAYLOAD_DESCRIPTORS entries
 * were filled by EventDataDescCreate and none is left uninitialized. */
status = EventWrite(RegistrationHandle,             /* handle from EventRegister */
                    &TransferEvent,                 /* EVENT_DESCRIPTOR for the manifest event symbol TransferEvent */
                    (ULONG)MAX_PAYLOAD_DESCRIPTORS, /* number of descriptors in the array */
                    Descriptors);                   /* the EVENT_DATA_DESCRIPTOR array built above */

四.注销事件

EventUnregister(RegistrationHandle);

五.注意点

写事件时传入的数据描述符个数，需要与 EventWrite 第二个参数所指向事件的模板中定义的参数个数相同，模板如下

<!-- <?xml version="1.0" encoding="UTF-16"?> -->
<instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events"
                         xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events"
                         xmlns:xs="http://www.w3.org/2001/XMLSchema">

    <instrumentation>
        <events>

            <!-- guid/symbol: the C code passes this GUID to EventRegister as &ProviderGuid.
                 resourceFileName/messageFileName: absolute build-output paths of the provider
                 binary; presumably message strings are resolved from them, so they need to
                 match where the provider is actually deployed. TODO confirm. -->
            <provider name="Microsoft-Windows-ETWProvider"
                      guid="{D8909C24-5BE9-4502-98CA-AB7BDC24899D}"
                      symbol="ProviderGuid"
                      resourceFileName="c:\code\etw\v2provider\debug\v2provider.exe"
                      messageFileName="c:\code\etw\v2provider\debug\v2provider.exe"
                      message="$(string.Provider.Name)">

                <!-- Each keyword is a single mask bit; an event's keywords attribute ORs
                     the named masks (TransferEvent below uses "Read Local" = 0x1 | 0x4). -->
                <keywords>
                    <keyword name="Read"
                             symbol="READ_KEYWORD"
                             mask="0x1" />
                    <keyword name="Write"
                             symbol="WRITE_KEYWORD"
                             mask="0x2" />
                    <keyword name="Local"
                             symbol="LOCAL_KEYWORD"
                             mask="0x4" />
                    <keyword name="Remote"
                             symbol="REMOTE_KEYWORD"
                             mask="0x8" />
                </keywords>

                <!-- Maps give display strings to raw integer values: a valueMap matches the
                     whole value, a bitMap matches individual bits. Referenced by the
                     map="..." attributes of the Day and Transfer items in the template. -->
                <maps>
                    <valueMap name="TransferType">
                        <map value="1"
                             message="$(string.Map.Download)" />
                        <map value="2"
                             message="$(string.Map.Upload)" />
                        <map value="3"
                             message="$(string.Map.UploadReply)" />
                    </valueMap>

                    <bitMap name="DaysOfTheWeek">
                        <map value="0x1"
                             message="$(string.Map.Sunday)" />
                        <map value="0x2"
                             message="$(string.Map.Monday)" />
                        <map value="0x4"
                             message="$(string.Map.Tuesday)" />
                        <map value="0x8"
                             message="$(string.Map.Wednesday)" />
                        <map value="0x10"
                             message="$(string.Map.Thursday)" />
                        <map value="0x20"
                             message="$(string.Map.Friday)" />
                        <map value="0x40"
                             message="$(string.Map.Saturday)" />
                    </bitMap>
                </maps>

                <templates>

                    <!-- The items are numbered %1..%10 in declaration order (see UserData below).
                         The EVENT_DATA_DESCRIPTOR array in the C code is filled in this same
                         order and with matching sizes: Image, Scores, ID, Certificate, IsLocal,
                         Path, ValuesCount; the descriptors for Values, Day and Transfer are not
                         shown in the excerpt above. -->
                    <template tid="TransferTemplate">
                        <!-- win:Pointer is pointer-sized. NOTE(review): the C code passes
                             sizeof(ULONG) (4 bytes) for this item, which only matches a
                             32-bit provider; confirm against the build target. -->
                        <data name="Image"
                              inType="win:Pointer" />
                        <!-- three UInt16 values = 6 bytes; the C code passes sizeof(Scores) -->
                        <data name="Scores"
                              inType="win:UInt16"
                              count="3" />
                        <data name="ID"
                              inType="win:GUID" />
                        <!-- fixed 11-byte blob; the C code passes sizeof(Cert), so Cert must be
                             an 11-byte array -->
                        <data name="Certificate"
                              inType="win:Binary"
                              length="11" />
                        <data name="IsLocal"
                              inType="win:Boolean" />
                        <!-- variable length; the C code sizes it as (wcslen(Path)+1)*sizeof(WCHAR),
                             i.e. the terminating NUL is part of the payload -->
                        <data name="Path"
                              inType="win:UnicodeString" />

                        <!-- ValuesCount is the UInt16 passed as ArraySize in the C code; the
                             struct below repeats that many times, so the payload must carry
                             exactly ValuesCount Name/Value pairs after this item. -->
                        <data name="ValuesCount"
                              inType="win:UInt16" />
                        <struct name="Values"
                                count="ValuesCount">
                            <data name="Name"
                                  inType="win:UnicodeString" />
                            <data name="Value"
                                  inType="win:UInt16" />
                        </struct>

                        <!-- rendered through the DaysOfTheWeek bitMap / TransferType valueMap -->
                        <data name="Day"
                              inType="win:UInt32"
                              map="DaysOfTheWeek" />
                        <data name="Transfer"
                              inType="win:UInt32"
                              map="TransferType" />

                        <!-- %n refers to the n-th item declared above (Image = %1 ... Transfer = %10) -->
                        <UserData>
                            <EventData xmlns="ProviderNamespace">
                                <Transfer>%10</Transfer>
                                <Day>%9</Day>
                                <ValuesCount>%7</ValuesCount>
                                <Values>%8</Values>
                                <Path>%6</Path>
                                <IsLocal>%5</IsLocal>
                                <Scores>%2</Scores>
                                <Image>%1</Image>
                                <Certificate>%4</Certificate>
                                <ID>%3</ID>
                            </EventData>
                        </UserData>
                    </template>

                </templates>

                <!-- symbol "TransferEvent" is the EVENT_DESCRIPTOR the C code passes to
                     EventWrite; template ties it to TransferTemplate, so the descriptor
                     array must match that template. keywords = READ_KEYWORD | LOCAL_KEYWORD. -->
                <events>
                    <event value="1"
                           level="win:Informational"
                           template="TransferTemplate"
                           symbol="TransferEvent"
                           message="$(string.Event.WhenToTransfer)"
                           keywords="Read Local" />
                </events>


            </provider>

        </events>

    </instrumentation>

    <!-- String table referenced by the $(string.X) attributes above; %10 and %9 in
         Event.WhenToTransfer are the Transfer and Day items of the template. -->
    <localization>
        <resources culture="en-US">
            <stringTable>

                <string id="Provider.Name"
                        value="Microsoft-Windows-ETWProvider" />

                <string id="Map.Download"
                        value="Download" />
                <string id="Map.Upload"
                        value="Upload" />
                <string id="Map.UploadReply"
                        value="Upload-reply" />

                <string id="Map.Sunday"
                        value="Sunday" />
                <string id="Map.Monday"
                        value="Monday" />
                <string id="Map.Tuesday"
                        value="Tuesday" />
                <string id="Map.Wednesday"
                        value="Wednesday" />
                <string id="Map.Thursday"
                        value="Thursday" />
                <string id="Map.Friday"
                        value="Friday" />
                <string id="Map.Saturday"
                        value="Saturday" />

                <string id="Event.WhenToTransfer"
                        value="The %10 transfer will occur %9." />

            </stringTable>
        </resources>
    </localization>

</instrumentationManifest>
