        /// <summary>
        /// Decodes a kernel Process/Stop payload and raises <c>ProcessStopped</c>.
        /// Only payload versions 0 and 1 are decoded; both start with the same
        /// four fields (manifest excerpt below). Every other version is dropped
        /// without a trace.
        /// </summary>
        /// <param name="traceEvent">Event whose payload cursor is advanced by each Read* call.</param>
        private void ReadProcessStopEvent(ref EtwNativeEvent traceEvent)
        {
            // <data name="ProcessID" inType="win:UInt32" outType="win:PID"></data>
            // <data name="CreateTime" inType="win:FILETIME" outType="xs:dateTime"></data>
            // <data name="ExitTime" inType="win:FILETIME" outType="xs:dateTime"></data>
            // <data name="ExitCode" inType="win:UInt32" outType="xs:unsignedInt"></data>
            //
            // NOTE(review): a version outside {0, 1} is silently ignored. If a newer
            // OS build raises the version for this event, process exits would go
            // unreported; consider at least logging the unexpected version.
            var version = traceEvent.Version;
            if (version != 0 && version != 1)
            {
                return;
            }

            // Snapshot the delegate before testing it (presumably so an
            // unsubscribe racing with this call cannot null it out mid-way).
            EventHandler<ProcessEventArgs> stopped = this.ProcessStopped;
            if (stopped == null)
            {
                // No subscriber: the payload is not read at all.
                return;
            }

            // Fields are consumed in manifest order. CreateTime is not surfaced
            // but must still be read so the cursor lands on ExitTime.
            int pid = (int)traceEvent.ReadUInt32();
            traceEvent.ReadFileTime(); // CreateTime - discarded
            DateTime exitedAt = traceEvent.ReadFileTime();
            // Unchecked reinterpretation: NTSTATUS-style codes such as 0xC0000005
            // therefore surface as negative ExitCode values.
            int exitStatus = (int)traceEvent.ReadUInt32();

            // NOTE(review): Id is a PID, which Windows reuses; correlate with the
            // matching start using Timestamp as well, not the PID alone.
            ProcessEventArgs args = new ProcessEventArgs
            {
                ExitCode  = exitStatus,
                Id        = pid,
                Timestamp = exitedAt
            };
            stopped(this, args);
        }
        /// <summary>
        /// Decodes a kernel Process/Start payload (version 0 only) and raises
        /// <c>ProcessStarted</c>. Any other payload version is dropped without a trace.
        /// </summary>
        /// <param name="traceEvent">Event whose payload cursor is advanced by each Read* call.</param>
        private void ReadProcessStartEvent(ref EtwNativeEvent traceEvent)
        {
            // <data name="ProcessID" inType="win:UInt32" outType="win:PID"></data>
            // <data name="CreateTime" inType="win:FILETIME" outType="xs:dateTime"></data>
            // <data name="ParentProcessID" inType="win:UInt32" outType="win:PID"></data>
            // <data name="SessionID" inType="win:UInt32" outType="xs:unsignedInt"></data>
            // <data name="ImageName" inType="win:UnicodeString" outType="xs:string"></data>
            //
            // NOTE(review): only version 0 is decoded. If a newer OS build emits a
            // higher version, process starts would go unreported; confirm the v1+
            // layout (fields are usually appended, not reordered) before widening.
            if (traceEvent.Version != 0)
            {
                return;
            }

            // Snapshot the delegate before testing it (presumably so an
            // unsubscribe racing with this call cannot null it out mid-way).
            EventHandler<ProcessEventArgs> started = this.ProcessStarted;
            if (started == null)
            {
                // No subscriber: the payload is not read at all.
                return;
            }

            // Fields are consumed in manifest order; the two discarded UInt32
            // reads keep the cursor aligned for ImageName.
            int pid = (int)traceEvent.ReadUInt32();
            DateTime createdAt = traceEvent.ReadFileTime();
            traceEvent.ReadUInt32(); // ParentProcessID - discarded
            traceEvent.ReadUInt32(); // SessionID - discarded
            string image = traceEvent.ReadUnicodeString();

            // NOTE(review): ImageName is the path the process was launched from,
            // not a verified identity - do not treat it as an allow-list key on
            // its own. ParentProcessID is dropped here although detection logic
            // usually wants it; surfacing it would need a new ProcessEventArgs
            // member. Id is a PID, which Windows reuses; pair it with Timestamp
            // when correlating with the matching Stop event.
            ProcessEventArgs args = new ProcessEventArgs
            {
                Id        = pid,
                ImageName = image,
                Timestamp = createdAt
            };
            started(this, args);
        }