ProcessData GetProcessData(TraceEvent obj)
{
ProcessData process = null;
ProcessDataMap.TryGetValue(obj.ProcessID, out process);
return(process);
}
private void Kernel_ThreadCSwitch(Microsoft.Diagnostics.Tracing.Parsers.Kernel.CSwitchTraceData obj)
{
ProcessData newProcess = null;
if (ProcessDataMap.TryGetValue(obj.NewProcessID, out newProcess))
{
ThreadData thread = newProcess.Threads[obj.NewThreadID];
thread.WorkIntervals.Add(new WorkIntervalData()
{
Start = obj.TimeStamp,
CpuID = obj.ProcessorNumber,
Finish = DateTime.MinValue,
});
ActiveCoresMap[obj.ProcessorNumber] = thread;
}
else
{
ActiveCoresMap[obj.ProcessorNumber] = null;
}
ProcessData oldProcess = null;
if (ProcessDataMap.TryGetValue(obj.OldProcessID, out oldProcess))
{
ThreadData thread = oldProcess.Threads[obj.OldThreadID];
if (thread.WorkIntervals.Count > 0)
{
WorkIntervalData interval = thread.WorkIntervals[thread.WorkIntervals.Count - 1];
interval.Finish = obj.TimeStamp;
interval.WaitReason = (int)obj.OldThreadWaitReason;
}
}
}
private void ETWCollector_ProcessEvent(ProcessData obj)
{
Application.Current.Dispatcher.Invoke((Action)(() =>
{
lock (GroupLock)
{
Group.Add(obj);
}
}));
}
private void Kernel_ProcessStop(Microsoft.Diagnostics.Tracing.Parsers.Kernel.ProcessTraceData obj)
{
ProcessData ev = null;
if (ProcessDataMap.TryGetValue(obj.ProcessID, out ev))
{
ev.Finish = obj.TimeStamp;
ev.Result = obj.ExitStatus;
ProcessDataMap.Remove(obj.ProcessID);
}
}
ThreadData GetThreadData(TraceEvent obj)
{
ThreadData thread = null;
ProcessData process = GetProcessData(obj);
if (process != null)
{
process.Threads.TryGetValue(obj.ThreadID, out thread);
}
return(thread);
}
private void Kernel_ThreadStart(Microsoft.Diagnostics.Tracing.Parsers.Kernel.ThreadTraceData obj)
{
ProcessData process = GetProcessData(obj);
if (process != null)
{
process.Threads[obj.ThreadID] = new ThreadData()
{
ThreadID = obj.ThreadID,
Start = obj.TimeStamp,
};
}
}
private void Kernel_ImageLoad(Microsoft.Diagnostics.Tracing.Parsers.Kernel.ImageLoadTraceData obj)
{
ProcessData process = GetProcessData(obj);
if (process != null)
{
process.Images.Add(new ImageData()
{
FileName = obj.FileName,
DefaultBase = obj.DefaultBase,
ImageBase = obj.ImageBase,
ImageChecksum = obj.ImageChecksum,
ImageSize = obj.ImageSize
});
}
}
private static void CollectArtifacts(ProcessData ev)
{
for (int start = ev.CommandLine.IndexOf('@'); start != -1; start = ev.CommandLine.IndexOf('@', start + 1))
{
int finish = Math.Max(ev.CommandLine.IndexOf(' ', start), ev.CommandLine.Length);
String path = ev.CommandLine.Substring(start + 1, finish - start - 1);
path = path.Trim(CharacterToTrim);
try
{
String text = File.ReadAllText(path);
ev.AddArtifact(path, text);
}
catch (FileNotFoundException) { }
}
}
private void Kernel_ProcessStart(Microsoft.Diagnostics.Tracing.Parsers.Kernel.ProcessTraceData obj)
{
if (Filters.Contains(obj.ImageFileName))
{
ProcessData ev = new ProcessData()
{
Name = obj.ImageFileName,
CommandLine = obj.CommandLine,
Start = obj.TimeStamp,
ProcessID = obj.ProcessID,
UniqueKey = obj.UniqueProcessKey,
};
ProcessDataMap.Add(obj.ProcessID, ev);
ProcessEvent?.Invoke(ev);
Task.Run(() => CollectArtifacts(ev));
}
}
public void Add(ProcessData process)
{
Processes.Add(process);
}
