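        /// <summary>
        ///     Attaches to an existing ETW real-time session and starts a dedicated thread that
        ///     pumps the session's events into <paramref name="observer"/>.
        /// </summary>
        /// <param name="observer">Observer to push events into.</param>
        /// <param name="sessionName">Name of the real-time session to consume.</param>
        /// <exception cref="ArgumentNullException"><paramref name="observer"/> or <paramref name="sessionName"/> is null.</exception>
        /// <exception cref="UnauthorizedAccessException">The calling process is not running as an (elevated) Administrator.</exception>
        public EtwListener(IObserver<EtwNativeEvent> observer, string sessionName)
        {
            if (observer == null)
            {
                throw new ArgumentNullException("observer");
            }

            if (sessionName == null)
            {
                throw new ArgumentNullException("sessionName");
            }

            // Early, readable authorization check. Consuming a real-time session requires membership in
            // Administrators or "Performance Log Users"; only the former is checked here, so this gate is
            // stricter than what the OS accepts, and the OS still enforces access when the session is
            // opened. Under UAC an un-elevated member of Administrators fails IsInRole, so the process
            // must actually be elevated. WindowsIdentity wraps a token handle, hence the using block.
            using (var identity = WindowsIdentity.GetCurrent())
            {
                var principal = new WindowsPrincipal(identity);
                if (!principal.IsInRole(WindowsBuiltInRole.Administrator))
                {
                    throw new UnauthorizedAccessException("To use ETW real-time session, you have to be Administrator");
                }
            }

            _observer = observer;
            _logFile  = new EVENT_TRACE_LOGFILE
            {
                // Real-time consumption with EVENT_RECORD-style callbacks; the session is selected by name.
                ProcessTraceMode    = EtwNativeMethods.TraceModeRealTime | EtwNativeMethods.TraceModeEventRecord,
                LoggerName          = sessionName,
                EventRecordCallback = EtwCallback
            };

            // The pump thread starts inside the constructor, so callbacks may reach the observer
            // before the constructor has returned to the caller.
            _thread      = new Thread(ThreadProc);
            _thread.Name = "EtwSession " + sessionName;
            _thread.Start();
        }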
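        /// <summary>
        ///     Reads one or more .etl files and starts a dedicated thread that pushes their events
        ///     into <paramref name="observer"/>, either file-by-file or merged.
        /// </summary>
        /// <param name="observer">Observer to push events into.</param>
        /// <param name="sequential">Set to true to stream the logs one file after another instead of merging them.</param>
        /// <param name="startTime">Start time for the events from the logs.</param>
        /// <param name="endTime">End time for the events from the logs.</param>
        /// <param name="etlFiles">.etl (Event Trace Log) files to read. Up to 63 files are supported in non-sequential mode;
        /// theoretically there is no limit on the number of files in sequential mode.</param>
        /// <exception cref="ArgumentNullException"><paramref name="observer"/> or <paramref name="etlFiles"/> is null.</exception>
        public EtwFileReader(IObserver<EtwNativeEvent> observer, bool sequential, DateTime startTime, DateTime endTime, params string[] etlFiles)
        {
            if (observer == null)
            {
                throw new ArgumentNullException("observer");
            }

            if (etlFiles == null)
            {
                throw new ArgumentNullException("etlFiles");
            }

            _observer = observer;
            _startTime = startTime;
            _endTime = endTime;

            // One EVENT_TRACE_LOGFILE per input file; the path is made absolute up front so the native
            // side never resolves it against the current directory.
            // NOTE(review): the handles are described as "pinning the strings", but GCHandle.Alloc(obj)
            // creates a Normal (keep-alive) handle, not a pinned one, and if EVENT_TRACE_LOGFILE is a
            // struct the handle refers to a boxed copy rather than the array element. Whatever they
            // achieve, the handles must be freed when the reader is torn down — confirm in Dispose.
            int fileCount = etlFiles.Length;
            _logFiles = new EVENT_TRACE_LOGFILE[fileCount];
            _logFileHandles = new GCHandle[fileCount];
            for (int i = 0; i < fileCount; i++)
            {
                _logFiles[i] = new EVENT_TRACE_LOGFILE
                {
                    ProcessTraceMode = EtwNativeMethods.TraceModeEventRecord,
                    LogFileName = Path.GetFullPath(etlFiles[i]),
                    EventRecordCallback = EtwCallback
                };
                _logFileHandles[i] = GCHandle.Alloc(_logFiles[i]);
            }

            // Sequential mode processes the files one after another; the merged path presumably hands all
            // files to ProcessTrace at once, which is where the file-count limit applies.
            ThreadStart pump = sequential
                ? new ThreadStart(ProcessTracesInSequence)
                : new ThreadStart(MergeTracesAndProcess);

            // The pump thread starts inside the constructor, so callbacks may reach the observer
            // before the constructor has returned to the caller.
            _thread = new Thread(pump) { Name = "EtwFileObservable" };
            _thread.Start();
        }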
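        /// <summary>
        ///     Reads one or more .etl files and starts a dedicated thread that pushes their events
        ///     into <paramref name="observer"/>.
        /// </summary>
        /// <param name="observer">Observer to push events into.</param>
        /// <param name="etlFiles">.etl (Event Trace Log) files to read. Up to 63 files are supported.</param>
        /// <exception cref="ArgumentNullException"><paramref name="observer"/> or <paramref name="etlFiles"/> is null.</exception>
        public EtwFileReader(IObserver<EtwNativeEvent> observer, params string[] etlFiles)
        {
            if (observer == null)
            {
                throw new ArgumentNullException("observer");
            }

            if (etlFiles == null)
            {
                throw new ArgumentNullException("etlFiles");
            }

            _observer = observer;

            // One EVENT_TRACE_LOGFILE per input file; the path is made absolute up front so the native
            // side never resolves it against the current directory.
            // NOTE(review): the handles are described as "pinning the strings", but GCHandle.Alloc(obj)
            // creates a Normal (keep-alive) handle, not a pinned one, and if EVENT_TRACE_LOGFILE is a
            // struct the handle refers to a boxed copy rather than the array element. Whatever they
            // achieve, the handles must be freed when the reader is torn down — confirm in Dispose.
            int fileCount = etlFiles.Length;
            _logFiles = new EVENT_TRACE_LOGFILE[fileCount];
            _logFileHandles = new GCHandle[fileCount];
            for (int i = 0; i < fileCount; i++)
            {
                _logFiles[i] = new EVENT_TRACE_LOGFILE
                    {
                        ProcessTraceMode = EtwNativeMethods.TraceModeEventRecord,
                        LogFileName = Path.GetFullPath(etlFiles[i]),
                        EventRecordCallback = EtwCallback
                    };
                _logFileHandles[i] = GCHandle.Alloc(_logFiles[i]);
            }

            // The pump thread starts inside the constructor, so callbacks may reach the observer
            // before the constructor has returned to the caller.
            _thread = new Thread(ThreadProc) {Name = "EtwFileObservable"};
            _thread.Start();
        }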
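        /// <summary>
        ///     Attaches to an existing ETW real-time session and starts a dedicated thread that
        ///     pumps the session's events into <paramref name="observer"/>.
        /// </summary>
        /// <param name="observer">Observer to push events into.</param>
        /// <param name="sessionName">Name of the real-time session to consume.</param>
        /// <exception cref="ArgumentNullException"><paramref name="observer"/> or <paramref name="sessionName"/> is null.</exception>
        /// <exception cref="UnauthorizedAccessException">The calling process is not running as an (elevated) Administrator.</exception>
        public EtwListener(IObserver<EtwNativeEvent> observer, string sessionName)
        {
            if (observer == null)
            {
                throw new ArgumentNullException("observer");
            }

            if (sessionName == null)
            {
                throw new ArgumentNullException("sessionName");
            }

            // Early, readable authorization check. Consuming a real-time session requires membership in
            // Administrators or "Performance Log Users"; only the former is checked here, so this gate is
            // stricter than what the OS accepts, and the OS still enforces access when the session is
            // opened. Under UAC an un-elevated member of Administrators fails IsInRole, so the process
            // must actually be elevated. WindowsIdentity wraps a token handle, hence the using block.
            using (var identity = WindowsIdentity.GetCurrent())
            {
                if (!new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator))
                {
                    throw new UnauthorizedAccessException("To use ETW real-time session, you have to be Administrator");
                }
            }

            _observer = observer;
            _logFile = new EVENT_TRACE_LOGFILE
                {
                    // Real-time consumption with EVENT_RECORD-style callbacks; the session is selected by name.
                    ProcessTraceMode = EtwNativeMethods.TraceModeRealTime | EtwNativeMethods.TraceModeEventRecord,
                    LoggerName = sessionName,
                    EventRecordCallback = EtwCallback
                };

            // The pump thread starts inside the constructor, so callbacks may reach the observer
            // before the constructor has returned to the caller.
            _thread = new Thread(ThreadProc) { Name = "EtwSession " + sessionName };
            _thread.Start();
        }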
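        /// <summary>
        ///     Reads one or more .etl files and starts a dedicated thread that pushes their events
        ///     into <paramref name="observer"/>, either file-by-file or merged.
        /// </summary>
        /// <param name="observer">Observer to push events into.</param>
        /// <param name="sequential">Set to true to stream the logs one file after another instead of merging them.</param>
        /// <param name="startTime">Start time for the events from the logs.</param>
        /// <param name="endTime">End time for the events from the logs.</param>
        /// <param name="etlFiles">.etl (Event Trace Log) files to read. Up to 63 files are supported in non-sequential mode;
        /// theoretically there is no limit on the number of files in sequential mode.</param>
        /// <exception cref="ArgumentNullException"><paramref name="observer"/> or <paramref name="etlFiles"/> is null.</exception>
        public EtwFileReader(IObserver<EtwNativeEvent> observer, bool sequential, DateTime startTime, DateTime endTime, params string[] etlFiles)
        {
            if (observer == null)
            {
                throw new ArgumentNullException("observer");
            }

            if (etlFiles == null)
            {
                throw new ArgumentNullException("etlFiles");
            }

            _observer  = observer;
            _startTime = startTime;
            _endTime   = endTime;

            // One EVENT_TRACE_LOGFILE per input file; the path is made absolute up front so the native
            // side never resolves it against the current directory.
            // NOTE(review): the handles are described as "pinning the strings", but GCHandle.Alloc(obj)
            // creates a Normal (keep-alive) handle, not a pinned one, and if EVENT_TRACE_LOGFILE is a
            // struct the handle refers to a boxed copy rather than the array element. Whatever they
            // achieve, the handles must be freed when the reader is torn down — confirm in Dispose.
            int fileCount   = etlFiles.Length;
            _logFiles       = new EVENT_TRACE_LOGFILE[fileCount];
            _logFileHandles = new GCHandle[fileCount];
            for (int i = 0; i < fileCount; i++)
            {
                _logFiles[i] = new EVENT_TRACE_LOGFILE
                {
                    ProcessTraceMode    = EtwNativeMethods.TraceModeEventRecord,
                    LogFileName         = Path.GetFullPath(etlFiles[i]),
                    EventRecordCallback = EtwCallback
                };
                _logFileHandles[i] = GCHandle.Alloc(_logFiles[i]);
            }

            // Sequential mode processes the files one after another; the merged path presumably hands all
            // files to ProcessTrace at once, which is where the file-count limit applies.
            ThreadStart pump = sequential
                ? new ThreadStart(ProcessTracesInSequence)
                : new ThreadStart(MergeTracesAndProcess);

            // The pump thread starts inside the constructor, so callbacks may reach the observer
            // before the constructor has returned to the caller.
            _thread = new Thread(pump)
            {
                Name = "EtwFileObservable"
            };
            _thread.Start();
        }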
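        /// <summary>
        ///     Reads one or more .etl files and starts a dedicated thread that pushes their events
        ///     into <paramref name="observer"/>.
        /// </summary>
        /// <param name="observer">Observer to push events into.</param>
        /// <param name="etlFiles">.etl (Event Trace Log) files to read. Up to 63 files are supported.</param>
        /// <exception cref="ArgumentNullException"><paramref name="observer"/> or <paramref name="etlFiles"/> is null.</exception>
        public EtwFileReader(IObserver<EtwNativeEvent> observer, params string[] etlFiles)
        {
            if (observer == null)
            {
                throw new ArgumentNullException("observer");
            }

            if (etlFiles == null)
            {
                throw new ArgumentNullException("etlFiles");
            }

            _observer = observer;

            // One EVENT_TRACE_LOGFILE per input file; the path is made absolute up front so the native
            // side never resolves it against the current directory.
            // NOTE(review): the handles are described as "pinning the strings", but GCHandle.Alloc(obj)
            // creates a Normal (keep-alive) handle, not a pinned one, and if EVENT_TRACE_LOGFILE is a
            // struct the handle refers to a boxed copy rather than the array element. Whatever they
            // achieve, the handles must be freed when the reader is torn down — confirm in Dispose.
            int fileCount   = etlFiles.Length;
            _logFiles       = new EVENT_TRACE_LOGFILE[fileCount];
            _logFileHandles = new GCHandle[fileCount];
            for (int i = 0; i < fileCount; i++)
            {
                _logFiles[i] = new EVENT_TRACE_LOGFILE
                {
                    ProcessTraceMode    = EtwNativeMethods.TraceModeEventRecord,
                    LogFileName         = Path.GetFullPath(etlFiles[i]),
                    EventRecordCallback = EtwCallback
                };
                _logFileHandles[i] = GCHandle.Alloc(_logFiles[i]);
            }

            // The pump thread starts inside the constructor, so callbacks may reach the observer
            // before the constructor has returned to the caller.
            _thread = new Thread(ThreadProc)
            {
                Name = "EtwFileObservable"
            };
            _thread.Start();
        }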
 // P/Invoke declaration for the native ETW OpenTrace; its [DllImport] attribute is expected to sit
 // directly above this line, outside the excerpt. The returned TRACEHANDLE is an unsigned 64-bit
 // value; on failure the native API returns INVALID_PROCESSTRACE_HANDLE, whose numeric value differs
 // between 32-bit and 64-bit processes, so callers should compare against that constant rather than 0.
 public static extern ulong OpenTrace(ref EVENT_TRACE_LOGFILE logfile);
 // Native ETW OpenTrace entry point (the [DllImport] attribute precedes this declaration, outside the excerpt).
 // Returns a TRACEHANDLE as an unsigned 64-bit value. A failed call yields INVALID_PROCESSTRACE_HANDLE,
 // which is not 0 and whose bit pattern depends on process bitness — check against that constant, not 0.
 public static extern ulong OpenTrace(ref EVENT_TRACE_LOGFILE logfile);