Ejemplo n.º 1
0
        /// <summary>
        /// Sends the CAPUTURE_STATE command to the provider 
        /// 
        /// This routine only works Win7 and above, since previous versions don't have this concept.   The providers also has 
        /// to support it.  
        /// 
        /// You can use KernelTraceEventParser.ProviderGuid here to cause rundown for the system.  
        /// </summary>
        /// <param name="providerGuid">The GUID that identifies the provider to send the CaptureState command to</param>
        /// <param name="matchAnyKeywords">The Keywords to send as part of the command (can influnced what is sent back)</param>
        /// <param name="filterType">if non-zero, this is passed along to the provider as type of the filter data.</param>
        /// <param name="data">If non-null this is either an int, or a byte array and is passed along as filter data.</param>
        public void CaptureState(Guid providerGuid, ulong matchAnyKeywords = ulong.MaxValue, int filterType = 0, object data = null)
        {
            var parameters = new TraceEventNativeMethods.ENABLE_TRACE_PARAMETERS();
            var filter = new TraceEventNativeMethods.EVENT_FILTER_DESCRIPTOR();
            parameters.Version = TraceEventNativeMethods.ENABLE_TRACE_PARAMETERS_VERSION;

            byte[] asArray = data as byte[];
            if (data is int)
            {
                int intVal = (int)data;
                asArray = new byte[4];
                asArray[0] = (byte)intVal;
                asArray[1] = (byte)(intVal >> 8);
                asArray[2] = (byte)(intVal >> 16);
                asArray[3] = (byte)(intVal >> 24);
            }
            fixed (byte* filterDataPtr = asArray)
            {
                if (asArray != null)
                {
                    parameters.EnableFilterDesc = &filter;
                    filter.Type = filterType;
                    filter.Size = asArray.Length;
                    filter.Ptr = filterDataPtr;
                }
                int hr = TraceEventNativeMethods.EnableTraceEx2(
                    m_SessionHandle, ref providerGuid, TraceEventNativeMethods.EVENT_CONTROL_CODE_CAPTURE_STATE,
                    (byte)TraceEventLevel.Verbose, matchAnyKeywords, 0, 0, ref parameters);

                Marshal.ThrowExceptionForHR(TraceEventNativeMethods.GetHRFromWin32(hr));
            }
        }
Ejemplo n.º 2
0
        /// <summary>
        /// Do intialization common to the contructors.  
        /// </summary>
        private bool EnableProvider(Guid providerGuid, TraceEventLevel providerLevel, ulong matchAnyKeywords, ulong matchAllKeywords, TraceEventOptions options, int providerDataType, byte[] providerData, int providerDataSize)
        {
            if (m_SessionName == KernelTraceEventParser.KernelSessionName)
                throw new NotSupportedException("Can only enable kernel events on a kernel session.");

            bool ret = InsureStarted();
            TraceEventNativeMethods.EVENT_FILTER_DESCRIPTOR* dataDescrPtr = null;
            fixed (byte* providerDataPtr = providerData)
            {
                string regKeyName = @"Software\Microsoft\Windows\CurrentVersion\Winevt\Publishers\{" + providerGuid + "}";
                byte[] registryData = null;
                // If this is an update operation, remember the data in registry so that even providers
                // that have not yet started will get the data.   We don't do this for any other kind of command (providerDataType)
                // since we don't know that they are desired 'on startup'.  
                if (providerData != null && providerDataType == 0)
                {
                    TraceEventNativeMethods.EVENT_FILTER_DESCRIPTOR dataDescr = new TraceEventNativeMethods.EVENT_FILTER_DESCRIPTOR();
                    dataDescr.Ptr = null;
                    dataDescr.Size = providerDataSize;
                    dataDescr.Type = providerDataType;
                    dataDescrPtr = &dataDescr;

                    if (providerData == null)
                        providerData = new byte[0];
                    else
                        dataDescr.Ptr = providerDataPtr;

                    // Set the registry key so providers get the information even if they are not active now
                    registryData = new byte[providerDataSize + 4];
                    // providerDataType is always zero, but older versions assume it is here, so we put the redundant value here for compatibility. 
                    registryData[0] = (byte)(providerDataType);
                    registryData[1] = (byte)(providerDataType >> 8);
                    registryData[2] = (byte)(providerDataType >> 16);
                    registryData[3] = (byte)(providerDataType >> 24);
                    Array.Copy(providerData, 0, registryData, 4, providerDataSize);
                }
                SetOrDelete(regKeyName, "ControllerData", registryData);
                int hr;

                try
                {
                    try
                    {
                        // Try the Win7 API
                        TraceEventNativeMethods.ENABLE_TRACE_PARAMETERS parameters = new TraceEventNativeMethods.ENABLE_TRACE_PARAMETERS();
                        parameters.Version = TraceEventNativeMethods.ENABLE_TRACE_PARAMETERS_VERSION;
                        if ((options & TraceEventOptions.Stacks) != 0)
                            parameters.EnableProperty = TraceEventNativeMethods.EVENT_ENABLE_PROPERTY_STACK_TRACE;
                        parameters.EnableFilterDesc = dataDescrPtr;

                        hr = TraceEventNativeMethods.EnableTraceEx2(m_SessionHandle, ref providerGuid,
                            TraceEventNativeMethods.EVENT_CONTROL_CODE_ENABLE_PROVIDER, (byte)providerLevel,
                            matchAnyKeywords, matchAllKeywords, 0, ref parameters);
                    }
                    catch (EntryPointNotFoundException)
                    {
                        // OK that did not work, try the VISTA API
                        hr = TraceEventNativeMethods.EnableTraceEx(ref providerGuid, null, m_SessionHandle, 1,
                            (byte)providerLevel, matchAnyKeywords, matchAllKeywords, 0, dataDescrPtr);
                    }
                }
                catch (EntryPointNotFoundException)
                {
                    // Try with the old pre-vista API
                    hr = TraceEventNativeMethods.EnableTrace(1, (int)matchAnyKeywords, (int)providerLevel, ref providerGuid, m_SessionHandle);
                }
                Marshal.ThrowExceptionForHR(TraceEventNativeMethods.GetHRFromWin32(hr));
            }
            m_IsActive = true;
            return ret;
        }
Ejemplo n.º 3
0
 /// <summary>
 /// Disables a provider completely
 /// </summary>
 public void DisableProvider(Guid providerGuid)
 {
     int hr;
     try
     {
         try
         {
             // Try the Win7 API
             var parameters = new TraceEventNativeMethods.ENABLE_TRACE_PARAMETERS { Version = TraceEventNativeMethods.ENABLE_TRACE_PARAMETERS_VERSION };
             hr = TraceEventNativeMethods.EnableTraceEx2(
                 m_SessionHandle, ref providerGuid, TraceEventNativeMethods.EVENT_CONTROL_CODE_DISABLE_PROVIDER,
                 0, 0, 0, 0, ref parameters);
         }
         catch (EntryPointNotFoundException)
         {
             // OK that did not work, try the VISTA API
             hr = TraceEventNativeMethods.EnableTraceEx(ref providerGuid, null, m_SessionHandle, 0, 0, 0, 0, 0, null);
         }
     }
     catch (EntryPointNotFoundException)
     {
         // Try with the old pre-vista API
         hr = TraceEventNativeMethods.EnableTrace(0, 0, 0, ref providerGuid, m_SessionHandle);
     }
     Marshal.ThrowExceptionForHR(TraceEventNativeMethods.GetHRFromWin32(hr));
 }