/// <summary>
/// Trigger the service by emitting an ETW event for the trigger's GUID.
/// </summary>
/// <remarks>
/// Registers an ETW provider under <c>SubType</c>, writes a single event and
/// releases the registration. Presumably the Service Control Manager reacts to
/// that event to start or stop the service — confirm against the trigger type.
/// </remarks>
public override void Trigger()
{
    var registration = EventTracing.Register(SubType);
    using (registration)
    {
        // One event is all the trigger needs; the registration is disposed on exit.
        registration.Write();
    }
}
/// <summary>
/// Wraps a raw <c>SERVICE_TRIGGER</c> describing an ETW trigger and eagerly
/// queries the trace security descriptor for the trigger GUID.
/// </summary>
/// <param name="trigger">The raw service trigger to wrap.</param>
/// <remarks>
/// The query is made with its second argument <c>false</c> (presumably
/// "throw on error"), so a failed query — e.g. insufficient privilege, to be
/// confirmed — leaves <c>SecurityDescriptor</c> unassigned rather than throwing.
/// Callers should treat a missing descriptor as "unknown", not as "no access".
/// </remarks>
internal EtwServiceTriggerInformation(SERVICE_TRIGGER trigger) : base(trigger)
{
    var query = EventTracing.QueryTraceSecurity(SubType, false);
    if (!query.IsSuccess)
    {
        // Best-effort: an unreadable descriptor is not fatal for listing triggers.
        return;
    }
    SecurityDescriptor = query.Result;
}
/// <summary>
/// Checks which of the supplied tokens are granted the requested access on the
/// selected ETW providers and writes one <c>EventTraceAccessCheckResult</c> per
/// (provider, token) pair that passes.
/// </summary>
/// <param name="tokens">The tokens to evaluate against each provider's security descriptor.</param>
/// <remarks>
/// Provider selection: if <c>ProviderId</c> is non-empty it is the only filter
/// (matched by GUID); otherwise a non-empty <c>Name</c> filters by provider name,
/// compared case-insensitively; otherwise every provider is checked.
/// A provider whose security descriptor could not be read is skipped with a
/// warning — it does NOT appear as "no access", so output may be incomplete when
/// not run with sufficient privilege.
/// </remarks>
private protected override void RunAccessCheck(IEnumerable<TokenEntry> tokens)
{
    // ETW providers are modelled with the NtEtwRegistration type's generic mapping.
    NtType etw_type = NtType.GetTypeByType<NtEtwRegistration>();
    AccessMask wanted_access = etw_type.GenericMapping.MapMask(Access);

    var providers = EventTracing.GetProviders();
    if (ProviderId?.Length > 0)
    {
        var wanted_ids = new HashSet<Guid>(ProviderId);
        providers = providers.Where(p => wanted_ids.Contains(p.Id));
    }
    else if (Name?.Length > 0)
    {
        var wanted_names = new HashSet<string>(Name, StringComparer.OrdinalIgnoreCase);
        providers = providers.Where(p => wanted_names.Contains(p.Name));
    }

    foreach (var provider in providers)
    {
        var descriptor = provider.SecurityDescriptor;
        if (descriptor == null)
        {
            // Unreadable descriptor: report and skip rather than guessing at access.
            WriteWarning($"Couldn't query security for ETW Provider {provider.Name}. Perhaps run as administrator.");
            continue;
        }

        foreach (TokenEntry entry in tokens)
        {
            AccessMask granted = NtSecurity.GetMaximumAccess(descriptor, entry.Token, etw_type.GenericMapping);
            if (!IsAccessGranted(granted, wanted_access))
            {
                continue;
            }
            WriteObject(new EventTraceAccessCheckResult(provider, etw_type, granted, descriptor, entry.Information));
        }
    }
}
/// <summary>
/// Wraps a raw <c>SERVICE_TRIGGER</c> describing an ETW trigger; the trace
/// security descriptor for the trigger GUID is queried lazily on first read.
/// </summary>
/// <param name="trigger">The raw service trigger to wrap.</param>
/// <remarks>
/// The query passes <c>false</c> as its second argument (presumably "throw on
/// error") and uses <c>GetResultOrDefault()</c>, so a failed query yields a null
/// descriptor rather than an exception. Treat null as "could not read", not as
/// "no access".
/// </remarks>
internal EtwServiceTriggerInformation(SERVICE_TRIGGER trigger) : base(trigger)
{
    // Deferred: no security query is issued unless the descriptor is actually read.
    _security_descriptor = new Lazy<SecurityDescriptor>(() =>
    {
        var query = EventTracing.QueryTraceSecurity(SubType, false);
        return query.GetResultOrDefault();
    });
}
/// <summary>
/// Describes the trigger sub-type: the base description followed by the ETW
/// provider name, or the provider GUID when no name is registered.
/// </summary>
/// <returns>The base sub-type description with the provider name or braced GUID appended.</returns>
private protected override string GetSubTypeDescription()
{
    string base_description = base.GetSubTypeDescription();
    // "B" renders the GUID in braces ("{...}") when the provider has no known name.
    string provider = EventTracing.GetProviderName(SubType) ?? SubType.ToString("B");
    return $"{base_description} {provider}";
}