internal static bool IsVersionOrLater(OperatingSystemVersion version)
{
//
int major;
int minor;
PlatformID platform = PlatformID.Win32NT;
switch (version)
{
case OperatingSystemVersion.Windows8:
major = 6;
minor = 2;
break;
case OperatingSystemVersion.Windows7:
major = 6;
minor = 1;
break;
case OperatingSystemVersion.WindowsVista:
major = 6;
minor = 0;
break;
case OperatingSystemVersion.WindowsXPSP2:
default:
major = 5;
minor = 1;
break;
}
OperatingSystem os = Environment.OSVersion;
return (os.Platform == platform) &&
(((os.Version.Major == major) && (os.Version.Minor >= minor)) || (os.Version.Major > major));
}
internal static bool IsVersionOrLater(OperatingSystemVersion version)
{
int major;
int minor;
PlatformID platform = PlatformID.Win32NT;
switch (version)
{
case OperatingSystemVersion.Windows8:
major = 6;
minor = 2;
break;
case OperatingSystemVersion.Windows7:
major = 6;
minor = 1;
break;
case OperatingSystemVersion.WindowsVista:
major = 6;
minor = 0;
break;
case OperatingSystemVersion.WindowsXPSP2:
default:
major = 5;
minor = 1;
break;
}
OperatingSystem os = Environment.OSVersion;
return((os.Platform == platform) &&
(((os.Version.Major == major) && (os.Version.Minor >= minor)) || (os.Version.Major > major)));
}
//https://github.com/libyal/winreg-kb/wiki/Application-Compatibility-Cache-key
//https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf
private void Init(byte[] rawBytes, bool is32)
{
IAppCompatCache appCache = null;
OperatingSystem = OperatingSystemVersion.Unknown;
string signature;
//TODO check minimum length of rawBytes and throw exception if not enough data
signature = Encoding.ASCII.GetString(rawBytes, 128, 4);
if (signature == "\u0018\0\0\0" || signature == "Y\0\0\0")
{
OperatingSystem = OperatingSystemVersion.WindowsXP;
appCache = new WindowsXP(rawBytes, is32);
}
else if (signature == "00ts")
{
OperatingSystem = OperatingSystemVersion.Windows80_Windows2012;
appCache = new Windows8x(rawBytes, OperatingSystem);
}
else if (signature == "10ts")
{
OperatingSystem = OperatingSystemVersion.Windows81_Windows2012R2;
appCache = new Windows8x(rawBytes, OperatingSystem);
}
else
{
//is it windows 10?
signature = Encoding.ASCII.GetString(rawBytes, 48, 4);
if (signature == "10ts")
{
OperatingSystem = OperatingSystemVersion.Windows10;
appCache = new Windows10(rawBytes);
}
else
{
//win7
if (rawBytes[0] == 0xee & rawBytes[1] == 0xf & rawBytes[2] == 0xdc & rawBytes[3] == 0xba)
{
if (is32)
{
OperatingSystem = OperatingSystemVersion.Windows7x86;
}
else
{
OperatingSystem = OperatingSystemVersion.Windows7x64_Windows2008R2;
}
appCache = new Windows7(rawBytes, is32);
}
}
}
Cache = appCache;
}
internal static void CheckAndApplyTheme(ContentControl control)
{
OperatingSystemVersion os = OperatingSystemVersion.Current;
if (os.OSVersion == OSVersion.Win7)
{
ThemeManager.ApplyTheme(control, "BureauBlue");
}
}
public OperatingSystemSupportedAttribute(OperatingSystemVersion mininum, OperatingSystemVersion maximum = OperatingSystemVersion.None)
{
if (mininum == OperatingSystemVersion.None)
{
throw new ArgumentOutOfRangeException(nameof(mininum));
}
this.Mininum = GetVersion(mininum);
this.Maximum = GetVersion(maximum);
}
internal static bool IsOsVersionOrGreater(OperatingSystemVersion osVer)
{
switch (osVer)
{
case OperatingSystemVersion.Windows10RS5:
return(IsOsWindows10RS5OrGreater);
case OperatingSystemVersion.Windows10RS4:
return(IsOsWindows10RS4OrGreater);
case OperatingSystemVersion.Windows10RS3:
return(IsOsWindows10RS3OrGreater);
case OperatingSystemVersion.Windows10RS2:
return(IsOsWindows10RS2OrGreater);
case OperatingSystemVersion.Windows10RS1:
return(IsOsWindows10RS1OrGreater);
case OperatingSystemVersion.Windows10TH2:
return(IsOsWindows10TH2OrGreater);
case OperatingSystemVersion.Windows10:
return(IsOsWindows10OrGreater);
case OperatingSystemVersion.Windows8Point1:
return(IsOsWindows8Point1OrGreater);
case OperatingSystemVersion.Windows8:
return(IsOsWindows8OrGreater);
case OperatingSystemVersion.Windows7SP1:
return(IsOsWindows7SP1OrGreater);
case OperatingSystemVersion.Windows7:
return(IsOsWindows7OrGreater);
case OperatingSystemVersion.WindowsVistaSP2:
return(IsOsWindowsVistaSP2OrGreater);
case OperatingSystemVersion.WindowsVistaSP1:
return(IsOsWindowsVistaSP1OrGreater);
case OperatingSystemVersion.WindowsVista:
return(IsOsWindowsVistaOrGreater);
case OperatingSystemVersion.WindowsXPSP3:
return(IsOsWindowsXPSP3OrGreater);
case OperatingSystemVersion.WindowsXPSP2:
return(IsOsWindowsXPSP2OrGreater);
}
throw new ArgumentException(string.Format("{0} is not a valid OS!", osVer.ToString()), "osVer");
}
/// <inheritdoc />
public override int GetHashCode()
{
unchecked
{
var hashCode = EntryAssemblyName?.GetHashCode() ?? 0;
hashCode = (hashCode * 397) ^ (EntryAssemblyVersion?.GetHashCode() ?? 0);
hashCode = (hashCode * 397) ^ (HostName?.GetHashCode() ?? 0);
hashCode = (hashCode * 397) ^ (LocalTimeString?.GetHashCode() ?? 0);
hashCode = (hashCode * 397) ^ (MachineName?.GetHashCode() ?? 0);
hashCode = (hashCode * 397) ^ (OperatingSystem?.GetHashCode() ?? 0);
hashCode = (hashCode * 397) ^ (OperatingSystemVersion?.GetHashCode() ?? 0);
hashCode = (hashCode * 397) ^ (ProcessName?.GetHashCode() ?? 0);
hashCode = (hashCode * 397) ^ (ProcessorCount?.GetHashCode() ?? 0);
return(hashCode);
}
}
public override int GetHashCode()
{
unchecked
{
var hashCode = FrameworkDescription != null?FrameworkDescription.GetHashCode() : 0;
hashCode = (hashCode * 397) ^ (RunningEnvironment != null ? RunningEnvironment.GetHashCode() : 0);
hashCode = (hashCode * 397) ^ (EntryAssemblyName != null ? EntryAssemblyName.GetHashCode() : 0);
hashCode = (hashCode * 397) ^ (EntryAssemblyVersion != null ? EntryAssemblyVersion.GetHashCode() : 0);
hashCode = (hashCode * 397) ^ (LocalTimeString != null ? LocalTimeString.GetHashCode() : 0);
hashCode = (hashCode * 397) ^ (MachineName != null ? MachineName.GetHashCode() : 0);
hashCode = (hashCode * 397) ^ (OperatingSystemPlatform != null ? OperatingSystemPlatform.GetHashCode() : 0);
hashCode = (hashCode * 397) ^ (OperatingSystemArchitecture != null ? OperatingSystemArchitecture.GetHashCode() : 0);
hashCode = (hashCode * 397) ^ (OperatingSystemVersion != null ? OperatingSystemVersion.GetHashCode() : 0);
hashCode = (hashCode * 397) ^ (ProcessArchitecture != null ? ProcessArchitecture.GetHashCode() : 0);
hashCode = (hashCode * 397) ^ (ProcessorCount != null ? ProcessorCount.GetHashCode() : 0);
return(hashCode);
}
}
/// <summary>
/// Create an ETWReloggerTraceEventSource that can takes its input from a variety of sources (either a single file,
/// a set of files, or a real time ETW session (based on 'type'), and can write these events to a new ETW output
/// file 'outputFileName.
/// </summary>
public ETWReloggerTraceEventSource(string fileOrSessionName, TraceEventSourceType type, string outputFileName)
: base()
{
if (!OperatingSystemVersion.AtLeast(62))
{
throw new NotSupportedException("System Tracing is only supported on Windows 8 and above.");
}
m_relogger = new CTraceRelogger();
if (type == TraceEventSourceType.FileOnly)
{
m_traceHandleForFirstStream = m_relogger.AddLogfileTraceStream(fileOrSessionName, IntPtr.Zero);
}
else if (type == TraceEventSourceType.Session)
{
m_traceHandleForFirstStream = m_relogger.AddRealtimeTraceStream(fileOrSessionName, IntPtr.Zero);
}
else
{
Debug.Assert(type == TraceEventSourceType.MergeAll);
List <string> logFileNames = ETWTraceEventSource.GetMergeAllLogFiles(fileOrSessionName);
bool first = true;
foreach (var logFileName in logFileNames)
{
var handle = m_relogger.AddLogfileTraceStream(logFileName, IntPtr.Zero);
if (first)
{
m_traceHandleForFirstStream = handle;
first = false;
}
}
}
m_relogger.SetOutputFilename(outputFileName);
m_myCallbacks = new ReloggerCallbacks(this);
m_relogger.RegisterCallback(m_myCallbacks);
m_scratchBufferSize = 0;
m_scratchBuffer = null;
}
public static bool IsSupportedCosmetic(OperatingSystemVersion mininum, OperatingSystemVersion maximum = OperatingSystemVersion.None) => IsSupported(GetVersion(mininum), PreferencesPage.GetCosmeticVersion(), GetVersion(maximum));
public static bool IsSupported(OperatingSystemVersion mininum, OperatingSystemVersion maximum = OperatingSystemVersion.None) => IsSupported(GetVersion(mininum), GetVersion(maximum));
public static Version GetVersion(OperatingSystemVersion version) => version == OperatingSystemVersion.None ? null : _versions[(int)version - 1];
private void Initialize(string fileOrSessionName, TraceEventSourceType type)
{
// Allocate the LOGFILE and structures and arrays that hold them
// Figure out how many log files we have
if (type == TraceEventSourceType.MergeAll)
{
List <string> allLogFiles = GetMergeAllLogFiles(fileOrSessionName);
logFiles = new TraceEventNativeMethods.EVENT_TRACE_LOGFILEW[allLogFiles.Count];
for (int i = 0; i < allLogFiles.Count; i++)
{
logFiles[i].LogFileName = allLogFiles[i];
}
}
else
{
logFiles = new TraceEventNativeMethods.EVENT_TRACE_LOGFILEW[1];
if (type == TraceEventSourceType.FileOnly)
{
logFiles[0].LogFileName = fileOrSessionName;
}
else
{
Debug.Assert(type == TraceEventSourceType.Session);
logFiles[0].LoggerName = fileOrSessionName;
logFiles[0].LogFileMode |= TraceEventNativeMethods.EVENT_TRACE_REAL_TIME_MODE;
IsRealTime = true;
}
}
handles = new ulong[logFiles.Length];
// Fill out the first log file information (we will clone it later if we have multiple files).
logFiles[0].BufferCallback = this.TraceEventBufferCallback;
handles[0] = TraceEventNativeMethods.INVALID_HANDLE_VALUE;
useClassicETW = !OperatingSystemVersion.AtLeast(OperatingSystemVersion.Vista);
if (useClassicETW)
{
IntPtr mem = Marshal.AllocHGlobal(sizeof(TraceEventNativeMethods.EVENT_RECORD));
TraceEventNativeMethods.ZeroMemory(mem, sizeof(TraceEventNativeMethods.EVENT_RECORD));
convertedHeader = (TraceEventNativeMethods.EVENT_RECORD *)mem;
logFiles[0].EventCallback = RawDispatchClassic;
}
else
{
logFiles[0].LogFileMode |= TraceEventNativeMethods.PROCESS_TRACE_MODE_EVENT_RECORD;
logFiles[0].EventCallback = RawDispatch;
}
// We want the raw timestamp because it is needed to match up stacks with the event they go with.
logFiles[0].LogFileMode |= TraceEventNativeMethods.PROCESS_TRACE_MODE_RAW_TIMESTAMP;
// Copy the information to any additional log files
for (int i = 1; i < logFiles.Length; i++)
{
logFiles[i].BufferCallback = logFiles[0].BufferCallback;
logFiles[i].EventCallback = logFiles[0].EventCallback;
logFiles[i].LogFileMode = logFiles[0].LogFileMode;
handles[i] = handles[0];
}
DateTime minSessionStartTimeUTC = DateTime.MaxValue;
DateTime maxSessionEndTimeUTC = DateTime.MinValue + new TimeSpan(1 * 365, 0, 0, 0); // TO avoid roundoff error when converting to QPC add a year.
// Open all the traces
for (int i = 0; i < handles.Length; i++)
{
handles[i] = TraceEventNativeMethods.OpenTrace(ref logFiles[i]);
if (handles[i] == TraceEventNativeMethods.INVALID_HANDLE_VALUE)
{
Marshal.ThrowExceptionForHR(TraceEventNativeMethods.GetHRForLastWin32Error());
}
// Start time is minimum of all start times
DateTime logFileStartTimeUTC = SafeFromFileTimeUtc(logFiles[i].LogfileHeader.StartTime);
DateTime logFileEndTimeUTC = SafeFromFileTimeUtc(logFiles[i].LogfileHeader.EndTime);
if (logFileStartTimeUTC < minSessionStartTimeUTC)
{
minSessionStartTimeUTC = logFileStartTimeUTC;
}
// End time is maximum of all start times
if (logFileEndTimeUTC > maxSessionEndTimeUTC)
{
maxSessionEndTimeUTC = logFileEndTimeUTC;
}
// TODO do we even need log pointer size anymore?
// We take the max pointer size.
if ((int)logFiles[i].LogfileHeader.PointerSize > pointerSize)
{
pointerSize = (int)logFiles[i].LogfileHeader.PointerSize;
}
}
_QPCFreq = logFiles[0].LogfileHeader.PerfFreq;
if (_QPCFreq == 0)
{
_QPCFreq = Stopwatch.Frequency;
}
// Real time providers don't set this to something useful
if ((logFiles[0].LogFileMode & TraceEventNativeMethods.EVENT_TRACE_REAL_TIME_MODE) != 0)
{
DateTime nowUTC = DateTime.UtcNow;
long nowQPC = QPCTime.GetUTCTimeAsQPC(nowUTC);
_syncTimeQPC = nowQPC;
_syncTimeUTC = nowUTC;
sessionStartTimeQPC = nowQPC - _QPCFreq / 10; // Subtract 1/10 sec to keep now and nowQPC in sync.
sessionEndTimeQPC = long.MaxValue; // Represents infinity.
Debug.Assert(SessionStartTime < SessionEndTime);
}
else
{
_syncTimeUTC = minSessionStartTimeUTC;
// UTCDateTimeToQPC is actually going to give the wrong value for these because we have
// not set _syncTimeQPC, but will be adjusted when we see the event Header and know _syncTypeQPC.
sessionStartTimeQPC = this.UTCDateTimeToQPC(minSessionStartTimeUTC);
sessionEndTimeQPC = this.UTCDateTimeToQPC(maxSessionEndTimeUTC);
}
Debug.Assert(_QPCFreq != 0);
if (pointerSize == 0) // Real time does not set this (grrr).
{
pointerSize = sizeof(IntPtr);
Debug.Assert((logFiles[0].LogFileMode & TraceEventNativeMethods.EVENT_TRACE_REAL_TIME_MODE) != 0);
}
Debug.Assert(pointerSize == 4 || pointerSize == 8);
cpuSpeedMHz = (int)logFiles[0].LogfileHeader.CpuSpeedInMHz;
numberOfProcessors = (int)logFiles[0].LogfileHeader.NumberOfProcessors;
// We ask for raw timestamps, but the log file may have used system time as its raw timestamp.
// SystemTime is like a QPC time that happens 10M times a second (100ns).
// ReservedFlags is actually the ClockType 0 = Raw, 1 = QPC, 2 = SystemTimne 3 = CpuTick (we don't support)
if (logFiles[0].LogfileHeader.ReservedFlags == 2) // If ClockType == EVENT_TRACE_CLOCK_SYSTEMTIME
{
_QPCFreq = 10000000;
}
Debug.Assert(_QPCFreq != 0);
int ver = (int)logFiles[0].LogfileHeader.Version;
osVersion = new Version((byte)ver, (byte)(ver >> 8));
// Logic for looking up process names
processNameForID = new Dictionary <int, string>();
var kernelParser = new KernelTraceEventParser(this, KernelTraceEventParser.ParserTrackingOptions.None);
kernelParser.ProcessStartGroup += delegate(ProcessTraceData data)
{
// Get just the file name without the extension. Can't use the 'Path' class because
// it tests to make certain it does not have illegal chars etc. Since KernelImageFileName
// is not a true user mode path, we can get failures.
string path = data.KernelImageFileName;
int startIdx = path.LastIndexOf('\\');
if (0 <= startIdx)
{
startIdx++;
}
else
{
startIdx = 0;
}
int endIdx = path.LastIndexOf('.');
if (endIdx <= startIdx)
{
endIdx = path.Length;
}
processNameForID[data.ProcessID] = path.Substring(startIdx, endIdx - startIdx);
};
kernelParser.ProcessEndGroup += delegate(ProcessTraceData data)
{
processNameForID.Remove(data.ProcessID);
};
kernelParser.EventTraceHeader += delegate(EventTraceHeaderTraceData data)
{
if (_syncTimeQPC == 0)
{ // In merged files there can be more of these, we only set the QPC time on the first one
// We were using a 'start location' of 0, but we want it to be the timestamp of this events, so we add this to our
// existing QPC values.
_syncTimeQPC = data.TimeStampQPC;
sessionStartTimeQPC += data.TimeStampQPC;
sessionEndTimeQPC += data.TimeStampQPC;
}
};
}
public static bool IsGreaterThan(this OperatingSystem operatingSystem, OperatingSystemVersion version) => operatingSystem.Version.Build > (int)version;
//https://github.com/libyal/winreg-kb/wiki/Application-Compatibility-Cache-key
//https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf
private IAppCompatCache Init(byte[] rawBytes, bool is32, int controlSet)
{
IAppCompatCache appCache = null;
OperatingSystem = OperatingSystemVersion.Unknown;
string signature;
var sigNum = BitConverter.ToUInt32(rawBytes, 0);
//TODO check minimum length of rawBytes and throw exception if not enough data
signature = Encoding.ASCII.GetString(rawBytes, 128, 4);
var log1 = LogManager.GetCurrentClassLogger();
log1.Debug($@"**** Signature {signature}, Sig num 0x{sigNum:X}");
if (sigNum == 0xDEADBEEF) //DEADBEEF, WinXp
{
OperatingSystem = OperatingSystemVersion.WindowsXP;
log1.Debug(@"**** Processing XP hive");
appCache = new WindowsXP(rawBytes, is32, controlSet);
}
else if (sigNum == 0xbadc0ffe)
{
OperatingSystem = OperatingSystemVersion.WindowsVistaWin2k3Win2k8;
appCache = new VistaWin2k3Win2k8(rawBytes, is32, controlSet);
}
else if (sigNum == 0xBADC0FEE) //BADC0FEE, Win7
{
if (is32)
{
OperatingSystem = OperatingSystemVersion.Windows7x86;
}
else
{
OperatingSystem = OperatingSystemVersion.Windows7x64_Windows2008R2;
}
appCache = new Windows7(rawBytes, is32, controlSet);
}
else if (signature == "00ts")
{
OperatingSystem = OperatingSystemVersion.Windows80_Windows2012;
appCache = new Windows8x(rawBytes, OperatingSystem, controlSet);
}
else if (signature == "10ts")
{
OperatingSystem = OperatingSystemVersion.Windows81_Windows2012R2;
appCache = new Windows8x(rawBytes, OperatingSystem, controlSet);
}
else
{
//is it windows 10?
var offsetToEntries = BitConverter.ToInt32(rawBytes, 0);
OperatingSystem = OperatingSystemVersion.Windows10;
if (offsetToEntries == 0x34)
{
OperatingSystem = OperatingSystemVersion.Windows10Creators;
}
signature = Encoding.ASCII.GetString(rawBytes, offsetToEntries, 4);
if (signature == "10ts")
{
appCache = new Windows10(rawBytes, controlSet);
}
}
if (appCache == null)
{
throw new Exception("Unable to determine operating system! Please send the hive to [email protected]");
}
return(appCache);
}
// added computerName argument
private IAppCompatCache Init(byte[] rawBytes, bool is32, int controlSet, string computerName)
{
IAppCompatCache appCache = null;
OperatingSystem = OperatingSystemVersion.Unknown;
string signature;
var sigNum = BitConverter.ToUInt32(rawBytes, 0);
//TODO check minimum length of rawBytes and throw exception if not enough data
signature = Encoding.ASCII.GetString(rawBytes, 128, 4);
if (sigNum == 0xbadc0ffe) // Vista
{
OperatingSystem = OperatingSystemVersion.WindowsVistaWin2k3Win2k8;
appCache = new VistaWin2k3Win2k8(rawBytes, is32, controlSet, computerName);
}
else if (sigNum == 0xbadc0fee) // Win7
{
if (is32)
{
OperatingSystem = OperatingSystemVersion.Windows7x86;
}
else
{
OperatingSystem = OperatingSystemVersion.Windows7x64_Windows2008R2;
}
appCache = new Windows7(rawBytes, is32, controlSet, computerName);
}
else if ((signature == "00ts"))
{
OperatingSystem = OperatingSystemVersion.Windows80_Windows2012;
appCache = new Windows8x(rawBytes, OperatingSystem, controlSet, computerName);
}
else if (signature == "10ts")
{
OperatingSystem = OperatingSystemVersion.Windows81_Windows2012R2;
appCache = new Windows8x(rawBytes, OperatingSystem, controlSet, computerName);
}
else
{
//is it windows 10?
var offsetToEntries = BitConverter.ToInt32(rawBytes, 0);
OperatingSystem = OperatingSystemVersion.Windows10;
if (offsetToEntries == 0x34)
{
OperatingSystem = OperatingSystemVersion.Windows10Creators;
}
signature = Encoding.ASCII.GetString(rawBytes, offsetToEntries, 4);
if ((signature == "10ts"))
{
appCache = new Windows10(rawBytes, controlSet, computerName);
}
}
if (appCache == null)
{
throw new Exception("Unable to determine operating system...");
}
return(appCache);
}
