internal EventType(EtwNativeEvent evt)
{
ProviderId = evt.ProviderId;
EventId = evt.Id;
Opcode = evt.Opcode;
Version = evt.Version;
}
static void CustomCallback(EtwNativeEvent evt)
{
if (evt.Id != 11)
{
return;
}
evt.ReadUInt32(); // skip PID
uint size = evt.ReadUInt32();
uint daddr = evt.ReadUInt32();
lock (_lock)
{
StatisticsBucket bucket = null;
if (!_statistics.TryGetValue(daddr, out bucket))
{
bucket = new StatisticsBucket {
Total = size
};
_statistics.Add(daddr, bucket);
return;
}
bucket.Total += size;
}
}
private static Envelope ParseV1(EtwNativeEvent etwNativeEvent)
{
// EventId is one. This is a log written using EventSource Byte Array logging support.
// Reading like this ensures that if exception is thrown, we know what failed
long occurenceFileTimeUtc = etwNativeEvent.ReadInt64();
long receiveFileTimeUtc = etwNativeEvent.ReadInt64();
string protocol = etwNativeEvent.ReadUnicodeString();
string source = etwNativeEvent.ReadUnicodeString();
string manifestId = etwNativeEvent.ReadUnicodeString();
uint eventPayloadLength = etwNativeEvent.ReadUInt32(); // There is a side-effect being used here with the binary length.
etwNativeEvent.ReadInt32(); // EventSource based byte array writer actually stores the byte array length here. Skip 4 bytes to account for it.
byte[] eventPayload = etwNativeEvent.ReadBytes();
return(new Envelope(
occurenceFileTimeUtc >= 0
? DateTimeOffset.FromFileTime(occurenceFileTimeUtc)
: DateTimeOffset.MinValue,
receiveFileTimeUtc >= 0
? DateTimeOffset.FromFileTime(receiveFileTimeUtc)
: DateTimeOffset.MinValue,
protocol,
source,
manifestId,
eventPayload,
null));
}
private static BinaryEnvelope ParseV1(EtwNativeEvent etwNativeEvent)
{
// EventId is one. This is a log written using EventSource Byte Array logging support.
// Reading like this ensures that if exception is thrown, we know what failed
long occurenceFileTimeUtc = etwNativeEvent.ReadInt64();
long receiveFileTimeUtc = etwNativeEvent.ReadInt64();
string protocol = etwNativeEvent.ReadUnicodeString();
string source = etwNativeEvent.ReadUnicodeString();
string manifestId = etwNativeEvent.ReadUnicodeString();
uint eventPayloadLength = etwNativeEvent.ReadUInt32(); // There is a side-effect being used here with the binary length.
etwNativeEvent.ReadInt32(); // EventSource based byte array writer actually stores the byte array length here. Skip 4 bytes to account for it.
byte[] eventPayload = etwNativeEvent.ReadBytes();
return(new BinaryEnvelope
{
ActivityId = etwNativeEvent.ActivityId,
OccurenceFileTimeUtc = occurenceFileTimeUtc,
ReceiveFileTimeUtc = receiveFileTimeUtc,
Protocol = protocol,
Source = source,
PayloadId = manifestId,
EventPayload = eventPayload,
EventPayloadLength = eventPayloadLength
});
}
private void ReadProcessStopEvent(ref EtwNativeEvent traceEvent)
{
switch (traceEvent.Version)
{
case 0:
case 1:
// Both version 0 and version 1 have the same initial fields:
//
// <data name="ProcessID" inType="win:UInt32" outType="win:PID"></data>
// <data name="CreateTime" inType="win:FILETIME" outType="xs:dateTime"></data>
// <data name="ExitTime" inType="win:FILETIME" outType="xs:dateTime"></data>
// <data name="ExitCode" inType="win:UInt32" outType="xs:unsignedInt"></data>
EventHandler <ProcessEventArgs> handler = this.ProcessStopped;
if (handler != null)
{
int processId = (int)traceEvent.ReadUInt32();
traceEvent.ReadFileTime(); // ignore
DateTime exitTime = traceEvent.ReadFileTime();
int exitCode = (int)traceEvent.ReadUInt32();
ProcessEventArgs e = new ProcessEventArgs()
{
ExitCode = exitCode,
Id = processId,
Timestamp = exitTime
};
handler(this, e);
}
break;
}
}
private void ReadProcessStartEvent(ref EtwNativeEvent traceEvent)
{
if (traceEvent.Version == 0)
{
// <data name="ProcessID" inType="win:UInt32" outType="win:PID"></data>
// <data name="CreateTime" inType="win:FILETIME" outType="xs:dateTime"></data>
// <data name="ParentProcessID" inType="win:UInt32" outType="win:PID"></data>
// <data name="SessionID" inType="win:UInt32" outType="xs:unsignedInt"></data>
// <data name="ImageName" inType="win:UnicodeString" outType="xs:string"></data>
EventHandler <ProcessEventArgs> handler = this.ProcessStarted;
if (handler != null)
{
int processId = (int)traceEvent.ReadUInt32();
DateTime createTime = traceEvent.ReadFileTime();
traceEvent.ReadUInt32(); // ignore
traceEvent.ReadUInt32(); // ignore
string imageName = traceEvent.ReadUnicodeString();
ProcessEventArgs e = new ProcessEventArgs()
{
Id = processId,
ImageName = imageName,
Timestamp = createTime
};
handler(this, e);
}
}
}
static void ProduceEvents(IObserver <EtwNativeEvent> input)
{
while (true)
{
fixed(EVENT_RECORD *p = &record)
{
EtwNativeEvent evt = new EtwNativeEvent();
evt.record = p;
input.OnNext(evt);
}
}
}
private void OnNext(EtwNativeEvent traceEvent)
{
// An event is uniquely identified by 3 values -- provider ID, event ID, event version
if (traceEvent.ProviderId == KernelProcessProviderId)
{
switch (traceEvent.Id)
{
case ProcessStartId:
this.ReadProcessStartEvent(ref traceEvent);
break;
case ProcessStopId:
this.ReadProcessStopEvent(ref traceEvent);
break;
}
}
}
private static Envelope ParseV0(EtwNativeEvent etwNativeEvent)
{
// Reading like this ensures that if exception is thrown, we know what failed
long occurenceFileTimeUtc = etwNativeEvent.ReadInt64();
long receiveFileTimeUtc = etwNativeEvent.ReadInt64();
string protocol = etwNativeEvent.ReadUnicodeString();
bool isValid = !(protocol ?? string.Empty).StartsWith(@"rceException: ", StringComparison.OrdinalIgnoreCase);
string source;
string manifestId;
uint eventPayloadLength;
byte[] eventPayload;
if (isValid)
{
source = etwNativeEvent.ReadUnicodeString();
manifestId = etwNativeEvent.ReadUnicodeString();
eventPayloadLength = etwNativeEvent.ReadUInt32(); // There is a side-effect being used here with the binary length.
// Payload overflow events also could be saved with event Id 0
eventPayload = (eventPayloadLength < 65000) ? etwNativeEvent.ReadBytes() : new byte[0];
}
else
{
protocol = string.Empty;
source = string.Empty;
manifestId = string.Empty;
eventPayloadLength = 0;
eventPayload = new byte[0];
}
return(new Envelope(
occurenceFileTimeUtc >= 0
? DateTimeOffset.FromFileTime(occurenceFileTimeUtc)
: DateTimeOffset.MinValue,
receiveFileTimeUtc >= 0
? DateTimeOffset.FromFileTime(receiveFileTimeUtc)
: DateTimeOffset.MinValue,
protocol,
source,
manifestId,
eventPayload,
null));
}
internal EventManifest ParseManifest(EtwNativeEvent etwNativeEvent)
{
EventManifest result = null;
if (etwNativeEvent.ProviderId == this.etwProviderId)
{
switch (etwNativeEvent.Id)
{
case 3:
result = ParseRegularManifest(etwNativeEvent);
break;
case 4:
result = this.ParseChunkedManifest(etwNativeEvent);
break;
}
}
return(result);
}
public void EventTypeStatisticsCallback(EtwNativeEvent evt)
{
EventType evtType = new EventType(evt);
EventStatistics statistics;
if (_baselineStatistics.TryGetValue(evtType, out statistics))
{
statistics.count++;
}
else
{
statistics = new EventStatistics
{
type = evtType,
count = 1,
};
_baselineStatistics.Add(statistics.type, statistics);
};
}
private static EventManifest ParseRegularManifest(EtwNativeEvent etwNativeEvent)
{
// EventId is one. This is a log written using EventSource Byte Array logging support.
// Reading like this ensures that if exception is thrown, we know what failed
long occurenceFileTimeUtc = etwNativeEvent.ReadInt64();
long receiveFileTimeUtc = etwNativeEvent.ReadInt64();
string protocol = etwNativeEvent.ReadUnicodeString();
string source = etwNativeEvent.ReadUnicodeString();
string manifestId = etwNativeEvent.ReadUnicodeString();
string manifest = etwNativeEvent.ReadUnicodeString();
return(new EventManifest
{
ActivityId = etwNativeEvent.ActivityId,
OccurenceFileTimeUtc = occurenceFileTimeUtc,
ReceiveFileTimeUtc = receiveFileTimeUtc,
Protocol = protocol,
Source = source,
ManifestId = manifestId,
Manifest = manifest,
});
}
internal Envelope Parse(EtwNativeEvent etwNativeEvent)
{
Envelope result = null;
if (etwNativeEvent.ProviderId == this.etwProviderId)
{
switch (etwNativeEvent.Id)
{
case 0:
result = ParseV0(etwNativeEvent);
break;
case 1:
result = ParseV1(etwNativeEvent);
break;
case 2:
result = this.ParseV2(etwNativeEvent);
break;
}
}
return(result);
}
private Envelope ParseV2(EtwNativeEvent etwNativeEvent)
{
uint packageId = etwNativeEvent.ReadUInt32();
long occurenceFileTimeUtc = etwNativeEvent.ReadInt64();
long receiveFileTimeUtc = etwNativeEvent.ReadInt64();
string protocol = etwNativeEvent.ReadUnicodeString();
string source = etwNativeEvent.ReadUnicodeString();
string manifestId = etwNativeEvent.ReadUnicodeString();
uint chunkCount = etwNativeEvent.ReadUInt32();
uint currentChunkNumber = etwNativeEvent.ReadUInt32();
uint eventPayloadLength = etwNativeEvent.ReadUInt32(); // There is a side-effect being used here with the binary length.
etwNativeEvent.ReadUInt32();
byte[] eventPayload = etwNativeEvent.ReadBytes();
if (chunkCount == 1)
{
this.eventCache.Clear();
return(new Envelope(
occurenceFileTimeUtc >= 0
? DateTimeOffset.FromFileTime(occurenceFileTimeUtc)
: DateTimeOffset.MinValue,
receiveFileTimeUtc >= 0
? DateTimeOffset.FromFileTime(receiveFileTimeUtc)
: DateTimeOffset.MinValue,
protocol,
source,
manifestId,
eventPayload,
null));
}
else if (chunkCount > currentChunkNumber)
{
if (this.currentEventPackageId != packageId || this.eventCache.Count != currentChunkNumber)
{
this.eventCache.Clear();
this.currentEventPackageId = packageId;
}
this.eventCache.Add(eventPayload);
if (chunkCount == (currentChunkNumber + 1))
{
var payload = ByteArrayHelper.Join(this.eventCache);
this.eventCache.Clear();
return(new Envelope(
occurenceFileTimeUtc >= 0
? DateTimeOffset.FromFileTime(occurenceFileTimeUtc)
: DateTimeOffset.MinValue,
receiveFileTimeUtc >= 0
? DateTimeOffset.FromFileTime(receiveFileTimeUtc)
: DateTimeOffset.MinValue,
protocol,
source,
manifestId,
eventPayload,
null));
}
}
else
{
this.eventCache.Clear();
}
return(null);
}
private EventManifest ParseChunkedManifest(EtwNativeEvent etwNativeEvent)
{
uint packageId = etwNativeEvent.ReadUInt32();
long occurenceFileTimeUtc = etwNativeEvent.ReadInt64();
long receiveFileTimeUtc = etwNativeEvent.ReadInt64();
string protocol = etwNativeEvent.ReadUnicodeString();
string source = etwNativeEvent.ReadUnicodeString();
string manifestId = etwNativeEvent.ReadUnicodeString();
uint chunkCount = etwNativeEvent.ReadUInt32();
uint currentChunkNumber = etwNativeEvent.ReadUInt32();
string manifest = etwNativeEvent.ReadUnicodeString();
if (chunkCount == 1)
{
this.manifestCache.Clear();
return(new EventManifest
{
ActivityId = etwNativeEvent.ActivityId,
OccurenceFileTimeUtc = occurenceFileTimeUtc,
ReceiveFileTimeUtc = receiveFileTimeUtc,
Protocol = protocol,
Source = source,
ManifestId = manifestId,
Manifest = manifest
});
}
else if (chunkCount > currentChunkNumber)
{
if (this.currentManifestPackageId != packageId || this.manifestCache.Count != currentChunkNumber)
{
this.manifestCache.Clear();
this.currentManifestPackageId = packageId;
}
this.manifestCache.Add(manifest);
if (chunkCount == (currentChunkNumber + 1))
{
string payload = string.Join("", this.manifestCache.ToArray());
this.manifestCache.Clear();
return(new EventManifest
{
ActivityId = etwNativeEvent.ActivityId,
OccurenceFileTimeUtc = occurenceFileTimeUtc,
ReceiveFileTimeUtc = receiveFileTimeUtc,
Protocol = protocol,
Source = source,
ManifestId = manifestId,
Manifest = payload,
});
}
}
else
{
this.manifestCache.Clear();
}
return(null);
}
public void EventCountCallback(EtwNativeEvent evt)
{
_eventCount++;
}
private BinaryEnvelope ParseV2(EtwNativeEvent etwNativeEvent)
{
uint packageId = etwNativeEvent.ReadUInt32();
long occurenceFileTimeUtc = etwNativeEvent.ReadInt64();
long receiveFileTimeUtc = etwNativeEvent.ReadInt64();
string protocol = etwNativeEvent.ReadUnicodeString();
string source = etwNativeEvent.ReadUnicodeString();
string manifestId = etwNativeEvent.ReadUnicodeString();
uint chunkCount = etwNativeEvent.ReadUInt32();
uint currentChunkNumber = etwNativeEvent.ReadUInt32();
uint eventPayloadLength = etwNativeEvent.ReadUInt32(); // There is a side-effect being used here with the binary length.
etwNativeEvent.ReadUInt32();
byte[] eventPayload = etwNativeEvent.ReadBytes();
if (chunkCount == 1)
{
this.eventCache.Clear();
return(new BinaryEnvelope
{
ActivityId = etwNativeEvent.ActivityId,
OccurenceFileTimeUtc = occurenceFileTimeUtc,
ReceiveFileTimeUtc = receiveFileTimeUtc,
Protocol = protocol,
Source = source,
PayloadId = manifestId,
EventPayload = eventPayload,
EventPayloadLength = eventPayloadLength
});
}
else if (chunkCount > currentChunkNumber)
{
if (this.currentEventPackageId != packageId || this.eventCache.Count != currentChunkNumber)
{
this.eventCache.Clear();
this.currentEventPackageId = packageId;
}
this.eventCache.Add(eventPayload);
if (chunkCount == (currentChunkNumber + 1))
{
var payload = ByteArrayHelper.Join(this.eventCache);
this.eventCache.Clear();
return(new BinaryEnvelope
{
ActivityId = etwNativeEvent.ActivityId,
OccurenceFileTimeUtc = occurenceFileTimeUtc,
ReceiveFileTimeUtc = receiveFileTimeUtc,
Protocol = protocol,
Source = source,
PayloadId = manifestId,
EventPayload = payload,
EventPayloadLength = unchecked ((uint)(payload.Length)),
});
}
}
else
{
this.eventCache.Clear();
}
return(null);
}