/// <summary>
/// Dispatches a single trace event to the WMI activity callbacks.
/// </summary>
/// <remarks>
/// Buffered start events are flushed first (see <c>ProcessEventsFromAutoLoggerFirst</c>), so subscribers of
/// <c>OnWMIOperationStart</c> receive those before anything raised for <paramref name="data"/>.
/// Events from any provider other than the WMI activity provider are ignored.
/// </remarks>
/// <param name="data">Event to inspect. It is dereferenced without a null check.</param>
public void Parse(TraceEvent data)
{
    // Always drain the backlog, even when the current event turns out to be from another provider.
    ProcessEventsFromAutoLoggerFirst();

    if (data.ProviderName != WMIProviderDefinitions.WMI_Activity_Provider_Name)
    {
        return;
    }

    switch ((int)data.ID)
    {
        case WMIProviderDefinitions.WMI_Activity_Start:
            // The third constructor argument is passed as null here, as in the original call.
            OnWMIOperationStart?.Invoke(new WMIStart(data, mySource, null));
            break;

        case WMIProviderDefinitions.WMI_Activity_Disconnect:
            // A disconnect event is reported through the "operation stop" callback.
            OnWMIOperationStop?.Invoke(new WmiDisconnect(data));
            break;

        case WMIProviderDefinitions.WMI_Activity_ExecAsync:
            OnWMIExecAsync?.Invoke(new WmiExecAsync(data));
            break;

        // Transfer events and every other event id are recognised but deliberately produce no callback.
        case WMIProviderDefinitions.WMI_Activity_Transfer:
        default:
            break;
    }
}
/// <summary>
/// Raises <c>OnWMIOperationStart</c> for every buffered WMI start event and then empties the buffer.
/// </summary>
/// <remarks>
/// The AutoLogger session has no kernel session attached, so its events carry only raw process ids.
/// To work around that, the client process command line is filled in from the processes the
/// realtime session still knows about.
/// </remarks>
private void ProcessEventsFromAutoLoggerFirst()
{
    if (myUnprocessedEvents == null || myUnprocessedEvents.Count == 0)
    {
        return;
    }

    foreach (WMIStart pending in myUnprocessedEvents)
    {
        // NOTE(review): the lookup matches on process id alone. If the original client has exited and
        // its id was reused, the command line attached here could belong to a different process.
        // Confirm whether a start-time comparison is needed before relying on it for attribution.
        TraceProcess match = mySource?.TraceLog.Processes.FirstOrDefault(p => p.ProcessID == pending.ClientProcessId);

        // With no match (or no source) ClientProcess is left as it was; the event is still forwarded.
        if (match != null)
        {
            pending.ClientProcess = match.CommandLine;
        }

        OnWMIOperationStart?.Invoke(pending);
    }

    // Reached only if no subscriber threw; otherwise the buffered events stay queued.
    myUnprocessedEvents.Clear();
}