/// <summary>
/// Opens the kernel ETW session for the requested event groups and starts a
/// background thread that dispatches the incoming events to this instance's handlers.
/// </summary>
/// <param name="elements">
/// Event groups to trace. The value is cast directly to
/// <see cref="KernelTraceEventParser.Keywords"/>, so its bits must line up with that enum.
/// </param>
/// <param name="includeInit">
/// Stored in <c>_includeInit</c>; SetupCallbacks reads it to decide whether the
/// ProcessDCStart/ProcessDCStop handlers are attached.
/// </param>
public void Start(TraceElements elements, bool includeInit)
{
    _includeInit = includeInit;

    // NOTE(review): KernelSessionName is the single, machine-wide kernel logger name.
    // Opening it presumably needs an elevated process and may take over a session that
    // another tool already owns under the same name. Confirm how callers handle both.
    var session = new TraceEventSession(KernelTraceEventParser.KernelSessionName);
    session.BufferSizeMB = 128;
    session.CpuSampleIntervalMSec = 10;
    _session = session;

    // No validation of the caller's flags: whatever bits are set are handed to the provider.
    // The return value of EnableKernelProvider is not inspected.
    var keywords = (KernelTraceEventParser.Keywords)elements;
    _session.EnableKernelProvider(keywords);

    // Runs on the worker thread: build the parser, attach handlers, then block in Process().
    // The fields are read when the thread runs, not captured at the time Start is called.
    ThreadStart pump = () =>
    {
        _parser = new KernelTraceEventParser(_session.Source);
        SetupCallbacks(elements);
        _session.Source.Process();
    };

    // NOTE(review): the consumer runs at the lowest priority. On a busy host the
    // real-time buffers can presumably fill faster than they are drained, which would
    // leave gaps in the telemetry. Consider surfacing the session's lost-event count.
    _processingThread = new Thread(pump)
    {
        Priority = ThreadPriority.Lowest,
        IsBackground = true
    };
    _processingThread.Start();
}
/// <summary>
/// Subscribes this instance's handlers to the kernel parser events that
/// correspond to the flags set in <paramref name="elements"/>.
/// </summary>
/// <param name="elements">Event groups whose parser events should be wired up.</param>
private void SetupCallbacks(TraceElements elements)
{
    bool wantProcesses = elements.HasFlag(TraceElements.Process);
    bool wantThreads = elements.HasFlag(TraceElements.Thread);
    bool wantRegistry = elements.HasFlag(TraceElements.Registry);

    if (wantProcesses)
    {
        _parser.ProcessStart += OnProcessStart;

        if (_includeInit)
        {
            _parser.ProcessDCStart += OnProcessDCStart;

            // NOTE(review): DCStop looks like the rundown record for processes that are
            // still alive when the session ends, yet it is forwarded as ProcessExited.
            // Confirm consumers do not read it as a real termination.
            _parser.ProcessDCStop += evt =>
            {
                // The event is cloned before it leaves the callback, presumably because
                // the parser reuses the original instance after the callback returns.
                ProcessTrace?.Invoke((ProcessTraceData)evt.Clone(), EventType.ProcessExited);
            };
        }

        _parser.ProcessStop += OnProcessStop;
    }

    if (wantThreads)
    {
        _parser.ThreadStart += OnThreadStart;
        _parser.ThreadStop += OnThreadStop;
    }

    if (wantRegistry)
    {
        // Only key create and key open are forwarded; this method subscribes to no
        // other registry operation.
        _parser.RegistryCreate += OnRegistryCreate;
        _parser.RegistryOpen += evt =>
        {
            RegistryTrace?.Invoke((RegistryTraceData)evt.Clone(), EventType.RegistryOpenKey);
        };
    }
}