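/// <summary>
/// Applies the category checkboxes to one event: the event name selects the checkbox
/// that governs its category, and <c>ei.IsEventCatHidden</c> is set so the event is
/// hidden whenever that checkbox is not checked.
/// </summary>
/// <param name="ei">Event to filter; only its <c>IsEventCatHidden</c> flag is modified.</param>
/// <returns>
/// <c>true</c> when the event's overall <c>IsHidden</c> value changed as a result of this
/// call (so the caller knows the visible list needs refreshing), otherwise <c>false</c>.
/// </returns>
private bool ApplyFilterCategoryEventToEventItem(EventItem ei)
{
    bool wasHidden = ei.IsHidden;

    // Start on the "Other" checkbox; the switch narrows it for known event names, so
    // anything unrecognised (including a null Event) stays in the Other category.
    var categoryBox = cbCatOther;
    switch (ei.Event)
    {
        // Win32 process creation
        case "CreateProcess":
        case "CreateProcessAsUser":
            categoryBox = cbCatProcess;
            break;

        // Win32 file and directory APIs
        case "CreateFile":
        case "CreateFile2":
        case "CopyFile":
        case "CopyFile2":
        case "CopyFileEx":
        case "CreateHardLink":
        case "CreateSymbolicLink":
        case "DeleteFile":
        case "MoveFile":
        case "MoveFileEx":
        case "ReplaceFile":
        case "FindFirstFile":
        case "FindFirstFileEx":
        case "FindNextFile":
        case "FindClose":
        case "CreateDirectory":
        case "CreateDirectoryEx":
        case "RemoveDirectory":
        case "SetCurrentDirectory":
        case "GetCurrentDirectory":
        case "GetFileAttributes":
        case "SetFileAttributes":
        case "GetFileAttributesEx":
            categoryBox = cbCatFile;
            break;

        // Win32 registry APIs
        case "RegCreateKey":
        case "RegCreateKeyEx":
        case "RegOpenKey":
        case "RegOpenKeyEx":
        case "RegGetValue":
        case "RegQueryValue":
        case "RegQueryValueEx":
        case "RegSetKeyValue":
        case "RegSetValue":
        case "RegSetValueEx":
        case "RegDeleteKey":
        case "RegDeleteKeyEx":
        case "RegDeleteKeyValue":
        case "RegDeleteValue":
        case "RegDeleteTree":
        case "RegCopyTree":
        case "RegEnumKey":
        case "RegEnumKeyEx":
        case "RegEnumValue":
            categoryBox = cbCatReg;
            break;

        // NT level file / object-manager calls
        case "NtCreateFile":
        case "NtOpenFile":
        case "NtCreateDirectoryObject":
        case "NtOpenDirectoryObject":
        case "NtQueryDirectoryObject":
        case "NtOpenSymbolicLinkObject":
        case "NtQuerySymbolicLinkObject":
            categoryBox = cbCatNTFile;
            break;

        // NT level registry calls
        case "NtCreateKey":
        case "NtOpenKey":
        case "NtOpenKeyEx":
        case "NtSetValueKey":
        case "NtQueryValueKey":
            categoryBox = cbCatNTReg;
            break;

        // DLL loading and search-path changes
        case "AddDllDirectory":
        case "LoadLibrary":
        case "LoadLibraryEx":
        case "LoadModule":
        case "LoadPackagedLibrary":
        case "RemoveDllDirectory":
        case "SetDefaultDllDirectories":
        case "SetDllDirectory":
            categoryBox = cbCatDll;
            break;

        // Kernel traces
        case "Process/Start":
        case "Process/Stop":
            categoryBox = cbCatKernelProcess;
            break;

        case "Image/Load":
            categoryBox = cbCatKernelImageLoad;
            break;

        case "FileIO/Query":
        case "FileIO/QueryInfo":
        case "FileIO/Create":
        case "FileIO/FileCreate":
        case "FileIO/Read":
        case "FileIO/Write":
        case "FileIO/Close":
        case "FileIO/Cleanup":
        case "FileIO/OperationEnd":
        case "FileIO/DirEnum":
        case "FileIO/SetInfo":
        case "FileIO/Rename":
        case "FileIO/Delete":
        case "FileIO/FileDelete":
        case "FileIO/Flush":
            categoryBox = cbCatKernelFile;
            break;

        case "DiskIO/Read":
        case "DiskIO/Write":
            categoryBox = cbCatKernelDisk;
            break;

        case "Registry/Open":
        case "Registry/Query":
        case "Registry/QueryValue":
        case "Registry/SetInformation":
        case "Registry/Close":
        case "Registry/Create":
        case "Registry/SetValue":
        case "Registry/EnumerateKey":
        case "Registry/Delete":
        case "Registry/DeleteValue":
        case "Registry/EnumerateValueKey":
            categoryBox = cbCatKernelRegistry;
            break;

        // Windows event log sources
        case "Application":
            categoryBox = cbCatApplicationLog;
            break;

        case "System":
            categoryBox = cbCatSystemLog;
            break;

        default:
            // Unknown event names are governed by the "Other" checkbox.
            categoryBox = cbCatOther;
            break;
    }

    // Compare with true instead of casting: an indeterminate checkbox (IsChecked == null)
    // hides the category rather than throwing InvalidOperationException from the filter.
    ei.IsEventCatHidden = categoryBox.IsChecked != true;

    return ei.IsHidden != wasHidden;
}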
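/// <summary>
/// Applies the result checkboxes to one event: the prefix of <c>ei.Result</c> decides which
/// checkbox governs its visibility and which display class name is stored in
/// <c>ei.EventIsResultClass</c>.
/// </summary>
/// <param name="ei">
/// Event to filter; <c>IsResultHidden</c> and <c>EventIsResultClass</c> are updated in place.
/// </param>
/// <returns>
/// <c>true</c> when the event's overall <c>IsHidden</c> value changed as a result of this
/// call, otherwise <c>false</c>.
/// </returns>
private bool ApplyFilterResultToEventItem(EventItem ei)
{
    bool wasHidden = ei.IsHidden;

    // Result can be null for ETW events whose payload had no "Result" field; treat it as
    // empty so it reaches the catch-all branch instead of throwing NullReferenceException.
    string result = ei.Result ?? "";

    // The prefixes are fixed ASCII tokens, so compare ordinally rather than by the
    // current culture (which is slower and can match unexpectedly).
    if (result.StartsWith("Success", StringComparison.Ordinal))
    {
        // "!= true" hides the event when the box is unchecked or indeterminate (null).
        ei.IsResultHidden = cbSuccesss.IsChecked != true;
        ei.EventIsResultClass = "Normal";
    }
    else if (result.StartsWith("Unknown", StringComparison.Ordinal)
        || result.StartsWith("Indeterminate", StringComparison.Ordinal))
    {
        ei.IsResultHidden = cbIntermediate.IsChecked != true;
        ei.EventIsResultClass = "Warning";
    }
    else if (result.StartsWith("Expected Failure", StringComparison.Ordinal))
    {
        ei.IsResultHidden = cbExpectedFailure.IsChecked != true;
        ei.EventIsResultClass = "Warning";
    }
    else if (result.StartsWith("Failure", StringComparison.Ordinal))
    {
        ei.IsResultHidden = cbFailure.IsChecked != true;
        ei.EventIsResultClass = "Failure";
    }
    else
    {
        // TODO: results with any other prefix are classified "Normal" and keep whatever
        // IsResultHidden value they already had; no checkbox governs them yet.
        ei.EventIsResultClass = "Normal";
    }

    return ei.IsHidden != wasHidden;
}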
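} // ETWTraceInBackground_Start()

/// <summary>
/// Reads one payload field from an ETW event, returning <paramref name="fallback"/> when
/// the field cannot be cast to <typeparamref name="T"/>.
/// </summary>
/// <remarks>
/// Missing or differently typed payload fields are an expected condition for the providers
/// this reader subscribes to, so the failure is swallowed deliberately. Note that a field
/// that is simply absent may come back as <c>null</c> (no exception) for reference types.
/// </remarks>
/// <param name="data">The event whose payload is read.</param>
/// <param name="name">Payload field name.</param>
/// <param name="fallback">Value returned when the field cannot be read as <typeparamref name="T"/>.</param>
private static T PayloadOrDefault<T>(TraceEvent data, string name, T fallback)
{
    try
    {
        return (T)data.PayloadByName(name);
    }
    catch
    {
        // expected possible condition: field absent or of another type
        return fallback;
    }
}

/// <summary>
/// BackgroundWorker body that opens an ETW session for the provider passed in
/// <c>e.Argument</c>, subscribes to every event it emits, and appends each one as an
/// <c>EventItem</c> to <c>_TEventListItems</c> until the session is stopped.
/// </summary>
/// <param name="sender">The <see cref="BackgroundWorker"/> running this handler; progress is reported once per event.</param>
/// <param name="e">Carries the <c>Provider</c> to trace in <c>e.Argument</c>.</param>
/// <exception cref="ArgumentException">
/// <c>e.Argument</c> is not a <c>Provider</c> or <paramref name="sender"/> is not a <see cref="BackgroundWorker"/>.
/// </exception>
private void Eventbgw_DoWork(object sender, DoWorkEventArgs e)
{
    // This runs on a worker thread, not the UI thread.
    Provider etwp = e.Argument as Provider;
    BackgroundWorker worker = sender as BackgroundWorker;
    if (etwp == null)
    {
        throw new ArgumentException("e.Argument must be a Provider", "e");
    }
    if (worker == null)
    {
        throw new ArgumentException("sender must be a BackgroundWorker", "sender");
    }

    // Thread-pool threads are reused and Thread.Name can only be set once, so only name
    // the thread while it is still anonymous (a second run would otherwise throw).
    if (Thread.CurrentThread.Name == null)
    {
        Thread.CurrentThread.Name = "ETWReader";
    }

    using (myTraceEventSession = new TraceEventSession(etwp.name, TraceEventSessionOptions.Create))
    {
        myTraceEventSession.StopOnDispose = true;

        // The dynamic parser raises this for every event the session delivers. Subscribe
        // before enabling the provider so no early events are missed.
        myTraceEventSession.Source.Dynamic.All += delegate(TraceEvent data)
        {
            // Payload field names used by the traced providers; any of them may be absent.
            string operation = PayloadOrDefault(data, "Operation", "");
            string inputs = PayloadOrDefault(data, "Inputs", "");
            string result = PayloadOrDefault(data, "Result", "");
            string outputs = PayloadOrDefault(data, "Outputs", "");
            string caller = PayloadOrDefault(data, "Caller", "");

            // Events without the structured fields carry free text in "Message";
            // surface it as the output column (outputs stays null if that is absent too).
            if (inputs == null && result == null && outputs == null)
            {
                outputs = PayloadOrDefault(data, "Message", outputs);
            }

            Int64 start = PayloadOrDefault(data, "Start", 0L);
            Int64 end = PayloadOrDefault(data, "End", 0L);

            EventItem ei = new EventItem((int)data.EventIndex, start, end, data.TimeStamp,
                data.ProcessName, data.ProcessID, data.ThreadID, data.ProviderName,
                operation, inputs, result, outputs, caller);

            // _TEventListsLock guards the list and the process-id list against
            // concurrent access from other threads.
            lock (_TEventListsLock)
            {
                _TEventListItems.Add(ei);
                AddToProcIDsList(data.ProcessID);
            }
            worker.ReportProgress((int)data.EventIndex);
        };

        EventTraceProviderEnablementResultCode = myTraceEventSession.EnableProvider(etwp.guid);
        if (!EventTraceProviderEnablementResultCode)
        {
            // Workaround kept from the original: a provider left enabled by an earlier
            // run can refuse the first enable, so disable and retry once.
            myTraceEventSession.DisableProvider(etwp.guid);
            EventTraceProviderEnablementResultCode = myTraceEventSession.EnableProvider(etwp.guid);
        }

        // Process() returns when the session is stopped; the result is kept in a field
        // for inspection after the worker completes.
        EventTraceProviderSourceResultCode = myTraceEventSession.Source.Process();
    }
} // Eventbgw_DoWork()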
} // Eventbgw_RunWorkerCompleted()

#region UIFilter

/// <summary>
/// Runs every UI filter (result, event category, process id) against a single event so its
/// hidden flags reflect the current checkbox state. The result and category filters report
/// whether they flipped the event's visibility; that value is not needed here and is dropped.
/// </summary>
/// <param name="ei">Event whose hidden flags are updated in place.</param>
private void AppplyFilterToEventItem(EventItem ei)
{
    this.ApplyFilterResultToEventItem(ei);
    this.ApplyFilterCategoryEventToEventItem(ei);
    this.ApplyFilterProcessIdToEventItem(ei);
}
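} //ETWTraceInBackground_Start_APPS()

/// <summary>
/// Converts one event-log record into an <c>EventItem</c>. The provider's message formatter
/// is used when available; if reading the formatted text or level name throws (provider
/// metadata missing or virtual), a fallback built from the raw level and property values
/// is returned instead.
/// </summary>
/// <param name="eventInstance">The record to convert.</param>
/// <returns>An <c>EventItem</c> tagged with the "Application" category.</returns>
private static EventItem BuildLogEventItem(EventRecord eventInstance)
{
    DateTime et = eventInstance.TimeCreated.GetValueOrDefault();

    // ProcessId/ThreadId are nullable; -1 marks "not recorded" instead of throwing on an
    // unboxing cast (the old fallback path itself crashed on a null ProcessId).
    int processId = eventInstance.ProcessId.HasValue ? eventInstance.ProcessId.Value : -1;
    int threadId = eventInstance.ThreadId.HasValue ? eventInstance.ThreadId.Value : -1;

    // Ticks truncated to int for the index parameter, as the ETW path does with EventIndex.
    int index = (int)et.Ticks;

    try
    {
        return new EventItem(index, et.Ticks, et.Ticks, et,
            eventInstance.ProcessId.ToString(), processId, threadId,
            eventInstance.LogName, "Application", eventInstance.Id.ToString(),
            eventInstance.LevelDisplayName, eventInstance.FormatDescription(), "");
    }
    catch
    {
        // expected: the app provider might be virtual or missing, so the formatter and
        // level names are unavailable; fall back to raw values.
        string leveldisplayname = "";
        switch (eventInstance.Level)
        {
            case 1: leveldisplayname = "Critical"; break;
            case 2: leveldisplayname = "Error"; break;
            case 3: leveldisplayname = "Warning"; break;
            case 4: leveldisplayname = "Information"; break;
            default: break;
        }

        System.Text.StringBuilder details = new System.Text.StringBuilder("Formatter not available. \nDetails:");
        foreach (EventProperty p in eventInstance.Properties)
        {
            // Append(object) writes nothing for a null Value rather than throwing.
            details.Append(p.Value).Append(' ');
        }

        return new EventItem(index, et.Ticks, et.Ticks, et,
            eventInstance.ProcessId.ToString(), processId, threadId,
            eventInstance.LogName, "Application", eventInstance.Id.ToString(),
            leveldisplayname, details.ToString(), "");
    }
}

/// <summary>
/// BackgroundWorker body that tails a Windows event log: it first bookmarks the current end
/// of the log named by <c>e.Argument</c>, then polls once per second for newer records and
/// reports each one as an <c>EventItem</c> through <c>worker.ReportProgress</c>.
/// </summary>
/// <param name="sender">The <see cref="BackgroundWorker"/> running this handler.</param>
/// <param name="e">Carries the log name to read in <c>e.Argument</c>.</param>
/// <remarks>
/// Any exception (including an inaccessible or nonexistent log) ends collection quietly;
/// the only signal to the rest of the application is that <c>WaitingForEventStart_APPS</c>
/// is cleared. Readers are disposed on every exit path, which the original did not guarantee.
/// </remarks>
private void ETWTraceInBackground_DoWork_APPS(object sender, DoWorkEventArgs e)
{
    // This runs on a worker thread, not the UI thread.
    int count = 0;
    string etwclass = e.Argument as string;
    BackgroundWorker worker = sender as BackgroundWorker;

    // Thread-pool threads are reused and Thread.Name can only be set once, so only name
    // the thread while it is still anonymous (a second run would otherwise throw).
    if (Thread.CurrentThread.Name == null)
    {
        Thread.CurrentThread.Name = "ETWReaderAPPS";
    }
    //Thread.CurrentThread.Priority = ThreadPriority.BelowNormal;

    try
    {
        // Level 0 is "LogAlways"; everything above it carries a real severity.
        string sQuery = "*[System/Level>0]";
        EventLogQuery Q_Operational = new EventLogQuery(etwclass, PathType.LogName, sQuery);

        // Seek to the end and drain any remaining records so the bookmark marks the last
        // existing entry; only records written after this point are reported.
        EventBookmark Ev_OperationalBookmark = null;
        using (EventLogReader bookmarkReader = new EventLogReader(Q_Operational))
        {
            bookmarkReader.Seek(System.IO.SeekOrigin.End, 0);
            for (EventRecord eventInstance = bookmarkReader.ReadEvent(); eventInstance != null; eventInstance = bookmarkReader.ReadEvent())
            {
                Ev_OperationalBookmark = eventInstance.Bookmark;
            }
        }

        WaitingForEventStart_APPS = false;
        worker.ReportProgress(count++);

        while (!worker.CancellationPending && !PleaseStopCollecting)
        {
            Thread.Sleep(1000);

            // Re-open from the bookmark each poll so only new records are returned,
            // advancing the bookmark as they are consumed.
            using (EventLogReader tailReader = new EventLogReader(Q_Operational, Ev_OperationalBookmark))
            {
                for (EventRecord eventInstance = tailReader.ReadEvent(); eventInstance != null; eventInstance = tailReader.ReadEvent())
                {
                    Ev_OperationalBookmark = eventInstance.Bookmark;
                    worker.ReportProgress(count++, BuildLogEventItem(eventInstance));
                }
            }
        }
    }
    catch
    {
        // Deliberate best-effort: a missing or unreadable log ends collection; clear the
        // flag so the UI stops waiting for the start signal.
        WaitingForEventStart_APPS = false;
    }
} // ETWTraceInBackground_DoWork_APPS()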