/// <summary>
/// Ctrl+C handler: shuts down the static trace <c>T</c> and provider <c>P</c>.
/// Teardown failures are written to the console instead of propagating, because the
/// process is already exiting and a second exception would only hide the first.
/// </summary>
/// <param name="sender">Event source (not used).</param>
/// <param name="e">Cancel-key details (not used).</param>
private static void Console_CancelKeyPress(object sender, ConsoleCancelEventArgs e)
{
    try
    {
        // Stop the session before releasing it so it is not left open on the OS
        // (trace sessions are a limited resource and must otherwise be cleaned up by hand).
        T.Stop();
        T.Dispose();
        P.Dispose();
    }
    catch (Exception ex)
    {
        Console.WriteLine(ex.Message);
    }
}
/// <summary>
/// Registers a Ctrl+C handler that stops <paramref name="trace"/>.
/// Register it before calling <c>trace.Start()</c>: Start() blocks the calling thread
/// (the thread is donated to ETW for event processing), so nothing after it would run.
/// </summary>
/// <param name="trace">Trace to stop on Ctrl+C; a null trace is silently ignored.</param>
public static void SetupCtrlC(UserTrace trace)
{
    Console.CancelKeyPress += (sender, eventArg) =>
    {
        if (trace == null)
        {
            return;
        }

        Console.WriteLine("Ctrl+C detected, killing trace.");

        // Stop() matters: the OS permits only a limited number of trace sessions.
        // A session left open by a killed process has to be cleaned up manually —
        // stop and delete it under Computer Management > Performance >
        // "Event Trace Sessions" — or by restarting the machine.
        trace.Stop();
    };
}
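/// <summary>
/// Traces DNS client activity (Microsoft-Windows-DNS-Client events 3018 and 3020) and
/// prints one line per event: unix-epoch seconds, event id, query name, query results.
/// Blocks in <c>trace.Start()</c> until Ctrl+C.
/// </summary>
/// <param name="args">Unused.</param>
static void Main(string[] args)
{
    var filter = new EventFilter(Filter.EventIdIs(3018).Or(Filter.EventIdIs(3020)));

    // Hoisted out of the callback; also marked Utc so the subtraction is unambiguous.
    var unixEpoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    filter.OnEvent += (IEventRecord r) =>
    {
        var query = r.GetUnicodeString("QueryName");
        var result = r.GetUnicodeString("QueryResults");

        // long, not int: seconds since 1970 overflow a 32-bit int in 2038.
        long secondsSinceEpoch = (long)(DateTime.UtcNow - unixEpoch).TotalSeconds;

        // QueryName/QueryResults come from network-driven DNS activity; treat them as
        // untrusted text (e.g. escape newlines) if this output feeds a log pipeline.
        Console.WriteLine($"{secondsSinceEpoch} | {r.Id} | {query} | {result}");
    };

    var provider = new Provider("Microsoft-Windows-DNS-Client");
    provider.AddFilter(filter);

    var trace = new UserTrace();
    trace.Enable(provider);

    // Registered before Start(), which blocks this thread.
    Console.CancelKeyPress += (sender, eventArg) =>
    {
        if (trace != null)
        {
            trace.Stop();
        }
    };

    trace.Start();
}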
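/// <summary>
/// Watches Microsoft-Windows-Kernel-Process image-load events (event id 5) and reports
/// every process that loads mscoree.dll, i.e. starts the .NET runtime.
/// Blocks in <c>trace.Start()</c> until Ctrl+C.
/// </summary>
/// <param name="args">Unused.</param>
static void Main(string[] args)
{
    var trace = new UserTrace();

    var processProvider = new Provider("Microsoft-Windows-Kernel-Process");
    processProvider.All = 0x40; // Enable the WINEVENT_KEYWORD_IMAGE flag.

    var filter = new EventFilter(Filter.EventIdIs(5));
    filter.OnEvent += (record) =>
    {
        var dllName = record.GetUnicodeString("ImageName", "<UNKNOWN>");

        // Ordinal, case-insensitive match. ToLower() + EndsWith(string) was a
        // culture-sensitive comparison and could behave differently per locale.
        if (!dllName.EndsWith("mscoree.dll", StringComparison.OrdinalIgnoreCase))
        {
            return;
        }

        var pid = record.GetUInt32("ProcessID", 0);
        var processName = string.Empty;
        try
        {
            // Best-effort: the process may already have exited (GetProcessById throws
            // for an unknown PID), and a reused PID could resolve to a different process
            // than the one that loaded the image — the name is informational only.
            processName = System.Diagnostics.Process.GetProcessById((int)pid).ProcessName;
        }
        catch (Exception)
        {
            // Leave processName empty; the PID and image are still reported below.
        }

        Console.WriteLine($"{processName} (PID: {pid}) loaded .NET runtime ({dllName})");
    };

    processProvider.AddFilter(filter);
    trace.Enable(processProvider);

    // Registered before Start(), which blocks this thread.
    Console.CancelKeyPress += (sender, eventArg) =>
    {
        if (trace != null)
        {
            trace.Stop();
        }
    };

    trace.Start();
}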
/// <summary>
/// Stops the underlying trace if it is running. Serialized with the other state
/// changes through <c>_sync</c>; calling it on an already-stopped trace is a no-op.
/// </summary>
internal void Stop()
{
    lock (_sync)
    {
        if (_isRunning)
        {
            _trace.Stop();
            // Reset() presumably returns the wrapper to its pre-Start state — confirm in its definition.
            Reset();
            _isRunning = false;
        }
    }
}
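/// <summary>
/// Manual test harness: counts PowerShell "Started" method-invocation events (event id 7937)
/// while <c>PrintStats</c> runs on a pool thread, lets the operator restart the trace once
/// with a key press, and exits once the stats loop observes Ctrl+C.
/// </summary>
/// <param name="args">Unused.</param>
static void Main(string[] args)
{
    var count = 0;
    var cts = new CancellationTokenSource();
    var trace = new UserTrace("MY AWESOME TEST THING");

    //var provider = new RawProvider(EventSource.GetGuid(typeof(TestEventSource)));
    var provider = new Provider(Guid.Parse("{A0C1853B-5C40-4B15-8766-3CF1C58F985A}"));

    // Only pull in method invocations
    var powershellFilter = new EventFilter(Filter.EventIdIs(7937)
        .And(UnicodeString.Contains("Payload", "Started")));

    powershellFilter.OnEvent += e =>
    {
        // Interlocked instead of count++: the callback runs on an ETW-owned thread,
        // so keep the counter exact even if callbacks ever arrive concurrently.
        // "- 1" preserves the original 0-based value that was printed.
        var seen = Interlocked.Increment(ref count) - 1;
        Console.WriteLine($"{e.ProviderName} - {e.Id}: {seen}");
    };
    provider.AddFilter(powershellFilter);

    Console.CancelKeyPress += (s, e) =>
    {
        cts.Cancel();
        trace.Stop();
    };

    trace.Enable(provider);

    var statsLoop = Task.Run(() => PrintStats(trace, cts.Token));

    // trace.Start() blocks, so it is run on the pool; the continuation only reports status.
    Task.Run(() => trace.Start())
        .ContinueWith(t => Console.WriteLine($"Task ended with status {t.Status}"));

    Console.WriteLine("Enter to restart trace");
    Console.ReadKey(); // any key continues, not only Enter

    Task.Run(() => trace.Start())
        .ContinueWith(t => Console.WriteLine($"Task ended with status {t.Status}"));

    Console.WriteLine("Ctrl+C to quit");
    statsLoop.Wait();
    Console.WriteLine("Done");
}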
/// <summary>
/// Traces Microsoft-Windows-RPC event 5 (client RPC call started) and prints the
/// endpoint, protocol and OpNum of each call. Event 6 (server RPC call started) is
/// left commented out. Blocks in <c>trace.Start()</c> until Ctrl+C.
/// </summary>
/// <param name="args">Unused.</param>
static void Main(string[] args)
{
    // Microsoft-Windows-RPC EventID 5 - Client RPC call started
    //                       EventID 6 - Server RPC call started.
    var filter = new EventFilter(
        Filter.EventIdIs(5)
        //.Or(Filter.EventIdIs(6))
    );

    filter.OnEvent += (IEventRecord record) =>
    {
        var endpoint = record.GetUnicodeString("Endpoint");
        var procNum = record.GetUInt32("ProcNum");
        var proto = record.GetUInt32("Protocol");

        Console.WriteLine($"RPC Event {record.Id}");
        Console.WriteLine($"Endpoint: {endpoint}");
        Console.WriteLine($"Protocol {proto,0:X}");
        Console.WriteLine($"OpNum: {procNum}");
    };

    var rpcProvider = new Provider("Microsoft-Windows-RPC");
    rpcProvider.AddFilter(filter);

    var trace = new UserTrace();
    trace.Enable(rpcProvider);

    // Registered before Start(), which blocks this thread.
    Console.CancelKeyPress += (sender, eventArg) =>
    {
        if (trace != null)
        {
            trace.Stop();
        }
    };

    trace.Start();
}
/// <summary>
/// Traces PowerShell method-invocation events (Microsoft-Windows-PowerShell event 7937
/// whose Payload contains "Started") and hands each one to <c>OnEvent</c>.
/// Blocks in <c>trace.Start()</c> until Ctrl+C.
/// </summary>
/// <param name="args">Unused.</param>
static void Main(string[] args)
{
    var trace = new UserTrace();

    // "Microsoft-Windows-PowerShell" is the provider that emits detailed
    // method-execution logging.
    //
    // To browse everything this provider emits, load a trace into
    // Message Analyzer and explore the events there.
    //
    // Download: https://www.microsoft.com/en-us/download/details.aspx?id=44226
    var psProvider = new Provider("Microsoft-Windows-PowerShell");

    var psFilter = new EventFilter(
        Filter.EventIdIs(7937)
        .And(UnicodeString.Contains("Payload", "Started")));
    psFilter.OnEvent += OnEvent;

    // The "Any"/"All" keyword values were worked out with Microsoft Message Analyzer.
    psProvider.Any = 0x20;
    psProvider.AddFilter(psFilter);

    trace.Enable(psProvider);

    // Registered before Start(), which blocks this thread.
    Console.CancelKeyPress += (sender, eventArg) =>
    {
        if (trace != null)
        {
            trace.Stop();
        }
    };

    // Blocking call; Ctrl-C stops it.
    trace.Start();
}