private void RegisterEvents() { m_parser.MethodDCStartInit += e => { // Nothing, currently. AppDomain enumerate technically starts now. }; m_parser.MethodDCStartComplete += e => { if (e.ProcessID != m_processId) { return; } m_session?.Stop(); m_cts.Cancel(); }; m_parser.LoaderAppDomainDCStart += e => { if (e.ProcessID != m_processId) { return; } AppDomains.Add(new AppDomainInfo() { Id = e.AppDomainID, Name = e.AppDomainName, Index = e.AppDomainIndex }); }; }
public void Pause() // deconstructor (really a pauser) of a Monitor class instance { running = false; lock (sessionLock) { // stops TraceEvent session so events aren't being tracked session.Stop(); } // sends an HTTP request with the data stored before pausing monitor // creates object that will store all event instances Metric_List list = new Metric_List(); lock (lockObject) { list.session = instance; list.cpu = CPUVals; list.mem = MemVals; list.exceptions = ExceptionVals; list.requests = RequestVals; list.contentions = ContentionVals; list.gc = GCVals; list.jit = JitVals; // creates new pointers for metric value collections CPUVals = new List <CPU_Usage>(); MemVals = new List <Mem_Usage>(); ExceptionVals = new List <Exceptions>(); RequestVals = new List <Http_Request>(); ContentionVals = new List <Contention>(); GCVals = new List <GC>(); JitVals = new List <Jit>(); } String output; try { output = JsonConvert.SerializeObject(list); // escapes string so that JSON object is interpreted as a single string output = JsonConvert.ToString(output); HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, "api/v1/General"); request.Content = new StringContent(output, System.Text.Encoding.UTF8, "application/json"); // sends POST request to server, containing JSON representation of events try { HttpResponseMessage response = client.SendAsync(request).Result; } catch { } } catch { } }
private void WatchDog(object o) { while (true) { Thread.Sleep(TimeSpan.FromSeconds(1)); if (session.IsActive && DateTime.UtcNow.Subtract( lastTimeEventWasReceivedUtc) > rundownTimeout) { // rundown should be finished by now session.Stop(); break; } } }
internal void Stop() { TraceEventSession.Stop(); Console.CancelKeyPress -= OnConsoleCancelKeyPress; AppDomain.CurrentDomain.ProcessExit -= OnProcessExit; }
private static void BuildEtwProcesses(IEnumerable <ProcessInfo> processesToRun, int degreeOfParallelism) { using (TraceEventSession traceEventSession = new TraceEventSession("ReadyToRunTestSession")) { traceEventSession.EnableProvider(ClrTraceEventParser.ProviderGuid, TraceEventLevel.Verbose, (ulong)(ClrTraceEventParser.Keywords.Jit | ClrTraceEventParser.Keywords.Loader)); using (ReadyToRunJittedMethods jittedMethods = new ReadyToRunJittedMethods(traceEventSession, processesToRun)) { Task.Run(() => { BuildProjects(processesToRun, jittedMethods, degreeOfParallelism); traceEventSession.Stop(); }); } traceEventSession.Source.Process(); } // Append jitted method info to the logs foreach (ProcessInfo processInfo in processesToRun) { if (processInfo.CollectJittedMethods) { using (StreamWriter logWriter = new StreamWriter(processInfo.LogPath, append: true)) { logWriter.WriteLine($"Jitted methods ({processInfo.JittedMethods.Sum(moduleMethodsKvp => moduleMethodsKvp.Value.Count)} total):"); foreach (KeyValuePair <string, HashSet <string> > jittedMethodsPerModule in processInfo.JittedMethods) { foreach (string method in jittedMethodsPerModule.Value) { logWriter.WriteLine(jittedMethodsPerModule.Key + " -> " + method); } } } } } }
public static void StartTrace() { Console.WriteLine("******************** ETW Keylogger ********************"); if (TraceEventSession.IsElevated() != true) { Console.WriteLine("Must be Admin to run this utility."); Debugger.Break(); return; } Console.WriteLine("Press Ctrl-C to stop monitoring."); using (var userSession = new TraceEventSession("ObserveEventSource")) { userSession.StopOnDispose = true; // Set up Ctrl-C to stop trace sessions SetupCtrlCHandler(() => { userSession?.Stop(); }); using (var source = new ETWTraceEventSource("ObserveEventSource", TraceEventSourceType.Session)) { var usb2EventParser = new DynamicTraceEventParser(source); usb2EventParser.All += delegate(TraceEvent data) { byte[] usbPayload = null; if (data.EventData().Length >= 243) { usbPayload = data.EventData().Skip(115).ToArray(); var message = new USBMessage(usbPayload); if (message.Header.Length >= 128 && message.BulkOrInterrupt.Payload != null) { if (ValidatePayload(message.BulkOrInterrupt.Payload)) { try { KeyboardKeymap key = (KeyboardKeymap)message.BulkOrInterrupt.Payload[(byte)PayloadKeys.KeyCode]; KeyboardModifier modifier = (KeyboardModifier)message.BulkOrInterrupt.Payload[(byte)PayloadKeys.Modifier]; Console.WriteLine($"Key modifier: {modifier} - Key pressed: {key} "); Console.WriteLine(BitConverter.ToString(message.BulkOrInterrupt.Payload)); } catch (Exception) { Console.WriteLine("Can't decode keypress"); } } } } }; userSession.EnableProvider(USB2_PROVIDERNAME); userSession.EnableProvider(USB3_PROVIDERNAME); source.Process(); } } }
/// <summary> /// Captures desired events and publish them in an async internal queue. /// <para>The trace session runs in another thread.</para> /// </summary> public void StartWatching(CancellationToken cancellation) { try { Task.Run(() => { Debug.Assert(!string.IsNullOrEmpty(SessionName)); using (var session = new TraceEventSession(SessionName)) { Capture(session); cancellation.Register(() => session.Stop(true)); session.Source.Process(); // Listen (forever) for events } }, cancellation); } catch (TaskCanceledException) { //do nothing, just exit. } catch (Exception) { //TODO: log throw; } }
internal void Stop() { TraceEventSession.Stop(); Console.CancelKeyPress -= OnConsoleCancelKeyPress; NativeWindowsConsoleHelper.OnExit -= OnConsoleCancelKeyPress; }
public void StopWatching() { if (session?.IsActive ?? false) { session?.Stop(); } }
/// <summary> /// Stops the current ETW session. /// </summary> public void Stop() { if (this.eventSource != null) { this.eventSource.StopProcessing(); this.eventSource.Dispose(); this.eventSource = null; } if (this.eventSession != null) { this.eventSession.Stop(true); this.eventSession.Dispose(); this.eventSession = null; } if (TraceEventSession.GetActiveSessionNames().Contains(this.name, StringComparer.OrdinalIgnoreCase)) { using (TraceEventSession session = new TraceEventSession(this.name)) { session.Stop(true); } } this.isStarted = false; }
public static void StartCapture(string newSessionName = null) { if (newSessionName != null) { sessionName = newSessionName; } using (var session = new TraceEventSession(sessionName)) { if (TraceEventSession.IsElevated() != true) { Console.Out.WriteLine("[!] run as admin"); return; } SetupCtrlCHandler(() => { if (session != null) { session.Stop(); } }); session.Source.Dynamic.All += EventCallback; session.EnableProvider(UsbUcx); session.EnableProvider(UsbPort); Console.WriteLine("starting capture ..."); session.Source.Process(); } }
private static void RunTest(TraceEventSession session, string testArguments, out int exitCode) { exitCode = -100; try { using (var process = new Process()) { process.StartInfo.FileName = _coreRunExePath; process.StartInfo.Arguments = _testExe + " " + testArguments; process.StartInfo.UseShellExecute = false; process.Start(); process.OutputDataReceived += delegate(object sender, DataReceivedEventArgs args) { Console.WriteLine(args.Data); }; process.ErrorDataReceived += delegate(object sender, DataReceivedEventArgs args) { Console.WriteLine(args.Data); }; if (process.WaitForExit(DefaultTestTimeOut)) { exitCode = process.ExitCode; } else { // Do our best to kill it if there's a timeout, but if it fails, not much we can do try { process.Kill(); } catch { } Console.WriteLine("Test execution timed out."); exitCode = StatusTestErrorTimeOut; } Console.WriteLine($"Test exited with code {process.ExitCode}"); if (session != null && session.EventsLost > 0) { exitCode = StatusTestErrorEventsLost; Console.WriteLine($"Error - {session.EventsLost} got lost in the nether."); return; } } } finally { // Stop ETL collection on the main thread session?.Stop(); } }
private static BuildTrace TraceChildren(int rootPid) { Dictionary <int, string> subprocessCommandLines = new Dictionary <int, string>(); subprocessCommandLines.Add(rootPid, "root"); var fileWrites = new Dictionary <int, (HashSet <string> set, List <string> list)>(); var fileReads = new Dictionary <int, (HashSet <string> set, List <string> list)>(); fileWrites.Add(rootPid, (new HashSet <string>(), new List <string>())); fileReads.Add(rootPid, (new HashSet <string>(), new List <string>())); var argsFiles = new Dictionary <string, FileStream>(); var lastCreateFileType = new Dictionary <(int pid, string path), CreateFileType>(); using var session = new TraceEventSession("BuildTracer"); Console.CancelKeyPress += (sender, eventArgs) => session.Stop(); Task _ = Task.Run(async() => { await Task.Delay(5000); session.Stop(); }); session.EnableKernelProvider(KernelTraceEventParser.Keywords.Process | KernelTraceEventParser.Keywords.FileIOInit | KernelTraceEventParser.Keywords.FileIO | KernelTraceEventParser.Keywords.DiskFileIO | KernelTraceEventParser.Keywords.VAMap); session.Source.Kernel.ProcessStart += processData => { if (subprocessCommandLines.ContainsKey(processData.ParentID)) { subprocessCommandLines.Add(processData.ProcessID, processData.CommandLine); fileReads.Add(processData.ProcessID, (new HashSet <string>(), new List <string>())); fileWrites.Add(processData.ProcessID, (new HashSet <string>(), new List <string>())); Console.WriteLine($"Start: PID {processData.ProcessID}, Process {processData.ProcessName}, Parent: {processData.ParentID}, Command line: {processData.CommandLine}"); } }; session.Source.Kernel.ProcessStop += processData => { if (subprocessCommandLines.ContainsKey(processData.ParentID)) { // subprocessCommandLines.Remove(processData.ProcessID); Console.WriteLine($"Stop: - PID {processData.ProcessID}, Process {processData.ProcessName}"); } };
private void TraceDotnetFullProcess(int processId) { using var etwSession = new TraceEventSession(WinTraceUserTraceSessionName); // ReSharper disable once AccessToDisposedClosure using var reg = cts.Token.Register(() => etwSession.Stop()); new SystemDiagnosticsTraceEventHandler(processId, traceOutput).Subscribe(etwSession); etwSession.Source.Process(); }
public void Stop() { if (etwSesion != null) { etwSesion.Stop(); } runner = null; etwSesion = null; }
/// <summary> /// Stops event tracing session /// </summary> public static void StopCapture() { if (session != null) { session.Stop(); session.Dispose(); session = null; } }
/// <summary> /// Stop monitoring STUN pings. /// </summary> public static void Stop() { if (!Running) { return; } Running = false; kernelSession.Stop(); }
public bool StopTrace() { mEtwSession.Dispose(); mEtwSession.Stop(); mEtwSession = null; Output.Print("Finished tracing to " + mConfig.EtlOutputFile); return(true); }
/// <summary> /// Turning on providers and creating files /// </summary> private static void DataCollection(string dataFileName) { Out.WriteLine("Collecting 10 seconds of kernel and CLR events to a file, and then printing."); Out.WriteLine(); Out.WriteLine("Start a .NET program while monitoring to see some events!"); Out.WriteLine(); if (TraceEventSession.IsElevated() != true) { Out.WriteLine("Must be elevated (Admin) to run this program."); Debugger.Break(); return; } string kernelDataFileName = Path.ChangeExtension(dataFileName, ".kernel.etl"); // Create one user mode session and one kernel mode session Out.WriteLine("Creating two raw files, one with kernel events and one with clr events."); using (var userSession = new TraceEventSession("MonitorKernelAndClrEventsSession", dataFileName)) using (var kernelSession = new TraceEventSession(KernelTraceEventParser.KernelSessionName, kernelDataFileName)) { // Set up Ctrl-C to stop both user mode and kernel mode sessions Console.CancelKeyPress += delegate(object sender, ConsoleCancelEventArgs cancelArgs) { Out.WriteLine("Insuring all ETW sessions are stopped."); kernelSession.Stop(true); // true means don't throw on error userSession.Stop(true); // true means don't throw on error // Since we don't cancel the Ctrl-C we will terminate the process as normal for Ctrl-C Out.WriteLine("OnCtrl C handler ending."); }; // Enable the events we care about for the kernel in the kernel session // For this instant the session will buffer any incoming events. kernelSession.EnableKernelProvider( KernelTraceEventParser.Keywords.ImageLoad | KernelTraceEventParser.Keywords.Process | KernelTraceEventParser.Keywords.Thread); // Enable the events we care about for the CLR (in the user session). // unlike the kernel session, you can call EnableProvider on other things too. // For this instant the session will buffer any incoming events. userSession.EnableProvider( ClrTraceEventParser.ProviderGuid, TraceEventLevel.Informational, (ulong)(ClrTraceEventParser.Keywords.Default)); Out.WriteLine("Collecting data for 10 seconds (run a .Net program to generate events)."); Thread.Sleep(10000); Out.WriteLine("Stopping sessions"); }// Using clauses will insure that session are disposed (and thus stopped) before Main returns. Out.WriteLine("Merging the raw files into a single '{0}' file.", dataFileName); TraceEventSession.MergeInPlace(dataFileName, Out); Out.WriteLine("Merge complete."); }
/// <summary> /// Turning on providers and creating files /// </summary> static void DataCollection(string dataFileName) { Out.WriteLine("Collecting 10 seconds of kernel and CLR events to a file, and then printing."); Out.WriteLine(); Out.WriteLine("Start a .NET program while monitoring to see some events!"); Out.WriteLine(); if (TraceEventSession.IsElevated() != true) { Out.WriteLine("Must be elevated (Admin) to run this program."); Debugger.Break(); return; } string kernelDataFileName = Path.ChangeExtension(dataFileName, ".kernel.etl"); // Create one user mode session and one kernel mode session Out.WriteLine("Creating two raw files, one with kernel events and one with clr events."); using (var userSession = new TraceEventSession("MonitorKernelAndClrEventsSession", dataFileName)) using (var kernelSession = new TraceEventSession(KernelTraceEventParser.KernelSessionName, kernelDataFileName)) { // Set up Ctrl-C to stop both user mode and kernel mode sessions Console.CancelKeyPress += delegate(object sender, ConsoleCancelEventArgs cancelArgs) { Out.WriteLine("Insuring all ETW sessions are stopped."); kernelSession.Stop(true); // true means don't throw on error userSession.Stop(true); // true means don't throw on error // Since we don't cancel the Ctrl-C we will terminate the process as normal for Ctrl-C Out.WriteLine("OnCtrl C handler ending."); }; // Enable the events we care about for the kernel in the kernel session // For this instant the session will buffer any incoming events. kernelSession.EnableKernelProvider( KernelTraceEventParser.Keywords.ImageLoad | KernelTraceEventParser.Keywords.Process | KernelTraceEventParser.Keywords.Thread); // Enable the events we care about for the CLR (in the user session). // unlike the kernel session, you can call EnableProvider on other things too. // For this instant the session will buffer any incoming events. userSession.EnableProvider( ClrTraceEventParser.ProviderGuid, TraceEventLevel.Informational, (ulong)(ClrTraceEventParser.Keywords.Default)); Out.WriteLine("Collecting data for 10 seconds (run a .Net program to generate events)."); Thread.Sleep(10000); Out.WriteLine("Stopping sessions"); } // Using clauses will insure that session are disposed (and thus stopped) before Main returns. Out.WriteLine("Merging the raw files into a single '{0}' file.", dataFileName); TraceEventSession.MergeInPlace(dataFileName, Out); Out.WriteLine("Merge complete."); }
static void TraceRealTime(int traceDuration) { TraceEventSession session = new TraceEventSession("ILoggerSession"); Task ParserTask = Task.Run(() => { session.Source.Dynamic.All += ParserDelegate; session.EnableProvider("Microsoft-Extensions-Logging", TraceEventLevel.Verbose, ulong.MaxValue, new TraceEventProviderOptions(new String[] { "FilterSpecs", "App*:Information;*" })); session.Source.Process(); }); Thread.Sleep(traceDuration * 1000); session.Stop(); }
static void Main() { // create a real time user mode session using (var session = new TraceEventSession("MySession")) { // use UWP logging channel provider session.EnableProvider(new Guid("01234567-01234-01234-01234-012345678901")); // use the same guid as for your LoggingChannel session.Source.AllEvents += Source_AllEvents; // Set up Ctrl-C to stop the session Console.CancelKeyPress += (object s, ConsoleCancelEventArgs a) => session.Stop(); session.Source.Process(); // Listen (forever) for events } }
private bool disposedValue = false; // To detect redundant calls protected virtual void Dispose(bool disposing) { if (!disposedValue) { if (disposing) { _traceEventSession?.Stop(); _isStarted = false; } disposedValue = true; } }
public void Process() { while (true) { var processing = Task.Run(ProcessData); if (processing.Wait(RestartTime) == false) { FileLogger.Logger.Log("Restarting ETW Monitoring to prevent memory leaks"); myRealtimeSession?.Stop(); myTraceLogSource.Dispose(); processing.Wait(); FileLogger.Logger.Log("Current ETW Monitoring was successfully stopped."); } } }
/// <summary> /// Disable the CLR provider and stop listening to the provider for the two kinds of events. /// </summary> public void DisableILStubSession() { // stop ETW trace session if (!m_isEnabled) { return; } // ILStub Session may not be stopped, if it is alreadly started before the application starts. m_ILStubSession.Stop(); // We need to abort the IL Stub Process Trace thread no matter whether ILStub session is stopped. ExitILStubTraceProcess(); m_isEnabled = false; }
public void Stop() { if (traceSession.IsActive) { var eventsLost = traceSession.EventsLost; Trace.WriteLine($"### Stopping {traceSession.SessionName} session..."); traceSession.Stop(); // This timeout is needed to handle all the DCStop events // (in case we ever are going to do anything about them) Thread.Sleep(1500); Trace.WriteLine($"### {traceSession.SessionName} session stopped. Number of lost events: {eventsLost:#,0}"); } }
public void RichPayloadEventSourceEtwPayloadSerializationTest() { if (IsRunningOnEnvironmentSupportingRichPayloadEventSource()) { var request = new RequestTelemetry() { Name = "TestRequest", Url = new Uri("https://www.example.com/api/test&id=1234"), ResponseCode = "200", Success = true, Duration = TimeSpan.FromTicks(314159) }; request.Context.InstrumentationKey = Guid.NewGuid().ToString(); request.Context.Operation.Name = "TestOperation"; request.Context.Operation.Id = "ABC123"; using (var eventSource = new RichPayloadEventSource($"Microsoft-ApplicationInsights-{nameof(RichPayloadEventSourceEtwPayloadSerializationTest)}")) using (var session = new TraceEventSession($"{nameof(RichPayloadEventSourceEtwPayloadSerializationTest)}")) { session.EnableProvider(eventSource.EventSourceInternal.Guid); session.Source.AllEvents += traceEvent => { var payload = traceEvent.EventData(); var parsedPayload = PayloadParser.ParsePayload(payload); Assert.AreEqual(request.Context.InstrumentationKey, parsedPayload.InstrumentationKey); Assert.AreEqual(request.Context.Operation.Name, parsedPayload.OperationName); Assert.AreEqual(request.Context.Operation.Id, parsedPayload.OperationId); Assert.AreEqual(request.Data.ver, parsedPayload.Version); Assert.AreEqual(request.Data.id, parsedPayload.RequestId); Assert.AreEqual(request.Data.source, parsedPayload.Source); Assert.AreEqual(request.Data.name, parsedPayload.Name); Assert.AreEqual(request.Data.duration, parsedPayload.Duration); }; Task.Run(() => { eventSource.Process(request); session.Stop(); }); session.Source.Process(); } } }
private static void BuildEtwProcesses(int startIndex, int endIndex, int totalCount, List <ProcessInfo> processList, int degreeOfParallelism) { using (TraceEventSession traceEventSession = new TraceEventSession("ReadyToRunTestSession")) { traceEventSession.EnableProvider(ClrTraceEventParser.ProviderGuid, TraceEventLevel.Verbose, (ulong)(ClrTraceEventParser.Keywords.Jit | ClrTraceEventParser.Keywords.Loader)); using (ReadyToRunJittedMethods jittedMethods = new ReadyToRunJittedMethods(traceEventSession, processList, startIndex, endIndex)) { Task.Run(() => { BuildProjects(startIndex, endIndex, totalCount, processList, jittedMethods, degreeOfParallelism); traceEventSession.Stop(); }); } traceEventSession.Source.Process(); } // Append jitted method info to the logs for (int index = startIndex; index < endIndex; index++) { ProcessInfo processInfo = processList[index]; if (processInfo.Parameters.CollectJittedMethods) { using (StreamWriter processLogWriter = new StreamWriter(processInfo.Parameters.LogPath, append: true)) { if (processInfo.JittedMethods != null) { processLogWriter.WriteLine($"Jitted methods ({processInfo.JittedMethods.Sum(moduleMethodsKvp => moduleMethodsKvp.Value.Count)} total):"); foreach (KeyValuePair <string, HashSet <string> > jittedMethodsPerModule in processInfo.JittedMethods) { foreach (string method in jittedMethodsPerModule.Value) { processLogWriter.WriteLine(jittedMethodsPerModule.Key + " -> " + method); } } } else { processLogWriter.WriteLine("Jitted method info not available"); } } } } }
static void ProcStart(string procKeyword) { Console.WriteLine("Waiting for a process containing \"{0}\" to start...", procKeyword); using (var session = new TraceEventSession("KernelSession")) //Change this for OPSEC { session.EnableKernelProvider(KernelTraceEventParser.Keywords.Process); session.Source.Kernel.ProcessStart += delegate(ProcessTraceData data) { if (data.ProcessName.Contains(procKeyword)) { Console.WriteLine($"Detected execution of {data.ProcessName} matching keyword \"{procKeyword}\""); DoEvil(); } }; session.Source.Process(); Console.CancelKeyPress += (object s, ConsoleCancelEventArgs args) => session.Stop(); session.Dispose(); } }
private static void ReadEvents() { using (TraceEventSession session = new TraceEventSession("MySession")) { session.StopOnDispose = true; session.EnableProvider(MyEtwProvider); session.EnableProvider( ClrTraceEventParser.ProviderGuid, TraceEventLevel.Verbose, (ulong)(ClrTraceEventParser.Keywords.GC | ClrTraceEventParser.Keywords.Exception)); session.Source.Clr.GCHeapStats += (GCHeapStatsTraceData data) => Console.WriteLine("GCHeapStats {0}", data.GenerationSize0.ToString("N1")); session.Source.Clr.ExceptionStart += Print; session.Source.Dynamic.All += Print; Task.Run(() => { session.Source.Process(); }); Source.Token.WaitHandle.WaitOne(); session.Stop(true); } }
private static void BuildEtwProcesses(int startIndex, int endIndex, int totalCount, int failureCount, List <ProcessInfo> processList, int degreeOfParallelism, bool measurePerf) { using (TraceEventSession traceEventSession = new TraceEventSession("ReadyToRunTestSession")) { traceEventSession.EnableProvider(ClrTraceEventParser.ProviderGuid, TraceEventLevel.Verbose, (ulong)(ClrTraceEventParser.Keywords.Jit | ClrTraceEventParser.Keywords.Loader)); int warmupRuns = 0; int realRuns = 1; PerfEventSourceListener perfMeasurer = null; if (measurePerf) { Debug.Assert(processList.Count == 1); warmupRuns = 1; realRuns = 5; perfMeasurer = new PerfEventSourceListener(traceEventSession, warmupRuns, realRuns); } using (ReadyToRunJittedMethods jittedMethods = new ReadyToRunJittedMethods(traceEventSession, processList, startIndex, endIndex)) { Task.Run(() => { // Warmup runs if (measurePerf) { Console.WriteLine("Warmup runs:"); for (int run = 0; run < warmupRuns; ++run) { BuildProjects(startIndex, endIndex, totalCount, failureCount, processList, jittedMethods, degreeOfParallelism); } // Wait for all the warmup events to come in before starting the real run so there is no interference perfMeasurer.WaitForWarmupFinished(); Console.WriteLine("Real runs:"); } for (int run = 0; run < realRuns; ++run) { BuildProjects(startIndex, endIndex, totalCount, failureCount, processList, jittedMethods, degreeOfParallelism); } if (measurePerf) { perfMeasurer.PrintPerfResults(); } traceEventSession.Stop(); }); } traceEventSession.Source.Process(); } // Append jitted method info to the logs for (int index = startIndex; index < endIndex; index++) { ProcessInfo processInfo = processList[index]; if (processInfo.Parameters.CollectJittedMethods) { using (StreamWriter processLogWriter = new StreamWriter(processInfo.Parameters.LogPath, append: true)) { if (processInfo.JittedMethods != null) { processLogWriter.WriteLine($"Jitted methods ({processInfo.JittedMethods.Sum(moduleMethodsKvp => moduleMethodsKvp.Value.Count)} total):"); foreach (KeyValuePair <string, HashSet <string> > jittedMethodsPerModule in processInfo.JittedMethods) { foreach (string method in jittedMethodsPerModule.Value) { processLogWriter.WriteLine(jittedMethodsPerModule.Key + " -> " + method); } } } else { processLogWriter.WriteLine("Jitted method info not available"); } } } } }
public static void Run() { Out.WriteLine("******************** ObserveGCEvents DEMO ********************"); Out.WriteLine("This program Demos using the reactive framework (IObservable) to monitor"); Out.WriteLine(".NET Garbage collector (GC) events."); Out.WriteLine(); Out.WriteLine("The program will print a line every time 100K of memory was allocated"); Out.WriteLine("on the GC heap along with the type of the object that 'tripped' the 100K"); Out.WriteLine("sample. It will also print a line every time a GC happened and show "); Out.WriteLine("the sizes of each generation after the GC."); Out.WriteLine(); Out.WriteLine("Run a .NET Program while the monitoring is active to see GC events."); Out.WriteLine(); if (TraceEventSession.IsElevated() != true) { Out.WriteLine("Must be elevated (Admin) to run this method."); Debugger.Break(); return; } var monitoringTimeSec = 10; Out.WriteLine("The monitor will run for a maximum of {0} seconds", monitoringTimeSec); Out.WriteLine("Press Ctrl-C to stop monitoring of GC Allocs"); // create a real time user mode session using (var userSession = new TraceEventSession("ObserveGCAllocs")) { // Set up Ctrl-C to stop the session SetupCtrlCHandler(() => { userSession.Stop(); }); // enable the CLR provider with default keywords (minus the rundown CLR events) userSession.EnableProvider(ClrTraceEventParser.ProviderGuid, TraceEventLevel.Verbose, (ulong)(ClrTraceEventParser.Keywords.GC)); // Create a stream of GC Allocation events (happens every time 100K of allocations happen) IObservable<GCAllocationTickTraceData> gcAllocStream = userSession.Source.Clr.Observe<GCAllocationTickTraceData>(); // Print the outgoing stream to the console gcAllocStream.Subscribe(allocData => Out.WriteLine("GC Alloc : Proc: {0,10} Amount: {1,6:f1}K TypeSample: {2}", GetProcessName(allocData.ProcessID), allocData.AllocationAmount / 1000.0, allocData.TypeName)); // Create a stream of GC Collection events IObservable<GCHeapStatsTraceData> gcCollectStream = userSession.Source.Clr.Observe<GCHeapStatsTraceData>(); // Print the outgoing stream to the console gcCollectStream.Subscribe(collectData => Out.WriteLine("GC Collect: Proc: {0,10} Gen0: {1,6:f1}M Gen1: {2,6:f1}M Gen2: {3,6:f1}M LargeObj: {4,6:f1}M", GetProcessName(collectData.ProcessID), collectData.GenerationSize0 / 1000000.0, collectData.GenerationSize1 / 1000000.0, collectData.GenerationSize2 / 1000000.0, collectData.GenerationSize3 / 1000000.0)); IObservable<long> timer = Observable.Timer(new TimeSpan(0, 0, monitoringTimeSec)); timer.Subscribe(delegate { Out.WriteLine("Stopped after {0} sec", monitoringTimeSec); userSession.Dispose(); }); // OK we are all set up, time to listen for events and pass them to the observers. userSession.Source.Process(); } Out.WriteLine("Done with program."); }
public static void CloseDuplicateTraceSession(string sessionName) { InternalLogger.Write.ConflictingTraceSessionFound(sessionName); TraceEventSession s = null; try { // we can't control this session so we need to stop it s = new TraceEventSession(sessionName); // might throw if it's in the midst of being shut down s.Stop(); } catch (FileNotFoundException) { // well, okay, then it's probably gone now. } finally { if (s != null) { s.Dispose(); } } // Now we enter a brief waiting period to make sure it dies. We must do this because ControlTrace() // (the underlying win32 API) is asynchronous and our request to terminate the session may take // a small amount of time to complete. if (!WaitForSessionChange(sessionName, false)) { InternalLogger.Write.ConflictingTraceSessionStuck(sessionName); throw new OperationCanceledException("could not tear down existing trace session"); } }
public static void Run() { Out.WriteLine("******************** ObserveEventSource DEMO ********************"); Out.WriteLine("This program Demos using the reactive framework (IObservable) to monitor"); Out.WriteLine("EventSource events in real time, parsing their payloads dynamically."); Out.WriteLine(); Out.WriteLine("The program has an EventSource that generates two kinds of events for 10 secs."); Out.WriteLine("while another part of the program reads them using IObservables and prints"); Out.WriteLine("their parsed payload values. "); Out.WriteLine(); if (TraceEventSession.IsElevated() != true) { Out.WriteLine("Must be elevated (Admin) to run this method."); Debugger.Break(); return; } var monitoringTimeSec = 15; Out.WriteLine("The monitor will run for a maximum of {0} seconds", monitoringTimeSec); Out.WriteLine("Press Ctrl-C to stop monitoring."); // create a real time user mode session using (var userSession = new TraceEventSession("ObserveEventSource")) { // Set up Ctrl-C to stop both user mode and kernel mode sessions SetupCtrlCHandler(() => { if (userSession != null) userSession.Stop(); }); // Turn on the Microsoft-Demos-SimpleMonitor provider userSession.EnableProvider("Microsoft-Demos-SimpleMonitor"); // Create a stream of the 'MyFirstEvent' event source events and print their payloads IObservable<TraceEvent> firstEventStream = userSession.Source.Dynamic.Observe("Microsoft-Demos-SimpleMonitor", "MyFirstEvent"); firstEventStream.Subscribe(onNext: ev => Out.WriteLine("FIRST_EVENTS : MyName: '{0}' MyId: {1}", ev.PayloadByName("MyName"), ev.PayloadByName("MyId"))); // Create a stream of the 'MySecond'Event' event source events and print their payloads IObservable<TraceEvent> secondEventStream = userSession.Source.Dynamic.Observe("Microsoft-Demos-SimpleMonitor", "MySecondEvent"); secondEventStream.Subscribe(onNext: ev => Out.WriteLine("SECOND_EVENTS : MyId: {0}", ev.PayloadByName("MyId"))); // For debugging purposes, print every event from the SimpleMonitor stream IObservable<TraceEvent> allEventStream = userSession.Source.Dynamic.Observe(null); allEventStream.Subscribe(onNext: ev => Out.WriteLine("FROM_EVENTSOURCE: {0}/{1} ", ev.ProviderName, ev.EventName)); // It is also useful for debugging purposes to see any events that entered by were not handled by any parser. These can be bugs. IObservable<TraceEvent> unhandledEventStream = userSession.Source.ObserveUnhandled(); unhandledEventStream.Subscribe(onNext: ev => Out.WriteLine("UNHANDLED : {0}/{1} ", ev.ProviderName, ev.EventName)); // Start Generate some events so we have something to see Producer.EventGenerator.CreateEvents(); // Set up a timer to stop processing after monitoringTimeSec IObservable<long> timer = Observable.Timer(new TimeSpan(0, 0, monitoringTimeSec)); timer.Subscribe(delegate { Out.WriteLine("Stopped after {0} sec", monitoringTimeSec); userSession.Dispose(); }); // OK we are all set up, time to listen for events and pass them to the observers. userSession.Source.Process(); } Out.WriteLine("Done with program."); }
internal static void EnsureStopped() { using (var session = new TraceEventSession("EventSourceTestSession", "EventSourceTestData.etl")) session.Stop(); }