private void InitializeSystemHandlers(TraceCollector kernelCollector, bool collectDriverStats)
{
    // System configuration events are recorded unconditionally.
    kernelCollector.AddHandler(new SystemConfigTraceEventHandler(traceOutput));

    if (!collectDriverStats)
    {
        return;
    }

    // ISR/DPC (driver) statistics are opt-in. Unlike the per-process handlers,
    // this one is constructed without a pid, so it presumably reports
    // machine-wide activity rather than activity of the traced process only.
    kernelCollector.AddHandler(new IsrDpcTraceEventHandler(traceOutput));
}
private void InitializeProcessHandlers(TraceCollector kernelCollector, TraceCollector customCollector, int pid, bool traceChildProcesses)
{
    // Registers the per-process handlers for pid: kernel providers (file I/O,
    // ALPC, network, process/thread lifetime) go to the kernel collector and
    // user-mode providers (PowerShell, RPC) to the custom collector. Every
    // handler is handed the shared traceOutput.

    // Child-process callback: when requested, each child reported by the
    // process/thread handler is wired up with this same handler set. The
    // recursive call always passes true, so descendants at any depth are covered.
    void OnChildProcess(int processId) =>
        InitializeProcessHandlers(kernelCollector, customCollector, processId, true);

    kernelCollector.AddHandler(new FileIOTraceEventHandler(pid, traceOutput));
    kernelCollector.AddHandler(new AlpcTraceEventHandler(pid, traceOutput));
    kernelCollector.AddHandler(new NetworkTraceEventHandler(pid, traceOutput));
    kernelCollector.AddHandler(new ProcessThreadsTraceEventHandler(
        pid,
        traceOutput,
        traceChildProcesses ? OnChildProcess : emptyAction));

    // DISABLED ON PURPOSE: registry events are not collected for the traced
    // process, so registry reads/writes are a known blind spot in the output.
    // kernelCollector.AddHandler(new RegistryTraceEventHandler(pid, traceOutput)); // TODO: strange and sometimes missing key names

    customCollector.AddHandler(new EventHandlers.PowerShell.PowerShellTraceEventHandler(pid, traceOutput));
    customCollector.AddHandler(new EventHandlers.Rpc.RpcTraceEventHandler(pid, traceOutput));
}