예제 #1
        // Records a newly started process in the tracking table.
        // An entry may already exist for this ID: process IDs are reused by the OS,
        // so a stale entry means the earlier process's stop event was missed. In that
        // case the existing ProcessData object is kept and only the fields set below
        // are refreshed; any ExitCode/ExitTime it already holds is not cleared here.
        private void OnProcessStarted(object sender, ProcessEventArgs e)
        {
            ProcessData entry;
            bool alreadyTracked = this.processes.TryGetValue(e.Id, out entry);

            if (!alreadyTracked)
            {
                entry = new ProcessData();
                this.processes.Add(e.Id, entry);
            }

            entry.Id = e.Id;
            // Only the image file name is kept, not the full path from the trace.
            entry.Name = Path.GetFileName(e.ImageName);
            entry.StartTime = e.Timestamp;
        }
예제 #2
        // Handles a process-start event by creating (or refreshing) the ProcessData
        // entry keyed by process ID.
        // Because IDs are recycled, an existing entry is possible when the previous
        // process's stop event was lost; that entry is reused rather than replaced,
        // so only Id, Name and StartTime are overwritten below.
        private void OnProcessStarted(object sender, ProcessEventArgs e)
        {
            ProcessData tracked;

            if (this.processes.TryGetValue(e.Id, out tracked))
            {
                // Reuse the stale entry for this recycled ID.
            }
            else
            {
                tracked = new ProcessData();
                this.processes.Add(e.Id, tracked);
            }

            tracked.Id = e.Id;
            // Strip the directory part of the image path; only the file name is stored.
            tracked.Name = Path.GetFileName(e.ImageName);
            tracked.StartTime = e.Timestamp;
        }
예제 #3
        // Handles a process-stop event: removes the process from the tracking table,
        // fills in its exit details and raises ProcessStopped with the completed record.
        // A stop event for an unknown ID is ignored; this happens for processes that
        // were already running when tracking began.
        private void OnProcessStopped(object sender, ProcessEventArgs e)
        {
            ProcessData tracked;
            if (!this.processes.TryGetValue(e.Id, out tracked))
            {
                return;
            }

            // Drop the entry first so the ID slot is free for a recycled process ID.
            this.processes.Remove(e.Id);
            tracked.ExitCode = e.ExitCode;
            tracked.ExitTime = e.Timestamp;

            // Copy the delegate to a local so an unsubscribe on another thread
            // between the null check and the invocation cannot cause a null call.
            EventHandler<ProcessDataEventArgs> stopped = this.ProcessStopped;
            if (stopped == null)
            {
                return;
            }

            stopped(this, new ProcessDataEventArgs(tracked));
        }
예제 #4
        // Completes and publishes the record for a process that has exited.
        // Unknown IDs are possible (the process started before tracking began) and
        // are silently skipped. The entry is removed from the table before the
        // ProcessStopped event is raised.
        private void OnProcessStopped(object sender, ProcessEventArgs e)
        {
            ProcessData record;
            bool found = this.processes.TryGetValue(e.Id, out record);

            if (found)
            {
                this.processes.Remove(e.Id);

                record.ExitCode = e.ExitCode;
                record.ExitTime = e.Timestamp;

                // Snapshot the delegate before the null check (thread-safe raise pattern).
                EventHandler<ProcessDataEventArgs> subscribers = this.ProcessStopped;
                if (subscribers != null)
                {
                    ProcessDataEventArgs args = new ProcessDataEventArgs(record);
                    subscribers(this, args);
                }
            }
        }
예제 #5
        // Decodes a process-start ETW event and raises ProcessStarted.
        // Only event version 0 is understood; any other version is ignored without
        // reading its payload. The version-0 payload layout, read in order, is:
        //   ProcessID       win:UInt32 (win:PID)
        //   CreateTime      win:FILETIME
        //   ParentProcessID win:UInt32 (not used)
        //   SessionID       win:UInt32 (not used)
        //   ImageName       win:UnicodeString
        // The payload is only read when a subscriber exists, so the field reads
        // below must stay in this exact order.
        private void ReadProcessStartEvent(ref EtwNativeEvent traceEvent)
        {
            if (traceEvent.Version != 0)
            {
                return;
            }

            EventHandler<ProcessEventArgs> started = this.ProcessStarted;
            if (started == null)
            {
                return;
            }

            int pid = (int)traceEvent.ReadUInt32();
            DateTime startedAt = traceEvent.ReadFileTime();
            traceEvent.ReadUInt32(); // ParentProcessID: skipped
            traceEvent.ReadUInt32(); // SessionID: skipped
            string image = traceEvent.ReadUnicodeString();

            ProcessEventArgs args = new ProcessEventArgs()
            {
                Timestamp = startedAt,
                ImageName = image,
                Id = pid
            };

            started(this, args);
        }
예제 #6
        // Decodes a process-stop ETW event and raises ProcessStopped.
        // Versions 0 and 1 share the same leading fields and are both accepted;
        // other versions are ignored. The fields read, in order, are:
        //   ProcessID   win:UInt32 (win:PID)
        //   CreateTime  win:FILETIME (not used)
        //   ExitTime    win:FILETIME
        //   ExitCode    win:UInt32
        // Reading happens only when a subscriber exists; the read order is fixed
        // by the payload layout. Any trailing version-1 fields are left unread.
        private void ReadProcessStopEvent(ref EtwNativeEvent traceEvent)
        {
            bool supportedVersion = traceEvent.Version == 0 || traceEvent.Version == 1;
            if (!supportedVersion)
            {
                return;
            }

            EventHandler<ProcessEventArgs> stopped = this.ProcessStopped;
            if (stopped == null)
            {
                return;
            }

            int pid = (int)traceEvent.ReadUInt32();
            traceEvent.ReadFileTime(); // CreateTime: skipped
            DateTime exitedAt = traceEvent.ReadFileTime();
            int code = (int)traceEvent.ReadUInt32();

            ProcessEventArgs args = new ProcessEventArgs()
            {
                Id = pid,
                Timestamp = exitedAt,
                ExitCode = code
            };

            stopped(this, args);
        }