Exemplo n.º 1
        /// <summary>
        /// Decodes a process-stop trace event and raises <c>ProcessStopped</c> with the
        /// process id, exit code and exit time read from the payload.
        /// </summary>
        /// <param name="traceEvent">Event whose payload is read at fixed byte offsets.</param>
        /// <remarks>
        /// Only payload versions 0 and 1 are decoded. An event with any other version is
        /// dropped here without a log entry or an error, so a consumer that uses this for
        /// process auditing will not see it. The timestamp comes from
        /// <c>DateTime.FromFileTime</c>, which yields local time; keep that in mind when
        /// correlating with UTC-stamped logs.
        /// </remarks>
        private void ReadProcessStopEvent(TraceEvent traceEvent)
        {
            var version = traceEvent.Version;
            if (version != 0 && version != 1)
            {
                return;
            }

            // Leading fields shared by versions 0 and 1 (offset: name, manifest type):
            //    0: ProcessID  (win:UInt32)
            //    4: CreateTime (win:FILETIME) - not read here
            //   12: ExitTime   (win:FILETIME)
            //   20: ExitCode   (win:UInt32)
            // Both UInt32 fields end up in signed int locals.

            // Take a local copy so the null check and the call use the same delegate.
            EventHandler<ProcessEventArgs> subscribers = this.ProcessStopped;
            if (subscribers == null)
            {
                // No listeners: the payload is not decoded at all.
                return;
            }

            int pid = traceEvent.GetInt32At(0);
            long exitFileTime = traceEvent.GetInt64At(12);
            DateTime exitedAt = DateTime.FromFileTime(exitFileTime);
            int code = traceEvent.GetInt32At(20);

            var args = new ProcessEventArgs
            {
                ExitCode = code,
                Id = pid,
                Timestamp = exitedAt
            };

            subscribers.Invoke(this, args);
        }
Exemplo n.º 2
        /// <summary>
        /// Decodes a version 0 process-start trace event and raises <c>ProcessStarted</c>
        /// with the process id, image name and creation time read from the payload.
        /// </summary>
        /// <param name="traceEvent">Event whose payload is read at fixed byte offsets.</param>
        /// <remarks>
        /// Events whose version is not 0 are ignored without a log entry or an error, so a
        /// consumer that uses this for process auditing will not see them.
        /// ParentProcessID and SessionID are present in the payload but are not surfaced,
        /// so subscribers cannot rebuild parent/child lineage from this event alone. The
        /// timestamp comes from <c>DateTime.FromFileTime</c>, which yields local time.
        /// </remarks>
        private void ReadProcessStartEvent(TraceEvent traceEvent)
        {
            if (traceEvent.Version != 0)
            {
                return;
            }

            // Version 0 payload (offset: name, manifest type):
            //    0: ProcessID       (win:UInt32)
            //    4: CreateTime      (win:FILETIME)
            //   12: ParentProcessID (win:UInt32)  - not read here
            //   16: SessionID       (win:UInt32)  - not read here
            //   20: ImageName       (win:UnicodeString)

            // Take a local copy so the null check and the call use the same delegate.
            EventHandler<ProcessEventArgs> subscribers = this.ProcessStarted;
            if (subscribers == null)
            {
                // No listeners: the payload is not decoded at all.
                return;
            }

            int pid = traceEvent.GetInt32At(0);
            long createFileTime = traceEvent.GetInt64At(4);
            DateTime startedAt = DateTime.FromFileTime(createFileTime);
            string image = traceEvent.GetUnicodeStringAt(20);

            var args = new ProcessEventArgs
            {
                Id = pid,
                ImageName = image,
                Timestamp = startedAt
            };

            subscribers.Invoke(this, args);
        }
Exemplo n.º 3
        /// <summary>
        /// Handles a process-stop trace event: when the payload version is 0 or 1 and
        /// <c>ProcessStopped</c> has subscribers, reads the process id, exit time and exit
        /// code from the payload and raises the event.
        /// </summary>
        /// <param name="traceEvent">Event whose payload is read at fixed byte offsets.</param>
        /// <remarks>
        /// Any other payload version falls through silently (nothing is logged or thrown),
        /// which leaves a gap for consumers that treat these events as an audit trail.
        /// <c>DateTime.FromFileTime</c> returns local time, not UTC.
        /// </remarks>
        private void ReadProcessStopEvent(TraceEvent traceEvent)
        {
            var payloadVersion = traceEvent.Version;
            bool layoutKnown = payloadVersion == 0 || payloadVersion == 1;
            if (!layoutKnown)
            {
                return;
            }

            // Versions 0 and 1 start with the same fields:
            //   ProcessID  win:UInt32   at offset 0
            //   CreateTime win:FILETIME at offset 4  (skipped)
            //   ExitTime   win:FILETIME at offset 12
            //   ExitCode   win:UInt32   at offset 20
            // The UInt32 values are stored in signed int locals.

            // Snapshot the delegate so the null check and the call agree.
            EventHandler<ProcessEventArgs> listeners = this.ProcessStopped;
            if (listeners == null)
            {
                // Payload reads are skipped entirely when nobody subscribed.
                return;
            }

            int stoppedPid = traceEvent.GetInt32At(0);
            DateTime stoppedAt = DateTime.FromFileTime(traceEvent.GetInt64At(12));
            int status = traceEvent.GetInt32At(20);

            listeners.Invoke(
                this,
                new ProcessEventArgs
                {
                    ExitCode = status,
                    Id = stoppedPid,
                    Timestamp = stoppedAt
                });
        }
Exemplo n.º 4
        /// <summary>
        /// Handles a process-start trace event: when the payload version is 0 and
        /// <c>ProcessStarted</c> has subscribers, reads the process id, creation time and
        /// image name from the payload and raises the event.
        /// </summary>
        /// <param name="traceEvent">Event whose payload is read at fixed byte offsets.</param>
        /// <remarks>
        /// Any other payload version is skipped silently (nothing is logged or thrown),
        /// which leaves a gap for consumers that treat these events as an audit trail.
        /// The parent process id and session id in the payload are not passed on to
        /// subscribers. <c>DateTime.FromFileTime</c> returns local time, not UTC.
        /// </remarks>
        private void ReadProcessStartEvent(TraceEvent traceEvent)
        {
            bool layoutKnown = traceEvent.Version == 0;
            if (!layoutKnown)
            {
                return;
            }

            // Version 0 fields:
            //   ProcessID       win:UInt32        at offset 0
            //   CreateTime      win:FILETIME      at offset 4
            //   ParentProcessID win:UInt32        at offset 12 (skipped)
            //   SessionID       win:UInt32        at offset 16 (skipped)
            //   ImageName       win:UnicodeString at offset 20

            // Snapshot the delegate so the null check and the call agree.
            EventHandler<ProcessEventArgs> listeners = this.ProcessStarted;
            if (listeners == null)
            {
                // Payload reads are skipped entirely when nobody subscribed.
                return;
            }

            int startedPid = traceEvent.GetInt32At(0);
            DateTime createdAt = DateTime.FromFileTime(traceEvent.GetInt64At(4));
            string imagePath = traceEvent.GetUnicodeStringAt(20);

            listeners.Invoke(
                this,
                new ProcessEventArgs
                {
                    Id = startedPid,
                    ImageName = imagePath,
                    Timestamp = createdAt
                });
        }