private void RegisterEvents()
{
m_parser.MethodDCStartInit += e =>
{
// Nothing, currently. AppDomain enumerate technically starts now.
};
m_parser.MethodDCStartComplete += e =>
{
if (e.ProcessID != m_processId)
{
return;
}
m_session?.Stop();
m_cts.Cancel();
};
m_parser.LoaderAppDomainDCStart += e =>
{
if (e.ProcessID != m_processId)
{
return;
}
AppDomains.Add(new AppDomainInfo()
{
Id = e.AppDomainID,
Name = e.AppDomainName,
Index = e.AppDomainIndex
});
};
}
public void Pause() // deconstructor (really a pauser) of a Monitor class instance
{
running = false;
lock (sessionLock)
{
// stops TraceEvent session so events aren't being tracked
session.Stop();
}
// sends an HTTP request with the data stored before pausing monitor
// creates object that will store all event instances
Metric_List list = new Metric_List();
lock (lockObject)
{
list.session = instance;
list.cpu = CPUVals;
list.mem = MemVals;
list.exceptions = ExceptionVals;
list.requests = RequestVals;
list.contentions = ContentionVals;
list.gc = GCVals;
list.jit = JitVals;
// creates new pointers for metric value collections
CPUVals = new List <CPU_Usage>();
MemVals = new List <Mem_Usage>();
ExceptionVals = new List <Exceptions>();
RequestVals = new List <Http_Request>();
ContentionVals = new List <Contention>();
GCVals = new List <GC>();
JitVals = new List <Jit>();
}
String output;
try
{
output = JsonConvert.SerializeObject(list);
// escapes string so that JSON object is interpreted as a single string
output = JsonConvert.ToString(output);
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Post, "api/v1/General");
request.Content = new StringContent(output, System.Text.Encoding.UTF8, "application/json");
// sends POST request to server, containing JSON representation of events
try
{
HttpResponseMessage response = client.SendAsync(request).Result;
}
catch { }
}
catch { }
}
private void WatchDog(object o)
{
while (true)
{
Thread.Sleep(TimeSpan.FromSeconds(1));
if (session.IsActive && DateTime.UtcNow.Subtract(
lastTimeEventWasReceivedUtc) > rundownTimeout)
{
// rundown should be finished by now
session.Stop();
break;
}
}
}
internal void Stop()
{
TraceEventSession.Stop();
Console.CancelKeyPress -= OnConsoleCancelKeyPress;
AppDomain.CurrentDomain.ProcessExit -= OnProcessExit;
}
private static void BuildEtwProcesses(IEnumerable <ProcessInfo> processesToRun, int degreeOfParallelism)
{
using (TraceEventSession traceEventSession = new TraceEventSession("ReadyToRunTestSession"))
{
traceEventSession.EnableProvider(ClrTraceEventParser.ProviderGuid, TraceEventLevel.Verbose, (ulong)(ClrTraceEventParser.Keywords.Jit | ClrTraceEventParser.Keywords.Loader));
using (ReadyToRunJittedMethods jittedMethods = new ReadyToRunJittedMethods(traceEventSession, processesToRun))
{
Task.Run(() =>
{
BuildProjects(processesToRun, jittedMethods, degreeOfParallelism);
traceEventSession.Stop();
});
}
traceEventSession.Source.Process();
}
// Append jitted method info to the logs
foreach (ProcessInfo processInfo in processesToRun)
{
if (processInfo.CollectJittedMethods)
{
using (StreamWriter logWriter = new StreamWriter(processInfo.LogPath, append: true))
{
logWriter.WriteLine($"Jitted methods ({processInfo.JittedMethods.Sum(moduleMethodsKvp => moduleMethodsKvp.Value.Count)} total):");
foreach (KeyValuePair <string, HashSet <string> > jittedMethodsPerModule in processInfo.JittedMethods)
{
foreach (string method in jittedMethodsPerModule.Value)
{
logWriter.WriteLine(jittedMethodsPerModule.Key + " -> " + method);
}
}
}
}
}
}
public static void StartTrace()
{
Console.WriteLine("******************** ETW Keylogger ********************");
if (TraceEventSession.IsElevated() != true)
{
Console.WriteLine("Must be Admin to run this utility.");
Debugger.Break();
return;
}
Console.WriteLine("Press Ctrl-C to stop monitoring.");
using (var userSession = new TraceEventSession("ObserveEventSource"))
{
userSession.StopOnDispose = true;
// Set up Ctrl-C to stop trace sessions
SetupCtrlCHandler(() =>
{
userSession?.Stop();
});
using (var source = new ETWTraceEventSource("ObserveEventSource", TraceEventSourceType.Session))
{
var usb2EventParser = new DynamicTraceEventParser(source);
usb2EventParser.All += delegate(TraceEvent data)
{
byte[] usbPayload = null;
if (data.EventData().Length >= 243)
{
usbPayload = data.EventData().Skip(115).ToArray();
var message = new USBMessage(usbPayload);
if (message.Header.Length >= 128 && message.BulkOrInterrupt.Payload != null)
{
if (ValidatePayload(message.BulkOrInterrupt.Payload))
{
try
{
KeyboardKeymap key = (KeyboardKeymap)message.BulkOrInterrupt.Payload[(byte)PayloadKeys.KeyCode];
KeyboardModifier modifier = (KeyboardModifier)message.BulkOrInterrupt.Payload[(byte)PayloadKeys.Modifier];
Console.WriteLine($"Key modifier: {modifier} - Key pressed: {key} ");
Console.WriteLine(BitConverter.ToString(message.BulkOrInterrupt.Payload));
}
catch (Exception)
{
Console.WriteLine("Can't decode keypress");
}
}
}
}
};
userSession.EnableProvider(USB2_PROVIDERNAME);
userSession.EnableProvider(USB3_PROVIDERNAME);
source.Process();
}
}
}
/// <summary>
/// Captures desired events and publish them in an async internal queue.
/// <para>The trace session runs in another thread.</para>
/// </summary>
public void StartWatching(CancellationToken cancellation)
{
try
{
Task.Run(() =>
{
Debug.Assert(!string.IsNullOrEmpty(SessionName));
using (var session = new TraceEventSession(SessionName))
{
Capture(session);
cancellation.Register(() => session.Stop(true));
session.Source.Process(); // Listen (forever) for events
}
}, cancellation);
}
catch (TaskCanceledException)
{
//do nothing, just exit.
}
catch (Exception)
{
//TODO: log
throw;
}
}
internal void Stop()
{
TraceEventSession.Stop();
Console.CancelKeyPress -= OnConsoleCancelKeyPress;
NativeWindowsConsoleHelper.OnExit -= OnConsoleCancelKeyPress;
}
public void StopWatching()
{
if (session?.IsActive ?? false)
{
session?.Stop();
}
}
/// <summary>
/// Stops the current ETW session.
/// </summary>
public void Stop()
{
if (this.eventSource != null)
{
this.eventSource.StopProcessing();
this.eventSource.Dispose();
this.eventSource = null;
}
if (this.eventSession != null)
{
this.eventSession.Stop(true);
this.eventSession.Dispose();
this.eventSession = null;
}
if (TraceEventSession.GetActiveSessionNames().Contains(this.name, StringComparer.OrdinalIgnoreCase))
{
using (TraceEventSession session = new TraceEventSession(this.name))
{
session.Stop(true);
}
}
this.isStarted = false;
}
public static void StartCapture(string newSessionName = null)
{
if (newSessionName != null)
{
sessionName = newSessionName;
}
using (var session = new TraceEventSession(sessionName))
{
if (TraceEventSession.IsElevated() != true)
{
Console.Out.WriteLine("[!] run as admin");
return;
}
SetupCtrlCHandler(() => { if (session != null)
{
session.Stop();
}
});
session.Source.Dynamic.All += EventCallback;
session.EnableProvider(UsbUcx);
session.EnableProvider(UsbPort);
Console.WriteLine("starting capture ...");
session.Source.Process();
}
}
private static void RunTest(TraceEventSession session, string testArguments, out int exitCode)
{
exitCode = -100;
try
{
using (var process = new Process())
{
process.StartInfo.FileName = _coreRunExePath;
process.StartInfo.Arguments = _testExe + " " + testArguments;
process.StartInfo.UseShellExecute = false;
process.Start();
process.OutputDataReceived += delegate(object sender, DataReceivedEventArgs args)
{
Console.WriteLine(args.Data);
};
process.ErrorDataReceived += delegate(object sender, DataReceivedEventArgs args)
{
Console.WriteLine(args.Data);
};
if (process.WaitForExit(DefaultTestTimeOut))
{
exitCode = process.ExitCode;
}
else
{
// Do our best to kill it if there's a timeout, but if it fails, not much we can do
try
{
process.Kill();
}
catch
{
}
Console.WriteLine("Test execution timed out.");
exitCode = StatusTestErrorTimeOut;
}
Console.WriteLine($"Test exited with code {process.ExitCode}");
if (session != null && session.EventsLost > 0)
{
exitCode = StatusTestErrorEventsLost;
Console.WriteLine($"Error - {session.EventsLost} got lost in the nether.");
return;
}
}
}
finally
{
// Stop ETL collection on the main thread
session?.Stop();
}
}
private static BuildTrace TraceChildren(int rootPid)
{
Dictionary <int, string> subprocessCommandLines = new Dictionary <int, string>();
subprocessCommandLines.Add(rootPid, "root");
var fileWrites = new Dictionary <int, (HashSet <string> set, List <string> list)>();
var fileReads = new Dictionary <int, (HashSet <string> set, List <string> list)>();
fileWrites.Add(rootPid, (new HashSet <string>(), new List <string>()));
fileReads.Add(rootPid, (new HashSet <string>(), new List <string>()));
var argsFiles = new Dictionary <string, FileStream>();
var lastCreateFileType = new Dictionary <(int pid, string path), CreateFileType>();
using var session = new TraceEventSession("BuildTracer");
Console.CancelKeyPress += (sender, eventArgs) => session.Stop();
Task _ = Task.Run(async() =>
{
await Task.Delay(5000);
session.Stop();
});
session.EnableKernelProvider(KernelTraceEventParser.Keywords.Process | KernelTraceEventParser.Keywords.FileIOInit | KernelTraceEventParser.Keywords.FileIO | KernelTraceEventParser.Keywords.DiskFileIO | KernelTraceEventParser.Keywords.VAMap);
session.Source.Kernel.ProcessStart += processData =>
{
if (subprocessCommandLines.ContainsKey(processData.ParentID))
{
subprocessCommandLines.Add(processData.ProcessID, processData.CommandLine);
fileReads.Add(processData.ProcessID, (new HashSet <string>(), new List <string>()));
fileWrites.Add(processData.ProcessID, (new HashSet <string>(), new List <string>()));
Console.WriteLine($"Start: PID {processData.ProcessID}, Process {processData.ProcessName}, Parent: {processData.ParentID}, Command line: {processData.CommandLine}");
}
};
session.Source.Kernel.ProcessStop += processData =>
{
if (subprocessCommandLines.ContainsKey(processData.ParentID))
{
// subprocessCommandLines.Remove(processData.ProcessID);
Console.WriteLine($"Stop: - PID {processData.ProcessID}, Process {processData.ProcessName}");
}
};
private void TraceDotnetFullProcess(int processId)
{
using var etwSession = new TraceEventSession(WinTraceUserTraceSessionName);
// ReSharper disable once AccessToDisposedClosure
using var reg = cts.Token.Register(() => etwSession.Stop());
new SystemDiagnosticsTraceEventHandler(processId, traceOutput).Subscribe(etwSession);
etwSession.Source.Process();
}
public void Stop()
{
if (etwSesion != null)
{
etwSesion.Stop();
}
runner = null;
etwSesion = null;
}
/// <summary>
/// Stops event tracing session
/// </summary>
public static void StopCapture()
{
if (session != null)
{
session.Stop();
session.Dispose();
session = null;
}
}
/// <summary>
/// Stop monitoring STUN pings.
/// </summary>
public static void Stop()
{
if (!Running)
{
return;
}
Running = false;
kernelSession.Stop();
}
public bool StopTrace()
{
mEtwSession.Dispose();
mEtwSession.Stop();
mEtwSession = null;
Output.Print("Finished tracing to " + mConfig.EtlOutputFile);
return(true);
}
/// <summary>
/// Turning on providers and creating files
/// </summary>
private static void DataCollection(string dataFileName)
{
Out.WriteLine("Collecting 10 seconds of kernel and CLR events to a file, and then printing.");
Out.WriteLine();
Out.WriteLine("Start a .NET program while monitoring to see some events!");
Out.WriteLine();
if (TraceEventSession.IsElevated() != true)
{
Out.WriteLine("Must be elevated (Admin) to run this program.");
Debugger.Break();
return;
}
string kernelDataFileName = Path.ChangeExtension(dataFileName, ".kernel.etl");
// Create one user mode session and one kernel mode session
Out.WriteLine("Creating two raw files, one with kernel events and one with clr events.");
using (var userSession = new TraceEventSession("MonitorKernelAndClrEventsSession", dataFileName))
using (var kernelSession = new TraceEventSession(KernelTraceEventParser.KernelSessionName, kernelDataFileName))
{
// Set up Ctrl-C to stop both user mode and kernel mode sessions
Console.CancelKeyPress += delegate(object sender, ConsoleCancelEventArgs cancelArgs)
{
Out.WriteLine("Insuring all ETW sessions are stopped.");
kernelSession.Stop(true); // true means don't throw on error
userSession.Stop(true); // true means don't throw on error
// Since we don't cancel the Ctrl-C we will terminate the process as normal for Ctrl-C
Out.WriteLine("OnCtrl C handler ending.");
};
// Enable the events we care about for the kernel in the kernel session
// For this instant the session will buffer any incoming events.
kernelSession.EnableKernelProvider(
KernelTraceEventParser.Keywords.ImageLoad |
KernelTraceEventParser.Keywords.Process |
KernelTraceEventParser.Keywords.Thread);
// Enable the events we care about for the CLR (in the user session).
// unlike the kernel session, you can call EnableProvider on other things too.
// For this instant the session will buffer any incoming events.
userSession.EnableProvider(
ClrTraceEventParser.ProviderGuid,
TraceEventLevel.Informational,
(ulong)(ClrTraceEventParser.Keywords.Default));
Out.WriteLine("Collecting data for 10 seconds (run a .Net program to generate events).");
Thread.Sleep(10000);
Out.WriteLine("Stopping sessions");
}// Using clauses will insure that session are disposed (and thus stopped) before Main returns.
Out.WriteLine("Merging the raw files into a single '{0}' file.", dataFileName);
TraceEventSession.MergeInPlace(dataFileName, Out);
Out.WriteLine("Merge complete.");
}
/// <summary>
/// Turning on providers and creating files
/// </summary>
static void DataCollection(string dataFileName)
{
Out.WriteLine("Collecting 10 seconds of kernel and CLR events to a file, and then printing.");
Out.WriteLine();
Out.WriteLine("Start a .NET program while monitoring to see some events!");
Out.WriteLine();
if (TraceEventSession.IsElevated() != true)
{
Out.WriteLine("Must be elevated (Admin) to run this program.");
Debugger.Break();
return;
}
string kernelDataFileName = Path.ChangeExtension(dataFileName, ".kernel.etl");
// Create one user mode session and one kernel mode session
Out.WriteLine("Creating two raw files, one with kernel events and one with clr events.");
using (var userSession = new TraceEventSession("MonitorKernelAndClrEventsSession", dataFileName))
using (var kernelSession = new TraceEventSession(KernelTraceEventParser.KernelSessionName, kernelDataFileName))
{
// Set up Ctrl-C to stop both user mode and kernel mode sessions
Console.CancelKeyPress += delegate(object sender, ConsoleCancelEventArgs cancelArgs)
{
Out.WriteLine("Insuring all ETW sessions are stopped.");
kernelSession.Stop(true); // true means don't throw on error
userSession.Stop(true); // true means don't throw on error
// Since we don't cancel the Ctrl-C we will terminate the process as normal for Ctrl-C
Out.WriteLine("OnCtrl C handler ending.");
};
// Enable the events we care about for the kernel in the kernel session
// For this instant the session will buffer any incoming events.
kernelSession.EnableKernelProvider(
KernelTraceEventParser.Keywords.ImageLoad |
KernelTraceEventParser.Keywords.Process |
KernelTraceEventParser.Keywords.Thread);
// Enable the events we care about for the CLR (in the user session).
// unlike the kernel session, you can call EnableProvider on other things too.
// For this instant the session will buffer any incoming events.
userSession.EnableProvider(
ClrTraceEventParser.ProviderGuid,
TraceEventLevel.Informational,
(ulong)(ClrTraceEventParser.Keywords.Default));
Out.WriteLine("Collecting data for 10 seconds (run a .Net program to generate events).");
Thread.Sleep(10000);
Out.WriteLine("Stopping sessions");
} // Using clauses will insure that session are disposed (and thus stopped) before Main returns.
Out.WriteLine("Merging the raw files into a single '{0}' file.", dataFileName);
TraceEventSession.MergeInPlace(dataFileName, Out);
Out.WriteLine("Merge complete.");
}
static void TraceRealTime(int traceDuration)
{
TraceEventSession session = new TraceEventSession("ILoggerSession");
Task ParserTask = Task.Run(() => {
session.Source.Dynamic.All += ParserDelegate;
session.EnableProvider("Microsoft-Extensions-Logging", TraceEventLevel.Verbose, ulong.MaxValue, new TraceEventProviderOptions(new String[] { "FilterSpecs", "App*:Information;*" }));
session.Source.Process();
});
Thread.Sleep(traceDuration * 1000);
session.Stop();
}
static void Main()
{
// create a real time user mode session
using (var session = new TraceEventSession("MySession"))
{
// use UWP logging channel provider
session.EnableProvider(new Guid("01234567-01234-01234-01234-012345678901")); // use the same guid as for your LoggingChannel
session.Source.AllEvents += Source_AllEvents;
// Set up Ctrl-C to stop the session
Console.CancelKeyPress += (object s, ConsoleCancelEventArgs a) => session.Stop();
session.Source.Process(); // Listen (forever) for events
}
}
private bool disposedValue = false; // To detect redundant calls
protected virtual void Dispose(bool disposing)
{
if (!disposedValue)
{
if (disposing)
{
_traceEventSession?.Stop();
_isStarted = false;
}
disposedValue = true;
}
}
public void Process()
{
while (true)
{
var processing = Task.Run(ProcessData);
if (processing.Wait(RestartTime) == false)
{
FileLogger.Logger.Log("Restarting ETW Monitoring to prevent memory leaks");
myRealtimeSession?.Stop();
myTraceLogSource.Dispose();
processing.Wait();
FileLogger.Logger.Log("Current ETW Monitoring was successfully stopped.");
}
}
}
/// <summary>
/// Disable the CLR provider and stop listening to the provider for the two kinds of events.
/// </summary>
public void DisableILStubSession()
{
// stop ETW trace session
if (!m_isEnabled)
{
return;
}
// ILStub Session may not be stopped, if it is alreadly started before the application starts.
m_ILStubSession.Stop();
// We need to abort the IL Stub Process Trace thread no matter whether ILStub session is stopped.
ExitILStubTraceProcess();
m_isEnabled = false;
}
public void Stop()
{
if (traceSession.IsActive)
{
var eventsLost = traceSession.EventsLost;
Trace.WriteLine($"### Stopping {traceSession.SessionName} session...");
traceSession.Stop();
// This timeout is needed to handle all the DCStop events
// (in case we ever are going to do anything about them)
Thread.Sleep(1500);
Trace.WriteLine($"### {traceSession.SessionName} session stopped. Number of lost events: {eventsLost:#,0}");
}
}
public void RichPayloadEventSourceEtwPayloadSerializationTest()
{
if (IsRunningOnEnvironmentSupportingRichPayloadEventSource())
{
var request = new RequestTelemetry()
{
Name = "TestRequest",
Url = new Uri("https://www.example.com/api/test&id=1234"),
ResponseCode = "200",
Success = true,
Duration = TimeSpan.FromTicks(314159)
};
request.Context.InstrumentationKey = Guid.NewGuid().ToString();
request.Context.Operation.Name = "TestOperation";
request.Context.Operation.Id = "ABC123";
using (var eventSource = new RichPayloadEventSource($"Microsoft-ApplicationInsights-{nameof(RichPayloadEventSourceEtwPayloadSerializationTest)}"))
using (var session = new TraceEventSession($"{nameof(RichPayloadEventSourceEtwPayloadSerializationTest)}"))
{
session.EnableProvider(eventSource.EventSourceInternal.Guid);
session.Source.AllEvents += traceEvent =>
{
var payload = traceEvent.EventData();
var parsedPayload = PayloadParser.ParsePayload(payload);
Assert.AreEqual(request.Context.InstrumentationKey, parsedPayload.InstrumentationKey);
Assert.AreEqual(request.Context.Operation.Name, parsedPayload.OperationName);
Assert.AreEqual(request.Context.Operation.Id, parsedPayload.OperationId);
Assert.AreEqual(request.Data.ver, parsedPayload.Version);
Assert.AreEqual(request.Data.id, parsedPayload.RequestId);
Assert.AreEqual(request.Data.source, parsedPayload.Source);
Assert.AreEqual(request.Data.name, parsedPayload.Name);
Assert.AreEqual(request.Data.duration, parsedPayload.Duration);
};
Task.Run(() =>
{
eventSource.Process(request);
session.Stop();
});
session.Source.Process();
}
}
}
private static void BuildEtwProcesses(int startIndex, int endIndex, int totalCount, List <ProcessInfo> processList, int degreeOfParallelism)
{
using (TraceEventSession traceEventSession = new TraceEventSession("ReadyToRunTestSession"))
{
traceEventSession.EnableProvider(ClrTraceEventParser.ProviderGuid, TraceEventLevel.Verbose, (ulong)(ClrTraceEventParser.Keywords.Jit | ClrTraceEventParser.Keywords.Loader));
using (ReadyToRunJittedMethods jittedMethods = new ReadyToRunJittedMethods(traceEventSession, processList, startIndex, endIndex))
{
Task.Run(() =>
{
BuildProjects(startIndex, endIndex, totalCount, processList, jittedMethods, degreeOfParallelism);
traceEventSession.Stop();
});
}
traceEventSession.Source.Process();
}
// Append jitted method info to the logs
for (int index = startIndex; index < endIndex; index++)
{
ProcessInfo processInfo = processList[index];
if (processInfo.Parameters.CollectJittedMethods)
{
using (StreamWriter processLogWriter = new StreamWriter(processInfo.Parameters.LogPath, append: true))
{
if (processInfo.JittedMethods != null)
{
processLogWriter.WriteLine($"Jitted methods ({processInfo.JittedMethods.Sum(moduleMethodsKvp => moduleMethodsKvp.Value.Count)} total):");
foreach (KeyValuePair <string, HashSet <string> > jittedMethodsPerModule in processInfo.JittedMethods)
{
foreach (string method in jittedMethodsPerModule.Value)
{
processLogWriter.WriteLine(jittedMethodsPerModule.Key + " -> " + method);
}
}
}
else
{
processLogWriter.WriteLine("Jitted method info not available");
}
}
}
}
}
static void ProcStart(string procKeyword)
{
Console.WriteLine("Waiting for a process containing \"{0}\" to start...", procKeyword);
using (var session = new TraceEventSession("KernelSession")) //Change this for OPSEC
{
session.EnableKernelProvider(KernelTraceEventParser.Keywords.Process);
session.Source.Kernel.ProcessStart += delegate(ProcessTraceData data) {
if (data.ProcessName.Contains(procKeyword))
{
Console.WriteLine($"Detected execution of {data.ProcessName} matching keyword \"{procKeyword}\"");
DoEvil();
}
};
session.Source.Process();
Console.CancelKeyPress += (object s, ConsoleCancelEventArgs args) => session.Stop();
session.Dispose();
}
}
private static void ReadEvents()
{
using (TraceEventSession session = new TraceEventSession("MySession"))
{
session.StopOnDispose = true;
session.EnableProvider(MyEtwProvider);
session.EnableProvider(
ClrTraceEventParser.ProviderGuid,
TraceEventLevel.Verbose,
(ulong)(ClrTraceEventParser.Keywords.GC | ClrTraceEventParser.Keywords.Exception));
session.Source.Clr.GCHeapStats += (GCHeapStatsTraceData data) =>
Console.WriteLine("GCHeapStats {0}", data.GenerationSize0.ToString("N1"));
session.Source.Clr.ExceptionStart += Print;
session.Source.Dynamic.All += Print;
Task.Run(() => { session.Source.Process(); });
Source.Token.WaitHandle.WaitOne();
session.Stop(true);
}
}
private static void BuildEtwProcesses(int startIndex, int endIndex, int totalCount, int failureCount, List <ProcessInfo> processList, int degreeOfParallelism, bool measurePerf)
{
using (TraceEventSession traceEventSession = new TraceEventSession("ReadyToRunTestSession"))
{
traceEventSession.EnableProvider(ClrTraceEventParser.ProviderGuid, TraceEventLevel.Verbose, (ulong)(ClrTraceEventParser.Keywords.Jit | ClrTraceEventParser.Keywords.Loader));
int warmupRuns = 0;
int realRuns = 1;
PerfEventSourceListener perfMeasurer = null;
if (measurePerf)
{
Debug.Assert(processList.Count == 1);
warmupRuns = 1;
realRuns = 5;
perfMeasurer = new PerfEventSourceListener(traceEventSession, warmupRuns, realRuns);
}
using (ReadyToRunJittedMethods jittedMethods = new ReadyToRunJittedMethods(traceEventSession, processList, startIndex, endIndex))
{
Task.Run(() =>
{
// Warmup runs
if (measurePerf)
{
Console.WriteLine("Warmup runs:");
for (int run = 0; run < warmupRuns; ++run)
{
BuildProjects(startIndex, endIndex, totalCount, failureCount, processList, jittedMethods, degreeOfParallelism);
}
// Wait for all the warmup events to come in before starting the real run so there is no interference
perfMeasurer.WaitForWarmupFinished();
Console.WriteLine("Real runs:");
}
for (int run = 0; run < realRuns; ++run)
{
BuildProjects(startIndex, endIndex, totalCount, failureCount, processList, jittedMethods, degreeOfParallelism);
}
if (measurePerf)
{
perfMeasurer.PrintPerfResults();
}
traceEventSession.Stop();
});
}
traceEventSession.Source.Process();
}
// Append jitted method info to the logs
for (int index = startIndex; index < endIndex; index++)
{
ProcessInfo processInfo = processList[index];
if (processInfo.Parameters.CollectJittedMethods)
{
using (StreamWriter processLogWriter = new StreamWriter(processInfo.Parameters.LogPath, append: true))
{
if (processInfo.JittedMethods != null)
{
processLogWriter.WriteLine($"Jitted methods ({processInfo.JittedMethods.Sum(moduleMethodsKvp => moduleMethodsKvp.Value.Count)} total):");
foreach (KeyValuePair <string, HashSet <string> > jittedMethodsPerModule in processInfo.JittedMethods)
{
foreach (string method in jittedMethodsPerModule.Value)
{
processLogWriter.WriteLine(jittedMethodsPerModule.Key + " -> " + method);
}
}
}
else
{
processLogWriter.WriteLine("Jitted method info not available");
}
}
}
}
}
public static void Run()
{
Out.WriteLine("******************** ObserveGCEvents DEMO ********************");
Out.WriteLine("This program Demos using the reactive framework (IObservable) to monitor");
Out.WriteLine(".NET Garbage collector (GC) events.");
Out.WriteLine();
Out.WriteLine("The program will print a line every time 100K of memory was allocated");
Out.WriteLine("on the GC heap along with the type of the object that 'tripped' the 100K");
Out.WriteLine("sample. It will also print a line every time a GC happened and show ");
Out.WriteLine("the sizes of each generation after the GC.");
Out.WriteLine();
Out.WriteLine("Run a .NET Program while the monitoring is active to see GC events.");
Out.WriteLine();
if (TraceEventSession.IsElevated() != true)
{
Out.WriteLine("Must be elevated (Admin) to run this method.");
Debugger.Break();
return;
}
var monitoringTimeSec = 10;
Out.WriteLine("The monitor will run for a maximum of {0} seconds", monitoringTimeSec);
Out.WriteLine("Press Ctrl-C to stop monitoring of GC Allocs");
// create a real time user mode session
using (var userSession = new TraceEventSession("ObserveGCAllocs"))
{
// Set up Ctrl-C to stop the session
SetupCtrlCHandler(() => { userSession.Stop(); });
// enable the CLR provider with default keywords (minus the rundown CLR events)
userSession.EnableProvider(ClrTraceEventParser.ProviderGuid, TraceEventLevel.Verbose,
(ulong)(ClrTraceEventParser.Keywords.GC));
// Create a stream of GC Allocation events (happens every time 100K of allocations happen)
IObservable<GCAllocationTickTraceData> gcAllocStream = userSession.Source.Clr.Observe<GCAllocationTickTraceData>();
// Print the outgoing stream to the console
gcAllocStream.Subscribe(allocData =>
Out.WriteLine("GC Alloc : Proc: {0,10} Amount: {1,6:f1}K TypeSample: {2}", GetProcessName(allocData.ProcessID), allocData.AllocationAmount / 1000.0, allocData.TypeName));
// Create a stream of GC Collection events
IObservable<GCHeapStatsTraceData> gcCollectStream = userSession.Source.Clr.Observe<GCHeapStatsTraceData>();
// Print the outgoing stream to the console
gcCollectStream.Subscribe(collectData =>
Out.WriteLine("GC Collect: Proc: {0,10} Gen0: {1,6:f1}M Gen1: {2,6:f1}M Gen2: {3,6:f1}M LargeObj: {4,6:f1}M",
GetProcessName(collectData.ProcessID),
collectData.GenerationSize0 / 1000000.0,
collectData.GenerationSize1 / 1000000.0,
collectData.GenerationSize2 / 1000000.0,
collectData.GenerationSize3 / 1000000.0));
IObservable<long> timer = Observable.Timer(new TimeSpan(0, 0, monitoringTimeSec));
timer.Subscribe(delegate
{
Out.WriteLine("Stopped after {0} sec", monitoringTimeSec);
userSession.Dispose();
});
// OK we are all set up, time to listen for events and pass them to the observers.
userSession.Source.Process();
}
Out.WriteLine("Done with program.");
}
public static void CloseDuplicateTraceSession(string sessionName)
{
InternalLogger.Write.ConflictingTraceSessionFound(sessionName);
TraceEventSession s = null;
try
{
// we can't control this session so we need to stop it
s = new TraceEventSession(sessionName); // might throw if it's in the midst of being shut down
s.Stop();
}
catch (FileNotFoundException)
{
// well, okay, then it's probably gone now.
}
finally
{
if (s != null)
{
s.Dispose();
}
}
// Now we enter a brief waiting period to make sure it dies. We must do this because ControlTrace()
// (the underlying win32 API) is asynchronous and our request to terminate the session may take
// a small amount of time to complete.
if (!WaitForSessionChange(sessionName, false))
{
InternalLogger.Write.ConflictingTraceSessionStuck(sessionName);
throw new OperationCanceledException("could not tear down existing trace session");
}
}
public static void Run()
{
Out.WriteLine("******************** ObserveEventSource DEMO ********************");
Out.WriteLine("This program Demos using the reactive framework (IObservable) to monitor");
Out.WriteLine("EventSource events in real time, parsing their payloads dynamically.");
Out.WriteLine();
Out.WriteLine("The program has an EventSource that generates two kinds of events for 10 secs.");
Out.WriteLine("while another part of the program reads them using IObservables and prints");
Out.WriteLine("their parsed payload values. ");
Out.WriteLine();
if (TraceEventSession.IsElevated() != true)
{
Out.WriteLine("Must be elevated (Admin) to run this method.");
Debugger.Break();
return;
}
var monitoringTimeSec = 15;
Out.WriteLine("The monitor will run for a maximum of {0} seconds", monitoringTimeSec);
Out.WriteLine("Press Ctrl-C to stop monitoring.");
// create a real time user mode session
using (var userSession = new TraceEventSession("ObserveEventSource"))
{
// Set up Ctrl-C to stop both user mode and kernel mode sessions
SetupCtrlCHandler(() => { if (userSession != null) userSession.Stop(); });
// Turn on the Microsoft-Demos-SimpleMonitor provider
userSession.EnableProvider("Microsoft-Demos-SimpleMonitor");
// Create a stream of the 'MyFirstEvent' event source events and print their payloads
IObservable<TraceEvent> firstEventStream = userSession.Source.Dynamic.Observe("Microsoft-Demos-SimpleMonitor", "MyFirstEvent");
firstEventStream.Subscribe(onNext: ev => Out.WriteLine("FIRST_EVENTS : MyName: '{0}' MyId: {1}", ev.PayloadByName("MyName"), ev.PayloadByName("MyId")));
// Create a stream of the 'MySecond'Event' event source events and print their payloads
IObservable<TraceEvent> secondEventStream = userSession.Source.Dynamic.Observe("Microsoft-Demos-SimpleMonitor", "MySecondEvent");
secondEventStream.Subscribe(onNext: ev => Out.WriteLine("SECOND_EVENTS : MyId: {0}", ev.PayloadByName("MyId")));
// For debugging purposes, print every event from the SimpleMonitor stream
IObservable<TraceEvent> allEventStream = userSession.Source.Dynamic.Observe(null);
allEventStream.Subscribe(onNext: ev => Out.WriteLine("FROM_EVENTSOURCE: {0}/{1} ", ev.ProviderName, ev.EventName));
// It is also useful for debugging purposes to see any events that entered by were not handled by any parser. These can be bugs.
IObservable<TraceEvent> unhandledEventStream = userSession.Source.ObserveUnhandled();
unhandledEventStream.Subscribe(onNext: ev => Out.WriteLine("UNHANDLED : {0}/{1} ", ev.ProviderName, ev.EventName));
// Start Generate some events so we have something to see
Producer.EventGenerator.CreateEvents();
// Set up a timer to stop processing after monitoringTimeSec
IObservable<long> timer = Observable.Timer(new TimeSpan(0, 0, monitoringTimeSec));
timer.Subscribe(delegate
{
Out.WriteLine("Stopped after {0} sec", monitoringTimeSec);
userSession.Dispose();
});
// OK we are all set up, time to listen for events and pass them to the observers.
userSession.Source.Process();
}
Out.WriteLine("Done with program.");
}
internal static void EnsureStopped()
{
using (var session = new TraceEventSession("EventSourceTestSession", "EventSourceTestData.etl"))
session.Stop();
}