/// <summary>
/// Entry point: subscribes to the Microsoft-Windows-PowerShell ETW provider and
/// forwards each event that passes the filter (event 7937 whose "Payload"
/// contains "Started") to <see cref="OnEvent"/>.
/// Blocks inside <c>trace.Start()</c> until the process is interrupted (Ctrl-C).
/// </summary>
/// <param name="args">Command-line arguments; unused.</param>
static void Main(string[] args)
{
    // Event 7937 is the detailed method-execution event this sample consumes.
    // To explore the other events in this provider, load a trace into
    // Microsoft Message Analyzer:
    // https://www.microsoft.com/en-us/download/details.aspx?id=44226
    const string providerName = "Microsoft-Windows-PowerShell";
    const int methodInvocationEventId = 7937;

    // NOTE: the sibling test for UnicodeString.Contains shows the match is
    // case-sensitive, so "started" in a payload would not pass this filter.
    var filter = new EventFilter(
        Filter.EventIdIs(methodInvocationEventId)
              .And(UnicodeString.Contains("Payload", "Started")));
    filter.OnEvent += OnEvent;

    // The "Any"/"All" keyword flags are provider-specific; 0x20 was determined
    // with Microsoft Message Analyzer.
    var provider = new Provider(providerName) { Any = 0x20 };
    provider.AddFilter(filter);

    var trace = new UserTrace();
    trace.Enable(provider);

    // Blocking call; Ctrl-C stops it.
    trace.Start();
}
/// <summary>
/// <c>UnicodeString.Contains</c> is case-sensitive: the query "BAR" must not be
/// reported as contained in the user data "Foo Bar Baz".
/// </summary>
public void when_data_contains_query_but_differs_in_case_contains_should_not_match()
{
    const string userData = "Foo Bar Baz";
    const string upperCaseQuery = "BAR";

    var record = PowerShellEvent.CreateRecord(userData, String.Empty, String.Empty);
    var containsUpperCase = UnicodeString.Contains(PowerShellEvent.UserData, upperCaseQuery);

    var matched = containsUpperCase.Test(record);

    Assert.IsFalse(matched);
}
/// <summary>
/// <c>UnicodeString.Contains</c> reports a match when the query "Bar" appears,
/// with identical casing, inside the user data "Foo Bar Baz".
/// </summary>
public void when_data_contains_query_contains_should_match()
{
    const string userData = "Foo Bar Baz";
    const string exactCaseQuery = "Bar";

    var record = PowerShellEvent.CreateRecord(userData, String.Empty, String.Empty);
    var containsExactCase = UnicodeString.Contains(PowerShellEvent.UserData, exactCaseQuery);

    var matched = containsExactCase.Test(record);

    Assert.IsTrue(matched);
}
/// <summary>
/// Builds the Microsoft-Windows-PowerShell provider used by this fixture. The
/// attached filter admits only event 7937 emitted by process <c>_processId</c>
/// whose "Payload" contains "Started.", and routes those events to
/// <see cref="DefaultEventHandler"/>.
/// </summary>
/// <returns>A <see cref="PSEtwUserProvider"/> wrapping the configured provider.</returns>
private PSEtwUserProvider CreatePowerShellProvider()
{
    const string providerName = "Microsoft-Windows-PowerShell";
    const int methodInvocationEventId = 7937;

    // NOTE(review): the query here has a trailing period ("Started.") whereas the
    // sample programs filter on "Started" — confirm the trailing period is intended.
    var predicate = Filter.ProcessIdIs((int)_processId)
        .And(Filter.EventIdIs(methodInvocationEventId))
        .And(UnicodeString.Contains("Payload", "Started."));

    var filter = new EventFilter(predicate);
    filter.OnEvent += DefaultEventHandler;

    var provider = new Provider(providerName);
    provider.AddFilter(filter);

    return new PSEtwUserProvider(provider, providerName);
}
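/// <summary>
/// Manual test harness: enables a user trace on the provider identified by GUID
/// below, counts method-invocation events (ID 7937 whose "Payload" contains
/// "Started"), runs a stats loop, and exercises starting the trace twice from the
/// console. Ctrl+C cancels the stats loop and stops the trace.
/// </summary>
/// <param name="args">Command-line arguments; unused.</param>
static void Main(string[] args)
{
    // Incremented from the event callback; a plain ++ is acceptable for a
    // diagnostic counter in this harness, but it is not atomic.
    var count = 0;
    var cts = new CancellationTokenSource();
    var trace = new UserTrace("MY AWESOME TEST THING");

    // Same GUID the sibling sample names as the PowerShell provider.
    var provider = new Provider(Guid.Parse("{A0C1853B-5C40-4B15-8766-3CF1C58F985A}"));

    // Only pull in method invocations.
    var powershellFilter = new EventFilter(
        Filter.EventIdIs(7937)
              .And(UnicodeString.Contains("Payload", "Started")));
    powershellFilter.OnEvent += e =>
    {
        Console.WriteLine($"{e.ProviderName} - {e.Id}: {count++}");
    };
    provider.AddFilter(powershellFilter);

    Console.CancelKeyPress += (s, e) =>
    {
        // Without Cancel = true the runtime terminates the process as soon as this
        // handler returns, so statsLoop.Wait() and the "Done" line below never run.
        e.Cancel = true;
        cts.Cancel();
        trace.Stop();
    };

    trace.Enable(provider);
    var statsLoop = Task.Run(() => PrintStats(trace, cts.Token));

    // trace.Start() is a blocking call (see the other sample Main), so it runs
    // off the main thread; the continuation reports how the task ended.
    Task.Run(() => trace.Start())
        .ContinueWith(t => Console.WriteLine($"Task ended with status {t.Status}"));

    // Any key continues, not only Enter; the prompt text is kept as-is.
    Console.WriteLine("Enter to restart trace");
    Console.ReadKey();

    Task.Run(() => trace.Start())
        .ContinueWith(t => Console.WriteLine($"Task ended with status {t.Status}"));

    Console.WriteLine("Ctrl+C to quit");

    // Assumes PrintStats returns (rather than throws) once the token is cancelled —
    // TODO confirm; a thrown OperationCanceledException would surface here as an
    // AggregateException.
    statsLoop.Wait();
    cts.Dispose();
    Console.WriteLine("Done");
}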
/// <summary>
/// Sample: a user-mode trace on the PowerShell provider that combines ETW-level
/// event-ID filtering (7937) with a predicate on the "ContextInfo" property and
/// prints that property for every admitted event. Blocks in <c>trace.Start()</c>.
/// </summary>
public static void Start()
{
    const int methodInvocationEventId = 7937;

    // UserTrace is for non-kernel providers defined by Windows components or
    // programs. The trace name is optional; when omitted, a random GUID is used.
    var trace = new UserTrace();

    // Providers are identified by GUID, defined by the component that emits the
    // events; ETW tooling (e.g. wevtutil) can enumerate them.
    var powershellProvider = new Provider(Guid.Parse("{A0C1853B-5C40-4B15-8766-3CF1C58F985A}"));

    // The Any/All keyword flags are provider-specific; consult the ETW producer
    // for their meaning. Here every keyword bit is requested.
    powershellProvider.Any = Provider.AllBitsSet;

    // This constructor takes the event ID (applied by ETW itself, as in
    // UserTrace003.cs) together with a predicate on the event's properties,
    // so property filtering is added without losing the ETW-side selection.
    var filter = new EventFilter(
        methodInvocationEventId,
        UnicodeString.Contains("ContextInfo", "Write-Host"));

    // Callbacks on a filter fire only for events the filter admits; callbacks
    // attached directly to the provider fire for every event it produces.
    filter.OnEvent += record =>
    {
        System.Diagnostics.Debug.Assert(record.Id == methodInvocationEventId);
        Console.WriteLine(record.GetUnicodeString("ContextInfo"));
    };

    powershellProvider.AddFilter(filter);
    trace.Enable(powershellProvider);
    trace.Start();
}