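/// <summary>
/// Creates a listener for a real-time ETW session and starts the thread that runs <c>ThreadProc</c>.
/// </summary>
/// <param name="observer">Observer to push events into</param>
/// <param name="sessionName">real-time session name</param>
/// <exception cref="ArgumentNullException"><paramref name="observer"/> or <paramref name="sessionName"/> is null.</exception>
/// <exception cref="UnauthorizedAccessException">
/// The current token is neither in the Administrators role nor in the Performance Log Users group.
/// </exception>
public EtwListener(IObserver<EtwNativeEvent> observer, string sessionName)
{
    if (observer == null)
    {
        throw new ArgumentNullException("observer");
    }

    if (sessionName == null)
    {
        throw new ArgumentNullException("sessionName");
    }

    // Advisory pre-check that gives a readable error early; Windows itself decides whether the
    // session can be opened. The check reflects the current token, so a non-elevated process of an
    // administrator account does not count as Administrator here.
    // Performance Log Users is accepted as well, so callers are not pushed into running elevated.
    using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
    {
        var principal = new WindowsPrincipal(identity);
        var performanceLogUsers = new SecurityIdentifier(WellKnownSidType.BuiltinPerformanceLoggingUsersSid, null);

        bool allowed = principal.IsInRole(WindowsBuiltInRole.Administrator)
                       || principal.IsInRole(performanceLogUsers);
        if (!allowed)
        {
            throw new UnauthorizedAccessException(
                "To use ETW real-time session, you have to be Administrator or a member of the Performance Log Users group");
        }
    }

    _observer = observer;
    _logFile = new EVENT_TRACE_LOGFILE
    {
        ProcessTraceMode = EtwNativeMethods.TraceModeRealTime | EtwNativeMethods.TraceModeEventRecord,
        LoggerName = sessionName,
        EventRecordCallback = EtwCallback
    };

    // Started last, after every field the thread might read has been assigned.
    _thread = new Thread(ThreadProc) { Name = "EtwSession " + sessionName };
    _thread.Start();
}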
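/// <summary>
/// Creates a reader over one or more .etl files and starts the thread that processes them,
/// either one file after another or merged, depending on <paramref name="sequential"/>.
/// </summary>
/// <param name="observer">Observer to push events into</param>
/// <param name="sequential">set sequential to true to sequentially stream the logs</param>
/// <param name="startTime">start time for the events from logs</param>
/// <param name="endTime">end time for the events from logs</param>
/// <param name="etlFiles">.etl (Event Trace Log) files to read. Up to 63 files are supported in non sequential mode.
/// Theoretically no limits on number of files in sequential mode.
/// Relative paths are resolved against the process's current directory.</param>
/// <exception cref="ArgumentNullException"><paramref name="observer"/> or <paramref name="etlFiles"/> is null.</exception>
public EtwFileReader(IObserver<EtwNativeEvent> observer, bool sequential, DateTime startTime, DateTime endTime, params string[] etlFiles)
{
    if (observer == null)
    {
        throw new ArgumentNullException("observer");
    }

    if (etlFiles == null)
    {
        throw new ArgumentNullException("etlFiles");
    }

    // Resolve every path before any GCHandle exists: Path.GetFullPath throws on a null or
    // malformed entry, and failing at this point leaves no handle behind that would never be freed.
    // NOTE(review): the documented 63-file limit for non sequential mode is not enforced here.
    var fullPaths = new string[etlFiles.Length];
    for (int i = 0; i < etlFiles.Length; i++)
    {
        fullPaths[i] = Path.GetFullPath(etlFiles[i]);
    }

    _observer = observer;
    _startTime = startTime;
    _endTime = endTime;

    // GCHandle.Alloc without a GCHandleType creates a Normal handle: it keeps the object alive but
    // does not pin it. NOTE(review): if EVENT_TRACE_LOGFILE is a struct, the handle refers to a
    // boxed copy rather than to the array element; confirm what the event callback relies on.
    _logFiles = new EVENT_TRACE_LOGFILE[fullPaths.Length];
    _logFileHandles = new GCHandle[fullPaths.Length];
    for (int i = 0; i < fullPaths.Length; i++)
    {
        _logFiles[i] = new EVENT_TRACE_LOGFILE
        {
            ProcessTraceMode = EtwNativeMethods.TraceModeEventRecord,
            LogFileName = fullPaths[i],
            EventRecordCallback = EtwCallback
        };

        _logFileHandles[i] = GCHandle.Alloc(_logFiles[i]);
    }

    _thread = sequential
        ? new Thread(ProcessTracesInSequence) { Name = "EtwFileObservable" }
        : new Thread(MergeTracesAndProcess) { Name = "EtwFileObservable" };
    _thread.Start();
}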
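/// <summary>
/// Creates a reader over one or more .etl files and starts the thread that runs <c>ThreadProc</c>.
/// </summary>
/// <param name="observer">Observer to push events into</param>
/// <param name="etlFiles">.etl (Event Trace Log) files to read. Up to 63 files are supported.
/// Relative paths are resolved against the process's current directory.</param>
/// <exception cref="ArgumentNullException"><paramref name="observer"/> or <paramref name="etlFiles"/> is null.</exception>
public EtwFileReader(IObserver<EtwNativeEvent> observer, params string[] etlFiles)
{
    if (observer == null)
    {
        throw new ArgumentNullException("observer");
    }

    if (etlFiles == null)
    {
        throw new ArgumentNullException("etlFiles");
    }

    // Resolve every path before any GCHandle exists: Path.GetFullPath throws on a null or
    // malformed entry, and failing at this point leaves no handle behind that would never be freed.
    // NOTE(review): the documented 63-file limit is not enforced here.
    var fullPaths = new string[etlFiles.Length];
    for (int i = 0; i < etlFiles.Length; i++)
    {
        fullPaths[i] = Path.GetFullPath(etlFiles[i]);
    }

    _observer = observer;

    // GCHandle.Alloc without a GCHandleType creates a Normal handle: it keeps the object alive but
    // does not pin it. NOTE(review): if EVENT_TRACE_LOGFILE is a struct, the handle refers to a
    // boxed copy rather than to the array element; confirm what the event callback relies on.
    _logFiles = new EVENT_TRACE_LOGFILE[fullPaths.Length];
    _logFileHandles = new GCHandle[fullPaths.Length];
    for (int i = 0; i < fullPaths.Length; i++)
    {
        _logFiles[i] = new EVENT_TRACE_LOGFILE
        {
            ProcessTraceMode = EtwNativeMethods.TraceModeEventRecord,
            LogFileName = fullPaths[i],
            EventRecordCallback = EtwCallback
        };

        _logFileHandles[i] = GCHandle.Alloc(_logFiles[i]);
    }

    _thread = new Thread(ThreadProc) { Name = "EtwFileObservable" };
    _thread.Start();
}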
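/// <summary>
/// Creates a listener for a real-time ETW session and starts the thread that runs <c>ThreadProc</c>.
/// </summary>
/// <param name="observer">Observer to push events into</param>
/// <param name="sessionName">real-time session name</param>
/// <exception cref="ArgumentNullException"><paramref name="observer"/> or <paramref name="sessionName"/> is null.</exception>
/// <exception cref="UnauthorizedAccessException">
/// The current token is neither in the Administrators role nor in the Performance Log Users group.
/// </exception>
public EtwListener(IObserver<EtwNativeEvent> observer, string sessionName)
{
    if (observer == null)
    {
        throw new ArgumentNullException("observer");
    }

    if (sessionName == null)
    {
        throw new ArgumentNullException("sessionName");
    }

    // Advisory pre-check that gives a readable error early; Windows itself decides whether the
    // session can be opened. The check reflects the current token, so a non-elevated process of an
    // administrator account does not count as Administrator here.
    // Performance Log Users is accepted as well, so callers are not pushed into running elevated.
    using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
    {
        var principal = new WindowsPrincipal(identity);
        var performanceLogUsers = new SecurityIdentifier(WellKnownSidType.BuiltinPerformanceLoggingUsersSid, null);

        bool allowed = principal.IsInRole(WindowsBuiltInRole.Administrator)
                       || principal.IsInRole(performanceLogUsers);
        if (!allowed)
        {
            throw new UnauthorizedAccessException(
                "To use ETW real-time session, you have to be Administrator or a member of the Performance Log Users group");
        }
    }

    _observer = observer;
    _logFile = new EVENT_TRACE_LOGFILE
    {
        ProcessTraceMode = EtwNativeMethods.TraceModeRealTime | EtwNativeMethods.TraceModeEventRecord,
        LoggerName = sessionName,
        EventRecordCallback = EtwCallback
    };

    // Started last, after every field the thread might read has been assigned.
    _thread = new Thread(ThreadProc) { Name = "EtwSession " + sessionName };
    _thread.Start();
}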
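/// <summary>
/// Creates a reader over one or more .etl files and starts the thread that processes them,
/// either one file after another or merged, depending on <paramref name="sequential"/>.
/// </summary>
/// <param name="observer">Observer to push events into</param>
/// <param name="sequential">set sequential to true to sequentially stream the logs</param>
/// <param name="startTime">start time for the events from logs</param>
/// <param name="endTime">end time for the events from logs</param>
/// <param name="etlFiles">.etl (Event Trace Log) files to read. Up to 63 files are supported in non sequential mode.
/// Theoretically no limits on number of files in sequential mode.
/// Relative paths are resolved against the process's current directory.</param>
/// <exception cref="ArgumentNullException"><paramref name="observer"/> or <paramref name="etlFiles"/> is null.</exception>
public EtwFileReader(IObserver<EtwNativeEvent> observer, bool sequential, DateTime startTime, DateTime endTime, params string[] etlFiles)
{
    if (observer == null)
    {
        throw new ArgumentNullException("observer");
    }

    if (etlFiles == null)
    {
        throw new ArgumentNullException("etlFiles");
    }

    // Resolve every path before any GCHandle exists: Path.GetFullPath throws on a null or
    // malformed entry, and failing at this point leaves no handle behind that would never be freed.
    // NOTE(review): the documented 63-file limit for non sequential mode is not enforced here.
    var fullPaths = new string[etlFiles.Length];
    for (int i = 0; i < etlFiles.Length; i++)
    {
        fullPaths[i] = Path.GetFullPath(etlFiles[i]);
    }

    _observer = observer;
    _startTime = startTime;
    _endTime = endTime;

    // GCHandle.Alloc without a GCHandleType creates a Normal handle: it keeps the object alive but
    // does not pin it. NOTE(review): if EVENT_TRACE_LOGFILE is a struct, the handle refers to a
    // boxed copy rather than to the array element; confirm what the event callback relies on.
    _logFiles = new EVENT_TRACE_LOGFILE[fullPaths.Length];
    _logFileHandles = new GCHandle[fullPaths.Length];
    for (int i = 0; i < fullPaths.Length; i++)
    {
        _logFiles[i] = new EVENT_TRACE_LOGFILE
        {
            ProcessTraceMode = EtwNativeMethods.TraceModeEventRecord,
            LogFileName = fullPaths[i],
            EventRecordCallback = EtwCallback
        };

        _logFileHandles[i] = GCHandle.Alloc(_logFiles[i]);
    }

    _thread = sequential
        ? new Thread(ProcessTracesInSequence) { Name = "EtwFileObservable" }
        : new Thread(MergeTracesAndProcess) { Name = "EtwFileObservable" };
    _thread.Start();
}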
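/// <summary>
/// Creates a reader over one or more .etl files and starts the thread that runs <c>ThreadProc</c>.
/// </summary>
/// <param name="observer">Observer to push events into</param>
/// <param name="etlFiles">.etl (Event Trace Log) files to read. Up to 63 files are supported.
/// Relative paths are resolved against the process's current directory.</param>
/// <exception cref="ArgumentNullException"><paramref name="observer"/> or <paramref name="etlFiles"/> is null.</exception>
public EtwFileReader(IObserver<EtwNativeEvent> observer, params string[] etlFiles)
{
    if (observer == null)
    {
        throw new ArgumentNullException("observer");
    }

    if (etlFiles == null)
    {
        throw new ArgumentNullException("etlFiles");
    }

    // Resolve every path before any GCHandle exists: Path.GetFullPath throws on a null or
    // malformed entry, and failing at this point leaves no handle behind that would never be freed.
    // NOTE(review): the documented 63-file limit is not enforced here.
    var fullPaths = new string[etlFiles.Length];
    for (int i = 0; i < etlFiles.Length; i++)
    {
        fullPaths[i] = Path.GetFullPath(etlFiles[i]);
    }

    _observer = observer;

    // GCHandle.Alloc without a GCHandleType creates a Normal handle: it keeps the object alive but
    // does not pin it. NOTE(review): if EVENT_TRACE_LOGFILE is a struct, the handle refers to a
    // boxed copy rather than to the array element; confirm what the event callback relies on.
    _logFiles = new EVENT_TRACE_LOGFILE[fullPaths.Length];
    _logFileHandles = new GCHandle[fullPaths.Length];
    for (int i = 0; i < fullPaths.Length; i++)
    {
        _logFiles[i] = new EVENT_TRACE_LOGFILE
        {
            ProcessTraceMode = EtwNativeMethods.TraceModeEventRecord,
            LogFileName = fullPaths[i],
            EventRecordCallback = EtwCallback
        };

        _logFileHandles[i] = GCHandle.Alloc(_logFiles[i]);
    }

    _thread = new Thread(ThreadProc) { Name = "EtwFileObservable" };
    _thread.Start();
}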
// Managed declaration of the native OpenTrace entry point. It takes the EVENT_TRACE_LOGFILE
// description by reference and returns a 64-bit unsigned value (the trace handle, per the
// Windows API documentation).
// NOTE(review): the native function reports failure through an invalid handle value rather than
// an exception, so callers should check the result before passing it on. The DllImport attribute
// is not visible here; confirm it sets SetLastError so the error code can be retrieved.
public static extern UInt64 OpenTrace(ref EVENT_TRACE_LOGFILE logfile);