fireeye / pywintrace

ETW Python Library
Apache License 2.0

Cannot capture all events on Windows kernel trace #33

Closed Nimunru closed 4 years ago

Nimunru commented 4 years ago

I'm using the provider Windows Kernel Trace {9E814AAD-3204-11D2-9A82-006008A86939} to capture the behavior of a PE whose function is to search for some files and move them to another directory. But not all events can be captured. Is it because of the value of ring_buf_size? I have tried increasing ring_buf_size to 10240, but the problem is still unsolved.

abergl commented 4 years ago

Maybe try additional keywords or increase the logging level.

Nimunru commented 4 years ago

I tried levels 2 to 5; it seems like that does not change too much. When I use the keyword "PROCESS", all events can be captured successfully. But when I use the keyword "FILEIO", many events are lost. It only captured events from the first 3 minutes if I run the logger for 20 minutes. I think it might be because there are too many "FILEIO" events, so that the buffer is overflowed. Do you have any solutions?

SuprHackerSteve commented 4 years ago

@Nimunru have you tested with another ETW tool to verify this is an issue with pywintrace? The loss could be coming from the ETW providers themselves, since pywintrace simply wraps the OS APIs.

Nimunru commented 4 years ago

@SuprHackerSteve Actually, I have tried other tools and they also have the same problem. I wrote the event to a file in every callback; maybe that is the reason.

SuprHackerSteve commented 4 years ago

@Nimunru cool. I bet that the buffer might be being overwhelmed. I am closing the issue. Feel free to open if you see something change.
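As an added example, not code from the issue or from pywintrace itself: a consumer whose callback only enqueues, with a background thread doing the file writes and a counter for anything it has to drop, which addresses the per-callback file write mentioned above. The `trace_fileio` wiring (`ETW`, `ProviderInfo`, `GUID`, `any_keywords`) is an assumed pywintrace API; only `ring_buf_size` and the provider GUID come from the thread, and the import is guarded because pywintrace only loads on Windows.

```python
import io
import json
import queue
import threading

try:
    import etw  # pywintrace (Windows-only); guarded so the rest runs anywhere
except ImportError:
    etw = None

KERNEL_TRACE_GUID = "{9E814AAD-3204-11D2-9A82-006008A86939}"  # from the issue

class AsyncEventWriter:
    """Callback only enqueues; a thread does the file I/O and loss is counted."""

    def __init__(self, sink=None, maxsize=100_000):
        self.sink = sink if sink is not None else io.StringIO()  # any file-like
        self.queue = queue.Queue(maxsize=maxsize)
        self.written = 0   # events flushed to the sink
        self.dropped = 0   # events discarded because the queue was full
        self._stop = object()
        self._thread = threading.Thread(target=self._drain, daemon=True)

    def callback(self, event):  # runs on pywintrace's consumer thread
        try:
            self.queue.put_nowait(event)  # never block or do I/O here
        except queue.Full:
            self.dropped += 1  # explicit back-pressure signal, not silent loss

    def _drain(self):
        while (item := self.queue.get()) is not self._stop:
            self.sink.write(json.dumps(item, default=str) + "\n")
            self.written += 1
        self.sink.flush()

    def start(self):
        self._thread.start()

    def stop(self):
        self.queue.put(self._stop)
        self._thread.join()

def trace_fileio(writer, ring_buf_size=10240):
    """Assumed pywintrace wiring; only ring_buf_size and the GUID are from the issue."""
    if etw is None:
        raise RuntimeError("pywintrace is only available on Windows")
    provider = etw.ProviderInfo("Windows Kernel Trace", etw.GUID(KERNEL_TRACE_GUID),
                                any_keywords=["FILEIO"])
    return etw.ETW(providers=[provider], ring_buf_size=ring_buf_size,
                   event_callback=writer.callback)
```

A non-zero `dropped` after a run tells you the consumer side, not ETW, lost events; if it stays at zero while events are still missing, the loss is upstream in the session buffers.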