microsoft / krabsetw

KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.

how to get old_file_name, new_file_name from rename event in etw #152

Closed yangjian123 closed 3 years ago

yangjian123 commented 3 years ago

I want to use krabsetw to monitor FileIO events, including create, delete, read, write and rename, but how can I get new_file_name and old_file_name? Does krabsetw supply this feature?

jdu2600 commented 3 years ago

Suggest looking at event 19 (Rename) and event 29 (Rename29) in the Microsoft-Windows-Kernel-File provider.

You might need to resolve FileObject and FileKey pointers to file names. Some hints for that are here - https://lowleveldesign.org/2020/08/15/fixing-empty-paths-in-fileio-events-etw/
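As an added illustration of the correlation the answer above hints at (this is example code written for this page, not part of krabsetw or anything the maintainers posted), the following uses the krabsetw .NET wrapper (`Microsoft.O365.Security.ETW`) to pair a rename's old and new names. Kernel-File rename events carry only `FileObject` / `FileKey` pointers, so the old name has to be remembered from an earlier Create (event 12, `FileName`) or NameCreate (event 10, `FileKey` + `FileName`), and the destination is assumed to arrive in the separate RenamePath event (27, `FilePath`) when the rename-path keyword is enabled. The event ids beyond 19/29, the field names, the keyword bit values and reading pointer-sized fields with `TryGetUInt64` are assumptions drawn from my recollection of the provider manifest; check them with `logman query providers Microsoft-Windows-Kernel-File` before relying on them.

```csharp
// Added example, not krabsetw project code. Requires the krabsetw .NET wrapper
// (Microsoft.O365.Security.ETW) and an elevated session (ETW kernel providers).
// Event ids 10/12/14/27, field names and keyword values are ASSUMED from the
// Microsoft-Windows-Kernel-File manifest; verify with:
//   logman query providers Microsoft-Windows-Kernel-File
using System;
using System.Collections.Generic;
using Microsoft.O365.Security.ETW;

static class RenameMonitor
{
    // Assumed keyword bits: FILENAME 0x10, FILEIO 0x20, CREATE 0x80, RENAME_SETLINK_PATH 0x800.
    const ulong KeywordFileName = 0x10, KeywordFileIo = 0x20, KeywordCreate = 0x80, KeywordRenamePath = 0x800;

    // Pointer -> path caches. FileObject addresses are reused after Close, so entries are
    // evicted on event 14; FileKey (the FCB) is a second, longer-lived lookup key.
    static readonly Dictionary<ulong, string> pathByFileObject = new Dictionary<ulong, string>();
    static readonly Dictionary<ulong, string> pathByFileKey = new Dictionary<ulong, string>();
    // FileObject -> old path, parked by Rename (19/29), consumed by RenamePath (27).
    static readonly Dictionary<ulong, string> pendingRename = new Dictionary<ulong, string>();

    static void Main()
    {
        var trace = new UserTrace("kernel-file-rename-demo");
        var provider = new Provider("Microsoft-Windows-Kernel-File");
        provider.Any = KeywordFileName | KeywordFileIo | KeywordCreate | KeywordRenamePath;

        Subscribe(provider, 12, OnCreate);      // Create: FileObject + FileName
        Subscribe(provider, 10, OnNameCreate);  // NameCreate: FileKey + FileName
        Subscribe(provider, 14, OnClose);       // Close: evict FileObject from cache
        Subscribe(provider, 19, OnRename);      // Rename: pointers only
        Subscribe(provider, 29, OnRename);      // Rename29: pointers only
        Subscribe(provider, 27, OnRenamePath);  // RenamePath: FilePath = destination (assumed)

        trace.Enable(provider);
        Console.CancelKeyPress += (s, e) => { e.Cancel = true; trace.Stop(); };
        Console.WriteLine("Tracing renames; Ctrl+C to stop.");
        trace.Start(); // blocks; callbacks run on this thread, so the dictionaries need no locking
    }

    static void Subscribe(Provider p, int eventId, Action<IEventRecord> handler)
    {
        var filter = new EventFilter(Filter.EventIdIs(eventId));
        filter.OnEvent += r => handler(r);
        p.AddFilter(filter);
    }

    static void OnCreate(IEventRecord r)
    {
        if (r.TryGetUInt64("FileObject", out var fo) && r.TryGetUnicodeString("FileName", out var name))
            pathByFileObject[fo] = name;
    }

    static void OnNameCreate(IEventRecord r)
    {
        if (r.TryGetUInt64("FileKey", out var key) && r.TryGetUnicodeString("FileName", out var name))
            pathByFileKey[key] = name;
    }

    static void OnClose(IEventRecord r)
    {
        if (r.TryGetUInt64("FileObject", out var fo))
        {
            pathByFileObject.Remove(fo);
            pendingRename.Remove(fo);
        }
    }

    // Resolve the old name from the caches and park it until the matching RenamePath arrives.
    static void OnRename(IEventRecord r)
    {
        if (!r.TryGetUInt64("FileObject", out var fo)) return;
        string oldName;
        if (!pathByFileObject.TryGetValue(fo, out oldName)
            && r.TryGetUInt64("FileKey", out var key))
            pathByFileKey.TryGetValue(key, out oldName);
        pendingRename[fo] = oldName ?? "<unknown: no Create/NameCreate seen for this FileObject>";
    }

    static void OnRenamePath(IEventRecord r)
    {
        if (!r.TryGetUInt64("FileObject", out var fo) || !r.TryGetUnicodeString("FilePath", out var newName))
            return;
        pendingRename.TryGetValue(fo, out var oldName);
        pendingRename.Remove(fo);
        pathByFileObject[fo] = newName; // keep the cache current for a later rename of the same handle
        Console.WriteLine($"{r.Timestamp:O} pid={r.ProcessId} RENAME old={oldName ?? "<unknown>"} new={newName}");
    }
}
```

Two caveats a practitioner will hit: files opened before the trace started have no Create/NameCreate in the cache, so their old names stay unknown until the file is reopened (a rundown, or opening the file yourself once, fills the gap), and the paths are NT device paths (`\Device\HarddiskVolumeN\...`), which need a separate volume-to-drive-letter mapping if you want `C:\...`.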