microsoft / krabsetw

KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.

Microsoft-Windows-Security-Auditing does not work on some versions #157

Closed zeze-zeze closed 3 years ago

zeze-zeze commented 3 years ago

I tested Microsoft-Windows-Security-Auditing in user_trace_005.cpp, which works on Windows 10 19042.928 (host), while it aborted on Windows Server 2012, Windows 7 and Windows 10 1079 (VMs running under VMware).

In all of the tests I used system privilege to run the program.

Any clue would be appreciated!

zeze-zeze commented 3 years ago

It turns out that the cause of the error is the error code returned from ControlTrace(), which is called from register_trace(), so if we comment out the register_trace() call, the program works.

Another way to fix it: we can add a catch for ERROR_INVALID_PARAMETER in register_trace to avoid the abort. For example,

```cpp
// Added to the try block in register_trace(), next to the existing catch handlers
catch (const invalid_parameter&) {
    // Give up on controlling the session but keep going; OpenTrace still works.
    trace_.registrationHandle_ = INVALID_PROCESSTRACE_HANDLE;
    return;
}
```

Though it works, I don't think it is a correct way to handle it.

According to MSDN, we can find what each error code means. On Windows 10 19042.928, it returns 5, which corresponds to ERROR_ACCESS_DENIED. On Windows Server 2012 and Windows 10 1079, it returns 87, which corresponds to ERROR_INVALID_PARAMETER.

However, I still don't know why the error codes returned are different.
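The status codes discussed above matter because "Eventlog-Security", the session user_trace_005.cpp attaches to, is owned by the Event Log service: a consumer can only open it, never start or control it, so a ControlTrace() query on it fails with a version-dependent code even though OpenTrace/ProcessTrace then succeed. The following is an added example, not code from krabs or from anyone in this thread. It isolates the "what do I do with this status?" decision into a portable function and keeps the real ControlTraceW() query behind `_WIN32`. The winerror.h values are copied in for off-Windows builds; the rule that 5 and 87 mean "session exists but is not ours to control" is an assumption generalised from the behaviour reported in this thread, and the system-owned session list is a placeholder with only the one name the thread mentions.

```cpp
// Added example (not krabs code): interpreting the ControlTrace() status when a
// consumer targets a session it does not own, such as "Eventlog-Security", the
// Event Log service's session that carries Microsoft-Windows-Security-Auditing.
// The decision logic is portable and testable; the real query is Windows-only.
#include <iostream>
#include <string>
#include <vector>

#ifdef _WIN32
#include <windows.h>
#include <evntrace.h>   // link with advapi32 (or sechost on newer SDKs)
#else
// winerror.h values, copied so the decision logic builds off-Windows.
typedef unsigned long ULONG;
constexpr ULONG ERROR_SUCCESS                = 0;
constexpr ULONG ERROR_ACCESS_DENIED          = 5;
constexpr ULONG ERROR_INVALID_PARAMETER      = 87;
constexpr ULONG ERROR_WMI_INSTANCE_NOT_FOUND = 4201;
#endif

enum class session_action { open_existing, start_new, fail };

struct decision {
    session_action action;
    std::string    reason;
};

// Sessions owned by the OS: a consumer attaches to them and must never create,
// update or stop them. Assumption: only the session from this thread is listed.
bool is_system_owned_session(const std::wstring& name) {
    return name == L"Eventlog-Security";
}

// Map a ControlTrace(..., EVENT_TRACE_CONTROL_QUERY) status to the next step.
// Treating ERROR_ACCESS_DENIED (5) and ERROR_INVALID_PARAMETER (87) as
// "session exists, just not controllable by us" is an assumption drawn from the
// report above: the code differs by Windows version, yet consuming still works.
decision decide(ULONG status, bool system_owned) {
    switch (status) {
    case ERROR_SUCCESS:
        return { session_action::open_existing, "session is running; attach to it" };
    case ERROR_WMI_INSTANCE_NOT_FOUND:
        if (system_owned)
            return { session_action::fail, "system session missing; is the Event Log service running?" };
        return { session_action::start_new, "no such session; StartTrace a new one" };
    case ERROR_ACCESS_DENIED:
    case ERROR_INVALID_PARAMETER:
        if (system_owned)
            return { session_action::open_existing, "query refused on this Windows version; attach without controlling" };
        return { session_action::fail, "cannot query our own session; check privileges and properties" };
    default:
        return { session_action::fail, "unexpected status " + std::to_string(status) };
    }
}

#ifdef _WIN32
// Real query of a session by name; returns the raw Win32 status.
ULONG query_session(const std::wstring& name) {
    const size_t name_bytes = 1024 * sizeof(wchar_t);
    std::vector<unsigned char> buf(sizeof(EVENT_TRACE_PROPERTIES) + 2 * name_bytes);
    auto* props = reinterpret_cast<EVENT_TRACE_PROPERTIES*>(buf.data());
    props->Wnode.BufferSize  = static_cast<ULONG>(buf.size());
    props->LoggerNameOffset  = sizeof(EVENT_TRACE_PROPERTIES);
    props->LogFileNameOffset = static_cast<ULONG>(sizeof(EVENT_TRACE_PROPERTIES) + name_bytes);
    return ControlTraceW(0, name.c_str(), props, EVENT_TRACE_CONTROL_QUERY);
}
#endif

int main() {
    const std::wstring session = L"Eventlog-Security";
#ifdef _WIN32
    ULONG status = query_session(session);
#else
    ULONG status = ERROR_INVALID_PARAMETER;  // constructed: the code Server 2012 returned in the report
#endif
    decision d = decide(status, is_system_owned_session(session));
    std::cout << "status " << status << " -> "
              << (d.action == session_action::open_existing ? "open_existing"
                : d.action == session_action::start_new     ? "start_new" : "fail")
              << " (" << d.reason << ")\n";
    return d.action == session_action::fail ? 1 : 0;
}
```

Before blaming the consumer on a host that fails, confirm the session is actually present with `logman query "Eventlog-Security" -ets` from an elevated prompt; if it is listed but the query above still returns 5 or 87, the consumer should skip the control step and go straight to OpenTrace.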

swannman commented 3 years ago

Resolved by #158 - thanks @zeze-zeze !