microsoft / krabsetw

KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.

Problem with determining the size of the property #182

Open kaaleksandr opened 3 years ago

kaaleksandr commented 3 years ago

Manifests itself on the provider Microsoft-Windows-USB-USBPORT.

Part of my log:

...
ETW PropertyName: fid_USBPORT_HC, Type: 3. Exception: Property size doesn't match requested size
ETW PropertyName: fid_USBPORT_HC_Idle_Status, Type: 9. Exception: Property size doesn't match requested size
ETW PropertyName: fid_USBPORT_HC, Type: 6. Exception: Property size doesn't match requested size
ETW PropertyName: fid_USBPORT_Device, Type: 12. Exception: Property size doesn't match requested size
ETW PropertyName: fid_USBPORT_Device_Descriptor, Type: 19. Exception: Failed to get a SID from a property
ETW PropertyName: fid_USBPORT_HC, Type: 6. Exception: Property size doesn't match requested size
ETW PropertyName: fid_USBPORT_Device, Type: 12. Exception: Property size doesn't match requested size
ETW PropertyName: fid_USBPORT_Device_Descriptor, Type: 19. Exception: Failed to get a SID from a property
ETW PropertyName: fid_USBPORT_HC, Type: 6. Exception: Property size doesn't match requested size
ETW PropertyName: fid_USBPORT_Device, Type: 12. Exception: Property size doesn't match requested size
ETW PropertyName: fid_USBPORT_Device_Descriptor, Type: 19. Exception: Failed to get a SID from a property
ETW PropertyName: fid_USBPORT_HC, Type: 4. Exception: Property size doesn't match requested size
ETW PropertyName: fid_USBPORT_Device, Type: 10. Exception: Property size doesn't match requested size
ETW PropertyName: fid_USBPORT_Endpoint, Type: 17. Exception: Property size doesn't match requested size
ETW PropertyName: fid_USBPORT_Endpoint_Descriptor, Type: 20. Exception: Property size doesn't match requested size
...

kaaleksandr commented 3 years ago

OS: Windows 7 x64

kaaleksandr commented 3 years ago

For example: Property fid_USBPORT_HC has type 3 (TDH_INTYPE_INT8), but func TdhGetPropertySize returned 20. 1b != 20.

kaaleksandr commented 3 years ago

See Remarks: https://docs.microsoft.com/en-us/windows/win32/api/tdh/nf-tdh-tdhgetpropertysize
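The mismatch described in the comments above (in-type 3, a 1-byte integer, against a reported size of 20) can be handled without an exception by comparing the reported size with the width the declared type implies and keeping the raw bytes when they disagree. This is an added example, not code from krabsetw or from this thread; `Property`, `Decoded`, `declared_width` and `decode` are hypothetical names, and the payload bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Integer in-types, numbered as in tdh.h (TDH_INTYPE_INT8 = 3 ... TDH_INTYPE_UINT64 = 10).
enum InType : uint16_t { IN_INT8 = 3, IN_UINT8, IN_INT16, IN_UINT16, IN_INT32, IN_UINT32, IN_INT64, IN_UINT64 };

// Hypothetical stand-in for one event property: the in-type the schema declares
// and the payload bytes, whose count is the size reported for the property.
struct Property { uint16_t in_type; std::vector<uint8_t> data; };

struct Decoded {
    bool typed = false;   // true when the bytes were read as the declared integer
    int64_t value = 0;    // meaningful only when typed is true
    std::string raw_hex;  // payload kept as hex when the sizes disagree
};

// Width in bytes implied by the declared in-type, or 0 if it is not an integer type.
size_t declared_width(uint16_t in_type) {
    if (in_type < IN_INT8 || in_type > IN_UINT64) return 0;
    return size_t{1} << ((in_type - IN_INT8) / 2);   // 1, 1, 2, 2, 4, 4, 8, 8
}

// Decode as the declared integer only when the reported size matches its width.
Decoded decode(const Property& p) {
    Decoded out;
    const size_t width = declared_width(p.in_type);
    if (width == 0 || p.data.size() != width) {
        // Declared type and reported size disagree: keep the bytes, do not throw.
        static const char digits[] = "0123456789abcdef";
        for (uint8_t b : p.data) { out.raw_hex += digits[b >> 4]; out.raw_hex += digits[b & 0x0f]; }
        return out;
    }
    uint64_t bits = 0;   // assemble the value from little-endian payload bytes
    for (size_t i = 0; i < width; ++i) bits |= uint64_t{p.data[i]} << (8 * i);
    const bool is_signed = (p.in_type - IN_INT8) % 2 == 0;   // INT8, INT16, INT32, INT64
    if (is_signed && width < 8 && ((bits >> (8 * width - 1)) & 1) != 0)
        bits |= ~uint64_t{0} << (8 * width);                 // sign-extend to 64 bits
    out.typed = true;
    out.value = static_cast<int64_t>(bits);
    return out;
}

int main() {
    // Constructed input: declared type 3 (INT8) with 20 bytes of payload.
    Decoded d = decode({IN_INT8, std::vector<uint8_t>(20, 0x00)});
    std::cout << (d.typed ? "typed " : "raw ") << d.raw_hex << "\n";
}
```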

kaaleksandr commented 3 years ago

example code:

#include <iostream>
#include <krabs.hpp>

int main()
{
    krabs::user_trace trace{ L"TestUsbSession_1234" };

    // see: https://github.com/repnz/etw-providers-docs/blob/master/Manifests-Win10-18990/Microsoft-Windows-USB-UCX.xml
    krabs::provider<> provider(krabs::guid(L"{36da592d-e43a-4e28-af6f-4bc57c5a11e8}"));

    provider.add_on_event_callback([](const EVENT_RECORD &record, const krabs::trace_context &trace_context) {

        krabs::schema schema(record, trace_context.schema_locator);

        std::wcout << L"Event " << schema.event_id();
        std::wcout << L"(" << schema.event_name() << L") received." << std::endl;

        krabs::parser parser(schema);

        // Walk every property of the event and parse the ones declared as UINT8.
        for (auto elem : parser.properties())
        {
            switch (elem.type())
            {
                case TDH_INTYPE_UINT8:
                {
                    auto usbPort = parser.parse<uint8_t>(elem.name());
                    int bp = 1;
                    break;
                }
                default:
                    break;
            }
        }
    });

    trace.enable(provider);
    trace.start();
}

kaaleksandr commented 3 years ago

Krabs_unh_exception

kaaleksandr commented 3 years ago

Krabs_unh_exception_2