Open daladim opened 2 years ago
Nice find @daladim! I think you are correct that `opcode` and `level` don't need to be part of the schema cache key, at least for manifest-based providers. I wonder whether we need to maintain these for TraceLogging events?
Hello. Reading the Microsoft documentation, krabsetw (and its Rust counterpart ferrisetw), I am puzzled about how to distinguish different schemas.
The doc says (emphasis mine):
AFAICT, this would mean that a `schema_key` would only need to contain these 3 fields. However, `struct schema_key` also contains `opcode` and `level`. Is there a reason for it? Is it to support "non-manifest-based ETW"?
Besides, `schema_key::operator==` consistently compares these 5 fields. But `schema::operator==` only compares the 3 fields described in the documentation. I am not knowledgeable enough in ETW to tell whether this is an inconsistency, or whether that's fine.
Do you have any ideas on this matter?
(Note: I saw this potential inconsistency in ferrisetw, then I saw that it mirrored what you've written here, so I'm asking at the source of truth :smile: I hope I'll find my answers here)