"no_trace_sessions_remaining" exception

[findream]

hello： I use "Microsoft-Windows-Kernel-Process" to monitor process creation, but throw "no_trace_sessions_remaining" exception。

krabs::user_trace trace;
krabs::provider<> provider(L"Microsoft-Windows-Kernel-Process");
provider.any(0x10);  // WINEVENT_KEYWORD_PROCESS
auto process_callback = [](const EVENT_RECORD& record, const krabs::trace_context& trace_context) {
    krabs::schema schema(record, trace_context.schema_locator);
    krabs::parser parser(schema);
    uint32_t ppid = parser.parse<uint32_t>(L"ParentProcessID");
    uint32_t pid = parser.parse<uint32_t>(L"ProcessID");
    std::wstring image_name = parser.parse<std::wstring>(L"ImageName");

    std::wcout << L"[>] Process Name: " << image_name << std::endl;
    std::wcout << L"[>] ParentProcess ID: " << ppid << std::endl;
    std::wcout << L"[>] ProcessID " << pid << std::endl;
    std::wcout << std::endl;
};
// real-time process start events
krabs::event_filter process_filter(krabs::predicates::id_is(1));
process_filter.add_on_event_callback(process_callback);
provider.add_filter(process_filter);
trace.enable(provider);
trace.start();

[swannman]

Hi @findream, Windows has a fixed limit of trace sessions that can be created. To remove old, unused trace sessions and make space for new ones, launch Performance Monitor as an administrator and navigate to Data Collector Sets > Event Trace Sessions. Right-click to stop a session if it's running, and right-click again to delete it.

To prevent future stale trace sessions from being created, supply a name when instantiating the krabs::trace instead of using the default constructor (which creates a random GUID-named trace session each time):

krabs::user_trace trace(L"My trace session");

instead of

krabs::user_trace trace;