I used EVENT_ENABLE_PROPERTY_STACK_TRACE as a flag and used schema.stack_trace() to retrieve the call stack and return PC.
However, almost all call stacks obtained only have kernel mode call stacks (PC > 0xFFFF000000000000), and there are no user mode call stacks.
After consulting the documentation, I found that the EVENT_EXTENDED_ITEM_STACK_TRACE64 structure contains ULONG64 MatchId;, as described in the documentation:
MatchId
A unique identifier that you use to match the kernel-mode calls to the user-mode calls; the kernel-mode calls and user-mode calls are captured in separate events if the environment prevents both from being captured in the same event. If the kernel-mode and user-mode calls were captured in the same event, the value is zero.
There are many messages that have non-zero MatchId values. How can I use this value to find the user mode call stack?
Thanks.
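As an added example (not part of the original post and not code from the tracing library it uses), the following shows the pairing logic the quoted documentation describes: stack-trace events with MatchId 0 are complete, and events sharing a non-zero MatchId are the kernel-mode and user-mode halves of one stack. The event records, addresses and the dict layout are constructed assumptions; the kernel/user split uses the same address threshold as the post.

```python
# Added example: pair kernel-mode and user-mode stack fragments by MatchId.
# Event records below are constructed sample data, not captured ETW output.
from collections import defaultdict

KERNEL_BASE = 0xFFFF000000000000  # threshold used in the post for kernel PCs


def is_kernel_pc(pc: int) -> bool:
    """True for a return address in the kernel half of the address space."""
    return pc >= KERNEL_BASE


def split_frames(frames):
    """Split one event's frames into (kernel_frames, user_frames), order kept."""
    kernel = [pc for pc in frames if is_kernel_pc(pc)]
    user = [pc for pc in frames if not is_kernel_pc(pc)]
    return kernel, user


def merge_stack_events(events):
    """
    events: iterable of dicts {'match_id': int, 'frames': [int, ...]} (assumed
    layout, one per EVENT_EXTENDED_ITEM_STACK_TRACE64 item).
    Returns (merged_stacks, unmatched) where merged_stacks lists complete
    stacks (kernel frames first, then user frames) and unmatched maps a
    MatchId to the frames seen when only one half ever arrived.
    """
    merged = []
    pending = defaultdict(lambda: {"kernel": [], "user": []})
    for ev in events:
        kernel, user = split_frames(ev["frames"])
        if ev["match_id"] == 0:          # both halves already in this event
            merged.append(kernel + user)
            continue
        bucket = pending[ev["match_id"]]  # user half may arrive later
        bucket["kernel"].extend(kernel)
        bucket["user"].extend(user)
    unmatched = {}
    for match_id, bucket in pending.items():
        if bucket["kernel"] and bucket["user"]:
            merged.append(bucket["kernel"] + bucket["user"])
        else:                             # lone half: keep for diagnostics
            unmatched[match_id] = bucket["kernel"] + bucket["user"]
    return merged, unmatched


# Constructed sample: one self-contained event, one split pair, one orphan.
SAMPLE_EVENTS = [
    {"match_id": 0, "frames": [0xFFFFF80012345678, 0x00007FF612340000]},
    {"match_id": 0x1A2B, "frames": [0xFFFFF80012345ABC, 0xFFFFF80012346000]},
    {"match_id": 0x1A2B, "frames": [0x00007FFC90001234, 0x00007FF612345678]},
    {"match_id": 0x9999, "frames": [0xFFFFF80099990000]},
]
```

Stacks left in `unmatched` are the ones whose user-mode half never arrived in the session, which is the condition worth counting when checking whether user-mode capture is working at all.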