microsoft / krabsetw

KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.

Can't query provider information using logman when setting up a kernel trace with the krabs::kernel::virtual_alloc_provider provider. #228

Closed Cishanduwang closed 6 months ago

Cishanduwang commented 6 months ago

I used the krabs::kernel::virtual_alloc_provider provider to create a kernel trace named "My Custome Trace".

```cpp
#include <krabs.hpp>

// Kernel trace session with a custom name, enabling only the VirtualAlloc flag
krabs::kernel_trace trace(L"My Custome Trace");

krabs::kernel::virtual_alloc_provider provider;

provider.add_on_event_callback([](const EVENT_RECORD& record, const krabs::trace_context& trace_context) {
    krabs::schema schema(record, trace_context.schema_locator);
    // ... (event handling elided in the original post)
});

trace.enable(provider);
trace.start();
```

When I start my program it works well and gets the information correctly. But when I use logman to query the trace session, no providers show up.

```
logman "My Custome Trace" -ets
```

The command output is:

```
Name:                   My Custome Trace
Status:                 Running
Root Path:              %systemdrive%\PerfLogs\Admin
......

Name:                   My Custome Trace\My Custome Trace
Type:                   Trace
......
File Mode:              real time

Command Success
```

I expected there to be a provider named "Windows Kernel Trace" with GUID {9E814AAD-3204-11D2-9A82-006008A86939} listed below "File Mode", but there is none. Why?

Thank you for your help.

Cishanduwang commented 6 months ago

Well, I figured it out myself. The code above just creates an NT Kernel Logger session, which is a reserved trace session built into Windows, and enables the VirtualAlloc trace function. Other functions can be enabled too, like Process, Thread, DiskIo and TcpIp.
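As an added example (not code from the krabsetw project or from the issue author), the following PowerShell script does from the command line what the closing comment describes and what the original question was trying to check: it starts the reserved NT Kernel Logger session through logman with a few of the kernel flags (process, thread, image load, virtual alloc), queries the session so the "Windows Kernel Trace" provider block is visible, decodes the KeywordsAny mask into EVENT_TRACE_FLAG_* names, and stops the session again. The helper names Get-KernelFlagNames and Get-NtKernelLoggerMask are my own; the flag bits are the documented EVENT_TRACE_FLAG_* values and the keyword names are logman's. The script assumes logman prints a KeywordsAny line for the session's provider, which it does for a session logman itself started; for a custom-named krabs session like the one in the issue it may print none, and the helper then returns $null.

```powershell
# Added example, not code from the krabsetw project or from the issue author.
# Requires an elevated PowerShell prompt and the built-in logman.exe.

$Session = 'NT Kernel Logger'   # reserved session name; only one instance can exist

# EVENT_TRACE_FLAG_* bits from evntrace.h (a subset). krabs' kernel providers
# request these same bits; logman exposes them under the keyword names noted.
$KernelFlags = [ordered]@{
    Process      = 0x00000001   # logman keyword: process
    Thread       = 0x00000002   # thread
    ImageLoad    = 0x00000004   # img
    DiskIo       = 0x00000100   # disk
    DiskFileIo   = 0x00000200   # file
    PageFaults   = 0x00001000   # pf
    HardFaults   = 0x00002000   # hf
    VirtualAlloc = 0x00004000   # virtalloc
    NetworkTcpIp = 0x00010000   # net
    Registry     = 0x00020000   # registry
}

function Get-KernelFlagNames {
    # Translates an enable-flags mask into the names above (helper name is my own).
    param([uint64]$Mask)
    $KernelFlags.GetEnumerator() |
        Where-Object { ($Mask -band [uint64]$_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Get-NtKernelLoggerMask {
    # Reads the KeywordsAny value logman prints for the Windows Kernel Trace
    # provider of the running session. Returns $null when the session is not
    # running or logman prints no provider block at all (the case in this issue).
    $match = logman query $Session -ets 2>$null |
        Select-String -Pattern 'KeywordsAny:\s*0x([0-9A-Fa-f]+)' |
        Select-Object -First 1
    if (-not $match) { return $null }
    [Convert]::ToUInt64($match.Matches[0].Groups[1].Value, 16)
}

$startedHere = $false
if ($null -ne (Get-NtKernelLoggerMask)) {
    Write-Host "'$Session' is already running (perhaps a krabs program owns it); querying the existing session."
} else {
    # Same kernel flags that krabs' process, thread, image-load and virtual-alloc
    # providers would turn on, as a real-time session with no output file.
    logman start $Session -p 'Windows Kernel Trace' '(process,thread,img,virtalloc)' -rt -ets | Out-Null
    $startedHere = $true
}

# For a session started by logman, the provider block, including the GUID
# {9E814AAD-3204-11D2-9A82-006008A86939}, appears in this output.
logman query $Session -ets

$mask = Get-NtKernelLoggerMask
if ($null -ne $mask) {
    "Enabled kernel flags: $((Get-KernelFlagNames $mask) -join ', ')"
} else {
    'logman printed no provider block for this session.'
}

# Only tear down a session this script created.
if ($startedHere) { logman stop $Session -ets | Out-Null }
```

Because only one NT Kernel Logger can exist at a time, the script checks for a running instance before starting one rather than unconditionally calling logman start, and it never stops a session it did not create, so running it alongside a krabs program does not tear that program's trace down.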