microsoft / krabsetw

KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.

Unable to parse Schannel events #89

Closed bartecargo closed 4 years ago

bartecargo commented 4 years ago

I'm unable to get the schema properties or event_name from the Schannel (1f678132-5938-4686-9fdc-c8ff68f15c85) provider. I note that the same event is processed correctly in Microsoft Message Analyzer when I capture live events simultaneously on the same Windows 10 machine.

The provider_name and event_id values appear to be valid, however, I only get gibberish from the event_name method, and an exception is thrown when I try to enumerate the properties via parser.

The same code works well for the Microsoft-Windows-SChannel-Events provider. Is there something that I should be doing differently for the Schannel provider?
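The consumer described above, written as an added example that is not the reporter's code and not part of the krabsetw project. It uses the .NET wrapper (`Microsoft.O365.Security.ETW`), whose `record.Name` and `record.Properties` correspond to the C++ `schema.event_name()` and `parser.properties()` mentioned in the report, and it logs the header fields (provider GUID, event id, pid, timestamp) before touching anything that depends on TDH schema resolution, so a provider whose schema cannot be resolved still produces a usable line. The session name and the keyword mask are arbitrary choices, and it is an assumption that the wrapper surfaces a failed schema lookup as a managed exception inside the callback.

```csharp
// Added example, not from the issue or the krabsetw project.
// Consumes the Schannel provider through the krabsetw .NET wrapper and
// degrades gracefully when an event's schema cannot be resolved.
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.O365.Security.ETW;

public static class SchannelTrace
{
    // Provider GUID taken from the issue text.
    static readonly Guid SchannelProvider = Guid.Parse("{1f678132-5938-4686-9fdc-c8ff68f15c85}");

    public static void Run()
    {
        var trace = new UserTrace("schannel-probe");   // session name: arbitrary choice
        var provider = new Provider(SchannelProvider);
        provider.Any = 0xFFFFFFFFFFFFFFFF;             // all keywords; narrow once the events of interest are known

        provider.OnEvent += record =>
        {
            // Header fields come straight from EVENT_RECORD and never need TDH,
            // so they are logged first and survive a schema failure.
            Console.WriteLine($"{record.Timestamp:o} pid={record.ProcessId} provider={record.ProviderId} id={record.Id}");
            try
            {
                // Name and Properties both require TdhGetEventInformation to succeed;
                // for this provider the name may be unusable or the lookup may fail.
                string name = record.Name;
                string[] props = record.Properties.Select(p => p.Name).ToArray();
                Console.WriteLine($"  name={name} props=[{string.Join(", ", props)}]");
            }
            catch (Exception ex)   // assumption: schema lookup failures reach the callback as a managed exception
            {
                Console.WriteLine($"  schema unavailable: {ex.GetType().Name}: {ex.Message}");
            }
        };

        trace.Enable(provider);
        Console.WriteLine("tracing Schannel; press Enter to stop");
        // Start() blocks until the session is stopped, so run it on a worker thread.
        Task worker = Task.Run(() => trace.Start());
        Console.ReadLine();
        trace.Stop();
        worker.Wait();
    }

    public static void Main() => Run();
}
```

Run it from an elevated prompt, since starting an ETW session requires administrator rights. If the header line prints but the name and properties do not, the event itself is arriving and the problem is confined to schema resolution; `logman query providers` lists the provider GUIDs the OS has registered and is a quick way to confirm whether the machine knows this provider at all.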

swannman commented 4 years ago

Looks like this will be fixed by #131

swannman commented 4 years ago

Resolved by #131