microsoft / perfview

PerfView is a CPU and memory performance-analysis tool
http://channel9.msdn.com/Series/PerfView-Tutorial
MIT License

Microsoft.Diagnostics.Tracing: Incomplete data in payload for some OS providers #1611

Open palenshus opened 2 years ago

palenshus commented 2 years ago

For some type(s) of built-in Windows events, I'm not getting the complete payload, namely AppId/AppVersion, and also I can't figure out how to get PartA data. To demonstrate, here’s a short LINQPad code sample: http://share.linqpad.net/5hsr9t.linq

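// Start a new real-time ETW session named "EtwMonitor".
using var session = new TraceEventSession("EtwMonitor", TraceEventSessionOptions.Create);
// Enable the provider by GUID.
session.EnableProvider(new Guid("487d6e37-1b9d-46d3-a8fd-54ce8bdf8a53"));

// The dynamic parser decodes self-describing events at run time; dump only the event of interest.
session.Source.Dynamic.All += delegate (TraceEvent e)
{
    if (e.EventName == "AppInteractivitySummary")
    {
        LINQPad.Extensions.Dump(e, e.EventName, collapseTo: 0);
        e.ToString().Dump();
    }
};
// Blocks and dispatches events to the handler above until the session is stopped.
session.Source.Process();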

However, it doesn’t give me the PartA properties, or even the AppId in the data section. Here’s what I get from the library:

<Event MSec=  "4249.0443"
    PID="45780"
    PName=        ""
    TID="48412"
    EventName="AppInteractivitySummary"
    ProviderName="Win32kTraceLogging"
    UTCReplace_AppId="0000b2d4-0002-001e-2a75-1bec3a50d801"
    UTCReplace_AppVersion="True"
    UTCReplace_CommandLineHash="True"
    PartATransform_AppSessionGuidToUserSid="0000b2d4-0002-001e-2a75-1bec3a50d801"
    AppSessionId="0000b2d4-0002-001e-2a75-1bec3a50d801"
    AggregationStartTime="4/14/2022 12:56:06 PM"
    ...
/>

And here’s what I get from the TelemetryRealTimeTool:

"data": {
        "AppId": "U:Microsoft.WindowsCalculator_11.2203.1.0_x64__8wekyb3d8bbwe!App",
        "AppVersion": "11.2203.1.0_x64_!2022/03/29:18:19:11!0!calculatorapp.exe",
        "CommandLineHash": 791235508,
        "AppSessionId": "00010D88-0002-001E-8F8D-E8B72F50D801",
        "AggregationStartTime": "2022-04-14T18:33:13.8264585Z",
    …

Any idea why AppId/AppVersion are being stripped or replaced? Is it some kind of security feature at work? And is there any way to get PartA event data using the library? Thanks!

palenshus commented 2 years ago

Additionally, I tried to follow the instructions at https://github.com/microsoft/perfview/blob/main/documentation/TraceEvent/TraceEventProgrammersGuide.md#building-compile-time-traceeventparser-parsers-using-traceparsergen to generate a manifest for the Win32kTraceLogging provider, but it didn't work; it fails with:

Error: Could not find provider with name Win32kTraceLogging

Using the GUID results in a similar error.