EVT API

 
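// ETW_FrameWork.cpp : Defines the entry point for the console application.
//
// Starts the NT Kernel Logger (ETW) session with the TCP/IP network
// provider flag enabled, records into a circular .etl file, waits for a
// key press, and then stops the session again.
//
// Review notes:
//  * The NT Kernel Logger is a system-wide, privileged session. It is NOT
//    tied to this process: if the program exits without ControlTrace(STOP)
//    the session keeps running (and keeps writing kernel network events to
//    LOGFILE_PATH) until something else stops it. The success path below
//    therefore falls through to the same cleanup as the error paths.
//  * Starting it needs administrator rights; ERROR_ACCESS_DENIED from
//    StartTrace is reported explicitly so the user knows to run elevated.
//  * LOGFILE_PATH is a placeholder that must be replaced before building.
//    Pick a directory that unprivileged users cannot write to, because the
//    kernel writes the trace file on the caller's behalf.
//  * The strings appended to EVENT_TRACE_PROPERTIES are wide strings, so the
//    W-suffixed ETW/StrSafe entry points are used explicitly instead of the
//    TCHAR-mapped names; this keeps the build correct even without UNICODE.

#include "stdafx.h"

#define INITGUID  // Include this #define to use SystemTraceControlGuid in Evntrace.h.
#include <windows.h>
#include <stdio.h>
#include <conio.h>
#include <strsafe.h>
#include <wmistr.h>
#include <evntrace.h>

#define LOGFILE_PATH L"<FULL PATH TO THE LOG FILE.etl>"

// The session name of the kernel logger is fixed by the system.
#define SESSION_NAME KERNEL_LOGGER_NAMEW

// Size, in MB, at which the circular log file wraps around.
#define LOGFILE_MAX_MB 5

int _tmain(int argc, _TCHAR* argv[])
{
    ULONG status = ERROR_SUCCESS;
    HRESULT hr = S_OK;
    TRACEHANDLE SessionHandle = 0;
    EVENT_TRACE_PROPERTIES* pSessionProperties = NULL;
    ULONG BufferSize = 0;
    int exitCode = 1;   // non-zero until the session was started and stopped cleanly

    UNREFERENCED_PARAMETER(argc);
    UNREFERENCED_PARAMETER(argv);

    // Allocate memory for the session properties. The memory must be large
    // enough to include the session name and the log file name, which are
    // appended (in that order) to the end of the properties structure.
    BufferSize = sizeof(EVENT_TRACE_PROPERTIES) + sizeof(SESSION_NAME) + sizeof(LOGFILE_PATH);
    pSessionProperties = (EVENT_TRACE_PROPERTIES*) malloc(BufferSize);
    if (NULL == pSessionProperties)
    {
        wprintf(L"Unable to allocate %lu bytes for properties structure.\n", BufferSize);
        goto cleanup;
    }

    // Set the session properties. Only the log file name is copied in here;
    // StartTrace appends the session name at LoggerNameOffset for us.
    ZeroMemory(pSessionProperties, BufferSize);
    pSessionProperties->Wnode.BufferSize = BufferSize;
    pSessionProperties->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
    pSessionProperties->Wnode.ClientContext = 1;            // QPC clock resolution
    pSessionProperties->Wnode.Guid = SystemTraceControlGuid; // identifies the kernel logger
    // For the kernel logger the providers are selected by EnableFlags; there
    // is no separate EnableTrace() call with a provider GUID.
    pSessionProperties->EnableFlags = EVENT_TRACE_FLAG_NETWORK_TCPIP;
    pSessionProperties->LogFileMode = EVENT_TRACE_FILE_MODE_CIRCULAR;
    pSessionProperties->MaximumFileSize = LOGFILE_MAX_MB;
    pSessionProperties->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
    pSessionProperties->LogFileNameOffset = sizeof(EVENT_TRACE_PROPERTIES) + sizeof(SESSION_NAME);

    // The destination buffer was sized from sizeof(LOGFILE_PATH), so this
    // copy cannot truncate; the result is still checked rather than ignored.
    hr = StringCbCopyW((LPWSTR)((char*)pSessionProperties + pSessionProperties->LogFileNameOffset),
                       sizeof(LOGFILE_PATH), LOGFILE_PATH);
    if (FAILED(hr))
    {
        wprintf(L"Copying the log file name failed with 0x%08lx\n", (unsigned long)hr);
        goto cleanup;
    }

    // Create the trace session.
    status = StartTraceW(&SessionHandle, SESSION_NAME, pSessionProperties);
    if (ERROR_SUCCESS != status)
    {
        if (ERROR_ALREADY_EXISTS == status)
        {
            wprintf(L"The NT Kernel Logger session is already in use.\n");
        }
        else if (ERROR_ACCESS_DENIED == status)
        {
            wprintf(L"StartTrace() failed with ERROR_ACCESS_DENIED; run this program elevated.\n");
        }
        else
        {
            wprintf(L"StartTrace() failed with %lu\n", status);
        }
        goto cleanup;
    }

    wprintf(L"Press any key to end trace session ");
    _getch();
    exitCode = 0;

    // Deliberately fall through: the session must be stopped on every path.
cleanup:
    if (SessionHandle)
    {
        status = ControlTraceW(SessionHandle, SESSION_NAME, pSessionProperties, EVENT_TRACE_CONTROL_STOP);
        if (ERROR_SUCCESS != status)
        {
            wprintf(L"ControlTrace(stop) failed with %lu\n", status);
            exitCode = 1;
        }
    }

    free(pSessionProperties);   // free(NULL) is a no-op
    return exitCode;
}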
