一、枚举ETW
EnumerateTraceGuidsEx 来枚举Providers 的注册者的相关ETW的注册信息
#include <windows.h>
#include <stdio.h>
#include <evntcons.h>
DWORD GetProviderInfo(GUID ProviderGuid, PTRACE_GUID_INFO & pInfo);
void wmain(void)
{
ULONG status = ERROR_SUCCESS;
GUID *pTemp = NULL;
GUID *pGuids = NULL;
DWORD GuidListSize = 0;
DWORD GuidCount = 0;
DWORD RequiredListSize = 0;
WCHAR ProviderGuid[50];
PTRACE_GUID_INFO pInfo = NULL;
PTRACE_PROVIDER_INSTANCE_INFO pInstance = NULL;
PTRACE_ENABLE_INFO pEnable = NULL;
// Get the required buffer size for the query.
status = EnumerateTraceGuidsEx(TraceGuidQueryList, NULL, 0, pGuids, GuidListSize, &RequiredListSize);
// The number of registered providers could change between the
// time you called to get the buffer size and the time you called
// to get the actual data, so call EnumerateTraceGuidsEx in a loop
// until you no longer get ERROR_INSUFFICIENT_BUFFER.
while (ERROR_INSUFFICIENT_BUFFER == status)
{
pTemp = (GUID *) realloc(pGuids, RequiredListSize);
if (NULL == pTemp)
{
wprintf(L"Error allocating memory for list of provider GUIDs.\n");
goto cleanup;
}
pGuids = pTemp;
pTemp = NULL;
GuidListSize = RequiredListSize;
ZeroMemory(pGuids, GuidListSize);
status = EnumerateTraceGuidsEx(TraceGuidQueryList, NULL, 0, pGuids, GuidListSize, &RequiredListSize);
}
if (ERROR_SUCCESS == status)
{
GuidCount = GuidListSize / sizeof(GUID);
// For each registered provider on the computer, get information
// about how it was registered. If a session enabled the
// provider, get information on how the session enabled the provider.
for (USHORT i = 0; i < GuidCount; i++)
{
StringFromGUID2(pGuids[i], ProviderGuid, sizeof(ProviderGuid)),
wprintf(L"Provider: %s\n", ProviderGuid);
status = GetProviderInfo(pGuids[i], pInfo);
if (ERROR_SUCCESS == status)
{
pInstance = (PTRACE_PROVIDER_INSTANCE_INFO)((PBYTE)pInfo + sizeof(TRACE_GUID_INFO));
if (pInfo->InstanceCount > 1)
{
wprintf(L"There are %d providers that use the same GUID.\n", pInfo->InstanceCount);
}
for (DWORD j = 0; j < pInfo->InstanceCount; j++)
{
wprintf(L"\tThe PID of the process that registered the provider is %lu.\n", pInstance->Pid);
if ((pInstance->Flags & TRACE_PROVIDER_FLAG_PRE_ENABLE) == TRACE_PROVIDER_FLAG_PRE_ENABLE)
{
wprintf(L"\tThe provider is not registered; however, one or more sessions have enabled the provider.\n");
}
else
{
if ((pInstance->Flags & TRACE_PROVIDER_FLAG_LEGACY) == TRACE_PROVIDER_FLAG_LEGACY)
{
wprintf(L"\tThe provider used RegisterTraceGuids to register itself.\n");
}
else
{
wprintf(L"\tThe provider used EventRegister to register itself.\n");
}
}
if (pInstance->EnableCount > 0)
{
wprintf(L"\tThe provider is enabled to the following sessions.\n");
pEnable = (PTRACE_ENABLE_INFO)((PBYTE)pInstance + sizeof(TRACE_PROVIDER_INSTANCE_INFO));
for (DWORD k = 0; k < pInstance->EnableCount; k++)
{
wprintf(L"\t\tSession Id: %hu\n", pEnable->LoggerId);
wprintf(L"\t\tLevel used to enable the provider: %hu\n", pEnable->Level);
wprintf(L"\t\tMatchAnyKeyword value used to enable the provider: %I64u\n", pEnable->MatchAnyKeyword);
wprintf(L"\t\tMatchAllKeyword value used to enable the provider: %I64u\n", pEnable->MatchAllKeyword);
if (pEnable->EnableProperty > 0)
{
wprintf(L"\t\tThe session requested that the following information be included with each event:\n");
if ((pEnable->EnableProperty & EVENT_ENABLE_PROPERTY_SID) == EVENT_ENABLE_PROPERTY_SID)
{
wprintf(L"\t\t\tThe SID of the user that logged the event\n");
}
if ((pEnable->EnableProperty & EVENT_ENABLE_PROPERTY_TS_ID) == EVENT_ENABLE_PROPERTY_TS_ID)
{
wprintf(L"\t\t\tThe terminal session ID\n");
}
}
pEnable++;
wprintf(L"\n");
}
}
pInstance = (PTRACE_PROVIDER_INSTANCE_INFO)((PBYTE)pInstance + pInstance->NextOffset);
wprintf(L"\n");
}
wprintf(L"\n");
}
else
{
wprintf(L"Error retrieving provider info (%lu)\n\n", status);
}
}
wprintf(L"\nRegistered provider count is %lu.\n", GuidCount);
}
else
{
wprintf(L"EnumerateTraceGuidsEx(TraceGuidQueryList) failed with %lu.\n", status);
goto cleanup;
}
cleanup:
if (pGuids)
{
free(pGuids);
pGuids = NULL;
}
if (pInfo)
{
free(pInfo);
pInfo = NULL;
}
}
// Get information about the specified provider.
DWORD GetProviderInfo(GUID ProviderGuid, PTRACE_GUID_INFO & pInfo)
{
ULONG status = ERROR_SUCCESS;
PTRACE_GUID_INFO pTemp = NULL;
DWORD InfoListSize = 0;
DWORD RequiredListSize = 0;
status = EnumerateTraceGuidsEx(TraceGuidQueryInfo, &ProviderGuid, sizeof(GUID), pInfo, InfoListSize, &RequiredListSize);
while (ERROR_INSUFFICIENT_BUFFER == status)
{
pTemp = (PTRACE_GUID_INFO) realloc(pInfo, RequiredListSize);
if (NULL == pTemp)
{
wprintf(L"Error allocating memory for provider info.\n");
goto cleanup;
}
pInfo = pTemp;
pTemp = NULL;
InfoListSize = RequiredListSize;
ZeroMemory(pInfo, InfoListSize);
status = EnumerateTraceGuidsEx(TraceGuidQueryInfo, &ProviderGuid, sizeof(GUID), pInfo, InfoListSize, &RequiredListSize);
}
if (ERROR_SUCCESS != status)
{
wprintf(L"EnumerateTraceGuidsEx(TraceGuidQueryInfo) failed with %lu.\n", status);
}
cleanup:
return status;
}
View Code
二、关闭ETW
2.1 StopTrace
status = StopTraceW(SessionHandle, LOGSESSION_NAME, pSessionProperties);
if (ERROR_SUCCESS != status)
{
wprintf(L"StopTraceW(stop) failed with %lu\n", status);
}
2.2 ControlTrace传入EVENT_TRACE_CONTROL_STOP
实际StopTrace就是调用ControlTrace传入EVENT_TRACE_CONTROL_STOP来实现的
status = ControlTraceW(SessionHandle, LOGSESSION_NAME, pSessionProperties, EVENT_TRACE_CONTROL_STOP);
if (ERROR_SUCCESS != status)
{
wprintf(L"ControlTrace(stop) failed with %lu\n", status);
}
2.3 EnableTraceEx2传入EVENT_CONTROL_CODE_DISABLE_PROVIDER
status = EnableTraceEx2(
SessionHandle,
(LPCGUID)&__KernelNetworkGuid,
EVENT_CONTROL_CODE_DISABLE_PROVIDER,
TRACE_LEVEL_INFORMATION,
0,
0,
0,
NULL
);