一、枚举ETW
EnumerateTraceGuidsEx 来枚举Providers 的注册者的相关ETW的注册信息
#include <windows.h> #include <stdio.h> #include <evntcons.h> DWORD GetProviderInfo(GUID ProviderGuid, PTRACE_GUID_INFO & pInfo); void wmain(void) { ULONG status = ERROR_SUCCESS; GUID *pTemp = NULL; GUID *pGuids = NULL; DWORD GuidListSize = 0; DWORD GuidCount = 0; DWORD RequiredListSize = 0; WCHAR ProviderGuid[50]; PTRACE_GUID_INFO pInfo = NULL; PTRACE_PROVIDER_INSTANCE_INFO pInstance = NULL; PTRACE_ENABLE_INFO pEnable = NULL; // Get the required buffer size for the query. status = EnumerateTraceGuidsEx(TraceGuidQueryList, NULL, 0, pGuids, GuidListSize, &RequiredListSize); // The number of registered providers could change between the // time you called to get the buffer size and the time you called // to get the actual data, so call EnumerateTraceGuidsEx in a loop // until you no longer get ERROR_INSUFFICIENT_BUFFER. while (ERROR_INSUFFICIENT_BUFFER == status) { pTemp = (GUID *) realloc(pGuids, RequiredListSize); if (NULL == pTemp) { wprintf(L"Error allocating memory for list of provider GUIDs.\n"); goto cleanup; } pGuids = pTemp; pTemp = NULL; GuidListSize = RequiredListSize; ZeroMemory(pGuids, GuidListSize); status = EnumerateTraceGuidsEx(TraceGuidQueryList, NULL, 0, pGuids, GuidListSize, &RequiredListSize); } if (ERROR_SUCCESS == status) { GuidCount = GuidListSize / sizeof(GUID); // For each registered provider on the computer, get information // about how it was registered. If a session enabled the // provider, get information on how the session enabled the provider. for (USHORT i = 0; i < GuidCount; i++) { StringFromGUID2(pGuids[i], ProviderGuid, sizeof(ProviderGuid)), wprintf(L"Provider: %s\n", ProviderGuid); status = GetProviderInfo(pGuids[i], pInfo); if (ERROR_SUCCESS == status) { pInstance = (PTRACE_PROVIDER_INSTANCE_INFO)((PBYTE)pInfo + sizeof(TRACE_GUID_INFO)); if (pInfo->InstanceCount > 1) { wprintf(L"There are %d providers that use the same GUID.\n", pInfo->InstanceCount); } for (DWORD j = 0; j < pInfo->InstanceCount; j++) { wprintf(L"\tThe PID of the process that registered the provider is %lu.\n", pInstance->Pid); if ((pInstance->Flags & TRACE_PROVIDER_FLAG_PRE_ENABLE) == TRACE_PROVIDER_FLAG_PRE_ENABLE) { wprintf(L"\tThe provider is not registered; however, one or more sessions have enabled the provider.\n"); } else { if ((pInstance->Flags & TRACE_PROVIDER_FLAG_LEGACY) == TRACE_PROVIDER_FLAG_LEGACY) { wprintf(L"\tThe provider used RegisterTraceGuids to register itself.\n"); } else { wprintf(L"\tThe provider used EventRegister to register itself.\n"); } } if (pInstance->EnableCount > 0) { wprintf(L"\tThe provider is enabled to the following sessions.\n"); pEnable = (PTRACE_ENABLE_INFO)((PBYTE)pInstance + sizeof(TRACE_PROVIDER_INSTANCE_INFO)); for (DWORD k = 0; k < pInstance->EnableCount; k++) { wprintf(L"\t\tSession Id: %hu\n", pEnable->LoggerId); wprintf(L"\t\tLevel used to enable the provider: %hu\n", pEnable->Level); wprintf(L"\t\tMatchAnyKeyword value used to enable the provider: %I64u\n", pEnable->MatchAnyKeyword); wprintf(L"\t\tMatchAllKeyword value used to enable the provider: %I64u\n", pEnable->MatchAllKeyword); if (pEnable->EnableProperty > 0) { wprintf(L"\t\tThe session requested that the following information be included with each event:\n"); if ((pEnable->EnableProperty & EVENT_ENABLE_PROPERTY_SID) == EVENT_ENABLE_PROPERTY_SID) { wprintf(L"\t\t\tThe SID of the user that logged the event\n"); } if ((pEnable->EnableProperty & EVENT_ENABLE_PROPERTY_TS_ID) == EVENT_ENABLE_PROPERTY_TS_ID) { wprintf(L"\t\t\tThe terminal session ID\n"); } } pEnable++; wprintf(L"\n"); } } pInstance = (PTRACE_PROVIDER_INSTANCE_INFO)((PBYTE)pInstance + pInstance->NextOffset); wprintf(L"\n"); } wprintf(L"\n"); } else { wprintf(L"Error retrieving provider info (%lu)\n\n", status); } } wprintf(L"\nRegistered provider count is %lu.\n", GuidCount); } else { wprintf(L"EnumerateTraceGuidsEx(TraceGuidQueryList) failed with %lu.\n", status); goto cleanup; } cleanup: if (pGuids) { free(pGuids); pGuids = NULL; } if (pInfo) { free(pInfo); pInfo = NULL; } } // Get information about the specified provider. DWORD GetProviderInfo(GUID ProviderGuid, PTRACE_GUID_INFO & pInfo) { ULONG status = ERROR_SUCCESS; PTRACE_GUID_INFO pTemp = NULL; DWORD InfoListSize = 0; DWORD RequiredListSize = 0; status = EnumerateTraceGuidsEx(TraceGuidQueryInfo, &ProviderGuid, sizeof(GUID), pInfo, InfoListSize, &RequiredListSize); while (ERROR_INSUFFICIENT_BUFFER == status) { pTemp = (PTRACE_GUID_INFO) realloc(pInfo, RequiredListSize); if (NULL == pTemp) { wprintf(L"Error allocating memory for provider info.\n"); goto cleanup; } pInfo = pTemp; pTemp = NULL; InfoListSize = RequiredListSize; ZeroMemory(pInfo, InfoListSize); status = EnumerateTraceGuidsEx(TraceGuidQueryInfo, &ProviderGuid, sizeof(GUID), pInfo, InfoListSize, &RequiredListSize); } if (ERROR_SUCCESS != status) { wprintf(L"EnumerateTraceGuidsEx(TraceGuidQueryInfo) failed with %lu.\n", status); } cleanup: return status; }View Code
二、关闭ETW
2.1 StopTrace
status = StopTraceW(SessionHandle, LOGSESSION_NAME, pSessionProperties); if (ERROR_SUCCESS != status) { wprintf(L"StopTraceW(stop) failed with %lu\n", status); }
2.2 ControlTrace传入EVENT_TRACE_CONTROL_STOP
实际StopTrace就是调用ControlTrace传入EVENT_TRACE_CONTROL_STOP来实现的
status = ControlTraceW(SessionHandle, LOGSESSION_NAME, pSessionProperties, EVENT_TRACE_CONTROL_STOP); if (ERROR_SUCCESS != status) { wprintf(L"ControlTrace(stop) failed with %lu\n", status); }
2.3 EnableTraceEx2传入EVENT_CONTROL_CODE_DISABLE_PROVIDER
status = EnableTraceEx2( SessionHandle, (LPCGUID)&__KernelNetworkGuid, EVENT_CONTROL_CODE_DISABLE_PROVIDER, TRACE_LEVEL_INFORMATION, 0, 0, 0, NULL );