How to read FileVersionTraceData with TraceProcessor?

I want to try out the new ETW processing library, TraceProcessor. So far I have run into problems mapping the ETW events I know from TraceEvent onto the new library. For example, I want to dump the data from the FileVersionTraceData event using Microsoft.Windows.EventTracing.Processing.All. To do that I need to add some trace.Usexxxxx call; many Use clauses are defined, but they don't tell me which events they actually return. The ETW event I'm after contains the fields

What is the corresponding Use clause, and what is its type name in the new world?

The event is mapped by TraceEvent from the provider KernelTraceControl to FileVersionTraceData, with FileVersion opcode 0x40:

    // Excerpt from TraceEvent's kernel parser: the ImageID task GUID and the
    // KernelTraceControl provider under which the FileVersion event is emitted.
    internal static readonly Guid ImageIDTaskGuid = new Guid(unchecked((int)0xB3E675D7), 0x2554, 0x4f18, 0x83, 0x0B, 0x27, 0x62, 0x73, 0x25, 0x60, 0xDE);
    public static readonly string ProviderName = "KernelTraceControl";
    public static readonly Guid ProviderGuid = new Guid(0x28ad2447, 0x105b, 0x4fe2, 0x95, 0x99, 0xe5, 0x9b, 0x2a, 0xa9, 0xa6, 0x34);

    // Opcode of the FileVersion event within the ImageID task.
    public const int DBGID_LOG_TYPE_FILEVERSION = 0x40;

    // Registers the template that parses ImageID/FileVersion (opcode 0x40) into FileVersionTraceData.
    // `value` is the event handler supplied by the surrounding event accessor in TraceEvent's parser.
    source.RegisterEventTemplate(new FileVersionTraceData(value, 0xFFFF, 0, "ImageID", ImageIDTaskGuid, DBGID_LOG_TYPE_FILEVERSION, "FileVersion", ProviderGuid, ProviderName));

(I'm a developer at Microsoft, and I work on the TraceProcessor library.)

In our documentation (https://aka.ms/TraceProcessing) we have a list of the various trace.Use*() calls and the corresponding data each one gives access to.

I'm not an expert on TraceEvent, but I searched for FileVersionTraceData in their repo, and it seems to me that it maps to the IImage type in the TraceProcessor library. A list of the images loaded into a process's address space during the trace appears on the IProcess type, which is accessible through the trace.UseProcesses() call.

For example, you could do this:

using Microsoft.Windows.EventTracing;
using Microsoft.Windows.EventTracing.Processes;
using System;
using System.Globalization;

class Program
{
    static void Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("Usage: ListImages.exe <trace.etl>");
            return;
        }

        string tracePath = args[0];

        using (ITraceProcessor trace = TraceProcessor.Create(tracePath))
        {
            // Ask for process (and, with it, loaded image) data before processing the trace.
            IPendingResult<IProcessDataSource> pendingProcessData = trace.UseProcesses();

            trace.Process();

            IProcessDataSource processData = pendingProcessData.Result;

            foreach (IProcess process in processData.Processes)
            {
                // Each IImage carries the version-resource data that TraceEvent exposes as FileVersionTraceData.
                foreach (IImage image in process.Images)
                {
                    DataSize ImageSize = image.Size;
                    long TimeDataStamp = image.Timestamp;
                    string OrigFileName = image.OriginalFileName;
                    string FileDescription = image.FileDescription;
                    string FileVersion = image.FileVersion;
                    Version BinFileVersion = image.FileVersionNumber;
                    CultureInfo VerLanguage = image.Locale;
                    string ProductName = image.ProductName;
                    string CompanyName = image.CompanyName;
                    string ProductVersion = image.ProductVersion;
                    string FileId = image.CompatibilityFileId;
                    string ProgramId = image.CompatibilityProgramId;

                    Console.WriteLine($"{process.Id} {OrigFileName} {FileVersion} {CompanyName} {ProductName} size={ImageSize} ts={TimeDataStamp}");
                }
            }
        }
    }
}

I used the field names from your question as the variable names to show the mapping. I don't see BuildTime data, but if I find it I'll reply.
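Building on the answer above, here is an added example (not from the original post or from the TraceProcessor project) that uses the same IImage properties to do the kind of triage a defender would actually run over a trace: flag images whose version resource is empty or whose OriginalFileName disagrees with the file name on disk, both common signs of a renamed or hand-built binary. It assumes the IImage members FileName and Path and the IProcess members Id and ImageName, which are not shown on this page, and the comparison logic itself is mine, not the library's.

```csharp
using Microsoft.Windows.EventTracing;
using Microsoft.Windows.EventTracing.Processes;
using System;
using System.Collections.Generic;

class ImageTriage
{
    // One finding per suspicious image; kept as a plain record so it can be asserted on or serialized.
    public sealed class Finding
    {
        public int ProcessId;
        public string ProcessName;
        public string Path;
        public string Reason;
    }

    // Pure comparison so the rule can be unit-tested without a trace file.
    // Assumption: a PE whose resource OriginalFileName differs from its on-disk name
    // (ignoring case) or that carries no CompanyName/FileVersion deserves a second look.
    public static string Classify(string fileName, string originalFileName, string companyName, string fileVersion)
    {
        if (string.IsNullOrEmpty(companyName) && string.IsNullOrEmpty(fileVersion))
            return "no version resource (CompanyName and FileVersion empty)";

        if (!string.IsNullOrEmpty(originalFileName) &&
            !string.Equals(fileName, originalFileName, StringComparison.OrdinalIgnoreCase))
            return $"on-disk name '{fileName}' differs from OriginalFileName '{originalFileName}'";

        return null; // nothing unusual
    }

    public static List<Finding> Run(string tracePath)
    {
        var findings = new List<Finding>();

        using (ITraceProcessor trace = TraceProcessor.Create(tracePath))
        {
            IPendingResult<IProcessDataSource> pendingProcessData = trace.UseProcesses();
            trace.Process();

            foreach (IProcess process in pendingProcessData.Result.Processes)
            {
                foreach (IImage image in process.Images)
                {
                    // FileName/Path are assumed IImage members (not shown in the answer above).
                    string reason = Classify(image.FileName, image.OriginalFileName, image.CompanyName, image.FileVersion);
                    if (reason == null)
                        continue;

                    findings.Add(new Finding
                    {
                        ProcessId = process.Id,
                        ProcessName = process.ImageName,
                        Path = image.Path,
                        Reason = reason
                    });
                }
            }
        }

        return findings;
    }

    static void Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("Usage: ImageTriage.exe <trace.etl>");
            return;
        }

        foreach (Finding f in Run(args[0]))
            Console.WriteLine($"[{f.ProcessId}] {f.ProcessName}: {f.Path} -> {f.Reason}");
    }
}
```

Classify is deliberately separated from the trace walk so the rule can be exercised with constructed strings; for instance, Classify("svchost.exe", "evil.exe", "Contoso", "1.0") returns a mismatch reason, while Classify("kernel32.dll", "kernel32.dll", "Microsoft Corporation", "10.0") returns null. Treat the output as a worklist, not a verdict: legitimate installers rename binaries too, so confirm with the Authenticode signature or a hash lookup before acting.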