I have been able to use logman with some success to dump some kernel traces. However, I'd like to be able to programatically enable real-time consumption of kernel events (mainly thread/process creation/deletion and file I/O) in my application. What is the best approach to this task?
问题:
回答1:
You enable kernel events in StartTrace. In the EVENT_TRACE_PROPERTIES you pass to StartTrace, EnableFlags contains various flags for the different kernel event providers. Set LogFileMode in EVENT_TRACE_PROPERTIES to EVENT_TRACE_REAL_TIME_MODE to be a real-time consumer. You can then consume the events using ProcessTrace.
回答2:
Note that StartTrace may fail with ERROR_ALREADY_EXISTS, at which point if you need to change the session properties you'll want to use ControlTrace. Also note that you'll have to run your program 'as Administrator' if you have UAC enabled; and that if you're debugging you'll need to run Visual Studio 'as Administrator' as well. Your program will also need to have its manifest (if you have one) set to 'as Administrator' for privileges.
If you search on MSDN for OpenTrace, ProcessTrace, and StartTrace you'll find links to various examples that will give you what you want.