iluxa1810
Reputation: 298
In Event Tracing for Windows (ETW), TraceEventSession don't catch read event from notepad
I use hits filters:
session.EnableKernelProvider(KernelTraceEventParser.Keywords.DiskFileIO |
KernelTraceEventParser.Keywords.FileIOInit |
KernelTraceEventParser.Keywords.FileIO);
I subscribe on DiskIORead and FileIORead events.
If I open the file through notepad, then the event does not occur.
However, if I open the file through notepad ++, then this happens.
UPD:
Full Code:
class Program
{
static void Main(string[] args)
{
using(var session=new TraceEventSession("Test"))
{
session.EnableKernelProvider(KernelTraceEventParser.Keywords.DiskFileIO |
KernelTraceEventParser.Keywords.FileIOInit |
KernelTraceEventParser.Keywords.FileIO);
session.Source.Kernel.FileIORead += Kernel_FileIORead;
session.Source.Kernel.DiskIORead += Kernel_DiskIORead;
session.Source.Process();
}
}
private static void Kernel_FileIORead(Microsoft.Diagnostics.Tracing.Parsers.Kernel.FileIOReadWriteTraceData obj)
{
if (obj.FileName.ToUpper().StartsWith(@"E"))
{
Console.WriteLine("2:" + obj.FileName);
}
}
private static void Kernel_DiskIORead(Microsoft.Diagnostics.Tracing.Parsers.Kernel.DiskIOTraceData obj)
{
if (obj.FileName.ToUpper().StartsWith(@"E"))
{
Console.WriteLine("2:"+obj.FileName);
}
}
}
I use Windows 10.
Upvotes: 2
Views: 1942
Answers (1)
Clint
Reputation: 6499
Add Source for FileIOQueryInfo like this
session.Source.Kernel.FileIOQueryInfo += Kernel_FileIOQuery;
Event Handler
private static void Kernel_FileIOQuery(FileIOInfoTraceData obj)
{
if (obj.FileName.ToUpper().StartsWith(@"E"))
{
Console.WriteLine("queryInfo:" + obj.FileName);
}
}
Note: Issue replicated by partitioning E:\
Tested it by opening a txt file in E:\ via notepad, wordpad.
Tested it by opening a word file in E:\ drive via MSWord
PS
If you want to filter by process then you can use obj.ProcessName == "notepad"
References
Highly Recommend going through this doc from GIT
Upvotes: 2
Related Questions
- Access user data associated with event provided using TraceLoggingWrite
- ETW Logging - TraceEventSession overwrites file
- Microsoft TraceEvent - How to log to the Event Viewer
- ETW not logging events to channel (event log)
- Consuming "Event Tracing for Windows" events
- ETW/Eventsource tracing to file (dump)
- ETW EventSource not logging events on Windows Server
- Reading circular ETW log file with ETWTraceEventSource
- System.Diagnostic.Tracing.EventSource - no events in EventListener
- Why isn't my Event Trace for Windows working?