Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support filter per PID for system traces #51

Open
daladim opened this issue Oct 26, 2022 · 0 comments
Open

Support filter per PID for system traces #51

daladim opened this issue Oct 26, 2022 · 0 comments

Comments

@daladim
Copy link
Collaborator

daladim commented Oct 26, 2022
edited
Loading

EventFilter::ByPids are only effective on kernel mode logger session.

see https://learn.microsoft.com/en-us/windows/win32/api/evntprov/ns-evntprov-event_filter_descriptor:

The PIDs based filter-blob is only valid for a kernel mode logger session because the private logger session runs inside a user-mode process

But this does not work for KernelTraces in ferrisetw. This would be good to support it.

Ideas:

  • Maybe there's a distinction between "a trace run in kernel-mode" and a "System trace"? But is a ferrisetw::KernelTrace one of them in the first place?
  • Maybe that's post-win10 build 20348 anyway? (see https://learn.microsoft.com/en-us/windows/win32/etw/system-providers)
  • Maybe that's not possible at all, and this should be documented in ferrisetw

If this eventually works, this should be added in an integration test
daladim added a commit to daladim/ferrisetw that referenced this issue Nov 7, 2022
@daladim
[doc] Event filters
a552a2a 
* Some filters are not effetive on Win7
* By-PID filters may not work, even for kernel traces
  See n4r1b#51
daladim added a commit to JustRustThings/ferrisetw that referenced this issue Nov 8, 2022
@daladim
[doc] Event filters
d816f2b 
* Some filters are not effetive on Win7
* By-PID filters may not work, even for kernel traces
  See n4r1b#51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@daladim