|
|
/*++
Copyright (c) 1997-2000 Microsoft Corporation
Module Name:
callbacks.c
Abstract:
Setting up and handling the callbacks for the events from the trace file.
Author:
Melur Raghuraman (mraghu) 03-Oct-1997
Environment:
Revision History:
Insung Park (insungp) 05-Jan-2001
Updated DumpEvent() so that by default, it searches WBEM namespace for the event data layout information. Functions added/modified: GetArraySize, GetItemType, GetPropertiesFromWBEM, GetGuidsWbem, GetGuidsFile, and GetGuids.
Insung Park (insungp) 16-Jan-2001
Changes enabling tracerpt to handle an invalid type name array in the WBEM namespace. Bug fixes for memory corruption (GetPropertiesFromWBEM and GetGuidsWBEM).
--*/#ifdef __cplusplus
extern "C"{#endif
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include "cpdata.h"
#include <wbemidl.h>
#include "tracectr.h"
#include "item.h"
#include "guids.h"
#define BUFFER_SIZE 64*1024
#define MAX_BUFFER_SIZE 10*1024*1024
#define MOFWSTR 16360
#define MOFSTR 32720
#define MAXTYPE 256
#define MAXGUIDSTR 128
#define UC(x) ( (UINT)((x) & 0xFF) )
#define NTOHS(x) ( (UC(x) * 256) + UC((x) >> 8) )
//
// IRP Flags from ntos\inc\io.h for Io event processing.
//
#define IRP_NOCACHE 0x00000001
#define IRP_PAGING_IO 0x00000002
#define IRP_SYNCHRONOUS_API 0x00000004
#define IRP_ASSOCIATED_IRP 0x00000008
#define IRP_BUFFERED_IO 0x00000010
#define IRP_DEALLOCATE_BUFFER 0x00000020
#define IRP_SYNCHRONOUS_PAGING_IO 0x00000040
#define IRP_CREATE_OPERATION 0x00000080
#define IRP_READ_OPERATION 0x00000100
#define IRP_WRITE_OPERATION 0x00000200
#define IRP_CLOSE_OPERATION 0x00000400
#define IRP_DEFER_IO_COMPLETION 0x00000800
#define IRP_OB_QUERY_NAME 0x00001000
#define IRP_HOLD_DEVICE_QUEUE 0x00002000
int IdleEndCount = 0;ULONG PageFaultCount = 0;ULONG EventCount = 0;
extern PTRACE_CONTEXT_BLOCK TraceContext;extern ULONG TotalBuffersRead;extern BOOLEAN XPorHigher;
ULONG HPFReadCount = 0;ULONG HPFWriteCount = 0;
ULONG TotalEventsLost = 0;ULONG TotalEventCount = 0;ULONG TimerResolution = 10;__int64 ElapseTime;
PCHAR MofData = NULL;size_t MofLength = 0;BOOLEAN fIgnorePerfClock = FALSE;BOOLEAN fRealTimeCircular = FALSE;ULONG PointerSize = 0;
BOOL g_bUserMode = FALSE;
static ULONG NumProc = 0;ULONGLONG BogusThreads[64];ULONG BogusCount=0;ULONG IdleThreadCount=0;BOOLEAN bCaptureBogusThreads=TRUE;
BOOLEAN bIISEvents = FALSE;ULONG IISRequestsDiscarded = 0;ULONG IISEventsDiscarded = 0;
IWbemServices *pWbemServices = NULL;LIST_ENTRY g_ValueMapTable;
void AnsiToUnicode(PCHAR str, PWCHAR wstr);
ULONG ahextoi( WCHAR *s);
ULONG StringToNumber( LPWSTR sz );
PMOF_VERSIONGetGuids( GUID Guid, SHORT nVersion, CHAR nLevel, SHORT nType, BOOL bKernelEvent );
HRESULTWbemConnect( IWbemServices** pWbemServices );
ULONG GetArraySize( IN IWbemQualifierSet *pQualSet );
ITEM_TYPEGetItemType( IN CIMTYPE_ENUMERATION CimType, IN IWbemQualifierSet *pQualSet );
PMOF_VERSIONGetPropertiesFromWBEM( IWbemClassObject *pTraceSubClasses, GUID Guid, SHORT nVersion, CHAR nLevel, SHORT nType, BOOL bKernelEvent );
PMOF_VERSIONGetGuidsWBEM ( GUID Guid, SHORT nVersion, CHAR nLevel, SHORT nType, BOOL bKernelEvent );
PMOF_VERSIONGetGuidsMofFiles( GUID Guid, SHORT nVersion, CHAR nLevel, SHORT nType, BOOL bKernelEvent );
PMOF_VERSIONGetGuidsFile( FILE *f, GUID Guid, SHORT nVersion, CHAR nLevel, SHORT nType, BOOL bKernelEvent );
VOIDEventCallback( PEVENT_TRACE pEvent, PTHREAD_RECORD pThread );
VOIDAddMofInfo( PLIST_ENTRY List, LPWSTR strType, SHORT nType, UINT ArraySize, PVALUEMAP pValueMap);
VOIDUpdateThreadPrintData( PPRINT_JOB_RECORD pJob, PEVENT_TRACE_HEADER pHeader, PTHREAD_RECORD pThread );
VOIDPrintJobCallback( PEVENT_TRACE pEvent );
VOIDUpdateThreadIisData( PHTTP_REQUEST_RECORD pReq, PEVENT_TRACE_HEADER pHeader, PTHREAD_RECORD pThread );
VOIDSumUpCPUTime( PHTTP_REQUEST_RECORD pReq );
VOIDIISEventCallback( PEVENT_TRACE pEvent );
voidWINAPIDumpEvent( PEVENT_TRACE pEvent );
voidDumpMofVersionItem( PMOF_VERSION pMofVersion );
voidDumpMofList();
extern PWCHAR CpdiGuidToString(PWCHAR s, ULONG len, LPGUID piid);
ULONG Interpolate(ULONGLONG timeStart, ULONG deltaStart, ULONGLONG timeEnd, ULONG deltaEnd, ULONGLONG timeMiddle){ return deltaStart + (deltaEnd - deltaStart) * ((ULONG) (timeMiddle - timeStart)) / ((ULONG) (timeEnd - timeStart));}
BOOLEANInTimeWindow( PEVENT_TRACE pEvent, PTHREAD_RECORD pThread ){ PEVENT_TRACE_HEADER pHeader = (PEVENT_TRACE_HEADER) & pEvent->Header; BOOLEAN fResult = (pThread) ? (TRUE) : (FALSE);
if (fResult && fDSOnly) { if ( ((ULONGLONG) pHeader->TimeStamp.QuadPart < DSStartTime) || ((ULONGLONG) pHeader->TimeStamp.QuadPart > DSEndTime)) { fResult = FALSE; } } return fResult;}
VOIDAdjustThreadTime( PEVENT_TRACE pEvent, PTHREAD_RECORD pThread ){ PEVENT_TRACE_HEADER pHeader = (PEVENT_TRACE_HEADER) & pEvent->Header;
if (IsEqualGUID(&pHeader->Guid, &EventTraceGuid)) { return; } else if (!pThread || pThread->DeadFlag) { return; } else if (fDSOnly) { if ( ((ULONGLONG) pHeader->TimeStamp.QuadPart >= DSStartTime) && ((ULONGLONG) pHeader->TimeStamp.QuadPart <= DSEndTime)) { if (pThread->TimeStart < DSStartTime) { pThread->TimeStart = DSStartTime; pThread->KCPUStart = Interpolate( pThread->TimeEnd, pThread->KCPUStart, pHeader->TimeStamp.QuadPart, pHeader->KernelTime, DSStartTime); pThread->UCPUStart = Interpolate( pThread->TimeEnd, pThread->UCPUStart, pHeader->TimeStamp.QuadPart, pHeader->UserTime, DSStartTime); }
pThread->KCPUEnd = pHeader->KernelTime; pThread->UCPUEnd = pHeader->UserTime; pThread->TimeEnd = (ULONGLONG)pHeader->TimeStamp.QuadPart; } else if ((ULONGLONG) pHeader->TimeStamp.QuadPart < DSStartTime) { pThread->TimeStart = pThread->TimeEnd = (ULONGLONG) pHeader->TimeStamp.QuadPart; pThread->KCPUStart = pThread->KCPUEnd = pHeader->KernelTime; pThread->UCPUStart = pThread->UCPUEnd = pHeader->UserTime; } else if ((ULONGLONG) pHeader->TimeStamp.QuadPart > DSEndTime) { if (pThread->TimeEnd < DSEndTime) { if (pThread->TimeEnd < DSStartTime) { pThread->KCPUStart = Interpolate( pThread->TimeEnd, pThread->KCPUStart, pHeader->TimeStamp.QuadPart, pHeader->KernelTime, DSStartTime); pThread->UCPUStart = Interpolate( pThread->TimeEnd, pThread->UCPUStart, pHeader->TimeStamp.QuadPart, pHeader->UserTime, DSStartTime); pThread->TimeStart = DSStartTime; } pThread->KCPUEnd = Interpolate( pThread->TimeEnd, pThread->KCPUEnd, pHeader->TimeStamp.QuadPart, pHeader->KernelTime, DSEndTime); pThread->UCPUEnd = Interpolate( pThread->TimeEnd, pThread->UCPUEnd, pHeader->TimeStamp.QuadPart, pHeader->UserTime, DSEndTime); pThread->TimeEnd = DSEndTime; } } } else { pThread->TimeEnd = pHeader->TimeStamp.QuadPart; if (pThread->KCPUEnd <= pHeader->KernelTime) pThread->KCPUEnd = pHeader->KernelTime; if (pThread->UCPUEnd <= pHeader->UserTime) pThread->UCPUEnd = pHeader->UserTime; }}
//
// This routine allocates a new MOF_VERSION entry for
// the given type, version and Level.
//
PMOF_VERSIONGetNewMofVersion( SHORT nType, SHORT nVersion, CHAR nLevel ){ PMOF_VERSION pMofVersion = NULL;
pMofVersion = (PMOF_VERSION)malloc(sizeof(MOF_VERSION));
if( NULL == pMofVersion ){ return NULL; }
RtlZeroMemory(pMofVersion, sizeof(MOF_VERSION));
InitializeListHead(&pMofVersion->ItemHeader); pMofVersion->TypeIndex = nType; pMofVersion->Level = nLevel; pMofVersion->Version = nVersion;
return pMofVersion;}
static void reduceA(char *Src){ char *Start = Src; if (!Src) return; while (*Src) { if ('\t' == *Src) *Src = ' '; else if (',' == *Src) *Src = ' '; else if ('\n' == *Src) *Src = ','; else if ('\r' == *Src) *Src = ' '; ++Src; } --Src; while ((Start < Src) && ((' ' == *Src) || (',' == *Src))) { *Src = 0x00; --Src; }}
static void reduceW(WCHAR *Src){ WCHAR *Start = Src; if (!Src) return; while (*Src) { if (L'\t' == *Src) *Src = L' '; else if (L',' == *Src) *Src = L' '; else if (L'\n' == *Src) *Src = L','; else if (L'\r' == *Src) *Src = L' '; ++Src; } --Src; while ((Start < Src) && ((L' ' == *Src) || (L',' == *Src))) { *Src = 0x00; --Src; }}
static void replaceNLW(WCHAR *Src){ WCHAR *Start = Src; if (!Src) return; while (*Src) { if (L'\n' == *Src) *Src = L' '; else if (L'\r' == *Src) *Src = L' '; ++Src; } --Src; while ((Start < Src) && (L' ' == *Src)) { *Src = 0x00; --Src; }}
//
// Given a GUID, return a MOF_INFO
//
PMOF_INFOGetMofInfoHead( LPCGUID pGuid ){ PLIST_ENTRY Head, Next; PMOF_INFO pMofInfo; PLIST_ENTRY EventListHead;
if (pGuid == NULL) return NULL;
// Search the eventList for this Guid and find the head
//
//
// Traverse the list and look for the Mof info head for this Guid.
EventListHead = &CurrentSystem.EventListHead; Head = EventListHead; Next = Head->Flink;
while (Head != Next) { pMofInfo = CONTAINING_RECORD(Next, MOF_INFO, Entry); if (IsEqualGUID(&pMofInfo->Guid, pGuid)) { return pMofInfo; } Next = Next->Flink; }
//
// If not found, add a new entry for this GUID
//
pMofInfo = (PMOF_INFO)malloc(sizeof(MOF_INFO)); if (pMofInfo == NULL) { return NULL; } RtlZeroMemory (pMofInfo, sizeof(MOF_INFO)); pMofInfo->Guid = *pGuid; InitializeListHead(&pMofInfo->VersionHeader); InitializeListHead(&pMofInfo->DataListHead);
InsertTailList(EventListHead, &pMofInfo->Entry); return pMofInfo;}
//
// Locate the mof version information for the given guid
//
PMOF_VERSIONGetMofVersion( PMOF_INFO pMofInfo, SHORT nType, SHORT nVersion, CHAR nLevel
){ PLIST_ENTRY Head, Next; SHORT nMatchLevel = 0; SHORT nMatchCheck = 0; PMOF_VERSION pMofVersion = NULL; PMOF_VERSION pBestMatch = NULL;
if (pMofInfo == NULL) return NULL; //
// Traverse the list and look for the Mof info head for this Guid.
Head = &pMofInfo->VersionHeader; Next = Head->Flink;
while (Head != Next) {
nMatchCheck = 0; pMofVersion = CONTAINING_RECORD(Next, MOF_VERSION, Entry); Next = Next->Flink;
if( pMofVersion->TypeIndex == nType ){ nMatchCheck++; } if( pMofVersion->Level == nLevel ){ nMatchCheck++; } if( pMofVersion->Version == nVersion ){ nMatchCheck++; }
if( nMatchCheck == 3 ){ // Exact Match
return pMofVersion; }
if( nMatchCheck > nMatchLevel ){ // Close Match
nMatchLevel = nMatchCheck; pBestMatch = pMofVersion; }
if( pMofVersion->TypeIndex == EVENT_TYPE_DEFAULT && // Total Guess
pBestMatch == NULL ){
pBestMatch = pMofVersion; }
}
if (pBestMatch != NULL) { return pBestMatch; } //
// If One does not exist, look it up.
//
pMofVersion = GetGuids( pMofInfo->Guid, nVersion, nLevel, nType, 0 );
// If still not found, create a unknown place holder
if( NULL == pMofVersion ){ pMofVersion = GetNewMofVersion( nType, nVersion, nLevel ); if( pMofVersion != NULL ){ InsertTailList( &pMofInfo->VersionHeader, &pMofVersion->Entry ); if (nType == EVENT_TRACE_TYPE_INFO) { LPWSTR szHeader = L"Header"; pMofVersion->strType = (PWCHAR)malloc((lstrlenW(szHeader)+1)*sizeof(WCHAR)); if( pMofVersion->strType != NULL ){ StringCchCopyW( pMofVersion->strType, lstrlenW(szHeader)+1, szHeader); } } } }
return pMofVersion;}
//
// This routine adds a ITEM_DESC entry to all the MOF_VERSION
// structures in the List
//
VOIDAddMofInfo( PLIST_ENTRY List, LPWSTR strType, SHORT nType, UINT ArraySize, PVALUEMAP pValueMap ){ PITEM_DESC pItem; PMOF_VERSION pMofVersion;
PLIST_ENTRY Head = List; PLIST_ENTRY Next = Head->Flink;
//
// Traverse through the list of MOF_VERSIONS
//
while (Head != Next) { pMofVersion = CONTAINING_RECORD(Next, MOF_VERSION, Entry); Next = Next->Flink;
if( NULL != pMofVersion ){
//
// ALLOCATE a new ITEM_DESC for the given type
//
pItem = (PITEM_DESC) malloc(sizeof(ITEM_DESC)); if( NULL == pItem ){ return; } ZeroMemory( pItem, sizeof(ITEM_DESC) ); pItem->ItemType = (ITEM_TYPE)nType; pItem->ArraySize = ArraySize;
// All standard datatypes with fixed sizes will be filled here.
switch (nType) { case ItemChar : case ItemUChar : pItem->DataSize = sizeof (char); break; case ItemCharHidden : pItem->DataSize = sizeof (char); break; case ItemBool : pItem->DataSize = sizeof (BOOL); break; case ItemWChar : pItem->DataSize = sizeof (WCHAR); break; case ItemShort : case ItemPort : case ItemUShort : pItem->DataSize = sizeof (short); break; case ItemSizeT : case ItemPtr : pItem->DataSize = PointerSize / 8; break; // BUG when two files (Win64 & Win32) are used.
case ItemLong : case ItemIPAddr : case ItemCPUTime : case ItemULong : case ItemULongX : pItem->DataSize = sizeof (ULONG); break; case ItemGuid : pItem->DataSize = sizeof(GUID); break; case ItemLongLong : case ItemULongLong : pItem->DataSize = sizeof (__int64); break; case ItemChar4 : pItem->DataSize = sizeof(char) * 4; break; // This is the maximum size for TDI address.
case ItemTDIAddr : pItem->DataSize = sizeof(USHORT) + sizeof(TDI_ADDRESS_IP6); break; case ItemOptArgs : default : pItem->DataSize = 0; }
pItem->strDescription = (PWCHAR) malloc((lstrlenW(strType)+1)*sizeof(WCHAR)); if( NULL == pItem->strDescription ){ free( pItem ); return; } StringCchCopyW(pItem->strDescription, lstrlenW(strType)+1, strType);
if( NULL != pValueMap ){ pItem->pValueMap = pValueMap; /*
if( NULL == pItem->pValueMap ){ free( pItem->strDescription ); free( pItem ); return; }
pItem->pValueMap->dwValueType = pValueMap->dwValueType; SafeArrayCopy( pValueMap->saValueMap, &pItem->pValueMap->saValueMap ); SafeArrayCopy( pValueMap->saValues, &pItem->pValueMap->saValues ); */ }
//
// Insert the new entry into the ItemHeader list for
// this Version, Type, Level combination
//
InsertTailList( &(pMofVersion->ItemHeader), &pItem->Entry); } }}
VOIDDeclareKernelEvents(){ PMOF_VERSION pMofVersion;
pMofVersion = GetGuids(FileIoGuid, EVENT_TYPE_DEFAULT, EVENT_VERSION_DEFAULT, EVENT_LEVEL_DEFAULT, TRUE); pMofVersion = GetGuids(DiskIoGuid, EVENT_TYPE_DEFAULT, EVENT_VERSION_DEFAULT, EVENT_LEVEL_DEFAULT, TRUE); pMofVersion = GetGuids(PageFaultGuid, EVENT_TYPE_DEFAULT, EVENT_VERSION_DEFAULT, EVENT_LEVEL_DEFAULT, TRUE); pMofVersion = GetGuids(ProcessGuid, EVENT_TYPE_DEFAULT, EVENT_VERSION_DEFAULT, EVENT_LEVEL_DEFAULT, TRUE); pMofVersion = GetGuids(ImageLoadGuid, EVENT_TYPE_DEFAULT, EVENT_VERSION_DEFAULT, EVENT_LEVEL_DEFAULT, TRUE); pMofVersion = GetGuids(ThreadGuid, EVENT_TYPE_DEFAULT, EVENT_VERSION_DEFAULT, EVENT_LEVEL_DEFAULT, TRUE); pMofVersion = GetGuids(TcpIpGuid, EVENT_TYPE_DEFAULT, EVENT_VERSION_DEFAULT, EVENT_LEVEL_DEFAULT, TRUE); pMofVersion = GetGuids(UdpIpGuid, EVENT_TYPE_DEFAULT, EVENT_VERSION_DEFAULT, EVENT_LEVEL_DEFAULT, TRUE); pMofVersion = GetGuids(EventTraceConfigGuid, EVENT_TYPE_DEFAULT, EVENT_VERSION_DEFAULT, EVENT_LEVEL_DEFAULT, TRUE); pMofVersion = GetGuids(RegistryGuid, EVENT_TYPE_DEFAULT, EVENT_VERSION_DEFAULT, EVENT_LEVEL_DEFAULT, TRUE); pMofVersion = GetGuids(EventTraceGuid, 0, 0, EVENT_TRACE_TYPE_INFO, TRUE);
}
VOIDLogHeaderCallback( PEVENT_TRACE pEvent ){ PEVENT_TRACE_HEADER pHeader; ULONG BuildNumber; PPROCESS_FILE_RECORD pFileRec; PTRACE_LOGFILE_HEADER pEvmInfo; ULONGLONG HeaderStartTime = 0;
if (pEvent == NULL) { return; } pHeader = (PEVENT_TRACE_HEADER)&pEvent->Header;
if ( (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_GUIDMAP) || (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_EXTENSION) ) { return; }
pEvmInfo = (PTRACE_LOGFILE_HEADER) pEvent->MofData; BuildNumber = pEvmInfo->ProviderVersion; BuildNumber &= (0xFAFFFFFF); CurrentSystem.BuildNumber = BuildNumber;
CurrentSystem.TimerResolution = pEvmInfo->TimerResolution / 10000; CurrentSystem.NumberOfProcessors = pEvmInfo->NumberOfProcessors; CurrentSystem.CpuSpeed = pEvmInfo->CpuSpeedInMHz;
g_bUserMode = (pEvmInfo->LogFileMode & EVENT_TRACE_PRIVATE_LOGGER_MODE); if(pEvmInfo->TimerResolution > 0){ TimerResolution = pEvmInfo->TimerResolution / 10000; } TotalEventsLost += pEvmInfo->EventsLost;
//
// If Multiple files are given, use the values from the first file.
//
if (NumProc == 0) { NumProc = pEvmInfo->NumberOfProcessors; RtlZeroMemory(&BogusThreads, 64*sizeof(ULONG)); }
if (PointerSize < pEvmInfo->PointerSize * 8) { // We have multiple files with different pointer size. We cannot
// resolve this because event callback has no pointersize or origin
// file information.
// For now, we will assume that a larger pointer size. This needs to
// be fixed in longhorn.
PointerSize = pEvmInfo->PointerSize * 8; } if (PointerSize < 16){ // minimum is 16 bits
PointerSize = 32; // defaults = 32 bits
}
// When we pick up names and start time from individual files here, we don't use
// global pointersize for the reason mentioned above.
if (pEvmInfo->PointerSize == 4 && sizeof(PVOID) == 8) { RtlCopyMemory(&HeaderStartTime, ((PUCHAR)(&(pEvmInfo->StartTime)) - 8), sizeof(ULONGLONG)); } else if (pEvmInfo->PointerSize == 8 && sizeof(PVOID) == 4) { RtlCopyMemory(&HeaderStartTime, ((PUCHAR)(&(pEvmInfo->StartTime)) + 8), sizeof(ULONGLONG)); } else { HeaderStartTime = (ULONGLONG)(pEvmInfo->StartTime.QuadPart); } //
// With Multiple LogFiles always take the largest time window
//
if ((CurrentSystem.StartTime == (ULONGLONG)0) || (CurrentSystem.StartTime > HeaderStartTime)) { CurrentSystem.StartTime = HeaderStartTime; }
if (DSStartTime == 0) { DSStartTime = CurrentSystem.StartTime; } if (fDSOnly && CurrentSystem.StartTime < DSStartTime) { CurrentSystem.StartTime = DSStartTime; }
if ((CurrentSystem.EndTime == (ULONGLONG)0) || (CurrentSystem.EndTime < (ULONGLONG)pEvmInfo->EndTime.QuadPart)) { CurrentSystem.EndTime = pEvmInfo->EndTime.QuadPart; } if (!(CurrentSystem.fNoEndTime)) { CurrentSystem.fNoEndTime = ((ULONGLONG)pEvmInfo->EndTime.QuadPart == 0); }
if (DSEndTime == 0) { DSEndTime = CurrentSystem.EndTime; } if (fDSOnly && CurrentSystem.EndTime > DSEndTime) { CurrentSystem.EndTime = DSEndTime; }
if (TraceContext->Flags & TRACE_REDUCE) { pFileRec = (PPROCESS_FILE_RECORD)malloc(sizeof(PROCESS_FILE_RECORD)); if( pFileRec != NULL ){ // Temporary... WMI Should dereference ->LogFileName
LPWSTR pName = (LPWSTR)pEvmInfo; if (pEvmInfo->PointerSize == 4 && sizeof(PVOID) == 8) { pName = (LPWSTR)((PCHAR)pName + sizeof( TRACE_LOGFILE_HEADER ) - 8); } else if (pEvmInfo->PointerSize == 8 && sizeof(PVOID) == 4) { pName = (LPWSTR)((PCHAR)pName + sizeof( TRACE_LOGFILE_HEADER ) + 8); } else { pName = (LPWSTR)((PCHAR)pName + sizeof( TRACE_LOGFILE_HEADER )); } pFileRec->TraceName = (LPWSTR)malloc( ( lstrlenW(pName)+1 )*sizeof(WCHAR) ); if( pFileRec->TraceName != NULL ){ StringCchCopyW( pFileRec->TraceName, lstrlenW(pName)+1, pName ); }
pName += lstrlenW( pName ) + 1; pFileRec->FileName = (LPWSTR)malloc( ( lstrlenW(pName)+1 )*sizeof(WCHAR) ); if( pFileRec->FileName != NULL ){ StringCchCopyW( pFileRec->FileName, lstrlenW(pName)+1, pName ); } pFileRec->StartTime = HeaderStartTime; pFileRec->EndTime = pEvmInfo->EndTime.QuadPart; InsertTailList( &CurrentSystem.ProcessFileListHead, &pFileRec->Entry ); } }}
VOIDIoWriteCallback( PEVENT_TRACE pEvent, PTHREAD_RECORD pThread ){ PEVENT_TRACE_HEADER pHeader = (PEVENT_TRACE_HEADER)&pEvent->Header; ULONG DiskNumber= 0; ULONG BytesWrite=0; PTDISK_RECORD Disk; PPROCESS_RECORD pProcess, pDiskProcess; PPROTO_PROCESS_RECORD pProto; PFILE_OBJECT fileObj; PFILE_RECORD pProcFile; PVOID fDO = NULL; ULONG IrpFlags = 0; LONGLONG ByteOffset = 0; ULONG pFlag = FALSE; BOOLEAN fValidWrite = (BOOLEAN) (!fDSOnly || ( ((ULONGLONG) pHeader->TimeStamp.QuadPart >= DSStartTime) && ((ULONGLONG) pHeader->TimeStamp.QuadPart <= DSEndTime)));
GetMofData(pEvent, L"DiskNumber", &DiskNumber, sizeof(ULONG)); GetMofData(pEvent, L"IrpFlags", &IrpFlags, sizeof(ULONG)); GetMofData(pEvent, L"TransferSize", &BytesWrite, sizeof(ULONG)); GetMofData(pEvent, L"FileObject", &fDO, sizeof(ULONG)); GetMofData(pEvent, L"ByteOffset", &ByteOffset, sizeof(LONGLONG));
if (((IrpFlags & IRP_PAGING_IO) != 0) || ((IrpFlags & IRP_SYNCHRONOUS_PAGING_IO) != 0)) { pFlag = TRUE; }
if ((Disk = FindGlobalDiskById(DiskNumber)) == NULL) { if ( !AddDisk(DiskNumber, &Disk) ) { return; } } BytesWrite /= 1024; // Convert to Kbytes.
if (fValidWrite) { Disk->WriteCount++; Disk->WriteSize += BytesWrite; }
if (pThread == NULL) {
//
// Logger Thread Creation is MISSED by the collector.
// So we must handle it here.
//
if (AddThread( pHeader->ThreadId, pEvent, &pThread )) {
/*
#if DBG
DbgPrint("WARNING(%d): Thread %x added to charge IO Write event.\n", EventCount, pHeader->ThreadId);#endif
*/ pThread->pProcess = FindProcessById(0, TRUE); // Charge it the system ???
pThread->TimeStart = pHeader->TimeStamp.QuadPart; pThread->fOrphan = TRUE; //
// Note: All ThreadStart record at the start of data collection
// have the same TID in the header and in the Aux Fields.
// Real ThreadStart events will have the Parent threadId in the
// header and the new ThreadId in the Aux Field.
//
pThread->KCPUStart = pHeader->KernelTime; pThread->UCPUStart = pHeader->UserTime; AdjustThreadTime(pEvent, pThread); } else {/*
#if DBG
DbgPrint("FATBUG(%d): Cannot add thread %x for IO Write Event.\n", EventCount, pHeader->ThreadId);#endif
*/ return; } }/*
#if DBG
else if (pThread->fOrphan) { DbgPrint("INFO(%d): IO Write Event Thread %x Is Still Orphan.\n", EventCount, pHeader->ThreadId); } else if (pThread->DeadFlag) { DbgPrint("INFO(%d): IO Write Event Thread %x Is Already Dead.\n", EventCount, pHeader->ThreadId); }#endif
*/ if (fValidWrite) { if (pThread->pMofData != NULL) { ((PMOF_DATA)pThread->pMofData)->WriteCount++; } pThread->WriteIO++; pThread->WriteIOSize += BytesWrite; }
// 2. Disk->Process
//
pDiskProcess = FindDiskProcessById(Disk, pThread->pProcess->PID); if (fValidWrite && pDiskProcess != NULL) { if (pFlag) { pDiskProcess->HPF++; pDiskProcess->HPFSize += BytesWrite; } else { pDiskProcess->WriteIO++; pDiskProcess->WriteIOSize += BytesWrite; } }
// Add the I/O to the process that owns the causing thread.
//
pProcess = pThread->pProcess; if (fValidWrite && (pProcess != NULL ) ) { pProcess->WriteIO++; pProcess->WriteIOSize += BytesWrite; Disk = FindProcessDiskById(pProcess, DiskNumber); if (Disk != NULL) {
Disk->WriteCount++; Disk->WriteSize += BytesWrite; } }
//
// Thread Local Disk.
//
Disk = FindLocalDiskById(&pThread->DiskListHead, DiskNumber); if (fValidWrite && Disk != NULL) { Disk->WriteCount++; Disk->WriteSize += BytesWrite; }
//
// Now add this I/O the file it came from
//
if (fValidWrite) { fileObj = FindFileInTable(fDO); if (fileObj == NULL) { return; } fileObj->ThreadId = pEvent->Header.ThreadId; fileObj->LastByteOffset = ByteOffset; fileObj->DiskNumber = DiskNumber; if (fileObj->fileRec != NULL) { fileObj->fileRec->WriteCount++; fileObj->fileRec->WriteSize += BytesWrite;
pProcFile = FindFileInProcess(pProcess, fileObj->fileRec->FileName); if (pProcFile != NULL) { pProcFile->WriteCount++; pProcFile->WriteSize += BytesWrite; } pProto = FindProtoProcessRecord(fileObj->fileRec, pProcess); if (pProto != NULL) { pProto->WriteCount++; pProto->WriteSize += BytesWrite; } } else { // APC has not happened yet. So Make a copy of the pEvent.
// and Insert it in EventListHead;
AddEvent(fileObj, DiskNumber, BytesWrite, FALSE); } }
if (pFlag || (IrpFlags & IRP_ASSOCIATED_IRP) != 0) { PHPF_FILE_RECORD pHPFFileRecord = NULL;
HPFWriteCount ++; if ( fValidWrite && AddHPFFileRecord(& pHPFFileRecord, HPFWriteCount, IrpFlags, DiskNumber, ByteOffset, BytesWrite, fDO)) { EnterTracelibCritSection(); InsertHeadList(& pThread->HPFWriteListHead, & pHPFFileRecord->Entry); LeaveTracelibCritSection(); } }}
VOIDPsStartCallback( PEVENT_TRACE pEvent ){ PEVENT_TRACE_HEADER pHeader; ULONG ProcessId=0; ULONG ReadId = 0; PPROCESS_RECORD pProcess; PCHAR ImageName; ULONG returnLength, requiredLength; CHAR UserName[64]; CHAR Domain[64]; CHAR FullName[256]; ULONG RetLength; DWORD asize = 0; DWORD bsize = 0; ULONG Sid[64]; PULONG pSid = &Sid[0]; SID_NAME_USE Se;
if (pEvent == NULL) return; pHeader = (PEVENT_TRACE_HEADER)&pEvent->Header;
RetLength = GetMofData(pEvent, L"ProcessId", &ReadId, sizeof(ULONG));// if (RetLength == 0) {
// return;
// }
ProcessId = ReadId; pProcess = FindProcessById(ProcessId, FALSE); // if real thread events get fired first before process start,
// we may already have Process structure created.
if ( pProcess == NULL ) { AddProcess(ProcessId, &pProcess); } else { if ( pProcess->ImageName != NULL ) { free(pProcess->ImageName); pProcess->ImageName = NULL; } if ( pProcess->UserName != NULL ) { free(pProcess->UserName); pProcess->UserName = NULL; } } if ( pProcess != NULL ) { //
// If the Data Collection Start Time and the Process Start Time
// match, then the PsStart was created by the ProcessRunDown
// Code. So Keep the CPU Times to compute the difference at the
// end. Otherwise, zero the starting CPU Times.
//
pProcess->PID = ProcessId; // try with 16 bytes for image name first.
ImageName = (PCHAR)malloc(16 * sizeof(CHAR)); if (ImageName == NULL) { return; } RtlZeroMemory(ImageName, 16 * sizeof(CHAR)); returnLength = 16 * sizeof(CHAR); requiredLength = GetMofData(pEvent, L"ImageFileName", ImageName, returnLength); if (requiredLength > returnLength) { free(ImageName); ImageName = (PCHAR)malloc(requiredLength); if (ImageName == NULL) { return; } RtlZeroMemory(ImageName, requiredLength); GetMofData(pEvent, L"ImageFileName", ImageName, requiredLength); }
asize = lstrlenA(ImageName); if (asize > 0) { pProcess->ImageName = (LPWSTR)malloc((asize + 1) * sizeof(WCHAR)); if (pProcess->ImageName == NULL) { free(ImageName); return; } //
// Process hook has the image name as ASCII. So we need to
// convert it to unicode here.
//
AnsiToUnicode(ImageName, pProcess->ImageName); } else { pProcess->ImageName = (LPWSTR)malloc(MAXSTR * sizeof(WCHAR)); if (pProcess->ImageName == NULL) { free(ImageName); return; } if (ProcessId == 0) { StringCchCopyW(pProcess->ImageName, MAXSTR, L"Idle"); } else { StringCchPrintfW(pProcess->ImageName, MAXSTR, L"Unknown(0x%08X)", ProcessId); } } free(ImageName);
GetMofData(pEvent, L"UserSID", pSid, 64);
asize = 64; bsize = 64; if (LookupAccountSidA(NULL, pSid, &UserName[0], &asize, &Domain[0], &bsize, &Se)) { char* pFullName = &FullName[0]; StringCchCopyA(pFullName, 256, "\\\\"); StringCchCatA(pFullName, 256, Domain); StringCchCatA(pFullName, 256, "\\"); StringCchCatA(pFullName, 256, UserName); asize = lstrlenA(pFullName); if (asize > 0) { pProcess->UserName = (LPWSTR)malloc((asize + 1) * sizeof(WCHAR)); if (pProcess->UserName != NULL) { AnsiToUnicode(pFullName, pProcess->UserName); } } } else { pProcess->UserName = (LPWSTR)malloc(7 * sizeof(WCHAR)); if (pProcess->UserName != NULL) { StringCchCopyW(pProcess->UserName, 7, L"system"); } } }}
VOIDPsEndCallback( PEVENT_TRACE pEvent ){ PEVENT_TRACE_HEADER pHeader; ULONG ProcessId; ULONG ReadId = 0; PPROCESS_RECORD pProcess; PCHAR ImageName; ULONG returnLength, requiredLength; CHAR UserName[64]; CHAR Domain[64]; CHAR FullName[256]; DWORD asize = 0; DWORD bsize = 0; ULONG RetLength;
ULONG Sid[64]; PULONG pSid = &Sid[0]; SID_NAME_USE Se;
if (pEvent == NULL) return;
pHeader = (PEVENT_TRACE_HEADER)&pEvent->Header;
RetLength = GetMofData(pEvent, L"ProcessId", &ReadId, sizeof(ULONG));// if (RetLength == 0) {
// return;
// }
ProcessId = ReadId;
if ( (pProcess = FindProcessById(ProcessId, TRUE)) != NULL ) { if (pProcess->DeadFlag) {/*
#if DBG
DbgPrint("FATBUG(%d): End Process %x Dead Already!\n", EventCount, ProcessId);#endif
*/ return; }
pProcess->DeadFlag = TRUE; // try with 16 bytes for image name first.
ImageName = (PCHAR)malloc(16 * sizeof(CHAR)); if (ImageName == NULL) { return; } RtlZeroMemory(ImageName, 16 * sizeof(CHAR)); returnLength = 16 * sizeof(CHAR); requiredLength = GetMofData(pEvent, L"ImageFileName", ImageName, returnLength); if (requiredLength > returnLength) { free(ImageName); ImageName = (PCHAR)malloc(requiredLength); if (ImageName == NULL) { return; } RtlZeroMemory(ImageName, requiredLength); GetMofData(pEvent, L"ImageFileName", ImageName, requiredLength); }
asize = lstrlenA(ImageName); if (asize > 0) { if (pProcess->ImageName != NULL) { free(pProcess->ImageName); } pProcess->ImageName = (LPWSTR)malloc((asize + 1) * sizeof(WCHAR)); if (pProcess->ImageName != NULL) { AnsiToUnicode(ImageName, pProcess->ImageName); } } free(ImageName);
GetMofData(pEvent, L"UserSID", pSid, 64);
asize = 64; bsize = 64; if (LookupAccountSidA(NULL, pSid, &UserName[0], &asize, &Domain[0], &bsize, &Se)) { char* pFullName = &FullName[0]; StringCchCopyA(pFullName, 256, "\\\\"); StringCchCatA(pFullName, 256, Domain); StringCchCatA(pFullName, 256, "\\"); StringCchCatA(pFullName, 256, UserName); asize = lstrlenA(pFullName); if (asize > 0) { if (pProcess->UserName != NULL) { free(pProcess->UserName); } pProcess->UserName = (LPWSTR)malloc((asize + 1) * sizeof(WCHAR)); if (pProcess->UserName != NULL) { AnsiToUnicode(pFullName, pProcess->UserName); } } } else { if (pProcess->UserName != NULL) { free(pProcess->UserName); } pProcess->UserName = (LPWSTR)malloc(7 * sizeof(WCHAR)); if (pProcess->UserName != NULL) { StringCchCopyW(pProcess->UserName, 7, L"system"); } } }/*
#if DBG
else { DbgPrint("WARNING(%d): PsEnd for Unknown process %x Ignored!\n", EventCount, ProcessId); }#endif
*/}
VOIDThStartCallback( PEVENT_TRACE pEvent ){ PEVENT_TRACE_HEADER pHeader; ULONG ProcessorId; ULONG ProcessId, ThreadId; PPROCESS_RECORD pProcess; PTHREAD_RECORD Thread;
ULONG ReadId = 0; ULONG RetLength;
if (pEvent == NULL) { return; }
pHeader = (PEVENT_TRACE_HEADER)&pEvent->Header; RetLength = GetMofData(pEvent, L"TThreadId", &ReadId, sizeof(ULONG));// if (RetLength == 0) {
// return;
// }
ProcessorId = pEvent->ClientContext & 0x000000FF; ThreadId = ReadId; RetLength = GetMofData(pEvent, L"ProcessId", &ReadId, sizeof(ULONG));// if (RetLength == 0) {
// return;
// }
ProcessId = ReadId; pProcess = FindProcessById(ProcessId, TRUE); if (pProcess == NULL) { // This should not Happen. The PS hooks are supposed to guarantee
// that the process create happens before the thread creates
// for that process.
//
if (!AddProcess(ProcessId, &pProcess)) {/*
#if DBG
DbgPrint("FATBUG(%d): Can not find Process Start Record Th %x PID %x\n", EventCount, ThreadId, ProcessId);#endif
*/ return; } }
if (ThreadId == 0 && ProcessorId == 0) { pEvent->ClientContext += CurrentSystem.CurrentThread0 ++; //ASSERT( CurrentSystem.CurrentThread0 <= CurrentSystem.NumberOfProcessors );
}
Thread = FindGlobalThreadById(ThreadId, pEvent); if (ThreadId != 0 && Thread != NULL && !Thread->DeadFlag) { if (Thread->fOrphan) { Thread->fOrphan = FALSE;/*
#if DBG
DbgPrint("INFO(%d): Attach orphan thread %x to process %x.\n", EventCount, ThreadId, ProcessId);#endif
*/ } else { EVENT_TRACE event;
/*
#if DBG
DbgPrint("WARNING(%d): Two active thread have the same TID %x.\n", EventCount, ThreadId);#endif
*/ event.Header.TimeStamp.QuadPart = pHeader->TimeStamp.QuadPart; event.Header.Class.Type = EVENT_TRACE_TYPE_END; event.Header.ThreadId = ThreadId; event.Header.UserTime = Thread->UCPUEnd; event.Header.KernelTime = Thread->KCPUEnd;
//
// If a DCStart event with non-zero KCPU and UCPU is paired up with
// an end Event for the same ThreadId with less CPU Times, the delta
// can come out negative. We correct it here.
//
if (Thread->KCPUEnd < Thread->KCPUStart) Thread->KCPUEnd = Thread->KCPUStart; if (Thread->UCPUEnd < Thread->UCPUStart) Thread->UCPUEnd = Thread->UCPUStart;
ThEndCallback(&event);
if (!AddThread(ThreadId, pEvent, &Thread)) {
/*
#if DBG
DbgPrint("FATBUG(%d): Cannot add global active thread TID %x.\n", EventCount, ThreadId);#endif
*/ return; } } } else if (!AddThread(ThreadId, pEvent, &Thread)) {
/*
#if DBG
DbgPrint("FATBUG(%d): Cannot add global active thread TID %x.\n", EventCount, ThreadId);#endif
*/ return; }
Thread->pProcess = pProcess; Thread->TimeStart = pHeader->TimeStamp.QuadPart;
// Note: All ThreadStart record at the start of data collection
// have the same TID in the header and in the Aux Fields.
// Real ThreadStart events will have the Parent threadId in the
// header and the new ThreadId in the Aux Field.
//
if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_DC_START) { Thread->KCPUStart = pHeader->KernelTime; Thread->UCPUStart = pHeader->UserTime; } else { Thread->KCPUStart = 0; Thread->UCPUStart = 0; }
//
// For DCStart type, the TID in the pEvent and the new thread
// match. So we can adjust its ThreadTimes.
//
if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_DC_START) { AdjustThreadTime(pEvent, Thread); } else { AdjustThreadTime(pEvent, NULL); }
{ Thread->KCPU_Trans = 0; Thread->KCPU_NoTrans = 0; Thread->UCPU_Trans = 0; Thread->UCPU_NoTrans = 0; Thread->TransLevel = 0; Thread->KCPU_PrevTrans = Thread->KCPUStart; Thread->UCPU_PrevTrans = Thread->UCPUStart; }
if (Thread->TID == 0 && CurrentSystem.BuildNumber <= 1877) { CurrentSystem.NumberOfProcessors++; }}
VOIDShutdownThreads(){ int i; EVENT_TRACE event; PLIST_ENTRY Head,Next; PTHREAD_RECORD Thread;
RtlZeroMemory(&event, sizeof(EVENT_TRACE)); if (CurrentSystem.EndTime > CurrentSystem.LastEventTime) { event.Header.TimeStamp.QuadPart = CurrentSystem.EndTime; } else { event.Header.TimeStamp.QuadPart = CurrentSystem.LastEventTime; }
//
// Move the Thread list from the HashTable to GlobalList
//
for (i=0; i < THREAD_HASH_TABLESIZE; i++) { Head = &CurrentSystem.ThreadHashList[i]; Next = Head->Flink; while (Next != Head) { Thread = CONTAINING_RECORD( Next, THREAD_RECORD, Entry ); Next = Next->Flink;
if (!Thread->DeadFlag){ event.Header.Class.Type = EVENT_TRACE_TYPE_DC_END; event.Header.ThreadId = Thread->TID; event.Header.UserTime = Thread->UCPUEnd; event.Header.KernelTime = Thread->KCPUEnd; ThEndCallback( &event ); } } }}
VOIDShutdownProcesses(){ PLIST_ENTRY pHead = &CurrentSystem.ProcessListHead; PLIST_ENTRY pNext = pHead->Flink; PPROCESS_RECORD pProcess;
while (pNext != pHead){ pProcess = CONTAINING_RECORD(pNext, PROCESS_RECORD, Entry); pNext = pNext->Flink;
if (!pProcess->DeadFlag){ pProcess->DeadFlag = TRUE; } }}
BOOLStopThreadTrans( PLIST_ENTRY Head, PEVENT_TRACE pEvent, PTHREAD_RECORD pThread ){ PTRANS_RECORD pTrans; PLIST_ENTRY Next = Head->Flink; while( Head != Next ){ pTrans = CONTAINING_RECORD(Next, TRANS_RECORD, Entry); Next = Next->Flink; if( !StopThreadTrans( &pTrans->SubTransListHead, pEvent, pThread ) ){ return FALSE; } if( !pTrans->bStarted ){ continue; } RtlCopyMemory( &pEvent->Header.Guid, pTrans->pGuid, sizeof(GUID)); pEvent->Header.Class.Type = EVENT_TRACE_TYPE_END; EventCallback( pEvent, pThread ); return FALSE; // stopping one will credit all running events
} return TRUE;}
VOIDThEndCallback( PEVENT_TRACE pEvent ){ PEVENT_TRACE_HEADER pHeader; ULONG ThreadId; PTHREAD_RECORD Thread;
if (pEvent == NULL) { return; }
pHeader = (PEVENT_TRACE_HEADER)&pEvent->Header; ThreadId = pHeader->ThreadId;
if (ThreadId == 0) { ULONG ProcessorId = pEvent->ClientContext & 0x000000FF; if (ProcessorId == 0) { pEvent->ClientContext += (CurrentSystem.NumberOfProcessors - (CurrentSystem.CurrentThread0 --)); } } Thread = FindGlobalThreadById(ThreadId, pEvent);
if (Thread != NULL) { if (Thread->DeadFlag) {/*
#if DBG
DbgPrint("FATBUG(%d): Thread %x Dead Already\n", EventCount, ThreadId);#endif
*/ return; }
if (Thread->fOrphan) { ULONG ReadId = 0; ULONG ProcessId = 0; PPROCESS_RECORD pProcess = NULL;
GetMofData(pEvent, L"ProcessId", &ReadId, sizeof(ULONG)); ProcessId = ReadId;
pProcess = FindProcessById(ProcessId, TRUE); if (pProcess != NULL) { Thread->fOrphan = FALSE; Thread->pProcess = pProcess; }
/*
#if DBG
DbgPrint("INFO(%d): ThEndCallback() attach orphan thread %X to process %X\n", EventCount, ThreadId, ProcessId);#endif
*/ } //
// Charge any unstopped transactions
//
if ( Thread != NULL && pEvent->Header.Class.Type == EVENT_TRACE_TYPE_DC_END) { StopThreadTrans(&Thread->TransListHead, pEvent, Thread ); }
Thread->DeadFlag = TRUE; if (fDSOnly) { if ((ULONGLONG) pHeader->TimeStamp.QuadPart > DSEndTime) { Thread->TimeEnd = DSEndTime; } else { Thread->KCPUEnd = pHeader->KernelTime; Thread->UCPUEnd = pHeader->UserTime; Thread->TimeEnd = (ULONGLONG) pHeader->TimeStamp.QuadPart; } } else { if (Thread->UCPUEnd < pHeader->UserTime) Thread->UCPUEnd = pHeader->UserTime; if (Thread->KCPUEnd < pHeader->KernelTime) Thread->KCPUEnd = pHeader->KernelTime; Thread->TimeEnd = pHeader->TimeStamp.QuadPart; }
if (Thread->TransLevel <= 0) { Thread->KCPU_NoTrans += Thread->KCPUEnd - Thread->KCPU_PrevTrans; Thread->UCPU_NoTrans += Thread->UCPUEnd - Thread->UCPU_PrevTrans; } else { Thread->KCPU_Trans += Thread->KCPUEnd - Thread->KCPU_PrevTrans; Thread->UCPU_Trans += Thread->UCPUEnd - Thread->UCPU_PrevTrans;/*
#if DBG
DbgPrint("WARNING(%d): Active Transactions in Dead Thread %x\n", EventCount, ThreadId);#endif
*/ } } else {/*
#if DBG
DbgPrint("WARNING(%d): No Thread Start for ThreadId %x\n", EventCount, ThreadId);#endif
*/ if (AddThread(ThreadId, pEvent, &Thread)) { Thread->pProcess = FindProcessById(0, FALSE); Thread->DeadFlag = TRUE; Thread->fOrphan = TRUE; Thread->TimeStart = Thread->TimeEnd = pHeader->TimeStamp.QuadPart; Thread->KCPUStart = Thread->KCPUEnd = pHeader->KernelTime; Thread->UCPUStart = Thread->UCPUEnd = pHeader->UserTime; AdjustThreadTime(pEvent, Thread); } else {/*
#if DBG
DbgPrint("FATBUG(%d): Cannot add thread %x for ThreadEnd Event.\n", EventCount, ThreadId);#endif
*/ } }}
VOIDIoReadCallback( PEVENT_TRACE pEvent, PTHREAD_RECORD pThread ){ PEVENT_TRACE_HEADER pHeader = (EVENT_TRACE_HEADER*)&pEvent->Header; ULONG DiskNumber=0; ULONG BytesRead=0; ULONG IrpFlags=0; PTDISK_RECORD Disk; PPROCESS_RECORD pProcess; PPROTO_PROCESS_RECORD pProto; PFILE_OBJECT fileObj; PFILE_RECORD pProcFile; PVOID fDO; BOOLEAN pFlag = FALSE; PPROCESS_RECORD pDiskProcess; LONGLONG ByteOffset; BOOLEAN fValidRead = (BOOLEAN) (!fDSOnly || ( ((ULONGLONG) pHeader->TimeStamp.QuadPart >= DSStartTime) && ((ULONGLONG) pHeader->TimeStamp.QuadPart <= DSEndTime)));
GetMofData(pEvent, L"DiskNumber", &DiskNumber, sizeof(ULONG)); GetMofData(pEvent, L"IrpFlags", &IrpFlags, sizeof(ULONG)); GetMofData(pEvent, L"TransferSize", &BytesRead, sizeof(ULONG)); GetMofData(pEvent, L"FileObject", &fDO, sizeof(ULONG)); GetMofData(pEvent, L"ByteOffset", &ByteOffset, sizeof(ULONGLONG));
BytesRead /= 1024; // Convert to Kbytes
if (((IrpFlags & IRP_PAGING_IO) != 0) || ((IrpFlags & IRP_SYNCHRONOUS_PAGING_IO) != 0)) { pFlag = TRUE; }//
// TODO: From DiskNumber and Offset get the Logical Disk
// ie., DiskNumber = MapDisk(DiskIndex, Offset);
//
//
// Add the I/O to the DISK
//
if ((Disk = FindGlobalDiskById(DiskNumber)) == NULL) { if (!AddDisk(DiskNumber, &Disk) ) { return; } }
if (fValidRead) { if (pFlag) { Disk->HPF++; Disk->HPFSize += BytesRead; } else { Disk->ReadCount++; Disk->ReadSize += BytesRead; } }
//
// Add the I/O to the THREAD
//
if ( pThread == NULL) {
//
// NOTE: Logger Thread Creation is MISSED by the collector.
// So we must handle it here.
//
if (AddThread(pHeader->ThreadId, pEvent, &pThread )) {
/*
#if DBG
DbgPrint("WARNING(%d): Thread %x added to charge IO Read event\n", EventCount, pHeader->ThreadId);#endif
*/ pThread->pProcess = FindProcessById(0, TRUE); // Charge it the system ???
pThread->TimeStart = pHeader->TimeStamp.QuadPart; pThread->fOrphan = TRUE; //
// Note: All ThreadStart record at the start of data collection
// have the same TID in the header and in the Aux Fields.
// Real ThreadStart events will have the Parent threadId in the
// header and the new ThreadId in the Aux Field.
//
pThread->KCPUStart = pHeader->KernelTime; pThread->UCPUStart = pHeader->UserTime; AdjustThreadTime(pEvent, pThread); } else {/*
#if DBG
DbgPrint("FATBUG(%d): Cannot add thread %x for IO Read Event.\n", EventCount, pHeader->ThreadId);#endif
*/ return; } }/*
#if DBG
else if (pThread->fOrphan) { DbgPrint("INFO(%d): IO Read Event Thread %x Is Still Orphan.\n", EventCount, pHeader->ThreadId); } else if (pThread->DeadFlag) { DbgPrint("INFO(%d): IO Read Event Thread %x Is Already Dead.\n", EventCount, pHeader->ThreadId); }#endif
*/ ASSERT(pThread != NULL);
if (fValidRead && pThread->pMofData != NULL) { ((PMOF_DATA)pThread->pMofData)->ReadCount++; }
if (fValidRead) { if (pFlag) { pThread->HPF++; pThread->HPFSize += BytesRead; } else { pThread->ReadIO++; pThread->ReadIOSize += BytesRead; } }
//
// 2. Disk->Process
//
pDiskProcess = FindDiskProcessById(Disk, pThread->pProcess->PID); if (fValidRead && pDiskProcess != NULL) { if (pFlag) { pDiskProcess->HPF++; pDiskProcess->HPFSize += BytesRead; } else { pDiskProcess->ReadIO++; pDiskProcess->ReadIOSize += BytesRead; } }
//
// Add the I/O to the PROCESS
//
pProcess = pThread->pProcess; if (fValidRead && (pProcess != NULL )) { pProcess->ReadIO++; pProcess->ReadIOSize += BytesRead;
Disk = FindProcessDiskById(pProcess, DiskNumber); if (Disk != NULL) { if (pFlag) { Disk->HPF++; Disk->HPFSize += BytesRead; } else { Disk->ReadCount++; Disk->ReadSize += BytesRead; } } }
//
// Add the I/O to the FILE
//
if (fValidRead) { fileObj = FindFileInTable(fDO); if (fileObj == NULL) { return; } fileObj->ThreadId = pEvent->Header.ThreadId; fileObj->LastByteOffset = ByteOffset; fileObj->DiskNumber = DiskNumber; if (fileObj->fileRec) { fileObj->fileRec->ReadCount++; fileObj->fileRec->ReadSize += BytesRead; pProcFile = FindFileInProcess(pProcess, fileObj->fileRec->FileName); if (pProcFile != NULL) {#if 0
if (pFlag) { pProcFile->HPF++; pProcFile->HPFSize += BytesRead; } else {#endif
pProcFile->ReadCount++; pProcFile->ReadSize += BytesRead;#if 0
}#endif
} pProto = FindProtoProcessRecord(fileObj->fileRec, pProcess); if (pProto != NULL) {#if 0
if (pFlag) { pProto->HPF++; pProto->HPFSize += BytesRead; } else {#endif
pProto->ReadCount++; pProto->ReadSize += BytesRead;#if 0
}#endif
} } else { // APC has not happened yet. So Make a copy of the pEvent.
// and Insert it in EventListHead;
AddEvent(fileObj, DiskNumber, BytesRead, TRUE); } }
//
// Do the Drill Down Calls Now. To Save on memory we need to be
// selective about which ones to create.
//
// 2. Thread->Disk
Disk = FindLocalDiskById(&pThread->DiskListHead, DiskNumber); if (fValidRead && Disk != NULL) { if (pFlag) { Disk->HPF++; Disk->HPFSize += BytesRead; } else { Disk->ReadCount++; Disk->ReadSize += BytesRead; } }
if (pFlag || (IrpFlags & IRP_ASSOCIATED_IRP) != 0) { PHPF_FILE_RECORD pHPFFileRecord = NULL;
HPFReadCount ++; if ( fValidRead && AddHPFFileRecord(& pHPFFileRecord, HPFReadCount, IrpFlags, DiskNumber, ByteOffset, BytesRead, fDO)) { EnterTracelibCritSection(); InsertHeadList(& pThread->HPFReadListHead, & pHPFFileRecord->Entry); LeaveTracelibCritSection(); } }}
VOID LogDriveCallback( PEVENT_TRACE pEvent ){ ULONGLONG StartOffset = 0; ULONGLONG PartitionSize = 0; ULONG DiskNumber = 0; ULONG Size = 0; ULONG DriveType = 0; WCHAR DriveLetter[MAXSTR]; ULONG RetLength;
if (pEvent == NULL) { return; } DriveLetter[0] = UNICODE_NULL;
GetMofData(pEvent, L"StartOffset", &StartOffset, sizeof(ULONGLONG)); GetMofData(pEvent, L"PartitionSize", &PartitionSize, sizeof(ULONGLONG)); GetMofData(pEvent, L"DiskNumber", &DiskNumber, sizeof(ULONG)); GetMofData(pEvent, L"Size", &Size, sizeof(ULONG)); GetMofData(pEvent, L"DriveType", &DriveType, sizeof(SHORT)); RetLength = GetMofData(pEvent, L"DriveLetterString", &DriveLetter[0], MAXSTR*sizeof(WCHAR)); if (RetLength != 0 && RetLength > MAXSTR*sizeof(WCHAR)) { return; }
AddLogicalDrive( StartOffset, PartitionSize, DiskNumber, Size, DriveType, DriveLetter );
}
VOID CpuCallback( PEVENT_TRACE pEvent ){ ULONG MemSize = 0; WCHAR ComputerName[256]; ULONG ComputerNameSize = 0; ULONG RetLength;
ComputerName[0] = UNICODE_NULL;
GetMofData(pEvent, L"MemSize", &MemSize, sizeof(ULONG)); CurrentSystem.MemorySize = MemSize; RetLength = GetMofData(pEvent, L"ComputerName", &ComputerName[0], 256*sizeof(WCHAR)); if (RetLength != 0 && RetLength > MAXSTR*sizeof(WCHAR)) { return; } ComputerNameSize = wcslen(ComputerName); if (ComputerNameSize > 0) { CurrentSystem.ComputerName = (LPWSTR)malloc((ComputerNameSize + 1) * sizeof(WCHAR)); if (CurrentSystem.ComputerName != NULL) { StringCchCopyW(CurrentSystem.ComputerName, ComputerNameSize + 1, ComputerName); } }}
VOIDHotFileCallback( PEVENT_TRACE pEvent ){ PEVENT_TRACE_HEADER pHeader; WCHAR FileName[MAXSTR]; // Not Sure if this is sufficient...
PLIST_ENTRY Next, Head; PFILE_RECORD fileRec, pProcFile = NULL; PLOGICAL_DRIVE_RECORD pLogDrive = NULL; PPROTO_FILE_RECORD protoFileRec; PFILE_OBJECT fileObj; PVOID fDO = NULL; PTHREAD_RECORD pThread = NULL; PPROCESS_RECORD pProcess = NULL; PPROTO_PROCESS_RECORD pProto = NULL; ULONG RetLength;
if (pEvent == NULL) { return; }
pHeader = (PEVENT_TRACE_HEADER)&pEvent->Header;
RtlZeroMemory(&FileName[0], MAXSTR * sizeof(WCHAR));
GetMofData(pEvent, L"FileObject", &fDO, sizeof(PVOID)); RetLength = GetMofData(pEvent, L"FileName", &FileName[0], MAXSTR*sizeof(WCHAR)); if (RetLength != 0 && RetLength > MAXSTR*sizeof(WCHAR)) { return; }
//
// Get the FileObject from the fileTable and update the information.
//
fileObj = FindFileInTable(fDO); if (fileObj == NULL) { return; }
pLogDrive = FindLogicalDrive(fileObj->LastByteOffset, fileObj->DiskNumber); // pLogDrive can be null, and it should be OK.
if ((fileRec = FindFileRecordByName(FileName, pLogDrive)) == NULL) { AddFile(FileName, &fileRec, pLogDrive); }
if (fileObj->fileRec != NULL) {/*
#if DBG
DbgPrint("BUG: APC for known file %ws\n", FileName);#endif
*/ }
if ((pThread = FindGlobalThreadById(fileObj->ThreadId, pEvent)) != NULL) { pProcess = pThread->pProcess; if (pProcess != NULL) { pProcFile = FindFileInProcess(pProcess, FileName); pProto = FindProtoProcessRecord(fileRec, pProcess); } } else { return; }
fileObj->fileRec = fileRec;
//
// Walk through the EventList and add it to this file record
//
Head = &fileObj->ProtoFileRecordListHead; Next = Head->Flink; while (Next != Head) { protoFileRec = CONTAINING_RECORD( Next, PROTO_FILE_RECORD, Entry ); fileRec->DiskNumber = protoFileRec->DiskNumber; if (protoFileRec->ReadFlag) { fileRec->ReadCount++; fileRec->ReadSize += protoFileRec->IoSize; if (pProcFile != NULL) { pProcFile->ReadCount++; pProcFile->ReadSize += protoFileRec->IoSize; } if (pProto != NULL) { pProto->ReadCount++; pProto->ReadSize += protoFileRec->IoSize; } } else { fileRec->WriteCount++; fileRec->WriteSize += protoFileRec->IoSize; if (pProcFile != NULL) { pProcFile->WriteCount++; pProcFile->WriteSize += protoFileRec->IoSize; } if (pProto != NULL) { pProto->WriteCount++; pProto->WriteSize += protoFileRec->IoSize; } } Next = Next->Flink; RemoveEntryList( &protoFileRec->Entry); }
//
// If DrillDown Records are appended, we need to handle those too
//
}
VOIDModuleLoadCallback(PEVENT_TRACE pEvent){ PEVENT_TRACE_HEADER pHeader = (PEVENT_TRACE_HEADER) & pEvent->Header; ULONG lBaseAddress = 0; ULONG lModuleSize = 0; WCHAR strModulePath[256]; WCHAR * strModuleName; ULONG rtnLength = sizeof(WCHAR) * 256;
PLIST_ENTRY pHead = &CurrentSystem.GlobalModuleListHead; PLIST_ENTRY pNext = pHead->Flink; PMODULE_RECORD pMatched = NULL; PMODULE_RECORD pCurrent = NULL; PTHREAD_RECORD pThread = NULL; PPROCESS_RECORD pProcess = NULL;
RtlZeroMemory(strModulePath, 256 * sizeof(WCHAR) ); GetMofData(pEvent, L"ImageBase", & lBaseAddress, sizeof(ULONG)); GetMofData(pEvent, L"ImageSize", & lModuleSize, sizeof(ULONG)); GetMofData(pEvent, L"FileName", &strModulePath[0], rtnLength);
strModuleName = wcsrchr(strModulePath, L'\\'); if (!strModuleName){ strModuleName = strModulePath; }else{ strModuleName ++; }
// Check if loaded image is already in SYSTEM_RECORD::GlobalModuleListHead.
// Otherwise, insert new MODULE_RECORD.
//
while (!pMatched && pNext != pHead){ pMatched = CONTAINING_RECORD(pNext, MODULE_RECORD, Entry); if (_wcsicmp(strModuleName, pMatched->strModuleName)){ pMatched = NULL; pNext = pNext->Flink; } }
if (!pMatched){ if (AddModuleRecord(& pMatched, lBaseAddress, lModuleSize, strModuleName)){ EnterTracelibCritSection(); InsertHeadList( & CurrentSystem.GlobalModuleListHead, & pMatched->Entry); LeaveTracelibCritSection(); pMatched->pProcess = NULL; pMatched->pGlobalPtr = NULL; }else{ return; } }
ASSERT(pMatched);
// Insert loaded image in PROCESS_RECORD::ModuleListHead
//
if (AddModuleRecord(& pCurrent, lBaseAddress, lModuleSize, strModuleName)){ pCurrent->pGlobalPtr = pMatched;
pThread = FindGlobalThreadById(pHeader->ThreadId, pEvent); ASSERT(pThread); if (!pThread){ free( pCurrent ); return; }
pProcess = pThread->pProcess; ASSERT(pProcess); if (!pProcess){ free( pCurrent ); return; }
EnterTracelibCritSection(); pCurrent->pProcess = pProcess; InsertHeadList( & pProcess->ModuleListHead, & pCurrent->Entry); LeaveTracelibCritSection(); }else{ return; }}
VOIDProcessCallback( PEVENT_TRACE pEvent ){ if (pEvent == NULL){ return; }
if ((pEvent->Header.Class.Type == EVENT_TRACE_TYPE_START) || (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_DC_START)) { PsStartCallback(pEvent); } else if ((pEvent->Header.Class.Type == EVENT_TRACE_TYPE_END) || (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_DC_END)) { PsEndCallback(pEvent); }}
VOIDThreadCallback( PEVENT_TRACE pEvent ){ if (pEvent == NULL){ return; }
if ((pEvent->Header.Class.Type == EVENT_TRACE_TYPE_START) || (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_DC_START)) { ThStartCallback(pEvent); } else if ((pEvent->Header.Class.Type == EVENT_TRACE_TYPE_END) || (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_DC_END)) { ThEndCallback(pEvent); }}
PMODULE_RECORDSearchModuleByAddr( PLIST_ENTRY pModuleListHead, ULONG lAddress ){ PLIST_ENTRY pNext = pModuleListHead->Flink; PMODULE_RECORD pModule = NULL; PMODULE_RECORD pCurrent;
while (pNext != pModuleListHead) { pCurrent = CONTAINING_RECORD(pNext, MODULE_RECORD, Entry); pNext = pNext->Flink; if ( (lAddress >= pCurrent->lBaseAddress) && (lAddress < pCurrent->lBaseAddress + pCurrent->lModuleSize)) { pModule = pCurrent; break; } } return pModule;}
voidUpdatePageFaultCount( PPROCESS_RECORD pProcess, PMODULE_RECORD pModule, ULONG lFaultAddr, UCHAR FaultType){ BOOLEAN fFaultInImage = (BOOLEAN) ((lFaultAddr >= pModule->lBaseAddress) && (lFaultAddr < pModule->lBaseAddress + pModule->lModuleSize)); switch(FaultType) { case EVENT_TRACE_TYPE_MM_HPF : if (fFaultInImage) { pProcess->lCodeFaultHF ++; pModule->lCodeFaultHF ++; if (pModule->pGlobalPtr) { pModule->pGlobalPtr->lCodeFaultHF ++; } } else { pProcess->lDataFaultHF ++; pModule->lDataFaultHF ++; if (pModule->pGlobalPtr) { pModule->pGlobalPtr->lDataFaultHF ++; } } break;
case EVENT_TRACE_TYPE_MM_TF : if (fFaultInImage) { pProcess->lCodeFaultTF ++; pModule->lCodeFaultTF ++; if (pModule->pGlobalPtr) { pModule->pGlobalPtr->lCodeFaultTF ++; } } else { pProcess->lDataFaultTF ++; pModule->lDataFaultTF ++; if (pModule->pGlobalPtr) { pModule->pGlobalPtr->lDataFaultTF ++; } } break;
case EVENT_TRACE_TYPE_MM_DZF : if (fFaultInImage) { pProcess->lCodeFaultDZF ++; pModule->lCodeFaultDZF ++; if (pModule->pGlobalPtr) { pModule->pGlobalPtr->lCodeFaultDZF ++; } } else { pProcess->lDataFaultDZF ++; pModule->lDataFaultDZF ++; if (pModule->pGlobalPtr) { pModule->pGlobalPtr->lDataFaultDZF ++; } } break;
case EVENT_TRACE_TYPE_MM_COW : if (fFaultInImage) { pProcess->lCodeFaultCOW ++; pModule->lCodeFaultCOW ++; if (pModule->pGlobalPtr) { pModule->pGlobalPtr->lCodeFaultCOW ++; } } else { pProcess->lDataFaultCOW ++; pModule->lDataFaultCOW ++; if (pModule->pGlobalPtr) { pModule->pGlobalPtr->lDataFaultCOW ++; } } break;
default : break; }}
PMODULE_RECORDSearchSysModule( PPROCESS_RECORD pProcess, ULONG lPC, BOOLEAN fActive ){ PMODULE_RECORD pModule = NULL; PPROCESS_RECORD pSysProcess = FindProcessById(0, fActive); PMODULE_RECORD pCurrent = SearchModuleByAddr(& pSysProcess->ModuleListHead, lPC); if (pCurrent) { if (AddModuleRecord(& pModule, pCurrent->lBaseAddress, pCurrent->lModuleSize, pCurrent->strModuleName)) { EnterTracelibCritSection(); InsertHeadList( & pProcess->ModuleListHead, & pModule->Entry); LeaveTracelibCritSection();
pModule->pProcess = pProcess; pModule->pGlobalPtr = pCurrent->pGlobalPtr; } }
return pModule;}
VOIDPageFaultCallback( PEVENT_TRACE pEvent, PTHREAD_RECORD pThread ){ PEVENT_TRACE_HEADER pHeader; PPROCESS_RECORD pProcess; PMOF_DATA pMofData; ULONG lFaultAddr = 0; ULONG lPC = 0; PVOID fDO = NULL; LONG lByteCount = 0; LONGLONG lByteOffset = 0; WCHAR strHotFileName[1024]; ULONG rtnLength = sizeof(WCHAR) * 1024; BOOLEAN fSpecialHPF = FALSE; BOOLEAN fFound;
if (pEvent == NULL) return;
if (!InTimeWindow(pEvent, pThread)) return;
GetMofData(pEvent, L"VirtualAddress", &lFaultAddr, sizeof(ULONG)); GetMofData(pEvent, L"ProgramCounter", &lPC, sizeof(ULONG));
pHeader = (PEVENT_TRACE_HEADER)&pEvent->Header;
if ( pHeader->Class.Type == EVENT_TRACE_TYPE_MM_HPF && pEvent->MofLength > 2 * sizeof(ULONG)) { fSpecialHPF = TRUE; GetMofData(pEvent, L"FileObject", &fDO, sizeof(ULONG)); GetMofData(pEvent, L"ByteCount", &lByteCount, sizeof(LONG)); GetMofData(pEvent, L"ByteOffset", &lByteOffset, sizeof(LONGLONG)); GetMofData(pEvent, L"FileName", &strHotFileName[0], rtnLength); }
if (pThread == NULL) { if (AddThread(pHeader->ThreadId, pEvent, &pThread )) {
/*
#if DBG
DbgPrint("WARNING(%d): Thread %x added to charge PageFault event\n", EventCount, pHeader->ThreadId);#endif
*/ pThread->pProcess = FindProcessById(0, TRUE); pThread->TimeStart = pHeader->TimeStamp.QuadPart; pThread->fOrphan = TRUE;
pThread->KCPUStart = pHeader->KernelTime; pThread->UCPUStart = pHeader->UserTime; AdjustThreadTime(pEvent, pThread); } else {/*
#if DBG
DbgPrint("FATBUG(%d): Cannot add thread %x for PageFault Event.\n", EventCount, pHeader->ThreadId);#endif
*/ return; } }/*
#if DBG
else if (pThread->fOrphan) { DbgPrint("INFO(%d): PageFault Event Thread %x Is Still Orphan.\n", EventCount, pHeader->ThreadId); } else if (pThread->DeadFlag) { DbgPrint("INFO(%d): PageFault Event Thread %x Is Already Dead.\n", EventCount, pHeader->ThreadId); }#endif
*/ pMofData = (PMOF_DATA)pThread->pMofData;
if (pMofData && !fSpecialHPF) { switch(pHeader->Class.Type) { case EVENT_TRACE_TYPE_MM_TF : pMofData->MmTf++; break; case EVENT_TRACE_TYPE_MM_DZF : pMofData->MmDzf++; break; case EVENT_TRACE_TYPE_MM_COW : pMofData->MmCow++; break; case EVENT_TRACE_TYPE_MM_GPF : pMofData->MmGpf++; break; } }
// Update loaded image MODULE_RECORD::lFaultCount
//
pProcess = pThread->pProcess;
if (pProcess != NULL) { PMODULE_RECORD pModule = SearchModuleByAddr( & pProcess->ModuleListHead, lPC);
fFound = FALSE; if (fSpecialHPF) { PHPF_RECORD pHPFRecord = NULL;
PageFaultCount ++; if (AddHPFRecord(& pHPFRecord, lFaultAddr, fDO, lByteCount, lByteOffset)) { PLIST_ENTRY pHead = & pThread->HPFReadListHead; PLIST_ENTRY pNext = pHead->Flink; PHPF_FILE_RECORD pHPFFileRecord; PHPF_FILE_RECORD pHPFThreadRead; LONG lTotalByte = 0; BOOLEAN fAssociatedIrp = TRUE;
EnterTracelibCritSection(); pHPFRecord->RecordID = PageFaultCount; InsertHeadList(& pProcess->HPFListHead, & pHPFRecord->Entry); while (fAssociatedIrp && pNext != pHead) { pHPFThreadRead = CONTAINING_RECORD(pNext, HPF_FILE_RECORD, Entry); pNext = pNext->Flink; fAssociatedIrp = (BOOLEAN) ((pHPFThreadRead->IrpFlags & IRP_ASSOCIATED_IRP) != 0);
if (!fAssociatedIrp && fDO != pHPFThreadRead->fDO) { fAssociatedIrp = TRUE; continue; }
if (AddHPFFileRecord(& pHPFFileRecord, pHPFThreadRead->RecordID, pHPFThreadRead->IrpFlags, pHPFThreadRead->DiskNumber, pHPFThreadRead->ByteOffset, pHPFThreadRead->BytesCount, pHPFThreadRead->fDO)) { lTotalByte += pHPFThreadRead->BytesCount; InsertHeadList(& pHPFRecord->HPFReadListHead, & pHPFFileRecord->Entry); } RemoveEntryList(& pHPFThreadRead->Entry); free(pHPFThreadRead); } LeaveTracelibCritSection(); }
goto Cleanup; } else if (pHeader->Class.Type == EVENT_TRACE_TYPE_MM_HPF) { PLIST_ENTRY pHead = & pProcess->HPFListHead; PLIST_ENTRY pNext = pHead->Flink; PHPF_RECORD pHPFRecord;
while (pNext != pHead) { pHPFRecord = CONTAINING_RECORD(pNext, HPF_RECORD, Entry); pNext = pNext->Flink; if (pHPFRecord->lFaultAddress == lFaultAddr) { pHPFRecord->lProgramCounter = lPC; break; } } }
if (pModule) { UpdatePageFaultCount( pProcess, pModule, lFaultAddr, pHeader->Class.Type); fFound = TRUE; }
if (!fFound && pProcess->PID != 0) { PMODULE_RECORD pSysModule = SearchSysModule(pProcess, lPC, TRUE); if (pSysModule) { UpdatePageFaultCount( pProcess, pSysModule, lFaultAddr, pHeader->Class.Type); fFound = TRUE; } }
if (!fFound) { PLIST_ENTRY pModuleHead = & pProcess->ModuleListHead; PLIST_ENTRY pModuleNext = pModuleHead->Flink; PMODULE_RECORD pTmpModule;
while (pModuleNext != pModuleHead) { pTmpModule = CONTAINING_RECORD(pModuleNext, MODULE_RECORD, Entry); pModuleNext = pModuleNext->Flink; if (!_wcsicmp(pTmpModule->strModuleName, L"other")) { if ( pTmpModule->lBaseAddress == 0 && pTmpModule->lModuleSize == 0) { pTmpModule->lBaseAddress = lPC; pTmpModule->lModuleSize = 1; } else if (pTmpModule->lBaseAddress > lPC) { pTmpModule->lModuleSize += pTmpModule->lBaseAddress - lPC; pTmpModule->lBaseAddress = lPC; } else if ( pTmpModule->lModuleSize < lPC - pTmpModule->lBaseAddress + 1) { pTmpModule->lModuleSize = lPC - pTmpModule->lBaseAddress + 1; } UpdatePageFaultCount( pProcess, pTmpModule, lFaultAddr, pHeader->Class.Type); break; } } } }/*
else {
#if DBG
DbgPrint("ERROR - PageFaultCallback(0x%08I64x,0x%08I64x,0x%08x,0x%08x) cannot find process\n", pHeader->ThreadId, pThread->pProcess->PID, lPC, lFaultAddr);#endif
}*/Cleanup: return;}
VOIDDiskIoCallback( PEVENT_TRACE pEvent, PTHREAD_RECORD pThread ){ if (pEvent == NULL) return;
if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_IO_READ) { IoReadCallback(pEvent, pThread); } else { IoWriteCallback(pEvent, pThread); }}
VOIDTcpIpCallback( PEVENT_TRACE pEvent, PTHREAD_RECORD pThread ){ PEVENT_TRACE_HEADER pHeader; PPROCESS_RECORD pProcess; ULONG size = 0;
if (pEvent == NULL) return; pHeader = (EVENT_TRACE_HEADER*)&pEvent->Header;
if (!InTimeWindow(pEvent, pThread)) return;
if (pThread == NULL) { if (AddThread(pHeader->ThreadId, pEvent, &pThread )) {
/*
#if DBG
DbgPrint("WARNING(%d): Thread %x added to charge TCP/IP event\n", EventCount, pHeader->ThreadId);#endif
*/ pThread->pProcess = FindProcessById(0, TRUE); pThread->TimeStart = pHeader->TimeStamp.QuadPart; pThread->fOrphan = TRUE;
pThread->KCPUStart = pHeader->KernelTime; pThread->UCPUStart = pHeader->UserTime; AdjustThreadTime(pEvent, pThread); } else {/*
#if DBG
DbgPrint("FATBUG(%d): Cannot add thread %x for TCP/IP Event.\n", EventCount, pHeader->ThreadId);#endif
*/ return; } }/*
#if DBG
else if (pThread->fOrphan) { DbgPrint("INFO(%d): TCP/IP Event Thread %x Is Still Orphan.\n", EventCount, pHeader->ThreadId); } else if (pThread->DeadFlag) { DbgPrint("INFO(%d): TCP/IP Event Thread %x Is Already Dead.\n", EventCount, pHeader->ThreadId); }#endif
*/ if (GetMofData(pEvent, L"size", &size, sizeof(ULONG)) > 0) {
if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_SEND ) {
pThread->SendCount++; pThread->SendSize += size;
if (pThread->pMofData != NULL) { ((PMOF_DATA)pThread->pMofData)->SendCount++; }
if ( (pProcess = pThread->pProcess) != NULL ) { pProcess->SendCount++; pProcess->SendSize += size; }
} else if( pEvent->Header.Class.Type == EVENT_TRACE_TYPE_RECEIVE ) {
pThread->RecvCount++; pThread->RecvSize += size;
if (pThread->pMofData != NULL) { ((PMOF_DATA)pThread->pMofData)->RecvCount++; }
if ( (pProcess = pThread->pProcess) != NULL ) { pProcess->RecvCount++; pProcess->RecvSize += size; } } }}
PFILE_OBJECTFindFileInTable ( IN PVOID fDO ){ PFILE_OBJECT thisFile, lastFile = NULL; PFILE_OBJECT *fileTable; UINT i; fileTable = CurrentSystem.FileTable; for (i = 0; i < MAX_FILE_TABLE_SIZE; i++) { thisFile = fileTable[i]; fileTable[i] = lastFile; lastFile = thisFile; if ((thisFile != NULL) && (thisFile->fDO == fDO)) { fileTable[0] = thisFile; return thisFile; } } if (lastFile == NULL) { lastFile = (PFILE_OBJECT) malloc( sizeof(FILE_OBJECT)); if (lastFile == NULL) { return NULL; } } fileTable[0] = lastFile; lastFile->fDO = fDO; lastFile->fileRec = NULL; InitializeListHead( &lastFile->ProtoFileRecordListHead ); return lastFile;
}
//
// TODO: Redo the EventList as FILE_RECORDS with Unknown Filenames
// The current implementation will create a proto record for
// evenry I/O and if the APC never arrives, it can choke the
// system!
//
VOIDAddEvent( IN PFILE_OBJECT fileObject, IN ULONG DiskNumber, IN ULONG IoSize, IN BOOLEAN ReadFlag ){ PPROTO_FILE_RECORD protoFileRec;
if (fileObject->fileRec != NULL) {/*
#if DBG
DbgPrint("BUG: FileObject is NONNULL in AddEvent\n");#endif
*/ }
protoFileRec = (PPROTO_FILE_RECORD) malloc(sizeof(PROTO_FILE_RECORD)); if (protoFileRec == NULL) { return; } protoFileRec->ReadFlag = ReadFlag; protoFileRec->IoSize = IoSize; protoFileRec->DiskNumber = DiskNumber;
InsertHeadList( &fileObject->ProtoFileRecordListHead, &protoFileRec->Entry);
// Currently NOT Keeping track of the DrillDown data for the File
// if APC has not happened yet. Some Events may be lost.
}
ULONGGetMofData( PEVENT_TRACE pEvent, WCHAR *strName, PVOID ReturnValue, ULONG ReturnLength ){ PITEM_DESC pAuxInfo; PUCHAR pData; ULONG RequiredLength = 0; BOOLEAN AddNull = FALSE; PLIST_ENTRY Head, Next; PMOF_INFO pMofInfo; PMOF_VERSION pMofVersion;
if (pEvent == NULL) return 0;
pData = (PUCHAR) pEvent->MofData;
if (strName == NULL) return 0; if (lstrlenW(strName) <= 0) return 0;
pMofInfo = GetMofInfoHead(&pEvent->Header.Guid); if (pMofInfo == NULL) return 0;
pMofVersion = GetMofVersion(pMofInfo, pEvent->Header.Class.Type, pEvent->Header.Class.Version, pEvent->Header.Class.Level );
if (pMofVersion == NULL) return 0;
Head = &pMofVersion->ItemHeader; Next = Head->Flink; while (Head != Next) { pAuxInfo = CONTAINING_RECORD(Next, ITEM_DESC, Entry); if ( (ULONG) (pData-(PUCHAR)pEvent->MofData) >= pEvent->MofLength) return 0;
switch (pAuxInfo->ItemType) { case ItemChar: case ItemUChar: { if (pAuxInfo->ArraySize > 0) { RequiredLength = pAuxInfo->ArraySize; } else { RequiredLength = sizeof(UCHAR); } } break; case ItemWChar: { if (pAuxInfo->ArraySize > 0) { RequiredLength = pAuxInfo->ArraySize * sizeof(WCHAR); } else { RequiredLength = sizeof(WCHAR); } } break; case ItemShort: case ItemUShort: { RequiredLength = 2; } break; case ItemULong: case ItemULongX: { RequiredLength = 4; } break; case ItemLongLong: case ItemULongLong: { RequiredLength = 8; } break; case ItemPString : pData += sizeof(USHORT); case ItemString : RequiredLength = lstrlenA((PCHAR)pData) + 1; break; case ItemWString :
//
// FileNames etc are not NULL Terminated and only the buffer
// is copied. To find its length, we can't use wcslen.
// The Length is computed from the assumption that this string
// is the last item for this event and the size of the event
// should help determine the size of this string.
RequiredLength = pEvent->MofLength - (ULONG) (pData - (PUCHAR) pEvent->MofData);
AddNull = TRUE;
break;
case ItemSid : { ULONG SidMarker; RtlCopyMemory(&SidMarker, pData, sizeof(ULONG)); if (SidMarker == 0) { RequiredLength = 4; } else { if (PointerSize == 64) { pData += 16; // skip the TOKEN_USER structure
} else { pData += 8; // skip the TOKEN_USER structure
} RequiredLength = 8 + (4*pData[1]); } } break; case ItemSizeT: case ItemPtr : { RequiredLength = PointerSize / 8; if ( (RequiredLength != 4) && (RequiredLength != 8) ) { RequiredLength = 4; } break; } case ItemTDIAddr : { // We assume the rest of the event is all TDIAddr
RequiredLength = pEvent->MofLength - (ULONG) (pData - (PUCHAR) pEvent->MofData); break; } default : RequiredLength = pAuxInfo->DataSize; } if (!wcscmp(pAuxInfo->strDescription, strName)) { if (RequiredLength == 0) return 0; //
// Make Sure there is enough room to copy
//
if (RequiredLength > ReturnLength) {/*
#if DBG
DbgPrint("RequiredLength %d Space Available %d\n", RequiredLength, ReturnLength);#endif
*/ return RequiredLength; }
RtlCopyMemory(ReturnValue, pData, RequiredLength);
if (AddNull) { WCHAR* ws; ws = (WCHAR*) ReturnValue; ws[(RequiredLength/2)] = 0; }
return 0; } pData += RequiredLength; Next = Next->Flink; } return RequiredLength;}
ULONGGetDeltaWithTimeWindow(BOOLEAN fKCPU, PTHREAD_RECORD pThread, ULONGLONG timeStart, ULONGLONG timeEnd, ULONG DeltaStart, ULONG DeltaEnd){ ULONG lResult = 0; ULONG lDeltaStart, lDeltaEnd;
UNREFERENCED_PARAMETER(pThread);
if (!fDSOnly) { lResult = (DeltaEnd > DeltaStart) ? (DeltaEnd - DeltaStart) : (0); } else if ((timeStart >= DSEndTime) || (timeEnd <= DSStartTime)) { lResult = 0; } else if (fKCPU) { lDeltaStart = (timeStart < DSStartTime) ? Interpolate(timeStart, DeltaStart, timeEnd, DeltaEnd, DSStartTime) : DeltaStart; lDeltaEnd = (timeEnd > DSEndTime) ? Interpolate(timeStart, DeltaStart, timeEnd, DeltaEnd, DSEndTime) : DeltaEnd; lResult = (lDeltaEnd > lDeltaStart) ? (lDeltaEnd - lDeltaStart) : (0); } else { lDeltaStart = (timeStart < DSStartTime) ? Interpolate(timeStart, DeltaStart, timeEnd, DeltaEnd, DSStartTime) : DeltaStart; lDeltaEnd = (timeEnd > DSEndTime) ? Interpolate(timeStart, DeltaStart, timeEnd, DeltaEnd, DSEndTime) : DeltaEnd; lResult = (lDeltaEnd > lDeltaStart) ? (lDeltaEnd - lDeltaStart) : (0); } return lResult;}
// Generic Event Callback. Get the Transaction Response Time.
//
VOIDEventCallback( PEVENT_TRACE pEvent, PTHREAD_RECORD pThread ){ PMOF_INFO pMofInfo; PMOF_DATA pMofData; PEVENT_TRACE_HEADER pHeader; PPROCESS_RECORD pProcess; PTRANS_RECORD pThreadTrans = NULL; ULONGLONG delta;
if (pEvent == NULL) return; pHeader = (PEVENT_TRACE_HEADER)&pEvent->Header;
//
// Ignore Process/Thread Start/End transactions. Only go after
// User Defined Transactions.
//
pMofInfo = GetMofInfoHead(&pHeader->Guid); if (pMofInfo == NULL){ return; }
if ( pMofInfo->bKernelEvent ){ return; }
if (IsEqualGUID( &pMofInfo->Guid, &EventTraceGuid ) || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_GUIDMAP) { return; }
if (pThread == NULL) { if (AddThread( pHeader->ThreadId, pEvent, &pThread )) {
/*
#if DBG
DbgPrint("WARNING(%d): Thread %x added to charge Event.\n", EventCount, pHeader->ThreadId);#endif
*/ pThread->pProcess = FindProcessById(0, TRUE); // Charge it the system ???
pThread->TimeStart = pHeader->TimeStamp.QuadPart; pThread->KCPUStart = pHeader->KernelTime; pThread->UCPUStart = pHeader->UserTime; pThread->fOrphan = TRUE; AdjustThreadTime(pEvent, pThread); } else {/*
#if DBG
DbgPrint("FATBUG(%d): Cannot add thread %x for Event.\n", EventCount, pHeader->ThreadId);#endif
*/ return; } }/*
#if DBG
else if (pThread->fOrphan) { DbgPrint("INFO(%d): Generic Event Thread %x Is Still Orphan.\n", EventCount, pHeader->ThreadId); } else if (pThread->DeadFlag) { DbgPrint("INFO(%d): Generic Event Thread %x Is Already Dead.\n", EventCount, pHeader->ThreadId); }#endif
*/ if (pMofInfo->strSortField == NULL){ pMofData = FindMofData(pMofInfo, NULL); } else if ( (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_START) || (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_DC_START)){ WCHAR strSortKey[MAXSTR];
RtlZeroMemory(strSortKey, MAXSTR * sizeof(WCHAR) );
GetMofData(pEvent, pMofInfo->strSortField, &strSortKey[0], MAXSTR); pMofData = FindMofData(pMofInfo, strSortKey ); // pThread->strSortKey is static array
StringCchCopyW(pThread->strSortKey, MAXSTR, strSortKey );
}else{ pMofData = FindMofData( pMofInfo, pThread->strSortKey ); }
pProcess = pThread->pProcess; if ( (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_START) || (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_DC_START)){ pThreadTrans = FindTransByList(& pThread->TransListHead, & pMofInfo->Guid, pThread->TransLevel); } else { LONG i = pThread->TransLevel - 1;
while (i >= 0) { if (IsEqualGUID(& pHeader->Guid, pThread->TransStack[i]->pGuid)) { pThreadTrans = pThread->TransStack[i]; break; } i --; } if (i < 0) { pThreadTrans = FindTransByList(& pThread->TransListHead, &pMofInfo->Guid, (pThread->TransLevel >= 0) ? (pThread->TransLevel) : (0)); if (pThread->TransLevel < 0) { pThread->TransLevel = 0; pThread->TransStack[pThread->TransLevel] = pThreadTrans; pThread->TransLevel ++; }
} }
if (pMofData == NULL) { return; }
if (pMofData->PrevClockTime == 0) { pMofData->PrevClockTime = pHeader->TimeStamp.QuadPart; }
delta = (pHeader->TimeStamp.QuadPart - pMofData->PrevClockTime);
pMofData->TotalResponseTime += (delta * pMofData->InProgressCount) / 10000;
// Update the Clock
pMofData->PrevClockTime = pHeader->TimeStamp.QuadPart;
if ( (pHeader->Class.Type == EVENT_TRACE_TYPE_START) || (pHeader->Class.Type == EVENT_TRACE_TYPE_DC_START)) { if (pThread->TransLevel < 0) { pThread->TransLevel = 0; }
if (pThread->TransLevel == 0) { LONG lDelta;
lDelta = pHeader->KernelTime - pThread->KCPU_PrevTrans; if (lDelta > 0) { pThread->KCPU_NoTrans += lDelta; pThread->KCPU_PrevTrans = pHeader->KernelTime; } lDelta = pHeader->UserTime - pThread->UCPU_PrevTrans; if (lDelta > 0) { pThread->UCPU_NoTrans += lDelta; pThread->UCPU_PrevTrans = pHeader->UserTime; } } else { PTRANS_RECORD pTransPrev = pThread->TransStack[pThread->TransLevel - 1]; PMOF_INFO pMofInfoPrev = GetMofInfoHead(pTransPrev->pGuid); PMOF_DATA pMofDataPrev = NULL; ULONG DeltaCPU;
if (pMofInfoPrev != NULL) { pMofDataPrev = FindMofData(pMofInfoPrev, NULL); }
if (pMofDataPrev) { DeltaCPU = GetDeltaWithTimeWindow( TRUE, pThread, pThread->Time_PrevEvent, (ULONGLONG) pHeader->TimeStamp.QuadPart, pThread->KCPU_PrevEvent, pHeader->KernelTime); DeltaCPU = DeltaCPU * CurrentSystem.TimerResolution;
pTransPrev->KCpu += DeltaCPU; pMofDataPrev->KernelCPU += DeltaCPU; if (pMofDataPrev->MaxKCpu < 0) { pMofDataPrev->MaxKCpu = DeltaCPU; pMofDataPrev->MinKCpu = DeltaCPU; } if (DeltaCPU > (ULONG) pMofDataPrev->MaxKCpu) { pMofDataPrev->MaxKCpu = DeltaCPU; } if (DeltaCPU < (ULONG) pMofDataPrev->MinKCpu) { pMofDataPrev->MinKCpu = DeltaCPU; }
DeltaCPU = GetDeltaWithTimeWindow( FALSE, pThread, pThread->Time_PrevEvent, (ULONGLONG) pHeader->TimeStamp.QuadPart, pThread->UCPU_PrevEvent, pHeader->UserTime); DeltaCPU = DeltaCPU * CurrentSystem.TimerResolution;
pTransPrev->UCpu += DeltaCPU; pMofDataPrev->UserCPU += DeltaCPU; if (pMofDataPrev->MaxUCpu < 0) { pMofDataPrev->MaxUCpu = DeltaCPU; pMofDataPrev->MinUCpu = DeltaCPU; } if (DeltaCPU > (ULONG) pMofDataPrev->MaxUCpu) { pMofDataPrev->MaxUCpu = DeltaCPU; } if (DeltaCPU < (ULONG) pMofDataPrev->MinUCpu) { pMofDataPrev->MinUCpu = DeltaCPU; } } }
if( pThreadTrans != NULL ){ if( ! pThreadTrans->bStarted ){ pThreadTrans->bStarted = TRUE;
pMofData->InProgressCount ++;
if (pHeader->Class.Type == EVENT_TRACE_TYPE_START) { pThread->RefCount ++; pThreadTrans->RefCount ++; } else { pThreadTrans->RefCount1 ++; }
pThread->pMofData = pMofData;
pThread->TransStack[pThread->TransLevel] = pThreadTrans; pThread->TransLevel ++; } } pThread->Time_PrevEvent = (ULONGLONG) pHeader->TimeStamp.QuadPart; pThread->KCPU_PrevEvent = pHeader->KernelTime; pThread->UCPU_PrevEvent = pHeader->UserTime;
pThread->DeltaReadIO = pThread->ReadIO; pThread->DeltaWriteIO = pThread->WriteIO;
pThread->DeltaSend = pThread->SendCount; pThread->DeltaRecv = pThread->RecvCount; } else if ( (pHeader->Class.Type == EVENT_TRACE_TYPE_END) || (pHeader->Class.Type == EVENT_TRACE_TYPE_DC_END)) { ULONG DeltaCPU; BOOLEAN fSwitch = TRUE; if( pThreadTrans != NULL ){
if (pThreadTrans->bStarted){
PTRANS_RECORD pTransCurrent; PMOF_INFO pMofInfoCurrent; PMOF_DATA pMofDataCurrent; BOOLEAN fCharged = FALSE;
if (pThread->TransLevel <= 0) { pThread->TransLevel = 0; } else { do { pThread->TransLevel --; pTransCurrent = pThread->TransStack[pThread->TransLevel]; if (pTransCurrent->bStarted) { pTransCurrent->bStarted = FALSE; }
pMofInfoCurrent = GetMofInfoHead( pTransCurrent->pGuid ); pMofDataCurrent = NULL;
if (pMofInfoCurrent != NULL) { pMofDataCurrent = FindMofData(pMofInfoCurrent, NULL); }
if (!pMofDataCurrent) continue;
pMofDataCurrent->InProgressCount--;
if (pMofDataCurrent->InProgressCount < 0){ pMofDataCurrent->InProgressCount = 0; } pMofDataCurrent->CompleteCount++;
pMofDataCurrent->AverageResponseTime = (pMofDataCurrent->CompleteCount > 0) ? ( (LONG) pMofDataCurrent->TotalResponseTime / pMofDataCurrent->CompleteCount) : 0;
if (fCharged) continue;
DeltaCPU = GetDeltaWithTimeWindow( TRUE, pThread, pThread->Time_PrevEvent, (ULONGLONG) pHeader->TimeStamp.QuadPart, pThread->KCPU_PrevEvent, pHeader->KernelTime); DeltaCPU = DeltaCPU * CurrentSystem.TimerResolution;
pTransCurrent->KCpu += DeltaCPU; pMofDataCurrent->KernelCPU += DeltaCPU; if (pMofDataCurrent->MaxKCpu < 0) { pMofDataCurrent->MaxKCpu = DeltaCPU; pMofDataCurrent->MinKCpu = DeltaCPU; } if (DeltaCPU > (ULONG) pMofDataCurrent->MaxKCpu) { pMofDataCurrent->MaxKCpu = DeltaCPU; } if (DeltaCPU < (ULONG) pMofDataCurrent->MinKCpu) { pMofDataCurrent->MinKCpu = DeltaCPU; }
DeltaCPU = GetDeltaWithTimeWindow( FALSE, pThread, pThread->Time_PrevEvent, (ULONGLONG) pHeader->TimeStamp.QuadPart, pThread->UCPU_PrevEvent, pHeader->UserTime); DeltaCPU = DeltaCPU * CurrentSystem.TimerResolution;
pTransCurrent->UCpu += DeltaCPU; pMofDataCurrent->UserCPU += DeltaCPU; if(pMofDataCurrent->MaxUCpu < 0) { pMofDataCurrent->MaxUCpu = DeltaCPU; pMofDataCurrent->MinUCpu = DeltaCPU; } if (DeltaCPU > (ULONG) pMofDataCurrent->MaxUCpu) { pMofDataCurrent->MaxUCpu = DeltaCPU; } fCharged = TRUE; }while ( pThread->TransLevel > 0 && !IsEqualGUID(& pHeader->Guid, pTransCurrent->pGuid)); }
pThread->Time_PrevEvent = (ULONGLONG) pHeader->TimeStamp.QuadPart; pThread->KCPU_PrevEvent = pHeader->KernelTime; pThread->UCPU_PrevEvent = pHeader->UserTime; } else { DeltaCPU = GetDeltaWithTimeWindow( TRUE, pThread, (ULONGLONG) pHeader->TimeStamp.QuadPart, (ULONGLONG) pHeader->TimeStamp.QuadPart, pHeader->KernelTime, pHeader->KernelTime); DeltaCPU = DeltaCPU * CurrentSystem.TimerResolution;
pThreadTrans->KCpu += DeltaCPU; pMofData->KernelCPU += DeltaCPU; if (pMofData->MaxKCpu < 0) { pMofData->MaxKCpu = DeltaCPU; pMofData->MinKCpu = DeltaCPU; } if (DeltaCPU > (ULONG) pMofData->MaxKCpu) { pMofData->MaxKCpu = DeltaCPU; } if (DeltaCPU < (ULONG) pMofData->MinKCpu) { pMofData->MinKCpu = DeltaCPU; }
DeltaCPU = GetDeltaWithTimeWindow( FALSE, pThread, (ULONGLONG) pHeader->TimeStamp.QuadPart, (ULONGLONG) pHeader->TimeStamp.QuadPart, pHeader->UserTime, pHeader->UserTime); DeltaCPU = DeltaCPU * CurrentSystem.TimerResolution;
pThreadTrans->UCpu += DeltaCPU; pMofData->UserCPU += DeltaCPU; if(pMofData->MaxUCpu < 0) { pMofData->MaxUCpu = DeltaCPU; pMofData->MinUCpu = DeltaCPU; } if (DeltaCPU > (ULONG) pMofData->MaxUCpu) { pMofData->MaxUCpu = DeltaCPU; } if (DeltaCPU < (ULONG) pMofData->MinUCpu) { pMofData->MinUCpu = DeltaCPU; }
fSwitch = FALSE; } }
pMofData->ReadCount += (pThread->ReadIO - pThread->DeltaReadIO); pMofData->WriteCount += (pThread->WriteIO - pThread->DeltaWriteIO); pMofData->SendCount += (pThread->SendCount - pThread->DeltaSend); pMofData->RecvCount += (pThread->RecvCount - pThread->DeltaRecv); pThread->pMofData = NULL;
if (fSwitch && pThread->TransLevel <= 0) { LONG lDelta;
if (pThread->TransLevel < 0) { pThread->TransLevel = 0; } lDelta = pHeader->KernelTime - pThread->KCPU_PrevTrans; if (lDelta > 0) { pThread->KCPU_Trans += lDelta; pThread->KCPU_PrevTrans = pHeader->KernelTime; } lDelta = pHeader->UserTime - pThread->UCPU_PrevTrans; if (lDelta > 0) { pThread->UCPU_Trans += lDelta; pThread->UCPU_PrevTrans = pHeader->UserTime; } } }}
//
// This routine moves the temporary MOF_VERSION list
// into the VersionHeader list for this GUID (MofInfo)
//
voidFlushMofVersionList( PMOF_INFO pMofInfo, PLIST_ENTRY ListHead ){ PMOF_VERSION pMofVersion; PLIST_ENTRY Head = ListHead; PLIST_ENTRY Next = Head->Flink;
while( Head != Next ){ pMofVersion = CONTAINING_RECORD(Next, MOF_VERSION, Entry); Next = Next->Flink;
RemoveEntryList(&pMofVersion->Entry); if (pMofInfo != NULL) { InsertTailList( &pMofInfo->VersionHeader, &pMofVersion->Entry); } else { free(pMofVersion); //
// Really should not hit this case
//
/*
#if DBG
DbgPrint("TRACECTR: FlushMofVersionList. MofInfo ptr is NULL\n"); ASSERT (pMofInfo != NULL);#endif
*/ } }}
voidDumpMofVersionItem( PMOF_VERSION pMofVersion ){ PLIST_ENTRY Head = &pMofVersion->ItemHeader; PLIST_ENTRY Next = Head->Flink; PITEM_DESC pItem;
DbgPrint("MOF_VERSION: Version %d Level %d Type %d strType %ws\n", pMofVersion->Version, pMofVersion->Level, pMofVersion->TypeIndex, pMofVersion->strType);
while( Head != Next ){ pItem = CONTAINING_RECORD(Next, ITEM_DESC, Entry); Next = Next->Flink;
DbgPrint("Name %ws Size %d ItemType %d\n", pItem->strDescription, pItem->DataSize, pItem->ItemType);
} }
voidDumpMofList(){ PMOF_INFO pMofInfo; PLIST_ENTRY Head = &CurrentSystem.EventListHead; PLIST_ENTRY Next = Head->Flink;
while( Head != Next ){ pMofInfo = CONTAINING_RECORD(Next, MOF_INFO, Entry); Next = Next->Flink;
//
// Count the MOF Fields for this Guid and Type
//
DbgPrint("Name %ws KernelEvent %d\n", pMofInfo->strDescription, pMofInfo->bKernelEvent);
}}
PMOF_VERSIONGetGuids( GUID Guid, SHORT nVersion, CHAR nLevel, SHORT nType, BOOL bKernelEvent ){ if ( TraceContext->Flags & TRACE_USE_WBEM ){ return GetGuidsWBEM( Guid, nVersion, nLevel, nType, bKernelEvent ); }else{ return GetGuidsMofFiles( Guid, nVersion, nLevel, nType, bKernelEvent ); }}
HRESULTWbemConnect( IWbemServices** pWbemServices ){ IWbemLocator *pLocator = NULL;
BSTR bszNamespace = SysAllocString( L"root\\wmi" );
HRESULT hr = CoInitialize(0);
hr = CoCreateInstance( CLSID_WbemLocator, 0, CLSCTX_INPROC_SERVER, IID_IWbemLocator, (LPVOID *) &pLocator ); CHECK_HR( hr );
hr = pLocator->ConnectServer( bszNamespace, NULL, NULL, NULL, 0L, NULL, NULL, pWbemServices ); CHECK_HR( hr );
hr = CoSetProxyBlanket( *pWbemServices, RPC_C_AUTHN_WINNT, RPC_C_AUTHZ_NONE, NULL, RPC_C_AUTHN_LEVEL_PKT, RPC_C_IMP_LEVEL_IMPERSONATE, NULL, EOAC_NONE );
cleanup: SysFreeString( bszNamespace );
if( pLocator ){ pLocator->Release(); pLocator = NULL; } return hr;}
ULONG GetArraySize( IN IWbemQualifierSet *pQualSet ){ ULONG ArraySize = 1; VARIANT pVal; BSTR bszMaxLen; HRESULT hRes;
if (pQualSet == NULL){ return ArraySize; }
bszMaxLen = SysAllocString(L"MAX"); VariantInit(&pVal); hRes = pQualSet->Get(bszMaxLen, 0, &pVal, 0); SysFreeString(bszMaxLen); if (ERROR_SUCCESS == hRes && pVal.vt == VT_I4 ){ ArraySize = pVal.lVal; } VariantClear(&pVal); return ArraySize;}
ITEM_TYPEGetItemType( IN CIMTYPE_ENUMERATION CimType, IN IWbemQualifierSet *pQualSet ){ ITEM_TYPE Type = ItemUnknown;; VARIANT pVal; HRESULT hRes; BSTR bszQualName; WCHAR strFormat[10]; WCHAR strTermination[30]; WCHAR strTemp[30]; BOOLEAN IsPointer = FALSE;
strFormat[0] = '\0'; strTermination[0] = '\0'; strTemp[0] = '\0';
if (pQualSet == NULL) return ItemUnknown;
bszQualName = SysAllocString(L"format"); VariantInit(&pVal); hRes = pQualSet->Get(bszQualName, 0, &pVal, 0); SysFreeString(bszQualName); if (ERROR_SUCCESS == hRes && NULL != pVal.bstrVal) StringCchCopyW(strFormat, 10, pVal.bstrVal);
bszQualName = SysAllocString(L"StringTermination"); VariantClear(&pVal); hRes = pQualSet->Get(bszQualName, 0, &pVal, 0); SysFreeString(bszQualName); if (ERROR_SUCCESS == hRes && NULL != pVal.bstrVal) StringCchCopyW(strTermination, 30, pVal.bstrVal);
bszQualName = SysAllocString(L"pointer"); VariantClear(&pVal); hRes = pQualSet->Get(bszQualName, 0, &pVal, 0); SysFreeString(bszQualName); if (ERROR_SUCCESS == hRes) IsPointer = TRUE; bszQualName = SysAllocString(L"PointerType"); VariantClear(&pVal); hRes = pQualSet->Get(bszQualName, 0, &pVal, 0); SysFreeString(bszQualName); if (ERROR_SUCCESS == hRes) IsPointer = TRUE; // Major fix required to get rid of temp
bszQualName = SysAllocString(L"extension"); VariantClear(&pVal); hRes = pQualSet->Get(bszQualName, 0, &pVal, 0); SysFreeString(bszQualName); if (ERROR_SUCCESS == hRes && NULL != pVal.bstrVal) StringCchCopyW(strTemp, 30, pVal.bstrVal);
VariantClear(&pVal); CimType = (CIMTYPE_ENUMERATION)(CimType & (~CIM_FLAG_ARRAY));
switch (CimType) { case CIM_EMPTY: Type = ItemUnknown; break; case CIM_SINT8: Type = ItemCharShort; if (!_wcsicmp(strFormat, L"c")){ Type = ItemChar; } break; case CIM_UINT8: Type = ItemUChar; if (!_wcsicmp(strTemp, L"NoPrint")) { Type = ItemCharHidden; } break; case CIM_SINT16: Type = ItemShort; break; case CIM_UINT16: Type = ItemUShort; if (!_wcsicmp(strTemp, L"TDIAddrType")) { Type = ItemTDIAddr; } break; case CIM_SINT32: Type = ItemLong; break; case CIM_UINT32: Type = ItemULong; if (!_wcsicmp(strFormat, L"x")){ Type = ItemULongX; } break; case CIM_SINT64: Type = ItemLongLong; break; case CIM_UINT64: Type = ItemULongLong; break; case CIM_BOOLEAN: // ItemBool
Type = ItemBool; break; case CIM_STRING: if (!_wcsicmp(strTermination, L"NullTerminated")) { if (!_wcsicmp(strFormat, L"w")) Type = ItemWString; else Type = ItemString; } else if (!_wcsicmp(strTermination, L"Counted")) { if (!_wcsicmp(strFormat, L"w")) Type = ItemPWString; else Type = ItemPString; } else if (!_wcsicmp(strTermination, L"ReverseCounted")) { if (!_wcsicmp(strFormat, L"w")) Type = ItemDSWString; else Type = ItemDSString; } else if (!_wcsicmp(strTermination, L"NotCounted")) { Type = ItemNWString; }else{ Type = ItemString; } break; case CIM_CHAR16: // ItemWChar
Type = ItemWChar; break; // Major fix required for executing methods from WBEM
case CIM_OBJECT : if (!_wcsicmp(strTemp, L"Port")) Type = ItemPort; else if (!_wcsicmp(strTemp, L"SizeT")) Type = ItemSizeT; else if (!_wcsicmp(strTemp, L"RString")) Type = ItemRString; else if (!_wcsicmp(strTemp, L"RWString")) Type = ItemRWString; else if (!_wcsicmp(strTemp, L"IPAddr")) Type = ItemIPAddr; else if (!_wcsicmp(strTemp, L"Sid")) Type = ItemSid; else if (!_wcsicmp(strTemp, L"Guid")) Type = ItemGuid; else if (!_wcsicmp(strTemp, L"Variant")) Type = ItemVariant; else Type = ItemUnknown; break;
case CIM_REAL32: case CIM_REAL64: case CIM_DATETIME: case CIM_REFERENCE: case CIM_ILLEGAL: default: Type = ItemUnknown; break; }
if (IsPointer) Type = ItemPtr; return Type;}
PVALUEMAPGetValueMap( IWbemQualifierSet* pQualSet ){ VARIANT var; SAFEARRAY* saValues = NULL; SAFEARRAY* saValueMap = NULL; SAFEARRAY* saValueNumber = NULL; PVALUEMAP pValueMap = NULL;
HRESULT hr; DWORD dwValueType = VALUETYPE_INDEX;
if( pQualSet != NULL ){ hr = pQualSet->Get( L"ValueMap", 0, &var, NULL ); if( ERROR_SUCCESS == hr && (var.vt & VT_ARRAY) ){ saValueMap = var.parray; }
hr = pQualSet->Get( L"Values", 0, &var, NULL ); if( SUCCEEDED(hr) && (var.vt & VT_ARRAY) ){ saValues = var.parray; }
hr = pQualSet->Get( L"ValueType", 0, &var, NULL ); if( SUCCEEDED(hr) ){ if( _wcsicmp( var.bstrVal, L"index" ) == 0 ){ dwValueType = VALUETYPE_INDEX; } if( _wcsicmp( var.bstrVal, L"flag") == 0 ){ dwValueType = VALUETYPE_FLAG; } }
if( saValues != NULL && saValueMap != NULL ){ BSTR HUGEP *pValueMapData; BSTR HUGEP *pValuesData; LONG HUGEP *pValueNumberData;
LONG uMapBound, lMapBound; LONG uValuesBound, lValuesBound; SafeArrayGetUBound( saValueMap, 1, &uMapBound ); SafeArrayGetLBound( saValueMap, 1, &lMapBound ); SafeArrayAccessData( saValueMap, (void HUGEP **)&pValueMapData ); SafeArrayGetUBound( saValues, 1, &uValuesBound ); SafeArrayGetLBound( saValues, 1, &lValuesBound ); SafeArrayAccessData( saValues, (void HUGEP **)&pValuesData );
saValueNumber = SafeArrayCreateVector( VT_I4, 0, (uMapBound-lMapBound)+1 );
SafeArrayAccessData( saValueNumber, (void HUGEP **)&pValueNumberData );
for ( LONG i=lMapBound; i<=uMapBound; i++) {
if( i<lValuesBound || i>uValuesBound ){ pValueNumberData[i] = 0; }else{ pValueNumberData[i] = StringToNumber( pValueMapData[i] ); } }
SafeArrayUnaccessData( saValueMap ); SafeArrayUnaccessData( saValues ); SafeArrayUnaccessData( saValueNumber ); pValueMap = (PVALUEMAP)malloc( sizeof(VALUEMAP) ); if( NULL == pValueMap ){ SafeArrayDestroy( saValueMap ); SafeArrayDestroy( saValues ); SafeArrayDestroy( saValueNumber ); return NULL; }
InsertTailList( &g_ValueMapTable, &pValueMap->Entry);
pValueMap->dwValueType = dwValueType; pValueMap->saValueMap = saValueNumber; pValueMap->saValues = saValues;
SafeArrayDestroy( saValueMap ); return pValueMap;
}else if( saValues != NULL ){ pValueMap = (PVALUEMAP)malloc( sizeof(VALUEMAP) ); if( NULL == pValueMap ){ return NULL; }
InsertTailList( &g_ValueMapTable, &pValueMap->Entry);
pValueMap->dwValueType = VALUETYPE_INDEX; pValueMap->saValueMap = NULL; pValueMap->saValues = saValues;
return pValueMap; }
}
return NULL;}
PMOF_VERSIONGetPropertiesFromWBEM( IWbemClassObject *pTraceSubClasses, GUID Guid, SHORT nVersion, CHAR nLevel, SHORT nType, BOOL bKernelEvent){ IEnumWbemClassObject *pEnumTraceSubSubClasses = NULL; IWbemClassObject *pTraceSubSubClasses = NULL; IWbemQualifierSet *pQualSet = NULL;
PMOF_INFO pMofInfo = NULL; PMOF_VERSION pMofLookup = NULL, pMofVersion = NULL;
BSTR bszClassName = NULL; BSTR bszSubClassName = NULL; BSTR bszWmiDataId = NULL; BSTR bszEventType = NULL; BSTR bszEventTypeName = NULL; BSTR bszFriendlyName = NULL; BSTR bszPropName = NULL;
WCHAR strClassName[MAXSTR]; WCHAR strType[MAXSTR]; LONG pVarType; SHORT nEventType = EVENT_TYPE_DEFAULT;
LIST_ENTRY ListHead; HRESULT hRes;
VARIANT pVal; VARIANT pTypeVal; VARIANT pTypeNameVal; VARIANT pClassName; ULONG lEventTypeWbem; // when types are in an array.
ULONG HUGEP *pTypeData; BSTR HUGEP *pTypeNameData;
SAFEARRAY *PropArray = NULL; SAFEARRAY *TypeArray = NULL; SAFEARRAY *TypeNameArray = NULL;
long lLower, lUpper, lCount, IdIndex; long lTypeLower, lTypeUpper; long lTypeNameLower, lTypeNameUpper;
ULONG ArraySize;
ITEM_TYPE ItemType;
InitializeListHead(&ListHead);
VariantInit(&pVal); VariantInit(&pTypeVal); VariantInit(&pTypeNameVal); VariantInit(&pClassName);
pMofInfo = GetMofInfoHead( &Guid ); if( NULL == pMofInfo ){ return NULL; } pMofInfo->bKernelEvent = bKernelEvent;
bszClassName = SysAllocString(L"__CLASS"); bszWmiDataId = SysAllocString(L"WmiDataId"); bszEventType = SysAllocString(L"EventType"); bszEventTypeName = SysAllocString(L"EventTypeName"); bszFriendlyName = SysAllocString(L"DisplayName");
hRes = pTraceSubClasses->Get(bszClassName, // property name
0L, &pVal, // output to this variant
NULL, NULL); if (ERROR_SUCCESS == hRes){ if (pQualSet) { pQualSet->Release(); pQualSet = NULL; } // Get Qualifier Set to obtain the friendly name.
pTraceSubClasses->GetQualifierSet(&pQualSet); hRes = pQualSet->Get(bszFriendlyName, 0, &pClassName, 0); if (ERROR_SUCCESS == hRes && pClassName.bstrVal != NULL) { StringCchCopyW(strClassName, MAXSTR, pClassName.bstrVal); pMofInfo->strDescription = (LPWSTR)malloc((wcslen(strClassName) + 1) * sizeof(WCHAR)); if (NULL != pMofInfo->strDescription) { StringCchCopyW(pMofInfo->strDescription, wcslen(strClassName) + 1, strClassName); } }else{ strClassName[0] = L'\0'; } // Put Event Header
pMofVersion = GetNewMofVersion( EVENT_TYPE_DEFAULT, EVENT_VERSION_DEFAULT, EVENT_LEVEL_DEFAULT ); if (pMofVersion != NULL) { pMofLookup = pMofVersion; InsertTailList(&ListHead, &pMofVersion->Entry); } else{ goto cleanup; }
// Create an enumerator to find derived classes.
bszSubClassName = SysAllocString(pVal.bstrVal); hRes = pWbemServices->CreateClassEnum ( bszSubClassName, // class name
WBEM_FLAG_SHALLOW | WBEM_FLAG_USE_AMENDED_QUALIFIERS, // shallow search
NULL, &pEnumTraceSubSubClasses ); SysFreeString ( bszSubClassName ); if (ERROR_SUCCESS == hRes) { ULONG uReturnedSub = 1;
while(uReturnedSub == 1){ // For each event in the subclass
pTraceSubSubClasses = NULL; hRes = pEnumTraceSubSubClasses->Next((-1), // timeout in infinite seconds
1, // return just one instance
&pTraceSubSubClasses, // pointer to a Sub class
&uReturnedSub); // number obtained: one or zero
if (ERROR_SUCCESS == hRes && uReturnedSub == 1) { if (pQualSet) { pQualSet->Release(); pQualSet = NULL; } // Get Qualifier Set.
pTraceSubSubClasses->GetQualifierSet(&pQualSet); // Get Type number among Qualifiers
VariantClear(&pTypeVal); hRes = pQualSet->Get(bszEventType, 0, &pTypeVal, 0); if (ERROR_SUCCESS == hRes) { TypeArray = NULL; TypeNameArray = NULL; if (pTypeVal.vt & VT_ARRAY) { // EventType is an array
TypeArray = pTypeVal.parray; VariantClear(&pTypeNameVal); hRes = pQualSet->Get(bszEventTypeName, 0, &pTypeNameVal, 0); if ((ERROR_SUCCESS == hRes) && (pTypeNameVal.vt & VT_ARRAY)) { TypeNameArray = pTypeNameVal.parray; } if (TypeArray != NULL) { hRes = SafeArrayGetLBound(TypeArray, 1, &lTypeLower); if (ERROR_SUCCESS != hRes) { break; } hRes = SafeArrayGetUBound(TypeArray, 1, &lTypeUpper); if (ERROR_SUCCESS != hRes) { break; } if (lTypeUpper < 0) { break; } SafeArrayAccessData(TypeArray, (void HUGEP **)&pTypeData );
if (TypeNameArray != NULL) { hRes = SafeArrayGetLBound(TypeNameArray, 1, &lTypeNameLower); if (ERROR_SUCCESS != hRes) { break; } hRes = SafeArrayGetUBound(TypeNameArray, 1, &lTypeNameUpper); if (ERROR_SUCCESS != hRes) { break; } if (lTypeNameUpper < 0) break; SafeArrayAccessData(TypeNameArray, (void HUGEP **)&pTypeNameData ); }
for (lCount = lTypeLower; lCount <= lTypeUpper; lCount++) { lEventTypeWbem = pTypeData[lCount]; nEventType = (SHORT)lEventTypeWbem; pMofVersion = GetNewMofVersion(nEventType, nVersion, nLevel); if (pMofVersion != NULL) { InsertTailList(&ListHead, &pMofVersion->Entry); if (nType == nEventType) { // Type matched
pMofLookup = pMofVersion; } if (TypeNameArray != NULL) { if ((lCount >= lTypeNameLower) && (lCount <= lTypeNameUpper)) { pMofVersion->strType = (LPWSTR)malloc((wcslen(pTypeNameData[lCount]) + 1) * sizeof(WCHAR)); if (pMofVersion->strType != NULL){ StringCchCopyW(pMofVersion->strType, wcslen(pTypeNameData[lCount]) + 1, (LPWSTR)(pTypeNameData[lCount])); } } } } } SafeArrayUnaccessData(TypeArray); SafeArrayDestroy(TypeArray); VariantInit(&pTypeVal); if (TypeNameArray != NULL) { SafeArrayUnaccessData(TypeNameArray); SafeArrayDestroy(TypeNameArray); VariantInit(&pTypeNameVal); } } else { //
// If the Types or TypeName is not found, then bail
//
break; } } else { // EventType is scalar
hRes = VariantChangeType(&pTypeVal, &pTypeVal, 0, VT_I2); if (ERROR_SUCCESS == hRes) nEventType = (SHORT)V_I2(&pTypeVal); else nEventType = (SHORT)V_I4(&pTypeVal);
VariantClear(&pTypeNameVal); hRes = pQualSet->Get(bszEventTypeName, 0, &pTypeNameVal, 0); if (ERROR_SUCCESS == hRes) { StringCchCopyW(strType, MAXSTR, pTypeNameVal.bstrVal); } else{ strType[0] = '\0'; }
pMofVersion = GetNewMofVersion(nEventType, nVersion, nLevel); if (pMofVersion != NULL) { InsertTailList(&ListHead, &pMofVersion->Entry); if (nType == nEventType) { // Type matched
pMofLookup = pMofVersion; } pMofVersion->strType = (LPWSTR)malloc((wcslen(strType) + 1) * sizeof(WCHAR)); if (pMofVersion->strType != NULL){ StringCchCopyW(pMofVersion->strType, wcslen(strType) + 1, strType); } } }
// Get event layout
VariantClear(&pVal); IdIndex = 1; V_VT(&pVal) = VT_I4; V_I4(&pVal) = IdIndex; // For each property
PropArray = NULL; while (pTraceSubSubClasses->GetNames(bszWmiDataId, // only properties with WmiDataId qualifier
WBEM_FLAG_ONLY_IF_IDENTICAL, &pVal, // WmiDataId number starting from 1
&PropArray) == WBEM_NO_ERROR) {
hRes = SafeArrayGetLBound(PropArray, 1, &lLower); if (ERROR_SUCCESS != hRes) { break; } hRes = SafeArrayGetUBound(PropArray, 1, &lUpper); if (ERROR_SUCCESS != hRes) { break; } if (lUpper < 0) break; // This loop will iterate just once.
for (lCount = lLower; lCount <= lUpper; lCount++) { hRes = SafeArrayGetElement(PropArray, &lCount, &bszPropName); if (ERROR_SUCCESS != hRes) { break; } hRes = pTraceSubSubClasses->Get(bszPropName, // Property name
0L, NULL, &pVarType, // CIMTYPE of the property
NULL); if (ERROR_SUCCESS != hRes) { break; }
// Get the Qualifier set for the property
if (pQualSet) { pQualSet->Release(); pQualSet = NULL; } hRes = pTraceSubSubClasses->GetPropertyQualifierSet(bszPropName, &pQualSet);
if (ERROR_SUCCESS != hRes) { break; } ItemType = GetItemType((CIMTYPE_ENUMERATION)pVarType, pQualSet); if( pVarType & CIM_FLAG_ARRAY ){ ArraySize = GetArraySize(pQualSet); }else{ ArraySize = 1; } PVALUEMAP pValueMap = NULL;
pValueMap = GetValueMap( pQualSet );
AddMofInfo(&ListHead, bszPropName, ItemType, ArraySize, pValueMap ); }
SafeArrayDestroy(PropArray); PropArray = NULL; V_I4(&pVal) = ++IdIndex; } // end enumerating through WmiDataId
FlushMofVersionList(pMofInfo, &ListHead); } // if getting event type was successful
} // if enumeration returned a subclass successfully
} // end enumerating subclasses
} // if enumeration was created successfully
} // if getting class name was successful
cleanup: VariantClear(&pVal); VariantClear(&pTypeVal); VariantClear(&pClassName);
SysFreeString(bszClassName); SysFreeString(bszWmiDataId); SysFreeString(bszEventType); SysFreeString(bszEventTypeName); SysFreeString(bszFriendlyName); // Should not free bszPropName becuase it is already freed by SafeArrayDestroy
FlushMofVersionList(pMofInfo, &ListHead);
return pMofLookup;}
PMOF_VERSIONGetGuidsWBEM ( GUID Guid, SHORT nVersion, CHAR nLevel, SHORT nType, BOOL bKernelEvent ){ IEnumWbemClassObject *pEnumTraceSubClasses = NULL, *pEnumTraceSubSubClasses = NULL; IWbemClassObject *pTraceSubClasses = NULL, *pTraceSubSubClasses = NULL; IWbemQualifierSet *pQualSet = NULL;
BSTR bszInstance = NULL; BSTR bszPropertyName = NULL; BSTR bszSubClassName = NULL; BSTR bszGuid = NULL; BSTR bszVersion = NULL;
WCHAR strGuid[MAXGUIDSTR], strTargetGuid[MAXGUIDSTR]; HRESULT hRes;
VARIANT pVal; VARIANT pGuidVal; VARIANT pVersionVal;
UINT nCounter=0; BOOLEAN MatchFound; SHORT nEventVersion = EVENT_VERSION_DEFAULT;
PMOF_VERSION pMofLookup = NULL;
VariantInit(&pVal); VariantInit(&pGuidVal); VariantInit(&pVersionVal); if (NULL == pWbemServices) { hRes = WbemConnect( &pWbemServices ); CHECK_HR( hRes ); }
// Convert traget GUID to string for later comparison
CpdiGuidToString(strTargetGuid, MAXGUIDSTR, &Guid); bszInstance = SysAllocString(L"EventTrace"); bszPropertyName = SysAllocString(L"__CLASS"); bszGuid = SysAllocString(L"Guid"); bszVersion = SysAllocString(L"EventVersion"); pEnumTraceSubClasses = NULL;
// Get an enumerator for all classes under "EventTace".
hRes = pWbemServices->CreateClassEnum ( bszInstance, WBEM_FLAG_SHALLOW | WBEM_FLAG_USE_AMENDED_QUALIFIERS, NULL, &pEnumTraceSubClasses ); SysFreeString (bszInstance);
if (ERROR_SUCCESS == hRes) { ULONG uReturned = 1; MatchFound = FALSE; while (uReturned == 1) { pTraceSubClasses = NULL; // Get the next ClassObject.
hRes = pEnumTraceSubClasses->Next((-1), // timeout in infinite seconds
1, // return just one instance
&pTraceSubClasses, // pointer to Event Trace Sub Class
&uReturned); // number obtained: one or zero
if (ERROR_SUCCESS == hRes && (uReturned == 1)) { // Get the class name
hRes = pTraceSubClasses->Get(bszPropertyName, // property name
0L, &pVal, // output to this variant
NULL, NULL);
if (ERROR_SUCCESS == hRes){
bszSubClassName = SysAllocString(pVal.bstrVal); // Create an enumerator to find derived classes.
hRes = pWbemServices->CreateClassEnum ( bszSubClassName, WBEM_FLAG_SHALLOW | WBEM_FLAG_USE_AMENDED_QUALIFIERS, NULL, &pEnumTraceSubSubClasses ); SysFreeString ( bszSubClassName ); VariantClear(&pVal);
if (ERROR_SUCCESS == hRes) { ULONG uReturnedSub = 1; MatchFound = FALSE; while(uReturnedSub == 1){
pTraceSubSubClasses = NULL; // enumerate through the resultset.
hRes = pEnumTraceSubSubClasses->Next((-1), // timeout in infinite seconds
1, // return just one instance
&pTraceSubSubClasses, // pointer to a Sub class
&uReturnedSub); // number obtained: one or zero
if (ERROR_SUCCESS == hRes && uReturnedSub == 1) { // Get the subclass name
hRes = pTraceSubSubClasses->Get(bszPropertyName, // Class name
0L, &pVal, // output to this variant
NULL, NULL); VariantClear(&pVal);
if (ERROR_SUCCESS == hRes){
// Get Qualifier Set.
if (pQualSet) { pQualSet->Release(); pQualSet = NULL; } pTraceSubSubClasses->GetQualifierSet (&pQualSet );
// Get GUID among Qualifiers
hRes = pQualSet->Get(bszGuid, 0, &pGuidVal, 0);
if (ERROR_SUCCESS == hRes) { StringCchCopyW(strGuid, MAXGUIDSTR, (LPWSTR)V_BSTR(&pGuidVal)); VariantClear ( &pGuidVal ); if (!wcsstr(strGuid, L"{")) { WCHAR strTempGuid[MAXGUIDSTR]; StringCchCopyW(strTempGuid, MAXGUIDSTR, strGuid); StringCchPrintfW(strGuid, MAXGUIDSTR, L"{%ws}", strTempGuid); }
if (!_wcsicmp(strTargetGuid, strGuid)) { hRes = pQualSet->Get(bszVersion, 0, &pVersionVal, 0); if (ERROR_SUCCESS == hRes) { hRes = VariantChangeType(&pVersionVal, &pVersionVal, 0, VT_I2); if (ERROR_SUCCESS == hRes) nEventVersion = (SHORT)V_I2(&pVersionVal); else nEventVersion = (SHORT)V_I4(&pVersionVal); VariantClear(&pVersionVal);
if (nVersion == nEventVersion) { // Match is found.
// Now put all events in this subtree into the list
MatchFound = TRUE; pMofLookup = GetPropertiesFromWBEM( pTraceSubSubClasses, Guid, nVersion, nLevel, nType, bKernelEvent ); break; } } else {
// if there is no version number for this event
MatchFound = TRUE; //_tprintf(_T("Close Match Found: \t%s\t, version %d\n"), strGuid, nEventVersion);
pMofLookup = GetPropertiesFromWBEM( pTraceSubSubClasses, Guid, EVENT_VERSION_DEFAULT, nLevel, nType, bKernelEvent ); break; } } } } } } // end while enumerating sub classes
if (MatchFound) { break; } if (pEnumTraceSubSubClasses) { pEnumTraceSubSubClasses->Release(); pEnumTraceSubSubClasses = NULL; } } // if creating enumeration was successful
} // if getting class name was successful
} nCounter++; // if match is found, break out of the top level search
if (MatchFound) break; } // end while enumerating top classes
if( pEnumTraceSubClasses ){ pEnumTraceSubClasses->Release(); pEnumTraceSubClasses = NULL; } } // if creating enumeration for top level is successful
cleanup:
VariantClear(&pGuidVal); VariantClear(&pVersionVal);
SysFreeString(bszGuid); SysFreeString(bszPropertyName); SysFreeString(bszVersion); if (pEnumTraceSubClasses){ pEnumTraceSubClasses->Release(); pEnumTraceSubClasses = NULL; } if (pEnumTraceSubSubClasses){ pEnumTraceSubSubClasses->Release(); pEnumTraceSubSubClasses = NULL; } if (pQualSet) { pQualSet->Release(); pQualSet = NULL; }
return pMofLookup;}
PMOF_VERSIONGetGuidsMofFiles ( GUID Guid, SHORT nVersion, CHAR nLevel, SHORT nType, BOOL bKernelEvent ){ FILE *f = NULL; PMOF_VERSION pMofLookup = NULL; //
// If MofFileName is given, use it. Otherwise, look for
// the default file mofdata.guid
//
if (TraceContext->MofFileName != NULL) { f = _wfopen( TraceContext->MofFileName, L"r" ); if( f != NULL ){ pMofLookup = GetGuidsFile(f, Guid, nVersion, nLevel, nType, bKernelEvent); fclose(f); } }
if ((pMofLookup == NULL) && (TraceContext->DefMofFileName != NULL)) { f = _wfopen( TraceContext->DefMofFileName, L"r" ); if( f != NULL ){ pMofLookup = GetGuidsFile(f, Guid, nVersion, nLevel, nType, bKernelEvent); fclose(f); } }
return pMofLookup;}
PMOF_VERSIONGetGuidsFile( FILE *f, GUID Guid, SHORT nVersion, CHAR nLevel, SHORT nType, BOOL bKernelEvent ){ WCHAR line[MAXSTR]; WCHAR buffer[MAXSTR]; PMOF_INFO pMofInfo = NULL; PMOF_VERSION pMofLookup = NULL; PMOF_VERSION pMofVersion = NULL; UINT i; LPWSTR s; UINT typeCount = 0; BOOL bInInfo = FALSE; BOOL bInGuid = FALSE;
SHORT nTypeIndex; CHAR nLevelIndex = -1; SHORT nVersionIndex = -1; SHORT nMatchLevel = 0;
GUID guid;
LIST_ENTRY ListHead;
InitializeListHead( &ListHead );
//
// If MofFileName is given, use it. Otherwise, look for
// the default file mofdata.guid
//
while ( fgetws(line, MAXSTR, f) != NULL ) { UINT Index; if(line[0] == '/'){ continue; } if(line[0] == '{' && bInGuid ){ bInInfo = TRUE; } else if ( line[0] == '}' && bInGuid ){ bInInfo = FALSE; FlushMofVersionList( pMofInfo, &ListHead ); } else if( bInInfo && bInGuid ){ ITEM_TYPE type; LPWSTR strValue;
Index = 1; strValue = wcstok(line, L"\n\t\r,");
s = wcstok( NULL, L" \n\t\r,["); if(s != NULL && strValue != NULL ){ PWCHAR t;
while (*strValue == ' ') { // skip leading blanks
strValue++; } t = wcstok(NULL, L"]" );
if (t != NULL) { Index = _wtoi(t); }
if(! _wcsicmp(s,STR_ItemChar)) type = ItemChar; else if(! _wcsicmp(s,STR_ItemCharHidden)) type = ItemCharHidden; else if(! _wcsicmp(s,STR_ItemUChar)) type = ItemUChar; else if(! _wcsicmp(s,STR_ItemWChar)) type = ItemWChar; else if(! _wcsicmp(s,STR_ItemCharShort))type = ItemCharShort; else if(! _wcsicmp(s,STR_ItemCharSign)) type = ItemCharSign; else if(! _wcsicmp(s,STR_ItemShort)) type = ItemShort; else if(! _wcsicmp(s,STR_ItemUShort)) type = ItemUShort; else if(! _wcsicmp(s,STR_ItemLong)) type = ItemLong; else if(! _wcsicmp(s,STR_ItemULong)) type = ItemULong; else if(! _wcsicmp(s,STR_ItemULongX)) type = ItemULongX; else if(! _wcsicmp(s,STR_ItemLongLong)) type = ItemLongLong; else if(! _wcsicmp(s,STR_ItemULongLong)) type = ItemULongLong; else if(! _wcsicmp(s,STR_ItemString)) type = ItemString; else if(! _wcsicmp(s,STR_ItemWString)) type = ItemWString; else if(! _wcsicmp(s,STR_ItemRString)) type = ItemRString; else if(! _wcsicmp(s,STR_ItemRWString)) type = ItemRWString; else if(! _wcsicmp(s,STR_ItemPString)) type = ItemPString; else if(! _wcsicmp(s,STR_ItemMLString)) type = ItemMLString; else if(! _wcsicmp(s,STR_ItemNWString)) type = ItemNWString; else if(! _wcsicmp(s,STR_ItemPWString)) type = ItemPWString; else if(! _wcsicmp(s,STR_ItemDSString)) type = ItemDSString; else if(! _wcsicmp(s,STR_ItemDSWString)) type = ItemDSWString; else if(! _wcsicmp(s,STR_ItemSid)) type = ItemSid; else if(! _wcsicmp(s,STR_ItemChar4)) type = ItemChar4; else if(! _wcsicmp(s,STR_ItemIPAddr)) type = ItemIPAddr; else if(! _wcsicmp(s,STR_ItemTDIAddr)) type = ItemTDIAddr; else if(! _wcsicmp(s,STR_ItemPort)) type = ItemPort; else if(! _wcsicmp(s,STR_ItemPtr)) type = ItemPtr; else if(! _wcsicmp(s,STR_ItemSizeT)) type = ItemSizeT; else if(! _wcsicmp(s,STR_ItemGuid)) type = ItemGuid; else if(! _wcsicmp(s,STR_ItemOptArgs)) type = ItemOptArgs; else if(! _wcsicmp(s,STR_ItemCPUTime)) type = ItemCPUTime; else if(! _wcsicmp(s,STR_ItemVariant)) type = ItemVariant; else if(! _wcsicmp(s,STR_ItemBool)) type = ItemBool; else type = ItemUnknown;
AddMofInfo( &ListHead, strValue, (SHORT)type, Index, NULL ); } } else if( line[0] == '#' && bInGuid ){ LPWSTR strType; LPWSTR strValue;
s = wcstok( line, L" \t"); if( NULL == s ){ continue; }
if( line[1] == 'l' || line[1] == 'L' ){ // level
strValue = wcstok( NULL, L" \t\n\r" ); if( strValue != NULL ){ nLevelIndex = (CHAR)_wtoi( strValue ); }
}else if( line[1] == 'v' || line[1] == 'V' ){ // version
strValue = wcstok( NULL, L" \t\n\r" ); if( strValue != NULL ){ nVersionIndex = (SHORT)_wtoi( strValue ); } typeCount = 0;
}else if( line[1] == 't' || line[1] == 'T' ){ // type
SHORT nMatchCheck = 0;
strType = wcstok( NULL, L" \t\n\r" ); strValue = wcstok( NULL, L"\"\n,\r" );
if( strType && strValue ){ nTypeIndex = (SHORT)_wtoi( strValue ); }else{ continue; }
typeCount++; if (typeCount >= MAXTYPE) { //fwprintf(stderr, L"Warning: Too many types defined\n");
}
pMofVersion = GetNewMofVersion( nTypeIndex, nVersionIndex, nLevelIndex );
if( NULL != pMofVersion ){ InsertTailList( (&ListHead), &pMofVersion->Entry); pMofVersion->strType = (LPWSTR)malloc( (lstrlenW(strType)+1) * sizeof(WCHAR) ); if( NULL != pMofVersion->strType ){ StringCchCopyW( pMofVersion->strType, lstrlenW(strType)+1, strType ); }
if( nTypeIndex == nType ){ nMatchCheck = 1; if( nLevelIndex == nLevel ){ nMatchCheck++; } if( nVersionIndex == nVersion ){ nMatchCheck++; } }
if( nMatchCheck > nMatchLevel ){ nMatchLevel = nMatchCheck; pMofLookup = pMofVersion; } } } } else if ( (line[0] >= '0' && line[0] <= '9') || (line[0] >= 'a' && line[0] <= 'f') || (line[0] >= 'A' && line[0] <= 'F')) {
LPWSTR strName = NULL; bInGuid = FALSE;
typeCount = 0;
wcsncpy(buffer, line, 8); buffer[8] = 0; guid.Data1 = ahextoi(&buffer[0]); wcsncpy(buffer, &line[9], 4); buffer[4] = 0; guid.Data2 = (USHORT) ahextoi(&buffer[0]); wcsncpy(buffer, &line[14], 4); buffer[4] = 0; guid.Data3 = (USHORT) ahextoi(buffer); for (i=0; i<2; i++) { wcsncpy(buffer, &line[19 + (i*2)], 2); buffer[2] = 0; guid.Data4[i] = (UCHAR) ahextoi(buffer); } for (i=2; i<8; i++) { wcsncpy(buffer, &line[20 + (i*2)], 2); buffer[2] = 0; guid.Data4[i] = (UCHAR) ahextoi(buffer); } if( ! IsEqualGUID( &Guid, &guid ) ){ continue; }
s = &line[36];
strName = wcstok( s, L" \n\t\r" );
if( NULL == strName ){ // Must have a name for the Guid.
continue; } bInGuid = TRUE; FlushMofVersionList(pMofInfo, &ListHead);
pMofInfo = GetMofInfoHead(&Guid); if (pMofInfo == NULL) { return NULL; } pMofInfo->bKernelEvent = bKernelEvent; pMofInfo->strDescription = (LPWSTR)malloc((lstrlenW(strName)+1) * sizeof(WCHAR)); if( NULL != pMofInfo->strDescription ){ StringCchCopyW(pMofInfo->strDescription, lstrlenW(strName)+1, strName); }
pMofVersion = GetNewMofVersion( EVENT_TYPE_DEFAULT, EVENT_VERSION_DEFAULT, EVENT_LEVEL_DEFAULT );
if (pMofVersion == NULL) { return NULL; }
pMofLookup = pMofVersion; InsertTailList( (&ListHead), &pMofVersion->Entry); }
}
FlushMofVersionList(pMofInfo, &ListHead ); return pMofLookup;}
VOIDUpdateThreadPrintData( PPRINT_JOB_RECORD pJob, PEVENT_TRACE_HEADER pHeader, PTHREAD_RECORD pThread ){ unsigned long i = 0; BOOLEAN bFound = FALSE;
if ( (pJob == NULL) || (pHeader == NULL) || (pThread == NULL) ) { return; }
for (i = 0; i < pJob->NumberOfThreads; i++) { if (pJob->ThreadData[i].ThreadId == pHeader->ThreadId) { bFound = TRUE; break; } } if ((i < MAX_THREADS) && !bFound) { pJob->ThreadData[i].ThreadId = pHeader->ThreadId; pJob->NumberOfThreads++; bFound = TRUE; }
if (bFound) { //
// TODO: There is potential for double counting if the same thread
// came back and did more work for this job after having done work for an other
// job in between.
//
if (pJob->ThreadData[i].PrevKCPUTime > 0) pJob->ThreadData[i].KCPUTime += pHeader->KernelTime * CurrentSystem.TimerResolution - pJob->ThreadData[i].PrevKCPUTime; if (pJob->ThreadData[i].PrevUCPUTime > 0) pJob->ThreadData[i].UCPUTime += pHeader->UserTime * CurrentSystem.TimerResolution - pJob->ThreadData[i].PrevUCPUTime; if (pJob->ThreadData[i].PrevReadIO > 0) pJob->ThreadData[i].ReadIO += pThread->ReadIO - pJob->ThreadData[i].PrevReadIO; if (pJob->ThreadData[i].PrevWriteIO > 0) pJob->ThreadData[i].WriteIO += pThread->WriteIO - pJob->ThreadData[i].PrevWriteIO;
pJob->ThreadData[i].PrevKCPUTime = pHeader->KernelTime * CurrentSystem.TimerResolution; pJob->ThreadData[i].PrevUCPUTime = pHeader->UserTime * CurrentSystem.TimerResolution; pJob->ThreadData[i].PrevReadIO = pThread->ReadIO; pJob->ThreadData[i].PrevWriteIO = pThread->WriteIO; }}
VOIDPrintJobCallback( PEVENT_TRACE pEvent ){ PTHREAD_RECORD pThread; PEVENT_TRACE_HEADER pHeader; PMOF_INFO pMofInfo; ULONG JobId = 0; PPRINT_JOB_RECORD pJob;
if (pEvent == NULL) return; pHeader = (PEVENT_TRACE_HEADER)&pEvent->Header;
//
// Ignore Process/Thread Start/End transactions. Only go after
// User Defined Transactions.
//
pMofInfo = GetMofInfoHead( &pEvent->Header.Guid ); if (pMofInfo == NULL){ return; }
if (!IsEqualGUID(&pEvent->Header.Guid, &ThreadGuid)) GetMofData(pEvent, L"JobId", &JobId, sizeof(ULONG));
pThread = FindGlobalThreadById(pHeader->ThreadId, pEvent);
if (JobId == 0) { if (pThread == NULL) return; JobId = pThread->JobId; // if Current Job Id is 0, use the cached one.
} else { if (pThread != NULL) { if (JobId != pThread->JobId) { pJob = FindPrintJobRecord(pThread->JobId); UpdateThreadPrintData(pJob, pHeader, pThread); }
pThread->JobId = JobId; } }
if (JobId == 0) return; // To filter all th termination without print jobs.
pJob = FindPrintJobRecord(JobId); if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_SPL_SPOOLJOB) { if (pJob) { // A job id is being reused before it was deleted from the last
// use. We must have missed a delete event, so just through the old
// job away.
DeletePrintJobRecord(pJob, FALSE); } pJob = AddPrintJobRecord(JobId); if (pJob != NULL) { pJob->StartTime = pEvent->Header.TimeStamp.QuadPart; } }
if (pJob == NULL) // if a Start event is lost for this job, this could happen.
return;
UpdateThreadPrintData(pJob, pHeader, pThread);
// If you see any of these things then stop tracking resources on the
// thread.
if ((pEvent->Header.Class.Type == EVENT_TRACE_TYPE_SPL_ENDTRACKTHREAD) || (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_SPL_DELETEJOB) || (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_SPL_PAUSE) || (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_SPL_RESUME)) { if (pThread != NULL) pThread->JobId = 0; }
if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_SPL_PAUSE) { pJob->PauseStartTime = pEvent->Header.TimeStamp.QuadPart; } else if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_SPL_RESUME) { pJob->PauseTime += (pEvent->Header.TimeStamp.QuadPart - pJob->PauseStartTime) / 10000; pJob->PauseStartTime = 0; } else if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_SPL_PRINTJOB) { pJob->PrintJobTime = pEvent->Header.TimeStamp.QuadPart; } else if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_SPL_DELETEJOB) { unsigned long i; pJob->EndTime = pEvent->Header.TimeStamp.QuadPart; pJob->ResponseTime += (pEvent->Header.TimeStamp.QuadPart - pJob->StartTime) / 10000; // in msec
GetMofData(pEvent, L"JobSize", &pJob->JobSize, sizeof(ULONG)); GetMofData(pEvent, L"DataType", &pJob->DataType, sizeof(ULONG)); GetMofData(pEvent, L"Pages", &pJob->Pages, sizeof(ULONG)); GetMofData(pEvent, L"PagesPerSide", &pJob->PagesPerSide, sizeof(ULONG)); GetMofData(pEvent, L"FilesOpened", &pJob->FilesOpened, sizeof(SHORT));
pJob->KCPUTime = 0; pJob->UCPUTime = 0; pJob->ReadIO = 0; pJob->WriteIO = 0; for (i=0; i < pJob->NumberOfThreads; i++) { pJob->KCPUTime += pJob->ThreadData[i].KCPUTime; pJob->UCPUTime += pJob->ThreadData[i].UCPUTime; pJob->ReadIO += pJob->ThreadData[i].ReadIO; pJob->WriteIO += pJob->ThreadData[i].WriteIO;
} DeletePrintJobRecord(pJob, TRUE); } else if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_SPL_JOBRENDERED) { GetMofData(pEvent, L"GdiJobSize", &pJob->GdiJobSize, sizeof(ULONG)); GetMofData(pEvent, L"ICMMethod", &pJob->ICMMethod, sizeof(ULONG)); GetMofData(pEvent, L"Color", &pJob->Color, sizeof(SHORT)); GetMofData(pEvent, L"XRes", &pJob->XRes, sizeof(SHORT)); GetMofData(pEvent, L"YRes", &pJob->YRes, sizeof(SHORT)); GetMofData(pEvent, L"Quality", &pJob->Quality, sizeof(SHORT)); GetMofData(pEvent, L"Copies", &pJob->Copies, sizeof(SHORT)); GetMofData(pEvent, L"TTOption", &pJob->TTOption, sizeof(SHORT)); }}
VOIDUpdateThreadIisData( PHTTP_REQUEST_RECORD pReq, PEVENT_TRACE_HEADER pHeader, PTHREAD_RECORD pThread ){ unsigned long i = 0; BOOLEAN bFound = FALSE;
if ( (pReq == NULL) || (pHeader == NULL) || (pThread == NULL) ) { return; }
for (i = 0; i < pReq->NumberOfThreads; i++) { if (pReq->ThreadData[i].ThreadId == pHeader->ThreadId) { if (i != pReq->CurrentThreadIndex) { // This means the same thread worked on the same request multiple times after having done
// work for another job in between.
// This will result in double counting. We should set the previous time and exit.
pReq->ThreadData[i].PrevKCPUTime = pHeader->KernelTime * CurrentSystem.TimerResolution; pReq->ThreadData[i].PrevUCPUTime = pHeader->UserTime * CurrentSystem.TimerResolution; pReq->ThreadData[i].PrevReadIO = pThread->ReadIO; pReq->ThreadData[i].PrevWriteIO = pThread->WriteIO;
pReq->CurrentThreadIndex = i;
return; } else { bFound = TRUE; } break; } } if ((i < MAX_THREADS) && !bFound) { pReq->ThreadData[i].ThreadId = pHeader->ThreadId; pReq->NumberOfThreads++; bFound = TRUE; }
if (bFound) {
if (pHeader->KernelTime * CurrentSystem.TimerResolution < pReq->ThreadData[i].PrevKCPUTime) { pReq->ThreadData[i].PrevKCPUTime = pHeader->KernelTime * CurrentSystem.TimerResolution; } if (pHeader->UserTime * CurrentSystem.TimerResolution < pReq->ThreadData[i].PrevUCPUTime) { pReq->ThreadData[i].PrevUCPUTime = pHeader->UserTime * CurrentSystem.TimerResolution; }
// New for IIS Events
// Due to the hook placements, we needed to tweak which routine (UL, W3core, W3filter,
// ISAPI, ASP, CGI) we need to charge CPU time to.
if (pReq->ThreadData[i].PrevKCPUTime > 0) pReq->ThreadData[i].KCPUTime += pHeader->KernelTime * CurrentSystem.TimerResolution - pReq->ThreadData[i].PrevKCPUTime; if (pReq->ThreadData[i].PrevUCPUTime > 0) pReq->ThreadData[i].UCPUTime += pHeader->UserTime * CurrentSystem.TimerResolution - pReq->ThreadData[i].PrevUCPUTime; if (pReq->ThreadData[i].PrevReadIO > 0) pReq->ThreadData[i].ReadIO += pThread->ReadIO - pReq->ThreadData[i].PrevReadIO; if (pReq->ThreadData[i].PrevWriteIO > 0) pReq->ThreadData[i].WriteIO += pThread->WriteIO - pReq->ThreadData[i].PrevWriteIO;
if (IsEqualGUID(&pHeader->Guid, &UlGuid)) { if (pReq->ThreadData[i].PrevKCPUTime > 0) { pReq->ULCPUTime += pHeader->KernelTime * CurrentSystem.TimerResolution - pReq->ThreadData[i].PrevKCPUTime; } if (pReq->ThreadData[i].PrevUCPUTime > 0) { pReq->ULCPUTime += pHeader->UserTime * CurrentSystem.TimerResolution - pReq->ThreadData[i].PrevUCPUTime; } } else if (IsEqualGUID(&pHeader->Guid, &W3CoreGuid)) { if (pReq->ASPStartTime == 0 || pReq->ASPEndTime != 0) { if (pReq->ThreadData[i].PrevKCPUTime > 0) { pReq->W3CPUTime += pHeader->KernelTime * CurrentSystem.TimerResolution - pReq->ThreadData[i].PrevKCPUTime; } if (pReq->ThreadData[i].PrevUCPUTime > 0) { pReq->W3CPUTime += pHeader->UserTime * CurrentSystem.TimerResolution - pReq->ThreadData[i].PrevUCPUTime; } } else { if (pReq->ThreadData[i].PrevKCPUTime > 0) { pReq->ASPCPUTime += pHeader->KernelTime * CurrentSystem.TimerResolution - pReq->ThreadData[i].PrevKCPUTime; } if (pReq->ThreadData[i].PrevUCPUTime > 0) { pReq->ASPCPUTime += pHeader->UserTime * CurrentSystem.TimerResolution - pReq->ThreadData[i].PrevUCPUTime; } } } else if (IsEqualGUID(&pHeader->Guid, &W3FilterGuid)) { if (pReq->W3FilterVisits > 0) { if (pReq->ThreadData[i].PrevKCPUTime > 0) { pReq->W3FltrCPUTime += pHeader->KernelTime * CurrentSystem.TimerResolution - pReq->ThreadData[i].PrevKCPUTime; } if (pReq->ThreadData[i].PrevUCPUTime > 0) { pReq->W3FltrCPUTime += pHeader->UserTime * CurrentSystem.TimerResolution - pReq->ThreadData[i].PrevUCPUTime; } } else { if (pReq->ThreadData[i].PrevKCPUTime > 0) { pReq->W3CPUTime += pHeader->KernelTime * CurrentSystem.TimerResolution - pReq->ThreadData[i].PrevKCPUTime; } if (pReq->ThreadData[i].PrevUCPUTime > 0) { pReq->W3CPUTime += pHeader->UserTime * CurrentSystem.TimerResolution - pReq->ThreadData[i].PrevUCPUTime; } } } else if (IsEqualGUID(&pHeader->Guid, &W3CgiGuid)) { if (pReq->ThreadData[i].PrevKCPUTime > 0) { pReq->CGICPUTime += pHeader->KernelTime * CurrentSystem.TimerResolution - pReq->ThreadData[i].PrevKCPUTime; } if (pReq->ThreadData[i].PrevUCPUTime > 0) { pReq->CGICPUTime += pHeader->UserTime * CurrentSystem.TimerResolution - pReq->ThreadData[i].PrevUCPUTime; } } else if (IsEqualGUID(&pHeader->Guid, &W3IsapiGuid)) { if (pReq->ASPStartTime == 0 || pReq->ASPEndTime != 0) { if (pReq->ThreadData[i].PrevKCPUTime > 0) { pReq->ISAPICPUTime += pHeader->KernelTime * CurrentSystem.TimerResolution - pReq->ThreadData[i].PrevKCPUTime; } if (pReq->ThreadData[i].PrevUCPUTime > 0) { pReq->ISAPICPUTime += pHeader->UserTime * CurrentSystem.TimerResolution - pReq->ThreadData[i].PrevUCPUTime; } } else { if (pReq->ThreadData[i].PrevKCPUTime > 0) { pReq->ASPCPUTime += pHeader->KernelTime * CurrentSystem.TimerResolution - pReq->ThreadData[i].PrevKCPUTime; } if (pReq->ThreadData[i].PrevUCPUTime > 0) { pReq->ASPCPUTime += pHeader->UserTime * CurrentSystem.TimerResolution - pReq->ThreadData[i].PrevUCPUTime; } } } else if (IsEqualGUID(&pHeader->Guid, &IisAspGuid) || IsEqualGUID(&pHeader->Guid, &IisAspNetGuid) || IsEqualGUID(&pHeader->Guid, &IisCustomIsapiGuid)) { if (pReq->ASPStartTime == 0) { if (pReq->ISAPIStartTime == 0) { if (pReq->ThreadData[i].PrevKCPUTime > 0) { pReq->W3CPUTime += pHeader->KernelTime * CurrentSystem.TimerResolution - pReq->ThreadData[i].PrevKCPUTime; } if (pReq->ThreadData[i].PrevUCPUTime > 0) { pReq->W3CPUTime += pHeader->UserTime * CurrentSystem.TimerResolution - pReq->ThreadData[i].PrevUCPUTime; } } else { if (pReq->ThreadData[i].PrevKCPUTime > 0) { pReq->ISAPICPUTime += pHeader->KernelTime * CurrentSystem.TimerResolution - pReq->ThreadData[i].PrevKCPUTime; } if (pReq->ThreadData[i].PrevUCPUTime > 0) { pReq->ISAPICPUTime += pHeader->UserTime * CurrentSystem.TimerResolution - pReq->ThreadData[i].PrevUCPUTime; } } } else { if (pReq->ThreadData[i].PrevKCPUTime > 0) { pReq->ASPCPUTime += pHeader->KernelTime * CurrentSystem.TimerResolution - pReq->ThreadData[i].PrevKCPUTime; } if (pReq->ThreadData[i].PrevUCPUTime > 0) { pReq->ASPCPUTime += pHeader->UserTime * CurrentSystem.TimerResolution - pReq->ThreadData[i].PrevUCPUTime; } } }
pReq->ThreadData[i].PrevKCPUTime = pHeader->KernelTime * CurrentSystem.TimerResolution; pReq->ThreadData[i].PrevUCPUTime = pHeader->UserTime * CurrentSystem.TimerResolution; pReq->ThreadData[i].PrevReadIO = pThread->ReadIO; pReq->ThreadData[i].PrevWriteIO = pThread->WriteIO;
pReq->CurrentThreadIndex = i;
}#ifdef DBG
else { // MAX_THREADS (== 10) is reached.
TrctrDbgPrint(("TRACERPT Warning Req: %I64u MAX_THREADS reached.\n", pReq->RequestId)); }#endif
}
//
// This routine sums up CPU time and IO counts to HTTP_REQUEST_RECORD
// so that the request can be written to a file.
//
VOIDSumUpCPUTime( PHTTP_REQUEST_RECORD pReq ){ ULONG i; if (NULL == pReq) { return; } pReq->KCPUTime = 0; pReq->UCPUTime = 0; pReq->ReadIO = 0; pReq->WriteIO = 0; for (i = 0; i < pReq->NumberOfThreads; i++) { pReq->KCPUTime += pReq->ThreadData[i].KCPUTime; pReq->UCPUTime += pReq->ThreadData[i].UCPUTime; pReq->ReadIO += pReq->ThreadData[i].ReadIO; pReq->WriteIO += pReq->ThreadData[i].WriteIO; }}
PHTTP_REQUEST_RECORDGetBestAspRequest( ULONGLONG ConnId, BOOLEAN AspStart ){ PHTTP_REQUEST_RECORD pReq1, pReq2; pReq1 = FindHttpReqRecordByConId(ConnId, NULL); if (pReq1 == NULL) { return NULL; } pReq2 = FindHttpReqRecordByConId(ConnId, pReq1); if (pReq2 == NULL) { return pReq1; } if (AspStart) { if (pReq1->ASPStartTime == 0 && pReq2->ASPStartTime == 0) { return ((pReq1->ISAPIStartTime < pReq1->ISAPIStartTime) ? pReq1 : pReq2); } else if (pReq1->ASPStartTime != 0 && pReq2->ASPStartTime == 0) { return pReq2; } else if (pReq1->ASPStartTime == 0 && pReq2->ASPStartTime != 0) { return pReq1; } else { // both ASPStartTimes are non-zero.
DeleteHttpReqRecord(pReq1, FALSE); DeleteHttpReqRecord(pReq2, FALSE); return NULL; } } else { if (pReq1->ASPEndTime == 0 && pReq2->ASPEndTime == 0) { if (pReq1->ASPStartTime == 0 && pReq2->ASPStartTime != 0) { return pReq2; } else if (pReq1->ASPStartTime != 0 && pReq2->ASPStartTime == 0) { return pReq1; } else if (pReq1->ASPStartTime != 0 && pReq2->ASPStartTime != 0) { return ((pReq1->ASPStartTime < pReq1->ASPStartTime) ? pReq1 : pReq2); } else { // both ASPStartTimes are zero.
DeleteHttpReqRecord(pReq1, FALSE); DeleteHttpReqRecord(pReq2, FALSE); return NULL; } } else if (pReq1->ASPEndTime != 0 && pReq2->ASPEndTime == 0) { return pReq2; } else if (pReq1->ASPEndTime == 0 && pReq2->ASPEndTime != 0) { return pReq1; } else { // both ASPEndTimes are non-zero.
DeleteHttpReqRecord(pReq1, FALSE); DeleteHttpReqRecord(pReq2, FALSE); return NULL; } }}
VOIDIISEventCallback( PEVENT_TRACE pEvent ){ PTHREAD_RECORD pThread; PEVENT_TRACE_HEADER pHeader; PMOF_INFO pMofInfo; ULONGLONG RequestId = 0; ULONG IpAddr = 0; PHTTP_REQUEST_RECORD pReq = NULL;
if (pEvent == NULL) return; pHeader = (PEVENT_TRACE_HEADER)&pEvent->Header;
pMofInfo = GetMofInfoHead( &pEvent->Header.Guid ); if (pMofInfo == NULL){ return; }
if (CurrentSystem.IISStartTime == 0) { CurrentSystem.IISStartTime = pEvent->Header.TimeStamp.QuadPart; } CurrentSystem.IISEndTime = pEvent->Header.TimeStamp.QuadPart;
pThread = FindGlobalThreadById(pHeader->ThreadId, pEvent);
if (IsEqualGUID(&pEvent->Header.Guid, &IisAspGuid) || IsEqualGUID(&pEvent->Header.Guid, &IisAspNetGuid) || IsEqualGUID(&pEvent->Header.Guid, &IisCustomIsapiGuid)) { ULONG ConId32 = 0; ULONGLONG ConId64 = 0; BOOLEAN AspStart; if (PointerSize == 32) { GetMofData(pEvent, L"ConnID", &ConId32, 4); ConId64 = (ULONGLONG)ConId32; } else { GetMofData(pEvent, L"ConnID", &ConId64, 8); } AspStart = (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_IISASP_START); pReq = GetBestAspRequest(ConId64, AspStart); if (pReq != NULL) { RequestId = pReq->RequestId; if (pThread != NULL) { if (RequestId != pThread->IisReqId) { PHTTP_REQUEST_RECORD pThreadReq = FindHttpReqRecord(pThread->IisReqId); UpdateThreadIisData(pThreadReq, pHeader, pThread); } pThread->IisReqId = RequestId; } if (IsEqualGUID(&pEvent->Header.Guid, &IisAspNetGuid)) { pReq->IsapiExt = ISAPI_EXTENTION_ASP_NET; } else if (IsEqualGUID(&pEvent->Header.Guid, &IisCustomIsapiGuid)) { pReq->IsapiExt = ISAPI_EXTENTION_CUSTOM; } else { pReq->IsapiExt = ISAPI_EXTENTION_ASP; } } else { // ASP event with no previous RequestId. Exit.
return; } } else { // non-ASP events
if (IsEqualGUID(&pEvent->Header.Guid, &IisStrmFilterGuid) || IsEqualGUID(&pEvent->Header.Guid, &IisSslHandShakeGuid)) { // These events don't have request ID. We'll just use the request that this thread is working on.
if (pThread != NULL) { RequestId = pThread->IisReqId; } } else if (!IsEqualGUID(&pEvent->Header.Guid, &ThreadGuid)) { if ((IsEqualGUID(&pEvent->Header.Guid, &UlGuid)) && ((pEvent->Header.Class.Type == EVENT_TRACE_TYPE_UL_START) || (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_UL_PARSE) || (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_UL_DELIVER) || (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_UL_CACHEDEND))) { RequestId = 0; GetMofData(pEvent, L"RequestObj", &RequestId, (PointerSize / 8)); } else { GetMofData(pEvent, L"RequestId", &RequestId, sizeof(ULONGLONG)); } }
if (RequestId == 0) { if (pThread == NULL) { return; } RequestId = pThread->IisReqId; // if Current Request Id is 0, use the cached one.
} else { if (pThread != NULL) { if (RequestId != pThread->IisReqId) { pReq = FindHttpReqRecord(pThread->IisReqId); UpdateThreadIisData(pReq, pHeader, pThread); } pThread->IisReqId = RequestId; } }
if (RequestId == 0) return; // To filter all the termination without any useful IIS activity.
pReq = FindHttpReqRecord(RequestId); // If there no active request, look for it in the (almost finished) pending list.
if (pReq == NULL) { pReq = FindPendingHttpReqRecord(RequestId); } }
if (IsEqualGUID(&pEvent->Header.Guid, &UlGuid)) { if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_UL_START) { // struct needed for IPV6 address format.
struct { USHORT TdiAddrType; union { TDI_ADDRESS_IP RemoteAddrIn; TDI_ADDRESS_IP6 RemoteAddrIn6; }; } TdiAddress;
if (pReq != NULL) { // A request id is being reused before it was deleted from the last
// use. We must have missed a delete event, so just through the old
// request away.
EnterTracelibCritSection(); RemoveEntryList( &pReq->Entry ); LeaveTracelibCritSection(); DeleteHttpReqRecord(pReq, FALSE); IISRequestsDiscarded++; } RtlZeroMemory(&TdiAddress, sizeof(TdiAddress)); GetMofData(pEvent, L"AddressType", &TdiAddress, sizeof(TdiAddress)); pReq = AddHttpReqRecord(RequestId, TdiAddress.TdiAddrType, TdiAddress.RemoteAddrIn.in_addr, TdiAddress.RemoteAddrIn6.sin6_addr); if (pReq != NULL) { pReq->ULStartTime = pEvent->Header.TimeStamp.QuadPart; } return; } } // if a Start event is lost for this job, this could happen.
// We will not bother with transactions with missing
// Start or Parse.
if (pReq == NULL) { IISEventsDiscarded++; return; }
if (IsEqualGUID(&pEvent->Header.Guid, &UlGuid)) { if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_UL_PARSE) { ULONG URLSize = 0; PWCHAR URLStrTemp; PCHAR URLStr;
pReq->ULParseTime = pEvent->Header.TimeStamp.QuadPart; if (pReq->URL != NULL) { free (pReq->URL); } // Get URL
URLStrTemp = (PWCHAR)malloc(MAXSTR * sizeof(WCHAR)); if (URLStrTemp != NULL) { RtlZeroMemory(URLStrTemp, MAXSTR * sizeof(WCHAR)); URLSize = GetMofData(pEvent, L"Url", URLStrTemp, MAXSTR * sizeof(WCHAR)); if (URLSize > (MAXSTR * sizeof(WCHAR))) { free(URLStrTemp); // We need to allocate one more char so that GetMofDat() can put an ending NULL in it.
URLStrTemp = (PWCHAR)malloc(URLSize + sizeof(WCHAR)); if (URLStrTemp != NULL) { RtlZeroMemory(URLStrTemp, URLSize + sizeof(WCHAR)); GetMofData(pEvent, L"Url", URLStrTemp, URLSize); } else { return; } } } else { return; } // Save memory by just mallocing only the amount of space we need.
URLSize = wcslen(URLStrTemp); if (URLSize > 0) { URLStr = (PCHAR)malloc((URLSize + 1)); if (URLStr != NULL) { WideCharToMultiByte(CP_ACP, 0, URLStrTemp, URLSize, URLStr, (URLSize + 1), NULL, NULL); URLStr[URLSize] = '\0'; } pReq->URL = URLStr; } free(URLStrTemp); } else if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_UL_DELIVER) { ULONG SiteId; ULONGLONG NewRequestId = 0; PHTTP_REQUEST_RECORD pPendingReq;
// If the request is delivered to the user mode, no need to track it
// on the thread.
if (pThread != NULL) { pThread->IisReqId = 0; } // Update RequestId with the real one.
GetMofData(pEvent, L"RequestId", &NewRequestId, sizeof(ULONGLONG));
// There may be another (almost finished) request using the same RequestId.
// Put that request to the pending request list.
pPendingReq = FindHttpReqRecord(NewRequestId); if (pPendingReq != NULL) { EnterTracelibCritSection(); RemoveEntryList( &pPendingReq->Entry ); InsertHeadList( &CurrentSystem.PendingHttpReqListHead, &pPendingReq->Entry ); LeaveTracelibCritSection(); } pReq->RequestId = NewRequestId;
pReq->ULDeliverTime = pEvent->Header.TimeStamp.QuadPart; GetMofData(pEvent, L"SiteId", &SiteId, sizeof(ULONG)); pReq->SiteId = SiteId; } else if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_UL_RECVRESP || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_UL_RECVBODY || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_UL_FASTRESP) {
pReq->ULReceiveTime = pEvent->Header.TimeStamp.QuadPart; pReq->ULReceiveType = pEvent->Header.Class.Type; } else if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_UL_CACHEDEND || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_UL_CACHEANDSEND || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_UL_FASTSEND || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_UL_ZEROSEND || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_UL_SENDERROR || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_UL_END) {
if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_UL_CACHEDEND) { GetMofData(pEvent, L"BytesSent", &(pReq->BytesSent), sizeof(ULONG)); GetMofData(pEvent, L"SiteId", &(pReq->SiteId), sizeof(ULONG)); pReq->HttpStatus = 200; } else { // This is UL End events for non-cached URL requests.
// If W3StartTime or ULReceiveTime is missing, look for a pending
// request with the same RequestId.
if (pReq->W3StartTime == 0 || pReq->ULReceiveTime == 0) { PHTTP_REQUEST_RECORD pPendingReq = FindPendingHttpReqRecord(RequestId); if (pPendingReq != NULL) { pReq = pPendingReq; } } GetMofData(pEvent, L"HttpStatus", &(pReq->HttpStatus), sizeof(USHORT)); } pReq->ULEndTime = pEvent->Header.TimeStamp.QuadPart; pReq->ULEndType = pEvent->Header.Class.Type; pReq->ULResponseTime = (pReq->ULEndTime - pReq->ULStartTime); // in msec
if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_UL_CACHEDEND) { UpdateThreadIisData(pReq, pHeader, pThread); SumUpCPUTime(pReq); DeleteHttpReqRecord(pReq, TRUE); return; } else if (pReq->ASPStartTime == 0) { if (pReq->W3EndTime != 0) { // Wait till W3 ends to get BytesSent
UpdateThreadIisData(pReq, pHeader, pThread); SumUpCPUTime(pReq); DeleteHttpReqRecord(pReq, TRUE); return; } } else { if (pReq->W3EndTime != 0 && pReq->ASPEndTime != 0) { // Wait till W3 ends to get BytesSent
UpdateThreadIisData(pReq, pHeader, pThread); SumUpCPUTime(pReq); DeleteHttpReqRecord(pReq, TRUE); return; } } } } else if (IsEqualGUID(&pEvent->Header.Guid, &W3CoreGuid)) { if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3CORE_START) { pReq->W3StartTime = pEvent->Header.TimeStamp.QuadPart; } else if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3CORE_FILEREQ || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3CORE_CGIREQ || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3CORE_ISAPIREQ || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3CORE_OOPREQ) { pReq->W3ProcessType = pEvent->Header.Class.Type; pReq->FileReqTime = pEvent->Header.TimeStamp.QuadPart; } else if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3CORE_SENDBODY || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3CORE_SENDRESP || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3CORE_SENDENTITY || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3CORE_SENDFILTER || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3CORE_ERRSEND || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3CORE_ERRSENDENT || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3CORE_ERRSENDCTX || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3CORE_ERRVECSEND || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3CORE_VECTORSEND || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3CORE_END) { // This is W3 End events for non-cached URL requests.
// If W3StartTime or ULReceiveTime is missing, look for a pending
// request with the same RequestId.
if (pReq->W3StartTime == 0 || pReq->ULReceiveTime == 0) { PHTTP_REQUEST_RECORD pPendingReq = FindPendingHttpReqRecord(RequestId); if (pPendingReq != NULL) { pReq = pPendingReq; } } GetMofData(pEvent, L"BytesSent", &(pReq->BytesSent), sizeof(ULONG)); pReq->W3EndTime = pEvent->Header.TimeStamp.QuadPart; pReq->W3EndType = pEvent->Header.Class.Type; if (pReq->ASPStartTime != 0) { if (pReq->ULEndTime != 0 && pReq->ASPEndTime != 0) { UpdateThreadIisData(pReq, pHeader, pThread); SumUpCPUTime(pReq); DeleteHttpReqRecord(pReq, TRUE); return; } } else { if (pReq->ULEndTime != 0) { UpdateThreadIisData(pReq, pHeader, pThread); SumUpCPUTime(pReq); DeleteHttpReqRecord(pReq, TRUE); return; } } } } else if (IsEqualGUID(&pEvent->Header.Guid, &W3FilterGuid)) { if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3FILTER_START) { if (pReq->W3FilterStartTime == 0) { pReq->W3FilterStartTime = pEvent->Header.TimeStamp.QuadPart; pReq->W3FilterVisits++; } else { pReq->W3FilterStartTime = pEvent->Header.TimeStamp.QuadPart; } } else if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3FILTER_END) { if (pReq->W3FilterStartTime != 0) { pReq->W3FilterResponseTime += pEvent->Header.TimeStamp.QuadPart - pReq->W3FilterStartTime; pReq->W3FilterStartTime = 0; } } } else if (IsEqualGUID(&pEvent->Header.Guid, &W3CgiGuid)) { if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3CGI_START) { pReq->W3ProcessType = EVENT_TRACE_TYPE_W3CORE_CGIREQ; pReq->CGIStartTime = pEvent->Header.TimeStamp.QuadPart; } else if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3CGI_END) { pReq->CGIEndTime = pEvent->Header.TimeStamp.QuadPart; } } else if (IsEqualGUID(&pEvent->Header.Guid, &W3IsapiGuid)) { if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3ISAPI_START) { ULONG ConId32 = 0; ULONGLONG ConId64 = 0; pReq->W3ProcessType = EVENT_TRACE_TYPE_W3CORE_ISAPIREQ; if (PointerSize == 32) { GetMofData(pEvent, L"connID", &ConId32, 4); ConId64 = (ULONGLONG)ConId32; } else { GetMofData(pEvent, L"connID", &ConId64, 8); } pReq->ConId = ConId64; pReq->ISAPIStartTime = pEvent->Header.TimeStamp.QuadPart; } else if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3ISAPI_SENDHDR || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3ISAPI_SENDHDREX || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3ISAPI_VECTORSEND || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3ISAPI_ERRORSEND || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3ISAPI_SSFSEND || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3ISAPI_SSDERROR || pEvent->Header.Class.Type == EVENT_TRACE_TYPE_W3ISAPI_END) { pReq->ISAPIEndType = pEvent->Header.Class.Type; pReq->ISAPIEndTime = pEvent->Header.TimeStamp.QuadPart; } } else if (IsEqualGUID(&pEvent->Header.Guid, &IisStrmFilterGuid)) { if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_IISSTRMFILTER_START) { if (pReq->StrmFltrResponseTime == 0) { pReq->StrmFltrResponseTime = pEvent->Header.TimeStamp.QuadPart; } } else if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_IISSTRMFILTER_END) { if (pReq->StrmFltrResponseTime != 0 && (ULONGLONG)(pEvent->Header.TimeStamp.QuadPart) > pReq->StrmFltrResponseTime) { pReq->StrmFltrResponseTime = pEvent->Header.TimeStamp.QuadPart - pReq->StrmFltrResponseTime; } else { pReq->StrmFltrResponseTime = 0; } } } else if (IsEqualGUID(&pEvent->Header.Guid, &IisSslHandShakeGuid)) { if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_IISSSLHANDLESHAKE_START) { if (pReq->SSLResponseTime == 0) { pReq->SSLResponseTime = pEvent->Header.TimeStamp.QuadPart; } } else if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_IISSSLHANDLESHAKE_END) { if (pReq->SSLResponseTime != 0 && (ULONGLONG)(pEvent->Header.TimeStamp.QuadPart) > pReq->SSLResponseTime) { pReq->SSLResponseTime = pEvent->Header.TimeStamp.QuadPart - pReq->SSLResponseTime; } else { pReq->SSLResponseTime = 0; } } } else if (IsEqualGUID(&pEvent->Header.Guid, &IisAspGuid) || IsEqualGUID(&pEvent->Header.Guid, &IisAspNetGuid) || IsEqualGUID(&pEvent->Header.Guid, &IisCustomIsapiGuid)) { if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_IISASP_START) { pReq->ASPStartTime = pEvent->Header.TimeStamp.QuadPart; } else if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_IISASP_END) { pReq->ASPEndTime = pEvent->Header.TimeStamp.QuadPart; if (pReq->ULEndTime != 0 && pReq->W3EndTime != 0) { UpdateThreadIisData(pReq, pHeader, pThread); SumUpCPUTime(pReq); DeleteHttpReqRecord(pReq, TRUE); return; } } } // Finally, charge CPU time on on-going requests.
UpdateThreadIisData(pReq, pHeader, pThread);
}
VOIDGeneralEventCallback( PEVENT_TRACE pEvent ){ PTHREAD_RECORD pThread = NULL;
if ((pEvent == NULL) || (TraceContext == NULL)) { return; }
CurrentSystem.LastEventTime = (ULONGLONG) pEvent->Header.TimeStamp.QuadPart;
if (XPorHigher) { // If the ThreadId is -1 or the FieldTypeFlags in the event
// shows there is no CPU Time, ignore the event. This can happen
// when PERFINFO headers are found in kernel data.
//
// However, we exclude FileIo events from this because we need
// those events. Later on, we may exclude network events as well.
if (!IsEqualGUID(&pEvent->Header.Guid, &FileIoGuid)) {
if ( (pEvent->Header.ThreadId == -1) || (pEvent->Header.FieldTypeFlags & EVENT_TRACE_USE_NOCPUTIME) ) { if (TraceContext->Flags & (TRACE_DUMP|TRACE_SUMMARY)) { DumpEvent(pEvent); } return; } } }
if (IsEqualGUID(&pEvent->Header.Guid, &EventTraceGuid)) { LogHeaderCallback(pEvent); }
//
// Notes: This code is here to fix up the Event Record for the
// Idle Threads. Since Idle threads are not guaranteed to have
// Cid initialized, we could end up with bogus thread Ids.
//
// Assumption: In DC_START records, the first process record must
// be the idle process followed by idle threads.
//
if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_DC_START) { if (bCaptureBogusThreads) { //
// Here we will convert the next N threads into idle threads
// N = Number of Processors.
if (IsEqualGUID(&pEvent->Header.Guid, &ThreadGuid)) { if (pEvent->Header.ThreadId != 0) { PULONG Ptr; BogusThreads[BogusCount++] = pEvent->Header.ThreadId; pEvent->Header.ThreadId = 0; //
// Assumption: The first two ULONGs are the
// ThreadId and ProcessId in this record. If that changes
// this will corrupt memory!
//
Ptr = (PULONG)pEvent->MofData; *Ptr = 0; Ptr++; *Ptr = 0; } } //
// Once all the idle threads are seen, no need to capture anymore
//
if (IdleThreadCount++ == NumProc) bCaptureBogusThreads = FALSE; } } else { //
// This is the TimeConsuming Part. We need to do this only if
// we found bogus threads earlier.
//
if (BogusCount > 0) { ULONG i; for (i=0; i < BogusCount; i++) { if (pEvent->Header.ThreadId == BogusThreads[i]) { pEvent->Header.ThreadId = 0;
//
// If DC_END records also fix up the Mof for Thread End
//
if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_DC_END) { PULONG Ptr;
Ptr = (PULONG)pEvent->MofData; *Ptr = 0; Ptr++; *Ptr = 0; } } } } }
if (CurrentSystem.fNoEndTime && CurrentSystem.EndTime < (ULONGLONG) pEvent->Header.TimeStamp.QuadPart) { CurrentSystem.EndTime = pEvent->Header.TimeStamp.QuadPart; if (fDSOnly && CurrentSystem.EndTime > DSEndTime) { CurrentSystem.EndTime = DSEndTime; } }
//
// After the above code we should not see any threadId's over 64K
//
/*
#if DBG
if (pEvent->Header.ThreadId > 65536) DbgPrint("%d: Bad ThreadId %x Found\n", EventCount+1, pEvent->Header.ThreadId);#endif
*/
//
// Dump the event in csv file, if required.
//
if (TraceContext->Flags & (TRACE_DUMP|TRACE_SUMMARY)) { DumpEvent(pEvent); } else { PMOF_INFO pMofInfo; PMOF_VERSION pMofVersion = NULL; pMofInfo = GetMofInfoHead( &pEvent->Header.Guid ); if (pMofInfo == NULL){ return; } pMofInfo->EventCount++;
pMofVersion = GetMofVersion(pMofInfo, pEvent->Header.Class.Type, pEvent->Header.Class.Version, pEvent->Header.Class.Level ); }
if ( (TraceContext->Flags & TRACE_REDUCE) == 0 ) { return; } //
// TODO: This may prevent DiskIO write events and TCP receive events to
// get ignored
//
if (pEvent->Header.ThreadId == 0) { if ( (pEvent->Header.Class.Type != EVENT_TRACE_TYPE_START) && (pEvent->Header.Class.Type != EVENT_TRACE_TYPE_DC_START) && (pEvent->Header.Class.Type != EVENT_TRACE_TYPE_END) && (pEvent->Header.Class.Type != EVENT_TRACE_TYPE_DC_END) ) { EventCount++; return; } }
if (!IsEqualGUID(&pEvent->Header.Guid, &FileIoGuid) && !IsEqualGUID(&pEvent->Header.Guid, &TcpIpGuid) && !IsEqualGUID(&pEvent->Header.Guid, &UdpIpGuid)) { // FileIo events and network events have Perf Header with ThreadId == -1
// No need to add this bogus thread
pThread = FindGlobalThreadById(pEvent->Header.ThreadId, pEvent); }
EventCount ++;
if (IsEqualGUID(&pEvent->Header.Guid, &ProcessGuid)) { AdjustThreadTime(pEvent, pThread); ProcessCallback(pEvent); } else if (IsEqualGUID(&pEvent->Header.Guid, &ThreadGuid)) { if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_START) { AdjustThreadTime(pEvent, pThread); } ThreadCallback(pEvent); } else if (pEvent->Header.ThreadId != 0) { if (!IsEqualGUID(&pEvent->Header.Guid, &FileIoGuid) && !IsEqualGUID(&pEvent->Header.Guid, &TcpIpGuid) && !IsEqualGUID(&pEvent->Header.Guid, &UdpIpGuid)) { AdjustThreadTime(pEvent, pThread); }
if (IsEqualGUID(&pEvent->Header.Guid, &DiskIoGuid)) { DiskIoCallback(pEvent, pThread); } else if (IsEqualGUID(&pEvent->Header.Guid, &FileIoGuid)) { // No need to do callbacks on file rundown events.
if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_FILEIO_NAME) { HotFileCallback(pEvent); } } else if (IsEqualGUID(&pEvent->Header.Guid, &ImageLoadGuid)) { ModuleLoadCallback(pEvent); } else if (IsEqualGUID(&pEvent->Header.Guid, &TcpIpGuid)) { TcpIpCallback(pEvent, pThread); } else if (IsEqualGUID(&pEvent->Header.Guid, &UdpIpGuid)) { TcpIpCallback(pEvent, pThread); } else if (IsEqualGUID(&pEvent->Header.Guid, &PageFaultGuid)) { PageFaultCallback(pEvent, pThread); } else if (IsEqualGUID(&pEvent->Header.Guid, &EventTraceConfigGuid)) { //
// We only need Logical Disk events for now.
//
if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_CONFIG_LOGICALDISK) { LogDriveCallback(pEvent); } else if (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_CONFIG_CPU) { CpuCallback(pEvent); } } else if (IsEqualGUID(&pEvent->Header.Guid, &UlGuid) || IsEqualGUID(&pEvent->Header.Guid, &W3CoreGuid) || IsEqualGUID(&pEvent->Header.Guid, &W3FilterGuid) || IsEqualGUID(&pEvent->Header.Guid, &W3CgiGuid) || IsEqualGUID(&pEvent->Header.Guid, &W3IsapiGuid) || IsEqualGUID(&pEvent->Header.Guid, &IisStrmFilterGuid) || IsEqualGUID(&pEvent->Header.Guid, &IisSslHandShakeGuid) || IsEqualGUID(&pEvent->Header.Guid, &IisAspGuid) || IsEqualGUID(&pEvent->Header.Guid, &IisAspNetGuid) || IsEqualGUID(&pEvent->Header.Guid, &IisCustomIsapiGuid)) { if (IsEqualGUID(&pEvent->Header.Guid, &UlGuid)) { bIISEvents = TRUE; } if (bIISEvents) { IISEventCallback(pEvent); } //
// Cannot use EventCallBack() to compute the response time becase
// one transaction goes through different Start/Stop through different
// events.
//
} else { //
// This is a hack specific to Print Servers.
// Need to come up with a general solution. MKR.
//
if (IsEqualGUID(&pEvent->Header.Guid, &PrintJobGuid) || IsEqualGUID(&pEvent->Header.Guid, &RenderedJobGuid)) { PrintJobCallback(pEvent); }
EventCallback(pEvent, pThread); } }}
ULONG ahextoi( WCHAR *s){ int len; ULONG num, base, hex;
len = lstrlenW(s); hex = 0; base = 1; num = 0; while (--len >= 0) { if ( (s[len] == 'x' || s[len] == 'X') && (s[len-1] == '0') ) break; if (s[len] >= '0' && s[len] <= '9') num = s[len] - '0'; else if (s[len] >= 'a' && s[len] <= 'f') num = (s[len] - 'a') + 10; else if (s[len] >= 'A' && s[len] <= 'F') num = (s[len] - 'A') + 10; else continue;
hex += num * base; base = base * 16; } return hex;}
ULONG StringToNumber( LPWSTR sz ){ if( NULL == sz ){ return 0; }
if( wcsstr( sz, L"x" ) || wcsstr( sz, L"X" ) ){ return ahextoi( sz ); }else{ return _wtol( sz ); }}
void AnsiToUnicode(PCHAR str, PWCHAR wstr){ int len, i; PUCHAR AnsiChar;
if (str == NULL || wstr == NULL) return;
len = strlen(str); for (i=0; i<len; i++) { AnsiChar = (PUCHAR) &str[i]; wstr[i] = (WCHAR) RtlAnsiCharToUnicodeChar(&AnsiChar); } wstr[len] = 0;}
voidPrintMapValue( PVALUEMAP pValueMap, DWORD dwValue ){
//
// Function assumes TraceContext->hDumpFile
// is open and valid
//
BOOL bFirst = TRUE; BOOL bDone = FALSE;
LONG HUGEP *pValueMapData; BSTR HUGEP *pValuesData;
LONG uMapBound, lMapBound; LONG uValuesBound, lValuesBound;
if( NULL != pValueMap->saValueMap ){ SafeArrayGetUBound( pValueMap->saValueMap, 1, &uMapBound ); SafeArrayGetLBound( pValueMap->saValueMap, 1, &lMapBound ); SafeArrayAccessData( pValueMap->saValueMap, (void HUGEP **)&pValueMapData ); }
if( NULL != pValueMap->saValues ){ SafeArrayGetUBound( pValueMap->saValues, 1, &uValuesBound ); SafeArrayGetLBound( pValueMap->saValues, 1, &lValuesBound ); SafeArrayAccessData( pValueMap->saValues, (void HUGEP **)&pValuesData ); }
if( NULL != pValueMap->saValues && NULL != pValueMap->saValueMap ){ for ( LONG i=lMapBound; i<=uMapBound && !bDone; i++) {
switch( pValueMap->dwValueType ){ case VALUETYPE_INDEX: if( dwValue == pValueMapData[i] ){ fwprintf( TraceContext->hDumpFile, L"\"%ws\", ", pValuesData[i] ); bDone = TRUE; } break; case VALUETYPE_FLAG: if( (dwValue & pValueMapData[i]) == pValueMapData[i] ){ if( bFirst ){ fwprintf( TraceContext->hDumpFile, L"\"%ws", pValuesData[i] ); bFirst = FALSE; }else{ fwprintf( TraceContext->hDumpFile, L"|%ws", pValuesData[i] ); } } break; } } }else if( NULL != pValueMap->saValues ){ if( (LONG)dwValue >= lValuesBound && (LONG)dwValue <= uValuesBound ){ fwprintf( TraceContext->hDumpFile, L"\"%ws\", ", pValuesData[dwValue] ); bDone = TRUE; } }
if( !bFirst && !bDone ){ //
// Flags were found; need to end the quotes
//
fwprintf( TraceContext->hDumpFile, L"\", " ); }
if( bFirst && !bDone ){ //
// No values mapped; just print the DWORD
//
fwprintf( TraceContext->hDumpFile, L"%d, ", dwValue ); }
if( NULL != pValueMap->saValueMap ){ SafeArrayUnaccessData( pValueMap->saValueMap ); } if( NULL != pValueMap->saValues ){ SafeArrayUnaccessData( pValueMap->saValues ); }}
#define PRINTVALUE( s, v ) \
if( NULL == pItem->pValueMap ){ \ fwprintf(DumpFile, s, v); \ }else{ \ PrintMapValue( pItem->pValueMap, (DWORD)v ); \ }
voidWINAPIDumpEvent( PEVENT_TRACE pEvent ){ PEVENT_TRACE_HEADER pHeader; ULONG i; PITEM_DESC pItem; PCHAR str; PWCHAR wstr; PCHAR ptr; ULONG ulongword; LONG longword; USHORT ushortword; SHORT shortword; PMOF_INFO pMofInfo; PMOF_VERSION pMofVersion; PLIST_ENTRY Head, Next; char iChar; WCHAR iwChar; ULONG MofDataUsed; FILE* DumpFile = NULL;
TotalEventCount++;
if (pEvent == NULL) { return; }
pHeader = (PEVENT_TRACE_HEADER) &pEvent->Header;
if (MofData == NULL) { MofLength = pEvent->MofLength + sizeof(UNICODE_NULL); MofData = (LPSTR)malloc(MofLength); } else if ((pEvent->MofLength + sizeof(UNICODE_NULL)) > MofLength) { free(MofData); MofLength = pEvent->MofLength + sizeof(UNICODE_NULL); MofData = (LPSTR)malloc(MofLength); }
if (MofData == NULL) { return; } if ((pEvent->MofData == NULL) && (0 != pEvent->MofLength)) { return; }
if (pEvent->MofData != NULL) { RtlCopyMemory(MofData, pEvent->MofData, pEvent->MofLength); }
MofData[pEvent->MofLength] = 0; MofData[pEvent->MofLength+1] = 0; ptr = MofData; MofDataUsed = 0;
pMofInfo = GetMofInfoHead( &pEvent->Header.Guid );
if (pMofInfo == NULL) { return; } pMofInfo->EventCount++;
pMofVersion = GetMofVersion(pMofInfo, pEvent->Header.Class.Type, pEvent->Header.Class.Version, pEvent->Header.Class.Level );
if( NULL == pMofVersion ){ return; }
pMofVersion->EventCountByType++;
if( !(TraceContext->Flags & TRACE_DUMP) ){ return; }
DumpFile = TraceContext->hDumpFile; str = (PCHAR)malloc(MOFSTR); if (str == NULL) { return; } wstr = (PWCHAR)malloc(MOFWSTR * sizeof(WCHAR)); if (wstr == NULL) { free(str); return; }
if( pMofInfo->strDescription != NULL ){ fwprintf( DumpFile, L"%12s, ", pMofInfo->strDescription ); }else{ fwprintf( DumpFile, L"%12s, ", CpdiGuidToString( wstr, MOFWSTR, &pMofInfo->Guid ) ); }
if(pMofVersion->strType != NULL && wcslen(pMofVersion->strType) ){ fwprintf( DumpFile, L"%10s, ", pMofVersion->strType ); }else{ fwprintf( DumpFile, L"%10d, ", pEvent->Header.Class.Type ); }
if( TraceContext->Flags & TRACE_EXTENDED_FMT ){ fwprintf( DumpFile, L"%8d,%8d,%8d, ", pEvent->Header.Class.Type, pEvent->Header.Class.Level, pEvent->Header.Class.Version ); }
// Thread ID
fwprintf( DumpFile, L"0x%08X, ", pHeader->ThreadId ); // System Time
fwprintf( DumpFile, L"%20I64u, ", pHeader->TimeStamp.QuadPart);
if( g_bUserMode == FALSE ){ // Kernel Time
fwprintf(DumpFile, L"%10lu, ", pHeader->KernelTime * TimerResolution);
// User Time
fwprintf(DumpFile, L"%10lu, ", pHeader->UserTime * TimerResolution); }else{ // processor Time
fwprintf(DumpFile, L"%I64u, ", pHeader->ProcessorTime); }
Head = &pMofVersion->ItemHeader; Next = Head->Flink;
if ((Head == Next) && (pEvent->MofLength > 0)) { fwprintf(DumpFile, L"DataSize=%d, ", pEvent->MofLength); }
while (Head != Next) { pItem = CONTAINING_RECORD(Next, ITEM_DESC, Entry); Next = Next->Flink;
MofDataUsed = (ULONG) (ptr - MofData); if (MofDataUsed >= pEvent->MofLength){ break; }
switch (pItem->ItemType) { case ItemChar: case ItemUChar: if( NULL == pItem->pValueMap ){ fwprintf(DumpFile, L"\"" ); for (i = 0; i < pItem->ArraySize; i++){ iChar = *((PCHAR) ptr); if (iChar != '\0') { fwprintf(DumpFile, L"%c", iChar); } ptr += sizeof(CHAR); } fwprintf(DumpFile, L"\", " ); }else{ iChar = *((PCHAR) ptr); PrintMapValue( pItem->pValueMap, (DWORD)iChar ); ptr += sizeof(CHAR); } break; case ItemCharHidden: ptr += sizeof(CHAR) * pItem->ArraySize; break; case ItemWChar: if( NULL == pItem->pValueMap ){ fwprintf(DumpFile, L"\"" ); for(i = 0; i < pItem->ArraySize; i++){ iwChar = *((PWCHAR) ptr); if (iwChar != '\0') { fwprintf(DumpFile, L"%wc", iwChar); } ptr += sizeof(WCHAR); } fwprintf(DumpFile, L"\", "); }else{ iwChar = *((PWCHAR) ptr); PrintMapValue( pItem->pValueMap, (DWORD)iwChar ); ptr += sizeof(WCHAR); } break; case ItemCharSign: { char sign[5]; RtlCopyMemory(&sign[0], ptr, sizeof(CHAR) * 2); sign[2] = '\0'; StringCchCopyA(str, MOFSTR, sign); MultiByteToWideChar(CP_ACP, 0, str, -1, wstr, MOFWSTR); fwprintf(DumpFile, L"\"%ws\", ", wstr); ptr += sizeof(CHAR) * 2; break; }
case ItemCharShort: iChar = *((PCHAR) ptr); PRINTVALUE( L"%d, ", iChar ); ptr += sizeof(CHAR); break;
case ItemShort: RtlCopyMemory(&shortword, ptr, sizeof(SHORT)); PRINTVALUE( L"%6d, ", shortword); ptr += sizeof (SHORT); break;
case ItemUShort: RtlCopyMemory(&ushortword, ptr, sizeof(USHORT)); PRINTVALUE( L"%6u, ", ushortword ); ptr += sizeof (USHORT); break;
case ItemLong: RtlCopyMemory(&longword, ptr, sizeof(LONG)); PRINTVALUE( L"%8d, ", longword ); ptr += sizeof (LONG); break;
case ItemULong: RtlCopyMemory(&ulongword, ptr, sizeof(ULONG)); PRINTVALUE( L"%8lu, ", ulongword); ptr += sizeof (ULONG); break;
case ItemULongX: RtlCopyMemory(&ulongword, ptr, sizeof(ULONG)); PRINTVALUE( L"0x%08X, ", ulongword); ptr += sizeof (ULONG); break;
case ItemPtr : { unsigned __int64 pointer; if (PointerSize == 64) { RtlCopyMemory(&pointer, ptr, PointerSize / 8); fwprintf(DumpFile, L"0x%08X, ", pointer); ptr += PointerSize / 8; } else { // assumes 32 bit otherwise
RtlCopyMemory(&ulongword, ptr, sizeof(ULONG)); fwprintf(DumpFile, L"0x%08X, ", ulongword); ptr += sizeof(ULONG); } break; } case ItemSizeT : { unsigned __int64 pointer; if (PointerSize == 64) { RtlCopyMemory(&pointer, ptr, PointerSize / 8); fwprintf(DumpFile, L"%16I64d, ", pointer); ptr += PointerSize / 8; } else { // assumes 32 bit otherwise
RtlCopyMemory(&ulongword, ptr, sizeof(ULONG)); fwprintf(DumpFile, L"%8d, ", ulongword); ptr += sizeof(ULONG); } break; }
case ItemIPAddr: { RtlCopyMemory(&ulongword, ptr, sizeof(ULONG));
// Convert it to readable form
//
fwprintf(DumpFile, L"%03d.%03d.%03d.%03d, ", (ulongword >> 0) & 0xff, (ulongword >> 8) & 0xff, (ulongword >> 16) & 0xff, (ulongword >> 24) & 0xff); ptr += sizeof (ULONG); break; }
case ItemTDIAddr: { WCHAR ipAddrBuffer[MAX_ADDRESS_LENGTH]; PWCHAR pszW = &ipAddrBuffer[0]; PTDI_ADDRESS_IP pIPv4Address; PTDI_ADDRESS_IP6 pIPv6Address;
RtlCopyMemory(&ushortword, ptr, sizeof(USHORT)); ptr += sizeof (USHORT);
pIPv4Address = ((PTDI_ADDRESS_IP) ptr); pIPv6Address = ((PTDI_ADDRESS_IP6) ptr);
// Right now, we only recognize PV4 and PV6
DecodeIpAddressW( ushortword, &pIPv4Address->in_addr, &pIPv6Address->sin6_addr[0], pszW );
// Convert it to readable form
//
fwprintf(DumpFile, L"%ws, ", ipAddrBuffer); ptr = MofData + pEvent->MofLength; // ItemTDIAddr can only be the last member
break; }
case ItemPort: { RtlCopyMemory(&ushortword, ptr, sizeof(USHORT)); fwprintf(DumpFile, L"%u, ", NTOHS(ushortword)); ptr += sizeof (USHORT); break; }
case ItemLongLong: { LONGLONG n64; RtlCopyMemory(&n64, ptr, sizeof(LONGLONG)); ptr += sizeof(LONGLONG); fwprintf(DumpFile, L"%16I64d, ", n64); break; }
case ItemULongLong: { ULONGLONG n64; RtlCopyMemory(&n64, ptr, sizeof(ULONGLONG)); ptr += sizeof(ULONGLONG); fwprintf(DumpFile, L"%16I64u, ", n64); break; }
case ItemString: case ItemRString: { USHORT pLen = (USHORT)strlen((CHAR*) ptr);
if (pLen > 0) { StringCchCopyA(str, MOFSTR, ptr); if (pItem->ItemType == ItemRString) { reduceA(str); } str[pLen] = '\0'; for (i= pLen - 1; i > 0; i--) { if (str[i] == 0xFF) { str[i] = 0; } else break; } MultiByteToWideChar(CP_ACP, 0, str, -1, wstr, MOFWSTR); fwprintf(DumpFile, L"\"%ws\", ", wstr); } ptr += (pLen + 1); break; } case ItemRWString: case ItemWString: { USHORT pLen = 0;
if (*(WCHAR *) ptr) { if (pItem->ItemType == ItemRWString) { reduceW((WCHAR *) ptr); } pLen = ((lstrlenW((WCHAR*)ptr) + 1) * sizeof(WCHAR)); RtlCopyMemory(wstr, ptr, pLen); wstr[(pLen / sizeof(WCHAR))] = L'\0';
for (i = (pLen/sizeof(WCHAR)) - 1; i > 0; i--) { if (((USHORT) wstr[i] == (USHORT) 0xFFFF)) { wstr[i] = (USHORT) 0; } else break; }
fwprintf(DumpFile, L"\"%ws\", ", wstr); } ptr += pLen;
break; }
case ItemDSString: // Counted String
{ USHORT pLen = (USHORT)(256 * ((USHORT) * ptr) + ((USHORT) * (ptr + 1))); ptr += sizeof(USHORT); if (pLen > (pEvent->MofLength - MofDataUsed - 1)) { pLen = (USHORT) (pEvent->MofLength - MofDataUsed - 1); } if (pLen > 0) { StringCchCopyA(str, MOFSTR, ptr); MultiByteToWideChar(CP_ACP, 0, str, -1, wstr, MOFWSTR); replaceNLW(wstr); fwprintf(DumpFile, L"\"%ws\", ", wstr); } ptr += (pLen + 1); break; }
case ItemPString: // Counted String
{ USHORT pLen; RtlCopyMemory(&pLen, ptr, sizeof(USHORT)); ptr += sizeof(USHORT);
if (pLen > (pEvent->MofLength - MofDataUsed)) { pLen = (USHORT) (pEvent->MofLength - MofDataUsed); }
if (pLen > MOFSTR * sizeof(CHAR)) { pLen = MOFSTR * sizeof(CHAR); } if (pLen > 0) { RtlCopyMemory(str, ptr, pLen); str[pLen] = '\0'; MultiByteToWideChar(CP_ACP, 0, str, -1, wstr, MOFWSTR); fwprintf(DumpFile, L"\"%ws\", ", wstr); } ptr += pLen; break; }
case ItemDSWString: // DS Counted Wide Strings
case ItemPWString: // Counted Wide Strings
{ USHORT pLen; if (pItem->ItemType == ItemDSWString) { pLen = (USHORT)(256 * ((USHORT) * ptr) + ((USHORT) * (ptr + 1))); } else { RtlCopyMemory(&pLen, ptr, sizeof(USHORT)); } ptr += sizeof(USHORT);
if (pLen > (pEvent->MofLength - MofDataUsed)) { pLen = (USHORT) (pEvent->MofLength - MofDataUsed); }
if (pLen > MOFWSTR * sizeof(WCHAR)) { pLen = MOFWSTR * sizeof(WCHAR); } if (pLen > 0) { RtlCopyMemory(wstr, ptr, pLen); wstr[pLen / sizeof(WCHAR)] = L'\0'; if (pItem->ItemType == ItemDSWString) { replaceNLW(wstr); } fwprintf(DumpFile, L"\"%ws\", ", wstr); } ptr += pLen; break; }
case ItemNWString: // Non Null Terminated String
{ USHORT Size;
Size = (USHORT)(pEvent->MofLength - (ULONG)(ptr - MofData)); if( Size > MOFSTR ) { Size = MOFSTR; } if (Size > 0) { RtlCopyMemory(wstr, ptr, Size); wstr[Size / sizeof(WCHAR)] = '\0'; fwprintf(DumpFile, L"\"%ws\", ", wstr); } ptr += Size; break; }
case ItemMLString: // Multi Line String
{ USHORT pLen; char * src, * dest; BOOL inQ = FALSE; BOOL skip = FALSE; UINT lineCount = 0;
ptr += sizeof(UCHAR) * 2; pLen = (USHORT)strlen(ptr); if (pLen > 0) { src = ptr; dest = str; while (* src != '\0'){ if (* src == '\n'){ if (!lineCount){ * dest++ = ' '; } lineCount++; }else if (* src == '\"'){ if (inQ){ char strCount[32]; char * cpy;
StringCchPrintfA(strCount, 32, "{%dx}", lineCount); cpy = & strCount[0]; while (* cpy != '\0'){ * dest ++ = * cpy ++; } } inQ = !inQ; }else if (!skip){ *dest++ = *src; } skip = (lineCount > 1 && inQ); src++; } *dest = '\0'; MultiByteToWideChar(CP_ACP, 0, str, -1, wstr, MOFWSTR); fwprintf(DumpFile, L"\"%ws\", ", wstr); } ptr += (pLen); break; }
case ItemSid: { WCHAR UserName[64]; WCHAR Domain[64]; WCHAR FullName[256]; ULONG asize = 0; ULONG bsize = 0; ULONG SidMarker; SID_NAME_USE Se; ULONG nSidLength;
RtlCopyMemory(&SidMarker, ptr, sizeof(ULONG)); if (SidMarker == 0){ ptr += 4; fwprintf(DumpFile, L"0, "); } else { if (PointerSize == 64) { ptr += 16; // skip the TOKEN_USER structure
} else { ptr += 8; // skip the TOKEN_USER structure
} nSidLength = 8 + (4*ptr[1]);
asize = 64; bsize = 64; if (LookupAccountSidW( NULL, (PSID) ptr, (LPWSTR) & UserName[0], & asize, (LPWSTR) & Domain[0], & bsize, & Se)) { LPWSTR pFullName = &FullName[0]; StringCchPrintfW(pFullName, 256, L"\\\\%s\\%s", Domain, UserName); asize = (ULONG) lstrlenW(pFullName); if (asize > 0){ fwprintf(DumpFile, L"\"%s\", ", pFullName); } } else { fwprintf(DumpFile, L"\"System\", " ); } SetLastError( ERROR_SUCCESS ); ptr += nSidLength; } break; }
case ItemChar4: fwprintf(DumpFile, L"%c%c%c%c, ", *ptr, ptr[1], ptr[2], ptr[3]); ptr += 4 * sizeof(CHAR); break;
case ItemGuid: { WCHAR s[MAXGUIDSTR]; fwprintf(DumpFile, L"%s, ", CpdiGuidToString(&s[0], MAXGUIDSTR, (LPGUID)ptr)); ptr += sizeof(GUID); break; }
case ItemCPUTime: { RtlCopyMemory(&ulongword, ptr, sizeof(ULONG)); fwprintf(DumpFile, L"%8lu, ", ulongword * TimerResolution); ptr += sizeof (ULONG); break; }
case ItemOptArgs: { DWORD dwOptArgs = * ((PLONG) ptr); DWORD dwMofLen = pEvent->MofLength + sizeof(UNICODE_NULL); DWORD dwMofUsed = MofDataUsed + sizeof(DWORD); DWORD dwType; LPWSTR wszString; LPSTR aszString; LONG lValue32; LONGLONG lValue64;
ptr += sizeof(LONG); for (i = 0; i < 8; i ++) { if (dwMofUsed > dwMofLen) { break; } dwType = (dwOptArgs >> (i * 4)) & 0x0000000F; switch (dwType) { case 0: // LONG
dwMofUsed += sizeof(LONG); if (dwMofUsed <= dwMofLen) { RtlCopyMemory(&lValue32, ptr, sizeof(LONG)); ptr += sizeof(LONG); PRINTVALUE( L"%d,", lValue32); } break;
case 1: // WSTR
wszString = (LPWSTR) ptr; dwMofUsed += sizeof(WCHAR) * (lstrlenW(wszString) + 1); if (dwMofUsed <= dwMofLen) { fwprintf(DumpFile, L"\"%ws\",", wszString); ptr += sizeof(WCHAR) * (lstrlenW(wszString) + 1); } break;
case 2: // STR
aszString = (LPSTR) ptr; dwMofUsed += sizeof(CHAR) * (lstrlenA(aszString) + 1); if (dwMofUsed <= dwMofLen) { MultiByteToWideChar(CP_ACP, 0, aszString, -1, wstr, MOFWSTR); fwprintf(DumpFile, L"\"%ws\", ", wstr); ptr += sizeof(CHAR) * (lstrlenA(aszString) + 1); } break;
case 3: // LONG64
dwMofUsed += sizeof(LONGLONG); if (dwMofUsed <= dwMofLen) { RtlCopyMemory(&lValue64, ptr, sizeof(LONGLONG)); ptr += sizeof(LONGLONG); fwprintf(DumpFile, L"%I64d,", lValue64); } break;
case 4: // LONGX
dwMofUsed += sizeof(LONG); if (dwMofUsed <= dwMofLen) { RtlCopyMemory(&lValue32, ptr, sizeof(LONG)); ptr += sizeof(LONG); fwprintf(DumpFile, L"0x%08X,", lValue32); } break;
case 5: // LONGLONGX
dwMofUsed += sizeof(LONGLONG); if (dwMofUsed <= dwMofLen) { RtlCopyMemory(&lValue64, ptr, sizeof(LONGLONG)); ptr += sizeof(LONGLONG); fwprintf(DumpFile, L"0x%016I64X,", lValue64); } break; } } break; }
case ItemVariant: { //
// Variable Size. First ULONG gives the sizee and the rest is blob
//
RtlCopyMemory(&ulongword, ptr, sizeof(ULONG)); ptr += sizeof(ULONG);
fwprintf(DumpFile, L"DataSize=%d, ", ulongword);
// No need to dump the contents of the Blob itself.
ptr += ulongword; break; } case ItemBool: { BOOL Flag; RtlCopyMemory(&Flag, ptr, sizeof(BOOL)); fwprintf(DumpFile, L"%5s, " , (Flag) ? L"TRUE" : L"FALSE" ); ptr += sizeof(BOOL); break; }
default: ptr += sizeof (int); } }
//Instance ID, Parent Instance ID
fwprintf(DumpFile, L"%d, %d\n", pEvent->InstanceId, pEvent->ParentInstanceId );
free(str); free(wstr);}
#ifdef __cplusplus
}#endif
|
