archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/sdktools/trace/tracectr/mergetl.c

745 lines
23 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) Microsoft Corporation. All rights reserved.
  5. Module Name:
  7. mergetl.c
  9. Abstract:
  11. Converts multiple ETL files into a single ordered ETL files.
  13. Author:
  15. Melur Raghuraman (Mraghu) 9-Dec-2000
  17. Revision History:
  20. --*/
  22. #include <stdlib.h>
  23. #include <stdio.h>
  24. #include <nt.h>
  25. #include <ntrtl.h>
  26. #include <nturtl.h>
  27. #include <windows.h>
  28. #include <shellapi.h>
  29. #include <wmistr.h>
  30. #include <objbase.h>
  31. #include <initguid.h>
  32. #include <wmium.h>
  33. #include <ntwmi.h>
  34. #include <wmiumkm.h>
  35. #include <evntrace.h>
  36. #include "cpdata.h"
  37. #include "tracectr.h"
  40. #define MAXSTR 1024
  41. #define LOGGER_NAME L"{28ad2447-105b-4fe2-9599-e59b2aa9a634}"
  42. #define LOGGER_NAME_SIZE 38
  44. #define MAX_RETRY_COUNT 10
  46. #define ETW_PROC_MISMATCH 0x00000001
  47. #define ETW_MACHINE_MISMATCH 0x00000002
  48. #define ETW_CLOCK_MISMATCH 0x00000004
  49. #define ETW_BOOTTIME_MISMATCH 0x00000008
  50. #define ETW_VERSION_MISMATCH 0x00000010
  51. #define ETW_POINTER_MISMATCH 0x00000020
  53. TRACEHANDLE LoggerHandle;
  54. ULONG TotalRelogBuffersRead = 0;
  55. ULONG TotalRelogEventsRead = 0;
  56. ULONG FailedEvents=0;
  57. ULONG NumHdrProcessed = 0;
  59. GUID TransactionGuid =
  60. {0xab8bb8a1, 0x3d98, 0x430c, 0x92, 0xb0, 0x78, 0x8f, 0x1d, 0x3f, 0x6e, 0x94};
  61. GUID ControlGuid[2] =
  62. {
  63. {0x42ae6427, 0xb741, 0x4e69, 0xb3, 0x95, 0x38, 0x33, 0x9b, 0xb9, 0x91, 0x80},
  64. {0xb9e2c2d6, 0x95fb, 0x4841, 0xa3, 0x73, 0xad, 0x67, 0x2b, 0x67, 0xb6, 0xc1}
  65. };
  67. typedef struct _USER_MOF_EVENT {
  68. EVENT_TRACE_HEADER Header;
  69. MOF_FIELD mofData;
  70. } USER_MOF_EVENT, *PUSER_MOF_EVENT;
  72. PSYSTEM_TRACE_HEADER MergedSystemTraceHeader;
  73. PTRACE_LOGFILE_HEADER MergedLogFileHeader;
  74. ULONG HeaderMisMatch = 0;
  76. TRACE_GUID_REGISTRATION TraceGuidReg[] =
  77. {
  78. { (LPGUID)&TransactionGuid,
  79. NULL
  80. }
  81. };
  84. TRACEHANDLE RegistrationHandle[2];
  87. ULONG InitializeTrace();
  89. ULONG
  90. ControlCallback(
  91. IN WMIDPREQUESTCODE RequestCode,
  92. IN PVOID Context,
  93. IN OUT ULONG *InOutBufferSize,
  94. IN OUT PVOID Buffer
  95. );
  97. void
  98. WINAPI
  99. EtwDumpEvent(
  100. PEVENT_TRACE pEvent
  101. );
  103. void
  104. WINAPI
  105. EtwProcessLogHeader(
  106. PEVENT_TRACE pEvent
  107. );
  109. ULONG
  110. WINAPI
  111. TerminateOnBufferCallback(
  112. PEVENT_TRACE_LOGFILE pLog
  113. );
  115. ULONG
  116. WINAPI
  117. BufferCallback(
  118. PEVENT_TRACE_LOGFILE pLog
  119. );
  122. USER_MOF_EVENT UserMofEvent;
  124. BOOLEAN bLoggerStarted = FALSE;
  125. PEVENT_TRACE_LOGFILE pLogFile=NULL;
  127. PEVENT_TRACE_LOGFILE EvmFile[MAXLOGGERS];
  129. ULONG LogFileCount = 0;
  130. PEVENT_TRACE_PROPERTIES pLoggerInfo = NULL;
  131. ULONG LoggerInfoSize = 0;
  133. ULONG DifferentPointer = FALSE;
  135. int EtwRelogEtl(
  136. IN OUT PTRACE_CONTEXT_BLOCK TraceContext,
  137. OUT PULONG pMergedEventsLost
  138. )
  139. {
  140. ULONG Status=ERROR_SUCCESS;
  141. ULONG i, j;
  142. TRACEHANDLE HandleArray[MAXLOGGERS];
  143. ULONG SizeNeeded = 0;
  144. LPTSTR LoggerName;
  145. LPTSTR LogFileName;
  147. //
  148. // Allocate Storage for the MergedSystemTraceHeader
  149. //
  151. LoggerInfoSize = sizeof(SYSTEM_TRACE_HEADER) +
  152. sizeof(TRACE_LOGFILE_HEADER) +
  153. MAXSTR * sizeof(WCHAR) +
  154. (LOGGER_NAME_SIZE + 1) * sizeof(WCHAR);
  156. SizeNeeded = sizeof(EVENT_TRACE_PROPERTIES) +
  157. 2 * MAXSTR * sizeof(WCHAR) +
  158. LoggerInfoSize;
  160. // Need to allocate more to consider different pointer size case
  161. pLoggerInfo = (PEVENT_TRACE_PROPERTIES) malloc(SizeNeeded + 8);
  162. if (pLoggerInfo == NULL) {
  163. Status = ERROR_OUTOFMEMORY;
  164. goto cleanup;
  165. }
  167. RtlZeroMemory(pLoggerInfo, SizeNeeded + 8);
  169. pLoggerInfo->Wnode.BufferSize = SizeNeeded;
  170. pLoggerInfo->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
  171. //
  172. // The relogged file contains a standard time stamp format.
  173. //
  174. pLoggerInfo->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES) + LoggerInfoSize;
  176. pLoggerInfo->LogFileNameOffset = pLoggerInfo->LoggerNameOffset + MAXSTR * sizeof(WCHAR);
  177. pLoggerInfo->LogFileMode = (EVENT_TRACE_PRIVATE_LOGGER_MODE |
  178. EVENT_TRACE_RELOG_MODE |
  179. EVENT_TRACE_FILE_MODE_SEQUENTIAL
  180. );
  181. pLoggerInfo->MinimumBuffers = 2;
  182. pLoggerInfo->MaximumBuffers = 50;
  184. LoggerName = (LPTSTR)((char*)pLoggerInfo + pLoggerInfo->LoggerNameOffset);
  185. LogFileName = (LPTSTR)((char*)pLoggerInfo + pLoggerInfo->LogFileNameOffset);
  186. StringCchCopyW(LoggerName, MAXSTR, LOGGER_NAME);
  188. Status = UuidCreate(&ControlGuid[0]);
  190. if (Status != ERROR_SUCCESS) {
  191. goto cleanup;
  192. }
  194. pLoggerInfo->Wnode.Guid = ControlGuid[0];
  196. if ( wcslen(TraceContext->MergeFileName) > 0 ) {
  197. StringCchCopyW(LogFileName, MAXSTR, TraceContext->MergeFileName);
  198. }
  200. MergedSystemTraceHeader = (PSYSTEM_TRACE_HEADER) ((PUCHAR) pLoggerInfo +
  201. sizeof(EVENT_TRACE_PROPERTIES));
  203. MergedLogFileHeader = (PTRACE_LOGFILE_HEADER) (
  204. (PUCHAR)MergedSystemTraceHeader +
  205. sizeof(SYSTEM_TRACE_HEADER));
  207. LogFileCount = 0;
  209. for (i = 0; i < TraceContext->LogFileCount; i++) {
  210. pLogFile = malloc(sizeof(EVENT_TRACE_LOGFILE));
  211. if (pLogFile == NULL) {
  212. Status = ERROR_OUTOFMEMORY;
  213. goto cleanup;
  214. }
  215. RtlZeroMemory(pLogFile, sizeof(EVENT_TRACE_LOGFILE));
  216. EvmFile[i] = pLogFile;
  217. pLogFile->LogFileName = TraceContext->LogFileName[i];
  218. EvmFile[i]->EventCallback = (PEVENT_CALLBACK) &EtwProcessLogHeader;
  219. EvmFile[i]->BufferCallback = TerminateOnBufferCallback;
  220. LogFileCount++;
  221. }
  223. if (LogFileCount == 0) {
  224. Status = ERROR_INVALID_PARAMETER;
  225. goto cleanup;
  226. }
  228. //
  229. // Initialize Trace
  230. //
  232. Status = InitializeTrace();
  233. if (Status != ERROR_SUCCESS) {
  234. goto cleanup;
  235. }
  236. //
  237. // Set up the Relog Event
  238. //
  240. RtlZeroMemory(&UserMofEvent, sizeof(UserMofEvent));
  241. UserMofEvent.Header.Size = sizeof(UserMofEvent);
  242. UserMofEvent.Header.Flags = WNODE_FLAG_TRACED_GUID | WNODE_FLAG_USE_MOF_PTR;
  245. for (i = 0; i < LogFileCount; i++) {
  246. TRACEHANDLE x;
  248. EvmFile[i]->LogfileHeader.ReservedFlags |= EVENT_TRACE_GET_RAWEVENT;
  250. x = OpenTrace(EvmFile[i]);
  251. HandleArray[i] = x;
  252. if (HandleArray[i] == (TRACEHANDLE)INVALID_HANDLE_VALUE) {
  253. Status = GetLastError();
  254. for (j = 0; j < i; j++)
  255. CloseTrace(HandleArray[j]);
  256. goto cleanup;
  257. }
  258. Status = ProcessTrace(&x, 1, NULL, NULL);
  259. }
  261. for (j = 0; j < LogFileCount; j++){
  262. Status = CloseTrace(HandleArray[j]);
  263. }
  266. if (HeaderMisMatch) {
  267. if (HeaderMisMatch & ETW_CLOCK_MISMATCH) {
  268. Status = ERROR_INVALID_TIME;
  269. }
  270. else if (HeaderMisMatch & ETW_PROC_MISMATCH || HeaderMisMatch & ETW_POINTER_MISMATCH)
  271. Status = ERROR_INVALID_DATA;
  273. goto cleanup;
  274. }
  276. if ( (MergedLogFileHeader->BufferSize == 0) ||
  277. (MergedLogFileHeader->NumberOfProcessors == 0) ) {
  278. goto cleanup;
  279. }
  282. //
  283. // We are past the Error checks. Go ahead and Allocate
  284. // Storage to Start a logger
  285. //
  287. pLoggerInfo->Wnode.ClientContext = MergedLogFileHeader->ReservedFlags;
  288. pLoggerInfo->Wnode.ProviderId = MergedLogFileHeader->NumberOfProcessors;
  289. pLoggerInfo->BufferSize = MergedLogFileHeader->BufferSize / 1024;
  291. //
  292. // We are Past the Error Checks. Go ahead and redo ProcessTrace
  293. //
  295. for (i = 0; i < TraceContext->LogFileCount; i++) {
  296. TRACEHANDLE x;
  297. EvmFile[i]->EventCallback = (PEVENT_CALLBACK) &EtwDumpEvent;
  298. EvmFile[i]->BufferCallback = BufferCallback;
  300. EvmFile[i]->LogfileHeader.ReservedFlags |= EVENT_TRACE_GET_RAWEVENT;
  302. x = OpenTrace(EvmFile[i]);
  303. HandleArray[i] = x;
  304. if (HandleArray[i] == 0) {
  305. Status = GetLastError();
  306. for (j = 0; j < i; j++)
  307. CloseTrace(HandleArray[j]);
  308. goto cleanup;
  309. }
  310. }
  312. Status = ProcessTrace(
  313. HandleArray,
  314. LogFileCount,
  315. NULL,
  316. NULL
  317. );
  319. for (j = 0; j < LogFileCount; j++){
  320. Status = CloseTrace(HandleArray[j]);
  321. }
  323. //
  324. // Need to Stop Trace
  325. //
  326. if (bLoggerStarted) {
  327. RtlZeroMemory(pLoggerInfo, SizeNeeded);
  328. pLoggerInfo->Wnode.BufferSize = sizeof(EVENT_TRACE_PROPERTIES) + 2 * MAXSTR * sizeof(WCHAR);
  329. pLoggerInfo->Wnode.Guid = ControlGuid[0];
  330. pLoggerInfo->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
  331. pLoggerInfo->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
  332. pLoggerInfo->LogFileNameOffset = pLoggerInfo->LoggerNameOffset + MAXSTR * sizeof(WCHAR);
  333. pLoggerInfo->LogFileMode = (EVENT_TRACE_PRIVATE_LOGGER_MODE |
  334. EVENT_TRACE_RELOG_MODE |
  335. EVENT_TRACE_FILE_MODE_SEQUENTIAL
  336. );
  337. Status = ControlTrace(LoggerHandle, LoggerName, pLoggerInfo, EVENT_TRACE_CONTROL_STOP);
  338. }
  340. //
  341. // We need to cleanup and reset properly to allow this library
  342. // to be used by perf tools
  343. //
  345. bLoggerStarted = FALSE;
  347. Status = UnregisterTraceGuids(RegistrationHandle[0]);
  349. cleanup:
  350. if (NULL != pMergedEventsLost) {
  351. *pMergedEventsLost = FailedEvents;
  352. }
  354. for (i = 0; i < LogFileCount; i ++){
  355. if (EvmFile[i] != NULL)
  356. free(EvmFile[i]);
  357. }
  358. if (pLoggerInfo != NULL)
  359. free (pLoggerInfo);
  361. return Status;
  362. }
  365. void
  366. WINAPI
  367. EtwProcessLogHeader(
  368. PEVENT_TRACE pEvent
  369. )
  370. /*++
  372. Routine Description:
  374. This routine checks to see if the pEvent is a LOGFILE_HEADER
  375. and if so captures the information on the logfile for validation.
  377. The following checks are performed.
  378. 1. Files must be from the same machine. (Verified using machine name)
  379. 2. If different buffersizes are used, largest buffer size is
  380. selected for relogging.
  381. 3. The StartTime and StopTime are the outer most from the files.
  382. 4. The CPUClock type must be the same for all files. If different
  383. clock types are used, then the files will be rejected.
  385. The routine assumes that the first Event Callback from each file is the
  386. LogFileHeader callback.
  388. Other Issues that could result in a not so useful merged logfile are:
  389. 1. Multiple RunDown records when kernel logfiles are merged.
  390. 2. Multiple SystemConfig records when kernel logfiles are merged
  391. 3. Multiple and conflicting GUidMap records when Application logfiles are merged.
  392. 4. ReLogging 32 bit data in 64 bit system
  395. Arguments:
  398. Return Value:
  400. None.
  401. --*/
  402. {
  403. ULONG NumProc;
  405. if( IsEqualGUID(&pEvent->Header.Guid, &EventTraceGuid) &&
  406. pEvent->Header.Class.Type == EVENT_TRACE_TYPE_INFO ) {
  408. PSYSTEM_TRACE_HEADER pSysHeader;
  409. PTRACE_LOGFILE_HEADER head = (PTRACE_LOGFILE_HEADER)((PUCHAR)pEvent->MofData + sizeof(SYSTEM_TRACE_HEADER) );
  410. ULONG BufferSize = head->BufferSize;
  411. pSysHeader = (PSYSTEM_TRACE_HEADER) pEvent->MofData;
  413. if (MergedSystemTraceHeader->Packet.Size == 0) {
  414. ULONG HeaderSize;
  415. LPTSTR LoggerName;
  416. ULONG SizeToCopy = sizeof(SYSTEM_TRACE_HEADER) +
  417. sizeof(TRACE_LOGFILE_HEADER);
  418. if (4 == head->PointerSize && 8 == sizeof(PVOID) ||
  419. 8 == head->PointerSize && 4 == sizeof(PVOID)) {
  420. DifferentPointer = TRUE;
  421. if (4 == sizeof(PVOID)) {
  422. SizeToCopy += 8;
  423. pLoggerInfo->Wnode.BufferSize += 8;
  424. }
  425. else if (8 == sizeof(PVOID)) {
  426. SizeToCopy -= 8;
  427. pLoggerInfo->Wnode.BufferSize -= 8;
  428. }
  429. }
  430. RtlCopyMemory(MergedSystemTraceHeader, pSysHeader, SizeToCopy);
  431. HeaderSize = SizeToCopy +
  432. MAXSTR * sizeof(WCHAR) +
  433. (LOGGER_NAME_SIZE + 1) * sizeof(WCHAR);
  434. MergedSystemTraceHeader->Packet.Size = (USHORT)HeaderSize;
  435. //
  436. // Copy the LoggerName and the LogFileName
  437. //
  439. LoggerName = (PWCHAR)((PUCHAR)MergedSystemTraceHeader + SizeToCopy);
  441. StringCchCopyW(LoggerName, (LOGGER_NAME_SIZE + 1), LOGGER_NAME);
  444. }
  445. else {
  446. //
  447. // Sum up Events Lost from each file
  448. //
  449. MergedLogFileHeader->EventsLost += head->EventsLost;
  450. if (DifferentPointer && 4 == sizeof(PVOID)) {
  451. ULONG CurrentBuffersLost, MoreBuffersLost;
  452. RtlCopyMemory(&CurrentBuffersLost,
  453. (PUCHAR)MergedLogFileHeader + FIELD_OFFSET(TRACE_LOGFILE_HEADER, BuffersLost) + 8,
  454. sizeof(ULONG));
  455. RtlCopyMemory(&MoreBuffersLost,
  456. (PUCHAR)head + FIELD_OFFSET(TRACE_LOGFILE_HEADER, BuffersLost) + 8,
  457. sizeof(ULONG));
  458. CurrentBuffersLost += MoreBuffersLost;
  459. RtlCopyMemory((PUCHAR)MergedLogFileHeader + FIELD_OFFSET(TRACE_LOGFILE_HEADER, BuffersLost) + 8,
  460. &CurrentBuffersLost,
  461. sizeof(ULONG));
  462. }
  463. else if (DifferentPointer && 8 == sizeof(PVOID)) {
  464. ULONG CurrentBuffersLost, MoreBuffersLost;
  465. RtlCopyMemory(&CurrentBuffersLost,
  466. (PUCHAR)MergedLogFileHeader + FIELD_OFFSET(TRACE_LOGFILE_HEADER, BuffersLost) - 8,
  467. sizeof(ULONG));
  468. RtlCopyMemory(&MoreBuffersLost,
  469. (PUCHAR)head + FIELD_OFFSET(TRACE_LOGFILE_HEADER, BuffersLost) - 8,
  470. sizeof(ULONG));
  471. CurrentBuffersLost += MoreBuffersLost;
  472. RtlCopyMemory((PUCHAR)MergedLogFileHeader + FIELD_OFFSET(TRACE_LOGFILE_HEADER, BuffersLost) - 8,
  473. &CurrentBuffersLost,
  474. sizeof(ULONG));
  475. }
  476. else {
  477. MergedLogFileHeader->BuffersLost += head->BuffersLost;
  478. }
  479. }
  481. //
  482. // Pick up the Largest BufferSize
  483. //
  485. if (BufferSize > MergedLogFileHeader->BufferSize) {
  486. MergedLogFileHeader->BufferSize = BufferSize;
  487. }
  489. //
  490. // Verify the NumberOfProcessors
  491. //
  493. NumProc = head->NumberOfProcessors;
  495. if ( MergedLogFileHeader->NumberOfProcessors != NumProc) {
  496. HeaderMisMatch |= ETW_PROC_MISMATCH;
  497. }
  499. //
  500. // Pick up the Earliest StartTime (always in SystemTime)
  501. //
  502. if (DifferentPointer && 4 == sizeof(PVOID)) {
  503. LARGE_INTEGER CurrentStartTime, NewStartTime;
  504. RtlCopyMemory(&CurrentStartTime,
  505. (PUCHAR)MergedLogFileHeader + FIELD_OFFSET(TRACE_LOGFILE_HEADER, StartTime) + 8,
  506. sizeof(LARGE_INTEGER));
  507. RtlCopyMemory(&NewStartTime,
  508. (PUCHAR)head+ FIELD_OFFSET(TRACE_LOGFILE_HEADER, StartTime) + 8,
  509. sizeof(LARGE_INTEGER));
  510. if (CurrentStartTime.QuadPart > NewStartTime.QuadPart) {
  511. RtlCopyMemory((PUCHAR)MergedLogFileHeader + FIELD_OFFSET(TRACE_LOGFILE_HEADER, StartTime) + 8,
  512. &NewStartTime,
  513. sizeof(LARGE_INTEGER));
  514. }
  515. }
  516. else if (DifferentPointer && 8 == sizeof(PVOID)) {
  517. LARGE_INTEGER CurrentStartTime, NewStartTime;
  518. RtlCopyMemory(&CurrentStartTime,
  519. (PUCHAR)MergedLogFileHeader + FIELD_OFFSET(TRACE_LOGFILE_HEADER, StartTime) - 8,
  520. sizeof(LARGE_INTEGER));
  521. RtlCopyMemory(&NewStartTime,
  522. (PUCHAR)head+ FIELD_OFFSET(TRACE_LOGFILE_HEADER, StartTime) - 8,
  523. sizeof(LARGE_INTEGER));
  524. if (CurrentStartTime.QuadPart > NewStartTime.QuadPart) {
  525. RtlCopyMemory((PUCHAR)MergedLogFileHeader + FIELD_OFFSET(TRACE_LOGFILE_HEADER, StartTime) - 8,
  526. &NewStartTime,
  527. sizeof(LARGE_INTEGER));
  528. }
  529. }
  530. else {
  531. if (MergedLogFileHeader->StartTime.QuadPart > head->StartTime.QuadPart) {
  532. MergedLogFileHeader->StartTime.QuadPart = head->StartTime.QuadPart;
  533. }
  534. }
  536. //
  537. // Pick up the latest EndTime
  538. //
  539. if (MergedLogFileHeader->EndTime.QuadPart < head->EndTime.QuadPart) {
  540. MergedLogFileHeader->EndTime.QuadPart = head->EndTime.QuadPart;
  541. }
  543. //
  544. // This StartPerfClock is in the ClockType used.
  545. //
  546. if (pSysHeader->SystemTime.QuadPart < MergedSystemTraceHeader->SystemTime.QuadPart) {
  547. MergedSystemTraceHeader->SystemTime = pSysHeader->SystemTime;
  548. }
  550. //
  551. // Verify the pointer size
  552. //
  553. if (MergedLogFileHeader->PointerSize != head->PointerSize) {
  554. HeaderMisMatch |= ETW_POINTER_MISMATCH;
  555. }
  557. //
  558. // Verify the Clock Type
  559. //
  560. if (DifferentPointer && 4 == sizeof(PVOID)) {
  561. if (RtlCompareMemory((PUCHAR)MergedLogFileHeader + FIELD_OFFSET(TRACE_LOGFILE_HEADER, ReservedFlags) + 8,
  562. (PUCHAR)head + FIELD_OFFSET(TRACE_LOGFILE_HEADER, ReservedFlags) + 8,
  563. sizeof(ULONG)) != sizeof(ULONG)) {
  564. HeaderMisMatch |= ETW_CLOCK_MISMATCH;
  565. }
  566. if (RtlCompareMemory((PUCHAR)MergedLogFileHeader + FIELD_OFFSET(TRACE_LOGFILE_HEADER, PerfFreq) + 8,
  567. (PUCHAR)head + FIELD_OFFSET(TRACE_LOGFILE_HEADER, PerfFreq) + 8,
  568. sizeof(LARGE_INTEGER)) != sizeof(LARGE_INTEGER)) {
  569. HeaderMisMatch |= ETW_MACHINE_MISMATCH;
  570. }
  571. }
  572. else if (DifferentPointer && 8 == sizeof(PVOID)) {
  573. if (RtlCompareMemory((PUCHAR)MergedLogFileHeader + FIELD_OFFSET(TRACE_LOGFILE_HEADER, ReservedFlags) - 8,
  574. (PUCHAR)head + FIELD_OFFSET(TRACE_LOGFILE_HEADER, ReservedFlags) - 8,
  575. sizeof(ULONG)) != sizeof(ULONG)) {
  576. HeaderMisMatch |= ETW_CLOCK_MISMATCH;
  577. }
  578. if (RtlCompareMemory((PUCHAR)MergedLogFileHeader + FIELD_OFFSET(TRACE_LOGFILE_HEADER, PerfFreq) - 8,
  579. (PUCHAR)head + FIELD_OFFSET(TRACE_LOGFILE_HEADER, PerfFreq) - 8,
  580. sizeof(LARGE_INTEGER)) != sizeof(LARGE_INTEGER)) {
  581. HeaderMisMatch |= ETW_MACHINE_MISMATCH;
  582. }
  583. }
  584. else {
  585. if (head->ReservedFlags != MergedLogFileHeader->ReservedFlags) {
  586. HeaderMisMatch |= ETW_CLOCK_MISMATCH;
  587. }
  588. if (head->PerfFreq.QuadPart != MergedLogFileHeader->PerfFreq.QuadPart) {
  589. HeaderMisMatch |= ETW_MACHINE_MISMATCH;
  590. }
  591. }
  593. //
  594. // Verify Machine Name
  595. //
  597. // CPU Name is in the CPU Configuration record
  598. // which can be version dependent and found only on Kernel Logger
  600. //
  601. // Verify Build Number
  602. //
  603. // if (head->ProviderVersion != MergedLogFileHeader->ProviderVersion) {
  604. // HeaderMisMatch |= ETW_VERSION_MISMATCH;
  605. // }
  607. //
  608. // Boot Time Verification?
  609. //
  610. // if (head->BootTime.QuadPart != MergedLogFileHeader->BootTime.QuadPart) {
  611. // HeaderMisMatch |= ETW_BOOTTIME_MISMATCH;
  612. // }
  614. //
  615. // Sum up Events Lost from each file
  616. //
  618. NumHdrProcessed++;
  620. }
  621. }
  623. void
  624. WINAPI
  625. EtwDumpEvent(
  626. PEVENT_TRACE pEvent
  627. )
  628. {
  629. PEVENT_TRACE_HEADER pHeader;
  630. ULONG Status = ERROR_SUCCESS;
  631. ULONG CachedFlags;
  632. USHORT CachedSize;
  633. ULONG RetryCount = 0;
  635. if (pEvent == NULL) {
  636. return;
  637. }
  639. TotalRelogEventsRead++;
  641. if (!bLoggerStarted) {
  642. Status = StartTraceW(&LoggerHandle, LOGGER_NAME, pLoggerInfo);
  644. if (Status != ERROR_SUCCESS) {
  645. return;
  646. }
  647. bLoggerStarted = TRUE;
  649. }
  651. pHeader = (PEVENT_TRACE_HEADER)pEvent->MofData;
  653. //
  654. // Ignore LogFileHeader Events
  655. //
  656. if( IsEqualGUID(&pEvent->Header.Guid, &EventTraceGuid) &&
  657. pEvent->Header.Class.Type == EVENT_TRACE_TYPE_INFO ) {
  658. return;
  659. }
  661. CachedSize = pEvent->Header.Size;
  662. CachedFlags = pEvent->Header.Flags;
  664. pEvent->Header.Size = sizeof(EVENT_TRACE);
  665. pEvent->Header.Flags |= (WNODE_FLAG_TRACED_GUID | WNODE_FLAG_NO_HEADER);
  667. do {
  668. Status = TraceEvent(LoggerHandle, (PEVENT_TRACE_HEADER)pEvent );
  669. if ((Status == ERROR_NOT_ENOUGH_MEMORY || Status == ERROR_OUTOFMEMORY) &&
  670. (RetryCount++ < MAX_RETRY_COUNT)) {
  671. _sleep(500); // Sleep for half a second.
  672. }
  673. else {
  674. break;
  675. }
  676. } while (TRUE);
  678. if (Status != ERROR_SUCCESS) {
  679. FailedEvents++;
  680. }
  682. //
  683. // Restore Cached values
  684. //
  685. pEvent->Header.Size = CachedSize;
  686. pEvent->Header.Flags = CachedFlags;
  687. }
  690. ULONG InitializeTrace(
  691. )
  692. {
  693. ULONG Status;
  695. Status = RegisterTraceGuids(
  696. (WMIDPREQUEST)ControlCallback,
  697. NULL,
  698. (LPCGUID)&ControlGuid[0],
  699. 1,
  700. &TraceGuidReg[0],
  701. NULL,
  702. NULL,
  703. &RegistrationHandle[0]
  704. );
  706. return(Status);
  707. }
  709. ULONG
  710. ControlCallback(
  711. IN WMIDPREQUESTCODE RequestCode,
  712. IN PVOID Context,
  713. IN OUT ULONG *InOutBufferSize,
  714. IN OUT PVOID Buffer
  715. )
  716. {
  718. return ERROR_SUCCESS;
  720. }
  724. ULONG
  725. WINAPI
  726. TerminateOnBufferCallback(
  727. PEVENT_TRACE_LOGFILE pLog
  728. )
  729. {
  730. if (LogFileCount == NumHdrProcessed)
  731. return (FALSE); // Terminate ProcessTrace on First BufferCallback
  732. else
  733. return (TRUE);
  734. }
  736. ULONG
  737. WINAPI
  738. BufferCallback(
  739. PEVENT_TRACE_LOGFILE pLog
  740. )
  741. {
  742. TotalRelogBuffersRead++;
  743. return (TRUE);
  744. }