|
|
/*++
Copyright (c) Microsoft Corporation. All rights reserved.
Module Name:
tracedc.c
Abstract:
Basic data consumer APIs to process trace data directly from buffers.
Author:
15-Sep-1997 JeePang
Revision History:
18-Apr-2001 insungp
Added asynchronopus IO for reading log files. Also replaced WmiGetFirstTraceOffset() calls with sizeof(WMI_BUFFER_HEADER).
--*/
#ifndef MEMPHIS
#include "wmiump.h"
#include "traceump.h"
#include "evntrace.h"
#include "tracelib.h"
#define MAXSTR 1024
extern ULONG WmiTraceAlignment;
#ifdef DBG
voidWmipDumpEvent( PEVENT_TRACE pEvent );voidWmipDumpGuid( LPGUID );
voidWmipDumpCallbacks();#endif
#define KERNEL_LOGGER_CAPTION TEXT("NT Kernel Logger")
#define DEFAULT_LOG_BUFFER_SIZE 1024
#define MAXBUFFERS 1024
#define MINBUFFERS 8
#define MAX_KERNEL_TRACE_EVENTS 22 // Look at \nt\base\published\ntwmi.w for the event groups
#define TRACE_HEADER_SYSTEM32 TRACE_HEADER_FLAG | TRACE_HEADER_EVENT_TRACE \
| (TRACE_HEADER_TYPE_SYSTEM32 << 16)#define TRACE_HEADER_SYSTEM64 TRACE_HEADER_FLAG | TRACE_HEADER_EVENT_TRACE \
| (TRACE_HEADER_TYPE_SYSTEM64 << 16)#define TRACE_HEADER_FULL TRACE_HEADER_FLAG | TRACE_HEADER_EVENT_TRACE \
| (TRACE_HEADER_TYPE_FULL_HEADER << 16)#define TRACE_HEADER_INSTANCE TRACE_HEADER_FLAG | TRACE_HEADER_EVENT_TRACE \
| (TRACE_HEADER_TYPE_INSTANCE << 16)
#define DEFAULT_REALTIME_BUFFER_SIZE 32768
#define MAXBUFFERS 1024
#define MINBUFFERS 8
//
// If the tracelog instance is a realtime data feed instead of from a
// tracefile, TRACELOG_REALTIME_CONTEXT is used to maintain the real time
// buffers in a buffer pool.
//
typedef struct _TRACE_BUFFER_SPACE { ULONG Reserved; // amount of memory reserved
ULONG Committed; PVOID Space; LIST_ENTRY FreeListHead;} TRACE_BUFFER_SPACE, *PTRACE_BUFFER_SPACE;
typedef struct _TRACELOG_REALTIME_CONTEXT { ULONG BuffersProduced; // Number of Buffers to read
ULONG BufferOverflow; // Number of Buffers missed by the consumer
GUID InstanceGuid; // Logger Instance Guid
HANDLE MoreDataEvent; // Event to signal there is more data in this stream
PTRACE_BUFFER_SPACE WmipTraceBufferSpace; PWNODE_HEADER RealTimeBufferPool[MAXBUFFERS];} TRACELOG_REALTIME_CONTEXT, *PTRACELOG_REALTIME_CONTEXT;
//
// RealTime Free Buffer Pool is chained up as TRACE_BUFFER_HEADER
//
typedef struct _TRACE_BUFFER_HEADER { WNODE_HEADER Wnode; LIST_ENTRY Entry;} TRACE_BUFFER_HEADER, *PTRACE_BUFFER_HEADER;
typedef struct _TRACERT_BUFFER_LIST_ENTRY { ULONG Size; LIST_ENTRY Entry; LIST_ENTRY BufferListHead;} TRACERT_BUFFER_LIST_ENTRY, *PTRACERT_BUFFER_LIST_ENTRY;
//
// This TraceHandleListHeadPtr should be the only real global
// for ProcessTrace to be multithreaded
//
PLIST_ENTRY TraceHandleListHeadPtr = NULL;
//
// For kernel events we map the Grouptype to Guid transparently to the caller.
// The mapping between GroupType and Guid is maintained by this structure.
//
typedef struct _TRACE_GUID_MAP { // used to map GroupType to Guid
ULONG GroupType; // Group & Type
GUID Guid; // Guid
} TRACE_GUID_MAP, *PTRACE_GUID_MAP;
PTRACE_GUID_MAP EventMapList = NULL; // Array mapping the Grouptype to Guids
typedef struct _EVENT_GUID_MAP { LIST_ENTRY Entry; ULONGLONG GuidHandle; GUID Guid;} EVENT_GUID_MAP, *PEVENT_GUID_MAP;
// List of Registered callbacks. One callback per Guid Only.
PLIST_ENTRY EventCallbackListHead = NULL;
typedef struct _EVENT_TRACE_CALLBACK { LIST_ENTRY Entry; GUID Guid; PEVENT_CALLBACK CallbackRoutine;} EVENT_TRACE_CALLBACK, *PEVENT_TRACE_CALLBACK;
#define MAX_TRACE_BUFFER_CACHE_SIZE 29
typedef struct _TRACE_BUFFER_CACHE_ENTRY { LONG Index; PVOID Buffer;} TRACE_BUFFER_CACHE_ENTRY, *PTRACE_BUFFER_CACHE_ENTRY;
struct _TRACE_BUFFER_LIST_ENTRY;
typedef struct _TRACE_BUFFER_LIST_ENTRY { struct _TRACE_BUFFER_LIST_ENTRY *Next; LONG FileOffset; // Offset in File of this Buffer
ULONG BufferOffset; // Offset in Buffer for the current event
ULONG Flags; // Flags on status of this buffer
ULONG EventSize; ULONG ClientContext; // Alignment, ProcessorNumber
ULONG TraceType; // Current Event Type
EVENT_TRACE Event; // CurrentEvent of this Buffer
} TRACE_BUFFER_LIST_ENTRY, *PTRACE_BUFFER_LIST_ENTRY;
typedef struct _TRACELOG_CONTEXT { LIST_ENTRY Entry; // Keeps track of storage allocations.
// Fields from HandleListEntry
EVENT_TRACE_LOGFILEW Logfile;
TRACEHANDLE TraceHandle; ULONG ConversionFlags; // Flags indicating event processing options
LONG BufferBeingRead; OVERLAPPED AsynchRead;
//
// Fields Below this will be reset upon ProcessTrace exit.
//
BOOLEAN fProcessed; USHORT LoggerId; // Logger Id of this DataFeed.
UCHAR IsRealTime; // Flag to tell if this feed is RT.
UCHAR fGuidMapRead;
LIST_ENTRY GuidMapListHead; // This is LogFile specific property
//
// For using PerfClock, we need to save startTime, Freq
//
ULONG UsePerfClock; ULONG CpuSpeedInMHz; LARGE_INTEGER PerfFreq; // Frequency from the LogFile
LARGE_INTEGER StartTime; // Start Wall clock time
LARGE_INTEGER StartPerfClock; // Start PerfClock value
union { HANDLE Handle; // NT handle to logfile
PTRACELOG_REALTIME_CONTEXT RealTimeCxt; // Ptr to Real Time Context
};
ULONG EndOfFile; // Flag to show whether this stream is still active.
ULONG BufferSize; ULONG BufferCount; ULONG InitialSize; ULONG StartBuffer;
PTRACE_BUFFER_LIST_ENTRY Root; PTRACE_BUFFER_LIST_ENTRY BufferList; PVOID BufferCacheSpace; TRACE_BUFFER_CACHE_ENTRY BufferCache[MAX_TRACE_BUFFER_CACHE_SIZE];
} TRACELOG_CONTEXT, *PTRACELOG_CONTEXT;
//
// this structure is used only by WmipGetBuffersWrittenFromQuery() and
// WmipCheckForRealTimeLoggers()
//
typedef struct _ETW_QUERY_PROPERTIES { EVENT_TRACE_PROPERTIES TraceProp; WCHAR LoggerName[MAXSTR]; WCHAR LogFileName[MAXSTR];} ETW_QUERY_PROPERTIES, *PETW_QUERY_PROPERTIES;
ETW_QUERY_PROPERTIES Properties;
ULONGWmipConvertEnumToTraceType( WMI_HEADER_TYPE eTraceType );
WMI_HEADER_TYPEWmipConvertTraceTypeToEnum( ULONG TraceType );
ULONGWmipCheckForRealTimeLoggers( PEVENT_TRACE_LOGFILEW *Logfiles, ULONG LogfileCount, ULONG Unicode);
ULONGWmipLookforRealTimeBuffers( PEVENT_TRACE_LOGFILEW logfile );ULONGWmipRealTimeCallback( IN PWNODE_HEADER Wnode, IN ULONG_PTR Context );voidWmipFreeRealTimeContext( PTRACELOG_REALTIME_CONTEXT RTCxt );
ULONGWmipSetupRealTimeContext( PTRACEHANDLE HandleArray, PEVENT_TRACE_LOGFILEW *Logfiles, ULONG LogfileCount );
PVOIDWmipAllocTraceBuffer( PTRACELOG_REALTIME_CONTEXT RTCxt, ULONG BufferSize );
VOIDWmipFreeTraceBuffer( PTRACELOG_REALTIME_CONTEXT RTCxt, PVOID Buffer );
ULONGWmipProcessRealTimeTraces( PTRACEHANDLE HandleArray, PEVENT_TRACE_LOGFILEW *Logfiles, ULONG LogfileCount, LONGLONG StartTime, LONGLONG EndTime, ULONG Unicode );
//
// Routines used in this file only
//
ULONGWmipDoEventCallbacks( PEVENT_TRACE_LOGFILEW logfile, PEVENT_TRACE pEvent );
ULONGWmipCreateGuidMapping(void);
LPGUIDWmipGuidMapHandleToGuid( PLIST_ENTRY GuidMapListHeadPtr, ULONGLONG GuidHandle );
voidWmipCleanupGuidMapList( PLIST_ENTRY GuidMapListHeadPtr );
voidWmipCleanupTraceLog( PTRACELOG_CONTEXT pEntry );
VOIDWmipGuidMapCallback( PLIST_ENTRY GuidMapListHeadPtr, PEVENT_TRACE pEvent );
ULONGWmipProcessGuidMaps( PEVENT_TRACE_LOGFILEW *Logfiles, ULONG LogfileCount, ULONG Unicode );
PEVENT_TRACE_CALLBACKWmipGetCallbackRoutine( LPGUID pGuid );
VOID WmipFreeCallbackList();
ULONGWmipProcessLogHeader( PTRACEHANDLE HandleArray, PEVENT_TRACE_LOGFILEW *Logfiles, ULONG LogfileCount, ULONG Unicode, ULONG bFree );
ULONGWmipProcessTraceLog( PTRACEHANDLE HandleArray, PEVENT_TRACE_LOGFILEW *Logfiles, ULONG LogfileCount, LONGLONG StartTime, LONGLONG EndTime, ULONG Unicode );
ULONGWmipParseTraceEvent( IN PTRACELOG_CONTEXT pContext, IN PVOID LogBuffer, IN ULONG Offset, IN WMI_HEADER_TYPE HeaderType, IN OUT PVOID EventInfo, IN ULONG EventInfoSize );
ULONGWmipGetBuffersWrittenFromQuery( LPWSTR LoggerName );
VOIDWmipCopyLogHeader ( IN PTRACE_LOGFILE_HEADER pLogFileHeader, IN PVOID MofData, IN ULONG MofLength, IN PWCHAR *LoggerName, IN PWCHAR *LogFileName, IN ULONG Unicode );
VOIDWmipInsertBuffer ( PTRACE_BUFFER_LIST_ENTRY *Root, PTRACE_BUFFER_LIST_ENTRY NewEntry )/*++
Routine Description: This routine inserts a buffer in a sorted list. The insertion is done based on the timestamp of the BufferHeader. If two buffers have the same timestamp, then the BufferIndex is used to resolve the tie.
Arguments: Root - Pointer to the root of the LIST NewEntry - Entry being inserted
Returned Value:
None
--*/{ PTRACE_BUFFER_LIST_ENTRY Current, Prev; //
// If List is empty, make the new entry the Root and return.
//
if (NewEntry == NULL) { return; }
if (*Root == NULL) { *Root = NewEntry; NewEntry->Next = NULL; return; }
//
// Traverse the list and insert the NewEntry in order
//
Prev = NULL; Current = *Root;
while (Current != NULL) { if ((ULONGLONG)NewEntry->Event.Header.TimeStamp.QuadPart < (ULONGLONG)Current->Event.Header.TimeStamp.QuadPart) { if (Prev != NULL) { Prev->Next = NewEntry; } else { *Root = NewEntry; } NewEntry->Next = Current; return; } else if ((ULONGLONG)NewEntry->Event.Header.TimeStamp.QuadPart == (ULONGLONG)Current->Event.Header.TimeStamp.QuadPart) { if (NewEntry->FileOffset < Current->FileOffset) { if (Prev != NULL) { Prev->Next = NewEntry; } else { *Root = NewEntry; } NewEntry->Next = Current; return; } } Prev = Current; Current = Current->Next; }
if (Prev != NULL) { Prev->Next = NewEntry; NewEntry->Next = NULL; }#if DBG
else { WmipAssert(Prev != NULL); }#endif
return;}
PTRACE_BUFFER_LIST_ENTRYWmipRemoveBuffer( PTRACE_BUFFER_LIST_ENTRY *Root ){ PTRACE_BUFFER_LIST_ENTRY OldEntry = *Root;
if (OldEntry == NULL) return NULL; *Root = OldEntry->Next; OldEntry->Next = NULL; return OldEntry;}
PVOIDWmipGetCurrentBuffer( PTRACELOG_CONTEXT pContext, PTRACE_BUFFER_LIST_ENTRY Current ){ NTSTATUS Status;
LONG FileOffset = (ULONG)Current->FileOffset; ULONG nBytesRead; LONG TableIndex;
HANDLE hFile = pContext->Handle; ULONG BufferSize = pContext->BufferSize; PVOID pBuffer; ULONGLONG Offset;
DWORD BytesTransffered;
//
// Look for the buffer in cache.
//
TableIndex = FileOffset % MAX_TRACE_BUFFER_CACHE_SIZE;
if (pContext->BufferCache[TableIndex].Index == FileOffset) { //
// Check whether the buffer we want is still being read.
// If so, we need to wait for it to finish.
//
if (pContext->BufferBeingRead == FileOffset) { if (GetOverlappedResult(hFile, &pContext->AsynchRead, &BytesTransffered, TRUE)) { pContext->BufferBeingRead = -1; } else { // getting the result failed
return NULL; } } return pContext->BufferCache[TableIndex].Buffer; }
//
// Do a synch read for the buffer we need. We still need to make sure the previous read
// has completed.
//
pBuffer = pContext->BufferCache[TableIndex].Buffer; Offset = FileOffset * BufferSize; if (pContext->BufferBeingRead != -1) { if (!GetOverlappedResult(hFile, &pContext->AsynchRead, &BytesTransffered, TRUE) && GetLastError() != ERROR_HANDLE_EOF) { WmipDebugPrint(("GetOverlappedResult failed with Status %d in GetCurrentBuffer\n", GetLastError())); // cannot determine the status of the previous read
return NULL; } } pContext->AsynchRead.Offset = (DWORD)(Offset & 0xFFFFFFFF); pContext->AsynchRead.OffsetHigh = (DWORD)(Offset >> 32); Status = WmipSynchReadFile(hFile, (LPVOID)pBuffer, BufferSize, &nBytesRead, &pContext->AsynchRead); pContext->BufferBeingRead = -1; if (nBytesRead == 0) { return NULL; } //
// Update the cache entry with the one just read in
//
pContext->BufferCache[TableIndex].Index = FileOffset;
//
// We need to account for event alignments when backtracking to get the MofPtr.
// (BufferOffset - EventSize) backtracks to the start of the current event.
// Add EventHeaderSize and Subtract the MofLength gives the MofPtr.
//
if (pContext->ConversionFlags & EVENT_TRACE_GET_RAWEVENT) { Current->Event.MofData = ((PUCHAR)pBuffer + Current->BufferOffset - Current->EventSize); if (pContext->UsePerfClock == EVENT_TRACE_CLOCK_PERFCOUNTER) {
//
// Need to override the timestamp with SystemTime
//
switch(Current->TraceType) { case TRACE_HEADER_TYPE_PERFINFO32: case TRACE_HEADER_TYPE_PERFINFO64: { PPERFINFO_TRACE_HEADER pPerf = (PPERFINFO_TRACE_HEADER)Current->Event.MofData; pPerf->SystemTime = Current->Event.Header.TimeStamp; break; } case TRACE_HEADER_TYPE_SYSTEM32: { PSYSTEM_TRACE_HEADER pSystemHeader32 = (PSYSTEM_TRACE_HEADER) Current->Event.MofData; pSystemHeader32->SystemTime = Current->Event.Header.TimeStamp; break; } case TRACE_HEADER_TYPE_SYSTEM64: { PSYSTEM_TRACE_HEADER pSystemHeader64 = (PSYSTEM_TRACE_HEADER) Current->Event.MofData; pSystemHeader64->SystemTime = Current->Event.Header.TimeStamp; break; } case TRACE_HEADER_TYPE_FULL_HEADER: { PEVENT_TRACE_HEADER pWnodeHeader = (PEVENT_TRACE_HEADER) Current->Event.MofData; pWnodeHeader->TimeStamp = Current->Event.Header.TimeStamp; break; } case TRACE_HEADER_TYPE_INSTANCE: { PEVENT_INSTANCE_HEADER pInstanceHeader = (PEVENT_INSTANCE_HEADER) Current->Event.MofData; pInstanceHeader->TimeStamp = Current->Event.Header.TimeStamp; break; } case TRACE_HEADER_TYPE_TIMED: { PTIMED_TRACE_HEADER pTimedHeader = (PTIMED_TRACE_HEADER) Current->Event.MofData; pTimedHeader->TimeStamp = Current->Event.Header.TimeStamp; break; } case TRACE_HEADER_TYPE_WNODE_HEADER: case TRACE_HEADER_TYPE_MESSAGE: { break; } } } } else {
//
// When The FileOffset is 0 (First Buffer) and the EventType is
// LOGFILE_HEADER
//
if ( (FileOffset == 0) && ((Current->BufferOffset - Current->EventSize) == sizeof(WMI_BUFFER_HEADER)) ) { Current->Event.MofData = (PVOID)&pContext->Logfile.LogfileHeader; } else { Current->Event.MofData = ((PUCHAR)pBuffer + Current->BufferOffset - Current->EventSize + Current->Event.Header.Size - Current->Event.MofLength ); } }
return pBuffer;}
PTRACELOG_CONTEXTWmipAllocateTraceHandle(){ PLIST_ENTRY Next, Head; PTRACELOG_CONTEXT NewHandleEntry, pEntry;
WmipEnterPMCritSection();
if (TraceHandleListHeadPtr == NULL) { TraceHandleListHeadPtr = WmipAlloc(sizeof(LIST_ENTRY)); if (TraceHandleListHeadPtr == NULL) { WmipSetDosError(ERROR_OUTOFMEMORY); WmipLeavePMCritSection(); return NULL; } InitializeListHead(TraceHandleListHeadPtr); }
NewHandleEntry = WmipAlloc(sizeof(TRACELOG_CONTEXT)); if (NewHandleEntry == NULL) { WmipSetDosError(ERROR_OUTOFMEMORY); WmipLeavePMCritSection(); return NULL; }
RtlZeroMemory(NewHandleEntry, sizeof(TRACELOG_CONTEXT));
// AsynchRead initialization
NewHandleEntry->BufferBeingRead = -1; NewHandleEntry->AsynchRead.hEvent = CreateEvent(NULL, TRUE, TRUE, NULL); if (NewHandleEntry->AsynchRead.hEvent == NULL) { WmipFree(NewHandleEntry); WmipLeavePMCritSection(); return NULL; }
InitializeListHead(&NewHandleEntry->GuidMapListHead); Head = TraceHandleListHeadPtr; Next = Head->Flink; if (Next == Head) { NewHandleEntry->TraceHandle = 1; InsertTailList(Head, &NewHandleEntry->Entry); WmipLeavePMCritSection(); return NewHandleEntry; }
while (Next != Head) { pEntry = CONTAINING_RECORD( Next, TRACELOG_CONTEXT, Entry ); Next = Next->Flink; NewHandleEntry->TraceHandle++; if (NewHandleEntry->TraceHandle < pEntry->TraceHandle) { InsertTailList(&pEntry->Entry, &NewHandleEntry->Entry); WmipLeavePMCritSection(); return NewHandleEntry; } } //
// TODO: Need to optimize this case out first before searching...
//
NewHandleEntry->TraceHandle++; InsertTailList(Head, &NewHandleEntry->Entry); WmipLeavePMCritSection(); return NewHandleEntry;
}
PTRACELOG_CONTEXTWmipLookupTraceHandle( TRACEHANDLE TraceHandle ){ PLIST_ENTRY Head, Next; PTRACELOG_CONTEXT pEntry;
WmipEnterPMCritSection(); Head = TraceHandleListHeadPtr;
if (Head == NULL) { WmipLeavePMCritSection(); return NULL; } Next = Head->Flink; while (Next != Head) { pEntry = CONTAINING_RECORD( Next, TRACELOG_CONTEXT, Entry ); Next = Next->Flink;
if (TraceHandle == pEntry->TraceHandle) { WmipLeavePMCritSection(); return pEntry; } } WmipLeavePMCritSection(); return NULL;}
ULONGWmipFreeTraceHandle( TRACEHANDLE TraceHandle ){ PLIST_ENTRY Head, Next; PTRACELOG_CONTEXT pEntry;
WmipEnterPMCritSection();
Head = TraceHandleListHeadPtr; if (Head == NULL) { WmipLeavePMCritSection(); return ERROR_INVALID_HANDLE; } Next = Head->Flink;
while (Next != Head) { pEntry = CONTAINING_RECORD( Next, TRACELOG_CONTEXT, Entry ); Next = Next->Flink; if (TraceHandle == pEntry->TraceHandle) {
if (pEntry->fProcessed == TRUE) { WmipLeavePMCritSection(); return ERROR_BUSY; }
RemoveEntryList(&pEntry->Entry);
// Free pEntry memory
//
if (pEntry->Logfile.LogFileName != NULL) { WmipFree(pEntry->Logfile.LogFileName); } if (pEntry->Logfile.LoggerName != NULL) { WmipFree(pEntry->Logfile.LoggerName); } CloseHandle(pEntry->AsynchRead.hEvent); WmipFree(pEntry);
//
// If the handle list is empty, then delete it.
//
if (Head == Head->Flink) { WmipFree(TraceHandleListHeadPtr); TraceHandleListHeadPtr = NULL; } WmipLeavePMCritSection(); return ERROR_SUCCESS; } } WmipLeavePMCritSection(); return ERROR_INVALID_HANDLE;}
ULONGWMIAPIWmipCreateGuidMapping(void)/*++
Routine Description: This routine is used to create the mapping array between GroupTypes and Guid for kernel events.
Arguments: None.
Returned Value:
None
--*/{ ULONG i = 0; ULONG listsize;
if (EventMapList == NULL) { listsize = sizeof(TRACE_GUID_MAP) * MAX_KERNEL_TRACE_EVENTS; EventMapList = (PTRACE_GUID_MAP) HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, listsize); if (EventMapList == NULL) { return WmipSetDosError(ERROR_OUTOFMEMORY); }
EventMapList[i].GroupType = EVENT_TRACE_GROUP_IO; RtlCopyMemory(&EventMapList[i++].Guid,&DiskIoGuid, sizeof(GUID)); EventMapList[i].GroupType = EVENT_TRACE_GROUP_FILE; RtlCopyMemory(&EventMapList[i++].Guid, &FileIoGuid, sizeof(GUID)); EventMapList[i].GroupType = EVENT_TRACE_GROUP_TCPIP; RtlCopyMemory(&EventMapList[i++].Guid, &TcpIpGuid, sizeof(GUID)); EventMapList[i].GroupType = EVENT_TRACE_GROUP_UDPIP; RtlCopyMemory(&EventMapList[i++].Guid, &UdpIpGuid, sizeof(GUID)); EventMapList[i].GroupType = EVENT_TRACE_GROUP_THREAD; RtlCopyMemory(&EventMapList[i++].Guid, &ThreadGuid, sizeof(GUID)); EventMapList[i].GroupType = EVENT_TRACE_GROUP_PROCESS; RtlCopyMemory(&EventMapList[i++].Guid, &ProcessGuid, sizeof(GUID)); EventMapList[i].GroupType = EVENT_TRACE_GROUP_MEMORY; RtlCopyMemory(&EventMapList[i++].Guid, &PageFaultGuid, sizeof(GUID)); EventMapList[i].GroupType = EVENT_TRACE_GROUP_HEADER; RtlCopyMemory(&EventMapList[i++].Guid, &EventTraceGuid, sizeof(GUID)); EventMapList[i].GroupType = EVENT_TRACE_GROUP_PROCESS + EVENT_TRACE_TYPE_LOAD; RtlCopyMemory(&EventMapList[i++].Guid, &ImageLoadGuid, sizeof(GUID)); EventMapList[i].GroupType = EVENT_TRACE_GROUP_REGISTRY; RtlCopyMemory(&EventMapList[i++].Guid, &RegistryGuid, sizeof(GUID)); EventMapList[i].GroupType = EVENT_TRACE_GROUP_DBGPRINT; RtlCopyMemory(&EventMapList[i++].Guid, &DbgPrintGuid, sizeof(GUID)); EventMapList[i].GroupType = EVENT_TRACE_GROUP_CONFIG; RtlCopyMemory(&EventMapList[i++].Guid, &EventTraceConfigGuid, sizeof(GUID)); EventMapList[i].GroupType = EVENT_TRACE_GROUP_POOL; RtlCopyMemory(&EventMapList[i++].Guid, &PoolGuid, sizeof(GUID)); EventMapList[i].GroupType = EVENT_TRACE_GROUP_PERFINFO; RtlCopyMemory(&EventMapList[i++].Guid, &PerfinfoGuid, sizeof(GUID)); EventMapList[i].GroupType = EVENT_TRACE_GROUP_HEAP; RtlCopyMemory(&EventMapList[i++].Guid, &HeapGuid, sizeof(GUID)); EventMapList[i].GroupType = EVENT_TRACE_GROUP_OBJECT; RtlCopyMemory(&EventMapList[i++].Guid, &ObjectGuid, sizeof(GUID)); EventMapList[i].GroupType = EVENT_TRACE_GROUP_MODBOUND; RtlCopyMemory(&EventMapList[i++].Guid, &ModBoundGuid, sizeof(GUID)); EventMapList[i].GroupType = EVENT_TRACE_GROUP_DPC; RtlCopyMemory(&EventMapList[i++].Guid, &DpcGuid, sizeof(GUID)); EventMapList[i].GroupType = EVENT_TRACE_GROUP_POWER; RtlCopyMemory(&EventMapList[i++].Guid, &PowerGuid, sizeof(GUID)); EventMapList[i].GroupType = EVENT_TRACE_GROUP_CRITSEC; RtlCopyMemory(&EventMapList[i++].Guid, &CritSecGuid, sizeof(GUID)); } return WmipSetDosError(ERROR_SUCCESS);}
LPGUIDWmipGuidMapHandleToGuid( PLIST_ENTRY GuidMapListHeadPtr, ULONGLONG GuidHandle ){ PLIST_ENTRY Next, Head; PEVENT_GUID_MAP GuidMap; ULONG retry_count=0;
retry: WmipEnterPMCritSection(); Head = GuidMapListHeadPtr; Next = Head->Flink; while (Next != Head) { GuidMap = CONTAINING_RECORD( Next, EVENT_GUID_MAP, Entry ); if (GuidMap->GuidHandle == GuidHandle) { WmipLeavePMCritSection(); return (&GuidMap->Guid); } Next = Next->Flink; } WmipLeavePMCritSection();
//
// At this point, assume that this is realtime feed and
// and try to dumpout guids and try again.
if ((WmipDumpGuidMaps(NULL, GuidMapListHeadPtr, TRUE) > 0) && (retry_count++ < 1)) { goto retry; } return NULL;}
ULONGWmipAddGuidHandleToGuidMapList( IN PLIST_ENTRY GuidMapListHeadPtr, IN ULONGLONG GuidHandle, IN LPGUID Guid ){ PEVENT_GUID_MAP GuidMap;
if (GuidMapListHeadPtr != NULL) { GuidMap = WmipAlloc(sizeof(EVENT_GUID_MAP)); if (GuidMap == NULL) return WmipSetDosError(ERROR_OUTOFMEMORY);
RtlZeroMemory(GuidMap, sizeof(EVENT_GUID_MAP));
GuidMap->GuidHandle = GuidHandle; GuidMap->Guid = *Guid; WmipEnterPMCritSection(); InsertTailList(GuidMapListHeadPtr, &GuidMap->Entry); WmipLeavePMCritSection(); } return WmipSetDosError(ERROR_SUCCESS);}
voidWmipCleanupGuidMapList( PLIST_ENTRY GuidMapListHeadPtr ){ PLIST_ENTRY Next, Head; PEVENT_GUID_MAP GuidMap; WmipEnterPMCritSection(); if (GuidMapListHeadPtr != NULL) {
Head = GuidMapListHeadPtr; Next = Head->Flink; while (Next != Head) { GuidMap = CONTAINING_RECORD( Next, EVENT_GUID_MAP, Entry ); Next = Next->Flink; RemoveEntryList(&GuidMap->Entry); WmipFree(GuidMap); } GuidMapListHeadPtr = NULL; } WmipLeavePMCritSection();}
LPGUIDWmipGroupTypeToGuid( ULONG GroupType )/*++
Routine Description: This routine returns the GUID corresponding to a given GroupType. The mapping is static and is defined by the kernel provider.
Arguments: GroupType The GroupType of the kernel event.
Returned Value:
Pointer to the GUID representing the given GroupType.
--*/{ ULONG i; for (i = 0; i < MAX_KERNEL_TRACE_EVENTS; i++) { if (EventMapList[i].GroupType == GroupType) return (&EventMapList[i].Guid); } return NULL;}
VOIDWmipFreeCallbackList()/*++
Routine Description: This routine removes all event callbacks and frees the storage.
Arguments: None
Returned Value:
None.
--*/{ PLIST_ENTRY Next, Head; PEVENT_TRACE_CALLBACK EventCb;
if (EventCallbackListHead == NULL) return; WmipEnterPMCritSection();
Head = EventCallbackListHead; Next = Head->Flink; while (Next != Head) { EventCb = CONTAINING_RECORD( Next, EVENT_TRACE_CALLBACK, Entry ); Next = Next->Flink; RemoveEntryList(&EventCb->Entry); WmipFree(EventCb); }
WmipFree(EventCallbackListHead); EventCallbackListHead = NULL;
WmipLeavePMCritSection();}
PEVENT_TRACE_CALLBACKWmipGetCallbackRoutine( LPGUID pGuid )/*++
Routine Description: This routine returns the callback function for a given Guid. If no callback was registered for the Guid, returns NULL.
Arguments: pGuid pointer to the Guid.
Returned Value:
Event Trace Callback Function.
--*/{ PLIST_ENTRY head, next; PEVENT_TRACE_CALLBACK pEventCb = NULL;
if (pGuid == NULL) return NULL;
WmipEnterPMCritSection();
if (EventCallbackListHead == NULL) { WmipLeavePMCritSection(); return NULL; }
head = EventCallbackListHead; next = head->Flink; while (next != head) { pEventCb = CONTAINING_RECORD( next, EVENT_TRACE_CALLBACK, Entry); if (IsEqualGUID(pGuid, &pEventCb->Guid)) { WmipLeavePMCritSection(); return (pEventCb); } next = next->Flink; }
WmipLeavePMCritSection(); return NULL; }
ULONG WMIAPISetTraceCallback( IN LPCGUID pGuid, IN PEVENT_CALLBACK EventCallback )/*++
Routine Description:
This routine is used to wire a callback function for Guid. The callback function is called when an Event with this Guid is found in the subsequent ProcessTraceLog Call.
Arguments:
pGuid Pointer to the Guid.
func Callback Function Address.
Return Value: ERROR_SUCCESS Callback function is wired
--*/{ PEVENT_TRACE_CALLBACK pEventCb; PLIST_ENTRY head, next; GUID FilterGuid; ULONG Checksum; ULONG Status;
WmipInitProcessHeap(); if ((pGuid == NULL) || (EventCallback == NULL) || (EventCallback == (PEVENT_CALLBACK) -1 ) ) { return WmipSetDosError(ERROR_INVALID_PARAMETER); }
//
// Capture the Guid first
//
try { FilterGuid = *pGuid; Checksum = *((PULONG)EventCallback); if (Checksum) { Status = Checksum; } } except (EXCEPTION_EXECUTE_HANDLER) { return WmipSetDosError(ERROR_NOACCESS); }
WmipEnterPMCritSection();
if (EventCallbackListHead == NULL) { EventCallbackListHead = (PLIST_ENTRY) WmipAlloc(sizeof(LIST_ENTRY)); if (EventCallbackListHead == NULL) { WmipLeavePMCritSection(); return WmipSetDosError(ERROR_OUTOFMEMORY); } InitializeListHead(EventCallbackListHead); }
//
// If there is a callback wired for this Guid, simply update the function.
//
head = EventCallbackListHead; next = head->Flink; while (next != head) { pEventCb = CONTAINING_RECORD( next, EVENT_TRACE_CALLBACK, Entry); if (IsEqualGUID(&FilterGuid, &pEventCb->Guid)) { pEventCb->CallbackRoutine = EventCallback; WmipLeavePMCritSection(); return WmipSetDosError(ERROR_SUCCESS); } next = next->Flink; }
//
// Create a new entry in the EventCallbackList for this Guid.
//
pEventCb = (PEVENT_TRACE_CALLBACK) WmipAlloc (sizeof(EVENT_TRACE_CALLBACK)); if (pEventCb == NULL) { WmipLeavePMCritSection(); return WmipSetDosError(ERROR_OUTOFMEMORY); } RtlZeroMemory(pEventCb, sizeof(EVENT_TRACE_CALLBACK)); pEventCb->Guid = FilterGuid; pEventCb->CallbackRoutine = EventCallback;
InsertTailList(EventCallbackListHead, &pEventCb->Entry);
WmipLeavePMCritSection(); Status = ERROR_SUCCESS; return WmipSetDosError(Status); }
ULONGWMIAPIRemoveTraceCallback( IN LPCGUID pGuid )/*++
Routine Description:
This routine removes a callback function for a given Guid.
Arguments:
pGuid Pointer to the Guid for which the callback routine needs to be deleted.
Return Value:
ERROR_SUCCESS Successfully deleted the callback routine. ERROR_INVALID_PARAMETER Could not find any callbacks for the Guid. --*/{ PLIST_ENTRY next, head; PEVENT_TRACE_CALLBACK EventCb; GUID RemoveGuid; ULONG errorCode;#ifdef DBG
CHAR GuidStr[64];#endif
WmipInitProcessHeap(); if ((pGuid == NULL) || (EventCallbackListHead == NULL)) return WmipSetDosError(ERROR_INVALID_PARAMETER);
//
// Capture the Guid into a local variable first
//
try { RemoveGuid = *pGuid; } except (EXCEPTION_EXECUTE_HANDLER) { return WmipSetDosError(ERROR_NOACCESS); }
errorCode = ERROR_WMI_GUID_NOT_FOUND;
WmipEnterPMCritSection();
head = EventCallbackListHead; next = head->Flink; while (next != head) { EventCb = CONTAINING_RECORD( next, EVENT_TRACE_CALLBACK, Entry); next = next->Flink; if (IsEqualGUID(&EventCb->Guid, &RemoveGuid)) { RemoveEntryList(&EventCb->Entry); WmipFree(EventCb); errorCode = ERROR_SUCCESS; } }
WmipLeavePMCritSection(); return WmipSetDosError(errorCode);}
#ifdef DBG
voidWmipDumpEvent( PEVENT_TRACE pEvent ){ DbgPrint("\tSize %d\n", pEvent->Header.Size); DbgPrint("\tThreadId %X\n", pEvent->Header.ThreadId); DbgPrint("\tTime Stamp %I64u\n", pEvent->Header.TimeStamp.QuadPart);}
voidWmipDumpGuid( LPGUID pGuid ){ DbgPrint("Guid=%x,%x,%x,\n\t{%x,%x,%x,%x,%x,%x,%x}\n", pGuid->Data1, pGuid->Data2, pGuid->Data3, pGuid->Data4[0], pGuid->Data4[1], pGuid->Data4[2], pGuid->Data4[3], pGuid->Data4[5], pGuid->Data4[6], pGuid->Data4[7], pGuid->Data4[8]);}
void WmipDumpCallbacks(){ PLIST_ENTRY next, head; PEVENT_TRACE_CALLBACK EventCb;
if (EventCallbackListHead == NULL) return; WmipEnterPMCritSection(); head = EventCallbackListHead; next = head->Flink; while (next != head) { EventCb = CONTAINING_RECORD(next, EVENT_TRACE_CALLBACK, Entry); WmipDumpGuid(&EventCb->Guid); next = next->Flink; } WmipLeavePMCritSection();}
#endif
VOIDWmipCalculateCurrentTime ( OUT PLARGE_INTEGER DestTime, IN PLARGE_INTEGER TimeValue, IN PTRACELOG_CONTEXT pContext ){ ULONG64 StartPerfClock; ULONG64 CurrentTime, TimeStamp; ULONG64 Delta; double dDelta;
if (pContext == NULL) { Move64(TimeValue, DestTime); return; }
if (pContext->ConversionFlags & EVENT_TRACE_GET_RAWEVENT) { Move64(TimeValue, DestTime); return; }
Move64(TimeValue, (PLARGE_INTEGER) &TimeStamp);
if ((pContext->UsePerfClock == EVENT_TRACE_CLOCK_SYSTEMTIME) || (pContext->UsePerfClock == EVENT_TRACE_CLOCK_RAW)) { //
// System time, just return the time stamp.
//
Move64(TimeValue, DestTime); return; } else if (pContext->UsePerfClock == EVENT_TRACE_CLOCK_PERFCOUNTER) { if (pContext->PerfFreq.QuadPart == 0) { Move64(TimeValue, DestTime); return; } StartPerfClock = pContext->StartPerfClock.QuadPart; if (TimeStamp > StartPerfClock) { Delta = (TimeStamp - StartPerfClock); dDelta = ((double) Delta) * (10000000.0 / (double)pContext->PerfFreq.QuadPart); Delta = (ULONG64)dDelta; CurrentTime = pContext->StartTime.QuadPart + Delta; } else { Delta = StartPerfClock - TimeStamp; dDelta = ((double) Delta) * (10000000.0 / (double)pContext->PerfFreq.QuadPart); Delta = (ULONG64)dDelta; CurrentTime = pContext->StartTime.QuadPart - Delta; } Move64((PLARGE_INTEGER) &CurrentTime, DestTime); return; } else { if (pContext->CpuSpeedInMHz == 0) { Move64(TimeValue, DestTime); return; } StartPerfClock = pContext->StartPerfClock.QuadPart; if (TimeStamp > StartPerfClock) { Delta = (TimeStamp - StartPerfClock); dDelta = ((double) Delta) * (10.0 / (double)pContext->CpuSpeedInMHz); Delta = (ULONG64)dDelta; CurrentTime = pContext->StartTime.QuadPart + Delta; } else { Delta = StartPerfClock - TimeStamp; dDelta = ((double) Delta) * (10.0 / (double)pContext->CpuSpeedInMHz); Delta = (ULONG64)dDelta; CurrentTime = pContext->StartTime.QuadPart - Delta; } Move64((PLARGE_INTEGER) &CurrentTime, DestTime); return; }
}
ULONGWmipCopyCurrentEvent( PTRACELOG_CONTEXT pContext, PVOID pHeader, PEVENT_TRACE pEvent, ULONG TraceType, PWMI_BUFFER_HEADER LogBuffer )/*++
Routine Description: This routine copies the Current Event from the logfile buffer stream to the CurrentEvent structure provided by the caller. The routine takes care of the differences between kernel event and user events by mapping all events uniformly to the EVENT_TRACE_HEADER structure.
Arguments: pHeader Pointer to the datablock in the input stream (logfile). pEvent Current Event to which the data is copied. TraceType Enum indicating the header type. LogBuffer The buffer
Returned Value:
Status indicating success or failure.
--*/{ PEVENT_TRACE_HEADER pWnode; PEVENT_TRACE_HEADER pWnodeHeader; ULONG nGroupType; LPGUID pGuid; ULONG UsePerfClock = 0; ULONG UseBasePtr = 0; ULONG PrivateLogger=0;
if (pHeader == NULL || pEvent == NULL) return WmipSetDosError(ERROR_INVALID_PARAMETER);
if (pContext != NULL) { UsePerfClock = pContext->UsePerfClock; UseBasePtr = pContext->ConversionFlags & EVENT_TRACE_GET_RAWEVENT; PrivateLogger = (pContext->Logfile.LogFileMode & EVENT_TRACE_PRIVATE_LOGGER_MODE); }
switch(TraceType) { //
// ISSUE: Need to split the two so we can process cross platform.
// shsiao 03/22/2000
//
case TRACE_HEADER_TYPE_PERFINFO32: case TRACE_HEADER_TYPE_PERFINFO64: { PPERFINFO_TRACE_HEADER pPerfHeader; pPerfHeader = (PPERFINFO_TRACE_HEADER) pHeader; nGroupType = pPerfHeader->Packet.Group << 8; if ((nGroupType == EVENT_TRACE_GROUP_PROCESS) && (pPerfHeader->Packet.Type == EVENT_TRACE_TYPE_LOAD)) { nGroupType += pPerfHeader->Packet.Type; } RtlZeroMemory(pEvent, sizeof(EVENT_TRACE)); pWnode = (PEVENT_TRACE_HEADER) &pEvent->Header;
pGuid = WmipGroupTypeToGuid(nGroupType); if (pGuid != NULL) RtlCopyMemory(&pWnode->Guid, pGuid, sizeof(GUID));
pWnode->Size = pPerfHeader->Packet.Size; pWnode->Class.Type = pPerfHeader->Packet.Type; pWnode->Class.Version = pPerfHeader->Version;
WmipCalculateCurrentTime( &pWnode->TimeStamp, &pPerfHeader->SystemTime, pContext );
//
// PERFINFO headers does not have ThreadId or CPU Times
//
if( LogBuffer->Flags & WNODE_FLAG_THREAD_BUFFER ){
pWnode->ThreadId = LogBuffer->CurrentOffset;
} else {
pWnode->ProcessId = -1; pWnode->ThreadId = -1;
}
if (UseBasePtr) { pEvent->MofData = (PVOID) pHeader; pEvent->MofLength = pWnode->Size; //
// Override the Timestamp with SystemTime from PERFCounter.
// If rdtsc is used no conversion is done.
//
if (UsePerfClock == EVENT_TRACE_CLOCK_PERFCOUNTER) { pPerfHeader->SystemTime = pWnode->TimeStamp; } } else if (pWnode->Size > FIELD_OFFSET(PERFINFO_TRACE_HEADER, Data)) { pEvent->MofData = (PVOID) ((char*) pHeader + FIELD_OFFSET(PERFINFO_TRACE_HEADER, Data)); pEvent->MofLength = pWnode->Size - FIELD_OFFSET(PERFINFO_TRACE_HEADER, Data); } pEvent->Header.FieldTypeFlags = EVENT_TRACE_USE_NOCPUTIME; break; } case TRACE_HEADER_TYPE_SYSTEM32: { PSYSTEM_TRACE_HEADER pSystemHeader32; pSystemHeader32 = (PSYSTEM_TRACE_HEADER) pHeader; nGroupType = pSystemHeader32->Packet.Group << 8; if ((nGroupType == EVENT_TRACE_GROUP_PROCESS) && (pSystemHeader32->Packet.Type == EVENT_TRACE_TYPE_LOAD)) { nGroupType += pSystemHeader32->Packet.Type; } RtlZeroMemory(pEvent, sizeof(EVENT_TRACE)); pWnode = (PEVENT_TRACE_HEADER) &pEvent->Header; pGuid = WmipGroupTypeToGuid(nGroupType); if (pGuid != NULL) RtlCopyMemory(&pWnode->Guid, pGuid, sizeof(GUID)); pWnode->Size = pSystemHeader32->Packet.Size; pWnode->ThreadId = pSystemHeader32->ThreadId; pWnode->ProcessId = pSystemHeader32->ProcessId; pWnode->KernelTime = pSystemHeader32->KernelTime; pWnode->UserTime = pSystemHeader32->UserTime; pWnode->Class.Type = pSystemHeader32->Packet.Type; pWnode->Class.Version = pSystemHeader32->Version;
WmipCalculateCurrentTime( &pWnode->TimeStamp, &pSystemHeader32->SystemTime, pContext );
if (UseBasePtr) { pEvent->MofData = (PVOID) pHeader; pEvent->MofLength = pWnode->Size; if (UsePerfClock == EVENT_TRACE_CLOCK_PERFCOUNTER) { pSystemHeader32->SystemTime = pWnode->TimeStamp; } } else { pWnode->FieldTypeFlags = 0; if (pWnode->Size > sizeof(SYSTEM_TRACE_HEADER)) { pEvent->MofData = (PVOID) ((char*) pHeader + sizeof(SYSTEM_TRACE_HEADER)); pEvent->MofLength = pWnode->Size - sizeof(SYSTEM_TRACE_HEADER); } } break; } case TRACE_HEADER_TYPE_SYSTEM64: { PSYSTEM_TRACE_HEADER pSystemHeader64; pSystemHeader64 = (PSYSTEM_TRACE_HEADER) pHeader;
nGroupType = pSystemHeader64->Packet.Group << 8; if ((nGroupType == EVENT_TRACE_GROUP_PROCESS) && (pSystemHeader64->Packet.Type == EVENT_TRACE_TYPE_LOAD)) { nGroupType += pSystemHeader64->Packet.Type; } RtlZeroMemory(pEvent, sizeof(EVENT_TRACE)); pWnode = (PEVENT_TRACE_HEADER) &pEvent->Header; pGuid = WmipGroupTypeToGuid(nGroupType); if (pGuid != NULL) RtlCopyMemory(&pWnode->Guid, pGuid, sizeof(GUID)); pWnode->Size = pSystemHeader64->Packet.Size; pWnode->ThreadId = pSystemHeader64->ThreadId; pWnode->ProcessId = pSystemHeader64->ProcessId; pWnode->KernelTime = pSystemHeader64->KernelTime; pWnode->UserTime = pSystemHeader64->UserTime; pWnode->Class.Type = pSystemHeader64->Packet.Type; pWnode->Class.Version = pSystemHeader64->Version;
WmipCalculateCurrentTime( &pWnode->TimeStamp, &pSystemHeader64->SystemTime, pContext );
if (UseBasePtr) { pEvent->MofData = (PVOID) pHeader; pEvent->MofLength = pWnode->Size; if (UsePerfClock == EVENT_TRACE_CLOCK_PERFCOUNTER) { pSystemHeader64->SystemTime = pWnode->TimeStamp; } } else { pWnode->FieldTypeFlags = 0; if (pWnode->Size > sizeof(SYSTEM_TRACE_HEADER)) {
pEvent->MofData = (PVOID) ((char*) pHeader + sizeof(SYSTEM_TRACE_HEADER)); pEvent->MofLength = pWnode->Size - sizeof(SYSTEM_TRACE_HEADER); } } break; } case TRACE_HEADER_TYPE_FULL_HEADER: { pWnodeHeader = (PEVENT_TRACE_HEADER) pHeader; RtlZeroMemory(pEvent, sizeof(EVENT_TRACE)); pWnode = (PEVENT_TRACE_HEADER) &pEvent->Header; RtlCopyMemory(pWnode, pWnodeHeader, sizeof(EVENT_TRACE_HEADER) ); WmipCalculateCurrentTime( &pWnode->TimeStamp, &pWnodeHeader->TimeStamp, pContext );
if (UseBasePtr) { pEvent->Header.Size = pWnodeHeader->Size; pEvent->MofData = (PVOID)pHeader; pEvent->MofLength = pWnodeHeader->Size; if (UsePerfClock == EVENT_TRACE_CLOCK_PERFCOUNTER) { pWnodeHeader->TimeStamp = pWnode->TimeStamp; } } else { //
// If the data came from Process Private Logger, then
// mark the ProcessorTime field as valid
//
pEvent->Header.FieldTypeFlags = (PrivateLogger) ? EVENT_TRACE_USE_PROCTIME : 0;
if (pWnodeHeader->Size > sizeof(EVENT_TRACE_HEADER)) {
pEvent->MofData = (PVOID) ((char*)pWnodeHeader + sizeof(EVENT_TRACE_HEADER)); pEvent->MofLength = pWnodeHeader->Size - sizeof(EVENT_TRACE_HEADER); } } break; } case TRACE_HEADER_TYPE_INSTANCE: { PEVENT_INSTANCE_HEADER pInstanceHeader; pInstanceHeader = (PEVENT_INSTANCE_HEADER) pHeader; RtlZeroMemory(pEvent, sizeof(EVENT_TRACE)); pWnode = (PEVENT_TRACE_HEADER) &pEvent->Header; RtlCopyMemory(pWnode, pInstanceHeader, sizeof(EVENT_INSTANCE_HEADER) ); WmipCalculateCurrentTime( &pWnode->TimeStamp, &pInstanceHeader->TimeStamp, pContext );
pEvent->InstanceId = pInstanceHeader->InstanceId; pEvent->ParentInstanceId = pInstanceHeader->ParentInstanceId;
pGuid = WmipGuidMapHandleToGuid(&pContext->GuidMapListHead, pInstanceHeader->RegHandle); if (pGuid != NULL) { pEvent->Header.Guid = *pGuid; } else { RtlZeroMemory(&pEvent->Header.Guid, sizeof(GUID)); }
if (pInstanceHeader->ParentRegHandle != (ULONGLONG)0) { pGuid = WmipGuidMapHandleToGuid( &pContext->GuidMapListHead, pInstanceHeader->ParentRegHandle); if (pGuid != NULL) { pEvent->ParentGuid = *pGuid; }#ifdef DBG
else { WmipAssert(pGuid != NULL); }#endif
}
if (UseBasePtr) { pEvent->Header.Size = pInstanceHeader->Size; pEvent->MofData = (PVOID)pHeader; pEvent->MofLength = pInstanceHeader->Size; if (UsePerfClock == EVENT_TRACE_CLOCK_PERFCOUNTER) { pInstanceHeader->TimeStamp = pWnode->TimeStamp; } } else { pEvent->Header.FieldTypeFlags = (PrivateLogger) ? EVENT_TRACE_USE_PROCTIME : 0; if (pInstanceHeader->Size > sizeof(EVENT_INSTANCE_HEADER)) {
pEvent->MofData = (PVOID) ((char*)pInstanceHeader + sizeof(EVENT_INSTANCE_HEADER)); pEvent->MofLength = pInstanceHeader->Size - sizeof(EVENT_INSTANCE_HEADER); } } break; } case TRACE_HEADER_TYPE_TIMED: { PTIMED_TRACE_HEADER pTimedHeader; pTimedHeader = (PTIMED_TRACE_HEADER) pHeader;
RtlZeroMemory(pEvent, sizeof(EVENT_TRACE)); pWnode = (PEVENT_TRACE_HEADER) &pEvent->Header; pWnode->Size = pTimedHeader->Size; pWnode->Version = pTimedHeader->EventId; WmipCalculateCurrentTime( &pWnode->TimeStamp, &pTimedHeader->TimeStamp, pContext );
pWnode->ThreadId = -1; pWnode->ProcessId = -1;
if (UseBasePtr) { pEvent->MofData = (PVOID)pHeader; pEvent->MofLength = pTimedHeader->Size; if (UsePerfClock == EVENT_TRACE_CLOCK_PERFCOUNTER) { pTimedHeader->TimeStamp = pWnode->TimeStamp; } } else if (pWnode->Size > sizeof(TIMED_TRACE_HEADER)) {
pEvent->MofData = (PVOID) ((char*) pHeader + sizeof(TIMED_TRACE_HEADER)); pEvent->MofLength = pWnode->Size - sizeof(TIMED_TRACE_HEADER); } pEvent->Header.FieldTypeFlags = EVENT_TRACE_USE_NOCPUTIME; break; } case TRACE_HEADER_TYPE_WNODE_HEADER: { PWNODE_HEADER pWnode = (PWNODE_HEADER) pHeader; RtlZeroMemory(pEvent, sizeof(EVENT_TRACE)); RtlCopyMemory(&pEvent->Header, pWnode, sizeof(WNODE_HEADER)); pEvent->MofData = (PVOID) pWnode; pEvent->MofLength = pWnode->BufferSize; break; } case TRACE_HEADER_TYPE_MESSAGE: { PMESSAGE_TRACE pMsg = (PMESSAGE_TRACE) pHeader ; RtlZeroMemory(pEvent, sizeof(EVENT_TRACE)); RtlCopyMemory(&pEvent->Header, pMsg, sizeof(MESSAGE_TRACE_HEADER)) ; if (UseBasePtr) { pEvent->MofData = (PVOID)pHeader; pEvent->MofLength = pMsg->MessageHeader.Size; } else { pEvent->MofData = (PVOID)&(pMsg->Data) ; pEvent->MofLength = pMsg->MessageHeader.Size - sizeof(MESSAGE_TRACE_HEADER) ; } break; } default: // Assumed to be REAL WNODE
break; }
return WmipSetDosError(ERROR_SUCCESS);}
ULONG WmipGetNextEventOffsetType( PUCHAR pBuffer, ULONG Offset, PULONG RetSize ){ ULONG nSize; ULONG TraceMarker; ULONG TraceType = 0;
PWMI_BUFFER_HEADER Header = (PWMI_BUFFER_HEADER)pBuffer;
ULONG Alignment = Header->ClientContext.Alignment; ULONG BufferSize = Header->Wnode.BufferSize;
*RetSize = 0;
//
// Check for end of buffer (w/o End of Buffer Marker case...)
//
if ( Offset >= (BufferSize - sizeof(long)) ){ return 0; }
TraceMarker = *((PULONG)(pBuffer + Offset));
if (TraceMarker == 0xFFFFFFFF) { return 0; }
if (TraceMarker & TRACE_HEADER_FLAG) { //
// If the first bit is set, then it is either TRACE or PERF record.
//
if (TraceMarker & TRACE_HEADER_EVENT_TRACE) { // One of Ours.
TraceType = (TraceMarker & TRACE_HEADER_ENUM_MASK) >> 16; switch(TraceType) { //
// ISSUE: Need to split the two so we can process cross platform.
// shsiao 03/22/2000
//
case TRACE_HEADER_TYPE_PERFINFO32: case TRACE_HEADER_TYPE_PERFINFO64: { PUSHORT Size; Size = (PUSHORT) (pBuffer + Offset + sizeof(ULONG)); nSize = *Size; break; } case TRACE_HEADER_TYPE_SYSTEM32: case TRACE_HEADER_TYPE_SYSTEM64: { PUSHORT Size; Size = (PUSHORT) (pBuffer + Offset + sizeof(ULONG)); nSize = *Size; break; } case TRACE_HEADER_TYPE_FULL_HEADER: case TRACE_HEADER_TYPE_INSTANCE: { PUSHORT Size; Size = (PUSHORT)(pBuffer + Offset); nSize = *Size; break; } default: { return 0; } }
}
else if ((TraceMarker & TRACE_HEADER_ULONG32_TIME) == TRACE_HEADER_ULONG32_TIME) { PUSHORT Size; Size = (PUSHORT) (pBuffer + Offset); nSize = *Size; TraceType = TRACE_HEADER_TYPE_TIMED; } else if ((TraceMarker & TRACE_HEADER_ULONG32) == TRACE_HEADER_ULONG32) { PUSHORT Size; Size = (PUSHORT) (pBuffer + Offset); nSize = *Size; TraceType = TRACE_HEADER_TYPE_ULONG32; } else if ((TraceMarker & TRACE_MESSAGE) == TRACE_MESSAGE) { PUSHORT Size; Size = (PUSHORT) (pBuffer + Offset) ; nSize = *Size; TraceType = TRACE_HEADER_TYPE_MESSAGE; } else { return 0; } } else { // Must be WNODE_HEADER
PUSHORT Size; Size = (PUSHORT) (pBuffer + Offset); nSize = *Size; TraceType = TRACE_HEADER_TYPE_WNODE_HEADER; } //
// Check for End Of Buffer Marker
//
if (nSize == 0xFFFFFFFF) { return 0; }
//
// Check for larger than BufferSize
//
if (nSize >= BufferSize) { return 0; } if (Alignment != 0) { nSize = (ULONG) ALIGN_TO_POWER2(nSize, Alignment); }
*RetSize = nSize;
return TraceType;}
ULONGWmipReadGuidMapRecords( PEVENT_TRACE_LOGFILEW logfile, PVOID pBuffer, BOOLEAN bLogFileHeader ){ PEVENT_TRACE pEvent; EVENT_TRACE EventTrace; ULONG BufferSize; ULONG Status; WMI_HEADER_TYPE HeaderType = WMIHT_NONE; ULONG Size; ULONG Offset; PTRACELOG_CONTEXT pContext = logfile->Context;
Offset = sizeof(WMI_BUFFER_HEADER);
while (TRUE) { pEvent = &EventTrace; RtlZeroMemory(pEvent, sizeof(EVENT_TRACE) ); HeaderType = WmiGetTraceHeader(pBuffer, Offset, &Size); if ( (HeaderType == WMIHT_NONE) || (HeaderType == WMIHT_WNODE) || (Size == 0) ) { break; } Status = WmipParseTraceEvent(pContext, pBuffer, Offset, HeaderType, pEvent, sizeof(EVENT_TRACE)); Offset += Size;
if (IsEqualGUID(&pEvent->Header.Guid, &EventTraceGuid) && (pEvent->Header.Class.Type == EVENT_TRACE_TYPE_GUIDMAP)) { WmipGuidMapCallback(&pContext->GuidMapListHead, pEvent); //
// If we are processing the events in raw base pointer mode,
// we fire callbacks for guid maps also. Note that only the
// GuidMaps at the start of the file are triggered. The ones at the
// end are ignored. This is because the time order needs to be
// preserved when firing callbacks to the user.
//
if (bLogFileHeader && (pContext->ConversionFlags & EVENT_TRACE_GET_RAWEVENT)) { Status = WmipDoEventCallbacks( logfile, pEvent); if (Status != ERROR_SUCCESS) { break; } }
} else { if (bLogFileHeader) { Status = WmipDoEventCallbacks( logfile, pEvent); if (Status != ERROR_SUCCESS) { break; } } else { return ERROR_INVALID_DATA; } } } return ERROR_SUCCESS;}
ULONGWmipProcessGuidMaps( PEVENT_TRACE_LOGFILEW *Logfiles, ULONG LogfileCount, ULONG Unicode ){ long i; NTSTATUS Status; PTRACELOG_CONTEXT pContext; PEVENT_TRACE_LOGFILEW logfile; ULONG BuffersWritten; ULONG BufferSize, nBytesRead; ULONGLONG SizeWritten, ReadPosition; PVOID pBuffer;
for (i=0; i<(long)LogfileCount; i++) {
logfile = Logfiles[i]; if (Logfiles[i]->LogFileMode & EVENT_TRACE_REAL_TIME_MODE) { continue; }
if (logfile->IsKernelTrace) { continue; }
pContext = (PTRACELOG_CONTEXT) logfile->Context; if (pContext == NULL) { continue; }
//
// We now start reading the GuidMaps at the end of file.
//
if (!(Logfiles[i]->LogFileMode & EVENT_TRACE_FILE_MODE_CIRCULAR)) { pContext->fGuidMapRead = FALSE; }
BuffersWritten = logfile->LogfileHeader.BuffersWritten; BufferSize = pContext->BufferSize; SizeWritten = BuffersWritten * BufferSize;
if (Logfiles[i]->LogFileMode & EVENT_TRACE_FILE_MODE_CIRCULAR) { ULONGLONG maxFileSize = (logfile->LogfileHeader.MaximumFileSize * 1024 * 1024); if ( (maxFileSize > 0) && (SizeWritten > maxFileSize) ) { SizeWritten = maxFileSize; } }
pBuffer = WmipAlloc(BufferSize); if (pBuffer == NULL) { return WmipSetDosError(ERROR_OUTOFMEMORY); }
RtlZeroMemory(pBuffer, BufferSize);
ReadPosition = SizeWritten; while (TRUE) { if (!GetOverlappedResult(pContext->Handle, &pContext->AsynchRead, &nBytesRead, TRUE) && GetLastError() != ERROR_HANDLE_EOF) { WmipDebugPrint(("GetOverlappedResult failed with Status %d in ProcessGuidMaps\n", GetLastError())); break; } pContext->AsynchRead.Offset = (DWORD)(ReadPosition & 0xFFFFFFFF); pContext->AsynchRead.OffsetHigh = (DWORD)(ReadPosition >> 32); Status = WmipSynchReadFile(pContext->Handle, (LPVOID)pBuffer, BufferSize, &nBytesRead, &pContext->AsynchRead); if (nBytesRead == 0) { break; } Status = WmipReadGuidMapRecords(Logfiles[i], pBuffer, FALSE); if (Status != ERROR_SUCCESS) { break;// WmipFree(pBuffer);
// return Status;
} ReadPosition += BufferSize; }
//
// End of File was reached. Now set the File Pointer back to
// the top of the file and process it.
pContext->StartBuffer = 0; ReadPosition = 0; while (TRUE) { BOOLEAN bLogFileHeader; if (!GetOverlappedResult(pContext->Handle, &pContext->AsynchRead, &nBytesRead, TRUE) && GetLastError() != ERROR_HANDLE_EOF) { WmipDebugPrint(("GetOverlappedResult failed with Status %d in ProcessGuidMaps\n", GetLastError())); break; } pContext->AsynchRead.Offset = (DWORD)(ReadPosition & 0xFFFFFFFF); pContext->AsynchRead.OffsetHigh = (DWORD)(ReadPosition >> 32); Status = WmipSynchReadFile(pContext->Handle, (LPVOID)pBuffer, BufferSize, &nBytesRead, &pContext->AsynchRead); if (nBytesRead == 0) { break; } bLogFileHeader = (pContext->StartBuffer == 0); Status = WmipReadGuidMapRecords(Logfiles[i], pBuffer, bLogFileHeader ); if (Status != ERROR_SUCCESS){ break; } pContext->StartBuffer++; ReadPosition += BufferSize; }
WmipFree(pBuffer); } return ERROR_SUCCESS;}
ULONGWmipGetBuffersWrittenFromQuery( LPWSTR LoggerName )/*++
Routine Description: This routine returns the number of buffers written by querying a logger. In case of an array of LogFiles, this routine should be called individually for each one.
Arguments: LogFile - pointer to EVENT_TRACE_LOGFILEW under consideration Unicode - whether the logger name is in unicode or not
Returned Value:
The number of buffers written.
--*/{ TRACEHANDLE LoggerHandle = 0; ULONG Status; RtlZeroMemory(&Properties, sizeof(Properties)); Properties.TraceProp.Wnode.BufferSize = sizeof(Properties);
Status = ControlTraceW(LoggerHandle, LoggerName, &Properties.TraceProp, EVENT_TRACE_CONTROL_QUERY);
if (Status == ERROR_SUCCESS) { return Properties.TraceProp.BuffersWritten; } else { SetLastError(Status); return 0; }}
VOIDWmipCopyLogHeader ( IN PTRACE_LOGFILE_HEADER pOutHeader, IN PVOID MofData, IN ULONG MofLength, IN PWCHAR *LoggerName, IN PWCHAR *LogFileName, IN ULONG Unicode ){ PUCHAR Src, Dest;
PTRACE_LOGFILE_HEADER pInHeader; ULONG PointerSize; ULONG SizeToCopy; ULONG Offset;
pInHeader = (PTRACE_LOGFILE_HEADER) MofData; PointerSize = pInHeader->PointerSize; // This is the PointerSize in File
if ( (PointerSize != 4) && (PointerSize != 8) ) {#ifdef DBG
WmipDebugPrint(("WMI: Invalid PointerSize in File %d\n",PointerSize));#endif
return; }
//
// We have Two pointers (LPWSTR) in the middle of the LOGFILE_HEADER
// structure. So We copy upto the Pointer Fields first, skip over
// the pointers and copy the remaining stuff. We come back and fixup
// the pointers appropriately.
//
SizeToCopy = FIELD_OFFSET(TRACE_LOGFILE_HEADER, LoggerName);
RtlCopyMemory(pOutHeader, pInHeader, SizeToCopy);
//
// Skip over the Troublesome pointers in both Src and Dest
//
Dest = (PUCHAR)pOutHeader + SizeToCopy + 2 * sizeof(LPWSTR);
Src = (PUCHAR)pInHeader + SizeToCopy + 2 * PointerSize;
//
// Copy the Remaining fields at the tail end of the LOGFILE_HEADER
//
SizeToCopy = sizeof(TRACE_LOGFILE_HEADER) - FIELD_OFFSET(TRACE_LOGFILE_HEADER, TimeZone);
RtlCopyMemory(Dest, Src, SizeToCopy);
//
// Adjust the pointer fields now
//
Offset = sizeof(TRACE_LOGFILE_HEADER) - 2 * sizeof(LPWSTR) + 2 * PointerSize;
*LoggerName = (PWCHAR) ((PUCHAR)pInHeader + Offset); pOutHeader->LoggerName = *LoggerName;
}
ULONGWmipProcessLogHeader( PTRACEHANDLE HandleArray, PEVENT_TRACE_LOGFILEW *Logfiles, ULONG LogfileCount, ULONG Unicode, ULONG bFree )/*++
Routine Description: This routine processes the header of an array of logfiles.
Arguments:
LogFile Array of Logfiles being processed. LogFileCount Number of Logfiles in the Array. Unicode Unicode Flag.
Returned Value:
Status Code.
--*/{ HANDLE hFile; PTRACELOG_CONTEXT pContext = NULL; PVOID pBuffer; PEVENT_TRACE pEvent; long i; WMI_HEADER_TYPE HeaderType = WMIHT_NONE; ULONG Size; ULONG Offset; LPWSTR loggerName, logFileName; ULONG BufferSize, nBytesRead; PTRACE_LOGFILE_HEADER logfileHeader; ULONG Status = ERROR_SUCCESS;
//
// Open the Log File for shared Read
//
BufferSize = DEFAULT_LOG_BUFFER_SIZE; // Log file header must be smaller than 1K
pBuffer = WmipAlloc(BufferSize); if (pBuffer == NULL) { return WmipSetDosError(ERROR_OUTOFMEMORY); }
for (i=0; i<(long)LogfileCount; i++) { EVENT_TRACE EventTrace; ULONG SavedConversionFlags; OVERLAPPED LogHeaderOverlapped; //
// Caller can pass in Flags to fetch the timestamps in raw mode.
// Since LogFileHeader gets overwritten from with data from the logfile
// we need to save the passed in value here.
//
SavedConversionFlags = Logfiles[i]->LogfileHeader.ReservedFlags; if (Unicode) { hFile = CreateFileW( (LPWSTR) Logfiles[i]->LogFileName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED, NULL ); } else { hFile = CreateFileA( (LPSTR) Logfiles[i]->LogFileName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL | FILE_FLAG_OVERLAPPED, NULL ); }
if (hFile == INVALID_HANDLE_VALUE) { Status = WmipSetDosError(ERROR_BAD_PATHNAME); break; }
BufferSize = DEFAULT_LOG_BUFFER_SIZE; RtlZeroMemory(pBuffer, BufferSize);
LogHeaderOverlapped.hEvent = CreateEvent(NULL, TRUE, TRUE, NULL); if (LogHeaderOverlapped.hEvent == NULL) { // cannot create event for file read
break; } LogHeaderOverlapped.Offset = 0; LogHeaderOverlapped.OffsetHigh = 0; Status = WmipSynchReadFile(hFile, (LPVOID)pBuffer, BufferSize, &nBytesRead, &LogHeaderOverlapped); if (nBytesRead == 0) { NtClose(hFile); Status = WmipSetDosError(ERROR_FILE_CORRUPT); break; } CloseHandle(LogHeaderOverlapped.hEvent);
Offset = sizeof(WMI_BUFFER_HEADER);
pEvent = &EventTrace; RtlZeroMemory(pEvent, sizeof(EVENT_TRACE) ); HeaderType = WmiGetTraceHeader(pBuffer, Offset, &Size); if ( (HeaderType == WMIHT_NONE) || (HeaderType == WMIHT_WNODE) || (Size == 0) ) { NtClose(hFile); Status = WmipSetDosError(ERROR_FILE_CORRUPT); break; } Status = WmipParseTraceEvent(NULL, pBuffer, Offset, HeaderType, pEvent, sizeof(EVENT_TRACE));
//
// Set up the header structure properly
//
if ((Status == ERROR_SUCCESS) && (pEvent->MofLength > 0)) { ULONG PointerSize;
logfileHeader = &Logfiles[i]->LogfileHeader;
//
// We are relying on the fact that the PointerSize field
// will not shift between platforms.
//
PointerSize = ((PTRACE_LOGFILE_HEADER)(pEvent->MofData))->PointerSize;
if (PointerSize == sizeof(PUCHAR) ) {
RtlCopyMemory(&Logfiles[i]->LogfileHeader, pEvent->MofData, sizeof(TRACE_LOGFILE_HEADER)); loggerName = (LPWSTR) ( (char*)pEvent->MofData + sizeof(TRACE_LOGFILE_HEADER) );
// logFileName = (LPWSTR) ( (char*)pEvent->MofData +
// sizeof(TRACE_LOGFILE_HEADER) +
// sizeof(WCHAR)* wcslen(loggerName));
} else {
//
// Ugly thunking going on here. Close your eyes...
//
WmipCopyLogHeader(&Logfiles[i]->LogfileHeader, pEvent->MofData, pEvent->MofLength, &loggerName, &logFileName, Unicode); pEvent->MofData = (PVOID)&Logfiles[i]->LogfileHeader; } } else { NtClose(hFile); Status = WmipSetDosError(ERROR_FILE_CORRUPT); break; }
Logfiles[i]->IsKernelTrace = !wcscmp(loggerName, KERNEL_LOGGER_CAPTION);
Logfiles[i]->LogFileMode = (logfileHeader->LogFileMode & ~(EVENT_TRACE_REAL_TIME_MODE));
#ifdef DBG
DbgPrint("Dumping Logfile Header\n"); DbgPrint("\tStart Time %I64u\n", pEvent->Header.TimeStamp); DbgPrint("\tLogger Thread Id %X\n", pEvent->Header.ThreadId); DbgPrint("\tHeader Size %d\n", pEvent->Header.Size); DbgPrint("\tBufferSize %d\n", logfileHeader->BufferSize); DbgPrint("\tVersion %d\n", logfileHeader->Version); DbgPrint("\tProviderVersion %d\n", logfileHeader->ProviderVersion); DbgPrint("\tEndTime %I64u\n", logfileHeader->EndTime); DbgPrint("\tTimer Resolution %d\n", logfileHeader->TimerResolution); DbgPrint("\tMaximum File Size %d\n", logfileHeader->MaximumFileSize); DbgPrint("\tBuffers Written %d\n", logfileHeader->BuffersWritten); DbgPrint("\tEvents Lost %d\n", logfileHeader->EventsLost); DbgPrint("\tBuffers Lost %d\n", logfileHeader->BuffersLost); DbgPrint("\tStart Buffers%d\n", logfileHeader->StartBuffers); DbgPrint("\tReserved Flags %x\n", logfileHeader->ReservedFlags); DbgPrint("\tFrequency %I64u\n", logfileHeader->PerfFreq.QuadPart); DbgPrint("\tLogger Name %ls\n", loggerName); DbgPrint("\tStartTime %I64u\n", logfileHeader->StartTime.QuadPart);// DbgPrint("\tLogfile Name %ls\n",
// logFileName);
DbgPrint("\tLogfile Mode %X\n", logfileHeader->LogFileMode); DbgPrint("\tProcessorCount %d\n", logfileHeader->NumberOfProcessors);#endif
if (Logfiles[i]->IsKernelTrace) WmipDebugPrint(("\tLogfile contains kernel trace\n"));
BufferSize = logfileHeader->BufferSize;
WmipAssert(BufferSize > 0);
if ( (BufferSize/1024 == 0) || (((BufferSize/1024)*1024) != BufferSize) ) { NtClose(hFile); Status = WmipSetDosError(ERROR_FILE_CORRUPT); break; }
if (Logfiles[i]->IsKernelTrace) WmipDebugPrint(("\tLogfile contains kernel trace\n"));
if (bFree) { NtClose(hFile); } else { //
// At this point, the logfile is opened successfully
// Initialize the internal context now
//
pContext = WmipLookupTraceHandle(HandleArray[i]); if (pContext == NULL) { NtClose(hFile); // TODO: Find an appropriate eerror code here?
Status = WmipSetDosError(ERROR_OUTOFMEMORY); break; }
Logfiles[i]->Context = pContext; pContext->Handle = hFile;
//
// If the EndTime is 0, then compute the BuffersWritten from
// FileSize and BufferSize.
//
// However, an on-going session with a preallocated log file
// will use QueryTrace() to get BuffersWritten.
//
if (logfileHeader->EndTime.QuadPart == 0) { if (logfileHeader->LogFileMode & EVENT_TRACE_FILE_MODE_PREALLOCATE) { ULONG QueriedBuffersWritten = WmipGetBuffersWrittenFromQuery(loggerName);
if (QueriedBuffersWritten) { logfileHeader->BuffersWritten = QueriedBuffersWritten; } } else { FILE_STANDARD_INFORMATION FileInfo; NTSTATUS NtStatus; IO_STATUS_BLOCK IoStatus;
NtStatus = NtQueryInformationFile( hFile, &IoStatus, &FileInfo, sizeof(FILE_STANDARD_INFORMATION), FileStandardInformation ); if (NT_SUCCESS(NtStatus)) { ULONG64 FileSize = FileInfo.AllocationSize.QuadPart; ULONG64 BuffersWritten = FileSize / (ULONG64) BufferSize; logfileHeader->BuffersWritten = (ULONG) BuffersWritten; } } }
pContext->BufferCount = logfileHeader->BuffersWritten; pContext->BufferSize = logfileHeader->BufferSize; pContext->InitialSize = Size;
//
// Save the flags from OpenTrace at this time before the first
// buffer callback which will erase it.
//
pContext->ConversionFlags = SavedConversionFlags;
//
// Make the header the current Event ...
// and the callbacks for the header are handled by ProcessTraceLog.
pContext->UsePerfClock = logfileHeader->ReservedFlags; pContext->StartTime = logfileHeader->StartTime; pContext->PerfFreq = logfileHeader->PerfFreq; pContext->CpuSpeedInMHz = logfileHeader->CpuSpeedInMHz;
//
// If the conversion flags are set, adjust UsePerfClock accordingly.
//
if (pContext->ConversionFlags & EVENT_TRACE_USE_RAWTIMESTAMP) { pContext->UsePerfClock = EVENT_TRACE_CLOCK_RAW; }
if ((pContext->UsePerfClock == EVENT_TRACE_CLOCK_PERFCOUNTER) || (pContext->UsePerfClock == EVENT_TRACE_CLOCK_CPUCYCLE) ) { pContext->StartPerfClock = pEvent->Header.TimeStamp; Logfiles[i]->CurrentTime = pContext->StartTime.QuadPart; pEvent->Header.TimeStamp.QuadPart = pContext->StartTime.QuadPart; } else { Logfiles[i]->CurrentTime = pEvent->Header.TimeStamp.QuadPart; } } }
WmipFree(pBuffer); return Status;}
ULONGWmipDoEventCallbacks( PEVENT_TRACE_LOGFILEW logfile, PEVENT_TRACE pEvent ){ NTSTATUS Status; PEVENT_TRACE_CALLBACK pCallback;
//
// First the Generic Event Callback is called.
//
if ( logfile->EventCallback ) { try { (*logfile->EventCallback)(pEvent); } except (EXCEPTION_EXECUTE_HANDLER) { Status = GetExceptionCode();#ifdef DBG
WmipDebugPrint(("TRACE: EventCallback threw exception %X\n", Status));#endif
return WmipSetDosError(WmipNtStatusToDosError(Status)); } }
//
// Now Call the event specific callback.
//
pCallback = WmipGetCallbackRoutine( &pEvent->Header.Guid ); if ( pCallback != NULL ) { try { (*pCallback->CallbackRoutine)(pEvent); } except (EXCEPTION_EXECUTE_HANDLER) { Status = GetExceptionCode();#ifdef DBG
WmipDebugPrint(("EventCallback %X threw exception %X\n", pCallback->CallbackRoutine, Status));#endif
return WmipSetDosError(WmipNtStatusToDosError(Status)); } } logfile->CurrentTime = pEvent->Header.TimeStamp.QuadPart; return ERROR_SUCCESS;}
ULONG WmipAdvanceToNewEvent( PEVENT_TRACE_LOGFILEW logfile, BOOL EventInRange ){ ULONG Status = ERROR_SUCCESS; PEVENT_TRACE pEvent; PTRACELOG_CONTEXT pContext; PVOID pBuffer; PTRACE_BUFFER_LIST_ENTRY Current; ULONG Size; WMI_HEADER_TYPE HeaderType = WMIHT_NONE;
pContext = logfile->Context; if (pContext == NULL) { return WmipSetDosError(ERROR_INVALID_PARAMETER); } Current = WmipRemoveBuffer(&pContext->Root); if (Current == NULL) { pContext->EndOfFile = TRUE; return ERROR_SUCCESS; }
//
// Advance Event for current buffer
//
pEvent = &Current->Event;
//
// Before we make the callbacks, we need to restore the
// raw buffer, so that MofData will be pointing to the right data.
//
pBuffer = WmipGetCurrentBuffer(pContext, Current); if (pBuffer == NULL) { //
// This condition could happen when the file we are reading
// gets overwritten.
//
return ERROR_SHARING_VIOLATION; } if (EventInRange) { Status = WmipDoEventCallbacks( logfile, pEvent); if (Status != ERROR_SUCCESS) { return Status; } }
Size = 0; if ((HeaderType = WmiGetTraceHeader(pBuffer, Current->BufferOffset, &Size)) != WMIHT_NONE) { if (Size > 0) { Status = WmipParseTraceEvent(pContext, pBuffer, Current->BufferOffset, HeaderType, pEvent, sizeof(EVENT_TRACE)); Current->BufferOffset += Size; Current->TraceType = WmipConvertEnumToTraceType(HeaderType); } } Current->EventSize = Size;
if ( ( Size > 0) && (Status == ERROR_SUCCESS) ) { WmipInsertBuffer(&pContext->Root, Current); } else { DWORD BytesTransffered; //
// When the current buffer is exhausted, make the
// BufferCallback
//
if (logfile->BufferCallback) { ULONG bRetVal; PWMI_BUFFER_HEADER pHeader = (PWMI_BUFFER_HEADER)pBuffer; logfile->Filled = (ULONG)pHeader->Offset; logfile->EventsLost = pHeader->EventsLost; try { bRetVal = (*logfile->BufferCallback) (logfile); if (!bRetVal) { return ERROR_CANCELLED; } } except (EXCEPTION_EXECUTE_HANDLER) { pContext->EndOfFile = TRUE; Status = GetExceptionCode();#ifdef DBG
WmipDebugPrint(("TRACE: BufferCallback threw exception %X\n", Status));#endif
WmipSetDosError(WmipNtStatusToDosError(Status)); return ERROR_CANCELLED; // so that realtime also cleans up.
} } //
// Issue another asynch read on this buffer cache slot if there are no outstanding reads
// at this point.
// GetOverlappedResult() returns FALSE if IO is still pending.
//
if (pContext->BufferBeingRead == -1 || GetOverlappedResult(pContext->Handle, &pContext->AsynchRead, &BytesTransffered, FALSE)) {
LONG FileOffset = Current->FileOffset + MAX_TRACE_BUFFER_CACHE_SIZE; if ((ULONG)FileOffset < pContext->BufferCount) { ULONGLONG Offset = FileOffset * pContext->BufferSize; ResetEvent(pContext->AsynchRead.hEvent); pContext->AsynchRead.Offset = (DWORD)(Offset & 0xFFFFFFFF); pContext->AsynchRead.OffsetHigh = (DWORD)(Offset >> 32);
Status = ReadFile(pContext->Handle, (LPVOID)pBuffer, pContext->BufferSize, NULL, &pContext->AsynchRead); if (Status || GetLastError() == ERROR_IO_PENDING) { ULONG TableIndex = FileOffset % MAX_TRACE_BUFFER_CACHE_SIZE; pContext->BufferBeingRead = FileOffset; pContext->BufferCache[TableIndex].Index = FileOffset; } else { // Issuing asynch IO failed. Not a fatal error. Just continue for now.
SetEvent(pContext->AsynchRead.hEvent); pContext->BufferBeingRead = -1; } } } } //
// The File reaches end of file when the Root is NULL
//
if (pContext->Root == NULL) { pContext->EndOfFile = TRUE; } else { logfile->CurrentTime = pContext->Root->Event.Header.TimeStamp.QuadPart; }
return ERROR_SUCCESS;}
ULONG WmipBuildEventTable( PTRACELOG_CONTEXT pContext ){ ULONG i, nBytesRead; PVOID pBuffer; ULONG BufferSize = pContext->BufferSize; PEVENT_TRACE pEvent; ULONG TotalBuffersRead; NTSTATUS Status; ULONGLONG ReadPosition;
//
// File is already open.
// Reset the file pointer and continue.
// TODO: If we start at bottom of file and insert
// it might be more efficient.
//
ReadPosition = pContext->StartBuffer * BufferSize; TotalBuffersRead = pContext->StartBuffer;
//
// If there are no other buffers except header and guidmaps, EOF is true
//
if (TotalBuffersRead == pContext->BufferCount) { pContext->EndOfFile = TRUE; pContext->Root = NULL; return ERROR_SUCCESS; }
do { WMI_HEADER_TYPE HeaderType = WMIHT_NONE; ULONG Size; ULONG Offset; ULONG TableIndex;
TableIndex = TotalBuffersRead % MAX_TRACE_BUFFER_CACHE_SIZE ; pBuffer = pContext->BufferCache[TableIndex].Buffer;
if (!GetOverlappedResult(pContext->Handle, &pContext->AsynchRead, &nBytesRead, TRUE) && GetLastError() != ERROR_HANDLE_EOF) { WmipDebugPrint(("GetOverlappedResult failed with Status %d in BuildEventTable\n", GetLastError())); break; } pContext->AsynchRead.Offset = (DWORD)(ReadPosition & 0xFFFFFFFF); pContext->AsynchRead.OffsetHigh = (DWORD)(ReadPosition >> 32);
Status = WmipSynchReadFile(pContext->Handle, (LPVOID)pBuffer, BufferSize, &nBytesRead, &pContext->AsynchRead);
if (nBytesRead == 0) break;
ReadPosition += BufferSize; Offset = sizeof(WMI_BUFFER_HEADER);
pEvent = &pContext->BufferList[TotalBuffersRead].Event;
HeaderType = WmiGetTraceHeader(pBuffer, Offset, &Size); if ( (HeaderType == WMIHT_NONE) || (HeaderType == WMIHT_WNODE) || (Size == 0) ) { TotalBuffersRead++; continue; } Status = WmipParseTraceEvent(pContext, pBuffer, Offset, HeaderType, pEvent, sizeof(EVENT_TRACE));
//
// Set up the header structure properly
//
if (Status != ERROR_SUCCESS) { TotalBuffersRead++; continue; }
Offset += Size; pContext->BufferList[TotalBuffersRead].BufferOffset = Offset; pContext->BufferList[TotalBuffersRead].FileOffset = TotalBuffersRead; pContext->BufferList[TotalBuffersRead].EventSize = Size; pContext->BufferList[TotalBuffersRead].TraceType = WmipConvertEnumToTraceType(HeaderType); WmipInsertBuffer(&pContext->Root, &pContext->BufferList[TotalBuffersRead]);
TotalBuffersRead++; if (TotalBuffersRead >= pContext->BufferCount) { break; } } while (1);
return ERROR_SUCCESS;}
ULONGWmipProcessTraceLog( PTRACEHANDLE HandleArray, PEVENT_TRACE_LOGFILEW *Logfiles, ULONG LogfileCount, LONGLONG StartTime, LONGLONG EndTime, ULONG Unicode )/*++
Routine Description: This routine processes an array of traces (from file or realtime input stream). If the trace is from a file, goes through each event till the end of file, firing event callbacks (if any) along the way. If the trace is from realtime, it waits for event notification about buffer delivery from the realtime callback and processes the buffer delivered in the same way. It handles circular logfiles and windowing of data (with the given start and end times) correctly. When more than one trace it provides the callback in chronological order.
Arguments:
Logfiles Array of traces LogfileCount Number of traces StartTime Starting Time of the window of analysis EndTime Ending Time of the window of analysis Unicode Unicode Flag.
Returned Value:
Status Code.
--*/{ PEVENT_TRACE_LOGFILE logfile; ULONG Status; PEVENT_TRACE pEvent; PTRACELOG_CONTEXT pContext; EVENT_TRACE_PROPERTIES Properties; ULONG RealTimeDataFeed, LogFileDataFeed; USHORT LoggerId; TRACEHANDLE LoggerHandle = 0; ULONG i, j; BOOL Done = FALSE; ACCESS_MASK DesiredAccess = TRACELOG_ACCESS_REALTIME;
// ContextListHeadPtr = &ContextListHead;
// InitializeListHead(ContextListHeadPtr);
Status = WmipCreateGuidMapping(); if (Status != ERROR_SUCCESS) { return Status; }
//
// After reading the First Buffer, determine the BufferSize,
// Number of Buffers written, filesize, kernel or non-kernel logger
// Set a flag to strip out the GuidMap at the end.
//
Status = WmipProcessLogHeader( HandleArray, Logfiles, LogfileCount, Unicode, FALSE ); if (Status != ERROR_SUCCESS) { goto Cleanup; } Status = WmipProcessGuidMaps( Logfiles, LogfileCount, Unicode ); if (Status != ERROR_SUCCESS) { goto Cleanup; }
//
// Set up storage
//
for (i=0; i < LogfileCount; i++) { ULONG BufferSize, BufferCount; ULONG SizeNeeded; PUCHAR Space; PTRACE_BUFFER_LIST_ENTRY Current;
pContext = (PTRACELOG_CONTEXT)Logfiles[i]->Context;
BufferSize = pContext->BufferSize; BufferCount = pContext->BufferCount;
SizeNeeded = BufferCount * sizeof(TRACE_BUFFER_LIST_ENTRY); pContext->BufferList = WmipMemCommit( NULL, SizeNeeded );
if (pContext->BufferList == NULL) { Status = ERROR_OUTOFMEMORY; goto Cleanup; }
RtlZeroMemory(pContext->BufferList, SizeNeeded);
//
// Allocate Buffer Cache
//
SizeNeeded = MAX_TRACE_BUFFER_CACHE_SIZE * BufferSize; Space = WmipMemCommit( NULL, SizeNeeded ); if (Space == NULL) { Status = ERROR_OUTOFMEMORY; goto Cleanup; }
for (j=0; j<MAX_TRACE_BUFFER_CACHE_SIZE; j++) { pContext->BufferCache[j].Index = -1; pContext->BufferCache[j].Buffer = (PVOID)(Space + j * BufferSize); } pContext->BufferCacheSpace = Space; Status = WmipBuildEventTable(pContext); if (Status != ERROR_SUCCESS) { goto Cleanup; }
Current = pContext->Root; if (Current != NULL) { Logfiles[i]->CurrentTime = Current->Event.Header.TimeStamp.QuadPart; } else { pContext->EndOfFile = TRUE; } }
//
// Make the Second Pass and get the events.
//
#ifdef DBG
WmipDumpCallbacks();#endif
while (!Done) { LONGLONG nextTimeStamp; BOOL EventInRange; //
// Check to see if end of file has been reached on all the
// files.
//
logfile = NULL; nextTimeStamp = 0;
for (j=0; j < LogfileCount; j++) { pContext = (PTRACELOG_CONTEXT)Logfiles[j]->Context;
if (pContext->EndOfFile) continue; if (nextTimeStamp == 0) { nextTimeStamp = Logfiles[j]->CurrentTime; logfile = Logfiles[j]; } else if (nextTimeStamp > Logfiles[j]->CurrentTime) { nextTimeStamp = Logfiles[j]->CurrentTime; logfile = Logfiles[j]; } }
if (logfile == NULL) { break; } //
// if the Next event timestamp is not within the window of
// analysis, we do not fire the event callbacks.
//
EventInRange = TRUE;
if ((StartTime != 0) && (StartTime > nextTimeStamp)) EventInRange = FALSE; if ((EndTime != 0) && (EndTime < nextTimeStamp)) EventInRange = FALSE;
//
// Now advance to next event.
//
Status = WmipAdvanceToNewEvent(logfile, EventInRange); Done = (Status == ERROR_CANCELLED); }Cleanup: for (i=0; i < LogfileCount; i++) { pContext = (PTRACELOG_CONTEXT)Logfiles[i]->Context; if (pContext != NULL) { WmipCleanupTraceLog(pContext); } } return Status;
}
ULONGWmipCopyLogfileInfo( PTRACELOG_CONTEXT HandleEntry, PEVENT_TRACE_LOGFILEW Logfile, ULONG Unicode ){ ULONG bufSize; PWCHAR ws; //
// Allocate LogfileName and LoggerName as well
//
RtlCopyMemory(&HandleEntry->Logfile, Logfile, sizeof(EVENT_TRACE_LOGFILEW));
HandleEntry->Logfile.LogFileName = NULL; HandleEntry->Logfile.LoggerName = NULL;
if (Logfile->LogFileName != NULL) { if (Unicode) bufSize = (wcslen(Logfile->LogFileName) + 1) * sizeof(WCHAR); else bufSize = (strlen((PUCHAR)(Logfile->LogFileName)) + 1) * sizeof(WCHAR); ws = WmipAlloc( bufSize ); if (ws == NULL) return ERROR_OUTOFMEMORY;
if (Unicode) { wcscpy(ws, Logfile->LogFileName); } else { MultiByteToWideChar(CP_ACP, 0, (LPCSTR)Logfile->LogFileName, -1, (LPWSTR)ws, bufSize); } HandleEntry->Logfile.LogFileName = ws; } if (Logfile->LoggerName != NULL) { if (Unicode) bufSize = (wcslen(Logfile->LoggerName) + 1) * sizeof(WCHAR); else bufSize = (strlen((PUCHAR)(Logfile->LoggerName)) + 1) * sizeof(WCHAR);
ws = WmipAlloc( bufSize ); if (ws == NULL) return ERROR_OUTOFMEMORY;
if (Unicode) wcscpy(ws, Logfile->LoggerName); else { MultiByteToWideChar(CP_ACP, 0, (LPCSTR)Logfile->LoggerName, -1, (LPWSTR)ws, bufSize); } HandleEntry->Logfile.LoggerName = ws; } return ERROR_SUCCESS;}
TRACEHANDLEWMIAPIOpenTraceA( IN PEVENT_TRACE_LOGFILEA Logfile )/*++
Routine Description: This is the Ansi version of the ProcessTracelogHeader routine.
Arguments:
LogFile Trace Input
Returned Value:
TraceHandle
--*/{ ULONG status = ERROR_INVALID_PARAMETER; PTRACELOG_CONTEXT HandleEntry = NULL; TRACEHANDLE TraceHandle = (TRACEHANDLE)INVALID_HANDLE_VALUE;
WmipInitProcessHeap();
if (Logfile != NULL) { HandleEntry = WmipAllocateTraceHandle(); if (HandleEntry == NULL) { status = ERROR_OUTOFMEMORY; } else { //
// Copy the LogFileStructure over. Converts strings to Unicode
//
TraceHandle = HandleEntry->TraceHandle; try { status = WmipCopyLogfileInfo( HandleEntry, (PEVENT_TRACE_LOGFILEW)Logfile, FALSE ); if (status == ERROR_SUCCESS) { //
// For RealTime, handle is a place holder until ProcessTrace.
//
if ( (Logfile->LogFileMode & EVENT_TRACE_REAL_TIME_MODE) != EVENT_TRACE_REAL_TIME_MODE ) { status = WmipCreateGuidMapping(); if (status == ERROR_SUCCESS) { status = WmipProcessLogHeader( &HandleEntry->TraceHandle, (PEVENT_TRACE_LOGFILEW*)&Logfile, 1, FALSE, TRUE ); } } } } except (EXCEPTION_EXECUTE_HANDLER) { status = WmipNtStatusToDosError( GetExceptionCode() ); } } }
if ( (status != ERROR_SUCCESS) && (HandleEntry != NULL) ) { WmipFreeTraceHandle(TraceHandle); TraceHandle = (TRACEHANDLE)INVALID_HANDLE_VALUE; }
WmipSetDosError(status); return TraceHandle;}
TRACEHANDLEWMIAPIOpenTraceW( IN PEVENT_TRACE_LOGFILEW Logfile )/*++
Routine Description: This routine processes a trace input and returns the tracelog header. Only for logfiles. For realtime traces, the header may not be available.
Arguments:
Logfile Trace input.
Returned Value:
Pointer to Tracelog header.
--*/{ ULONG status = ERROR_INVALID_PARAMETER; PTRACELOG_CONTEXT HandleEntry = NULL; TRACEHANDLE TraceHandle = (TRACEHANDLE)INVALID_HANDLE_VALUE;
WmipInitProcessHeap();
if (Logfile != NULL) { HandleEntry = WmipAllocateTraceHandle(); if (HandleEntry == NULL) { status = ERROR_OUTOFMEMORY; } else { TraceHandle = HandleEntry->TraceHandle; try { status = WmipCopyLogfileInfo( HandleEntry, (PEVENT_TRACE_LOGFILEW)Logfile, TRUE ); if (status == ERROR_SUCCESS) { if ( (Logfile->LogFileMode & EVENT_TRACE_REAL_TIME_MODE) != EVENT_TRACE_REAL_TIME_MODE ) { status = WmipCreateGuidMapping(); if (status == ERROR_SUCCESS) { status = WmipProcessLogHeader( &HandleEntry->TraceHandle, (PEVENT_TRACE_LOGFILEW*)&Logfile, 1, TRUE, TRUE ); } } } } except (EXCEPTION_EXECUTE_HANDLER) { status = WmipNtStatusToDosError( GetExceptionCode() ); } } }
if ( (status != ERROR_SUCCESS) && (HandleEntry != NULL) ) { WmipFreeTraceHandle(TraceHandle); TraceHandle = (TRACEHANDLE)INVALID_HANDLE_VALUE; }
WmipSetDosError(status); return TraceHandle;}
ULONGWMIAPIProcessTrace( IN PTRACEHANDLE HandleArray, IN ULONG HandleCount, IN LPFILETIME StartTime, IN LPFILETIME EndTime ){
PEVENT_TRACE_LOGFILEW Logfiles[MAXLOGGERS]; PLIST_ENTRY Head, Next; PTRACELOG_CONTEXT pHandleEntry, pEntry; ULONG i, Status; LONGLONG sTime, eTime; TRACEHANDLE SavedArray[MAXLOGGERS];
PEVENT_TRACE_LOGFILE logfile; PEVENT_TRACE pEvent; PTRACELOG_CONTEXT pContext; PEVENT_TRACE_PROPERTIES Properties; ULONG szProperties; ULONG RealTimeDataFeed, LogFileDataFeed; USHORT LoggerId; TRACEHANDLE LoggerHandle = 0; ULONG j; BOOL Done = FALSE; ACCESS_MASK DesiredAccess = TRACELOG_ACCESS_REALTIME;
WmipInitProcessHeap();
if ((HandleCount == 0) || (HandleCount >= MAXLOGGERS)) { return ERROR_BAD_LENGTH; } if (HandleArray == NULL) { return ERROR_INVALID_PARAMETER; }
RtlZeroMemory(Logfiles, MAXLOGGERS*sizeof(PEVENT_TRACE_LOGFILEW) ); szProperties = sizeof(EVENT_TRACE_PROPERTIES) + 2 * MAXSTR * sizeof(WCHAR); Properties = WmipAlloc(szProperties); if (Properties == NULL) { return ERROR_OUTOFMEMORY; }
WmipEnterPMCritSection();
eTime = 0; sTime = 0;
try { if (StartTime != NULL) sTime = *((PLONGLONG) StartTime); if (EndTime != NULL) eTime = *((PLONGLONG) EndTime);
if ((eTime != 0) && (eTime < sTime) ) { WmipLeavePMCritSection(); Status = ERROR_INVALID_TIME; goto Cleanup; }
for (i=0; i<HandleCount; i++) { SavedArray[i] = HandleArray[i]; if (SavedArray[i] == (TRACEHANDLE) INVALID_HANDLE_VALUE) { WmipLeavePMCritSection(); Status = ERROR_INVALID_HANDLE; goto Cleanup; } }
for (i=0; i< HandleCount; i++) { pHandleEntry = NULL; Head = TraceHandleListHeadPtr; if (Head != NULL) { Next = Head->Flink; while (Next != Head) { pEntry = CONTAINING_RECORD(Next, TRACELOG_CONTEXT, Entry); Next = Next->Flink; if (SavedArray[i] == pEntry->TraceHandle) { if (pEntry->fProcessed == FALSE) { pHandleEntry = pEntry; pHandleEntry->fProcessed = TRUE; } break; } } } if (pHandleEntry == NULL) { Status = ERROR_INVALID_HANDLE; WmipLeavePMCritSection(); goto Cleanup; } Logfiles[i] = &pHandleEntry->Logfile; }
WmipLeavePMCritSection();
//
// Scan the Logfiles list and decide it's realtime or
// Logfile Proceessing.
//
for (i=0; i < HandleCount; i++) { RealTimeDataFeed = FALSE; LogFileDataFeed = FALSE; //
// Check to see if this is a RealTime Datafeed
//
if (Logfiles[i]->LogFileMode & EVENT_TRACE_REAL_TIME_MODE) { if (Logfiles[i]->LoggerName == NULL) { Status = WmipSetDosError(ERROR_INVALID_NAME); goto Cleanup; } //
// Using the LoggerName, Query the Logger to determine
// whether this is a Kernel or Usermode realtime logger.
//
RtlZeroMemory(Properties, szProperties); Properties->Wnode.BufferSize = szProperties;
Status = ControlTraceW(LoggerHandle, (LPWSTR)Logfiles[i]->LoggerName, Properties, EVENT_TRACE_CONTROL_QUERY);
if (Status != ERROR_SUCCESS) { goto Cleanup; }
if (!(Properties->LogFileMode & EVENT_TRACE_REAL_TIME_MODE)) { Status = ERROR_WMI_INSTANCE_NOT_FOUND; goto Cleanup; }
Logfiles[i]->IsKernelTrace = IsEqualGUID(&Properties->Wnode.Guid, &SystemTraceControlGuid);
LoggerId = WmiGetLoggerId(Properties->Wnode.HistoricalContext);
if (LoggerId == KERNEL_LOGGER_ID) LoggerId = 0; Logfiles[i]->Filled = LoggerId; // Temporarily stash it away
Logfiles[i]->LogfileHeader.LogInstanceGuid = Properties->Wnode.Guid;
//
// If the Logger is using UsePerfClock for TimeStamps, make a reference
// timestamp now.
//
Logfiles[i]->LogfileHeader.ReservedFlags = Properties->Wnode.ClientContext;
//
// Save the BuffferSize for Realtime Buffer Pool Allocation
//
Logfiles[i]->BufferSize = Properties->BufferSize * 1024;
//
// This is the place to do security check on this Guid.
//
Status = WmipCheckGuidAccess( &Properties->Wnode.Guid, DesiredAccess );
if (Status != ERROR_SUCCESS) { goto Cleanup; } RealTimeDataFeed = TRUE; } //
// Check to see if this is a Logfile datafeed.
//
if (!(Logfiles[i]->LogFileMode & EVENT_TRACE_REAL_TIME_MODE)) { if (Logfiles[i]->LogFileName == NULL) { Status = WmipSetDosError(ERROR_BAD_PATHNAME); goto Cleanup; }
if ( wcslen((LPWSTR)Logfiles[i]->LogFileName) <= 0 ) { Status = WmipSetDosError(ERROR_BAD_PATHNAME); goto Cleanup; }
LogFileDataFeed = TRUE; }
//
// We don't support both RealTimeFeed and LogFileDataFeed.
//
if (RealTimeDataFeed && LogFileDataFeed) { Status = WmipSetDosError(ERROR_INVALID_PARAMETER); goto Cleanup; } }
if (LogFileDataFeed) { Status = WmipProcessTraceLog(&SavedArray[0], Logfiles, HandleCount, sTime, eTime, TRUE); } else { Status = WmipProcessRealTimeTraces(&SavedArray[0], Logfiles, HandleCount, sTime, eTime, TRUE); }
} except (EXCEPTION_EXECUTE_HANDLER) { Status = GetExceptionCode();#ifdef DBG
WmipDebugPrint(("TRACE: WmipProcessTraceLog threw exception %X\n", Status));#endif
Status = WmipSetDosError(WmipNtStatusToDosError(Status)); }
try { WmipEnterPMCritSection(); for (i=0; i< HandleCount; i++) { pHandleEntry = NULL; Head = TraceHandleListHeadPtr; WmipAssert(Head); Next = Head->Flink; while (Next != Head) { pEntry = CONTAINING_RECORD(Next, TRACELOG_CONTEXT, Entry); Next = Next->Flink;
if (SavedArray[i] == pEntry->TraceHandle) { pEntry->fProcessed = FALSE; break; } } } WmipLeavePMCritSection(); } except (EXCEPTION_EXECUTE_HANDLER) { Status = GetExceptionCode();#ifdef DBG
WmipDebugPrint(("TRACE: WmipProcessTraceLog threw exception %X\n", Status));#endif
Status = WmipSetDosError(WmipNtStatusToDosError(Status)); }
Cleanup:
WmipFree(Properties); return Status;}
ULONGWMIAPICloseTrace( IN TRACEHANDLE TraceHandle ){ WmipInitProcessHeap(); if ((TraceHandle == 0) || (TraceHandle == (TRACEHANDLE)INVALID_HANDLE_VALUE)) return ERROR_INVALID_HANDLE; return WmipFreeTraceHandle(TraceHandle);}
VOIDWmipGuidMapCallback( PLIST_ENTRY GuidMapListHeadPtr, PEVENT_TRACE pEvent ){ PTRACEGUIDMAP GuidMap;
WmipInitProcessHeap(); if (pEvent == NULL) return;
GuidMap = (PTRACEGUIDMAP) pEvent->MofData; if (GuidMap != NULL) { WmipAddGuidHandleToGuidMapList(GuidMapListHeadPtr, GuidMap->GuidMapHandle, &GuidMap->Guid); }
}
voidWmipCleanupTraceLog( PTRACELOG_CONTEXT pContext ){ ULONG Size;
//
// Free up the realtime context arrays and buffers
//
WmipEnterPMCritSection();
if (pContext->IsRealTime) { if (pContext->Root != NULL) { WmipFree(pContext->Root); } WmipFreeRealTimeContext(pContext->RealTimeCxt); } else { if (pContext->Handle != NULL) { NtClose(pContext->Handle); pContext->Handle = NULL; } }
if (pContext->BufferList != NULL) { WmipMemFree(pContext->BufferList); } if (pContext->BufferCacheSpace != NULL) { WmipMemFree(pContext->BufferCacheSpace); }
WmipCleanupGuidMapList(&pContext->GuidMapListHead);
//
// The following fields need to be reset since the caller
// may call ProcessTrace again with the same handle
//
Size = sizeof(TRACELOG_CONTEXT) - FIELD_OFFSET(TRACELOG_CONTEXT, fProcessed); RtlZeroMemory(&pContext->fProcessed, Size); InitializeListHead (&pContext->GuidMapListHead);
WmipLeavePMCritSection();
//
// TODO: We need to use a ref count mechanism before deleting the
// EventMapList and CallbackLists
//
// if (EventMapList != NULL) {
// HeapFree(GetProcessHeap(), 0, EventMapList);
// EventMapList = NULL;
// }
// WmipFreeCallbackList();
}
ULONGWMIAPIWmiGetFirstTraceOffset( IN PWMIBUFFERINFO BufferInfo )/*++
Routine Description: This is the private API for buffer walking for cluster/ debugger support.
Returns the Offset to the first event.
Arguments:
Returned Value:
Status code
--*/{ PVOID pBuffer; PWMI_BUFFER_HEADER pHeader; PLONG LastByte;
if (BufferInfo == NULL) { return 0; } pBuffer = BufferInfo->Buffer;
if (pBuffer == NULL) { return 0; } pHeader = (PWMI_BUFFER_HEADER) pBuffer;
switch(BufferInfo->BufferSource) { case WMIBS_CURRENT_LIST: {// TODO: Fix GlennP's debugger problem in 2195
//
// ULONG lMask = ~((ULONG)0);
pHeader->Wnode.BufferSize = BufferInfo->BufferSize; pHeader->ClientContext.Alignment = (UCHAR)BufferInfo->Alignment;// if (BufferInfo->ProcessorNumber < lMask) {
// pHeader->ClientContext.ProcessorNumber = (UCHAR)BufferInfo->ProcessorNumber;
// }
pHeader->Offset = pHeader->CurrentOffset; break; } case WMIBS_FREE_LIST: { pHeader->Offset = pHeader->CurrentOffset;
if (pHeader->SavedOffset > 0) pHeader->Offset = pHeader->SavedOffset;
if (pHeader->Offset == 0) { pHeader->Offset = sizeof(WMI_BUFFER_HEADER); }
pHeader->Wnode.BufferSize = BufferInfo->BufferSize; break; } case WMIBS_TRANSITION_LIST: { if (pHeader->SavedOffset > 0) { pHeader->Offset = pHeader->SavedOffset; } break; } case WMIBS_FLUSH_LIST: { if (pHeader->SavedOffset > 0) { pHeader->Offset = pHeader->SavedOffset; } pHeader->Wnode.BufferSize = BufferInfo->BufferSize; break; } case WMIBS_LOG_FILE: { break; } }
if (BufferInfo->BufferSource != WMIBS_LOG_FILE) { LastByte = (PLONG) ((PUCHAR)pHeader+ pHeader->Offset); if (pHeader->Offset <= (BufferInfo->BufferSize - sizeof(ULONG)) ) {
*LastByte = -1; } }
return sizeof(WMI_BUFFER_HEADER);}
ULONG WmipConvertEnumToTraceType( WMI_HEADER_TYPE eTraceType ){ switch(eTraceType) { case WMIHT_SYSTEM32: return TRACE_HEADER_TYPE_SYSTEM32; case WMIHT_SYSTEM64: return TRACE_HEADER_TYPE_SYSTEM64; case WMIHT_EVENT_TRACE: return TRACE_HEADER_TYPE_FULL_HEADER; case WMIHT_EVENT_INSTANCE: return TRACE_HEADER_TYPE_INSTANCE; case WMIHT_TIMED: return TRACE_HEADER_TYPE_TIMED; case WMIHT_ULONG32: return TRACE_HEADER_TYPE_ULONG32; case WMIHT_WNODE: return TRACE_HEADER_TYPE_WNODE_HEADER; case WMIHT_MESSAGE: return TRACE_HEADER_TYPE_MESSAGE; case WMIHT_PERFINFO32: return TRACE_HEADER_TYPE_PERFINFO32; case WMIHT_PERFINFO64: return TRACE_HEADER_TYPE_PERFINFO64; default: return 0; }}
WMI_HEADER_TYPEWmipConvertTraceTypeToEnum( ULONG TraceType ){ switch(TraceType) { case TRACE_HEADER_TYPE_SYSTEM32: return WMIHT_SYSTEM32; case TRACE_HEADER_TYPE_SYSTEM64: return WMIHT_SYSTEM64; case TRACE_HEADER_TYPE_FULL_HEADER: return WMIHT_EVENT_TRACE; case TRACE_HEADER_TYPE_INSTANCE: return WMIHT_EVENT_INSTANCE; case TRACE_HEADER_TYPE_TIMED: return WMIHT_TIMED; case TRACE_HEADER_TYPE_ULONG32: return WMIHT_ULONG32; case TRACE_HEADER_TYPE_WNODE_HEADER: return WMIHT_WNODE; case TRACE_HEADER_TYPE_MESSAGE: return WMIHT_MESSAGE; case TRACE_HEADER_TYPE_PERFINFO32: return WMIHT_PERFINFO32; case TRACE_HEADER_TYPE_PERFINFO64: return WMIHT_PERFINFO64; default: return WMIHT_NONE; }}
WMI_HEADER_TYPEWMIAPIWmiGetTraceHeader( IN PVOID LogBuffer, IN ULONG Offset, OUT ULONG *Size ){ ULONG Status = ERROR_SUCCESS; ULONG TraceType;
try {
TraceType = WmipGetNextEventOffsetType( (PUCHAR)LogBuffer, Offset, Size );
return WmipConvertTraceTypeToEnum(TraceType);
} except (EXCEPTION_EXECUTE_HANDLER) { Status = GetExceptionCode();#ifdef DBG
WmipDebugPrint(("TRACE: WmiGetTraceHeader threw exception %X\n", Status));#endif
Status = WmipSetDosError(WmipNtStatusToDosError(Status)); }
return 0;}
ULONGWMIAPIWmiParseTraceEvent( IN PVOID LogBuffer, IN ULONG Offset, IN WMI_HEADER_TYPE HeaderType, IN OUT PVOID EventInfo, IN ULONG EventInfoSize ){
return WmipParseTraceEvent(NULL, LogBuffer, Offset, HeaderType, EventInfo, EventInfoSize);}
ULONGWmipParseTraceEvent( IN PTRACELOG_CONTEXT pContext, IN PVOID LogBuffer, IN ULONG Offset, IN WMI_HEADER_TYPE HeaderType, IN OUT PVOID EventInfo, IN ULONG EventInfoSize ){ PWMI_BUFFER_HEADER Header = (PWMI_BUFFER_HEADER)LogBuffer; ULONG Status = ERROR_SUCCESS; PVOID pEvent;
if ( (LogBuffer == NULL) || (EventInfo == NULL) || (EventInfoSize < sizeof(EVENT_TRACE_HEADER)) ) { return (ERROR_INVALID_PARAMETER); }
Status = WmipCreateGuidMapping(); if (Status != ERROR_SUCCESS) { return Status; }
try {
RtlZeroMemory(EventInfo, sizeof(EVENT_TRACE));
pEvent = (void*) ((PUCHAR)LogBuffer + Offset);
WmipCopyCurrentEvent(pContext, pEvent, EventInfo, WmipConvertEnumToTraceType(HeaderType), (PWMI_BUFFER_HEADER)LogBuffer );
( (PEVENT_TRACE)EventInfo)->ClientContext = Header->Wnode.ClientContext;
} except (EXCEPTION_EXECUTE_HANDLER) { Status = GetExceptionCode();#ifdef DBG
WmipDebugPrint(("TRACE: WmipParseTraceEvent threw exception %X\n", Status));#endif
Status = WmipSetDosError(WmipNtStatusToDosError(Status)); }
return Status;}
//
// RealTime Routines
//
PVOIDWmipAllocTraceBuffer( PTRACELOG_REALTIME_CONTEXT RTCxt, ULONG BufferSize ){ PVOID Buffer = NULL; PTRACE_BUFFER_HEADER Header; PLIST_ENTRY Head, Next; PTRACERT_BUFFER_LIST_ENTRY ListEntry; PTRACE_BUFFER_SPACE WmipTraceBufferSpace;
WmipEnterPMCritSection(); WmipTraceBufferSpace = RTCxt->WmipTraceBufferSpace; Head = &WmipTraceBufferSpace->FreeListHead; Next = Head->Flink; while (Head != Next) { ListEntry = CONTAINING_RECORD(Next, TRACERT_BUFFER_LIST_ENTRY, Entry); Next = Next->Flink; if (ListEntry->Size == BufferSize) { goto foundList; } } //
// No list for this bufferSize was found. So go Ahead and allocate one.
//
ListEntry = WmipAlloc(sizeof(TRACERT_BUFFER_LIST_ENTRY)); if (ListEntry == NULL) { WmipSetDosError(ERROR_OUTOFMEMORY); WmipLeavePMCritSection(); return NULL; } RtlZeroMemory(ListEntry, sizeof(TRACERT_BUFFER_LIST_ENTRY)); ListEntry->Size = BufferSize; InitializeListHead(&ListEntry->BufferListHead); InsertHeadList(&WmipTraceBufferSpace->FreeListHead, &ListEntry->Entry);
foundList: //
// Now look for a free buffer in this list
//
Head = &ListEntry->BufferListHead; Next = Head->Flink; while (Head != Next) { Header = CONTAINING_RECORD( Next, TRACE_BUFFER_HEADER, Entry ); if (((PWNODE_HEADER)Header)->BufferSize == BufferSize) { RemoveEntryList(&Header->Entry); Buffer = (PVOID)Header; break; } Next = Next->Flink; } WmipLeavePMCritSection(); //
// If No Free Buffers are found we try to allocate one and return.
//
if (Buffer == NULL) { PVOID Space; ULONG SizeLeft = WmipTraceBufferSpace->Reserved - WmipTraceBufferSpace->Committed; if (SizeLeft < BufferSize) { WmipSetDosError(ERROR_OUTOFMEMORY); return NULL; }
Space = (PVOID)( (PCHAR)WmipTraceBufferSpace->Space + WmipTraceBufferSpace->Committed );
Buffer = WmipMemCommit( Space, BufferSize );
if (Buffer != NULL) { WmipTraceBufferSpace->Committed += BufferSize; }
} return (Buffer);}VOIDWmipFreeTraceBuffer( PTRACELOG_REALTIME_CONTEXT RTCxt, PVOID Buffer ){ PTRACE_BUFFER_HEADER Header = (PTRACE_BUFFER_HEADER)Buffer; PLIST_ENTRY Head, Next; ULONG BufferSize = Header->Wnode.BufferSize; PTRACERT_BUFFER_LIST_ENTRY ListEntry; PLIST_ENTRY BufferList = NULL; PTRACE_BUFFER_SPACE WmipTraceBufferSpace;
WmipEnterPMCritSection(); WmipTraceBufferSpace = RTCxt->WmipTraceBufferSpace; Head = &WmipTraceBufferSpace->FreeListHead; Next = Head->Flink; while (Head != Next) { ListEntry = CONTAINING_RECORD(Next, TRACERT_BUFFER_LIST_ENTRY, Entry); Next = Next->Flink; if (ListEntry->Size == BufferSize) { BufferList = &ListEntry->BufferListHead; break; } } if (BufferList != NULL) {
InsertHeadList(BufferList, &Header->Entry); } else {
// We shoule not get here. If we do the buffer->Size is
// Corrupted.
WmipAssert(BufferList == NULL); } WmipLeavePMCritSection();}
//
// TODO: If two threads called processtrace for the same RT stream, how can we fire
// two callbacks
//
ULONGWmipRealTimeCallback( IN PWNODE_HEADER Wnode, IN ULONG_PTR RTContext //LogFileIndex
)/*++
Routine Description: This routine is called when a real time buffer becomes available. The buffer delivered by WMI is copied to a local pool of ring buffers. Each realtime data feed maintains its own pool of ring buffers and the LogFileIndex passed back via the Wnode (ProviderId field) identifies the stream to which the buffer is destined.
Arguments:
Wnode Buffer LogFileIndex Index of the Input stream from which this buffer came.
Returned Value:
Status Code.
--*/{ ULONG index; PTRACELOG_REALTIME_CONTEXT Context = (PTRACELOG_REALTIME_CONTEXT) RTContext; PWNODE_HEADER pHeader; PWMI_CLIENT_CONTEXT ClientContext;
//
// Assumes that the number of LogFiles is less than the MAXLOGGERS.
//
// Get the LogFileIndex to which this buffer is destined through the
// Logger Historical Context.
ClientContext = (PWMI_CLIENT_CONTEXT)&Wnode->ClientContext; //
// If we can't use this buffer for whatever reason, we return and
// the return code is always ERROR_SUCCESS.
//
//
// Circular FIFO queue of MAXBUFFERS to hold the buffers.
// Producer to Fill it and Consumer to Null it.
//
index = (Context->BuffersProduced % MAXBUFFERS); if (Context->RealTimeBufferPool[index] == NULL) { //Empty slot found.
pHeader = (PWNODE_HEADER) WmipAllocTraceBuffer(Context, Wnode->BufferSize); if (pHeader == NULL) { return ERROR_SUCCESS; } RtlCopyMemory(pHeader, Wnode, Wnode->BufferSize); // One more copy!?
Context->RealTimeBufferPool[index] = pHeader; Context->BuffersProduced++; NtSetEvent(Context->MoreDataEvent, NULL); //Signal the dc there's more data.
} else { // No Empty Slots found.
Context->BufferOverflow++; // Simply let the buffer go.
}
//
// wmi service maintains only the Delta buffersLost since the last time
// it was reported. The Count is zeroed once it is reported in a delivered
// buffer. This means I can add it directly.
//
Context->BufferOverflow += Wnode->CountLost;
return ERROR_SUCCESS;}
ULONGWmipSetupRealTimeContext( PTRACEHANDLE HandleArray, PEVENT_TRACE_LOGFILEW *Logfiles, ULONG LogfileCount )/*++
Routine Description: This routine sets up the context to process real time buffers. The real time buffers delivered will be copied and kept in a circular buffer pool until the ProcessTracelog routine can consume it.
Arguments:
LogFile Array of Logfiles being processed. LogFileCount Number of Logfiles in the Array.
Returned Value:
Status Code.
--*/{ ULONG i; ULONG Status; USHORT LoggerId; ULONG TotalBufferSize = 0; SYSTEM_BASIC_INFORMATION SystemInfo; ULONG RealTimeRegistered = FALSE;
Status = WmipCreateGuidMapping(); if (Status != ERROR_SUCCESS) { return Status; }
for (i=0; i < LogfileCount; i++) { if (Logfiles[i]->LogFileMode & EVENT_TRACE_REAL_TIME_MODE) { TotalBufferSize += Logfiles[i]->BufferSize; // * SystemInfo.NumberOfProcessors;
} } if (TotalBufferSize == 0) TotalBufferSize = DEFAULT_REALTIME_BUFFER_SIZE;
//
// Initialize the real time data feed Structures.
//
for (i=0; i < LogfileCount; i++) { PTRACELOG_REALTIME_CONTEXT RTCxt; PTRACELOG_CONTEXT pContext; PTRACE_BUFFER_LIST_ENTRY pListEntry; LARGE_INTEGER Frequency; ULONGLONG Counter = 0;
if (Logfiles[i]->LogFileMode & EVENT_TRACE_REAL_TIME_MODE) {
pContext = WmipLookupTraceHandle(HandleArray[i]); if (pContext == NULL) { return WmipSetDosError(ERROR_OUTOFMEMORY); } pContext->IsRealTime = TRUE; pContext->Handle = NULL; Logfiles[i]->Context = pContext; Logfiles[i]->BuffersRead = 0;
pContext->EndOfFile = TRUE;
//
// Save the flags from OpenTrace at this time before the first
// buffer callback which will erase it.
//
pContext->ConversionFlags = Logfiles[i]->LogfileHeader.ReservedFlags;
pContext->UsePerfClock = Logfiles[i]->LogfileHeader.ReservedFlags;
//
// If the conversion flags are set, adjust UsePerfClock accordingly.
//
if (pContext->ConversionFlags & EVENT_TRACE_USE_RAWTIMESTAMP ) { pContext->UsePerfClock = EVENT_TRACE_CLOCK_RAW; }
//
// Fill in the StartTime, Frequency and StartPerfClock fields
//
Status = NtQueryPerformanceCounter((PLARGE_INTEGER)&Counter, &Frequency); pContext->StartPerfClock.QuadPart = Counter; pContext->PerfFreq.QuadPart = Frequency.QuadPart; pContext->StartTime.QuadPart = WmipGetSystemTime(); RTCxt = (PTRACELOG_REALTIME_CONTEXT)WmipAlloc( sizeof(TRACELOG_REALTIME_CONTEXT));
if (RTCxt == NULL) { return WmipSetDosError(ERROR_OUTOFMEMORY); }
RtlZeroMemory(RTCxt, sizeof(TRACELOG_REALTIME_CONTEXT));
RTCxt->MoreDataEvent = CreateEvent(NULL, FALSE, FALSE, NULL); if (RTCxt->MoreDataEvent == NULL) { return WmipSetDosError(ERROR_OBJECT_NOT_FOUND); }
//
// Save the RTCxt in a global pContext array so that the
// notification callback from WMI can get at it through the
// logfile index i.
//
LoggerId = (USHORT)Logfiles[i]->Filled; // get the stashed LoggerId.
pContext->LoggerId = LoggerId;
pContext->RealTimeCxt = RTCxt;
RTCxt->InstanceGuid = Logfiles[i]->LogfileHeader.LogInstanceGuid;
//
// Allocate the buffer space to receive the ral time buffers
//
if ( !RealTimeRegistered) { ULONG SizeReserved; PVOID BufferSpace;
//
// Right before starting to receive the realtime buffers
// get a dump of the GuidMaps if any.
///
WmipDumpGuidMaps(NULL, &pContext->GuidMapListHead, TRUE);
RealTimeRegistered = TRUE;
RTCxt->WmipTraceBufferSpace = (PTRACE_BUFFER_SPACE)WmipAlloc( sizeof(TRACE_BUFFER_SPACE));
if (RTCxt->WmipTraceBufferSpace == NULL) { return ERROR_OUTOFMEMORY; } RtlZeroMemory(RTCxt->WmipTraceBufferSpace, sizeof(TRACE_BUFFER_SPACE)); InitializeListHead(&RTCxt->WmipTraceBufferSpace->FreeListHead);
SizeReserved = MAXBUFFERS * TotalBufferSize;
BufferSpace = WmipMemReserve( SizeReserved ); if (BufferSpace == NULL) { return ERROR_OUTOFMEMORY; }
RTCxt->WmipTraceBufferSpace->Reserved = SizeReserved; RTCxt->WmipTraceBufferSpace->Space = BufferSpace;
} //
// For Every Logger Stream we need to register with WMI
// for buffer notification with its Security Guid.
//
Status = WmiNotificationRegistration( (const LPGUID) &RTCxt->InstanceGuid, TRUE, WmipRealTimeCallback, (ULONG_PTR)RTCxt, NOTIFICATION_CALLBACK_DIRECT ); if (Status != ERROR_SUCCESS) { return Status; } //
// Allocate Room to process one event
//
pListEntry = (PTRACE_BUFFER_LIST_ENTRY) WmipAlloc( sizeof(TRACE_BUFFER_LIST_ENTRY) ); if (pListEntry == NULL) { return ERROR_OUTOFMEMORY; } RtlZeroMemory(pListEntry, sizeof(TRACE_BUFFER_LIST_ENTRY) );
pContext->Root = pListEntry;
} }
return ERROR_SUCCESS;}
ULONGWmipLookforRealTimeBuffers( PEVENT_TRACE_LOGFILEW logfile )/*++
Routine Description: This routine checks to see if there are any real time buffers ready for consumption. If so, it sets up the CurrentBuffer and the CurrentEvent for this logfile stream. If no buffers are available simply sets the EndOfFile to be true.
Arguments:
logfile Current Logfile being processed.
Returned Value:
ERROR_SUCCESS Successfully moved to the next event.
--*/{ ULONG index; ULONG BuffersRead; PVOID pBuffer; PEVENT_TRACE pEvent; PTRACELOG_CONTEXT pContext; PTRACELOG_REALTIME_CONTEXT RTCxt; PWMI_BUFFER_HEADER pHeader; WMI_HEADER_TYPE HeaderType = WMIHT_NONE; ULONG Size; ULONG Offset; ULONG Status;
if (logfile == NULL) { return WmipSetDosError(ERROR_INVALID_PARAMETER); } pContext = logfile->Context;
RTCxt = pContext->RealTimeCxt;
if (RTCxt == NULL) { return WmipSetDosError(ERROR_INVALID_DATA); }
if (pContext->EndOfFile != TRUE) {
pBuffer = pContext->BufferCache[0].Buffer; pEvent = &pContext->Root->Event; Status = ERROR_SUCCESS; Size = 0; if ((HeaderType = WmiGetTraceHeader(pBuffer, pContext->Root->BufferOffset, &Size)) != WMIHT_NONE) { if (Size > 0) { Status = WmipParseTraceEvent(pContext, pBuffer, pContext->Root->BufferOffset, HeaderType, pEvent, sizeof(EVENT_TRACE)); pContext->Root->BufferOffset += Size; } } pContext->Root->EventSize = Size;
if ( ( Size > 0) && (Status == ERROR_SUCCESS) ) { logfile->CurrentTime = pEvent->Header.TimeStamp.QuadPart; return ERROR_SUCCESS; } else { //
// When the current buffer is exhausted, make the
// BufferCallback
//
if (logfile->BufferCallback) { ULONG bRetVal; try { bRetVal = (*logfile->BufferCallback) (logfile); if (!bRetVal) { return ERROR_CANCELLED; } } except (EXCEPTION_EXECUTE_HANDLER) { pContext->EndOfFile = TRUE; Status = GetExceptionCode();#ifdef DBG
WmipDebugPrint(("TRACE: BufferCallback threw exception %X\n", Status));#endif
WmipSetDosError(WmipNtStatusToDosError(Status)); return ERROR_CANCELLED; // so that realtime also cleans up.
} } WmipFreeTraceBuffer(RTCxt, pBuffer); } }
pContext->EndOfFile = TRUE; logfile->CurrentTime = 0;
BuffersRead = logfile->BuffersRead; // Check to see if there are more buffers to consume.
if (BuffersRead < RTCxt->BuffersProduced) { pContext->EndOfFile = FALSE; index = (BuffersRead % MAXBUFFERS); if ( RTCxt->RealTimeBufferPool[index] != NULL) { PWMI_CLIENT_CONTEXT ClientContext; PWNODE_HEADER Wnode;
pBuffer = (char*) (RTCxt->RealTimeBufferPool[index]); pContext->BufferCache[0].Buffer = pBuffer; RTCxt->RealTimeBufferPool[index] = NULL;
Wnode = (PWNODE_HEADER)pContext->BufferCache[0].Buffer;
pHeader = (PWMI_BUFFER_HEADER)pContext->BufferCache[0].Buffer;
Offset = sizeof(WMI_BUFFER_HEADER);
pEvent = &pContext->Root->Event;
if ((HeaderType = WmiGetTraceHeader(pBuffer, Offset, &Size)) != WMIHT_NONE) { if (Size == 0) return ERROR_INVALID_DATA; Status = WmipParseTraceEvent(pContext, pBuffer, Offset, HeaderType, pEvent, sizeof(EVENT_TRACE));
if (Status != ERROR_SUCCESS) { return Status; } }
Offset += Size;
pContext->Root->BufferOffset = Offset; pContext->Root->EventSize = Size;
logfile->CurrentTime = pEvent->Header.TimeStamp.QuadPart;
// Since the RealTime Logger may have started after
// the consumer started, we have to get the buffersize
// like this.
logfile->BufferSize = Wnode->BufferSize; logfile->Filled = (ULONG)pHeader->Offset; logfile->EventsLost = pHeader->EventsLost;
logfile->BuffersRead++; } } return ERROR_SUCCESS;}
ULONGWmipCheckForRealTimeLoggers( PEVENT_TRACE_LOGFILEW *Logfiles, ULONG LogfileCount, ULONG Unicode){ ULONG Status; TRACEHANDLE LoggerHandle = 0; ULONG i;
for (i=0; i < LogfileCount; i++) { //
// Check to see if this is a RealTime Datafeed
//
if (Logfiles[i]->LogFileMode & EVENT_TRACE_REAL_TIME_MODE) { //
// Using the LoggerName, Query the Logger to determine
// whether this is a Kernel or Usermode realtime logger.
//
RtlZeroMemory(&Properties, sizeof(Properties) ); Properties.TraceProp.Wnode.BufferSize = sizeof(Properties);
if (Unicode) Status = ControlTraceW(LoggerHandle, (LPWSTR)Logfiles[i]->LoggerName, &Properties.TraceProp, EVENT_TRACE_CONTROL_QUERY); else Status = ControlTraceA(LoggerHandle, (LPSTR)Logfiles[i]->LoggerName, (PEVENT_TRACE_PROPERTIES)&Properties, EVENT_TRACE_CONTROL_QUERY); //
// If the Logger is still around and the Real Time bit
// is still set continue processing. Otherwise quit.
//
if ((Status == ERROR_SUCCESS) && (Properties.TraceProp.LogFileMode & EVENT_TRACE_REAL_TIME_MODE) ){ return TRUE; } } }#ifdef DBG
//
// We are expecting to see ERROR_WMI_INSTANCE_NOT_FOUND when the logger has gone away.
// Any other error is abnormal.
//
if ( Status != ERROR_WMI_INSTANCE_NOT_FOUND ) { WmipDebugPrint(("WET: WmipCheckForRealTimeLoggers abnormal failure. Status %X\n", Status)); }#endif
return FALSE;}
voidWmipFreeRealTimeContext( PTRACELOG_REALTIME_CONTEXT RTCxt ){ ULONG Status; PTRACERT_BUFFER_LIST_ENTRY ListEntry; PLIST_ENTRY Head, Next;
if (RTCxt != NULL) { Status = WmiNotificationRegistration( (const LPGUID) &RTCxt->InstanceGuid, FALSE, WmipRealTimeCallback, 0, NOTIFICATION_CALLBACK_DIRECT ); }
if (RTCxt->MoreDataEvent != NULL) { NtClose(RTCxt->MoreDataEvent); }
if (RTCxt->WmipTraceBufferSpace != NULL) { WmipMemFree(RTCxt->WmipTraceBufferSpace->Space); Head = &RTCxt->WmipTraceBufferSpace->FreeListHead; Next = Head->Flink; while (Head != Next) { ListEntry = CONTAINING_RECORD(Next, TRACERT_BUFFER_LIST_ENTRY, Entry); Next = Next->Flink; RemoveEntryList(&ListEntry->Entry); WmipFree(ListEntry); } WmipFree(RTCxt->WmipTraceBufferSpace); RTCxt->WmipTraceBufferSpace = NULL; }
WmipFree(RTCxt);}
ULONGWmipProcessRealTimeTraces( PTRACEHANDLE HandleArray, PEVENT_TRACE_LOGFILEW *Logfiles, ULONG LogfileCount, LONGLONG StartTime, LONGLONG EndTime, ULONG Unicode )/*++
Routine Description: Main entry point to process RealTime trace data streams.
Arguments:
Logfiles Array of logfile structures with LoggerNames of the RT stream LogfileCount Number of RealTime trace streams to process StartTime StartTime for windowing data EndTime EndTime for windowing data
Returned Value:
ERROR_SUCCESS Successfully processed data from realtime trace stream
--*/{ ULONG Status; BOOL Done = FALSE; ULONG i, j; PTRACELOG_CONTEXT pContext; HANDLE EventArray[MAXLOGGERS]; NTSTATUS NtStatus; LARGE_INTEGER timeout = {(ULONG)(-1 * 10 * 1000 * 1000 * 10), -1}; // Wait for 10 seconds
//
// Register for RealTime Callbacks
//
Status = WmipSetupRealTimeContext( HandleArray, Logfiles, LogfileCount); if (Status != ERROR_SUCCESS) { goto DoCleanup; }
//
// Build the Handle Array
//
for (j=0; j < LogfileCount; j++) { pContext = (PTRACELOG_CONTEXT)Logfiles[j]->Context; EventArray[j] = pContext->RealTimeCxt->MoreDataEvent; }
//
// Event Processing Loop
//
while (!Done) {
LONGLONG nextTimeStamp; BOOL EventInRange; PEVENT_TRACE_LOGFILEW logfile; ULONG j; PTRACELOG_CONTEXT pContext; //
// Check to see if end of file has been reached on all the
// files.
//
logfile = NULL; nextTimeStamp = 0;
for (j=0; j < LogfileCount; j++) { pContext = (PTRACELOG_CONTEXT)Logfiles[j]->Context;
if ((pContext->EndOfFile) && (Logfiles[j]->LogFileMode & EVENT_TRACE_REAL_TIME_MODE)) { WmipLookforRealTimeBuffers(Logfiles[j]); }
if (pContext->EndOfFile) continue; if (nextTimeStamp == 0) { nextTimeStamp = Logfiles[j]->CurrentTime; logfile = Logfiles[j]; } else if (nextTimeStamp > Logfiles[j]->CurrentTime) { nextTimeStamp = Logfiles[j]->CurrentTime; logfile = Logfiles[j]; } }
if (logfile == NULL) { //
// If no logfile with events found, wait on the realtime event.
// If no realtime datafeed, then we are done.
//
NtStatus = NtWaitForMultipleObjects(LogfileCount, &EventArray[0], WaitAny, FALSE, &timeout);
if (NtStatus == STATUS_TIMEOUT) { //
// If we timed out, then check to see if the loggers have gone away.
//
if ( !WmipCheckForRealTimeLoggers(Logfiles, LogfileCount, Unicode) ) { break; } } continue; break; }
//
// if the Next event timestamp is not within the window of
// analysis, we do not fire the event callbacks.
//
EventInRange = TRUE;
if ((StartTime != 0) && (StartTime > nextTimeStamp)) EventInRange = FALSE; if ((EndTime != 0) && (EndTime < nextTimeStamp)) EventInRange = FALSE;
//
// Make the Event Callbacks
//
if (EventInRange) { PEVENT_TRACE pEvent = &pContext->Root->Event; Status = WmipDoEventCallbacks( logfile, pEvent); if (Status != ERROR_SUCCESS) { return Status; } }
//
// Now advance to next event.
//
Status = WmipLookforRealTimeBuffers(logfile); Done = (Status == ERROR_CANCELLED); }
DoCleanup: for (i=0; i < LogfileCount; i++) { pContext = (PTRACELOG_CONTEXT)Logfiles[i]->Context; if (pContext != NULL) { WmipCleanupTraceLog(pContext); } } return Status;}
ULONGWMIAPIWmiOpenTraceWithCursor( IN PWMI_MERGE_ETL_CURSOR LogCursor )/*++
Routine Description: Main entry point to process Merged ETL file.
Arguments:
LogCursor pointer to WMI_MERGE_ETL_CURSOR
Returned Value:
Status
--*/{ ULONG DosStatus = ERROR_INVALID_PARAMETER; NTSTATUS Status; PTRACELOG_CONTEXT HandleEntry = NULL; TRACEHANDLE TraceHandle = (TRACEHANDLE)INVALID_HANDLE_VALUE; PEVENT_TRACE_LOGFILEW Logfile; PTRACELOG_CONTEXT pContext; ULONG BufferSize; PWMI_BUFFER_HEADER BufferHeader; ULONG CpuNum; BOOLEAN CpuBufferFound;
WmipInitProcessHeap();
if (LogCursor != NULL) { LogCursor->Base = NULL; LogCursor->TraceMappingHandle = NULL; LogCursor->CursorVersion = WMI_MERGE_ETL_CURSOR_VERSION;
Logfile = &LogCursor->Logfile; HandleEntry = WmipAllocateTraceHandle(); if (HandleEntry == NULL) { DosStatus = ERROR_OUTOFMEMORY; } else { TraceHandle = HandleEntry->TraceHandle; try { DosStatus = WmipCopyLogfileInfo( HandleEntry, Logfile, TRUE ); if (DosStatus == ERROR_SUCCESS) { DosStatus = WmipCreateGuidMapping(); if (DosStatus == ERROR_SUCCESS) { DosStatus = WmipProcessLogHeader( &HandleEntry->TraceHandle, &Logfile, 1, TRUE, FALSE ); } } } except (EXCEPTION_EXECUTE_HANDLER) { DosStatus = WmipNtStatusToDosError( GetExceptionCode() ); } } }
if (DosStatus == ERROR_SUCCESS) { //
// Now Make sure the bit was set, indicating a MERGED ETL
//
if ((LogCursor->Logfile.LogFileMode & EVENT_TRACE_RELOG_MODE) == 0) { //
// It is not Merged ETL.
//
DosStatus = ERROR_BAD_FORMAT; } else { //
// Now find out the number of CPU's, Current event, etc.
//
pContext = LogCursor->Logfile.Context; //
// Now Create a file Mapping
//
LogCursor->TraceMappingHandle = CreateFileMapping(pContext->Handle, 0, PAGE_READONLY, 0, 0, NULL );
if (LogCursor->TraceMappingHandle == NULL) { DosStatus = GetLastError(); return DosStatus; }
//
// MapView of the file
//
LogCursor->Base = MapViewOfFile(LogCursor->TraceMappingHandle, FILE_MAP_READ, 0, 0, 0); if (LogCursor->Base == NULL) { DosStatus = GetLastError(); return DosStatus; } //
// Now find the first event of each CPU
//
pContext = LogCursor->Logfile.Context; BufferSize = pContext->BufferSize; LogCursor->CurrentCpu = 0;
for (CpuNum = 0; CpuNum < LogCursor->Logfile.LogfileHeader.NumberOfProcessors; CpuNum++) { CpuBufferFound = FALSE; while (CpuBufferFound == FALSE) { BufferHeader = (PWMI_BUFFER_HEADER) ((UCHAR*) LogCursor->Base + LogCursor->BufferCursor[CpuNum].CurrentBufferOffset.QuadPart);
if (BufferHeader->ClientContext.ProcessorNumber == CpuNum) { CpuBufferFound = TRUE; LogCursor->BufferCursor[CpuNum].BufferHeader = BufferHeader; } else { LogCursor->BufferCursor[CpuNum].CurrentBufferOffset.QuadPart += BufferSize; if ((LogCursor->BufferCursor[CpuNum].CurrentBufferOffset.QuadPart/BufferSize) >= LogCursor->Logfile.LogfileHeader.BuffersWritten) { //
// Scanned the whole file;
//
LogCursor->BufferCursor[CpuNum].NoMoreEvents = TRUE; break; } } } if (CpuBufferFound) { //
// Found the buffer, set the offset
//
ULONG Size; WMI_HEADER_TYPE HeaderType = WMIHT_NONE; PVOID pBuffer;
LogCursor->BufferCursor[CpuNum].BufferHeader = BufferHeader; LogCursor->BufferCursor[CpuNum].CurrentEventOffset = sizeof(WMI_BUFFER_HEADER);
//
// Initialize the first event in each CPU Stream.
//
pBuffer = LogCursor->BufferCursor[CpuNum].BufferHeader;
HeaderType = WmiGetTraceHeader(pBuffer, LogCursor->BufferCursor[CpuNum].CurrentEventOffset, &Size);
if (HeaderType != WMIHT_NONE) { WmipParseTraceEvent(pContext, pBuffer, LogCursor->BufferCursor[CpuNum].CurrentEventOffset, HeaderType, &LogCursor->BufferCursor[CpuNum].CurrentEvent, sizeof(EVENT_TRACE));
LogCursor->BufferCursor[CpuNum].CurrentEventOffset += Size; LogCursor->CurrentCpu = CpuNum;
} else { //
// There is no event in this buffer.
//
DosStatus = ERROR_FILE_CORRUPT; return DosStatus; }
} } for (CpuNum = 0; CpuNum < LogCursor->Logfile.LogfileHeader.NumberOfProcessors; CpuNum++) { //
// Find the first event for whole trace.
//
if (LogCursor->BufferCursor[CpuNum].NoMoreEvents == FALSE) { if (LogCursor->BufferCursor[LogCursor->CurrentCpu].CurrentEvent.Header.TimeStamp.QuadPart > LogCursor->BufferCursor[CpuNum].CurrentEvent.Header.TimeStamp.QuadPart) { LogCursor->CurrentCpu = CpuNum; } } } } } else if ( HandleEntry != NULL) { WmipFreeTraceHandle(TraceHandle); TraceHandle = (TRACEHANDLE)INVALID_HANDLE_VALUE; }
WmipSetDosError(DosStatus); return DosStatus;}
ULONGWMIAPIWmiCloseTraceWithCursor( IN PWMI_MERGE_ETL_CURSOR LogCursor ){ ULONG Status = ERROR_INVALID_PARAMETER;
if (LogCursor != NULL) { if (LogCursor->Base != NULL) { if (UnmapViewOfFile(LogCursor->Base) == FALSE) { Status = GetLastError(); return Status; } else { Status = ERROR_SUCCESS; } } else { Status = ERROR_INVALID_PARAMETER; }
if (Status != ERROR_SUCCESS) { return Status; }
if (LogCursor->TraceMappingHandle != NULL) { if (CloseHandle(LogCursor->TraceMappingHandle) == FALSE) { Status = GetLastError(); return Status; } else { Status = ERROR_SUCCESS; } } else { Status = ERROR_INVALID_PARAMETER; } }
return Status;}
VOIDWMIAPIWmiConvertTimestamp( OUT PLARGE_INTEGER DestTime, IN PLARGE_INTEGER SrcTime, IN PWMI_MERGE_ETL_CURSOR LogCursor ){ WmipCalculateCurrentTime(DestTime, SrcTime, LogCursor->Logfile.Context);}
ULONGWMIAPIWmiGetNextEvent( IN PWMI_MERGE_ETL_CURSOR LogCursor ){ ULONG CurrentCpu = LogCursor->CurrentCpu; ULONG Size; WMI_HEADER_TYPE HeaderType = WMIHT_NONE; PVOID pBuffer; PWMI_BUFFER_HEADER BufferHeader; ULONG BufferSize; PTRACELOG_CONTEXT pContext; ULONG CpuNum; NTSTATUS Status; ULONG i; BOOLEAN CpuBufferFound = FALSE; BOOLEAN MoreEvents = FALSE;
if (LogCursor == NULL) { return MoreEvents; }
//
// Advance to the next event of this current CPU
//
retry:
pBuffer = LogCursor->BufferCursor[CurrentCpu].BufferHeader;
HeaderType = WmiGetTraceHeader(pBuffer, LogCursor->BufferCursor[CurrentCpu].CurrentEventOffset, &Size);
pContext = LogCursor->Logfile.Context; if (HeaderType == WMIHT_NONE) { //
// End of current buffer, advance to the next buffer for this CPU
//
BufferSize = pContext->BufferSize;
LogCursor->BufferCursor[CurrentCpu].CurrentBufferOffset.QuadPart = LogCursor->BufferCursor[CurrentCpu].CurrentBufferOffset.QuadPart + BufferSize;
if ((LogCursor->BufferCursor[CurrentCpu].CurrentBufferOffset.QuadPart/BufferSize) >= LogCursor->Logfile.LogfileHeader.BuffersWritten) { //
// Scanned the whole file;
//
LogCursor->BufferCursor[CurrentCpu].NoMoreEvents = TRUE; } else { while (CpuBufferFound == FALSE) { BufferHeader = (PWMI_BUFFER_HEADER) ((UCHAR*) LogCursor->Base + LogCursor->BufferCursor[CurrentCpu].CurrentBufferOffset.QuadPart);
if (BufferHeader->ClientContext.ProcessorNumber == CurrentCpu) { CpuBufferFound = TRUE; } else { LogCursor->BufferCursor[CurrentCpu].CurrentBufferOffset.QuadPart += BufferSize; if ((LogCursor->BufferCursor[CurrentCpu].CurrentBufferOffset.QuadPart/BufferSize) >= LogCursor->Logfile.LogfileHeader.BuffersWritten) { //
// Scanned the whole file;
//
LogCursor->BufferCursor[CurrentCpu].NoMoreEvents = TRUE; break; } } } } if (CpuBufferFound) { //
// Found the buffer, set the offset
//
LogCursor->BufferCursor[CurrentCpu].BufferHeader = BufferHeader; LogCursor->BufferCursor[CurrentCpu].CurrentEventOffset = sizeof(WMI_BUFFER_HEADER); goto retry; } else { //
// No more buffer in this CPU stream.
//
LogCursor->BufferCursor[CurrentCpu].NoMoreEvents = TRUE; } } else { WmipParseTraceEvent(pContext, pBuffer, LogCursor->BufferCursor[CurrentCpu].CurrentEventOffset, HeaderType, &LogCursor->BufferCursor[CurrentCpu].CurrentEvent, sizeof(EVENT_TRACE));
LogCursor->BufferCursor[CurrentCpu].CurrentEventOffset += Size;
MoreEvents = TRUE; }
//
// No more events in current CPU.
//
if (MoreEvents == FALSE) { for (CurrentCpu=0; CurrentCpu<LogCursor->Logfile.LogfileHeader.NumberOfProcessors; CurrentCpu++) { if (LogCursor->BufferCursor[CurrentCpu].NoMoreEvents == FALSE) { LogCursor->CurrentCpu = CurrentCpu; MoreEvents = TRUE; break; } } }
//
// Now find the CPU that has the next event
//
if (MoreEvents == TRUE) { for (i=0; i<LogCursor->Logfile.LogfileHeader.NumberOfProcessors; i++) { if (LogCursor->BufferCursor[i].NoMoreEvents == FALSE) { if (LogCursor->BufferCursor[LogCursor->CurrentCpu].CurrentEvent.Header.TimeStamp.QuadPart > LogCursor->BufferCursor[i].CurrentEvent.Header.TimeStamp.QuadPart) { LogCursor->CurrentCpu = i; } } } } //
// Finish finding the next event.
//
return MoreEvents;}
#endif
|
