I wanted to try out the new ETW processing TraceProcessor library. So far I have problems mapping ETW events from TraceEvent to the new library. I want e.g. to dump data from FileVersionTraceData events with Microsoft.Windows.EventTracing.Processing.All. To do this I need to add some trace.Usexxxxx where many Use clauses are defined, but they do not tell me which events they actually will return. The ETW event I am after contains the fields
What would be the corresponding Use clause, and what is the type name for it in the new world?
The event is mapped to FileVersionTraceData by TraceEvent from the provider KernelTraceControl with the FileVersion 0x40:
```csharp
internal static readonly Guid ImageIDTaskGuid = new Guid(unchecked((int)0xB3E675D7), 0x2554, 0x4f18, 0x83, 0x0B, 0x27, 0x62, 0x73, 0x25, 0x60, 0xDE);
public static readonly string ProviderName = "KernelTraceControl";
public static readonly Guid ProviderGuid = new Guid(0x28ad2447, 0x105b, 0x4fe2, 0x95, 0x99, 0xe5, 0x9b, 0x2a, 0xa9, 0xa6, 0x34);
public const int DBGID_LOG_TYPE_FILEVERSION = 0x40;

source.RegisterEventTemplate(new FileVersionTraceData(value, 0xFFFF, 0, "ImageID", ImageIDTaskGuid, DBGID_LOG_TYPE_FILEVERSION, "FileVersion", ProviderGuid, ProviderName));
```
(I am a developer at Microsoft, and I work on the TraceProcessor library.)
In our docs (https://aka.ms/TraceProcessing) we have a list of the various trace.Use*() calls and the corresponding data that is accessible with each of them.
I am not an expert on TraceEvent, but I searched for FileVersionTraceData in their repo, and it seems to me that it maps to the IImage type in the TraceProcessor library. A list of the images loaded into a process's address space during the trace appears in the IProcess type, which is accessible through the trace.UseProcesses() call.
For example, you could do something like:
```csharp
using Microsoft.Windows.EventTracing;
using Microsoft.Windows.EventTracing.Processes;
using System;
using System.Globalization;

class Program
{
    static void Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("Usage: ListImages.exe <trace.etl>");
            return;
        }

        string tracePath = args[0];

        using (ITraceProcessor trace = TraceProcessor.Create(tracePath))
        {
            // Request process (and image) data before processing the trace.
            IPendingResult<IProcessDataSource> pendingProcessData = trace.UseProcesses();

            trace.Process();

            IProcessDataSource processData = pendingProcessData.Result;

            foreach (IProcess process in processData.Processes)
            {
                foreach (IImage image in process.Images)
                {
                    // Variable names follow the fields of the FileVersion ETW event.
                    DataSize ImageSize = image.Size;
                    long TimeDataStamp = image.Timestamp;
                    string OrigFileName = image.OriginalFileName;
                    string FileDescription = image.FileDescription;
                    string FileVersion = image.FileVersion;
                    Version BinFileVersion = image.FileVersionNumber;
                    CultureInfo VerLanguage = image.Locale;
                    string ProductName = image.ProductName;
                    string CompanyName = image.CompanyName;
                    string ProductVersion = image.ProductVersion;
                    string FileId = image.CompatibilityFileId;
                    string ProgramId = image.CompatibilityProgramId;
                }
            }
        }
    }
}
```
I used the field names from your question as the variable names to show the mapping. I'm not seeing BuildTime data, but I'll reply back if I find it.