Comments on windows deep internals: NtTraceControl

3jg13 (2011-11-07 15:53 +04:00):

Can you do a quick SRE of EtwpQueryTrace through NtTraceControl and provide some sample code? I was looking at the user-mode call QueryAllTraces to get all of the sessions going on and wanted to do this in kernel code. So, I looked at the code and it seems to loop from 0 to 40 (max sessions) and call QueryTrace for each index, for what I think is the session ID, which ends up calling NtTraceControl with op code 3.

But I can't get the input correct to get the output of a session. I allocate sizeof(EVENT_TRACE_PROPERTIES) and add more at the end of the structure for the session name and session log file name, and update the pointers like in the example. But I don't know how/where to put the index (session ID) ... I keep getting status code 0xc00000d, sometimes 0xc00000005.

Any help is appreciated! Thanks.

redp (2011-11-07 19:13 +04:00):

I am not sure that you need a session name.
If you check advapi32!StartTraceA you can see code which compares the name of the session and puts some IID into EVENT_TRACE_PROPERTIES + 0x18:
"NT Kernel Logger" - SystemTraceControlGuid
"Circular Kernel Context Logger" - 54DEA73A-ED1F-42A4-AF71-3E63D056F174

Check the content of EVENT_TRACE_PROPERTIES after calling StartTrace.