一.QueryAllTraces
ULONG
WMIAPI
QueryAllTracesW(
__out_ecount(PropertyArrayCount) PEVENT_TRACE_PROPERTIES *PropertyArray,
__in ULONG PropertyArrayCount,
__out PULONG LoggerCount
);
The QueryAllTraces function retrieves the properties and statistics for all event tracing sessions started on the computer.
1.首先分配内存
// Allocate one contiguous region that is later carved into MAXIMUM_LOGGERS
// equal slots. Each slot is an EVENT_TRACE_PROPERTIES header followed by two
// MAXSTR-character strings (session name, log file path).
PEVENT_TRACE_PROPERTIES Storage;
ULONG SizeForOneProperty = sizeof(EVENT_TRACE_PROPERTIES) +
2 * MAXSTR * sizeof(TCHAR);
//
// We need to prepare space to receive the information for the loggers.
// Each logger information needs one EVENT_TRACE_PROPERTIES structure
// followed by the logger name and the logfile path strings.
//
// SizeNeeded and Status are declared outside this excerpt. The product is
// computed in ULONG; this assumes MAXIMUM_LOGGERS and MAXSTR are small
// compile-time constants so it cannot wrap — confirm where they are defined.
SizeNeeded = MAXIMUM_LOGGERS * SizeForOneProperty;
Storage = (PEVENT_TRACE_PROPERTIES)malloc(SizeNeeded);
if (Storage == NULL) {
Status = ERROR_OUTOFMEMORY;
break; // leaves an enclosing loop that lies outside this excerpt
}
// Zero the whole region so every slot starts from a known state before the
// offsets are filled in and the API writes into it.
RtlZeroMemory(Storage, SizeNeeded);
2.填充和初始化数组指针
// TempStorage keeps the base of the allocation; Storage itself is advanced
// slot by slot in the loop below.
PEVENT_TRACE_PROPERTIES TempStorage=Storage;
// One pointer per slot. This array (not the raw region) is what
// QueryAllTraces takes as its PropertyArray argument.
PEVENT_TRACE_PROPERTIES LoggerInfo[MAXIMUM_LOGGERS];
//
// Save the pointer for free() later.
//
//
// Initialize the LoggerInfo array, before passing it to QueryAllTraces.
//
for (LoggerCounter = 0; LoggerCounter < MAXIMUM_LOGGERS; LoggerCounter++) {
// BufferSize bounds what the API may write into this slot. It must equal
// the stride used to advance Storage below, otherwise neighbouring slots
// would overlap.
Storage->Wnode.BufferSize = SizeForOneProperty;
// The two string areas follow the header back to back, MAXSTR TCHARs each:
// the session name first, then the log file path (see the allocation comment).
Storage->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
Storage->LogFileNameOffset = sizeof(EVENT_TRACE_PROPERTIES) +
MAXSTR * sizeof(TCHAR);
LoggerInfo[LoggerCounter] = Storage;
//
// Move Storage to point to the next allocated buffer for the
// logger information.
//
// Byte-wise advance by the BufferSize just stored (== SizeForOneProperty);
// the right-hand side still reads the current slot before Storage changes.
Storage = (PEVENT_TRACE_PROPERTIES)((PUCHAR)Storage +
Storage->Wnode.BufferSize);
}
3.查询状态
// Query every session started on the machine; ReturnCount (declared outside
// this excerpt) receives the number of sessions found.
Status = QueryAllTraces(LoggerInfo,
MAXIMUM_LOGGERS,
&ReturnCount);
// Walk the array only on ERROR_SUCCESS. If more sessions exist than
// MAXIMUM_LOGGERS the call is documented to return ERROR_MORE_DATA with the
// larger total in ReturnCount, so indexing LoggerInfo by ReturnCount without
// this gate would run past the array — keep the gate (or clamp ReturnCount
// to MAXIMUM_LOGGERS) if this branch is ever widened; confirm against the
// current QueryAllTraces documentation.
if (Status == ERROR_SUCCESS) {
for (LoggerCounter = 0; LoggerCounter < ReturnCount; LoggerCounter++) {
PrintLoggerStatus(LoggerInfo[LoggerCounter], Status); // helper defined elsewhere
_tprintf(_T("\n"));
}
}
//
// Free the memory allocated for the logger information buffers.
//
// A single free of the base pointer releases all slots; the LoggerInfo[]
// entries point inside this one allocation and must not be freed individually.
free(TempStorage);
二.StartTrace
The StartTrace function registers and starts an event tracing session.
ULONG
WMIAPI
StartTraceW(
__out PTRACEHANDLE TraceHandle,
__in LPCWSTR InstanceName,
__inout PEVENT_TRACE_PROPERTIES Properties
);
示例:
// Register and start the session described by LoggerInfo under the name
// LoggerName; LoggerHandle receives the handle the later ControlTrace and
// EnableTrace calls use. All three variables are declared outside this excerpt.
Status = StartTrace(&LoggerHandle, LoggerName, LoggerInfo);
if (Status != ERROR_SUCCESS) {
// The two adjacent _T() literals are concatenated into one format string.
// "%uL" is "%u" followed by a literal 'L' in the output; Status is a ULONG,
// so "%lu" would be the strictly matching conversion — TODO confirm intent.
// NOTE(review): starting a session normally needs elevated rights; callers
// may want to report ERROR_ACCESS_DENIED distinctly from other failures.
_tprintf(_T("Could not start logger: %s\n")
_T("Operation Status: %uL\n"),
LoggerName,
Status);
break; // leaves an enclosing loop that lies outside this excerpt
}
_tprintf(_T("Logger Started...\n"));
三.ControlTrace
对于 event tracing session，ControlTrace 可用于停止、查询和更新操作。
停止操作注意点：第一个参数（会话句柄）需要传 0
// Stop by name: with the handle argument 0 the session is resolved through
// LoggerName. LoggerInfo receives the session's final properties, so (as for
// the query case) its Wnode.BufferSize should already hold the buffer's
// allocation size — confirm it is set before this call.
Status = ControlTrace(0,
LoggerName,
LoggerInfo,
EVENT_TRACE_CONTROL_STOP);
查询操作注意点：调用前必须设置 Wnode.BufferSize 字段
// Clear the property block before the query but keep Wnode.BufferSize: the
// API needs it to know how much it may write back.
TempSizeNeeded= LoggerInfo->Wnode.BufferSize;
// NOTE(review): SizeNeeded is declared outside this excerpt and must equal
// the allocation size behind LoggerInfo, otherwise this zeroing overruns the
// buffer. Zeroing TempSizeNeeded bytes instead would tie the length to the
// buffer itself — confirm which value SizeNeeded holds at this point.
RtlZeroMemory(LoggerInfo, SizeNeeded);
LoggerInfo->Wnode.BufferSize=TempSizeNeeded;
// Query by handle this time (LoggerHandle from StartTrace); the current
// properties and statistics are written into LoggerInfo.
Status = ControlTrace(LoggerHandle,
LoggerName,
LoggerInfo,
EVENT_TRACE_CONTROL_QUERY);
更新操作注意点：只有当参数确有更改时，该操作才会生效
// A zero offset means no log file name is supplied, so the update leaves the
// session's existing file untouched.
LoggerInfo->LogFileNameOffset = 0; //Do not update the file name
// Marks the block as trace properties; presumably required by ControlTrace —
// confirm against the API documentation.
LoggerInfo->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
// OR in process and thread events; OR-ing (rather than assigning) keeps the
// flags already in effect. NOTE(review): EnableFlags is honoured for the
// kernel logger — confirm this session is one before relying on it.
LoggerInfo->EnableFlags |= EVENT_TRACE_FLAG_PROCESS | EVENT_TRACE_FLAG_THREAD;
// Update by name (handle NULL). The update only takes effect when at least
// one property actually changed.
Status = ControlTrace(NULL,
LoggerName,
LoggerInfo,
EVENT_TRACE_CONTROL_UPDATE);
四.EnableTrace
The EnableTrace function enables or disables the specified event trace provider.
// Enable the provider identified by TargetGuid on the session LoggerHandle:
// TRUE = enable, 0 = no provider-defined enable flags (presumably), level
// TRACE_LEVEL_INFORMATION. TargetGuid is declared outside this excerpt.
Status = EnableTrace(TRUE,
0,
TRACE_LEVEL_INFORMATION,
&TargetGuid,
LoggerHandle);
// Disable the same provider; flags and level are passed as 0 when disabling.
// NOTE(review): the Status of the enable call is overwritten here before it
// is checked — check each call's result separately.
Status = EnableTrace(FALSE,
0,
0,
&TargetGuid,
LoggerHandle);