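Error: Unable to start an ETW trace session in C++ (error code 87)
I am developing a C++ application that uses Event Tracing for Windows (ETW) to consume and print real-time events. However, I ran into problems when trying to start the trace and register the provider. The errors are as follows:
    unable to start trace 87
    unable to register provider 87
These errors indicate ERROR_INVALID_PARAMETER, but I cannot identify which parameters are incorrect. Below is my code snippet: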
    #pragma once
    #include <windows.h>
    #include <evntrace.h>
    #include <evntcons.h>
    #include <iostream>
    #include <thread>

    class EventProvider
    {
    private:
        TRACEHANDLE sessionhandle;
        TRACEHANDLE consumertrace;
        GUID eventprovider;
        LPCWSTR sessionname;
        PEVENT_TRACE_PROPERTIES properties;
        bool running;
    public:
        EventProvider(LPCWSTR, GUID);
        void initProperty();
        void startTrace();
        void consumer();
        static void run(PTRACEHANDLE);
        static VOID WINAPI eventcallback(PEVENT_RECORD);
        ~EventProvider();
    };

    EventProvider::EventProvider(LPCWSTR sessionname, GUID provider)
        : sessionhandle(0), consumertrace(0), eventprovider(provider), sessionname(sessionname), properties(nullptr), running(false)
    {
        this->initProperty();
        this->startTrace();
        this->consumer();
    }

    void EventProvider::initProperty() {
        ULONG buffsize = sizeof(EVENT_TRACE_PROPERTIES) + 2 * sizeof(WCHAR) * 1024;
        this->properties = (EVENT_TRACE_PROPERTIES*)malloc(buffsize);
        if (this->properties == NULL) {
            std::cout << "Unable to allocate bytes for properties" << std::endl;
        }
        ZeroMemory(this->properties, buffsize);
        this->properties->Wnode.BufferSize = buffsize;
        this->properties->Wnode.Guid = this->eventprovider;
        this->properties->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
        this->properties->LogFileMode = EVENT_TRACE_REAL_TIME_MODE;
        this->properties->Wnode.ClientContext = 1;
        this->properties->LogFileNameOffset = 0;
        this->properties->EnableFlags = EVENT_TRACE_FLAG_PROCESS;
        this->properties->BufferSize = 64; // Size of each tracing buffer in KB
        this->properties->MinimumBuffers = 1;
        this->properties->MaximumBuffers = 5;
        this->properties->MaximumFileSize = 0;
    }

    VOID WINAPI EventProvider::eventcallback(PEVENT_RECORD pevent) {
        std::cout << "i have bbencalled" << std::endl;
    }

    void EventProvider::startTrace() {
        DWORD status = StartTraceW((PTRACEHANDLE)sessionhandle, sessionname, properties);
        if (status != ERROR_SUCCESS) {
            std::cout << "unable to start trace " << GetLastError() << std::endl;
        }
        DWORD status2 = EnableTraceEx2(this->sessionhandle, &this->eventprovider, EVENT_CONTROL_CODE_ENABLE_PROVIDER, TRACE_LEVEL_INFORMATION, 0, 0, 0, NULL);
        if (status != ERROR_SUCCESS) {
            std::cout << "unable to register provider " << GetLastError() << std::endl;
        }
    }

    void EventProvider::run(PTRACEHANDLE handel) {
        if (ProcessTrace(handel, 1, 0, 0) != ERROR_SUCCESS) {
            exit(0);
        }
    }

    void EventProvider::consumer() {
        EVENT_TRACE_LOGFILEW trace;
        TRACE_LOGFILE_HEADER* pheader = &trace.LogfileHeader;
        ZeroMemory(&trace, sizeof(EVENT_TRACE_LOGFILEW));
        trace.ProcessTraceMode = PROCESS_TRACE_MODE_REAL_TIME | PROCESS_TRACE_MODE_EVENT_RECORD;
        trace.EventRecordCallback = (PEVENT_RECORD_CALLBACK)(EventProvider::eventcallback);
        trace.LoggerName = (LPWSTR)R"(ANTI TRACER)";
        TRACEHANDLE handle = OpenTraceW((PEVENT_TRACE_LOGFILEW)&trace);
        if (handle == INVALID_PROCESSTRACE_HANDLE) {
            std::cout << "Unable start trace session : " << GetLastError() << std::endl;
        }
        consumertrace = (TRACEHANDLE)handle;
        std::thread thread(run, (PTRACEHANDLE)consumertrace);
    }
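I need help identifying and resolving the problem. My goal is to consume events in real time and print each event's output to the terminal. Any guidance or suggestions would be greatly appreciated.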
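I think that before starting the trace, you should check whether any previous traces are still running; you need to stop them. So just call ControlTrace(0, SessionName, sessionProperties, EVENT_TRACE_CONTROL_STOP);
I hope this clears up your error. Also, in "this->properties->Wnode.Guid = this->eventprovider;" I think this is not the event provider; it is the session's GUID.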
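The session setup discussed in this thread, written out as an added example (not code from the question or the answer): it stops a stale session of the same name, keeps the session GUID separate from the provider GUID, reserves space for the session name via LoggerNameOffset, and passes the session handle by address. The helper names `init_props` and `start_session` are hypothetical, and the caller is assumed to have the rights needed to control trace sessions.

```cpp
#ifdef _WIN32  // ETW exists only on Windows
#include <windows.h>
#include <evntrace.h>
#include <cwchar>
#include <vector>

// Zeroed EVENT_TRACE_PROPERTIES for a real-time session, with room after the
// struct for the session name that StartTraceW copies in. sessionGuid names
// the session itself, not a provider (helper names here are hypothetical).
EVENT_TRACE_PROPERTIES* init_props(std::vector<BYTE>& buf, LPCWSTR name, const GUID& sessionGuid) {
    buf.assign(sizeof(EVENT_TRACE_PROPERTIES) + (std::wcslen(name) + 1) * sizeof(WCHAR), 0);
    auto* p = reinterpret_cast<EVENT_TRACE_PROPERTIES*>(buf.data());
    p->Wnode.BufferSize = static_cast<ULONG>(buf.size());
    p->Wnode.Guid = sessionGuid;
    p->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
    p->Wnode.ClientContext = 1;                            // QPC timestamps
    p->LogFileMode = EVENT_TRACE_REAL_TIME_MODE;
    p->LogFileNameOffset = 0;                              // real-time: no log file
    p->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);  // name goes right after the struct
    return p;
}

// Stop a stale session of this name, start a fresh one, enable one provider.
// The ETW control functions return their Win32 status directly (they do not
// report through GetLastError); the first failing status is returned.
ULONG start_session(LPCWSTR name, const GUID& sessionGuid, const GUID& provider, TRACEHANDLE* out) {
    std::vector<BYTE> buf;
    ULONG st = ControlTraceW(0, name, init_props(buf, name, sessionGuid), EVENT_TRACE_CONTROL_STOP);
    if (st != ERROR_SUCCESS && st != ERROR_WMI_INSTANCE_NOT_FOUND) return st;  // "not running" is fine
    st = StartTraceW(out, name, init_props(buf, name, sessionGuid));  // handle passed by address
    if (st != ERROR_SUCCESS) return st;
    st = EnableTraceEx2(*out, &provider, EVENT_CONTROL_CODE_ENABLE_PROVIDER,
                        TRACE_LEVEL_INFORMATION, 0, 0, 0, nullptr);
    if (st != ERROR_SUCCESS)  // do not leave an orphaned session behind
        ControlTraceW(*out, nullptr, init_props(buf, name, sessionGuid), EVENT_TRACE_CONTROL_STOP);
    return st;
}
#endif
```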