none
Windows Event Tracing with bcl.TraceEvent

    Question

  • Hi,

    In our project we need to track write-access to certain files on the whole system. I figgured out that ETW (Event Trace 4 Windows) could help us doing that.

    I got the TraceEvent lib to track those system events.

    It turned out out that the file events only contain an integer representation of the file itself. The kernel parser returns it as "FileKey". There is also an "FileObject" property.

    The documentation says that one of both must be mapped to names retrieved by other events containing a file name. I tried this, but it seems that i only get very few of those file names. The TraceEvent library itself uses a similar mapping and also doesn't retrieve all of those names.

    Is there any way to retrieve the name of a certain FileObject manually from the system (without bcl)?

     


    • Edited by Vittel Tuesday, September 27, 2011 8:32 AM removed broken link
    Tuesday, September 27, 2011 8:31 AM

All replies

  • Hi,

     

    I found a project in CodePlex close to your purpose:TraceEvent

    TraceEvent is an library that greatly simplifies reading Event Tracing for Windows (ETW) events. See TraceEvent for an overview. For an example of the usage of this library, see the PerfMonitor tool. 

     

    More information, you can refer to MSDN document:

    TraceSource Class


    Paul Zhou [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Thursday, September 29, 2011 5:00 AM
  • Hi Paul,

    I'm already using the libary you mentioned. It is where i got those issues with. There is no way to lookup the FileKey and/or FileObject properties of the FileIoWrite events.

    Now i don't know how i can retrieve the related file names. 

    In some explaining text (found here) there are mentioned file-detail events. But i dumped pretty much all events of the system and couldn't find others than FileIoCreate. But the FileObject proerty there does not match any FileIoWrite events.

    Thursday, September 29, 2011 10:17 AM