ETW: How to get process and thread IDs for SysCallEnter / SysCallExit events?

  • Question

  • I'm using ETW to get information about particular system calls, and using SysCallEnter / SysCallExit events seems to work; however, those events lack the process ID and thread ID. Is there a way to retrieve them?

    Strangely enough, if I request the call stack for those events, a separate StackWalk event arrives with all the required information; however, it's impossible to tell which SysCallEnter event matches that StackWalk event without having the PID/TID.

    So, let's say it's impossible to get the PID and TID: is there any other way to match the StackWalk event to its SysCallEnter event? Thanks

    Friday, September 18, 2020 6:51 AM
