TdhFormatProperty incorrect data

  • Question

  • Hi, I followed https://docs.microsoft.com/en-us/windows/win32/etw/using-tdhformatproperty-to-consume-event-data to consume event data.

    I tried provider guid={43d1a55c-76d6-4f7e-995c-64c711e5cafe} and keywords=0x8000000000000001

    and received event ID 101, whose expected result is:

    <Data Name="HINTERNET">0xcc0004</Data>
    <Data Name="_UserAgentLength">0</Data>
    <Data Name="UserAgent" />
    <Data Name="_AccessTypeLength">9</Data>
    <Data Name="AccessType">PRECONFIG</Data>
    <Data Name="_ProxyListLength">0</Data>
    <Data Name="ProxyList" />
    <Data Name="_ProxyBypassListLength">0</Data>
    <Data Name="ProxyBypassList" />
    <Data Name="Flags">0</Data>

    but TdhFormatProperty gets erroneous values:

    "AccessType" : "ECONFIG",         // value error here
    "HINTERNET" : "0xCC0004",
    "ProxyBypassList" : "",
    "ProxyList" : "",
    "UserAgent" : "\t",                    // here
    "_AccessTypeLength" : "21072",  // here
    "_ProxyBypassListLength" : "0",
    "_ProxyListLength" : "0",
    "_UserAgentLength" : "0"

    I thought maybe something is wrong with the out BufferSize parameter?

    I also tried https://docs.microsoft.com/en-us/windows/win32/etw/using-tdhgetproperty-to-consume-event-data, which can get values like Event Viewer.

    Platform: Windows 10

    Compiler: vs142

    Thanks,



    Friday, December 13, 2019 10:01 AM
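
A byte-level model of how the wrong values above can arise, added as an example that is not from the original post or from Microsoft's sample: 21072 is 0x5250, the little-endian bytes 'P' 'R', which is what results if the zero-length UserAgent is read as a NUL-terminated string and swallows the two bytes of _AccessTypeLength. The field layout (UINT16 lengths, counted ANSI strings), the constructed payload, and the names `decode`, `read_str` and `zero_is_nul` are assumptions for illustration; no TDH API is called.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed payload, not captured data: the fields that follow HINTERNET,
   assuming UINT16 length fields and counted ANSI strings. */
static const uint8_t PAYLOAD[] = {
    0x00, 0x00, /* _UserAgentLength = 0 (UserAgent itself occupies no bytes) */
    0x09, 0x00, 'P', 'R', 'E', 'C', 'O', 'N', 'F', 'I', 'G', /* _AccessTypeLength = 9, AccessType */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 /* remaining fields, all zero */
};

typedef struct { char user_agent[32]; unsigned access_type_length; char access_type[32]; } decoded_t;

static uint16_t read_u16(size_t *off) {
    *off += 2;
    return (uint16_t)(PAYLOAD[*off - 2] | (PAYLOAD[*off - 1] << 8));
}

/* Hypothetical model of a string decoder. With zero_is_nul set, a length of 0
   means "scan to the NUL terminator" instead of "empty string". */
static void read_str(size_t *off, size_t len, int zero_is_nul, char *out, size_t cap) {
    size_t left = sizeof(PAYLOAD) - *off, n = 0;
    if (len == 0 && zero_is_nul) {
        while (n < left && PAYLOAD[*off + n] != 0) n++;
        len = (n < left) ? n + 1 : n;   /* the terminator is consumed too */
    } else {
        if (len > left) len = left;     /* clamp a bogus length to the buffer */
        while (n < len && PAYLOAD[*off + n] != 0) n++;
    }
    if (n >= cap) n = cap - 1;
    memcpy(out, PAYLOAD + *off, n);
    out[n] = '\0';
    *off += len;
}

decoded_t decode(int zero_is_nul) {
    decoded_t d;
    size_t off = 0;
    size_t ua_len = read_u16(&off);
    read_str(&off, ua_len, zero_is_nul, d.user_agent, sizeof d.user_agent);
    d.access_type_length = read_u16(&off);
    read_str(&off, d.access_type_length, zero_is_nul, d.access_type, sizeof d.access_type);
    return d;
}

int main(void) {
    decoded_t bad = decode(1), good = decode(0);
    printf("0 as NUL-terminated: %u \"%s\"; 0 as empty: %u \"%s\"\n", bad.access_type_length, bad.access_type, good.access_type_length, good.access_type);
    return 0;
}
```

If the consumer behaves like this model, the guard is to emit an empty string when a counted string's length property is 0, without advancing the data pointer, instead of passing a length of 0 to the formatter.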