As suggested in the first hint, you will need to tell ETW which PMCs to collect using TraceSetInformation. It’s tricky figuring out how it’s supposed to work, but even if you do, you will find that you still don’t get any PMCs with your ETW events. Why not?
Well, one reason is that ETW also needs to know which events should trigger PMC collection. Unlike timestamps — which all ETW events get — ETW will only attach PMC data to an event if you explicitly ask it to do so for that type of event.
And that’s today’s hint: you must call TraceSetInformation with TracePmcCounterListInfo to select which PMCs you want to collect, but you must also call TraceSetInformation a second time — this time with TracePmcEventListInfo — to select which events you want PMCs collected for:
CLASSIC_EVENT_ID EventIDs[] =
{
// events to enable go here
};
ULONG Status = TraceSetInformation(TraceHandle, TracePmcEventListInfo, EventIDs, sizeof(EventIDs));
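As an added example (not code from the original post), here is the complete two-call sequence in C with the kernel classic event ids for PerfInfo/SampledProfile and Thread/CSwitch filled in. It assumes the TRACEHANDLE came from StartTrace for the kernel logger session and that the profile-source indexes in `sources` were obtained beforehand from a TraceProfileSourceListInfo query; off Windows it compiles against minimal stand-in definitions and a stub TraceSetInformation that only validates its arguments.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <evntrace.h>
#pragma comment(lib, "advapi32.lib")
#else
/* Not on Windows: minimal stand-ins for the SDK types plus a stub that only checks
 * arguments, so the configuration logic can be compiled and exercised offline
 * (assumption for this example, not the real API). */
#include <stdint.h>
typedef uint8_t UCHAR; typedef uint32_t ULONG; typedef uint64_t TRACEHANDLE;
typedef struct { ULONG Data1; unsigned short Data2, Data3; UCHAR Data4[8]; } GUID;
typedef struct { GUID EventGuid; UCHAR Type; UCHAR Reserved[7]; } CLASSIC_EVENT_ID;
enum { TracePmcEventListInfo = 8, TracePmcCounterListInfo = 9 };
#define ERROR_SUCCESS 0
#define ERROR_INVALID_PARAMETER 87
static ULONG TraceSetInformation(TRACEHANDLE h, int cls, void *info, ULONG len)
{
    (void)h; (void)cls;
    return (info != NULL && len != 0) ? ERROR_SUCCESS : ERROR_INVALID_PARAMETER;
}
#endif

/* Kernel classic event ids that can carry PMC data (documented kernel GUIDs/opcodes). */
static const GUID PerfInfoGuid = { 0xce1dbfb4, 0x137e, 0x4da6, { 0x87,0xb0,0x3f,0x59,0xaa,0x10,0x2c,0xbc } };
static const GUID ThreadGuid   = { 0x3d6fa8d1, 0xfe05, 0x11d0, { 0x9d,0xda,0x00,0xc0,0x4f,0xd7,0xba,0x7c } };
#define PERFINFO_SAMPLED_PROFILE 46   /* PerfInfo/SampledProfile opcode */
#define THREAD_CSWITCH           36   /* Thread/CSwitch opcode */

/* Configure PMCs on a running kernel session. `sources` holds profile-source
 * indexes from a TraceProfileSourceListInfo query; they differ per machine, so
 * they are never hard-coded. The first call picks the counters, the second picks
 * the events that record them; without the second call no event carries PMC data. */
ULONG configure_pmc(TRACEHANDLE session, ULONG *sources, ULONG source_count)
{
    CLASSIC_EVENT_ID events[2];
    ULONG status;
    if (sources == NULL || source_count == 0)
        return ERROR_INVALID_PARAMETER;
    memset(events, 0, sizeof(events));          /* Reserved bytes must be zero */
    events[0].EventGuid = PerfInfoGuid; events[0].Type = PERFINFO_SAMPLED_PROFILE;
    events[1].EventGuid = ThreadGuid;   events[1].Type = THREAD_CSWITCH;

    status = TraceSetInformation(session, TracePmcCounterListInfo,
                                 sources, (ULONG)(source_count * sizeof(ULONG)));
    if (status != ERROR_SUCCESS)
        return status;   /* e.g. an invalid source index or a non-kernel session */
    return TraceSetInformation(session, TracePmcEventListInfo, events, (ULONG)sizeof(events));
}
```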
That concludes today’s hint. Until tomorrow, good luck making progress on the Spooktacular Challenge!
I will post additional hints here every day until Halloween. If you’d like the rest of the Spooktacular Challenge to be delivered automatically to your inbox, you can select a subscription option here:
CLASSIC_EVENT_ID led me way off track before I figured out the valid values. To avoid spoiling anything unnecessarily, here's a base64 encoded link I found with valid values (and some remarks on what I tried before I found it):
It looks like TracePmcEventListInfo can only be used for a kernel ETW session (with the name "NT Kernel Logger"). So does this mean that for capturing PMC counters, we need to trigger a kernel ETW event? I guess we cannot just register a new kernel event, so we would need to "abuse" a current one - preferably one that does not burn too many CPU cycles - such as Kernel/FileCreate :-)