fix update provider bug

bluekrabs/bluekrabs/parser.hpp

@@ -87,6 +87,16 @@ namespace krabs {
         template <typename T>
         T parse(const std::wstring &name);
 
+        /**
+        * todo
+        */
+        std::pair<const char*, _TDH_IN_TYPE> parse_in_type(const std::wstring& name);
+
+        /**
+        * todo
+        */
+        std::pair<const char*, _TDH_OUT_TYPE> parse_out_type(const std::wstring& name);
+
         template <typename Adapter>
         auto view_of(const std::wstring &name, Adapter &adapter) -> collection_view<typename Adapter::const_iterator>;
 
@@ -414,6 +424,32 @@ namespace krabs {
         return pointer::from_bytes(propInfo.pPropertyIndex_, propInfo.length_);
     }
 
+    // pars_type
+    // ------------------------------------------------------------------------
+
+    inline std::pair<const char*, _TDH_IN_TYPE> parser::parse_in_type(const std::wstring& name)
+    {
+        auto prop_info = find_property(name);
+        throw_if_property_not_found(prop_info);
+
+        auto in_type_value = (_TDH_IN_TYPE)prop_info.pEventPropertyInfo_->nonStructType.OutType;
+        auto in_type_str = in_type_to_string(in_type_value);
+
+        return std::make_pair(in_type_str, in_type_value);
+    }
+
+    inline std::pair<const char*, _TDH_OUT_TYPE> parser::parse_out_type(const std::wstring& name)
+    {
+        auto prop_info = find_property(name);
+        throw_if_property_not_found(prop_info);
+
+        auto out_type_value = (_TDH_OUT_TYPE)prop_info.pEventPropertyInfo_->nonStructType.OutType;
+        auto out_type_str = out_type_to_string(out_type_value);
+
+        return std::make_pair(out_type_str, out_type_value);
+    }
+
+
     // view_of
     // ------------------------------------------------------------------------
 

bluekrabs/bluekrabs/tdh_helpers.hpp

@@ -14,50 +14,103 @@
 
 namespace krabs {
 
-#define CASE_TYPE(enum) case TDH_INTYPE_##enum: return #enum
+#define CASE_IN_TYPE(enum) case TDH_INTYPE_##enum: return #enum
 
     inline const char* in_type_to_string(_TDH_IN_TYPE type)
     {
         switch (type)
         {
-            CASE_TYPE(NULL);
-            CASE_TYPE(UNICODESTRING);
-            CASE_TYPE(ANSISTRING);
-            CASE_TYPE(INT8);
-            CASE_TYPE(UINT8);
-            CASE_TYPE(INT16);
-            CASE_TYPE(UINT16);
-            CASE_TYPE(INT32);
-            CASE_TYPE(UINT32);
-            CASE_TYPE(INT64);
-            CASE_TYPE(UINT64);
-            CASE_TYPE(FLOAT);
-            CASE_TYPE(DOUBLE);
-            CASE_TYPE(BOOLEAN);
-            CASE_TYPE(BINARY);
-            CASE_TYPE(GUID);
-            CASE_TYPE(POINTER);
-            CASE_TYPE(FILETIME);
-            CASE_TYPE(SYSTEMTIME);
-            CASE_TYPE(SID);
-            CASE_TYPE(HEXINT32);
-            CASE_TYPE(HEXINT64);
-            CASE_TYPE(COUNTEDSTRING);
-            CASE_TYPE(COUNTEDANSISTRING);
-            CASE_TYPE(REVERSEDCOUNTEDSTRING);
-            CASE_TYPE(REVERSEDCOUNTEDANSISTRING);
-            CASE_TYPE(NONNULLTERMINATEDSTRING);
-            CASE_TYPE(NONNULLTERMINATEDANSISTRING);
-            CASE_TYPE(UNICODECHAR);
-            CASE_TYPE(ANSICHAR);
-            CASE_TYPE(SIZET);
-            CASE_TYPE(HEXDUMP);
-            CASE_TYPE(WBEMSID);
+            CASE_IN_TYPE(NULL);
+            CASE_IN_TYPE(UNICODESTRING);
+            CASE_IN_TYPE(ANSISTRING);
+            CASE_IN_TYPE(INT8);
+            CASE_IN_TYPE(UINT8);
+            CASE_IN_TYPE(INT16);
+            CASE_IN_TYPE(UINT16);
+            CASE_IN_TYPE(INT32);
+            CASE_IN_TYPE(UINT32);
+            CASE_IN_TYPE(INT64);
+            CASE_IN_TYPE(UINT64);
+            CASE_IN_TYPE(FLOAT);
+            CASE_IN_TYPE(DOUBLE);
+            CASE_IN_TYPE(BOOLEAN);
+            CASE_IN_TYPE(BINARY);
+            CASE_IN_TYPE(GUID);
+            CASE_IN_TYPE(POINTER);
+            CASE_IN_TYPE(FILETIME);
+            CASE_IN_TYPE(SYSTEMTIME);
+            CASE_IN_TYPE(SID);
+            CASE_IN_TYPE(HEXINT32);
+            CASE_IN_TYPE(HEXINT64);
+            CASE_IN_TYPE(COUNTEDSTRING);
+            CASE_IN_TYPE(COUNTEDANSISTRING);
+            CASE_IN_TYPE(REVERSEDCOUNTEDSTRING);
+            CASE_IN_TYPE(REVERSEDCOUNTEDANSISTRING);
+            CASE_IN_TYPE(NONNULLTERMINATEDSTRING);
+            CASE_IN_TYPE(NONNULLTERMINATEDANSISTRING);
+            CASE_IN_TYPE(UNICODECHAR);
+            CASE_IN_TYPE(ANSICHAR);
+            CASE_IN_TYPE(SIZET);
+            CASE_IN_TYPE(HEXDUMP);
+            CASE_IN_TYPE(WBEMSID);
             default: return "<INVALID VALUE>";
         }
     }
 
-#undef CASE_TYPE
+#undef CASE_IN_TYPE
+
+#define CASE_OUT_TYPE(enum) case TDH_OUTTYPE_##enum: return #enum
+
+    inline const char* out_type_to_string(_TDH_OUT_TYPE type)
+    {
+        switch (type)
+        {
+            CASE_OUT_TYPE(NULL);
+            CASE_OUT_TYPE(STRING);
+            CASE_OUT_TYPE(DATETIME);
+            CASE_OUT_TYPE(BYTE);
+            CASE_OUT_TYPE(UNSIGNEDBYTE);
+            CASE_OUT_TYPE(SHORT);
+            CASE_OUT_TYPE(UNSIGNEDSHORT);
+            CASE_OUT_TYPE(INT);
+            CASE_OUT_TYPE(UNSIGNEDINT);
+            CASE_OUT_TYPE(LONG);
+            CASE_OUT_TYPE(UNSIGNEDLONG);
+            CASE_OUT_TYPE(FLOAT);
+            CASE_OUT_TYPE(DOUBLE);
+            CASE_OUT_TYPE(BOOLEAN);
+            CASE_OUT_TYPE(GUID);
+            CASE_OUT_TYPE(HEXBINARY);
+            CASE_OUT_TYPE(HEXINT8);
+            CASE_OUT_TYPE(HEXINT16);
+            CASE_OUT_TYPE(HEXINT32);
+            CASE_OUT_TYPE(HEXINT64);
+            CASE_OUT_TYPE(PID);
+            CASE_OUT_TYPE(TID);
+            CASE_OUT_TYPE(PORT);
+            CASE_OUT_TYPE(IPV4);
+            CASE_OUT_TYPE(IPV6);
+            CASE_OUT_TYPE(SOCKETADDRESS);
+            CASE_OUT_TYPE(CIMDATETIME);
+            CASE_OUT_TYPE(ETWTIME);
+            CASE_OUT_TYPE(XML);
+            CASE_OUT_TYPE(ERRORCODE);
+            CASE_OUT_TYPE(WIN32ERROR);
+            CASE_OUT_TYPE(NTSTATUS);
+            CASE_OUT_TYPE(HRESULT);
+            CASE_OUT_TYPE(CULTURE_INSENSITIVE_DATETIME);
+            CASE_OUT_TYPE(JSON);
+            CASE_OUT_TYPE(UTF8);
+            CASE_OUT_TYPE(PKCS7_WITH_TYPE_INFO);
+            CASE_OUT_TYPE(CODE_POINTER);
+            CASE_OUT_TYPE(DATETIME_UTC);
+            CASE_OUT_TYPE(REDUCEDSTRING);
+            CASE_OUT_TYPE(NOPRINT);
+            default: return "<INVALID VALUE>";
+        }
+    }
+
+#undef CASE_OUT_TYPE
 
     namespace debug {
 

bluekrabs/bluekrabs/trace.hpp

@@ -497,7 +497,7 @@ namespace krabs {
             }
         };
 
-        if (registrationHandle_ == INVALID_PROCESSTRACE_HANDLE) {
+        if (registrationHandle_ == INVALID_PROCESSTRACE_HANDLE && sessionHandle_ == INVALID_PROCESSTRACE_HANDLE) {
             insert_unique(p);
         }
         else {        

examples/ManagedExamples/Program.cs

@@ -23,7 +23,8 @@ static void Main(string[] args)
             //UserTrace009_OpenTrace.Start();
             //UserTrace010_ExtendedData.Start();
             //UserTrace011_UpdateTrace.Start();
-            UserTrace012_UpdateProvider.Start();
+            //UserTrace012_UpdateProvider.Start();
+            UserTrace012_UpdateProvider.Start1();
         }
     }
 }

examples/ManagedExamples/UserTrace004.cs

@@ -39,6 +39,7 @@ public static void Start()
             {
                 System.Diagnostics.Debug.Assert(record.Id == 7937);
                 Console.WriteLine(record.GetUnicodeString("ContextInfo"));
+
             };
 
             // EventFilters are attached to providers. Events that are attached to the filter

examples/ManagedExamples/UserTrace012_UpdateProvider.cs

@@ -54,5 +54,59 @@ public static void Start()
             trace.Disable(providerApi);
 
         }
+
+        public static void Start1()
+        {
+            var trace = new UserTrace("SecSense");
+
+            // Rundown events are not true real-time tracing events. Instead they describe the state of the system.
+            // Usually these are just extra events in the provider. For example, Microsoft-Windows-Kernel-Process
+            // has ProcessRundown events as well as ProcessStart events.            
+            var secProvider = new Provider(Guid.Parse("{16c6501a-ff2d-46ea-868d-8f96cb0cb52d}"));
+            var fileProvider = new Provider(Guid.Parse("{edd08927-9cc4-4e65-b970-c2560fb5c289}"));
+
+            //provider.Any = 0x10;  // WINEVENT_KEYWORD_PROCESS
+            // ...but the rundown events often cannot be enabled by keyword alone.
+            // The trace needs to be sent EVENT_CONTROL_CODE_CAPTURE_STATE.
+            // This is what EnableRundownEvents() does.
+            //provider.EnableRundownEvents();
+
+            // process rundown events - i.e. running processes
+            //var processRundownFilter = new EventFilter(Filter.EventIdIs(15));  // ProcessRundown
+            secProvider.OnEvent += (record) =>
+            {
+                // Records have general properties that are applicable to every ETW
+                // record regardless of schema. They give us general information.
+                Console.WriteLine("Event " + record.Id + " (" + record.Name + ") received.");
+            };
+            //provider.AddFilter(processRundownFilter);
+
+            fileProvider.OnEvent += (record) =>
+            {
+                // Records have general properties that are applicable to every ETW
+                // record regardless of schema. They give us general information.
+                Console.WriteLine("Event " + record.Id + " (" + record.Name + ") received.");
+            };
+
+            trace.Enable(secProvider);
+            trace.Open();
+            trace.Enable(fileProvider);
+            Thread workingThread = new Thread(() => {
+                trace.Process();
+            });
+
+            workingThread.Start();
+            Thread.Sleep(1000);
+            trace.Close();
+            workingThread.Join();
+
+        }
     }
+
+
+
+
+
 }
+
+

examples/NativeExamples/user_trace_001.cpp

@@ -47,6 +47,8 @@ void user_trace_001::start()
             // We could alternatively use try_parse if we didn't want an exception to
             // be thrown in the case of failure.
             std::wstring context = parser.parse<std::wstring>(L"ContextInfo");
+            std::cout << "intype " << parser.parse_in_type(L"ContextInfo").first << std::endl;
+            std::cout << "outtype " << parser.parse_out_type(L"ContextInfo").first << std::endl;
             std::wcout << L"\tContext: " << context << std::endl;
         }
     });

examples/NativeExamples/user_trace_012_open_trace.cpp

@@ -87,8 +87,29 @@ void user_trace_012_open_trace::start()
         // to snap in a schema to ask it for information.
         krabs::schema schema(record, trace_context.schema_locator);
         // We then have the ability to ask a few questions of the event.
-        std::wcout << L"ProviderName " << schema.provider_name() << std::endl;
-        std::wcout << L"EventId" << schema.event_id() << std::endl;
+        switch (schema.event_id()) {
+        case 1:
+            break;
+        case 17:
+            break;
+        case 18:
+            break;
+        case 19:
+            break;
+        case 22:
+            break;
+        case 23:
+            break;
+        case 24:
+            break;
+        case 35:
+            break;
+        default:
+            std::wcout << L"ProviderName " << schema.provider_name() << std::endl;
+            std::wcout << L"EventId" << schema.event_id() << std::endl;
+            break;
+        }
+
         };
     sec_provider.add_on_event_callback(on_event);
     file_provider.add_on_event_callback(on_event);
@@ -126,7 +147,7 @@ void user_trace_012_open_trace::start()
         trace.process();
         });
 
-    const int durationInSeconds = 10;
+    const int durationInSeconds = 100000;
     std::this_thread::sleep_for(std::chrono::seconds(durationInSeconds));
     auto stats1 = trace.query_stats();
     trace.close();