Where is the list of device driver images stored in ETW?
I am trying to programatically get the list of device drives from an ETW with the great TraceProcessing Library which is used by WPA.
using ITraceProcessor processor = TraceProcessor.Create(myEtlFile, new
TraceProcessorSettings
{
AllowLostEvents = true,
AllowTimeInversion = true,
});
myProcesses = processor.UseProcesses();
foreach (var process in myProcesses.Result.Processes)
{
foreach (var dll in process.Images)
{
// get dll.Path, dll.FileVersion, dll.ProductVersion, dll.ProductName, dll.FileVersionNumber, dll.FileDescription
}
}
This works for every process except the Kernel (System(4)). Why do I have only 3 dlls in the System process? I would expect the driver files in the System process there as well. In CPU sampling the image is there so it looks like everything is right there. This would be very useful to check for driver versions if the data is present. But so far I was not able to find it. Am I missing something here?
Solution
Happy to hear you enjoy using the TraceProcessor library!
Device drivers are logged against the "Idle (0)" process by ETW, here is an example:
using var tp = TraceProcessor.Create(@"trace.etl");
var processes = tp.UseProcesses();
tp.Process();
var idleProcess = processes.Result.Processes.FirstOrDefault(x => x.Id == 0);
foreach (var image in idleProcess?.Images)
{
Console.WriteLine(image.Path);
}
- Find Task-Manager Description Column from CMD?
- How do I find out which process is listening on a TCP or UDP port on Windows?
- WINMAIN and main() in C++ (Extended)
- How to install ripgrep on Windows?
- CryptographicException: Access denied - How to give access on User store?
- How to set the UDP packet reassembly timeout in Windows 10
- Unable to create Symlink - cannot create a file when that file already exists
- How can I open a cmd window in a specific location?
- When running flutter app on window it show following error
- Can I use NotifyIcon in WPF?
- Python: How to open a folder on Windows Explorer(Python 3.6.2, Windows 10)
- ANSI In Terminal (Windows 10)
- How to get "valid data length" of a file?
- Check CMake version using python
- How do I update golang from command prompt on Windows?
- in powershell, set affinity in start-process
- Crypto++ library link error using Visual Studio 2017
- Limit python script RAM usage in Windows
- Powershell script throws error (80040154 Class not registered) only when it is executed from codedeploy, Why?
- How to change default scheduled task process priority in Windows
- How can I tile horizontally certain windows programmatically?
- C# get good color for label
- install gitlab on Windows with Docker
- Faking an RS232 Serial Port
- Rename all files in a directory with a Windows batch script
- An attempt was made to load a program with an incorrect format. VS2022 Service-based database
- How to set adminstrator privilege using manifest for Windows 10?
- Is it possible to modify a registry entry via a .bat/.cmd script?
- Quasar dev PSSecurityException
- How do I add a gzip command to Windows CMD?