Add Microsoft-Windows-Kernel-Process
Suggested by @tiraniddo for investigating process freeze/thaw events
in relationship to a resume-from-standby issue:

https://twitter.com/tiraniddo/status/1230228418102353920

https://twitter.com/BruceDawson0xB/status/1229879280819007488
randomascii committed Feb 20, 2020
1 parent bbc6625 commit 5d1aff1
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions UIforETW/UIforETWDlg.cpp
@@ -1093,6 +1093,13 @@ void CUIforETWDlg::OnBnClickedStarttracing()
// Memory-> Virtual Memory Snapshots. On windows 8.1 and above this makes the working set
// scanning in UIforETW unnecessary.
userProviders += L"+Microsoft-Windows-Kernel-Memory:0xE0";
if (IsWindowsTenOrGreater())
{
// This includes process freeze events, thread priority change events, and
// other good stuff. I don't know when it was first created and I can't easily
// test so I'm gating this to Windows 10.
userProviders += L"+Microsoft-Windows-Kernel-Process";
}

if (!extraUserProviders_.empty())
{
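Review bot: the `IsWindowsTenOrGreater()` gate is chosen because the provider's first appearance is unknown, not because it is known to be missing on earlier releases, so either check an 8.1 machine (`wevtutil gp Microsoft-Windows-Kernel-Process`) and lower the floor accordingly, or say in the comment that Windows 10 is a conservative floor that could be lowered. Separately, unlike the `+Microsoft-Windows-Kernel-Memory:0xE0` entry just above, the new provider is appended with no `:mask` suffix; state in the comment whether the full keyword set is intended or restrict it the way the Kernel-Memory line does.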

2 comments on commit 5d1aff1

@MagicAndre1981

I also see this in Windows 8.1:

   <provider name="Microsoft-Windows-Kernel-Process" guid="{22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716}" resourceFileName="Microsoft-Windows-Kernel-Process" messageFileName="Microsoft-Windows-Kernel-Process" symbol="MicrosoftWindowsKernelProcess" source="Xml" >
    <keywords>
     <keyword name="WINEVENT_KEYWORD_PROCESS" message="$(string.keyword_WINEVENT_KEYWORD_PROCESS)" mask="0x10"/>
     <keyword name="WINEVENT_KEYWORD_THREAD" message="$(string.keyword_WINEVENT_KEYWORD_THREAD)" mask="0x20"/>
     <keyword name="WINEVENT_KEYWORD_IMAGE" message="$(string.keyword_WINEVENT_KEYWORD_IMAGE)" mask="0x40"/>
     <keyword name="WINEVENT_KEYWORD_CPU_PRIORITY" message="$(string.keyword_WINEVENT_KEYWORD_CPU_PRIORITY)" mask="0x80"/>
     <keyword name="WINEVENT_KEYWORD_OTHER_PRIORITY" message="$(string.keyword_WINEVENT_KEYWORD_OTHER_PRIORITY)" mask="0x100"/>
     <keyword name="WINEVENT_KEYWORD_PROCESS_FREEZE" message="$(string.keyword_WINEVENT_KEYWORD_PROCESS_FREEZE)" mask="0x200"/>
    </keywords>

Windows 7 is missing the freeze keyword, so you can assume it was added in 8 because of the new Metro apps.
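The keyword masks in the manifest fragment above are what the `:0xE0`-style suffix in UIforETW's user-provider string selects. The following C++ is an added illustration, not UIforETW code and not from either commenter: it parses such a `<keywords>` block and builds a `+Provider:0xMASK` entry for a chosen subset of keywords. The function names, the regex-based parsing, and the embedded manifest sample (copied from the comment above) are assumptions of the example.

```cpp
// Added example, not UIforETW code: parse the <keywords> block of an ETW
// provider manifest and build the "+Provider:0xMASK" entry that UIforETW
// appends to its xperf user-provider string.
#include <cstdint>
#include <iostream>
#include <map>
#include <regex>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed sample input: the keyword list of Microsoft-Windows-Kernel-Process
// as shown in the comment above (names and masks copied from it).
static const char* const kManifestFragment = R"xml(
<keywords>
 <keyword name="WINEVENT_KEYWORD_PROCESS" message="$(string.keyword_WINEVENT_KEYWORD_PROCESS)" mask="0x10"/>
 <keyword name="WINEVENT_KEYWORD_THREAD" message="$(string.keyword_WINEVENT_KEYWORD_THREAD)" mask="0x20"/>
 <keyword name="WINEVENT_KEYWORD_IMAGE" message="$(string.keyword_WINEVENT_KEYWORD_IMAGE)" mask="0x40"/>
 <keyword name="WINEVENT_KEYWORD_CPU_PRIORITY" message="$(string.keyword_WINEVENT_KEYWORD_CPU_PRIORITY)" mask="0x80"/>
 <keyword name="WINEVENT_KEYWORD_OTHER_PRIORITY" message="$(string.keyword_WINEVENT_KEYWORD_OTHER_PRIORITY)" mask="0x100"/>
 <keyword name="WINEVENT_KEYWORD_PROCESS_FREEZE" message="$(string.keyword_WINEVENT_KEYWORD_PROCESS_FREEZE)" mask="0x200"/>
</keywords>
)xml";

// Map keyword name -> mask. Assumes each <keyword> element carries its name
// attribute before its mask attribute, as the manifest fragment does.
std::map<std::string, uint64_t> ParseKeywords(const std::string& xml) {
    std::map<std::string, uint64_t> keywords;
    static const std::regex re(R"re(<keyword\s+name="([^"]+)"[^>]*mask="(0x[0-9A-Fa-f]+)")re");
    for (std::sregex_iterator it(xml.begin(), xml.end(), re), end; it != end; ++it) {
        keywords[(*it)[1].str()] = std::stoull((*it)[2].str(), nullptr, 16);
    }
    return keywords;
}

// OR together the masks of the named keywords. An unknown name throws rather
// than silently contributing nothing, since a misspelled keyword would
// otherwise just drop the events the caller wanted.
uint64_t KeywordMask(const std::map<std::string, uint64_t>& keywords,
                     const std::vector<std::string>& names) {
    uint64_t mask = 0;
    for (const std::string& name : names) {
        auto it = keywords.find(name);
        if (it == keywords.end())
            throw std::invalid_argument("unknown keyword: " + name);
        mask |= it->second;
    }
    return mask;
}

// Format one entry in the "+Provider:0xMASK" form used in UIforETWDlg.cpp.
// A zero mask leaves the suffix off, as the commit does for Kernel-Process.
std::wstring ProviderEntry(const std::wstring& provider, uint64_t mask) {
    std::wostringstream out;
    out << L"+" << provider;
    if (mask != 0)
        out << L":0x" << std::hex << std::uppercase << mask;
    return out.str();
}

// Worked case: select only the freeze/thaw keyword the commit message is
// after plus the CPU priority keyword, instead of every keyword.
std::wstring FreezeAndPriorityEntry() {
    const auto keywords = ParseKeywords(kManifestFragment);
    const uint64_t mask = KeywordMask(keywords, {"WINEVENT_KEYWORD_PROCESS_FREEZE",
                                                 "WINEVENT_KEYWORD_CPU_PRIORITY"});
    return ProviderEntry(L"Microsoft-Windows-Kernel-Process", mask);
}

int main() {
    std::wcout << FreezeAndPriorityEntry() << L"\n";
    return 0;
}
```

The resulting entry, `+Microsoft-Windows-Kernel-Process:0x280`, can be appended to `userProviders` in the same way as the `:0xE0` Kernel-Memory entry; the throw on an unknown keyword name is deliberate, because a silently empty mask would look like a successful trace with the wanted events simply absent.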

@randomascii (Contributor Author)


Thanks for the feedback. I changed the check to Windows 8.1 or greater in 17979d0