EnumerateTraceGuidsEx 函数 (evntrace.h)
检索有关计算机上当前运行的事件跟踪提供程序的信息。
语法
ULONG WMIAPI EnumerateTraceGuidsEx(
[in] TRACE_QUERY_INFO_CLASS TraceQueryInfoClass,
[in] PVOID InBuffer,
[in] ULONG InBufferSize,
[out] PVOID OutBuffer,
[in] ULONG OutBufferSize,
[out] PULONG ReturnLength
);
参数
[in] TraceQueryInfoClass
确定要返回的信息类型。 有关可能的值,请参阅 TRACE_QUERY_INFO_CLASS 枚举。
[in] InBuffer
要检索其信息的提供程序或提供程序组的 GUID。 仅当 TraceQueryInfoClass 为 TraceGuidQueryInfo 或 TraceGroupQueryInfo 时指定 GUID。
[in] InBufferSize
数据 InBuffer 的大小(以字节为单位)。
[out] OutBuffer
包含枚举信息的应用程序分配的缓冲区。 信息的格式取决于 TraceQueryInfoClass 的值。
[in] OutBufferSize
OutBuffer 缓冲区的大小(以字节为单位)。 如果函数成功, 则 ReturnLength 参数将接收所用缓冲区的大小。 如果缓冲区太小,则函数返回 ERROR_INSUFFICIENT_BUFFER , ReturnLength 参数接收所需的缓冲区大小。 如果输入上的缓冲区大小为零,则缓冲区中不会返回任何数据, 并且 ReturnLength 参数将接收所需的缓冲区大小。
[out] ReturnLength
OutBuffer 中的数据的实际大小(以字节为单位)。
返回值
如果函数成功,则返回值为 ERROR_SUCCESS。
如果函数失败,则返回值为 系统错误代码之一。 下面是一些常见错误及其原因。
ERROR_INVALID_PARAMETER
其中一个参数无效。
ERROR_INSUFFICIENT_BUFFER
OutBuffer 缓冲区太小,无法接收所有已注册提供程序的信息。 使用 ReturnLength 中返回的大小重新分配缓冲区。
注解
此函数返回有关已通过 RegisterTraceGuids 或 EventRegister) (启动但尚未停止的事件跟踪提供程序的信息。
注意
若要获取有关已在系统上注册的提供程序清单的信息, (即通过 wevtutil) 注册的清单,请使用 TdhEnumerateProviders。
如果 TraceQueryInfoClass 是 TraceGuidQueryInfo,则 ETW 返回 TRACE_GUID_INFO 块中的数据,该块是信息的标头。 信息块包含使用同一 GUID 的每个提供程序 的TRACE_PROVIDER_INSTANCE_INFO 块。 每个实例信息块都包含启用提供程序的每个会话的 TRACE_ENABLE_INFO 结构。
示例
以下示例演示如何调用此函数。
#include <windows.h>
#include <stdio.h>
#include <evntcons.h>
DWORD GetProviderInfo(GUID ProviderGuid, PTRACE_GUID_INFO& pInfo);
int wmain(void)
{
ULONG status = ERROR_SUCCESS;
GUID* pTemp = NULL;
GUID* pGuids = NULL;
DWORD GuidListSize = 0;
DWORD GuidCount = 0;
DWORD RequiredListSize = 0;
WCHAR ProviderGuid[50];
PTRACE_GUID_INFO pInfo = NULL;
PTRACE_PROVIDER_INSTANCE_INFO pInstance = NULL;
PTRACE_ENABLE_INFO pEnable = NULL;
// Get the required buffer size for the query.
status = EnumerateTraceGuidsEx(TraceGuidQueryList, NULL, 0, pGuids, GuidListSize, &RequiredListSize);
// The number of registered providers could change between the
// time you called to get the buffer size and the time you called
// to get the actual data, so call EnumerateTraceGuidsEx in a loop
// until you no longer get ERROR_INSUFFICIENT_BUFFER.
while (ERROR_INSUFFICIENT_BUFFER == status)
{
pTemp = (GUID*)realloc(pGuids, RequiredListSize);
if (NULL == pTemp)
{
printf("Error allocating memory for list of provider GUIDs.\n");
goto cleanup;
}
pGuids = pTemp;
pTemp = NULL;
GuidListSize = RequiredListSize;
ZeroMemory(pGuids, GuidListSize);
status = EnumerateTraceGuidsEx(TraceGuidQueryList, NULL, 0, pGuids, GuidListSize, &RequiredListSize);
}
if (ERROR_SUCCESS == status)
{
GuidCount = GuidListSize / sizeof(GUID);
// For each registered provider on the computer, get information
// about how it was registered. If a session enabled the
// provider, get information on how the session enabled the provider.
for (USHORT i = 0; i < GuidCount; i++)
{
StringFromGUID2(pGuids[i], ProviderGuid, sizeof(ProviderGuid));
printf("Provider: %ls\n", ProviderGuid);
status = GetProviderInfo(pGuids[i], pInfo);
if (ERROR_SUCCESS == status)
{
pInstance = (PTRACE_PROVIDER_INSTANCE_INFO)((PBYTE)pInfo + sizeof(TRACE_GUID_INFO));
if (pInfo->InstanceCount > 1)
{
printf("There are %d providers that use the same GUID.\n", pInfo->InstanceCount);
}
for (DWORD j = 0; j < pInfo->InstanceCount; j++)
{
printf("\tThe PID of the process that registered the provider is %lu.\n", pInstance->Pid);
if ((pInstance->Flags & TRACE_PROVIDER_FLAG_PRE_ENABLE) == TRACE_PROVIDER_FLAG_PRE_ENABLE)
{
printf("\tThe provider is not registered; however, one or more sessions have enabled the provider.\n");
}
else
{
if ((pInstance->Flags & TRACE_PROVIDER_FLAG_LEGACY) == TRACE_PROVIDER_FLAG_LEGACY)
{
printf("\tThe provider used RegisterTraceGuids to register itself.\n");
}
else
{
printf("\tThe provider used EventRegister to register itself.\n");
}
}
if (pInstance->EnableCount > 0)
{
printf("\tThe provider is enabled to the following sessions.\n");
pEnable = (PTRACE_ENABLE_INFO)((PBYTE)pInstance + sizeof(TRACE_PROVIDER_INSTANCE_INFO));
for (DWORD k = 0; k < pInstance->EnableCount; k++)
{
printf("\t\tSession Id: %hu\n", pEnable->LoggerId);
printf("\t\tLevel used to enable the provider: %hu\n", pEnable->Level);
printf("\t\tMatchAnyKeyword value used to enable the provider: %I64u\n", pEnable->MatchAnyKeyword);
printf("\t\tMatchAllKeyword value used to enable the provider: %I64u\n", pEnable->MatchAllKeyword);
if (pEnable->EnableProperty > 0)
{
printf("\t\tThe session requested that the following information be included with each event:\n");
if ((pEnable->EnableProperty & EVENT_ENABLE_PROPERTY_SID) == EVENT_ENABLE_PROPERTY_SID)
{
printf("\t\t\tThe SID of the user that logged the event\n");
}
if ((pEnable->EnableProperty & EVENT_ENABLE_PROPERTY_TS_ID) == EVENT_ENABLE_PROPERTY_TS_ID)
{
printf("\t\t\tThe terminal session ID\n");
}
}
pEnable++;
printf("\n");
}
}
pInstance = (PTRACE_PROVIDER_INSTANCE_INFO)((PBYTE)pInstance + pInstance->NextOffset);
printf("\n");
}
printf("\n");
}
else
{
printf("Error retrieving provider info (%lu)\n\n", status);
}
}
printf("\nRegistered provider count is %lu.\n", GuidCount);
}
else
{
printf("EnumerateTraceGuidsEx(TraceGuidQueryList) failed with %lu.\n", status);
goto cleanup;
}
cleanup:
if (pGuids)
{
free(pGuids);
pGuids = NULL;
}
if (pInfo)
{
free(pInfo);
pInfo = NULL;
}
return 0;
}
// Get information about the specified provider.
DWORD GetProviderInfo(GUID ProviderGuid, PTRACE_GUID_INFO& pInfo)
{
ULONG status = ERROR_SUCCESS;
PTRACE_GUID_INFO pTemp = NULL;
DWORD InfoListSize = 0;
DWORD RequiredListSize = 0;
status = EnumerateTraceGuidsEx(TraceGuidQueryInfo, &ProviderGuid, sizeof(GUID), pInfo, InfoListSize, &RequiredListSize);
while (ERROR_INSUFFICIENT_BUFFER == status)
{
pTemp = (PTRACE_GUID_INFO)realloc(pInfo, RequiredListSize);
if (NULL == pTemp)
{
printf("Error allocating memory for provider info.\n");
goto cleanup;
}
pInfo = pTemp;
pTemp = NULL;
InfoListSize = RequiredListSize;
ZeroMemory(pInfo, InfoListSize);
status = EnumerateTraceGuidsEx(TraceGuidQueryInfo, &ProviderGuid, sizeof(GUID), pInfo, InfoListSize, &RequiredListSize);
}
if (ERROR_SUCCESS != status)
{
printf("EnumerateTraceGuidsEx(TraceGuidQueryInfo) failed with %lu.\n", status);
}
cleanup:
return status;
}
要求
| 要求 | 值 |
|---|---|
| 最低受支持的客户端 | Windows Vista [桌面应用 | UWP 应用] |
| 最低受支持的服务器 | Windows Server 2008 [桌面应用 | UWP 应用] |
| 目标平台 | Windows |
| 标头 | evntrace.h |
| Library | Advapi32.lib |
| DLL | Advapi32.dll |