c# - 从 FileIORename ETW 事件获取新文件名
问题描述
我正在使用https://www.nuget.org/packages/Microsoft.Diagnostics.Tracing.TraceEvent/订阅内核 ETW 事件。
是否可以监视文件重命名,以便获知重命名前和重命名后的文件路径?
我认为这很简单,只需挂钩 FileIORename 事件即可,但该事件的有效负载 (FileIOInfoTraceData) 仅在 FileName 属性中包含重命名前的文件路径,并不包含新的文件路径。
// NOTE(review): the handler defined below is named OnFileIORename, but the
// registration here references FileIORename; the two names do not match.
kernelSession.Source.Kernel.FileIORename += FileIORename
...
// FileIO/Rename handler. The FileIOInfoTraceData payload exposes only the
// pre-rename path in FileName; the new path is not part of this event.
private void OnFileIORename(FileIOInfoTraceData data)
{
var prevFilePath = data.FileName;
// Cannot be filled from this event alone; the answer below pairs the rename
// with a later FileIO/FSControl event that shares the same FileKey.
var newFilePath = ?
...
}
解决方案
我的解决方案是通过 FileIOFSControl 事件获取新文件名,并使用 FileKey 属性将 FileIORename 事件与对应的 FileIOFSControl 事件关联起来。
VB.NET 中的完整代码
Imports System.Collections.Generic
Imports System.IO
Imports System.Threading
Imports Microsoft.Diagnostics.Tracing.Parsers
Imports Microsoft.Diagnostics.Tracing.Parsers.Kernel
Imports Microsoft.Diagnostics.Tracing.Session
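Module Module1
    Private _etwSessionID As String
    Private _etwSession As TraceEventSession

    ''' <summary>
    ''' Renames still waiting for their new name, keyed by FileKey. A FileIO/Rename event
    ''' only carries the pre-rename path, so its entry is parked here until a FileIO/FSControl
    ''' event with the same FileKey supplies the new name. Entries are removed once matched,
    ''' so the collection does not grow for the lifetime of the session (the original List
    ''' was never pruned, and its FirstOrDefault lookup always matched the oldest rename for
    ''' a key, so a second rename of the same file was paired with stale data).
    ''' </summary>
    Private _pendingRenames As Dictionary(Of ULong, FileIOTraceEvent)

    ''' <summary>
    ''' Starts a kernel ETW session (the process must be elevated for kernel providers),
    ''' pairs FileIO/Rename events with the FileIO/FSControl events that complete them,
    ''' prints each completed pair, and stops the session when the user presses a key.
    ''' </summary>
    Sub Main()
        _pendingRenames = New Dictionary(Of ULong, FileIOTraceEvent)
        _etwSessionID = "TestSession"
        ' StopOnDispose only takes effect if Dispose actually runs; without the Using block
        ' the kernel session "TestSession" kept running after this process exited.
        Using session As New TraceEventSession(_etwSessionID) With {.StopOnDispose = True}
            _etwSession = session
            session.EnableKernelProvider(KernelTraceEventParser.Keywords.DiskFileIO Or
                                         KernelTraceEventParser.Keywords.FileIO Or
                                         KernelTraceEventParser.Keywords.FileIOInit)
            ' One handler per event instead of dispatching on data.EventName strings.
            AddHandler session.Source.Kernel.FileIORename, AddressOf OnFileIORename
            AddHandler session.Source.Kernel.FileIOFSControl, AddressOf OnFileIOFSControl
            ' Process() does not return until the session is stopped, so it runs on its own
            ' thread; in the original it blocked the main thread and Console.Read() was never reached.
            Dim processing As New Thread(Sub() session.Source.Process()) With {.IsBackground = True}
            processing.Start()
            Console.WriteLine("Tracing file renames; press Enter to stop.")
            Console.Read()
        End Using
    End Sub

    ''' <summary>
    ''' FileIO/Rename handler: records the pre-rename path and waits for the matching
    ''' FileIO/FSControl event to supply the new name.
    ''' </summary>
    ''' <param name="data">Rename payload; FileName is the path before the rename.</param>
    Private Sub OnFileIORename(data As FileIOInfoTraceData)
        Try
            ' A newer rename for the same FileKey replaces any stale pending entry.
            _pendingRenames(data.FileKey) = New FileIOTraceEvent(data.ID, data.TimeStamp, data.EventName,
                                                                 data.ProcessID, data.ProcessName,
                                                                 data.FileName, data.FileKey)
        Catch ex As Exception
            ' Keep the session alive, but do not hide the failure the way an empty Catch did.
            Console.Error.WriteLine("FileIO/Rename handler failed: " & ex.Message)
        End Try
    End Sub

    ''' <summary>
    ''' FileIO/FSControl handler: completes a pending rename with the same FileKey using
    ''' the FileName carried by this event, prints it and drops it from the pending map.
    ''' NOTE(review): any FSControl on a pending FileKey is taken as the rename completion;
    ''' confirm on your trace that no unrelated FSControl arrives for that key in between.
    ''' </summary>
    ''' <param name="data">FSControl payload; FileName is the path after the rename.</param>
    Private Sub OnFileIOFSControl(data As FileIOInfoTraceData)
        Try
            Dim pending As FileIOTraceEvent = Nothing
            If _pendingRenames.TryGetValue(data.FileKey, pending) Then
                _pendingRenames.Remove(data.FileKey)
                pending.NewFileName = Path.GetFileName(data.FileName)
                pending.NewFilePath = data.FileName
                Console.WriteLine(pending.ToString())
            End If
        Catch ex As Exception
            Console.Error.WriteLine("FileIO/FSControl handler failed: " & ex.Message)
        End Try
    End Sub

#Region "Classes"
    ''' <summary>
    ''' One observed rename: the pre-rename data from FileIO/Rename plus the new name
    ''' filled in later from the matching FileIO/FSControl event.
    ''' </summary>
    Private Class FileIOTraceEvent
#Region "Public Members"
        ''' <summary>
        ''' Event ID
        ''' </summary>
        Public ID As UShort
        ''' <summary>
        ''' Event date
        ''' </summary>
        Public Timestamp As Date
        ''' <summary>
        ''' Event name
        ''' </summary>
        Public EventName As String
        ''' <summary>
        ''' The process ID that raised the event
        ''' </summary>
        Public ProcessID As Integer
        ''' <summary>
        ''' The process name that raised the event
        ''' </summary>
        Public ProcessName As String
        ''' <summary>
        ''' File full path before the rename
        ''' </summary>
        Public FilePath As String
        ''' <summary>
        ''' The new file name (name only, without directory); Nothing until the
        ''' matching FSControl event has been seen
        ''' </summary>
        Public NewFileName As String
        ''' <summary>
        ''' The new file path as reported by the FSControl event; Nothing until matched
        ''' </summary>
        Public NewFilePath As String
        ''' <summary>
        ''' Kernel file key used to pair the Rename event with its FSControl event
        ''' </summary>
        Public FileKey As ULong
#End Region
#Region "Public Methods"
        ''' <summary>
        ''' Captures the fields available from the FileIO/Rename payload.
        ''' </summary>
        Public Sub New(id As UShort, timestamp As Date, eventName As String, processID As Integer, processName As String, filePath As String, fileKey As ULong)
            Me.ID = id
            Me.Timestamp = timestamp
            Me.EventName = eventName
            Me.ProcessID = processID
            Me.ProcessName = processName
            Me.FilePath = filePath
            Me.FileKey = fileKey
        End Sub

        ''' <summary>
        ''' Single-line summary of the rename, including the new name and path once known.
        ''' </summary>
        Public Overrides Function ToString() As String
            Return String.Concat("Event ID: ", ID, ", Date: ", Timestamp, ", Event Name: ", EventName,
                                 ", File Path: ", FilePath, ", New File Name: ", NewFileName,
                                 ", New File Path: ", NewFilePath)
        End Function
#End Region
#Region "Constants"
        Public Const EVENT_NAME_FILEIO_RENAME = "FileIO/Rename"
        Public Const EVENT_NAME_FILEIO_DELETE = "FileIO/Delete"
        Public Const EVENT_NAME_FILEIO_WRITE = "FileIO/Write"
        Public Const EVENT_NAME_FILEIO_SETINFO = "FileIO/SetInfo"
        Public Const EVENT_NAME_FILEIO_CREATE = "FileIO/Create"
        Public Const EVENT_NAME_FILEIO_FSCONTROL = "FileIO/FSControl"
#End Region
    End Class
#End Region
End Module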