How to determine the file name involved in an IO operation using windows etw tracing?

Submitted by 断了今生、忘了曾经 on 2019-12-06 13:53:35

Question


I am trying to create a consumer application in vc++ which will collect all disk events using ETW tracing in real time.

I have enabled two flags, EVENT_TRACE_FLAG_DISK_FILE_IO and EVENT_TRACE_FLAG_DISK_IO, for tracing, but the problem is that I am not getting as many FileIO_Name events as DiskIo_TypeGroup1 events.

But if I only enable the EVENT_TRACE_FLAG_DISK_FILE_IO flag, then I get a larger number of FileIO_Name events in my callback.

FLAG                                        EVENT

EVENT_TRACE_FLAG_DISK_IO (0x00000100)       Enables the following DiskIo event types:
                                            DiskIo_TypeGroup1
                                            DiskIo_TypeGroup3

EVENT_TRACE_FLAG_DISK_FILE_IO (0x00000200)  Enables the following FileIo event type:
                                            FileIo_Name

I guess I need both flags because from the FileIO_Name events I will get FileObject and FileName data, and from DiskIO_TypeGroup1 I will get FileObject, DiskNumber, TransferSize and other data. I need to match the common FileObjects to merge the two separate data sets and get the desired output.

So when I use both flags I get a DiskIO_TypeGroup1:FileObject ratio of 4:1. But when I tweak my code to get only the FileIO_Name event, I get 3x the events I was getting earlier, if not more.
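The FileObject join the question describes, as an added example that is not part of the original post: the event structs and sample values are constructed stand-ins for the fields a real ETW consumer would read out of each EVENT_RECORD, and the sample deliberately has four DiskIo events for one FileIo_Name event so the unresolved count shows the gap being asked about.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Constructed stand-ins for the two ETW payloads the question joins on. In a real
// consumer these fields are read from the EVENT_RECORD passed to the callback.
struct FileIoNameEvent { uint64_t fileObject; std::string fileName; };                  // FileIo_Name
struct DiskIoEvent { uint64_t fileObject; uint32_t diskNumber; uint32_t transferSize; }; // DiskIo_TypeGroup1

struct ResolvedIo {
    uint32_t diskNumber;
    uint32_t transferSize;
    std::string fileName;   // empty when no FileIo_Name event carried this FileObject
};

// Joins DiskIo_TypeGroup1 events to FileIo_Name events by FileObject.
// `unresolved` receives the number of DiskIo events with no matching name,
// which is the shortfall the question describes.
std::vector<ResolvedIo> correlate(const std::vector<FileIoNameEvent>& names,
                                  const std::vector<DiskIoEvent>& diskIo,
                                  size_t& unresolved) {
    // FileObject is a kernel pointer that is reused once a file closes, so the most
    // recent name seen for an object wins (assumption: events are in trace order).
    std::map<uint64_t, std::string> nameByObject;
    for (const auto& n : names) nameByObject[n.fileObject] = n.fileName;

    std::vector<ResolvedIo> out;
    unresolved = 0;
    for (const auto& d : diskIo) {
        auto it = nameByObject.find(d.fileObject);
        bool known = it != nameByObject.end();
        if (!known) ++unresolved;
        out.push_back({d.diskNumber, d.transferSize, known ? it->second : std::string()});
    }
    return out;
}

// Constructed sample: four DiskIo events but one FileIo_Name event (the 4:1 ratio).
std::vector<FileIoNameEvent> sampleNames() { return {{0x1000, "C:\\data\\log.txt"}}; }
std::vector<DiskIoEvent> sampleDiskIo() {
    return {{0x1000, 0, 4096}, {0x1000, 0, 8192}, {0x2000, 1, 512}, {0x3000, 0, 65536}};
}

int main() {
    size_t unresolved = 0;
    for (const auto& r : correlate(sampleNames(), sampleDiskIo(), unresolved))
        std::printf("disk %u size %u file %s\n", r.diskNumber, r.transferSize,
                    r.fileName.empty() ? "<unknown>" : r.fileName.c_str());
    std::printf("%zu of 4 DiskIo events had no FileIo_Name match\n", unresolved);
    return 0;
}
```

The unresolved count is the figure to watch when comparing flag combinations: it tells you how many disk transfers could not be attributed to a file name from the name events the session actually delivered.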

Source: https://stackoverflow.com/questions/27813110/how-to-determine-the-file-name-involved-in-an-io-operation-using-windows-etw-tra
