Question
I've been investigating ETW for process/file/registry/network monitoring. It looks like on Win7 it has everything I need. However, on XP it seems to be lacking the same level of detail. Specifically, with file IO only "FileCreate" events seem to be logged and process creation events don't give a full path.
Is it possible to determine when a file is written to on XP with ETW? And how about the full path to a process start event?
Answer 1:
Starting with Vista MS added a lot of ETW providers to Windows. XP/Server only had a few of them. So you can't fix this for XP.
Source: https://stackoverflow.com/questions/16069230/etw-file-io-monitoring-on-xp-2003