Question
How could one get the process id that generated the system call in ETW? As long as the ProcessID and ThreadID members of the event header are equal to -1, they can't be used. I heard about activating the CSwitch flag to capture every single context switch, but that only gives me NewThreadId and OldThreadId according to the MOF class. I want the process id too.
Thanks
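The join the question is circling around, as an added illustration rather than anything from the original post: a syscall event carries -1 in its header, but the EVENT_RECORD still tells you which processor it was logged on, the last CSwitch on that processor tells you which thread was running, and the Thread provider's Start/DCStart events (ProcessId, TThreadId) turn that thread id into a process id. The events below are constructed, simplified records standing in for what an ETW consumer callback would decode; opcodes follow the MOF classes (Thread Start 1, End 2, DCStart 3, CSwitch 36, PerfInfo SysCallEnter 51).

```python
from collections import namedtuple

# Constructed stand-in for a decoded EVENT_RECORD: provider and opcode from the
# header, cpu from BufferContext.ProcessorNumber, props from the MOF payload.
# The header's ProcessId/ThreadId are omitted because they are -1 for these events.
Event = namedtuple("Event", "provider opcode cpu props")


def resolve_syscall_pids(events):
    """Attribute each SysCallEnter to (address, thread id, process id).

    Requires a session with the THREAD, CSWITCH and SYSTEMCALL kernel flags:
    Thread Start/DCStart give the tid -> pid map, CSwitch gives the thread
    currently running on each CPU, SysCallEnter is resolved through both.
    """
    tid_to_pid = {}       # TThreadId -> ProcessId, from Thread TypeGroup1 events
    cpu_current_tid = {}  # ProcessorNumber -> NewThreadId of the last CSwitch
    resolved = []
    for ev in events:
        if ev.provider == "Thread" and ev.opcode in (1, 3):   # Start / DCStart
            tid_to_pid[ev.props["TThreadId"]] = ev.props["ProcessId"]
        elif ev.provider == "Thread" and ev.opcode == 2:      # End: ids get reused
            tid_to_pid.pop(ev.props["TThreadId"], None)
        elif ev.provider == "Thread" and ev.opcode == 36:     # CSwitch
            cpu_current_tid[ev.cpu] = ev.props["NewThreadId"]
        elif ev.provider == "PerfInfo" and ev.opcode == 51:   # SysCallEnter
            tid = cpu_current_tid.get(ev.cpu)        # None if no CSwitch seen yet
            pid = tid_to_pid.get(tid)                # None if thread never announced
            resolved.append((ev.props["SysCallAddress"], tid, pid))
    return resolved


def sample_events():
    """Constructed trace fragment: one fully resolvable syscall, one with an
    unknown thread, one on a CPU that has not logged a context switch yet."""
    return [
        Event("Thread", 3, 0, {"ProcessId": 4321, "TThreadId": 100}),
        Event("Thread", 36, 0, {"OldThreadId": 0, "NewThreadId": 100}),
        Event("PerfInfo", 51, 0, {"SysCallAddress": 0xFFFFF80000001000}),
        Event("Thread", 36, 1, {"OldThreadId": 0, "NewThreadId": 777}),
        Event("PerfInfo", 51, 1, {"SysCallAddress": 0xFFFFF80000002000}),
        Event("PerfInfo", 51, 2, {"SysCallAddress": 0xFFFFF80000003000}),
    ]


if __name__ == "__main__":
    for addr, tid, pid in resolve_syscall_pids(sample_events()):
        print(f"syscall {addr:#x} tid={tid} pid={pid}")
```

The two None results are the cases a real consumer has to expect at the start of a trace: until the Thread rundown (DCStart) and the first CSwitch on each CPU have been seen, a syscall cannot be attributed.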
Source: https://stackoverflow.com/questions/26440639/etw-system-calls-tracing