TraceParserGen does NOT support field type "win:SID"

Open gabiganam opened this issue 6 years ago • 3 comments

In Windows 10 Update 1903, the "Microsoft-Windows-Kernel-Process" manifest was updated, and a new type "win:SID" was introduced. This type is of variable length; it is a simple security identifier.

TraceParserGen has an internal "SkipSID" method, which is misleading, because it is actually a "SkipTokenUserAndSID", or "SkipWBEMSID".

A correct implementation of SkipSID is:

		internal int SkipSID(int offset)
		{
			// This is a Security Token.  Either it is null, which takes 4 bytes,
			// Otherwise it is an SID, which is variable size (sigh) depending on the 2nd byte in the SID
			int sid = GetInt32At(offset);
			if (sid == 0) return offset + 4;

			// 8 bytes for the SID (1 byte revision, 1 byte authorities count, 6 bytes identifier authority)
			int numAuthorities = GetByteAt(offset + 1); // Each authority is 4 bytes long
			return offset + 8 + 4 * numAuthorities;
		}

Oct 03 '19 11:10 gabiganam
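An added example, not part of the issue or of PerfView's code: the same SID length rule applied to a raw payload buffer with bounds and header validation, so a malformed or truncated event cannot push the offset past the end of the data. The names `SidField` and `SkipSid` and both payloads are constructed for illustration; the four-zero-byte null case follows the snippet above.

```csharp
using System;
using System.Buffers.Binary;

static class SidField
{
    const int HeaderSize = 8;          // revision (1) + sub-authority count (1) + identifier authority (6)
    const int MaxSubAuthorities = 15;  // SID_MAX_SUB_AUTHORITIES in the Windows SDK

    // Returns the offset just past the SID at 'offset'; throws if the payload is malformed.
    public static int SkipSid(ReadOnlySpan<byte> payload, int offset, out string text)
    {
        text = null;
        if (offset < 0 || payload.Length - offset < 4)
            throw new FormatException("payload too short for SID field");
        // Null field encoded as four zero bytes, as in the issue's snippet.
        if (BinaryPrimitives.ReadInt32LittleEndian(payload.Slice(offset)) == 0)
            return offset + 4;

        if (payload.Length - offset < HeaderSize)
            throw new FormatException("truncated SID header");
        byte revision = payload[offset];
        int count = payload[offset + 1];
        if (revision != 1 || count > MaxSubAuthorities)
            throw new FormatException("not a valid SID header");
        int end = offset + HeaderSize + 4 * count;
        if (end > payload.Length)
            throw new FormatException("sub-authorities run past end of payload");

        // Identifier authority is a 48-bit big-endian value; sub-authorities are little-endian.
        ulong authority = 0;
        for (int i = 2; i < 8; i++) authority = (authority << 8) | payload[offset + i];
        text = "S-" + revision + "-" + authority;
        for (int i = 0; i < count; i++)
            text += "-" + BinaryPrimitives.ReadUInt32LittleEndian(payload.Slice(offset + HeaderSize + 4 * i));
        return end;
    }

    static void Main()
    {
        // Constructed payload: S-1-5-18 followed by one byte belonging to the next field.
        byte[] payload = { 1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0, 0xAA };
        int next = SkipSid(payload, 0, out string sid);
        Console.WriteLine($"{sid} ends at offset {next}");

        // Constructed truncated payload: header claims 2 sub-authorities, only 1 is present.
        try { SkipSid(new byte[] { 1, 2, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0 }, 0, out _); }
        catch (FormatException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```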

Due to lack of recent activity, this issue has been labeled as 'stale'. It will be closed if no further activity occurs within 30 more days. Any new comment will remove the label.

Oct 03 '25 14:10 github-actions[bot]

This issue will now be closed since it has been labeled 'stale' without activity for 30 days.

Nov 03 '25 02:11 github-actions[bot]

Keeping this one alive - it can be fixed after we have a test bed for traceparsergen.

Nov 06 '25 17:11 brianrob