
Microsoft.Diagnostics.Tracing: Incomplete data in payload for some OS providers

Open palenshus opened this issue 3 years ago • 1 comments

For some type(s) of built-in Windows events, I'm not getting the complete payload, namely AppId/AppVersion, and also I can't figure out how to get PartA data. To demonstrate, here’s a short LINQPad code sample: http://share.linqpad.net/5hsr9t.linq

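// Needs the TraceEvent library namespaces Microsoft.Diagnostics.Tracing and
// Microsoft.Diagnostics.Tracing.Session (added through LINQPad's query properties).
using var session = new TraceEventSession("EtwMonitor", TraceEventSessionOptions.Create);
// Provider GUID; its events are reported with ProviderName="Win32kTraceLogging".
session.EnableProvider(new Guid("487d6e37-1b9d-46d3-a8fd-54ce8bdf8a53"));

// Dump every AppInteractivitySummary event seen by the dynamic (self-describing) parser.
session.Source.Dynamic.All += delegate (TraceEvent e)
{
    if (e.EventName == "AppInteractivitySummary")
    {
        LINQPad.Extensions.Dump(e, e.EventName, collapseTo: 0);
        e.ToString().Dump();
    }
};
// Blocks and dispatches events until the session is stopped.
session.Source.Process();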

However, it doesn’t give me the PartA properties, or even the AppId in the data section. Here’s what I get from the library:

<Event MSec=  "4249.0443"
    PID="45780"
    PName=        ""
    TID="48412"
    EventName="AppInteractivitySummary"
    ProviderName="Win32kTraceLogging"
    UTCReplace_AppId="0000b2d4-0002-001e-2a75-1bec3a50d801"
    UTCReplace_AppVersion="True"
    UTCReplace_CommandLineHash="True"
    PartATransform_AppSessionGuidToUserSid="0000b2d4-0002-001e-2a75-1bec3a50d801"
    AppSessionId="0000b2d4-0002-001e-2a75-1bec3a50d801"
    AggregationStartTime="4/14/2022 12:56:06 PM"
    ...
/>

And here’s what I get from the TelemetryRealTimeTool:

"data": {
        "AppId": "U:Microsoft.WindowsCalculator_11.2203.1.0_x64__8wekyb3d8bbwe!App",
        "AppVersion": "11.2203.1.0_x64_!2022/03/29:18:19:11!0!calculatorapp.exe",
        "CommandLineHash": 791235508,
        "AppSessionId": "00010D88-0002-001E-8F8D-E8B72F50D801",
        "AggregationStartTime": "2022-04-14T18:33:13.8264585Z",
    …

Any idea why AppId/AppVersion are being stripped/replaced? Is it some kind of security feature at work? And is there any way to get PartA event data using the library? Thanks!

palenshus Apr 14 '22 20:04

Additionally, I tried to follow the instructions at https://github.com/microsoft/perfview/blob/main/documentation/TraceEvent/TraceEventProgrammersGuide.md#building-compile-time-traceeventparser-parsers-using-traceparsergen to generate a manifest for the Win32kTraceLogging provider, but it didn't work; it fails with:

Error: Could not find provider with name Win32kTraceLogging

Using the GUID results in a similar error.

palenshus Apr 14 '22 20:04