Handles events, Windows 10 and "NT Kernel session" in EventTracing API
I was under the impression that, starting from Windows 8 or something like that, you do not need the special singleton "kernel" session called "NT Kernel Logger" anymore.
And indeed this is true when I work with EventTracing API (TraceEventSession object) EnableKernelProvider with "KernelTraceEventParser.Keywords.Process" and such flags. Before in Win7 I needed this session, now I don't.
However, if/when I try to run it with the "KernelTraceEventParser.Keywords.Handle" flag, I get an error (on Windows 10) that I need to have this single session. I checked the source code there and it looks like it comes from the following check in "EnableKernelProvider":

```csharp
if (m_SessionName != KernelTraceEventParser.KernelSessionName)
{
    if ((flags & KernelTraceEventParser.NonOSKeywords) != 0)
    {
        throw new NotSupportedException("Keyword specified this is only supported on the " + KernelTraceEventParser.KernelSessionName + " session.");
    }
```
So, assuming there is a bug in the NonOSKeywords definition, I removed this check. Now it all passed, but handle events ("ObjectCreateHandle" and so on) do not happen (even after my fix in https://github.com/microsoft/perfview/issues/1768).
So basically I have a two-part question:
- Is it intentional/required to have this single session in Win10 too in order to work with handle events? Or is it just a result of, as @brianrob mentioned in another bug, this flow never having been executed and tested at all?
- If the latter :) is it possible to fix it? My understanding (or better to say, lack of it :)) of the inner workings of the internal native API that does event tracing does not allow me to understand what's going on there and fix it.