ETW Keyword filtering

[vbwins]

This is driving me nuts. I cannot seem to get it right.

https://learn.microsoft.com/en-us/me...level-settings

I have tried using currency and large_integer type as we have to here.

As I understand the documentation I need to OR the keyword values together to create 64 bit mask. This is what I cannot get right.

Some example key words from the Microsoft-Windows-HttpService provider are:

ReceiveRequest 0x8000000000000102
ReceiveResponse 0x8000000000000006
SendComplete 0x8000000000000016

Does anyone have any ideas how I can do this?

As an example I have tried making the high word part of the value (0x80000000) and the low word value (0x00000102) and them copying the structure to a currency and passing that but it does not work.

In calculator the high word part in decimal is 2147483648 and in VB it is -2147483648 because if the signed long issue I guess. Does this mean that VB is not representing the value correctly?

If I just pass 0 as the keyword I get everything returned but I don't want that as I only want the provider to deliver the events I want.

[fafalone]

When it comes to issues like these I like to check with C++. The Keyword arguments in EnableTraceEx2 take them as ULONGLONG, so that's what I used:

Code:

    ULONGLONG n1 = 0x8000000000000102ULL;
    ULONGLONG n2 = 0x8000000000000006ULL;
    ULONGLONG n3 = 0x8000000000000016ULL;

    ULONGLONG r1 = n1 | n2;
    ULONGLONG r2 = r1 | n3;

    std::cout
        << "n1|n2 = " << std::hex << r1 << '\n';
    std::cout << "n1|n2|n3 = " << std::hex << r2;

n1|n2 = 8000000000000106
n1|n2|n3 = 8000000000000116


So something has gone wrong with your Or arithmetic because -2147483648 = FFFFFFFF80000000.

LongLongs are always a pain... perhaps just store in a byte array.

Code:

Dim bt(7) As Byte
Dim curKW As Currency
bt(0) = &H16
bt(1) = &H01
bt(7) = &H80
CopyMemory curKW, bt(0), 8

Now you're guaranteed to have the correct value (the omitted array indexes are 0).

Edit: ninja'd with a better solution from The trick

[The trick]

Code:

Private Type T64Lng
    lL  As Long
    lH  As Long
End Type

Private Declare Sub GetMem8 Lib "msvbvm60" ( _
                    ByRef pSrc As Any, _
                    ByRef pDst As Any)

Private Function CYOr( _
                 ByVal c1 As Currency, _
                 ByVal c2 As Currency) As Currency
    Dim t1 As T64Lng
    Dim t2 As T64Lng
     
    GetMem8 c1, t1
    GetMem8 c2, t2
    
    t1.lL = t1.lL Or t2.lL
    t1.lH = t1.lH Or t2.lH
    
    GetMem8 t1, CYOr
    
End Function

[vbwins]

Thanks guys. Will have a play. I have to admit I find the documentation quite confusing when it comes to matchAnyKeyword and matchAllKeyword. I don't know why they made filtering so complicated but I guess there is a reason.

Also I am not entirely clear why the keyword in EventHeader.EventDescriptor.keyword.lowPart sometimes don't match the keywords defined in the manifest as visible in perfview.

[vbwins]

Code:

Private Type T64Lng
    lL  As Long
    lH  As Long
End Type

Private Declare Sub GetMem8 Lib "msvbvm60" ( _
                    ByRef pSrc As Any, _
                    ByRef pDst As Any)

Private Function CYOr( _
                 ByVal c1 As Currency, _
                 ByVal c2 As Currency) As Currency
    Dim t1 As T64Lng
    Dim t2 As T64Lng
     
    GetMem8 c1, t1
    GetMem8 c2, t2
    
    t1.lL = t1.lL Or t2.lL
    t1.lH = t1.lH Or t2.lH
    
    GetMem8 t1, CYOr
    
End Function

Hi Trick,

How do I pass a keyword of 0x8000000000000102 to CYOr

cheers

[fafalone]

The trick probably has a better way but you can combine the two methods we've posted...

Code:

Dim bt(7) As Byte
Dim curKW As Currency
bt(0) = &H02
bt(1) = &H01
bt(7) = &H80
CopyMemory curKW, bt(0), 8

curKW then contains 0x8000000000000102 and can be passed to CYOr.


BTW, I'm using twinBASIC for helping with this...

Code:

    Dim n1 As LongLong = &H8000000000000102
    Dim n2 As LongLong = &H8000000000000006
    Dim n3 As LongLong = &H8000000000000016
    Dim n4 As LongLong = &H8000000000000102
        
    Dim c1 As LongLong
    Dim c2 As LongLong
    Dim bt(7) As Byte
    Dim bt2(7) As Byte
        
    c1 = n1 Or n2 Or n3
    CopyMemory bt(0), n4, 8
    Dim i As Long
    For i = 0 To 7
        Debug.Print "&H" & Format$(Hex$(bt(i)), "00")
    Next

Life is much easier with a real LongLong

[wqweto]

Btw, you can use VT_I8 64-bit Variants w/ built-in Or operator in VB6 like this

Code:

Option Explicit

Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private Declare Function VariantChangeType Lib "oleaut32" (Dest As Variant, Src As Variant, ByVal wFlags As Integer, ByVal vt As VbVarType) As Long

Private Function CLngLng(vValue As Variant) As Variant
    Const VT_I8 As Long = &H14
    Call VariantChangeType(CLngLng, vValue, 0, VT_I8)
End Function

Private Function Hex64(vValue As Variant) As String
    Static S(0 To 1) As Long
    Call CopyMemory(S(0), ByVal VarPtr(vValue) + 8, 8)
    Hex64 = Right$("0000000" & Hex(S(1)), 8) & Right$("0000000" & Hex$(S(0)), 8)
End Function

Private Sub Form_Load()
    Debug.Print Hex64(CLngLng("&H8000000000000102") Or CLngLng("&H8000000000000006"))
    '-> 8000000000000106
    Debug.Print Hex64(CLngLng("&H8000000000000102") Or CLngLng("&H8000000000000006") Or CLngLng("&H8000000000000016"))
    '-> 8000000000000116
End Sub

The problem w/ VT_I8 64-bit Variants calculations is that these are slow.

cheers,
</wqw>

[vbwins]

Thanks guys. Will play some more. I don't think I can pass a 64 bit variant to ETW unless I am not understanding. Speed is not important. It happens once when the trace is set up and stays in place for the duration of the trace. Typically weeks.

[The trick]

Hi Trick,

How do I pass a keyword of 0x8000000000000102 to CYOr

cheers

For example:



we get -9223372036854775550 / 10000 = -922337203685477.5550@.

The same way is for 0x8000000000000016, we get -922337203685477.5786@.

Then we can ORish them as:

Code:

Debug.Print CYOr(-922337203685477.5550@, -922337203685477.5786@)

It prints -922337203685477.553 which is:

[vbwins]

Ahh. I think I have it. Thanks Trick.