TdhGetEventInformation

[vbwins]

I am doing some ewt work using the ndis packet capture provider. Has anyone had any luck calling TdhGetEventInformation from vb6? I have spent hours both myself and with Claude and chat gpt and all i get is stack corruption after the call

[baka]

did u ask for a c++ example and after that ask AI to translate it into VB6 code?

[VanGoghGaming]

Have you tried to use fafalone's API definitions? Chances are he's got the correct structures with all the unions and stuff.

[fafalone]

Instead of AI try GitHub code search in c/cpp files for actual working examples.

Hard to know what's wrong without code. How you handle the trace info struct is my guess, with the unions and variable c-style array. In my defs I assumed a maximum of 128 descriptors but for production use you may want a dynamic allocation.

[vbwins]

Instead of AI try GitHub code search in c/cpp files for actual working examples.

Hard to know what's wrong without code. How you handle the trace info struct is my guess, with the unions and variable c-style array. In my defs I assumed a maximum of 128 descriptors but for production use you may want a dynamic allocation.

Thanks all. Will take a look at the suggestions. @Faf. Is there an example in codebank where you use it?

[fafalone]

No but I did cover all the tdh definitions, https://github.com/fafalone/WinDevLi...ETW.twin#L2309

[fafalone]

I've got it working using the defs from WinDevLib, so compare your defs to that.

Code:

Private Sub dbgTestTDH(pRec As EVENT_RECORD)
    
    
    Dim hr As Long
    Dim tInfo As TRACE_EVENT_INFO_sa
    Dim cb As Long
     
    hr = TdhGetEventInformation(pRec, 0, ByVal vbNullPtr, ByVal vbNullPtr, cb)
    If hr = ERROR_INSUFFICIENT_BUFFER Then
        Dim pInfo As LongPtr = LocalAlloc(LPTR, cb)
        hr = TdhGetEventInformation(pRec, 0, ByVal vbNullPtr, ByVal pInfo, cb)
    Else
        PostLog "TdhGetEventInformation initial call failed, ret=" & hr
        Exit Sub
    End If
    PostLog "TdhGetEventInformation ret=" & hr & ", cb=" & cb
    If hr = ERROR_SUCCESS Then
        CopyMemory tInfo, ByVal pInfo, 112
        PostLog "TdhGetEventInformation provider=" & dbg_GUIDToString(tInfo.ProviderGuid) & "; opcodeoffset=" & tInfo.OpcodeNameOffset & "; propcount=" & tInfo.TopLevelPropertyCount
        If tInfo.ProviderNameOffset Then
            Dim provName As String
            provName = LPWSTRtoStr(pInfo + tInfo.ProviderNameOffset, False)
            PostLog "TdhGetEventInformation provider name=" & provName
        Else
            PostLog "TdhGetEventInformation no provider offset"
        End If
        If tInfo.TopLevelPropertyCount Then
            ReDim tInfo.EventPropertyInfoArray(tInfo.TopLevelPropertyCount - 1)
            CopyMemory tInfo.EventPropertyInfoArray(0), ByVal pInfo + &H70, LenB(Of EVENT_PROPERTY_INFO) * tInfo.TopLevelPropertyCount
            For i As Long = 0 To tInfo.TopLevelPropertyCount - 1
                If tInfo.EventPropertyInfoArray(i).NameOffset Then
                Dim propName As String
                propName = LPWSTRtoStr(pInfo + tInfo.EventPropertyInfoArray(i).NameOffset, False)
                PostLog "TdhGetEventInformation propName[" & i & "]=" & propName
                Else
                    PostLog "no name offset"
                End If
            Next
        End If
    End If
    LocalFree pInfo
End Sub

Successfully returns the provider guid/name and property names.