TdhGetEventInformation

[vbwins]

I am doing some ewt work using the ndis packet capture provider. Has anyone had any luck calling TdhGetEventInformation from vb6? I have spent hours both myself and with Claude and chat gpt and all i get is stack corruption after the call

[baka]

did u ask for a c++ example and after that ask AI to translate it into VB6 code?

[VanGoghGaming]

Have you tried to use fafalone's API definitions? Chances are he's got the correct structures with all the unions and stuff.

[fafalone]

Instead of AI try GitHub code search in c/cpp files for actual working examples.

Hard to know what's wrong without code. How you handle the trace info struct is my guess, with the unions and variable c-style array. In my defs I assumed a maximum of 128 descriptors but for production use you may want a dynamic allocation.

[vbwins]

Instead of AI try GitHub code search in c/cpp files for actual working examples.

Hard to know what's wrong without code. How you handle the trace info struct is my guess, with the unions and variable c-style array. In my defs I assumed a maximum of 128 descriptors but for production use you may want a dynamic allocation.

Thanks all. Will take a look at the suggestions. @Faf. Is there an example in codebank where you use it?

[fafalone]

No but I did cover all the tdh definitions, https://github.com/fafalone/WinDevLi...ETW.twin#L2309

[fafalone]

I've got it working using the defs from WinDevLib, so compare your defs to that.

Code:

Private Sub dbgTestTDH(pRec As EVENT_RECORD)
    
    
    Dim hr As Long
    Dim tInfo As TRACE_EVENT_INFO_sa
    Dim cb As Long
     
    hr = TdhGetEventInformation(pRec, 0, ByVal vbNullPtr, ByVal vbNullPtr, cb)
    If hr = ERROR_INSUFFICIENT_BUFFER Then
        Dim pInfo As LongPtr = LocalAlloc(LPTR, cb)
        hr = TdhGetEventInformation(pRec, 0, ByVal vbNullPtr, ByVal pInfo, cb)
    Else
        PostLog "TdhGetEventInformation initial call failed, ret=" & hr
        Exit Sub
    End If
    PostLog "TdhGetEventInformation ret=" & hr & ", cb=" & cb
    If hr = ERROR_SUCCESS Then
        CopyMemory tInfo, ByVal pInfo, 112 'Copy everything before the variable c-style array
        PostLog "TdhGetEventInformation provider=" & dbg_GUIDToString(tInfo.ProviderGuid) & "; opcodeoffset=" & tInfo.OpcodeNameOffset & "; propcount=" & tInfo.TopLevelPropertyCount
        If tInfo.ProviderNameOffset Then
            Dim provName As String
            provName = LPWSTRtoStr(pInfo + tInfo.ProviderNameOffset, False)
            PostLog "TdhGetEventInformation provider name=" & provName
        Else
            PostLog "TdhGetEventInformation no provider offset"
        End If
        If tInfo.TopLevelPropertyCount Then
            ReDim tInfo.EventPropertyInfoArray(tInfo.TopLevelPropertyCount - 1)
            CopyMemory tInfo.EventPropertyInfoArray(0), ByVal pInfo + &H70, LenB(Of EVENT_PROPERTY_INFO) * tInfo.TopLevelPropertyCount
            For i As Long = 0 To tInfo.TopLevelPropertyCount - 1
                If tInfo.EventPropertyInfoArray(i).NameOffset Then
                    Dim propName As String
                    propName = LPWSTRtoStr(pInfo + tInfo.EventPropertyInfoArray(i).NameOffset, False)
                    PostLog "TdhGetEventInformation propName[" & i & "]=" & propName
                Else
                    PostLog "no name offset"
                End If
            Next
        End If
    End If
    If pInfo Then LocalFree pInfo
End Sub

Successfully returns the provider guid/name and property names, so looks like everything is being filled in correctly. I'll try to port a more thorough property dump tomorrow.

I'll leave all the copy/pasting and minor adjustments to you to back-port to vb6. Once you get used to just straight coding and not needing to constantly interrupt it to find/copy/paste or port from C all the win32 API defs you'll never want to go back. And etw is particularly bad for the language substitutions and alignment edge cases that are easy to mess up... like my original event tracing project you can't just blindly substitute Currency for ULONGLONG or use a 2xLong LARGE_INTEGER without accounting for it not being a true 8-byte alignment -- watch out for that with WinDevLib defs because it uses LongLong which is a true 8-byte type so there's no manual padding. Doesn't seem to impact the code above but if you go deeper into things it might come up. Plus WOW64 issues. Really should move to tB, it's very strong on supporting these API-based projects; my original ETW project was the first thing I tried in tB, it went great, and that was years ago with major improvements since-- and event tracers I expect will significantly benefit from LLVM optimization which is coming very very soon now, possibly this week.