ETW - how to get the PID/TID for SysCallEnter / SysCallExit event?

I’m using ETW to get information about particular system calls, and using SysCallEnter / SysCallExit events seems to work, however those miss process ID and thread ID. Is there a way to retrieve them? Thanks

So, since I don’t really understand what you’re asking, I’m drawn to answering: “PsGetProcessId() and PsGetThreadId()”…

But, I’m betting that’s not your question.

Peter

Presumably he’s consuming the system call enter/exit ETW events.

These events are logged with minimal information and do not provide the PID/TID. These events are not very useful…

Yes, Scott is right. I’m using the ETW Kernel Logger for consuming the system call events, and my task is to understand which process those are coming from. Any hints are appreciated.
BTW, if I request the call stack event for those calls, a separate StackWalk event comes with all the required information; however, it’s impossible to understand which SysCallEnter call corresponds to that StackWalk event. Not sure why it is implemented in such a weird way in ETW.

There’s no way to get the corresponding PID/TID for these particular events. Not sure why the O/S chose not to include this info, but it’s just not there. I haven’t used it yet but you might want to try using DTrace for Windows. I haven’t played with it yet but it does not rely on ETW and appears to provide the PID.

Thanks for the pointer Scott!
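For anyone landing on this thread later, here is an added example (not from any poster above, and not Microsoft code) that shows concretely what a consumer sees: a SysCallEnter/SysCallExit record whose EVENT_HEADER ProcessId/ThreadId carry no usable value, next to a StackWalk_Event record whose payload does carry StackProcess/StackThread. The records are constructed in the script, not captured from a real system; the header layout follows EVENT_HEADER from evntcons.h on x64, the provider GUIDs and opcodes (PerfInfo 51/52, StackWalk 32) are the documented MOF values, and two things are assumptions: that the header PID/TID show up as 0xFFFFFFFF when not recorded, and that a StackWalk record is meant to be paired with its originating event by comparing its EventTimeStamp payload field with that event's header timestamp. The script marks syscall events that have no matching StackWalk as unattributed, which is the gap the thread describes.

```python
import struct
import uuid

# Provider GUIDs and opcodes of the classic kernel-logger events involved
# (values from the MOF documentation of the PerfInfo and StackWalk_Event classes).
PERFINFO_GUID = uuid.UUID("ce1dbfb4-137e-4da6-87b0-3f59aa102cbc")
STACKWALK_GUID = uuid.UUID("def2fe47-7bdb-4d3c-83c7-4f6e8aaa3b6b")
SYSCALL_ENTER, SYSCALL_EXIT, STACK_WALK = 51, 52, 32
NO_ID = 0xFFFFFFFF  # assumption: header PID/TID value when the kernel did not record them

# EVENT_HEADER (evntcons.h, x64): Size, HeaderType, Flags, EventProperty, ThreadId,
# ProcessId, TimeStamp, ProviderId, EVENT_DESCRIPTOR{Id, Version, Channel, Level,
# Opcode, Task, Keyword}, ProcessorTime, ActivityId = 80 bytes, no padding.
HEADER_FMT = "<HHHHIIq16sHBBBBHQQ16s"
HEADER_SIZE = struct.calcsize(HEADER_FMT)


def make_record(provider, opcode, tid, pid, timestamp, payload):
    """Build one constructed record: EVENT_HEADER followed by its MOF payload."""
    header = struct.pack(HEADER_FMT, HEADER_SIZE + len(payload), 0, 0, 0,
                         tid, pid, timestamp, provider.bytes_le,
                         0, 2, 0, 0, opcode, 0, 0, 0, bytes(16))
    return header + payload


def parse_record(buf):
    """Decode the header plus the payload fields relevant to PID/TID attribution."""
    (size, _, _, _, tid, pid, ts, prov, _, _, _, _, opcode, _, _, _, _) = \
        struct.unpack_from(HEADER_FMT, buf)
    provider = uuid.UUID(bytes_le=prov)
    payload = buf[HEADER_SIZE:size]
    rec = {"provider": provider, "opcode": opcode, "timestamp": ts,
           "pid": None if pid == NO_ID else pid,
           "tid": None if tid == NO_ID else tid}
    if provider == PERFINFO_GUID and opcode in (SYSCALL_ENTER, SYSCALL_EXIT):
        # SysCallEnter/SysCallExit payload is just the SysCallAddress pointer.
        rec["kind"] = "SysCallEnter" if opcode == SYSCALL_ENTER else "SysCallExit"
        rec["syscall_address"] = struct.unpack_from("<Q", payload)[0]
    elif provider == STACKWALK_GUID and opcode == STACK_WALK:
        # StackWalk_Event payload: EventTimeStamp, StackProcess, StackThread, Stack1..N
        ets, spid, stid = struct.unpack_from("<qII", payload)
        nframes = (len(payload) - 16) // 8
        rec.update(kind="StackWalk", event_timestamp=ets, stack_pid=spid, stack_tid=stid,
                   frames=list(struct.unpack_from(f"<{nframes}Q", payload, 16)))
    else:
        rec["kind"] = "Other"
    return rec, size


def split_records(buf):
    """Walk a byte buffer of back-to-back records using each header's Size field."""
    recs, off = [], 0
    while off < len(buf):
        rec, size = parse_record(buf[off:])
        recs.append(rec)
        off += size
    return recs


def attribute_syscalls(records):
    """Fill in pid/tid of syscall events from the StackWalk whose EventTimeStamp equals
    the syscall event's header timestamp (assumption about how the two are paired).
    Syscall events with no matching StackWalk keep pid/tid = None."""
    by_ts = {r["event_timestamp"]: r for r in records if r["kind"] == "StackWalk"}
    out = []
    for r in records:
        if r["kind"] in ("SysCallEnter", "SysCallExit") and r["pid"] is None:
            sw = by_ts.get(r["timestamp"])
            if sw is not None:
                r = dict(r, pid=sw["stack_pid"], tid=sw["stack_tid"], source="StackWalk")
            else:
                r = dict(r, source="none")
        out.append(r)
    return out


def constructed_trace():
    """Constructed sample (not a real capture): a SysCallEnter with a matching
    StackWalk, then a SysCallExit for which no StackWalk was emitted."""
    return b"".join([
        make_record(PERFINFO_GUID, SYSCALL_ENTER, NO_ID, NO_ID, 1000,
                    struct.pack("<Q", 0xFFFFF80001234560)),
        make_record(STACKWALK_GUID, STACK_WALK, 7, 4242, 1001,
                    struct.pack("<qII", 1000, 4242, 7) +
                    struct.pack("<2Q", 0xFFFFF80001234560, 0x00007FF6A0001000)),
        make_record(PERFINFO_GUID, SYSCALL_EXIT, NO_ID, NO_ID, 1005,
                    struct.pack("<Q", 0xFFFFF80001234560)),
    ])


if __name__ == "__main__":
    for r in attribute_syscalls(split_records(constructed_trace())):
        print(r["kind"], "pid=%s tid=%s" % (r["pid"], r["tid"]), r.get("source", ""))
```

Running it prints the enter event attributed to pid 4242 / tid 7 via the StackWalk and the exit event left with pid/tid None, which is exactly the situation a real consumer callback has to cope with: the header alone never tells you the process, and only events for which the kernel also emitted a stack walk can be attributed at all.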