I am using the StartTrace function to trace the NT Kernel events, but I am unable to trace the FileIO events. My aim is to track the events when any file is created, opened or closed.
In order to do this I have set the EVENT_TRACE_PROPERTIES members.
When I set the EnableFlags of the EVENT_TRACE_PROPERTIES structure to EVENT_TRACE_FLAG_DISK_IO | EVENT_TRACE_FLAG_DISK_FILE_IO, I am getting some diskio events traced.
As I want to trace the FileIO events, I am setting EnableFlags of the EVENT_TRACE_PROPERTIES structure to EVENT_TRACE_FLAG_FILE_IO. But my code is giving an "unknown identifier" error, so I defined it as
#define EVENT_TRACE_FLAG_FILE_IO 0x02000000
After this definition my code compiled, but I am not getting the FileIO events.
Can anybody help me with this issue?
Thanking you in advance
Datta Kandalkar