getMapInfo always returns (nil, nil)
Hi, first off, thank you for making such a useful library.
I noticed an issue where *event.EventProperties() was taking 2-5 milliseconds to return and causing high CPU usage. It appears that this is caused by the call to TdhGetEventMapInformation in getMapInfo in event.go. This function appears to always return windows.ERROR_NOT_FOUND, but only after doing some work for ~1 millisecond on my machine. This function is called multiple times for each call to EventProperties(). Is this a bug? I am running x64 Windows 10, version 1909 with x86_64-w64-mingw32-gcc version 8.1. Any information you can provide would be appreciated.
Hi! It's great to hear that it can be useful for the community!
As you can see in the MS docs and examples (e.g. https://docs.microsoft.com/en-us/windows/win32/etw/using-tdhgetproperty-to-consume-event-data), TdhGetEventMapInformation is required to render some values (like enum or bit flags) to the string "just like you can see it in EventViewer".
So if the events you are interested in do not have such mappings, getMapInfo will always return nil, nil, which is pretty OK.
As for your problem: we could think about an option like WithoutMapInfo (or something like that) which disables enums/flags rendering in consuming events.
Sadly, I'm unsure about how difficult it can be in the current code, so I can't offer you an estimate of any kind.
But if you can hack through the code and check (or even confirm using docs/examples) whether we could just disable it without losing the possibility to get events with map information, it would surely help us to add the changes ASAP.
Hi, I spent a good deal of time looking and unfortunately was unable to find any confirmation that TdhGetEventMapInformation could be safely disabled. I also couldn't find any other mention of this issue, which is surprising, given that the CPU usage on my machine was ~20-30% while tracing network traffic events until I removed the call to TdhGetEventMapInformation, after which it dropped to zero. Would you accept a PR that adds WithoutMapInfo?