
How to get the user mode call stack

Open slayercat opened this issue 2 years ago • 2 comments

I used EVENT_ENABLE_PROPERTY_STACK_TRACE as a flag and used schema.stack_trace() to retrieve the call stack and return PC.

However, almost all call stacks obtained only have kernel mode call stacks (PC > 0xFFFF000000000000), and there are no user mode call stacks.

After consulting the documentation, I found that the EVENT_EXTENDED_ITEM_STACK_TRACE64 structure contains `ULONG64 MatchId;`, as described in the documentation:


MatchId

A unique identifier that you use to match the kernel-mode calls to the user-mode calls; the kernel-mode calls and user-mode calls are captured in separate events if the environment prevents both from being captured in the same event. If the kernel-mode and user-mode calls were captured in the same event, the value is zero.

There are many messages that have non-zero MatchId values. How can I use this value to find the user mode call stack?

Thanks.

slayercat avatar Apr 23 '23 05:04 slayercat

iirc the usermode stack will be emitted as Microsoft-Windows-Kernel-EventTracing event 18 - StackTraceUserModeStackTrace.

jdu2600 avatar Dec 17 '24 06:12 jdu2600
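The correlation step the documentation describes (kernel-mode and user-mode frames arriving in separate events that share a non-zero MatchId, or together in one event when MatchId is zero) is easier to see in code. The following is an added example, not krabsetw's code and not written by anyone in this thread. It assumes the stack-walk payload has already been read into a plain struct (the `StackEvent`, `match_id` and `addresses` names are ours), classifies frames with the same `0xFFFF000000000000` cut-off the question uses for kernel addresses, and pairs the two halves by MatchId; the sample events and addresses at the bottom are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <optional>
#include <utility>
#include <vector>

// Simplified, assumed view of one ETW stack-walk payload: the
// EVENT_EXTENDED_ITEM_STACK_TRACE64 header carries a MatchId followed by
// an array of 64-bit return addresses (innermost frame first). The struct
// and field names here are our own, not krabsetw's or Windows'.
struct StackEvent {
    uint64_t match_id;               // 0: kernel and user frames arrived in one event
    std::vector<uint64_t> addresses; // raw program counters from the event
};

// A stack with its frames separated into kernel-mode and user-mode halves.
struct MergedStack {
    std::vector<uint64_t> kernel;
    std::vector<uint64_t> user;
};

// The question recognises kernel frames as PC > 0xFFFF000000000000; the same
// cut-off is used here.
constexpr uint64_t kKernelBase = 0xFFFF000000000000ULL;

inline bool IsKernelAddress(uint64_t pc) { return pc >= kKernelBase; }

// Pairs kernel-only and user-only stack events that share a non-zero
// MatchId, and passes MatchId==0 events straight through.
class StackCorrelator {
public:
    // Returns a merged stack when this event completes one (or is
    // self-contained), otherwise std::nullopt while the other half is pending.
    std::optional<MergedStack> Add(const StackEvent& ev) {
        if (ev.match_id == 0) {
            // Both halves were captured in the same event; an empty user
            // half here genuinely means there were no user-mode frames.
            return Split(ev.addresses);
        }
        MergedStack& pending = pending_[ev.match_id];
        Append(pending, ev.addresses);
        if (pending.kernel.empty() || pending.user.empty()) {
            return std::nullopt;  // still waiting for the other half
        }
        MergedStack done = std::move(pending);
        pending_.erase(ev.match_id);
        return done;
    }

    size_t PendingCount() const { return pending_.size(); }

private:
    static void Append(MergedStack& out, const std::vector<uint64_t>& pcs) {
        for (uint64_t pc : pcs) {
            (IsKernelAddress(pc) ? out.kernel : out.user).push_back(pc);
        }
    }
    static MergedStack Split(const std::vector<uint64_t>& pcs) {
        MergedStack out;
        Append(out, pcs);
        return out;
    }
    std::map<uint64_t, MergedStack> pending_;  // keyed by MatchId
};

static void Print(const MergedStack& s) {
    std::printf("kernel frames: %zu, user frames: %zu\n", s.kernel.size(), s.user.size());
    for (uint64_t pc : s.kernel) std::printf("  K 0x%016llx\n", (unsigned long long)pc);
    for (uint64_t pc : s.user)   std::printf("  U 0x%016llx\n", (unsigned long long)pc);
}

int main() {
    StackCorrelator corr;
    // Constructed sample events (addresses are made up):
    // 1. kernel half arrives first with MatchId 0x1234 -> nothing emitted yet
    // 2. user half with the same MatchId -> merged stack emitted
    // 3. MatchId 0 event that already holds both halves -> emitted directly
    const StackEvent events[] = {
        {0x1234, {0xFFFFF80012345678ULL, 0xFFFFF8001234ABCDULL}},
        {0x1234, {0x00007FF6DEADBEEFULL, 0x00007FFC12345678ULL}},
        {0,      {0xFFFFF80012340000ULL, 0x00007FFC00001234ULL}},
    };
    for (const StackEvent& ev : events) {
        if (auto merged = corr.Add(ev)) Print(*merged);
    }
    return 0;
}
```

Reading the actual payload (via `schema.stack_trace()` in krabsetw, or the event 18 StackTraceUserModeStackTrace payload mentioned above) is left outside the example. One practical caveat: the pending map grows without bound if a user-mode half never arrives for a given MatchId, so a real consumer should evict entries after a short timeout rather than wait forever.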

I have the same issue as OP. Using user-ETW (not kernel/system ETW).

ImageLoad events (and ImageLoadInfo, ThreadStart, and others) have usermode callstack addresses after the kernel ones. That's how it should look: [image]

ImageUnloadInfo events (and ThreadStop, ProcessStop) have no userspace addresses, only kernelspace: [image]

I expect that if the *Load events show usermode addresses, the *Unload events should contain them too, as both have the kernel stack addresses. But I'll have a look at the recommended Microsoft-Windows-Kernel-EventTracing, maybe they appear there.

Edit: On second thought, maybe the *Unload events are generated by the kernel, and all is correct.

dobin avatar Dec 22 '24 09:12 dobin