This project has moved and is read-only. For the latest updates, please go here.

Receiving FileIoName events not possible

Sep 29, 2011 at 3:38 PM

Hi,

I' trying to track file write io for certain files in a given directory.

The FileIoWrite events occur properly, but its not possible to lookup for the filenames, since the lookup table does not contain either the FileObject nor the FileKey.

It seems like the events are simply not provided by the session. How can i enable them? Even when I enable "All" keywords, im not receiving ANY name events.

It is a realtime session:

 

KernelSession = new TraceEventSession(
    KernelTraceEventParser.KernelSessionName, null);
KernelSource = new ETWTraceEventSource(
    KernelTraceEventParser.KernelSessionName, TraceEventSourceType.Session);
KernelParser = new KernelTraceEventParser(
    KernelSource);

...


KernelSession.StopOnDispose = true;

KernelSession.EnableKernelProvider(
    KernelTraceEventParser.Keywords.FileIO |
    KernelTraceEventParser.Keywords.FileIOInit |
    KernelTraceEventParser.Keywords.Thread);

SourceProcessor = Task.Factory.StartNew(() =>
    KernelSource.Process());

Sep 29, 2011 at 3:39 PM

I posted another request here : http://social.msdn.microsoft.com/Forums/en-US/netfxbcl/thread/43b8f4eb-f85c-4060-938a-c627bed2b3ab

Sep 30, 2011 at 1:29 PM

I tried to enable "KernelTraceEventParser.Keywords.DiskFileIO" only. There is not a single event. According to the comment on this flag it should deliver all of those naming events.

How can i get them?

Oct 4, 2011 at 11:53 PM

What is needed is the FileName 'rundown' events.    These events map file objects  to their name, and are normally emitted at the end of a trace.

Current these events are only generated at 'rundown' when an ETL file closes and there is no way of triggering this in a realtime provider.

This has been fixed in Windows 8, but until then you must use a file to track File I/O.