I have an ETL file and I am trying to parse it with OpenTrace and get the information with TdhGetEventInformation when I get the EventRecordCallback callback.
However, for the provider that I need, it always returns 1168 (NOT FOUND). The only way it works is by loading the manifest with TdhLoadManifest; this way I get all the information. But I don't understand how WPA and PerfView can get all the events for my provider even when I am not providing the manifest...
I found that TDH.dll has some undocumented functions that PerfView uses, like TdhGetAllEventsInformation. I tried to use this function by loading the DLL with LoadLibraryEx; the function again returned 1168.
The following code is mostly from Microsoft samples:

    DWORD status = ERROR_SUCCESS;
    DWORD BufferSize = 0;

    // First call with a zero-length buffer to obtain the required size.
    status = TdhGetEventInformation(pEvent, 0, nullptr, pInfo, &BufferSize);
    if (1168 == status) // ERROR_NOT_FOUND
        return status; // THIS

    if (ERROR_INSUFFICIENT_BUFFER == status)
    {
        pInfo = (TRACE_EVENT_INFO*)malloc(BufferSize);
        if (pInfo == NULL)
        {
            LogPrintError(L"Failed to allocate memory for event info (size=%lu).\n", BufferSize);
            status = ERROR_OUTOFMEMORY;
            goto cleanup;
        }
        // Zero the buffer only after the allocation is known to have succeeded.
        ZeroMemory(pInfo, BufferSize);

        // Retrieve the event metadata.
        status = TdhGetEventInformation(pEvent, 0, NULL, pInfo, &BufferSize);
    }

I really want to know how PerfView gets this information without the manifest. So far I see they use TdhGetAllEventsInformation, but I keep receiving 1168. Am I missing something?
Thanks.