This repository has been archived by the owner on Nov 1, 2024. It is now read-only.
Can processhacker plugin support individual file op? #82
Hi dmex, do you know why EventRecord->EventHeader->ProcessId and EventRecord->EventHeader->ThreadId are always -1 on Windows 7 for file I/O events? I modified the etwmon.c code as below, and the problem still exists. Does dmex have any idea about this? `EtpTraceProperties->Wnode.BufferSize = bufferSize;`
You ignore these for the ID included in the event message.
Where can we get the correct process ID and thread ID? Can dmex supply some help?
The kernel generally returns files to the application from cache, not disk. Components like Superfetch speculatively load files before the process is created, so when the ID is zero you default to processId 4 for system.
Hi dmex, do you have any update?
I am a heavy user of Process Hacker. Sometimes I need to analyze file operations (read, write). I hope Process Hacker can have such a plugin.