I used EVENT_ENABLE_PROPERTY_STACK_TRACE as a flag and used schema.stack_trace() to retrieve the call stack and return PC.
However, almost all call stacks obtained only have kernel mode call stacks (PC > 0xFFFF000000000000), and there are no user mode call stacks.
After consulting the documentation, I found that the EVENT_EXTENDED_ITEM_STACK_TRACE64 structure contains ULONG64 MatchId, as described in the documentation:
MatchId
A unique identifier that you use to match the kernel-mode calls to the user-mode calls; the kernel-mode calls and user-mode calls are captured in separate events if the environment prevents both from being captured in the same event. If the kernel-mode and user-mode calls were captured in the same event, the value is zero.
There are many messages that have non-zero MatchId values. How can I use this value to find the user mode call stack?
Thanks.
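The documentation quoted above says the kernel-mode and user-mode halves of a stack arrive in separate events when they cannot be captured together, and that MatchId is the key that pairs them. The following added example is not part of the issue and is not krabsetw's code; it only shows the pairing logic in isolation. It assumes the caller has already pulled MatchId and the Address[] array out of each EVENT_EXTENDED_ITEM_STACK_TRACE64 item and hands them in as a StackFragment, and it reuses the issue's own x64 heuristic (PC above 0xFFFF000000000000 is kernel mode) to split the combined frames. All addresses in the demo are constructed values.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <optional>
#include <vector>

// The issue's heuristic for x64: kernel-mode PCs sit above this boundary.
constexpr uint64_t kKernelBoundary = 0xFFFF000000000000ULL;

// One stack-trace extended item as seen in a single event. In real code the
// fields come from EVENT_EXTENDED_ITEM_STACK_TRACE64 (MatchId and Address[],
// with the frame count derived from the item's DataSize); here they are
// filled in by hand.
struct StackFragment {
    uint64_t matchId;              // 0 means the event already holds both halves
    std::vector<uint64_t> frames;  // program counters, innermost first
};

// A stack with the two modes separated for the caller.
struct MergedStack {
    std::vector<uint64_t> kernel;
    std::vector<uint64_t> user;
};

bool isKernelAddress(uint64_t pc) { return pc >= kKernelBoundary; }

// Pairs fragments by MatchId. A fragment whose partner has not been seen yet
// is parked; when the second fragment with the same MatchId arrives the two
// are combined and returned.
class StackMatcher {
public:
    std::optional<MergedStack> feed(const StackFragment& frag) {
        if (frag.matchId == 0) {
            return split(frag.frames);  // self-contained event, nothing to pair
        }
        auto it = pending_.find(frag.matchId);
        if (it == pending_.end()) {
            pending_.emplace(frag.matchId, frag.frames);  // wait for the partner
            return std::nullopt;
        }
        std::vector<uint64_t> combined = it->second;
        combined.insert(combined.end(), frag.frames.begin(), frag.frames.end());
        pending_.erase(it);
        return split(combined);
    }

    // Fragments still waiting for a partner; a long-running consumer should
    // evict old entries rather than let this grow without bound.
    std::size_t pendingCount() const { return pending_.size(); }

private:
    static MergedStack split(const std::vector<uint64_t>& frames) {
        MergedStack out;
        for (uint64_t pc : frames) {
            (isKernelAddress(pc) ? out.kernel : out.user).push_back(pc);
        }
        return out;
    }
    std::map<uint64_t, std::vector<uint64_t>> pending_;
};

int main() {
    StackMatcher matcher;
    // Constructed sample: a kernel-only fragment for MatchId 42 arrives first,
    // then the user-mode fragment for the same MatchId completes it.
    StackFragment kernelHalf{42, {0xFFFFF80000001000ULL, 0xFFFFF80000002000ULL}};
    StackFragment userHalf{42, {0x00007FF600001000ULL, 0x00007FF600002000ULL}};

    if (!matcher.feed(kernelHalf)) {
        std::printf("MatchId 42: kernel half parked, waiting for user half\n");
    }
    if (auto merged = matcher.feed(userHalf)) {
        std::printf("MatchId 42: %zu kernel frames, %zu user frames\n",
                    merged->kernel.size(), merged->user.size());
    }
    return 0;
}
```

The example deliberately does not assume which event carries which half or in what order they arrive; it only relies on the documented contract that both halves share one non-zero MatchId. Whether a given provider's events ever deliver the user-mode half is exactly the open question in this issue, so on a real trace the pending map should be inspected to see how many fragments never found a partner.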
I have the same issue as OP. Using user-ETW (not kernel/system ETW).
ImageLoad events (and ImageLoadInfo, ThreadStart, and others) have usermode callstack addresses after the kernel ones. That's how it should look:
ImageUnloadInfo events (and ThreadStop, ProcessStop) have no userspace addresses, only kernelspace:
I expect that if the *Load events show usermode addresses, the *Unload events should contain them too, as both have the kernel stack addresses. But I'll have a look at the recommended Microsoft-Windows-Kernel-EventTracing, maybe they appear there.
Edit: On a second thought, maybe the *Unload events are generated by the kernel, and all is correct.