processhack etw plugin can not show process read write file event #749

Closed
yangjian123 opened this issue Dec 9, 2020 · 7 comments

@yangjian123

Describe the bug
On Windows 7, I wrote a test app which creates, writes, reads and renames files. I switched to the Disk tab in Process Hacker and cannot see any event fired by my test app.

To Reproduce

  1. Start my test app
  2. Open Process Hacker and switch to the Disk tab

Expected behavior
Process Hacker can show the file events fired by my test app.

Desktop (please complete the following information):

  • OS: Windows 7 x64 Service Pack 1

Additional context
On Windows 7, I wrote my own ETW app to monitor the test app, and my ETW session name is NT Kernel Logger; it also cannot monitor my test app's file events. The main cause is that ETW gives process and thread ID -1, which cannot be correlated with a file path.

@yangjian123
Author

My test code is shown in the picture below.

@yangjian123
Author

The Process Hacker test result picture is shown below.

@dmex
Member

dmex commented Dec 9, 2020

switch to the disk tab in the processhacker and can not see anything event fired by my test app

Does Resource Monitor show the disk activity?

Start > Run > "perfmon /res"

Expand the Disk Activity section and check for the files here:


@yangjian123
Author

It seems perfmon also cannot monitor file read/write. I tested all of this in VMware, but Windows Performance Recorder and procmon can detect this behaviour. I have no idea about this.

@dmex
Member

dmex commented Dec 9, 2020

perfmon also can not monitor file read write

Perfmon and Process Hacker are showing physical disk events which are separate to File events. Raymond Chen posted notes about this here: https://devblogs.microsoft.com/oldnewthing/20201125-00/?p=104480


windows performance record and procmon can detect this behaviour

The Disk tab only shows events from DISK IO for the actual physical disk activity. Those tools are showing FILE IO for every operation performed on the file.

i write a test app, which create,write,read,rename files

The operation must touch the physical disk to become visible on the Process Hacker Disk tab. When the disk cache, a minifilter or another kernel driver processes/blocks/caches the operation and doesn't touch the physical disk, then it won't be visible.

I can post a new plugin that shows the individual file operations like procmon does if you create a new issue in the plugins-extra repository asking for a new plugin for the FileIO?
https://github.com/processhacker/plugins-extra/issues/new

The events are too verbose to include in the main application:
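To see the split dmex describes for yourself, here is an added example (not from the issue, and not Process Hacker code) that records one NT Kernel Logger session with both the DiskIo and FileIo keywords over the same create/write/read/rename workload and counts each event class. The keyword names and the tracerpt CSV layout are assumptions; verify them with `logman query providers "Windows Kernel Trace"` and by opening the CSV.

```powershell
# Added example: DiskIo vs FileIo events for one small file workload.
# Assumptions: run as Administrator; logman/tracerpt present; the tracerpt CSV
# puts the event name ("DiskIo", "FileIo") in its first column.
$etl  = Join-Path $env:TEMP 'kernel.etl'
$csv  = Join-Path $env:TEMP 'kernel.csv'
$file = Join-Path $env:TEMP 'etw-test.txt'

# Only one NT Kernel Logger session can exist; clear any leftover one first.
logman stop "NT Kernel Logger" -ets 2>$null
# disk   = DiskIo (physical disk reads/writes, what the Disk tab consumes)
# file   = file object to path name mapping (needed to resolve file names)
# fileio = FileIo (every create/read/write/rename, what procmon/WPR show)
logman start "NT Kernel Logger" -p "Windows Kernel Trace" '(process,thread,disk,file,fileio)' -o $etl -ets | Out-Null

# Workload mirroring the report: create, write, read, rename.
Set-Content -Path $file -Value ('x' * 4096)
Get-Content -Path $file | Out-Null
Rename-Item -Path $file -NewName 'etw-test-renamed.txt'

# The cache manager may hold the 4 KB write in memory, so no DiskIo is
# guaranteed yet. Forcing a flush to disk is what produces a DiskIo write;
# uncomment to compare the counts with and without it.
# $fs = [System.IO.File]::Open((Join-Path $env:TEMP 'etw-test-renamed.txt'), 'Open')
# $fs.Flush($true); $fs.Close()

logman stop "NT Kernel Logger" -ets | Out-Null
# -of CSV: text output, -y: overwrite without prompting
tracerpt $etl -o $csv -of CSV -y | Out-Null

# Counts are system-wide (the kernel session is not per-process), so
# compare the two classes rather than reading the absolute numbers.
$lines  = Get-Content $csv
$diskIo = ($lines | Where-Object { $_ -match '^"?DiskIo' }).Count
$fileIo = ($lines | Where-Object { $_ -match '^"?FileIo' }).Count
"FileIo events: $fileIo  (one per file operation, as procmon/WPR show)"
"DiskIo events: $diskIo  (physical disk activity, as the Disk tab shows)"
```

FileIo events appear for each operation regardless of caching, while DiskIo events only appear once the write actually reaches the disk, which is the gap the original report is seeing.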

@yangjian123
Author

Thanks for dmex's explanation. I am a heavy user of Process Hacker; I really hope to have such a plugin and I will create a new issue in the plugins-extra repository.

@dmex
Member

dmex commented Dec 9, 2020

really hope to have such a plugin and i will create a new issue

Thanks, I'll post something in a week or two over Christmas 👍
