Object Handle tracing in ETW
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}
1
Process Explorer from Sysinternals displays all the handles held by a process, with fields such as the object's name, type, address and the handle value. For example:
ETW's NT Kernel Logger trace session has events for handle operations with the syntax:
class ObHandleEvent : ObTrace
{
uint32 Handle;
uint32 Object;
string ObjectName;
uint16 ObjectType;
};
My question is this:
ObjectType in ETW is a 16-bit integer. How to map the integer ObjectType value to the corresponding object type name (as displayed in Process Explorer)?
etw process-explorer
edited Nov 22 '18 at 16:09
magicandre1981
16.6k35084
asked Nov 22 '18 at 8:40
noone23noone23
212
add a comment |
1
Process Explorer from Sysinternals displays all the handles held by a process, with fields such as the object's name, type, address and the handle value. For example:
ETW's NT Kernel Logger trace session has events for handle operations with the syntax:
class ObHandleEvent : ObTrace
{
uint32 Handle;
uint32 Object;
string ObjectName;
uint16 ObjectType;
};
My question is this:
ObjectType in ETW is a 16-bit integer. How to map the integer ObjectType value to the corresponding object type name (as displayed in Process Explorer)?
etw process-explorer
edited Nov 22 '18 at 16:09
magicandre1981
16.6k35084
asked Nov 22 '18 at 8:40
noone23noone23
212
Clarification:Ctrl+Hdisplays the Handles of the process in the Lower Pane View.
– shadowbq
Mar 20 at 15:06
add a comment |
1
1
1
1
Process Explorer from Sysinternals displays all the handles held by a process, with fields such as the object's name, type, address and the handle value. For example:
ETW's NT Kernel Logger trace session has events for handle operations with the syntax:
class ObHandleEvent : ObTrace
{
uint32 Handle;
uint32 Object;
string ObjectName;
uint16 ObjectType;
};
My question is this:
ObjectType in ETW is a 16-bit integer. How to map the integer ObjectType value to the corresponding object type name (as displayed in Process Explorer)?
etw process-explorer
edited Nov 22 '18 at 16:09
magicandre1981
16.6k35084
asked Nov 22 '18 at 8:40
noone23noone23
212
Process Explorer from Sysinternals displays all the handles held by a process, with fields such as the object's name, type, address and the handle value. For example:
ETW's NT Kernel Logger trace session has events for handle operations with the syntax:
class ObHandleEvent : ObTrace
{
uint32 Handle;
uint32 Object;
string ObjectName;
uint16 ObjectType;
};
My question is this:
ObjectType in ETW is a 16-bit integer. How to map the integer ObjectType value to the corresponding object type name (as displayed in Process Explorer)?
etw process-explorer
etw process-explorer
edited Nov 22 '18 at 16:09
magicandre1981
16.6k35084
asked Nov 22 '18 at 8:40
noone23noone23
212
edited Nov 22 '18 at 16:09
magicandre1981
16.6k35084
asked Nov 22 '18 at 8:40
noone23noone23
212
edited Nov 22 '18 at 16:09
magicandre1981
16.6k35084
edited Nov 22 '18 at 16:09
magicandre1981
16.6k35084
edited Nov 22 '18 at 16:09
magicandre1981
16.6k35084
16.6k35084
asked Nov 22 '18 at 8:40
noone23noone23
212
asked Nov 22 '18 at 8:40
noone23noone23
212
asked Nov 22 '18 at 8:40
noone23noone23
212
212
Clarification:Ctrl+Hdisplays the Handles of the process in the Lower Pane View.
– shadowbq
Mar 20 at 15:06
add a comment |
Clarification:Ctrl+Hdisplays the Handles of the process in the Lower Pane View.
– shadowbq
Mar 20 at 15:06
Clarification:
Ctrl+H displays the Handles of the process in the Lower Pane View.– shadowbq
Mar 20 at 15:06
Clarification:
Ctrl+H displays the Handles of the process in the Lower Pane View.– shadowbq
Mar 20 at 15:06
add a comment |
1 Answer
1
active
oldest
votes
0
I think the kernel object types are the ones you are after. Check out in a Kernel debugger or livekd with the command
0: kd> !object ObjectTypes
Object: ffffe589f9c17aa0 Type: (ffffb28572cd3820) Directory
ObjectHeader: ffffe589f9c17a70 (new version)
HandleCount: 0 PointerCount: 68
Directory Object: ffffe589f9c14a60 Name: ObjectTypes
Hash Address Type Name
---- ------- ---- ----
00 ffffb28572d7e180 Type TmTm
01 ffffb28572d76310 Type Desktop
ffffb28572c3e680 Type Process
02 ffffb28572d53ad0 Type EnergyTracker
ffffb28572d5cbb0 Type RegistryTransaction
03 ffffb28572cccc60 Type DebugObject
04 ffffb28575682520 Type VRegConfigurationContext
ffffb28572ccc440 Type TpWorkerFactory
05 ffffb28572d6da20 Type Adapter
ffffb28572ccfc40 Type Token
06 ffffb2857562ebb0 Type DxgkSharedResource
07 ffffb28572ccb560 Type PsSiloContextPaged
....
Then you can dump the object header with
0: kd> dt nt!_OBJECT_TYPE ffffb28572d68e80
+0x000 TypeList : _LIST_ENTRY [ 0xffffb285`72d68e80 - 0xffffb285`72d68e80 ]
+0x010 Name : _UNICODE_STRING "Section"
+0x020 DefaultObject : 0xfffff801`a03c4680 Void
**+0x028 Index : 0x29 ')'**
+0x02c TotalNumberOfObjects : 0x4943
+0x030 TotalNumberOfHandles : 0xf50
+0x034 HighWaterNumberOfObjects : 0x4ccc
+0x038 HighWaterNumberOfHandles : 0x10c3
+0x040 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0b8 TypeLock : _EX_PUSH_LOCK
+0x0c0 Key : 0x74636553
+0x0c8 CallbackList : _LIST_ENTRY [ 0xffffb285`72d68f48 - 0xffffb285`72d68f48 ]
The Index field should relate to the corresponding ETW event. I am not sure if this index is constant between windows versions but I think not.
Process Hacker (the better process explorer) formats the object type with this method:
static VOID PhpDumpObjectInfo(
_In_ PPH_OBJECT_HEADER ObjectHeader
)
{
PVOID object;
PPH_OBJECT_TYPE objectType;
object = PhObjectHeaderToObject(ObjectHeader);
objectType = PhGetObjectType(object);
__try
{
wprintf(L"Type: %sn", objectType->Name);
wprintf(L"Reference count: %dn", ObjectHeader->RefCount);
wprintf(L"Flags: %xn", ObjectHeader->Flags);
if (objectType == PhObjectTypeObject)
{
wprintf(L"Name: %sn", ((PPH_OBJECT_TYPE)object)->Name);
wprintf(L"Number of objects: %un", ((PPH_OBJECT_TYPE)object)->NumberOfObjects);
wprintf(L"Flags: %un", ((PPH_OBJECT_TYPE)object)->Flags);
wprintf(L"Type index: %un", ((PPH_OBJECT_TYPE)object)->TypeIndex);
wprintf(L"Free list count: %un", ((PPH_OBJECT_TYPE)object)->FreeList.Count);
}
else if (objectType == PhStringType)
{
wprintf(L"%sn", ((PPH_STRING)object)->Buffer);
}
That should give you some pointers where to look next.
answered Dec 11 '18 at 18:55
Alois KrausAlois Kraus
10.4k2553
1
The index field is definitely not constant, it even changes in all Windows Builds even between RS releases in Win10.
– shadowbq
Mar 20 at 15:04
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53426872%2fobject-handle-tracing-in-etw%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
0
I think the kernel object types are the ones you are after. Check out in a Kernel debugger or livekd with the command
0: kd> !object ObjectTypes
Object: ffffe589f9c17aa0 Type: (ffffb28572cd3820) Directory
ObjectHeader: ffffe589f9c17a70 (new version)
HandleCount: 0 PointerCount: 68
Directory Object: ffffe589f9c14a60 Name: ObjectTypes
Hash Address Type Name
---- ------- ---- ----
00 ffffb28572d7e180 Type TmTm
01 ffffb28572d76310 Type Desktop
ffffb28572c3e680 Type Process
02 ffffb28572d53ad0 Type EnergyTracker
ffffb28572d5cbb0 Type RegistryTransaction
03 ffffb28572cccc60 Type DebugObject
04 ffffb28575682520 Type VRegConfigurationContext
ffffb28572ccc440 Type TpWorkerFactory
05 ffffb28572d6da20 Type Adapter
ffffb28572ccfc40 Type Token
06 ffffb2857562ebb0 Type DxgkSharedResource
07 ffffb28572ccb560 Type PsSiloContextPaged
....
Then you can dump the object header with
0: kd> dt nt!_OBJECT_TYPE ffffb28572d68e80
+0x000 TypeList : _LIST_ENTRY [ 0xffffb285`72d68e80 - 0xffffb285`72d68e80 ]
+0x010 Name : _UNICODE_STRING "Section"
+0x020 DefaultObject : 0xfffff801`a03c4680 Void
**+0x028 Index : 0x29 ')'**
+0x02c TotalNumberOfObjects : 0x4943
+0x030 TotalNumberOfHandles : 0xf50
+0x034 HighWaterNumberOfObjects : 0x4ccc
+0x038 HighWaterNumberOfHandles : 0x10c3
+0x040 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0b8 TypeLock : _EX_PUSH_LOCK
+0x0c0 Key : 0x74636553
+0x0c8 CallbackList : _LIST_ENTRY [ 0xffffb285`72d68f48 - 0xffffb285`72d68f48 ]
The Index field should relate to the corresponding ETW event. I am not sure if this index is constant between windows versions but I think not.
Process Hacker (the better process explorer) formats the object type with this method:
static VOID PhpDumpObjectInfo(
_In_ PPH_OBJECT_HEADER ObjectHeader
)
{
PVOID object;
PPH_OBJECT_TYPE objectType;
object = PhObjectHeaderToObject(ObjectHeader);
objectType = PhGetObjectType(object);
__try
{
wprintf(L"Type: %sn", objectType->Name);
wprintf(L"Reference count: %dn", ObjectHeader->RefCount);
wprintf(L"Flags: %xn", ObjectHeader->Flags);
if (objectType == PhObjectTypeObject)
{
wprintf(L"Name: %sn", ((PPH_OBJECT_TYPE)object)->Name);
wprintf(L"Number of objects: %un", ((PPH_OBJECT_TYPE)object)->NumberOfObjects);
wprintf(L"Flags: %un", ((PPH_OBJECT_TYPE)object)->Flags);
wprintf(L"Type index: %un", ((PPH_OBJECT_TYPE)object)->TypeIndex);
wprintf(L"Free list count: %un", ((PPH_OBJECT_TYPE)object)->FreeList.Count);
}
else if (objectType == PhStringType)
{
wprintf(L"%sn", ((PPH_STRING)object)->Buffer);
}
That should give you some pointers where to look next.
answered Dec 11 '18 at 18:55
Alois KrausAlois Kraus
10.4k2553
1
The index field is definitely not constant, it even changes in all Windows Builds even between RS releases in Win10.
– shadowbq
Mar 20 at 15:04
add a comment |
0
I think the kernel object types are the ones you are after. Check out in a Kernel debugger or livekd with the command
0: kd> !object ObjectTypes
Object: ffffe589f9c17aa0 Type: (ffffb28572cd3820) Directory
ObjectHeader: ffffe589f9c17a70 (new version)
HandleCount: 0 PointerCount: 68
Directory Object: ffffe589f9c14a60 Name: ObjectTypes
Hash Address Type Name
---- ------- ---- ----
00 ffffb28572d7e180 Type TmTm
01 ffffb28572d76310 Type Desktop
ffffb28572c3e680 Type Process
02 ffffb28572d53ad0 Type EnergyTracker
ffffb28572d5cbb0 Type RegistryTransaction
03 ffffb28572cccc60 Type DebugObject
04 ffffb28575682520 Type VRegConfigurationContext
ffffb28572ccc440 Type TpWorkerFactory
05 ffffb28572d6da20 Type Adapter
ffffb28572ccfc40 Type Token
06 ffffb2857562ebb0 Type DxgkSharedResource
07 ffffb28572ccb560 Type PsSiloContextPaged
....
Then you can dump the object header with
0: kd> dt nt!_OBJECT_TYPE ffffb28572d68e80
+0x000 TypeList : _LIST_ENTRY [ 0xffffb285`72d68e80 - 0xffffb285`72d68e80 ]
+0x010 Name : _UNICODE_STRING "Section"
+0x020 DefaultObject : 0xfffff801`a03c4680 Void
**+0x028 Index : 0x29 ')'**
+0x02c TotalNumberOfObjects : 0x4943
+0x030 TotalNumberOfHandles : 0xf50
+0x034 HighWaterNumberOfObjects : 0x4ccc
+0x038 HighWaterNumberOfHandles : 0x10c3
+0x040 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0b8 TypeLock : _EX_PUSH_LOCK
+0x0c0 Key : 0x74636553
+0x0c8 CallbackList : _LIST_ENTRY [ 0xffffb285`72d68f48 - 0xffffb285`72d68f48 ]
The Index field should relate to the corresponding ETW event. I am not sure if this index is constant between windows versions but I think not.
Process Hacker (the better process explorer) formats the object type with this method:
static VOID PhpDumpObjectInfo(
_In_ PPH_OBJECT_HEADER ObjectHeader
)
{
PVOID object;
PPH_OBJECT_TYPE objectType;
object = PhObjectHeaderToObject(ObjectHeader);
objectType = PhGetObjectType(object);
__try
{
wprintf(L"Type: %sn", objectType->Name);
wprintf(L"Reference count: %dn", ObjectHeader->RefCount);
wprintf(L"Flags: %xn", ObjectHeader->Flags);
if (objectType == PhObjectTypeObject)
{
wprintf(L"Name: %sn", ((PPH_OBJECT_TYPE)object)->Name);
wprintf(L"Number of objects: %un", ((PPH_OBJECT_TYPE)object)->NumberOfObjects);
wprintf(L"Flags: %un", ((PPH_OBJECT_TYPE)object)->Flags);
wprintf(L"Type index: %un", ((PPH_OBJECT_TYPE)object)->TypeIndex);
wprintf(L"Free list count: %un", ((PPH_OBJECT_TYPE)object)->FreeList.Count);
}
else if (objectType == PhStringType)
{
wprintf(L"%sn", ((PPH_STRING)object)->Buffer);
}
That should give you some pointers where to look next.
answered Dec 11 '18 at 18:55
Alois KrausAlois Kraus
10.4k2553
1
The index field is definitely not constant, it even changes in all Windows Builds even between RS releases in Win10.
– shadowbq
Mar 20 at 15:04
add a comment |
0
0
0
I think the kernel object types are the ones you are after. Check out in a Kernel debugger or livekd with the command
0: kd> !object ObjectTypes
Object: ffffe589f9c17aa0 Type: (ffffb28572cd3820) Directory
ObjectHeader: ffffe589f9c17a70 (new version)
HandleCount: 0 PointerCount: 68
Directory Object: ffffe589f9c14a60 Name: ObjectTypes
Hash Address Type Name
---- ------- ---- ----
00 ffffb28572d7e180 Type TmTm
01 ffffb28572d76310 Type Desktop
ffffb28572c3e680 Type Process
02 ffffb28572d53ad0 Type EnergyTracker
ffffb28572d5cbb0 Type RegistryTransaction
03 ffffb28572cccc60 Type DebugObject
04 ffffb28575682520 Type VRegConfigurationContext
ffffb28572ccc440 Type TpWorkerFactory
05 ffffb28572d6da20 Type Adapter
ffffb28572ccfc40 Type Token
06 ffffb2857562ebb0 Type DxgkSharedResource
07 ffffb28572ccb560 Type PsSiloContextPaged
....
Then you can dump the object header with
0: kd> dt nt!_OBJECT_TYPE ffffb28572d68e80
+0x000 TypeList : _LIST_ENTRY [ 0xffffb285`72d68e80 - 0xffffb285`72d68e80 ]
+0x010 Name : _UNICODE_STRING "Section"
+0x020 DefaultObject : 0xfffff801`a03c4680 Void
**+0x028 Index : 0x29 ')'**
+0x02c TotalNumberOfObjects : 0x4943
+0x030 TotalNumberOfHandles : 0xf50
+0x034 HighWaterNumberOfObjects : 0x4ccc
+0x038 HighWaterNumberOfHandles : 0x10c3
+0x040 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0b8 TypeLock : _EX_PUSH_LOCK
+0x0c0 Key : 0x74636553
+0x0c8 CallbackList : _LIST_ENTRY [ 0xffffb285`72d68f48 - 0xffffb285`72d68f48 ]
The Index field should relate to the corresponding ETW event. I am not sure if this index is constant between windows versions but I think not.
Process Hacker (the better process explorer) formats the object type with this method:
static VOID PhpDumpObjectInfo(
_In_ PPH_OBJECT_HEADER ObjectHeader
)
{
PVOID object;
PPH_OBJECT_TYPE objectType;
object = PhObjectHeaderToObject(ObjectHeader);
objectType = PhGetObjectType(object);
__try
{
wprintf(L"Type: %sn", objectType->Name);
wprintf(L"Reference count: %dn", ObjectHeader->RefCount);
wprintf(L"Flags: %xn", ObjectHeader->Flags);
if (objectType == PhObjectTypeObject)
{
wprintf(L"Name: %sn", ((PPH_OBJECT_TYPE)object)->Name);
wprintf(L"Number of objects: %un", ((PPH_OBJECT_TYPE)object)->NumberOfObjects);
wprintf(L"Flags: %un", ((PPH_OBJECT_TYPE)object)->Flags);
wprintf(L"Type index: %un", ((PPH_OBJECT_TYPE)object)->TypeIndex);
wprintf(L"Free list count: %un", ((PPH_OBJECT_TYPE)object)->FreeList.Count);
}
else if (objectType == PhStringType)
{
wprintf(L"%sn", ((PPH_STRING)object)->Buffer);
}
That should give you some pointers where to look next.
answered Dec 11 '18 at 18:55
Alois KrausAlois Kraus
10.4k2553
I think the kernel object types are the ones you are after. Check out in a Kernel debugger or livekd with the command
0: kd> !object ObjectTypes
Object: ffffe589f9c17aa0 Type: (ffffb28572cd3820) Directory
ObjectHeader: ffffe589f9c17a70 (new version)
HandleCount: 0 PointerCount: 68
Directory Object: ffffe589f9c14a60 Name: ObjectTypes
Hash Address Type Name
---- ------- ---- ----
00 ffffb28572d7e180 Type TmTm
01 ffffb28572d76310 Type Desktop
ffffb28572c3e680 Type Process
02 ffffb28572d53ad0 Type EnergyTracker
ffffb28572d5cbb0 Type RegistryTransaction
03 ffffb28572cccc60 Type DebugObject
04 ffffb28575682520 Type VRegConfigurationContext
ffffb28572ccc440 Type TpWorkerFactory
05 ffffb28572d6da20 Type Adapter
ffffb28572ccfc40 Type Token
06 ffffb2857562ebb0 Type DxgkSharedResource
07 ffffb28572ccb560 Type PsSiloContextPaged
....
Then you can dump the object header with
0: kd> dt nt!_OBJECT_TYPE ffffb28572d68e80
+0x000 TypeList : _LIST_ENTRY [ 0xffffb285`72d68e80 - 0xffffb285`72d68e80 ]
+0x010 Name : _UNICODE_STRING "Section"
+0x020 DefaultObject : 0xfffff801`a03c4680 Void
**+0x028 Index : 0x29 ')'**
+0x02c TotalNumberOfObjects : 0x4943
+0x030 TotalNumberOfHandles : 0xf50
+0x034 HighWaterNumberOfObjects : 0x4ccc
+0x038 HighWaterNumberOfHandles : 0x10c3
+0x040 TypeInfo : _OBJECT_TYPE_INITIALIZER
+0x0b8 TypeLock : _EX_PUSH_LOCK
+0x0c0 Key : 0x74636553
+0x0c8 CallbackList : _LIST_ENTRY [ 0xffffb285`72d68f48 - 0xffffb285`72d68f48 ]
The Index field should relate to the corresponding ETW event. I am not sure if this index is constant between windows versions but I think not.
Process Hacker (the better process explorer) formats the object type with this method:
static VOID PhpDumpObjectInfo(
_In_ PPH_OBJECT_HEADER ObjectHeader
)
{
PVOID object;
PPH_OBJECT_TYPE objectType;
object = PhObjectHeaderToObject(ObjectHeader);
objectType = PhGetObjectType(object);
__try
{
wprintf(L"Type: %sn", objectType->Name);
wprintf(L"Reference count: %dn", ObjectHeader->RefCount);
wprintf(L"Flags: %xn", ObjectHeader->Flags);
if (objectType == PhObjectTypeObject)
{
wprintf(L"Name: %sn", ((PPH_OBJECT_TYPE)object)->Name);
wprintf(L"Number of objects: %un", ((PPH_OBJECT_TYPE)object)->NumberOfObjects);
wprintf(L"Flags: %un", ((PPH_OBJECT_TYPE)object)->Flags);
wprintf(L"Type index: %un", ((PPH_OBJECT_TYPE)object)->TypeIndex);
wprintf(L"Free list count: %un", ((PPH_OBJECT_TYPE)object)->FreeList.Count);
}
else if (objectType == PhStringType)
{
wprintf(L"%sn", ((PPH_STRING)object)->Buffer);
}
That should give you some pointers where to look next.
answered Dec 11 '18 at 18:55
Alois KrausAlois Kraus
10.4k2553
answered Dec 11 '18 at 18:55
Alois KrausAlois Kraus
10.4k2553
answered Dec 11 '18 at 18:55
Alois KrausAlois Kraus
10.4k2553
answered Dec 11 '18 at 18:55
Alois KrausAlois Kraus
10.4k2553
10.4k2553
1
The index field is definitely not constant, it even changes in all Windows Builds even between RS releases in Win10.
– shadowbq
Mar 20 at 15:04
add a comment |
1
The index field is definitely not constant, it even changes in all Windows Builds even between RS releases in Win10.
– shadowbq
Mar 20 at 15:04
1
1
The index field is definitely not constant, it even changes in all Windows Builds even between RS releases in Win10.
– shadowbq
Mar 20 at 15:04
The index field is definitely not constant, it even changes in all Windows Builds even between RS releases in Win10.
– shadowbq
Mar 20 at 15:04
add a comment |
draft saved
draft discarded
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
draft saved
draft discarded
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53426872%2fobject-handle-tracing-in-etw%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Clarification:
Ctrl+Hdisplays the Handles of the process in the Lower Pane View.– shadowbq
Mar 20 at 15:06