Skip to main content

TraceEvent

windows_erg::etw

Struct TraceEvent 

Source 
pub struct TraceEvent {
    pub id: u16,
    pub version: u8,
    pub opcode: u8,
    pub level: u8,
    pub provider_guid: GUID,
    pub process_id: ProcessId,
    pub thread_id: ThreadId,
    pub timestamp: SystemTime,
    pub data: Vec<u8>,
    pub thread_context: Option<ThreadContext>,
    pub stack_trace: Option<StackTrace>,
    pub cpu_sample: Option<CpuSample>,
    /* private fields */
}
Expand description

A single event captured from a kernel trace session.

Each TraceEvent is emitted by one of the active SystemProviders. The id and opcode fields identify the specific operation; the data field contains the raw binary payload whose layout depends on the provider and event ID.

Fields§

§id: u16

Event ID — identifies the event type within the provider.

§version: u8

Event version.

§opcode: u8

Opcode — identifies the operation phase (start, stop, info, etc.).

§level: u8

Severity level of this event.

§provider_guid: GUID

GUID of the provider that emitted this event.

§process_id: ProcessId

ID of the process that triggered the event.

§thread_id: ThreadId

ID of the thread that triggered the event.

§timestamp: SystemTime

When the event was recorded.

§data: Vec<u8>

Raw binary payload. Layout depends on the provider and event ID.

§thread_context: Option<ThreadContext>

Optional thread context enrichment (enabled by with_thread_context).

§stack_trace: Option<StackTrace>

Optional stack trace enrichment (enabled by with_stack_traces).

§cpu_sample: Option<CpuSample>

Optional CPU sampling enrichment (enabled by with_cpu_samples).

Implementations§

Source§

impl TraceEvent

Source

pub fn from_event_record(record: &EVENT_RECORD) -> Self

Build a TraceEvent from a raw EVENT_RECORD.

Used by the ProcessTrace callback pipeline in session.rs.

Source

pub fn decode(&self) -> DecodedEvent

Decode this event into a typed representation when a known kernel layout is available.

Returns DecodedEvent::Unknown when no direct decoder matches the provider, version, and opcode combination.

Source

pub fn fields(&self) -> Option<&[EventField]>

Returns schema-parsed fields when detailed event parsing is enabled.

Trait Implementations§

Source§

impl Clone for TraceEvent

Source§

fn clone(&self) -> TraceEvent

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for TraceEvent

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.