Hey Pavel, nice video as always :) Can I ask you a question about Windows HANDLEs, I am having a bit of trouble with this one :(. Basically, I want to make a simple handle monitoring application, where I want to have some special functions, like determining an object type from it's HANDLE value. I am aware that I can use NtQuerySystemInformation with SystemHandleInformation, which gives me a snapshot of all HANDLEs in the system, but it usually takes up several seconds to filter out that list for a specific SYSTEM_HANDLE_TABLE_ENTRY_INFO object just to query a HANDLE's type. I am basically asking if there is a basic "int getObjectType(HANDLE)" usermode function that I could use for this purpose? Thanks for your answer in advance, unfortunately I couldn't find anything by myself yet.
Μr Pavel , I would like to ask you a question regarding Windows Performance Analyzer. When I select the DPC/ISR Tab to analyze drivers, I can't seem to identify a clear driver related to devices like the keyboard or mouse. Therefore, I'm unable to study the results I've collected for my peripherals. Could you please advise me on what I might be doing wrong or what steps I should take to address this issue?
I can't say for sure why. Do note that many drivers for keyboard/mouse are written in user mode (UMDF), so DPC/ISR is unlikely to be shown for these drivers.
Does this mean that the DPC & ISR doesn't handle drivers for devices such as the keyboard and mouse? Furthermore, if I intend to analyze data (before and after) resulting from configurations directly related to these devices drivers, with a focus on theoretically reducing their execution time, what process would you recommend I follow? Your guidance would be greatly appreciated.@@zodiacon
USB connected devices are triggered by a USB bus driver. I'm not sure how you can reduce any execution time unless you write the drivers yourself. If you really want to examine what is going on, you should write a filter driver for the device of interest and/or for USB controllers. You can start by looking for ETW events that may provide some insight without the need to write code.
@@zodiacon Μr Pavel, I happened to notice something interesting. When I mentioned to you that I couldn't see the drivers related to peripherals when I opened WPA, I didn't mention that I had conducted the tests using xperf. Now that I've performed the tests with WPR, I observed that as soon as I opened the .etl file, drivers appeared that were not present ( like USBXHCI.SYS ) with xperf. Therefore, I assume that the process of how I conduct these measurements plays a significant role.
One more question related with your document about thread priorities . Is it possible to change the thread priority of a driver ( for instance the ndis.sys ) via registry parameterization or not ?
is there a way to differentiate between file upload initiated by user instead of file upload one internally by a browser ? since most of the file upload stuff is done using IFileopenDialog, is it possible to use ETW to check it information?
Thanks Pavel, I’ve been missing your videos! 😊
Great video, I was trying to learn what ETW is and couldn't really understand it without examples but this video helped me a lot! Thank you :)
Pefect timing! Thanks :)
Great video , thank you
Hey Pavel, nice video as always :)
Can I ask you a question about Windows HANDLEs, I am having a bit of trouble with this one :(.
Basically, I want to make a simple handle monitoring application, where I want to have some special functions, like determining an object type from it's HANDLE value.
I am aware that I can use NtQuerySystemInformation with SystemHandleInformation, which gives me a snapshot of all HANDLEs in the system, but it usually takes up several seconds to filter out that list for a specific SYSTEM_HANDLE_TABLE_ENTRY_INFO object just to query a HANDLE's type.
I am basically asking if there is a basic "int getObjectType(HANDLE)" usermode function that I could use for this purpose?
Thanks for your answer in advance, unfortunately I couldn't find anything by myself yet.
There is NtQueryObject with ObjectTypeInformation that you can use.
Thanks a lot you are a life saver! :)@@zodiacon
Μr Pavel , I would like to ask you a question regarding Windows Performance Analyzer. When I select the DPC/ISR Tab to analyze drivers, I can't seem to identify a clear driver related to devices like the keyboard or mouse. Therefore, I'm unable to study the results I've collected for my peripherals. Could you please advise me on what I might be doing wrong or what steps I should take to address this issue?
I can't say for sure why. Do note that many drivers for keyboard/mouse are written in user mode (UMDF), so DPC/ISR is unlikely to be shown for these drivers.
Does this mean that the DPC & ISR doesn't handle drivers for devices such as the keyboard and mouse? Furthermore, if I intend to analyze data (before and after) resulting from configurations directly related to these devices drivers, with a focus on theoretically reducing their execution time, what process would you recommend I follow? Your guidance would be greatly appreciated.@@zodiacon
USB connected devices are triggered by a USB bus driver. I'm not sure how you can reduce any execution time unless you write the drivers yourself. If you really want to examine what is going on, you should write a filter driver for the device of interest and/or for USB controllers. You can start by looking for ETW events that may provide some insight without the need to write code.
@@zodiaconThank you !
@@zodiacon Μr Pavel, I happened to notice something interesting. When I mentioned to you that I couldn't see the drivers related to peripherals when I opened WPA, I didn't mention that I had conducted the tests using xperf. Now that I've performed the tests with WPR, I observed that as soon as I opened the .etl file, drivers appeared that were not present ( like USBXHCI.SYS ) with xperf. Therefore, I assume that the process of how I conduct these measurements plays a significant role.
One more question related with your document about thread priorities . Is it possible to change the thread priority of a driver ( for instance the ndis.sys ) via registry parameterization or not ?
There is no meaning to that. A driver is not a thread, it has no priority. It's invoked by client code or because of interrupts.
Thank you for opening my eyes! @@zodiacon
Tks..😀
Thanks 👍
Is it possible to query the ETW for the Event fields with logman instead than using ETW explorer?
No as far as I can tell.
is there a way to differentiate between file upload initiated by user instead of file upload one internally by a browser ?
since most of the file upload stuff is done using IFileopenDialog, is it possible to use ETW to check it information?
Only if the IFileOpenDialog implementation raises ETW events - since there are many ETW providers and events, more research is needed.
Hudson Road
Daniela Stream