In my previous post, I described using PowerShell script to correlate ETW events. For large event logs, the overall performance of the script is not very fast.

Here is a .Net version of doing ETW event correlation:

 

        class ActivityData

        {

            public ActivityData()

            {

                this.Events = new Dictionary<int, EventRecord>();

            }

             public Dictionary<int, EventRecord> Events { get; private set; }

        }

         private static Dictionary<Guid, ActivityData> GetActivities(

            string eventLogFileName,

            int [] interestingEventIds)

        {

            EventLogQuery eventsQuery = new EventLogQuery(eventLogFileName, PathType.FilePath);

             EventLogReader logReader = new EventLogReader(eventsQuery);

             Dictionary<Guid, ActivityData> activities = new Dictionary<Guid, ActivityData>();

             for (EventRecord eventInstance = logReader.ReadEvent(); eventInstance != null; eventInstance = logReader.ReadEvent())

            {

                if (interestingEventIds.Contains(eventInstance.Id))

                {

                    if (eventInstance.ActivityId != null && activities.ContainsKey(eventInstance.ActivityId.Value) == false)

                    {

                        activities.Add(eventInstance.ActivityId.Value, new ActivityData());

                    }

 

                    activities[eventInstance.ActivityId.Value].Events.Add(eventInstance.Id, eventInstance);

                }

            }

             return activities;

        }

         private static void PrintTime()

        {

            int[] interestingEventIds = new int[] { EventIdStart, EventIdEnd};

 

            string eventLogFileName = System.IO.Path.Combine(System.IO.Directory.GetCurrentDirectory(), "Analytic.evtx");

            Dictionary<Guid, ActivityData> activities = GetActivities(eventLogFileName, interestingEventIds);

 

            foreach (ActivityData activity in activities.Values)

            {

                DateTime startTime = DateTime.MinValue;

                DateTime endTime = DateTime.MinValue;

                EventRecord eventRecord;

                if (activity.Events.TryGetValue(EventIdStart, out eventRecord) && eventRecord.TimeCreated != null)

                {

                    startTime = eventRecord.TimeCreated.Value;

                }

                 if (activity.Events.TryGetValue(EventIdEnd, out eventRecord) && eventRecord.TimeCreated != null)

                {

                    endTime = eventRecord.TimeCreated.Value;

                }

                 if (startTime != DateTime.MinValue && endTime != DateTime.MinValue)

                {

                    Console.WriteLine(startTime.ToLongDateString() + " " + (endTime - startTime).TotalMilliseconds.ToString());

                }

            }

        }