From: R.Wieser on
Hello All,

I'm attempting to log, in XP, changes to the registry and I've got a few
troubles:

I declared an EVENT_TRACE_PROPERTIES structure, and loaded the
LoggerFieldOffset field as per an example with the size of the structure.
The value of the structure turned out to be 74 Hex bytes.

Alas, StartTrace returned an error 57 Hex, invalid argument. After a lot of
searching and in the end disassembling the StartTrace function itself it
turns out that the offset should be *at least* at 78 Hex.

First question: Why? Did I miss a field after the LoggerFieldOffset? Is
it an alignment issue (if so, why doesn't MS's description of the command and
structure mention it)?

When I did set the offset to 78 Hex, the function returned error 0, OK.

But then when I tried to use the ControlTrace command with the
EVENT_TRACE_CONTROL_STOP argument I got an 03E6 Hex, illegal memory access.
A subsequent CloseHandle command returns an error 6, Invalid Handle.

By the way: the handle value was 0000FFFF Hex (not quite expected, but not
the described error result of zero)

Question two: What makes the StartTrace return an OK, but still an
incorrect handle?

Regards,
Rudy Wieser
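
Added example, not part of the original post: a portable C mirror of the 32-bit EVENT_TRACE_PROPERTIES layout, showing that the declared fields end at 74 Hex while the 8-byte-aligned structure occupies 78 Hex, and how the name buffers are laid out after it. The type and function names are made up for this sketch, fixed-width types stand in for the Windows typedefs, and the offset field is spelled LoggerNameOffset as in the SDK header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed mirror of WNODE_HEADER (32-bit build); each union is
   represented by its largest member only. */
typedef struct {
    uint32_t BufferSize;
    uint32_t ProviderId;
    _Alignas(8) uint64_t HistoricalContext; /* 8-byte member: struct is 8-byte aligned */
    int64_t  TimeStamp;
    uint8_t  Guid[16];
    uint32_t ClientContext;
    uint32_t Flags;
} WnodeHeader32;

/* Constructed mirror of EVENT_TRACE_PROPERTIES (32-bit build). */
typedef struct {
    WnodeHeader32 Wnode;
    uint32_t Counters[14];      /* BufferSize .. RealTimeBuffersLost */
    uint32_t LoggerThreadId;    /* HANDLE: 4 bytes on 32-bit XP */
    uint32_t LogFileNameOffset;
    uint32_t LoggerNameOffset;
} TraceProps32;

/* Offset just past the last declared member (sum of the field sizes). */
size_t end_of_last_member(void) {
    return offsetof(TraceProps32, LoggerNameOffset) + sizeof(uint32_t);
}

/* Size the compiler allocates, including tail padding to a multiple of 8. */
size_t padded_size(void) { return sizeof(TraceProps32); }

/* Allocate the structure plus trailing name areas and fill in the offsets.
   Sizes are in bytes and include the terminator; 0 means "no log file". */
TraceProps32 *alloc_props(size_t logger_name_bytes, size_t logfile_name_bytes) {
    size_t total = sizeof(TraceProps32) + logger_name_bytes + logfile_name_bytes;
    TraceProps32 *p = calloc(1, total);
    if (p == NULL)
        return NULL;
    p->Wnode.BufferSize = (uint32_t)total;  /* whole allocation, not just the struct */
    p->LoggerNameOffset = (uint32_t)sizeof(TraceProps32);
    p->LogFileNameOffset = logfile_name_bytes
        ? (uint32_t)(sizeof(TraceProps32) + logger_name_bytes) : 0;
    return p;
}
```
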