I am trying to create a REAL TIME ETW consumer in VC++. My objective is to get the file names which are accessed. I am using the GUID Microsoft-Windows-Kernel-File {EDD08927-9CC4-4E65-B970-C2560FB5C289} for my code.
I am able to retrieve the PID from the PEVENT_RECORD structure with the below code.
// EventRecordCallback registered via EVENT_TRACE_LOGFILE.EventRecordCallback;
// called once per event delivered to the real-time session.
VOID WINAPI ProcessEvent(PEVENT_RECORD pEvent)
{
    // The PID of the process that raised the event lives in the header.
    wprintf(L"ProcessEvent: processID: %d\n", pEvent->EventHeader.ProcessId);
}
Is it possible to retrieve the file name from the PEVENT_RECORD->UserData field? If so, how do I do it? Are there any examples?
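UserData is a raw blob laid out according to the event's manifest template, and the supported way to pull a named property out of it is TdhGetEventInformation followed by TdhGetProperty. As an added example (not the asker's code), the portable C++ below decodes it by hand for the Kernel-File Create event, assuming the template is three win:Pointer fields, three win:UInt32 fields and then FileName as a NUL-terminated win:UnicodeString (verify against the manifest, e.g. with TdhGetEventInformation or `wevtutil gp Microsoft-Windows-Kernel-File`), with the pointer size taken from the 64-bit header flag.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// EVENT_HEADER_FLAG_64_BIT_HEADER: win:Pointer fields are 8 bytes when set, else 4.
static const uint16_t kFlag64BitHeader = 0x0040;

// Assumed layout of the Kernel-File Create template (verify against the manifest):
// Irp, ThreadId, FileObject (win:Pointer x3), CreateOptions, CreateAttributes,
// ShareAccess (win:UInt32 x3), then FileName (win:UnicodeString, NUL-terminated).
static const size_t kPointerFields = 3;
static const size_t kUInt32Fields = 3;

struct FileNameResult {
    bool ok;                 // false if the blob is too short or the string is unterminated
    std::u16string fileName; // UTF-16 exactly as carried in the event
};

// Decode FileName from a UserData blob without ever reading past userDataLength.
FileNameResult ExtractFileName(const uint8_t* userData, size_t userDataLength, uint16_t headerFlags)
{
    FileNameResult result{false, std::u16string()};
    const size_t ptrSize = (headerFlags & kFlag64BitHeader) ? 8 : 4;
    const size_t offset = kPointerFields * ptrSize + kUInt32Fields * sizeof(uint32_t);
    if (offset > userDataLength) return result;            // fixed-size prefix missing
    for (size_t pos = offset; pos + sizeof(char16_t) <= userDataLength; pos += sizeof(char16_t)) {
        char16_t unit;
        std::memcpy(&unit, userData + pos, sizeof(unit));  // avoid unaligned access
        if (unit == 0) { result.ok = true; return result; }
        result.fileName.push_back(unit);
    }
    return result;                                          // no terminator: truncated event
}

// Constructed sample blob for offline testing (not a captured event): the fixed
// prefix is filler, followed by the UTF-16 name and, optionally, its terminator.
std::vector<uint8_t> BuildSampleUserData(uint16_t headerFlags, const std::u16string& name, bool terminate = true)
{
    const size_t ptrSize = (headerFlags & kFlag64BitHeader) ? 8 : 4;
    std::vector<uint8_t> blob(kPointerFields * ptrSize + kUInt32Fields * sizeof(uint32_t), 0xAA);
    for (char16_t unit : name) {
        uint8_t bytes[sizeof(unit)];
        std::memcpy(bytes, &unit, sizeof(unit));
        blob.insert(blob.end(), bytes, bytes + sizeof(unit));
    }
    if (terminate) { blob.push_back(0); blob.push_back(0); }
    return blob;
}

// Inside the real ProcessEvent(PEVENT_RECORD pEvent) the call would be:
// ExtractFileName((const uint8_t*)pEvent->UserData, pEvent->UserDataLength, pEvent->EventHeader.Flags);
```

The same decode must be repeated per event ID, since other Kernel-File templates (Read, Write, Delete, Rename) have different prefixes; checking the header flag per event matters because a 32-bit session can receive events from both pointer sizes.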