ETW automatically replays any events that were missed before ProcessTrace was called, which means that the kernel events generated during the boot will all arrive at once and can be processed in order. UBPM also waits on the SCM's auto-start event, which ensures that by the time these events do come in, at least some services will have registered for them; otherwise, starting the trace too early would produce events with no registered consumers, and those events would be lost.
Finally, UBPM sets up a local RPC interface to TaskHost—the second component of UBPM, which we'll describe later—and it also sets up its own local RPC interface, which exposes the APIs that allow services to use UBPM functionality (such as registering trigger providers, generating triggers and notifications, and so forth). These APIs are implemented in the Ubpm.dll library and use RPC to communicate with the RPC interface in the UBPM code of Services.exe.
When UBPM exits, the opposite actions in the reverse order are performed to reset the system to its previous state.
UBPM API
Services use the UBPM API to perform the following operations:
Registering and unregistering a trigger provider, as well as opening and closing a handle to one
Generating a notification or a trigger
Setting and querying the configuration of a trigger provider
Sending a control command to a trigger provider
Provider Registration
Providers are registered through the SCM Extension DLL, which uses the
Once a provider is registered, the open and close APIs can be used to increment and decrement the reference count on the provider and to return its provider block. Furthermore, if the provider was not registered in a disabled state, and this is the first reference to it, its GUID is enabled in the real-time ETW trace.
Similarly, unregistering a provider will disable its GUID and unlink it from the provider list, and as soon as all references are closed, the provider block will be deleted.
EXPERIMENT: Viewing UBPM Trigger Providers
You can use the Performance Monitor to see the ETW providers that UBPM has enabled in its real-time trace session, that is, the trigger providers that have registered with it. Follow these instructions to do so:
Open the Performance Monitor by clicking on the Start button, and then choosing Run.
Type perfmon, and click OK.
When Performance Monitor launches, expand Data Collector Sets on the left sidebar by clicking the arrow.
Choose Event Trace Sessions from the list, and then double click on the UBPM entry.
The following screen shot displays the UBPM trigger providers on the author’s machine. You should see a similar display.
As you can see from the large list, dozens of providers are registered, each of them capable of generating individual events. For example, the BfeTriggerProvider handles Firewall events. In a later experiment, you will see a consumer of such an event.
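The same information can be obtained from an elevated PowerShell prompt instead of Performance Monitor. The script below is an added example and is not part of the book or of the UBPM code; it assumes that the trace session is named UBPM (as shown in the Event Trace Sessions list above), that the EventTracingManagement module (Get-EtwTraceProvider) is available, and otherwise falls back to parsing logman output, whose column layout is assumed to be the "Provider: <name or GUID>" form. The function names Get-UbpmTriggerProviders and Resolve-EtwProviderName are hypothetical helpers written for this example.

```powershell
# Added example (not from the book): enumerate the ETW providers enabled in
# the UBPM real-time trace session, the same list Performance Monitor shows
# under Data Collector Sets > Event Trace Sessions > UBPM.
# Assumptions: elevated prompt; session name "UBPM"; Get-EtwTraceProvider from
# the EventTracingManagement module where available, logman otherwise.

function Get-UbpmTriggerProviders {
    [CmdletBinding()]
    param([string]$SessionName = 'UBPM')

    if (Get-Command Get-EtwTraceProvider -ErrorAction SilentlyContinue) {
        # One object per provider enabled in the session, with the GUID and
        # the level the session enabled it at.
        Get-EtwTraceProvider -SessionName $SessionName |
            Select-Object SessionName, Guid, Level
    }
    else {
        # Fallback: logman prints one "Provider:" line per enabled provider.
        # The value is the registered name when the manifest is installed,
        # otherwise the raw {GUID}. (Output format assumed, see lead-in.)
        logman query $SessionName -ets |
            Where-Object { $_ -match '^Provider' } |
            ForEach-Object { ($_ -split ':\s+', 2)[1].Trim() }
    }
}

function Resolve-EtwProviderName {
    # Map a provider GUID back to its registered name using the table that
    # "logman query providers" prints as "<name>   {<guid>}".
    param([Parameter(Mandatory)][string]$Guid)

    $needle = [regex]::Escape($Guid.Trim('{', '}'))
    $line = logman query providers | Where-Object { $_ -match $needle } | Select-Object -First 1
    if ($line) {
        # Strip the trailing "{GUID}" column, leaving the provider name.
        ($line -replace '\s*\{[0-9A-Fa-f-]+\}\s*$', '').Trim()
    }
    else {
        # Unregistered or manifest-less provider: only the GUID is known.
        $Guid
    }
}

# Usage: list the session's providers and resolve each GUID to a name.
Get-UbpmTriggerProviders | ForEach-Object {
    $guid = if ($_ -is [string]) { $_ } else { $_.Guid }
    [pscustomobject]@{
        Guid = $guid
        Name = Resolve-EtwProviderName -Guid $guid
    }
} | Format-Table -AutoSize
```

Running this without elevation fails to open the session, because real-time ETW sessions created by Services.exe are not queryable by a standard user; the resulting list should match the provider count you saw in Performance Monitor.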
Consumer Registration
Service consumer registration is initially exposed by the