Ensure filename is not null when logging WDAC ETW events #20910
@SteveL-MSFT Who replaced Paul? Who could review this?
LGTM. Thanks for the fix @jborean93!
PR Summary

Ensures the `filename` value used in WDAC ETW events is set to an empty string if the input value is null. This ensures the value matches up with the manifest defined, which has the following properties for this task, allowing ETW consumers to be able to consume this event.

PR Context

The manifest defines the properties for this event as

When running as it is now and the `FileName` is `null` we get the following event in the event log

The raw XML for the event is

The `ErrorCode` represents `ERROR_EVT_INVALID_EVENT_DATA` and the `EventPayload` shows the raw value which, when formatted with `Format-Hex`, shows

We can see the first value for `QueryName` is the Unicode NULL terminated string `WldpGetLockdownPolicy`. The next string value is going to consume the `00 00` as the empty string NULL terminator for `FileName`. This only leaves 6 bytes left for the `QuerySuccess` and `QuerySResult`, which is invalid, causing the error. The problem here is there is actually no value for `FileName`; there should be an extra two zero bytes between the first and third value.

With this PR we can see that the event is now decoded properly

There are probably other events affected, but this is just what I came across when testing things out and it only needed a simple fix.