Merged PR 6277720: [Git2Git] Merged PR 6275065: Trace console attach/detatch

As identified by Michael Niksa, our MDE heuristics for understanding relationship between conhost and related processes was incorrect. Exposing trace here to assist in correlation. Related work items: MSFT-32957145 Retrieved from https://microsoft.visualstudio.com os.2020 OS official/rs_wdx_dxp_windev 3c886da66d77d1aa36b52794929e388af292539c
2021-07-21 18:41:37 +00:00 · 2021-07-21 18:41:37 +00:00 · 01b5195275
parent dfda41074d
commit 01b5195275
7 changed files with 55 additions and 1 deletions
--- a/src/host/telemetry.cpp
+++ b/src/host/telemetry.cpp
@ -587,3 +587,8 @@ void Telemetry::LogRipMessage(_In_z_ const char* pszMessage, ...) const
                                TraceLoggingString(szMessageEvaluated, "Message"));
    }
 }
+
+bool Telemetry::IsUserInteractive()
+{
+    return _fUserInteractiveForTelemetry;
+}
--- a/src/host/telemetry.hpp
+++ b/src/host/telemetry.hpp
@ -51,6 +51,8 @@ public:

    void LogRipMessage(_In_z_ const char* pszMessage, ...) const;

+    bool IsUserInteractive();
+
    // Names are from the external API call names.  Note that some names can be different
    // than the internal API calls.
    // Don't worry about the following APIs, because they are external to our conhost codebase and hard to track through
--- a/src/host/tracing.cpp
+++ b/src/host/tracing.cpp
@ -21,6 +21,7 @@ enum TraceKeywords
    API = 0x400,
    UIA = 0x800,
    CookedRead = 0x1000,
+    ConsoleAttachDetach = 0x2000,
    All = 0x1FFF
 };
 DEFINE_ENUM_FLAG_OPERATORS(TraceKeywords);
@ -416,6 +417,38 @@ void Tracing::s_TraceCookedRead(_In_reads_(cchCookedBufferLength) const wchar_t*
        TraceLoggingKeyword(TraceKeywords::CookedRead));
 }

+void Tracing::s_TraceConsoleAttachDetach(_In_ const ConsoleProcessHandle* pConsoleProcessHandle, _In_ bool bIsAttach)
+{
+    FILETIME ftCreationTime, ftDummyTime = { 0 };
+    ULARGE_INTEGER creationTime = { 0 };
+    
+    if (TraceLoggingProviderEnabled(g_hConhostV2EventTraceProvider,
+                                    WINEVENT_LEVEL_LOG_ALWAYS,
+                                    TraceKeywords::ConsoleAttachDetach)) {
+
+        if (::GetProcessTimes(pConsoleProcessHandle->GetRawHandle(),
+                              &ftCreationTime,
+                              &ftDummyTime,
+                              &ftDummyTime,
+                              &ftDummyTime)) {
+            creationTime.HighPart = ftCreationTime.dwHighDateTime;
+            creationTime.LowPart = ftCreationTime.dwLowDateTime;
+        }
+
+        bool bIsUserInteractive = Telemetry::Instance().IsUserInteractive();
+
+        TraceLoggingWrite(
+            g_hConhostV2EventTraceProvider,
+            "ConsoleAttachDetach",
+            TraceLoggingUInt32(pConsoleProcessHandle->dwProcessId, "ProcessId"),
+            TraceLoggingUInt64(creationTime.QuadPart, "ProcessCreationTime"),
+            TraceLoggingBool(bIsAttach, "IsAttach"),
+            TraceLoggingBool(bIsUserInteractive, "IsUserInteractive"),
+            TraceLoggingKeyword(TIL_KEYWORD_TRACE),
+            TraceLoggingKeyword(TraceKeywords::ConsoleAttachDetach));
+    }
+}
+
 void __stdcall Tracing::TraceFailure(const wil::FailureInfo& failure) noexcept
 {
    TraceLoggingWrite(
--- a/src/host/tracing.hpp
+++ b/src/host/tracing.hpp
@ -62,7 +62,8 @@ public:
    static void s_TraceWindowMessage(const MSG& msg);
    static void s_TraceInputRecord(const INPUT_RECORD& inputRecord);

-    static void Tracing::s_TraceCookedRead(_In_reads_(cchCookedBufferLength) const wchar_t* pwchCookedBuffer, _In_ ULONG cchCookedBufferLength);
+    static void s_TraceCookedRead(_In_reads_(cchCookedBufferLength) const wchar_t* pwchCookedBuffer, _In_ ULONG cchCookedBufferLength);
+    static void s_TraceConsoleAttachDetach(_In_ const ConsoleProcessHandle* pConsoleProcessHandle, _In_ bool bIsAttach);

    static void __stdcall TraceFailure(const wil::FailureInfo& failure) noexcept;

--- a/src/server/IoDispatchers.cpp
+++ b/src/server/IoDispatchers.cpp
@ -431,6 +431,8 @@ PCONSOLE_API_MSG IoDispatchers::ConsoleHandleConnectionRequest(_In_ PCONSOLE_API
        CommandHistory::s_Free((HANDLE)ProcessData);
        gci.ProcessHandleList.FreeProcessData(ProcessData);
    }
+    
+    Tracing::s_TraceConsoleAttachDetach(ProcessData, true);

    UnlockConsole();

@ -470,6 +472,8 @@ PCONSOLE_API_MSG IoDispatchers::ConsoleClientDisconnectRoutine(_In_ PCONSOLE_API
        pNotifier->NotifyConsoleEndApplicationEvent(pProcessData->dwProcessId);
    }

+    Tracing::s_TraceConsoleAttachDetach(pProcessData, false);
+
    LOG_IF_FAILED(RemoveConsole(pProcessData));

    pMessage->SetReplyStatus(STATUS_SUCCESS);
--- a/src/server/ProcessHandle.cpp
+++ b/src/server/ProcessHandle.cpp
@ -65,3 +65,10 @@ const ConsoleShimPolicy ConsoleProcessHandle::GetShimPolicy() const
 {
    return _shimPolicy;
 }
+
+// Routine Description:
+// - Retrieves the raw process handle
+const HANDLE ConsoleProcessHandle::GetRawHandle() const
+{
+    return _hProcess.get();
+}
--- a/src/server/ProcessHandle.h
+++ b/src/server/ProcessHandle.h
@ -40,6 +40,8 @@ public:
    const ConsoleProcessPolicy GetPolicy() const;
    const ConsoleShimPolicy GetShimPolicy() const;

+    const HANDLE GetRawHandle() const;
+
    CD_CONNECTION_INFORMATION GetConnectionInformation(IDeviceComm* deviceComm) const;

 private: