diff --git a/Microsoft.O365.Security.Native.ETW/AssemblyInfo.cpp b/Microsoft.O365.Security.Native.ETW/AssemblyInfo.cpp
index 574432e..c1e793f 100644
--- a/Microsoft.O365.Security.Native.ETW/AssemblyInfo.cpp
+++ b/Microsoft.O365.Security.Native.ETW/AssemblyInfo.cpp
@@ -32,7 +32,7 @@ using namespace System::Security::Permissions;
 // You can specify all the value or you can default the Revision and Build Numbers
 // by using the '*' as shown below:
-[assembly:AssemblyVersionAttribute("4.4.2.0")];
+[assembly:AssemblyVersionAttribute("4.4.3.0")];
 [assembly:ComVisible(false)];
diff --git a/Microsoft.O365.Security.Native.ETW/EventRecordMetadata.hpp b/Microsoft.O365.Security.Native.ETW/EventRecordMetadata.hpp
index 8f112eb..5aef8d1 100644
--- a/Microsoft.O365.Security.Native.ETW/EventRecordMetadata.hpp
+++ b/Microsoft.O365.Security.Native.ETW/EventRecordMetadata.hpp
@@ -26,6 +26,17 @@ namespace Microsoft { namespace O365 { namespace Security { namespace ETW {
 : record_(&record)
 , header_(&record.EventHeader)
 { }
+ EventRecordMetadata() { }
+
+ ///
+ /// Updates this instance to point to the specified event record.
+ ///
+ virtual void Update(const EVENT_RECORD& record)
+ {
+ record_ = &record;
+ header_ = &record.EventHeader;
+ }
+
 public:
 // For container ID's, we are expecting format "00000000-0000-0000-0000-0000000000000",
 // 32 hex digits with 4 hyphens, no braces.
diff --git a/Microsoft.O365.Security.Native.ETW/RawProvider.hpp b/Microsoft.O365.Security.Native.ETW/RawProvider.hpp
index 183c6ff..4f81642 100644
--- a/Microsoft.O365.Security.Native.ETW/RawProvider.hpp
+++ b/Microsoft.O365.Security.Native.ETW/RawProvider.hpp
@@ -122,6 +122,7 @@ namespace Microsoft { namespace O365 { namespace Security { namespace ETW {
 NativePtr> provider_;
 GCHandle delegateHookHandle_;
 GCHandle delegateHandle_;
+ EventRecordMetadata^ data_;
 void SetUpProvider();
 };
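Review bot: The new default constructor `EventRecordMetadata() { }` in the EventRecordMetadata.hpp hunk leaves `record_` and `header_` unset, so the object now has a second state — presumably null pointers, since gcnew zero-fills ref-class fields — in which any member that reads them dereferences nothing valid until `Update` has run, and neither the constructor nor the class documentation says so. The `Update` doc comment should also spell out the borrow it creates: only `&record` and `&record.EventHeader` are stored, nothing is copied, so the instance is valid only for as long as the caller keeps that EVENT_RECORD alive, and a later `Update` silently repoints it at a different event. Suggest `// Not usable until Update() has been called.` on the default constructor and, in the `Update` summary, `/// The record is borrowed, not copied: this instance is valid only while the supplied EVENT_RECORD is, and a subsequent Update repoints it at another event.` The enclosing class starts and ends outside the hunk.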
@@ -148,6 +149,8 @@ namespace Microsoft { namespace O365 { namespace Security { namespace ETW {
 delegateHookHandle_ = GCHandle::Alloc(bridged);
 provider_->add_on_event_callback((krabs::c_provider_callback)bridged.ToPointer());
+
+ data_ = gcnew EventRecordMetadata();
 }
 inline RawProvider::~RawProvider()
@@ -165,6 +168,8 @@ namespace Microsoft { namespace O365 { namespace Security { namespace ETW {
 inline void RawProvider::EventNotification(const EVENT_RECORD &record)
 {
- OnEvent(gcnew EventRecordMetadata(record));
+ data_->Update(record);
+
+ OnEvent(data_);
 }
 } } } }
\ No newline at end of file
diff --git a/O365.Security.Native.ETW.Debug.nuspec b/O365.Security.Native.ETW.Debug.nuspec
index 08bace4..b07342b 100644
--- a/O365.Security.Native.ETW.Debug.nuspec
+++ b/O365.Security.Native.ETW.Debug.nuspec
@@ -2,7 +2,7 @@
 Microsoft.O365.Security.Native.ETW.Debug
- 4.4.2
+ 4.4.3
 Microsoft.O365.Security.Native.ETW Debug - managed wrappers for krabsetw
 Microsoft
 Microsoft
@@ -12,8 +12,8 @@
 Microsoft.O365.Security.Native.ETW Debug is a managed wrapper around the krabsetw ETW library. This is the Debug build.
 Microsoft.O365.Security.Native.ETW Debug is a managed wrapper around the krabsetw ETW library. This is the Debug build.
- Version 4.4.2:
- - Support reading TraceLogging events.
+ Version 4.4.3:
+ - RawProvider only allocates EventRecordMetadata once per instance.
 © Microsoft Corporation. All rights reserved.
diff --git a/O365.Security.Native.ETW.nuspec b/O365.Security.Native.ETW.nuspec
index 08e0178..c4eb241 100644
--- a/O365.Security.Native.ETW.nuspec
+++ b/O365.Security.Native.ETW.nuspec
@@ -2,7 +2,7 @@
 Microsoft.O365.Security.Native.ETW
- 4.4.2
+ 4.4.3
 Microsoft.O365.Security.Native.ETW - managed wrappers for krabsetw
 Microsoft
 Microsoft
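Review bot: `OnEvent(data_)` in the EventNotification hunk now hands every subscriber the same `EventRecordMetadata` instance, and the next `data_->Update(record)` repoints it before any subscriber that kept the handle has a chance to notice; a handler that stores the handle past the callback (queues it, captures it in a closure, logs it later) will read a later event's metadata, or a native pointer into an ETW buffer that has since been reused, with no error. The per-event gcnew it replaces had the dangling-pointer hazard as well, but it never aliased two events onto one object, so the silent misattribution is new and matters to any consumer that correlates events by retained handles. Sharing one instance is also only sound if EventNotification is never invoked concurrently for one RawProvider; that is likely true when the provider belongs to a single trace-processing thread, but it is not visible here and should be stated as a contract rather than assumed. Suggest a comment on EventNotification: `// data_ is reused for every event; OnEvent subscribers must not retain the handle past the callback, and this method must not be re-entered concurrently.` The constructor body in the first hunk on this line begins outside it.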
@@ -12,8 +12,8 @@
 Microsoft.O365.Security.Native.ETW is a managed wrapper around the krabsetw ETW library.
 Microsoft.O365.Security.Native.ETW is a managed wrapper around the krabsetw ETW library.
- Version 4.4.2:
- - Support reading TraceLogging events.
+ Version 4.4.3:
+ - RawProvider only allocates EventRecordMetadata once per instance.
 © Microsoft Corporation. All rights reserved.
diff --git a/krabsetw.nuspec b/krabsetw.nuspec
index e750726..3cc3b2d 100644
--- a/krabsetw.nuspec
+++ b/krabsetw.nuspec
@@ -2,7 +2,7 @@
 Microsoft.O365.Security.Krabsetw
- 4.4.2
+ 4.4.3
 Krabs ETW Wrappers
 Microsoft
 Microsoft
@@ -12,8 +12,8 @@
 Krabs ETW provides a modern C++ wrapper around the low-level ETW trace consumption functions
 Krabs ETW provides a modern C++ wrapper around the low-level ETW trace consumption functions
- Version 4.4.2:
- - Support reading TraceLogging events.
+ Version 4.4.3:
+ - RawProvider only allocates EventRecordMetadata once per instance.
 © Microsoft Corporation. All rights reserved.