Sysinternals
Advanced system utilities to manage, troubleshoot, and diagnose Windows and Linux systems and applications.
NT Kernel Logger max size for CommandLine field
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 79%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EOC%3C/text%3E%3C/svg%3E)
Ori Carmely
6
Reputation points
Hi :)
I'm using the following commands to trace the command line arguments of sub-processes:
logman start "NT Kernel Logger" -p "Windows Kernel Trace" (process) -o out.etl -ets
//... running main process which I want to trace its sub-process calls...
logman stop "NT Kernel Logger" -ets
I've used both tracerpt and traceview to read the event data, specifically the CommandLine field of the process event.
I'm seeing a behavior where the CommandLine field of process events is capped at 512 character.
00000365 MSNT_SystemTrace 2472 10724 4 0 03\05\2022-13:48:08:671 {"UniqueProcessKey":"0xFFFFA50D2C7EE080","ProcessId":"0x30E8","ParentId":"0x9A8","SessionId":1,"ExitStatus":259,"DirectoryTableBase":"0x1186AD000","Flags":0,"UserSID":"S-1-5-21-1109103017-3393704352-1484820215-1001","ImageFileName":"xxxxxx.exe","CommandLine":"xxxxxx xxxxx/xxx/xxx.x xxxxx/xxxxxxx/xxxxxxx/xxx/xxxxxxxxxxxxxxxxxxx/xxxxxx.x xxxxx/xxxxxxx/xxxxxxx/xxx/xxxxxxxxxxxxxxxxxxx/xxxxxx.x xxxxx/xxxxxxx/xxxxxxx/xxx/xxxxxxxxxxxxxxxxxxx/xxxxxx.x xxxxx/xxxxxxx/xxxxxxx/xxx/xxxxxxxxxxxxxxxxxxx/xxxx.x xxxxx/xxxxxxx/xxxxxxx/xxx/xxxxxxxxxxxxxxxxxxx/xxxx.x xxxxx/xxxxxxx/xxxxxxx/xxx/xxxxxxxxxxxxxxxxxxx/xxxxx.x xxxxx/xxxxxxx/xxxxxxx/xxx/xxxxxxxxxxxxxxxxxxx/xxxxx.x xxxxx/xxxxxxx/xxxxxxx/xxx/xxxxxxxxxxxxxxxxxxx/xxxxxxxx.x xxxxx/xxxxxxx/xxxxxxx/xxx/xxxxxxxxxxxxxxxxxxx/xxxxxx","PackageFullName":"","ApplicationId":"","meta":{"provider":"MSNT_SystemTrace","event":"Start","time":"2022-03-05T13:48:08.671","cpu":4,"pid":2472,"tid":10724,"task":"Process"}}
I'm really not sure what is causing this limit and would be glad for assistance.
Thanks in advance!
Ori
Sysinternals
Windows for business | Windows Client for IT Pros | User experience | Other
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 45%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIS%3C/text%3E%3C/svg%3E)
Itamar Stollar 1 Reputation point2022-04-24T09:37:44.79+00:00 Hi,
I've encountered a similar issue when tracing process start kernel events using Event Tracing for Windows (ETW) via the C# Microsoft.Diagnostics.Tracing.TraceEvent package, i.e. all CommandLine properties are truncated at 512 characters.
Any help retrieving the full command line would be greatly appreciated.Thanks,
Itamar
Sign in to comment
Sign in to answer