BTW: The whole point of this exercise is to detect various system
messages running in applications and trace back what app called that
message. Additionally, we would look for various events, like spikes in
disk activity, CPU util, etc., and try to trace what app is causing it.
Does this sound like something ETW can accomplish?
EtwRegister(
    __in     LPCGUID            ProviderId,
    __in_opt ETWENABLECALLBACK  EnableCallback,
    __in_opt PVOID              CallbackContext,
    __out    PREGHANDLE         RegHandle
);
cross-posted to *win32.programmer.kernel
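As an added example (not part of the original post), the consumer side of what the poster asks about: rather than registering a provider with EtwRegister, the built-in kernel logger already emits process, thread and disk I/O events, and each event header carries the issuing process ID, so a short collection session can be aggregated per process to see which application was generating the activity. The session name, provider flags and tracerpt options below are standard logman/tracerpt syntax; the output path, the capture duration and the choice to group on the event header's Execution ProcessID are my assumptions for this illustration.

```powershell
# Added example: attribute kernel disk I/O events to the issuing process.
# Requires an elevated prompt; "NT Kernel Logger" is the fixed session name
# for the kernel provider ("Windows Kernel Trace").
$etl = Join-Path $env:TEMP 'kernel.etl'      # assumed output location
$xml = Join-Path $env:TEMP 'kernel.xml'

# Start the kernel logger with process, thread and disk I/O event groups.
logman start "NT Kernel Logger" -p "Windows Kernel Trace" (process,thread,disk) -o $etl -ets

Start-Sleep -Seconds 10                      # assumed capture window

logman stop "NT Kernel Logger" -ets

# Render the binary trace as Windows Event XML so it can be parsed.
tracerpt $etl -o $xml -of XML -y

# Count events per issuing process ID (taken from the event header).
[xml]$doc = Get-Content -Raw $xml
$byPid = $doc.Events.Event |
    Group-Object { $_.System.Execution.ProcessID } |
    Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count

# Best-effort name lookup; PIDs that exited during the capture stay unnamed.
foreach ($row in $byPid) {
    $name = (Get-Process -Id $row.Name -ErrorAction SilentlyContinue).ProcessName
    '{0,8}  {1,6}  {2}' -f $row.Name, $row.Count, $name
}
```

The per-process counts answer the "which app is causing it" question for the capture window; a defender would normally keep the ETL file and add the `file` flag when the spike needs to be tied to specific paths rather than just a process.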