Fixes for .evtx files exported from EventVwr

2013-05-15 16:11:08 -07:00 · 2013-05-15 16:11:08 -07:00 · ed736147be
--- a/Source/AssemblyInfo.cs
+++ b/Source/AssemblyInfo.cs
@ -5,5 +5,5 @@ using System.Reflection;
 [assembly: AssemblyCompany("MS Open Tech")]
 [assembly: AssemblyProduct("Tx (LINQ to Traces)")]
 [assembly: AssemblyCopyright("Copyright © MS Open Tech 2012")]
-[assembly: AssemblyVersion("1.0.30512.0")]
-[assembly: AssemblyFileVersion("1.0.30512.0")]
+[assembly: AssemblyVersion("1.0.30515.0")]
+[assembly: AssemblyFileVersion("1.0.30515.0")]
--- a/Source/Tx.LinqPad/SamplesDescription.txt
+++ b/Source/Tx.LinqPad/SamplesDescription.txt
@ -4,15 +4,9 @@

 	<a class="download" href="http://linqpadupdates.net/tx/samples.zip">Download Tx samples</a>
 <br />
-	</p>
-<p>Tx surfaces event sources such as Event Tracing for Windows (ETW) as IObservable sequences.
-This allows using Reactive Extensions (Rx) and LINQ to Objects to perform queries on:</p>
-<ul>
-<li>Raw files such as .etl, .evtx and .blg</li>
-<li>Real-time sessions (nothing hits the disk)</li>
-</ul>
+</p>
 <p>     The Tx samples show how to mix Reactive Extensions and LINQ to Objects
-        to create efficient queries on logs/traces.
+        to create efficient queries on raw logs/traces, such as ETW, .blg files from PerfMon and Windows Event Logs
 </p>
 <p>
     For more information, check out the Tx
--- a/Source/Tx.LinqPad/TypeCache.cs
+++ b/Source/Tx.LinqPad/TypeCache.cs
@ -91,6 +91,9 @@ namespace Tx.LinqPad
                        }
                        break;

+                    case ".evtx":
+                        break;
+
                    default:
                        throw new Exception("Unknown metadata format " + f);
                }
--- a/Source/Tx.Windows/Evtx/EvtxManifestTypeMap.cs
+++ b/Source/Tx.Windows/Evtx/EvtxManifestTypeMap.cs
@ -21,8 +21,8 @@ namespace Tx.Windows
            return new ManifestEventPartitionKey
                {
                    EventId = (ushort) evt.Id,
-                    ProviderId = evt.ProviderId.Value,
-                    Version = evt.Version.Value
+                    ProviderId = evt.ProviderId.HasValue ? evt.ProviderId.Value : Guid.Empty, // looks like in evtx files we can also have name instead of Guid?
+                    Version = evt.Version.HasValue ? evt.Version.Value : (byte) 0
                };
        }

--- a/Source/Tx.Windows/Evtx/EvtxTypeMap.cs
+++ b/Source/Tx.Windows/Evtx/EvtxTypeMap.cs
@ -44,7 +44,7 @@ namespace Tx.Windows
                            EventId = (ushort) e.Id,
                            Keywords = e.Keywords.HasValue ? (ulong) e.Keywords.Value : (ulong) 0,
                            Opcode = e.Opcode.HasValue ? (byte) e.Opcode.Value : (byte) 0,
-                            ProcessId = (uint) e.ProcessId.Value,
+                            ProcessId = e.ProcessId.HasValue ? (uint) e.ProcessId.Value : 0,
                            ProviderId = e.ProviderId.HasValue ? e.ProviderId.Value : Guid.Empty,
                            RelatedActivityId = e.RelatedActivityId.HasValue ? e.RelatedActivityId.Value : Guid.Empty,
                            Task = e.Task.HasValue ? (ushort) e.Task.Value : (ushort) 0,