Fix issue where full process path was reported.

When running presentmon as-admin, and when running presentmon before the
target application, the application process would be reported as
\Device\HarddiskVolumn...\...\Process.exe instead of Process.exe as
in other cases.

This change prunes off everything but the Process.exe for that case.

It also makes it more clear that ImageName is only valid for process
start events (since the property on ProcessStop is not reliable).

Addresses issue #157

Author: JeffersonMontgomery-Intel

PresentData/PresentMonTraceConsumer.cpp

@@ -2186,21 +2186,23 @@ void PMTraceConsumer::HandleProcessEvent(EVENT_RECORD* pEventRecord)
             auto ImageName      = desc[1].GetData<std::wstring>();
             event.IsStartEvent  = true;
 
-            auto size = ImageName.size();
+            // When run as-administrator, ImageName will be a fully-qualified path.
+            // e.g.: \Device\HarddiskVolume...\...\Proces.exe.  We prune off everything other than
+            // the filename here to be consistent.
+            size_t start = ImageName.find_last_of('\\') + 1;
+            size_t size = ImageName.size() - start;
             event.ImageFileName.resize(size + 1);
-            wcstombs_s(&size, &event.ImageFileName[0], size + 1, ImageName.c_str(), size);
+            wcstombs_s(&size, &event.ImageFileName[0], size + 1, ImageName.c_str() + start, size);
             event.ImageFileName.resize(size - 1);
             break;
         }
         case Microsoft_Windows_Kernel_Process::ProcessStop_Stop::Id: {
             EventDataDesc desc[] = {
                 { L"ProcessID" },
-                { L"ImageName" },
             };
             mMetadata.GetEventData(pEventRecord, desc, _countof(desc));
-            event.ProcessId     = desc[0].GetData<uint32_t>();
-            event.ImageFileName = desc[1].GetData<std::string>();
-            event.IsStartEvent  = false;
+            event.ProcessId    = desc[0].GetData<uint32_t>();
+            event.IsStartEvent = false;
             break;
         }
         default:
@@ -2210,21 +2212,25 @@ void PMTraceConsumer::HandleProcessEvent(EVENT_RECORD* pEventRecord)
     } else { // hdr.ProviderId == NT_Process::GUID
         if (hdr.EventDescriptor.Opcode == EVENT_TRACE_TYPE_START ||
             hdr.EventDescriptor.Opcode == EVENT_TRACE_TYPE_DC_START) {
-            event.IsStartEvent = true;
+            EventDataDesc desc[] = {
+                { L"ProcessId" },
+                { L"ImageFileName" },
+            };
+            mMetadata.GetEventData(pEventRecord, desc, _countof(desc));
+            event.ProcessId     = desc[0].GetData<uint32_t>();
+            event.ImageFileName = desc[1].GetData<std::string>();
+            event.IsStartEvent  = true;
         } else if (hdr.EventDescriptor.Opcode == EVENT_TRACE_TYPE_END||
                    hdr.EventDescriptor.Opcode == EVENT_TRACE_TYPE_DC_END) {
+            EventDataDesc desc[] = {
+                { L"ProcessId" },
+            };
+            mMetadata.GetEventData(pEventRecord, desc, _countof(desc));
+            event.ProcessId    = desc[0].GetData<uint32_t>();
             event.IsStartEvent = false;
         } else {
             return;
         }
-
-        EventDataDesc desc[] = {
-            { L"ProcessId" },
-            { L"ImageFileName" },
-        };
-        mMetadata.GetEventData(pEventRecord, desc, _countof(desc));
-        event.ProcessId     = desc[0].GetData<uint32_t>();
-        event.ImageFileName = desc[1].GetData<std::string>();
     }
 
     std::lock_guard<std::mutex> lock(mProcessEventMutex);

PresentData/PresentMonTraceConsumer.hpp

@@ -124,10 +124,10 @@ struct InputEvent {
 
 // A ProcessEvent occurs whenever a Process starts or stops.
 struct ProcessEvent {
-    std::string ImageFileName;
-    uint64_t QpcTime;
-    uint32_t ProcessId;
-    bool IsStartEvent;
+    std::string ImageFileName;  // The name of the process exe file.  This is only available on process start events.
+    uint64_t QpcTime;           // The time of the start/stop event.
+    uint32_t ProcessId;         // The id of the process.
+    bool IsStartEvent;          // Whether this is a start event (true) or a stop event (false).
 };
 
 struct PresentEvent {