I'm using ETW to get information about particular system calls, and using SysCallEnter / SysCallExit events seems to work; however, those events are missing the process ID and thread ID. Is there a way to retrieve them?
Strangely enough, if I request a call stack event for those calls, a separate StackWalk event comes with all the required information; however, it's impossible to understand which SysCallEnter call matches that StackWalk event without having the PID/TID.
So, let's say it's impossible to get the PID and TID: is there any other way to match the StackWalk to SysCallEnter? Thanks.