in Microsoft.O365.Security.Native.ETW/EventRecordMetadata.hpp [181:211]
// Looks for the container ID item in the event's extended data and hands it
// back as a managed System::Guid.
//
// result: receives the parsed container ID, or System::Guid::Empty when the
//         record carries no container ID item.
// Returns true when a container ID item was found and parsed, false when the
// record has none.
// Throws ContainerIdFormatException when the item is present but parsing or
// conversion raises std::runtime_error. Despite the "Try" prefix, callers
// must still be prepared for that exception.
virtual bool TryGetContainerId([Out] System::Guid% result)
{
    const auto item_count = record_->ExtendedDataCount;
    for (USHORT index = 0; index < item_count; ++index)
    {
        auto& item = record_->ExtendedData[index];
        if (item.ExtType != EVENT_HEADER_EXT_TYPE_CONTAINER_ID)
        {
            continue;
        }

        // DataPtr and DataSize are taken from the event record as-is; this
        // method performs no length check of its own before parsing.
        // NOTE(review): presumably parse_guid validates DataSize before
        // reading through the pointer - confirm against guid_parser.
        auto* const raw_text = reinterpret_cast<char*>(item.DataPtr);
        try
        {
            // Native GUID -> managed System::Guid for the managed caller.
            result = ConvertGuid(
                krabs::guid_parser::parse_guid(raw_text, item.DataSize));
        }
        catch (const std::runtime_error& parse_error)
        {
            // Surface the native failure as a managed exception, keeping
            // the original message text.
            throw gcnew ContainerIdFormatException(
                gcnew System::String(parse_error.what()));
        }

        // Only the first container ID item is considered.
        return true;
    }

    // No container ID item in the extended data.
    result = System::Guid::Empty;
    return false;
}