Performance counter vs ETW
https://stackoverflow.com/questions/4864576
-
27-10-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
Are performance counters part of ETW? If not, what is the difference between the two?
Solution
Performance counters and ETW are distinct technologies. Performance counters are not exposed through ETW.
The basic difference: performance counters provide high-level metrics on system behavior (think timers and bytes read and objects allocated) while ETW is a diagnostic tracing and logging facility (think Debug.WriteLine messages, but richer and more structured).
Currently, both ETW and performance counters have full support from Windows, and as a developer, you can write code to produce and consume data for both technologies.
Performance Counters
Performance counters, also known as PDH (Performance Data Helper) counters, are simple numeric metrics that give you a high-level summary of how a particular system is behaving. For example, % Processor Time is a performance counter that tells you how much of the processor's time is being used to execute user-mode code. As a more complex example, # of Methods Jitted in the .NET CLR Jit category tells you how many .NET methods were JIT compiled since the start of an application.
Performance counters are generally used to monitor system health and to diagnose specific performance issues. They are a good indicator of issues when something goes wildly wrong, but they don't give you much detail as to why a particular issue is happening.
To view Windows performance counters, you can simply run perfmon. On Vista+, you might need to click on the "Performance Monitor" node to see the counter chart. To programmatically access performance counters, look at the System.Diagnostics.PerformanceCounter class in .NET or the PDH library for native code.
Event Tracing for Windows (ETW)
ETW is a tracing system built into Windows. Essentially, any component (e.g. a user application, or even the Windows kernel itself) can send out diagnostic trace information about specific events that occur that the component cares about. For example, the kernel sends out ETW events when a process starts and stops, when an image (e.g. DLL) is loaded and unloaded, when a thread is created or destroyed, or even when a thread does a context switch. The logged data is in a serialized format that's described by the component elsewhere, allowing diagnostic tools to read and understand the ETW events logged during a session. See here for a boxes-and-lines diagram of how everything works together.
ETW is meant to be fast and should not materially impact the system's performance when logging is not enabled. Starting with Vista, ETW is pervasive throughout Windows and is intended for use by application developers (meaning, specifically, your application can be an ETW provider that logs events). ETW is the basis for the Event Log, and can be used by performance profilers, debuggers, or system monitors.
See my other SO post here for some resources on interfacing with ETW.
OTHER TIPS
It would seem that based on this document starting in Vista+ performance counters have an ETW Façade so they can be consumed exactly in the same way as ETW.
The new Performance Counter Library (PERFLIB version 2.0) included with Windows Vista® offers a number of advantages to the developer, including:
A standard inter-process communication (IPC) mechanism between a provider and consumer that is based on Event Tracing for Windows (ETW) notification, and which results in simplified development and more uniform and reliable code.
