Consuming “Event Tracing for Windows” events
https://stackoverflow.com/questions/2384161
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
An answer to this question has led me to look into using "Event Tracing for Windows" for our tracing needs. I have come across NTrace, which seems to be a good way to produce ETW events from C# code (using the XP-compatible "classic provider" model).
However, I am unable to find an easy way to consume these events - to see them in real-time and/or log them to a file. The only way I have found is that described in the NTrace documentation: using a tool which is only available as part of the Windows DDK.
In the case of a complex problem in the field, we may need to ask the user to produce a file containing a trace. We can't ask users to download the DDK or carry out a number of complex operations in order to do this.
Is there a straightforward, user-friendly way to log ETW events to a file?
Also, is it possible for someone to consume ETW events on Windows Vista/7 if they are not running as administrator?
Solution
TraceView is the easiest out-of-the-box solution, but it is possible to write your own ETW viewer that is specific to your provider. This would give you full control over the presentation and make it much easier on the end user as TraceView is really more of a debugging tool than something you can ask end users to run.
As far as real-time tracing goes, according to the documentation:
Only users with administrative privileges, users in the Performance Log Users group, and services running as LocalSystem, LocalService, NetworkService can consume events in real time. To grant a restricted user the ability to consume events in real time, add them to the Performance Log Users group.
Windows XP and Windows 2000: Anyone can consume real time events.
If you're interested in writing your own ETW viewer (real-time or log file), here is the relevant documentation.
OTHER TIPS
Windows Event Log reads the ETW. In fact I'd say this is the correct way for a consumer (non program) to view and export the ETW traces.
See here for an example. http://blogs.microsoft.co.il/blogs/applisec/archive/2009/10/12/reading-etw-tracing-using-event-viewer.aspx
This question on msdn Discuses what to do when the logs don't appear. Does anything here help?
ETW tracing was designed to run only by administrators because trace may contain personal identifiable information. And it would pose security threat if a non-admin can capture the trace.
Here is a warning Example from xperf
The trace you have just captured "C:\Windows\system32\kernel.etl" may contain personally identifiable information, including but not necessarily limited to paths to files accessed, paths to registry accessed and process names. Exact information depends on the events that were logged. Please be aware of this when sharing out this trace with other people.
Hope this answers your question
Here is how you can get custom ETW traces from your own custom provider and how ETW can be used within managed code
Hope this helps.
