Tags: c#, etw

Consuming an ETW kernel trace using C#


I am using Windows Server 2012 and trying to consume a kernel trace from ETW using C#. For example, I have a Data Collector Set entitled "LiveKernel" which has a "Windows Kernel Trace" provider catching thread syscall events and the stream mode is Real Time.

Using the code made available by Daniel Vasquez Lopez as a starting point, I am trying to consume these events. However, the output I receive is always just:

Listening...Press <Enter> to exit

which, to me, indicates that it is not consuming any events. My understanding of this code is that all I have to do is change the name and GUID to reflect my new choices, so I update the code to have

    // 9E814AAD-3204-11D2-9A82-006008A86939 is the GUID of the "Windows Kernel Trace" provider
    Guid RewriteProviderId = new Guid("9E814AAD-3204-11D2-9A82-006008A86939");
    // "LiveKernel" is the name of the real-time Data Collector Set described above
    using (EventTraceWatcher watcher = new EventTraceWatcher("LiveKernel", RewriteProviderId)) {

Is there something I am missing here? Is there a better way to consume a Kernel Trace? Is there something special about the "Windows Kernel Trace" provider that prevents us from consuming events from it in real time?


Solution

  • To accomplish what you want, use the TraceEvent library from Vance Morrison's blog. I have tested the sample on my Windows 8 machine running as administrator and it works perfectly.

    To list each payload property name and value, replace the sample's delegate with the one below.

    // Generic handler: works for any event, since TraceEvent exposes the
    // payload schema at runtime through PayloadNames/PayloadByName.
    Action<TraceEvent> action = delegate(TraceEvent data)
    {
      foreach (var name in data.PayloadNames)
      {
        Console.WriteLine("\t" + name + " -- " + data.PayloadByName(name));
      }
    };

    Simply run the sample then start a new process and you should start seeing some trace info.

    [Image: Trace output when starting IE10 on Win8]

    -- Lars
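The following is an added, complete example of the approach Lars describes; it is not code from the question, from his answer, or from the TraceEvent samples. It creates its own real-time kernel session with the TraceEvent library (NuGet package Microsoft.Diagnostics.Tracing.TraceEvent) instead of attaching to a Data Collector Set, enables the kernel provider by keyword rather than by GUID, handles process and thread events with their strongly typed payloads, and falls back to the PayloadNames loop from the answer for everything else. It assumes a console project on Windows 8 or later, run from an elevated prompt; the session name, the keyword choice and the output format are the example's own choices.

```csharp
// Added example: real-time Windows kernel ETW consumer using the TraceEvent library.
// Assumes NuGet package Microsoft.Diagnostics.Tracing.TraceEvent and an elevated prompt.
using System;
using Microsoft.Diagnostics.Tracing;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Parsers.Kernel;
using Microsoft.Diagnostics.Tracing.Session;

class KernelTraceConsumer
{
    static int Main()
    {
        // Kernel providers require an administrator token. Without it the session
        // is created but delivers nothing, so check explicitly and fail loudly.
        if (TraceEventSession.IsElevated() != true)
        {
            Console.Error.WriteLine("Kernel tracing needs an elevated (administrator) prompt.");
            return 1;
        }

        // No file name -> real-time session. Before Windows 8 the kernel provider could
        // only be consumed through the fixed "NT Kernel Logger" session; that name
        // (KernelTraceEventParser.KernelSessionName) still works everywhere.
        using (var session = new TraceEventSession(KernelTraceEventParser.KernelSessionName))
        {
            // Tear the session down on exit so the kernel stops filling buffers for us.
            session.StopOnDispose = true;
            Console.CancelKeyPress += delegate { session.Dispose(); };

            // The kernel provider is enabled by keyword flags, not by provider GUID.
            // Process/Thread/ImageLoad are low volume; SystemCall is extremely high
            // volume and should only be added together with a tight filter in the handler.
            session.EnableKernelProvider(
                KernelTraceEventParser.Keywords.Process |
                KernelTraceEventParser.Keywords.Thread |
                KernelTraceEventParser.Keywords.ImageLoad);

            KernelTraceEventParser kernel = session.Source.Kernel;

            // Strongly typed handlers for the events we care about most. Process start
            // with parent PID and full command line is a staple detection data source.
            kernel.ProcessStart += delegate (ProcessTraceData data)
            {
                Console.WriteLine("{0:HH:mm:ss.fff} Process/Start pid={1} ppid={2} image={3} cmd={4}",
                    data.TimeStamp, data.ProcessID, data.ParentID, data.ImageFileName, data.CommandLine);
            };
            kernel.ProcessStop += delegate (ProcessTraceData data)
            {
                Console.WriteLine("{0:HH:mm:ss.fff} Process/Stop  pid={1} image={2} exit={3}",
                    data.TimeStamp, data.ProcessID, data.ImageFileName, data.ExitStatus);
            };
            kernel.ThreadStart += delegate (ThreadTraceData data)
            {
                Console.WriteLine("{0:HH:mm:ss.fff} Thread/Start  pid={1} tid={2}",
                    data.TimeStamp, data.ProcessID, data.ThreadID);
            };

            // Generic fallback for everything else enabled above (image loads, rundown
            // events): dump each payload field by name, as in the answer. Process and
            // thread events are skipped here because they already have typed handlers.
            kernel.All += delegate (TraceEvent data)
            {
                if (data is ProcessTraceData || data is ThreadTraceData)
                    return;
                Console.WriteLine("{0:HH:mm:ss.fff} {1} pid={2}", data.TimeStamp, data.EventName, data.ProcessID);
                foreach (string name in data.PayloadNames)
                    Console.WriteLine("\t{0} -- {1}", name, data.PayloadByName(name));
            };

            Console.WriteLine("Listening... press Ctrl+C to stop");
            session.Source.Process();   // blocks, dispatching events until the session is disposed
        }
        return 0;
    }
}
```

Start a new process while this runs and the Process/Start line with its command line should appear immediately; if nothing arrives, the usual causes are a non-elevated prompt or a leftover "NT Kernel Logger" session from an earlier run (which `logman stop "NT Kernel Logger" -ets` clears).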