Why isn't my Event Trace for Windows working?

Question

I'm trying to figure out how to use Event Tracing for Windows... but I'm failing.
Why does this code give me the error code ERROR_WMI_INSTANCE_NOT_FOUND?

#include <stdio.h>
#include <tchar.h>
#include <Windows.h>
#include <Wmistr.h>
#include <Evntrace.h>
#include <evntcons.h>

ULONG NTAPI EtpEtwBufferCallback(IN PEVENT_TRACE_LOGFILE Buffer) { return TRUE; }
VOID  NTAPI  EtpEtwEventCallback(IN PEVENT_TRACE EventTrace) { }

int _tmain()
{
    LPCTSTR loggerName = KERNEL_LOGGER_NAME;
    EVENT_TRACE_LOGFILE logFile = {0};
    logFile.LoggerName = const_cast<LPTSTR>(loggerName);
    logFile.ProcessTraceMode = PROCESS_TRACE_MODE_REAL_TIME;
    logFile.BufferCallback = EtpEtwBufferCallback;
    logFile.EventCallback = EtpEtwEventCallback;
    TRACEHANDLE hTrace = OpenTrace(&logFile);
    ULONG result = ProcessTrace(&hTrace, 1, NULL, NULL);
    // result is ERROR_WMI_INSTANCE_NOT_FOUND
    _tprintf(_T("%u\n"), result);
}

arx · Accepted Answer · 2012-07-17T07:55:50.820

1

From the ProcessTrace docs, ERROR_WMI_INSTANCE_NOT_FOUND means "the session from which you are trying to consume events in real time is not running or does not have the real-time trace mode enabled".

You can start the NT Kernel Logger using tracelog from the Windows Driver Kit, though I don't have the WDK to hand so I haven't tried it.

This article explains how to start the NT Kernel Logger yourself.

edited Jul 17 '12 at 07:55

answered Jul 16 '12 at 19:26

arx

16,686
2
44
61

What does tracelog do, exactly? Whatever it does, my program should be able to do as well -- programs like Process Monitor don't need tracelog. – user541686 Jul 17 '12 at 01:08
I actually figured it out before reading the article, but yes, that'd have been helpful; thanks! – user541686 Jul 18 '12 at 08:23

Why isn't my Event Trace for Windows working?

1 Answers1