
From inside of my Windows driver, I would like to know how to:

a) turn on certain built-in providers

b) consume events in real time by providing a callback function (wherein I want to do something) that is part of my driver.

c) turn off the providers.

PS: I have loosely used the words "turn on" and "turn off". In Windows ETW parlance, I think it is referred to as "enabling" a provider.

So far, I have been searching the web for info on how to do this, but haven't found anything as of yet.

Krishna

1 Answer


Drivers are only able to provide ETW events -- they cannot control sessions or consume events.

For a) and c): use StartTrace() followed by EnableTraceEx2(). This must be done in user-mode.

For b): use OpenTrace() followed by ProcessTrace(). This must be done in user-mode.

ETW APIs for drivers: http://msdn.microsoft.com/en-us/library/windows/hardware/ff545707(v=vs.85).aspx

ETW APIs for user-mode code: http://msdn.microsoft.com/en-us/library/aa363795(v=vs.85).aspx

Jeff