3

Using C++/Win32 API I create myself an event trace session. My application must supported NT5 thus I can't newer the newer APIs.

I am using the circular mode flags and real time flags.

I have everything working apart from one snag, when I reboot the machine the ETW session isn't persisted, my service starts up and recreates the ETW session (as the reboot has wiped it) which then causes the log file to be overwritten.

According to MSDN I must use the "global" logger on NT5 of which there can only be one, or an "AutoLogger" on NT6 of which there can be many. However MSDN says:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa363687(v=vs.85).aspx

The AutoLogger sessions increase the system boot time and should be used sparingly. Services that want to capture information during the boot process should consider adding controller logic to itself instead of using the AutoLogger session.

Sounds like overkill for what I'm trying to do. Indeed my service does contain the "controller" logic itself.

So how do I get ETW to keep my trace session for the next reboot? Or alternatively how do I re-create my ETW session on the next reboot without overwriting the ETW file if its already there?

paulm
  • 5,629
  • 7
  • 47
  • 70
  • What do you have so far in term of code? – ALOToverflow Apr 07 '15 at 18:09
  • I don't have a min repro at the moment - its abstracted in to controller/provider/consumer objects etc – paulm Apr 07 '15 at 18:23
  • Okay. So there is a difference in terms of consumers and sessions that might not be clear in the documentation. Some loggers can only be started once, but you can still have multiple consumers getting events from them (NT kernel logger, Global Logger, etc.). – ALOToverflow Apr 07 '15 at 18:27

0 Answers0