Filtering ETW Event Callbacks

Asked Feb 16 '15 at 14:52

Active Feb 16 '15 at 14:58

Viewed 751 times

Is there any way to filter ETW Event callbacks?

I am getting all of the events I need by starting a trace with a keyword; unfortunately some keywords enable many many event ids (for example, FILEIO keyword for Microsoft-Windows-Kernel-File provider gives me all IO events, when I just need file close). I can filter these within the callback but I'd rather not even receive the callback for certain event IDs. I've tried the PEVENT_FILTER_DESCRIPTOR with EnableTraceEx2 but without any luck (filters seem to have no effect).

Do those filters work on Window 7?
Are there other ways to filter callbacks?

Thanks!

edited Feb 16 '15 at 14:58

asked Feb 16 '15 at 14:52

Ed Bigelow

So you only want to trigger your callback on FileIo events? – ALOToverflow Apr 22 '15 at 13:59
@ALOToverflow That was just an example, but notionally I only want to trigger my callback on "File Close" events. Through trace keywords you can filter on "File IO" events, but not specific event IDs within that keyword. (The "File IO" keyword enables: File Open, Read, Write and Close, among others). – Ed Bigelow Apr 23 '15 at 19:08

Filtering ETW Event Callbacks

0 Answers0