EventSource events show empty in Windows Performance Analyzer

Question

I can successfully generate ETW events with EventSource in a C# console app; however if I store the events in a an ETL file and use Windows Performance Analyzer, the columns corresponding to the payload values, the event name and the provider name show are empty.

QUESTION

Are there any extra configurations for the EventSource that would allow the columns in WPA to get populated?

Notes:

There is another question posted here: "How do you view ETW events created by EventSource using Windows Performance Analyzer?", I believe that that question is not a duplicate of mine, as I can see the rows representing the events in WPA, it's just that the events are empty.
If I analyze the ETL with PerView.exe, I can see that the raw data for the event is present
If I create the event from C++ using a library I have at hand, the resulting ETW events show correctly in WPA
Having empty columns in WPA is not a big issue, my real problem is that a second application written in C++ that is expecting the events to have a payload and an event name is not being able to identify the events. I believe that the empty columns in WPA and the C++ app not being to identify the events are two related symptoms, and given that the WPA having empty columns is something that anyone could reproduce by simply running the steps I describe below, that's why I mentioned that issue as the main symptom in the introduction of my question.

Minimal code:

using System.Diagnostics.Tracing;
namespace EtwConsoleApp {
    class Program {
        static void Main(string[] args) {
            MyEventSource.Instance.MyEvent("x");
            MyEventSource.Instance.MyEvent("y");
            MyEventSource.Instance.MyEvent("z");
        }
    }

    [EventSource(Guid = "56ff7ff6-0418-4501-945f-c12737bc1c70")]
    sealed class MyEventSource : EventSource {
        [Event(1, Level = EventLevel.Verbose, Opcode = EventOpcode.Info)]
        public void MyEvent(string value) {
            this.WriteEvent(1, value);
        }

        public static MyEventSource Instance = new MyEventSource();
    }
}

See the empty rows in WPA:

Open an elevated CMD
logman create trace MySession -p {56ff7ff6-0418-4501-945f-c12737bc1c70} -o MySession.etl
logman start MySession
Run C# console application
logman stop MySession
Open the ETL with WPA, you will see the three rows corresponding to the three events from the code, however the rows are empty
Open the ETL with PerfView, you will see that the raw data is present (you can dump an event to the console in PerfView by pressing ALT+D when the event is selected)

which WPA version do you use? Try the WPA from Win10 SDK: https://dev.windows.com/en-us/downloads/windows-10-sdk — magicandre1981, Feb 03 '16 at 16:52
@maciandre1981 I'm using the WPA from the latest Windows 10 SDK, the version of my WPA is 10.0.10586. I believe the issue is not WPA, but instead with the way the ETW events get generated. — rcxr, Feb 03 '16 at 20:18
System.Diagnostics.Tracing shows that you use the inbox version. try the Nuget version: https://www.nuget.org/packages/Microsoft.Diagnostics.Tracing.EventSource — magicandre1981, Feb 04 '16 at 05:04
also try to capture the Events via **xperf.exe -start UserLogger -on 56ff7ff6-0418-4501-945f-c12737bc1c70 -buffersize 4096 -f User.etl xperf.exe -stop UserLogger xperf.exe -merge User.etl kernel.etl Result.etl -compress** — magicandre1981, Feb 12 '16 at 17:06
I voted to close the question as **too broad** because you never gave any feedback to suggestions and without this we can't help you. — magicandre1981, Feb 22 '16 at 16:52
I added the solution I finally used. Which was to use the Nuget version: Micrsofot.Diagnostics.Tracing.EventSource — rcxr, Feb 23 '16 at 18:27

rcxr · Answer 1 · 2016-02-25T08:21:14.273

1

System.Diagnostics.Tracing.EventSource from .NET 4.5 does not produce events that are correctly visualized by WPA.

Solution was to use: Microsoft.Diagnostics.Tracing.EventSource

Another solution is to use: System.Diagnostics.Tracing.EventSource from .NET 4.6 (which in my case was not possible)

edited Feb 25 '16 at 08:21

answered Feb 23 '16 at 18:26

rcxr

31
3

1

posting the solution from others is not the best idea ;) – magicandre1981 Feb 24 '16 at 05:03
What's your problem? I surfaced the solution for whoever needs it in the future, I do not want benefit or anything like that, I just want to help. Also, consider that by having voted -1 on the solution, just because you "think" I am trying to steal the answer is demoting a good solution with reasons that are not related to the correctness of the solution per se. Be more objective in the future. – rcxr Feb 25 '16 at 08:21
The correct way of you would be saying, ok the nuget version helped, post it as answer and I mark it as answer. in the future I'll simply ignore you and no longer answer. – magicandre1981 Feb 27 '16 at 07:07

score 0 · Answer 2 · answered Feb 24 '16 at 05:04

0

System.Diagnostics.Tracing shows that you use the inbox version of the .net framework 4.5. Try the Nuget version Microsoft.Diagnostics.Tracing.EventSource which gets updated more often to get new features.

answered Feb 24 '16 at 05:04

magicandre1981

27,895
5
86
127

EventSource events show empty in Windows Performance Analyzer

2 Answers2