Questions tagged [etw]

Event Tracing for Windows (ETW) is a high-speed tracing facility provided by the Windows Operating System which was first introduced in Windows 2000.

Event Tracing for Windows (ETW) is a general-purpose, high-speed tracing facility provided by the Windows operating system. Using a buffering and logging mechanism implemented in the kernel, ETW provides a tracing mechanism for events raised by both user-mode applications and kernel-mode device drivers.

Additionally, ETW gives you the ability to enable and disable logging dynamically, making it easy to perform detailed tracing in production environments without requiring reboots or application restarts. The logging mechanism uses per-processor buffers that are written to disk by an asynchronous writer thread. This allows large-scale server applications to write events with minimum disturbance.

ETW is the core tracing facility in Windows on top of which both the Event Log and WPP are built.

ETW was first introduced on Windows 2000. Since then, various core OS and server components have adopted ETW to instrument their activities, and it's now one of the key instrumentation technologies on Windows platforms.

On Windows Vista, ETW has gone through a major upgrade, and one of the most significant changes is the introduction of the unified event provider model and APIs. In short, the new unified APIs combine logging traces and writing to the Event Viewer into one consistent, easy-to-use mechanism for event providers. At the same time, several new features have been added to improve developer and end user experience.

445 questions

votes

1 answer

Translating TypeId from GCSampledObjectAllocationHigh

I have code that uses the Microsoft.Diagnostics.Tracing.TraceEvent NuGet package, and I wrote the following code: using (var session = new TraceEventSession("mine")) { session.StopOnDispose = true; …

profiling etw

asked Aug 24 '15 at 22:15

Ayende Rahien

22,925
1
36
41

votes

4 answers

How can I organize EventSources for the Semantic Logging Application Block?

The Semantic Logging Application Block (SLAB) is very appealing to me, and I wish to use it in a large, composite application I am writing. To use it, one writes a class derived from 'EventSource', and includes one method in the class for each event…

c# logging etw semantic-logging

asked Mar 22 '14 at 19:04

ProfK

49,207
121
399
775

votes

2 answers

How can I use the TCB value from the ETW Microsoft-Windows-TCPIP provider to get the TCB information

I am trying to capture real time data on TCP connections on a machine using ETW and the Microsoft-Windows-TCPIP provider and the Microsoft TraceEvent Library. One of the values you can get from this is the TCB which is a number. I know what a TCB is…

c# etw

asked Feb 01 '18 at 10:52

Mant101

2,705
1
23
27

votes

1 answer

How to get a list of all Windows Event Logs (Event Viewer Logs) with their hierarchy and friendly names in C#

I'm trying to replicate the following from the Event Viewer: I'm having trouble with a few things. Some of the names I get back are not the display names or friendly names. For example, for "Microsoft Office Alerts" I just get back "OAlerts". How…

c# .net system.diagnostics etw event-viewer

asked Jun 06 '16 at 16:21

Mark

5,223
11
51
81

votes

3 answers

How do I listen to TPL TaskStarted/TaskCompleted ETW events

I am interested in listening to ETW (event tracing for Windows) TPL events, in particular I'd like to know when a Task starts and when it stops. Here's a sample program I've used for testing: using System; using System.Collections.Generic; …

c# .net task-parallel-library etw

asked Feb 16 '15 at 11:46

Marcus

5,987
3
27
40

votes

0 answers

Using "Microsoft Windows Security Auditing" provider in real-time consumer with ETW (Event Tracing for Windows)

My task is to make an ETW real-time consumer with events provided by 'Microsoft Windows Security Auditing'. I made a simple controller and consumer application, basing on this example…

security winapi event-log etw auditing

asked Jan 01 '15 at 20:20

user4410709

votes

5 answers

Consuming "Event Tracing for Windows" events

An answer to this question has led me to look into using "Event Tracing for Windows" for our tracing needs. I have come across NTrace, which seems to be a good way to produce ETW events from C# code (using the XP-compatible "classic provider"…

windows logging trace etw

asked Mar 05 '10 at 02:22

user200783

13,722
12
69
135

votes

0 answers

Winsock tracing can't get verbose level events

while it's very easy to get info level tracing started with Windows-Winsock-AFD using: netsh trace start provider=Microsoft-Windows-Winsock-AFD TraceFile=my_ winsock_log3_trace.etl the file generated seems to not include verbose level events such…

windows winsock2 netsh etw

asked May 01 '13 at 13:21

user1730969

votes

5 answers

Why does implementing an interface on a subclass of EventSource throw an exception at runtime?

I'm trying to use Event Tracing for Windows (ETW) in my .NET application via the EventSource class that was included in .NET 4.5. I'm subclassing EventSource as MyEventSource and trying to implement an interface IMyEventSource (for mocking purposes)…

.net-4.5 etw etw-eventsource perfview

asked Apr 30 '13 at 13:48

Mike

7,500
8
44
62

votes

1 answer

How do I get the address to kernel modules nt and win32k?

I need to know the base addresses where nt and win32k are loaded. I can find out this information by booting the system with kernel debugging enabled, start a kernel debug session, and run the command lm to get a list of the loaded modules. What…

windows windows-server-2008 windbg etw windows-kernel

asked May 21 '12 at 18:09

canzar

votes

3 answers

Get total number of allocations in C#

Is there a way to get the total number of allocations (note - number of allocations, not bytes allocated)? It can be either for the current thread, or globally, whichever is easier. I want to check how many objects a particular function allocates,…

c# garbage-collection allocation etw .net-core-3.1

asked Apr 07 '20 at 13:24

sashoalm

75,001
122
434
781

votes

3 answers

Dependency concerns Implementing EventSource for semantic logging in large application

I'm working on a large product consisting of a three windows services and several normal windows applications (.exe). Now we want to move to ETW and Semantic Logging, and use the Microsoft.Diagnostics.Tracing.EventSource. I read somewhere that all…

.net etw etw-eventsource

asked Oct 12 '14 at 18:30

DeCaf

6,026
1
29
51

votes

1 answer

Is it possible to subclass an EventSource in ETW?

I'd like to be able to declare an EventSource which has a minimum of several methods which by default provide regular logging facilities. e.g. Info() Warn() Error() In addition I'd like to be able to within each service, define a specific event…

.net system.diagnostics etw etw-eventsource

asked Sep 25 '13 at 10:55

jaffa

26,770
50
178
289

votes

2 answers

Can ETW (event tracing for windows) be used to gather also memory statistics?

Is it possible using ETW to also get memory statistics of all the processes and the system ? With memory statistics I mean : e.g. Commited bytes, private bytes,paged pool,working set,... I cannot find anything about using xperf to get and see memory…

performance memory etw xperf

asked May 31 '12 at 22:45

Alxg

votes

2 answers

C++ Event Tracing for Windows (ETW) wrapper

I have been investigating Event Tracing for Windows (ETW) for use within existing backend/server applications. MSDN and other sources have sold the power of the framework and its integration with xperf, etc. which frankly I am impressed…

c++ windows events trace etw

asked Jun 19 '11 at 06:14

MW_dev

2,146
1
26
40

Prev 1

…

29 30 Next