Questions tagged [etw]

Event Tracing for Windows (ETW) is a high-speed tracing facility provided by the Windows Operating System which was first introduced in Windows 2000.

25votes
6answers
10kviews

ETW, .NET 4.5 - how to write to the event log?

I am trying to wrap my head around ETW and how to integrate it into a high performance application. We all know the old dreaded EventLog with its non-structured (and thus not so optimal) API. Now ...
24votes
2answers
6kviews

.NET Tracing: What is the "Default" listener?

Every example of tracing in .NET people remove the "Default" listener: <configuration> <system.diagnostics> <sources> <source name="TraceSourceApp" switchName="...
23votes
2answers
7kviews

Performance counter vs ETW

Are performance counters part of ETW? If not, what is the difference between the two?
21votes
3answers
9kviews

Risk of missing events from ETW logging with EventSource

I'm instrumenting my .NET 4.5 applications to emit ETW events using the EventSource class. The goal is to be able to capture some of these events (the Error level events) for error logging. After ...
16votes
2answers
12kviews

How to use ETW from a C++ Windows client

I'm researching Event Tracing for Windows (ETW) to allow a user-mode windows client to write out tracing information. The existing documentation is, to put it lightly, insanely incomplete. What would ...
15votes
3answers
3kviews

What is the best way to log exceptions using ETW?

Is there a standard way to log exceptions using ETW? As far as I have seen the only way to do this is to log the message and possibly the inner exception message as there is not strongly typed ...
15votes
2answers
5kviews

How do you view ETW events created by EventSource using Windows Performance Analyzer?

I would like to fire ETW events using EventSource and view them with Windows Performance Analyzer. I have a basic EventSource: [EventSource(Name = "BasicEventSource")] public class ETWLogger : ...
14votes
4answers
8kviews

WARNING -Provider resources not accessible running wevtutil

I need help solving the "Provider '' resources not accessible" when trying to create a Windows event provider. I create my manifest file with the ManGen utility, and name my '.exe' file as my message ...
14votes
2answers
7kviews

Why use ETW over EventLog and vice versa?

Why should I use Event Tracing for Windows (ETW) over the standard .NET EventLog class, and vice versa? Does knowing that we'll be using quite a few performance counters impact the decision? What I ...
11votes
1answer
3kviews

Getting WPF ETW events using XPerf.exe

I cannot figure out the correct combination of command line switches and parameters to feed to XPerf.exe to get it to load the WPF ETW provider (Microsoft-Windows-WPF? a42c77db-874f-422e-9b44-...
11votes
4answers
10kviews

How to consume real-time ETW events from the Microsoft-Windows-NDIS-PacketCapture provider?

The larger question is how to consume real-time ETW network stack events in general but I'm particularly interested in the Microsoft-Windows-NDIS-PacketCapture provider. All other network stack ...
11votes
3answers
2kviews

What exactly are new ETW features in CLR 4.0?

My colleague mentioned that there are some major improvements in CLR 4.0 related to Event Tracing for Windows but I couldn't find details of what exactly is new. There are few blog posts that mention ...
9votes
3answers
6kviews

Windows - see active ETW sessions so that I can close one of them

I am working with Event Tracing for Windows API, and from time to time, I run my application and it does not manage to close the ETW trace controller session after opening it. Basically I do ::...
9votes
2answers
4kviews

Azure ServiceFabric samples not logging to ETW

I'm running the very first sample of ServiceFabric (Preview version 1.4.87): https://azure.microsoft.com/en-us/documentation/articles/service-fabric-create-your-first-application-in-visual-studio/ , ...
9votes
1answer
2kviews

what does AWAIT_TIME exactly mean in the Azure profiler?

I am looking at my performance profile of one of my slowest requests, and I see an AWAIT_TIME of more than 6 seconds, but I am not able to get any more information regarding it. How do I figure out ...
9votes
4answers
3kviews

How can I organize EventSources for the Semantic Logging Application Block?

The Semantic Logging Application Block (SLAB) is very appealing to me, and I wish to use it in a large, composite application I am writing. To use it, one writes a class derived from 'EventSource', ...
8votes
5answers
2kviews

Why does implementing an interface on a subclass of EventSource throw an exception at runtime?

I'm trying to use Event Tracing for Windows (ETW) in my .NET application via the EventSource class that was included in .NET 4.5. I'm subclassing EventSource as MyEventSource and trying to implement ...
8votes
1answer
5kviews

How do I get the address to kernel modules nt and win32k?

I need to know the base addresses where nt and win32k are loaded. I can find out this information by booting the system with kernel debugging enabled, start a kernel debug session, and run the ...
8votes
3answers
2kviews

How do I listen to TPL TaskStarted/TaskCompleted ETW events

I am interested in listening to ETW (event tracing for Windows) TPL events, in particular I'd like to know when a Task starts and when it stops. Here's a sample program I've used for testing: ...
8votes
2answers
931views

How can I use the TCB value from the ETW Microsoft-Windows-TCPIP provider to get the TCB information

I am trying to capture real time data on TCP connections on a machine using ETW and the Microsoft-Windows-TCPIP provider and the Microsoft TraceEvent Library. One of the values you can get from this ...
8votes
1answer
440views

Translating TypeId from GCSampledObjectAllocationHigh

I have code that uses the Microsoft.Diagnostics.Tracing.TraceEvent NuGet package, and I wrote the following code: using (var session = new TraceEventSession("mine")) { session.StopOnDispose = ...
8votes
0answers
459views

Winsock tracing can't get verbose level events

While it's very easy to get info level tracing started with Windows-Winsock-AFD using: netsh trace start provider=Microsoft-Windows-Winsock-AFD TraceFile=my_ winsock_log3_trace.etl the file ...
7votes
2answers
3kviews

Can ETW (event tracing for windows) be used to gather also memory statistics?

Is it possible using ETW to also get memory statistics of all the processes and the system? With memory statistics I mean: e.g. Committed bytes, private bytes, paged pool, working set,... I cannot ...
7votes
5answers
13kviews

Consuming "Event Tracing for Windows" events

An answer to this question has led me to look into using "Event Tracing for Windows" for our tracing needs. I have come across NTrace, which seems to be a good way to produce ETW events from C# code (...
7votes
1answer
2kviews

How to get a list of all Windows Event Logs (Event Viewer Logs) with their hierarchy and friendly names in C#

I'm trying to replicate the following from the Event Viewer: I'm having trouble with a few things. Some of the names I get back are not the display names or friendly names. For example, for "...
7votes
1answer
984views

Is it possible to subclass an EventSource in ETW?

I'd like to be able to declare an EventSource which has a minimum of several methods which by default provide regular logging facilities. e.g. Info() Warn() Error() In addition I'd like to be able ...
7votes
0answers
2kviews

Using "Microsoft Windows Security Auditing" provider in real-time consumer with ETW (Event Tracing for Windows)

My task is to make an ETW real-time consumer with events provided by 'Microsoft Windows Security Auditing'. I made a simple controller and consumer application, basing on this example http://msdn....
7votes
3answers
585views

Dependency concerns Implementing EventSource for semantic logging in large application

I'm working on a large product consisting of a three windows services and several normal windows applications (.exe). Now we want to move to ETW and Semantic Logging, and use the Microsoft....
6votes
1answer
524views

Using .NET 4.5.1, how do I use some of the non-intuitive properties provided by ETW?

With the advancements in .NET v4.5.1, I would like to jump on the ETW bandwagon. However, it is unclear how some of the properties are best used to create an intuitive custom trace. How do I use some ...
6votes
2answers
5kviews

C++ Event Tracing for Windows (ETW) wrapper [closed]

I have been investigating Event Tracing for Windows (ETW) for use within existing backend/server applications. MSDN and other sources have sold the power of the framework and its integration with ...
6votes
3answers
2kviews

Get total number of allocations in C#

Is there a way to get the total number of allocations (note - number of allocations, not bytes allocated)? It can be either for the current thread, or globally, whichever is easier. I want to check ...
6votes
1answer
419views

AppFabric - Etw - Unable to unregister the trace provider

We're using AppFabric Monitoring to inspect execution timings and to track log messages. This works pretty well since one year, but a few servers have suddenly stopped monitoring our WCF services. I ...
6votes
3answers
3kviews

ETW tracking from .net, user mode and driver

We have an application that parts of it are in .NET, C++ usermode and C++ drivers. The application is divided into several executables that run on demand and communicate with each other using LPC(...
6votes
1answer
3kviews

EventSource tracing with correlated activity id

I've started using ETW and the out-of-process Semantic Logging Block from Entlib 6. When I use async/await, the CurrentThreadActivityId is not set on the continuation thread and the TPL framework ...
5votes
2answers
4kviews

.Net 4.5 EventSource ETW provider not showing up in provider list

I have been working on using .NET4.5 new feature ETW(EventSource). I have trouble having it show up on the trace provider lists using perfmon->Data Collector Sets. I was able to see the logs using ...
5votes
1answer
925views

WPA does not see ETW event data, tracerpt does

I am capturing ADO.Net diagnostics ETW, as described in Data Access Tracing in SQL Server 2008. The setup works, an ETL file is produced and I can see the ADO.Net trace if I use, say, tracerpt: ...
5votes
1answer
611views

EventSource vs EventProvider

What are the main differences between the EventSource and EventProvider classes? I understand both classes to be an event provider for ETW. If there aren't key differences in the two then what are ...
5votes
1answer
1kviews

TraceEventSession usage in ServiceFabric application raises insufficient resource error

I have a stateful Service Fabric application running in a cluster. I have about 20 stateful applications running in the same cluster. I have used TraceEventSession for correlation purposes. My ...
5votes
2answers
3kviews

Are there any ETW events created by IIS or ASP.NET which include the request URL?

I have been trying, without much success, to capture ETW events created by IIS or ASP.NET which include the request URL. I am using Windows 8 (development) and Windows Server 2008 R2 (production), ...
5votes
1answer
3kviews

Which API does Windows Resource Monitor use?

Windows Resource Monitor displays (among other things) which files on disk are currently accessed by which processes. And it does that in realtime. How? I know that it probably uses ETW and that I ...
5votes
1answer
354views

Semantic Logging: An item with the same key has already been added

I'm trying to use the new semantic application block for logging. As per MSDN I have a test method which inspects the EventSource using EventSourceAnalyzer.InspectAll(MyEventSource.Log); But when I run ...
5votes
1answer
645views

Trouble registering an ETW Provider [duplicate]

I am working on a UWP based application for Windows 10 IoT and I am wanting to configure ETW Tracing so I can view logging remotely using the integrated web interface: I believe I have created the ...
4votes
2answers
1kviews

How to view generic event details with wpa?

I record ETW events for CLR provider: xperf -start clr -on e13c0d23-ccbc-4e12-931b-d9cc2eee27e4 -f clr.etl ... xperf -stop clr then open clr.etl in wpa.exe and see plenty of 'generic event'. But ...
4votes
1answer
1kviews

Activate Stacks only for some specific ETW Tasks in a provider?

Since Windows 7 it is possible to activate callstacks for usermode events. This works fine, but sometimes activating stacks for all tasks/Events in a provider is not needed and it would be nice to ...
4votes
3answers
2kviews

Optimizing Stack-Walking performance

Currently I use the dbghelp library to walk through the stack of some process' thread (using GetThreadContext() and StackWalk64()) and collect only the return addresses each frame contains. However, ...
4votes
2answers
1kviews

Is there a tool to dump/show event data templates defined in a provider's manifest?

> wevtutil.exe gp <provider-name> /ge /gm /f:xml prints the manifest given a provider, except for its data templates. Is there a tool I am missing that would display the templates defined in ...
4votes
1answer
4kviews

Strange threads in application in Win7 WOW64

We are observing 4-6 threads on Windows 7 x64 in the application which have 3 threads and behaves normally on any Windows (either 32 or 64 bit) prior Windows 7. Process Explorer shows the following "...
4votes
1answer
2kviews

How to correlate RPC calls in ETW traces?

I recorded a trace of an application performing Local RPC calls on Windows. I used xperf with the Microsoft-Windows-RPC provider enabled. After opening the trace, I realized that it's not that simple ...
4votes
1answer
680views

How to remotely register static ETW manifests as part of a website deployment?

I'm doing a pilot effort to use the new EventSource (Microsoft.Diagnostics.Tracing.EventSource from nuget) and its new support for ETW channels in order to write to the windows event log. The code is ...
4votes
1answer
1kviews

Windows File System Filter Driver

I am trying to create a small file system filter driver for testing/demonstrating how to track the impact that filter drivers have on I/O performance using ETW in Windows Server 2008 R2. I've ...