Event Tracing
Overview of the Event Tracing technology.
To develop Event Tracing, you need these headers:
For programming guidance for this technology, see:
Enumerations
| DECODING_SOURCE Defines the source of the event data. |
| ETW_PROCESS_HANDLE_INFO_TYPE Specifies the operation that will be performed on a trace processing session. |
| EVENT_FIELD_TYPE Defines the provider information to retrieve. |
| EVENT_INFO_CLASS The EVENT_INFO_CLASS enumeration type is used with the EventSetInformation function to specify the configuration operation to be performed on an ETW event provider registration. |
| EVENTSECURITYOPERATION Defines what component of the security descriptor that the EventAccessControl function modifies. |
| MAP_FLAGS Defines constant values that indicate if the map is a value map, bitmap, or pattern map. |
| MAP_VALUETYPE Defines if the value map value is in a ULONG data type or a string. |
| PROPERTY_FLAGS Defines if the property is contained in a structure or array. |
| TDH_CONTEXT_TYPE Defines the context type. |
| TEMPLATE_FLAGS Defines constant values that indicates the layout of the event data. |
| TRACE_QUERY_INFO_CLASS Used with EnumerateTraceGuidsEx and TraceSetInformation to specify a type of trace information. |
Functions
| AddLogfileTraceStream Adds a new logfile-based ETW trace stream to the relogger. |
| AddRealtimeTraceStream Adds a new real-time ETW trace stream to the relogger. |
| Cancel Terminates the relogging process. |
| Clone Creates a duplicate copy of an event. |
| CloseTrace The CloseTrace function closes a trace processing session that was created with OpenTrace. |
| ControlTraceA The ControlTrace function flushes, queries, updates, or stops the specified event tracing session. |
| ControlTraceW The ControlTrace function flushes, queries, updates, or stops the specified event tracing session. |
| CreateEventInstance Generates a new event. |
| CreateTraceInstanceId A RegisterTraceGuids-based ("Classic") event provider uses the CreateTraceInstanceId function to create a unique transaction identifier and map it to a registration handle. The provider can then use the transaction identifier when calling the TraceEventInstance function. |
| CveEventWrite A tracing function for publishing events when an attempted security vulnerability exploit is detected in your user-mode application. |
| EnableTrace A trace session controller calls EnableTrace to configure how an ETW event provider logs events to a trace session. The EnableTraceEx2 function supersedes this function. |
| EnableTraceEx A trace session controller calls EnableTraceEx to configure how an ETW event provider logs events to a trace session. The EnableTraceEx2 function supersedes this function. |
| EnableTraceEx2 A trace session controller calls EnableTraceEx2 to configure how an ETW event provider logs events to a trace session. |
| EnumerateTraceGuids Retrieves information about event trace providers that are currently running on the computer. The EnumerateTraceGuidsEx function supersedes this function. |
| EnumerateTraceGuidsEx Retrieves information about event trace providers that are currently running on the computer. |
| EventAccessControl Adds or modifies the permissions of the specified provider or session. |
| EventAccessQuery Retrieves the permissions for the specified controller or provider. |
| EventAccessRemove Removes the permissions defined in the registry for the specified provider or session. |
| EventActivityIdControl Creates, queries, and sets activity identifiers for use in ETW events. |
| EventDataDescCreate Sets the values of an EVENT_DATA_DESCRIPTOR. |
| EventDescCreate Sets the values of an event descriptor. |
| EventDescGetChannel Retrieves the channel from the event descriptor. |
| EventDescGetId Retrieves the event identifier from the event descriptor. |
| EventDescGetKeyword Retrieves the keyword from the event descriptor. |
| EventDescGetLevel Retrieves the severity level from the event descriptor. |
| EventDescGetOpcode Retrieves the operation code from the event descriptor. |
| EventDescGetTask Retrieves the task from the event descriptor. |
| EventDescGetVersion Retrieves the version from the event descriptor. |
| EventDescOrKeyword Adds another keyword to the event descriptor. |
| EventDescSetChannel Sets the Channel member of the event descriptor. |
| EventDescSetId Sets the Id member of the event descriptor. |
| EventDescSetKeyword Sets the Keyword member of the event descriptor. |
| EventDescSetLevel Sets the Level member of the event descriptor. |
| EventDescSetOpcode Sets the Opcode member of the event descriptor. |
| EventDescSetTask Sets the Task member of the event descriptor. |
| EventDescSetVersion Sets the Version member of the event descriptor. |
| EventDescZero Initializes an event descriptor to zero. |
| EventEnabled Determines whether an event provider should generate a particular event based on the event's EVENT_DESCRIPTOR. |
| EventProviderEnabled Determines whether an event provider should generate a particular event based on the event's Level and Keyword. |
| EventRegister Registers an ETW event provider, creating a handle that can be used to write ETW events. |
| EventSetInformation Configures an ETW event provider. |
| EventUnregister Unregisters an ETW event provider. |
| EventWrite Writes an ETW event that uses the current thread's activity ID. |
| EventWriteEx Writes an ETW event with an activity ID, an optional related activity ID, session filters, and special options. |
| EventWriteString Writes an ETW event that contains a string as its data. This function should not be used. |
| EventWriteTransfer Writes an ETW event with an activity ID and an optional related activity ID. |
| FlushTraceA The FlushTrace function causes an event tracing session to immediately deliver buffered events for the specified session. The ControlTrace function supersedes this function. |
| FlushTraceW The FlushTrace function causes an event tracing session to immediately deliver buffered events for the specified session. The ControlTrace function supersedes this function. |
| GetEventRecord Retrieves the event record that describes an event. |
| GetTraceEnableFlags A RegisterTraceGuids-based ("Classic") event provider uses the GetTraceEnableFlags function to retrieve the enable flags specified by the trace controller to indicate which category of events to trace. Providers call this function from their ControlCallback function. |
| GetTraceEnableLevel A RegisterTraceGuids-based ("Classic") event provider uses the GetTraceEnableLevel function to retrieve the enable level specified by the trace controller to indicate which level of events to trace. Providers call this function from their ControlCallback function. |
| GetTraceLoggerHandle A RegisterTraceGuids-based ("Classic") event provider uses the GetTraceLoggerHandle function to retrieve the handle of the event tracing session to which it should write events. Providers call this function from their ControlCallback function. |
| GetUserContext Retrieves the user context associated with the stream to which the event belongs. |
| Inject Injects a non-system-generated event into the event stream being written to the output trace logfile. |
| OnBeginProcessTrace Indicates that a trace is about to begin so that relogging can be started. |
| OnEvent Indicates that an event has been received on the trace streams associated with a relogger. |
| OnFinalizeProcessTrace Indicates that a trace is about to end so that relogging can be finalized. |
| OpenTraceA The OpenTrace function opens an ETW trace processing handle for consuming events from an ETW real-time trace session or an ETW log file. |
| OpenTraceW The OpenTrace function opens an ETW trace processing handle for consuming events from an ETW real-time trace session or an ETW log file. |
| PENABLECALLBACK ETW event providers optionally define an EnableCallback function to receive configuration change notifications. The PENABLECALLBACK type defines a pointer to this callback function. EnableCallback is a placeholder for the application-defined function name. |
| PEVENT_CALLBACK ETW event consumers implement this callback to receive events from a trace processing session. The EventRecordCallback callback supersedes this callback. |
| PEVENT_RECORD_CALLBACK ETW event consumers implement this callback to receive events from a trace processing session. The PEVENT_RECORD_CALLBACK type defines a pointer to this callback function. EventRecordCallback is a placeholder for the application-defined function name. |
| PEVENT_TRACE_BUFFER_CALLBACKA ETW event consumers implement this function to receive statistics about each buffer of events that ETW delivers during a trace processing session. |
| PEVENT_TRACE_BUFFER_CALLBACKW ETW event consumers implement this function to receive statistics about each buffer of events that ETW delivers during a trace processing session. |
| ProcessTrace Delivers events from one or more trace processing sessions to the consumer. |
| ProcessTrace Delivers events from the associated trace streams to the consumer. |
| QueryAllTracesA The QueryAllTraces function retrieves the properties and statistics for all event tracing sessions for which the caller has permissions to query. |
| QueryAllTracesW The QueryAllTraces function retrieves the properties and statistics for all event tracing sessions for which the caller has permissions to query. |
| QueryTraceA The QueryTrace function retrieves the property settings and session statistics for the specified event tracing session. The ControlTrace function supersedes this function. |
| QueryTraceProcessingHandle Retrieves information about an ETW trace processing session opened by OpenTrace. |
| QueryTraceW The QueryTrace function retrieves the property settings and session statistics for the specified event tracing session. The ControlTrace function supersedes this function. |
| RegisterCallback Registers an implementation of IEventCallback with the relogger in order to signal trace activity (starting, stopping, and logging new events). |
| RegisterTraceGuidsA Registers a "Classic" (Windows 2000-style) ETW event trace provider and the event trace classes that it uses to generate events. This function is obsolete. |
| RegisterTraceGuidsW Registers a "Classic" (Windows 2000-style) ETW event trace provider and the event trace classes that it uses to generate events. This function is obsolete. |
| RemoveTraceCallback The RemoveTraceCallback function stops an EventCallback function from receiving events for an event trace class. This function is obsolete. |
| SetCompressionMode Enables or disables compression on the relogged trace. |
| SetEventDescriptor Sets the event descriptor for an event. |
| SetOutputFilename Indicates the file to which ETW should write the new, relogged trace. |
| SetPayload Sets the payload for an event. |
| SetProcessId Assigns an event to a specific process. |
| SetProviderId Sets the GUID for the provider which traced an event. |
| SetThreadId Sets the identifier of a thread that generates an event. |
| SetTimeStamp Sets the time at which an event occurred. |
| SetTraceCallback The SetTraceCallback function specifies an EventCallback function to process events for the specified event trace class. This function is obsolete. |
| StartTraceA The StartTrace function starts an event tracing session. |
| StartTraceW The StartTrace function starts an event tracing session. |
| StopTraceA The StopTrace function stops the specified event tracing session. The ControlTrace function supersedes this function. |
| StopTraceW The StopTrace function stops the specified event tracing session. The ControlTrace function supersedes this function. |
| TdhAggregatePayloadFilters Aggregates multiple payload filters for a single provider into a single data structure for use with the EnableTraceEx2 function. |
| TdhCleanupPayloadEventFilterDescriptor Frees the aggregated structure of payload filters created using the TdhAggregatePayloadFilters function. |
| TdhCloseDecodingHandle Frees any resources associated with the input decoding handle. |
| TdhCreatePayloadFilter Creates a single filter for a single payload to be used with the EnableTraceEx2 function. |
| TdhDeletePayloadFilter Frees the memory allocated for a single payload filter by the TdhCreatePayloadFilter function. |
| TdhEnumerateManifestProviderEvents Retrieves the list of events present in the provider manifest. |
| TdhEnumerateProviderFieldInformation Retrieves the specified field metadata for a given provider. |
| TdhEnumerateProviderFilters Enumerates the filters that the specified provider defined in the manifest. |
| TdhEnumerateProviders Retrieves a list of providers that have registered a MOF class or manifest file on the computer. |
| TdhFormatProperty Formats a property value for display. |
| TdhGetDecodingParameter Retrieves the value of a decoding parameter. |
| TdhGetEventInformation Retrieves metadata about an event. |
| TdhGetEventMapInformation Retrieves information about the event map contained in the event. |
| TdhGetManifestEventInformation Retrieves metadata about an event in a manifest. |
| TdhGetProperty Retrieves a property value from the event data. |
| TdhGetPropertySize Retrieves the size of one or more property values in the event data. |
| TdhGetWppMessage Retrieves the formatted WPP message embedded into an EVENT_RECORD structure. |
| TdhGetWppProperty Retrieves a specific property associated with a WPP message. |
| TdhLoadManifest Loads the manifest used to decode a log file. |
| TdhLoadManifestFromBinary Takes a NULL-terminated path to a binary file that contains metadata resources needed to decode a specific event provider. |
| TdhOpenDecodingHandle Opens a decoding handle. |
| TdhQueryProviderFieldInformation Retrieves information for the specified field from the event descriptions for those field values that match the given value. |
| TdhSetDecodingParameter Sets the value of a decoding parameter. |
| TdhUnloadManifest Unloads the manifest that was loaded by the TdhLoadManifest function. |
| TraceEvent A RegisterTraceGuids-based ("Classic") event provider uses the TraceEvent function to send a structured event to an event tracing session. |
| TraceEventInstance A RegisterTraceGuids-based ("Classic") event provider uses the TraceEventInstance function to send a structured event to an event tracing session with an instance identifier. |
| TraceMessage A RegisterTraceGuids-based ("Classic") event provider uses the TraceMessage function to send a message-based (TMF-based WPP) event to an event tracing session. |
| TraceMessageVa A RegisterTraceGuids-based ("Classic") event provider uses the TraceMessageVa function to send a message-based (TMF-based WPP) event to an event tracing session using va_list parameters. |
| TraceQueryInformation Provides information about an event tracing session. |
| TraceSetInformation Configures event tracing session settings. |
| UnregisterTraceGuids Unregisters a "Classic" (Windows 2000-style) ETW event trace provider that was registered using RegisterTraceGuids. |
| UpdateTraceA The UpdateTrace function updates the property setting of the specified event tracing session. The ControlTrace function supersedes this function. |
| UpdateTraceW The UpdateTrace function updates the property setting of the specified event tracing session. The ControlTrace function supersedes this function. |
| WMIDPREQUEST A RegisterTraceGuids-based ("Classic") event provider implements this function to receive notifications from controllers. The WMIDPREQUEST type defines a pointer to this callback function. ControlCallback is a placeholder for the application-defined function name. |
Interfaces
| ITraceEvent Provides access to data relating to a specific event. |
| ITraceEventCallback Used by ETW to provide information to the relogger as the tracing process starts, ends, and logs events. |
| ITraceRelogger Provides access to the relogging functionality, allowing you to manipulate and relog events from an ETW trace stream. |
Structures
| CLASSIC_EVENT_ID Identifies the kernel event for which you want to enable call stack tracing. |
| ENABLE_TRACE_PARAMETERS Contains information used to enable a provider via EnableTraceEx2. |
| ENABLE_TRACE_PARAMETERS_V1 Contains information used to enable a provider via EnableTraceEx2. This structure is obsolete. |
| ETW_BUFFER_CONTEXT Provides context information about the event. |
| ETW_BUFFER_CONTEXT Provides context information about the event. |
| ETW_TRACE_PARTITION_INFORMATION Contains partition information pulled from an ETW trace. |
| EVENT_DATA_DESCRIPTOR The EVENT_DATA_DESCRIPTOR structure defines a block of data that will be used in an ETW event. |
| EVENT_DESCRIPTOR The EVENT_DESCRIPTOR structure contains information (metadata) about an ETW event. |
| EVENT_DESCRIPTOR Contains metadata that defines the event. |
| EVENT_EXTENDED_ITEM_INSTANCE Defines the relationship between events if TraceEventInstance was used to log related events. |
| EVENT_EXTENDED_ITEM_RELATED_ACTIVITYID Defines the parent event of this event. |
| EVENT_EXTENDED_ITEM_STACK_TRACE32 Defines a call stack on a 32-bit computer. |
| EVENT_EXTENDED_ITEM_STACK_TRACE64 Defines a call stack on a 64-bit computer. |
| EVENT_EXTENDED_ITEM_TS_ID Defines the terminal session that logged the event. |
| EVENT_FILTER_DESCRIPTOR Defines the filter data that a session passes to the provider's enable callback function. |
| EVENT_FILTER_EVENT_ID Defines event IDs used in an EVENT_FILTER_DESCRIPTOR structure for an event ID or stack walk filter. |
| EVENT_FILTER_EVENT_NAME Defines event IDs used in an EVENT_FILTER_DESCRIPTOR structure for an event name or stalk walk name filter. |
| EVENT_FILTER_HEADER Defines the header data that must precede the filter data that is defined in the instrumentation manifest. |
| EVENT_FILTER_LEVEL_KW Defines event IDs used in an EVENT_FILTER_DESCRIPTOR structure for a stack walk level-keyword filter. |
| EVENT_HEADER Defines information about the event. |
| EVENT_HEADER Defines information about the event. |
| EVENT_HEADER_EXTENDED_DATA_ITEM Defines the extended data that ETW collects as part of the event data. |
| EVENT_HEADER_EXTENDED_DATA_ITEM Defines the extended data that ETW collects as part of the event data. |
| EVENT_INSTANCE_HEADER The EVENT_INSTANCE_HEADER structure contains standard event tracing information common to all events written by TraceEventInstance. |
| EVENT_INSTANCE_INFO The EVENT_INSTANCE_INFO structure maps a unique transaction identifier to a registered event trace class for TraceEventInstance. |
| EVENT_MAP_ENTRY Defines a single value map entry. |
| EVENT_MAP_INFO Defines the metadata about the event map. |
| EVENT_PROPERTY_INFO Provides information about a single property of the event or filter. |
| EVENT_RECORD Defines the layout of an event that ETW delivers. |
| EVENT_RECORD Defines the layout of an event that ETW delivers. |
| EVENT_TRACE The EVENT_TRACE structure is used to deliver event information to an event trace consumer. |
| EVENT_TRACE_HEADER The EVENT_TRACE_HEADER structure contains standard event tracing information common to all events written by TraceEvent. |
| EVENT_TRACE_LOGFILEA The EVENT_TRACE_LOGFILE structure stores information about a trace data source. It is used by trace consumers when calling OpenTrace and when receiving trace data via the user-defined BufferCallback. |
| EVENT_TRACE_LOGFILEW The EVENT_TRACE_LOGFILE structure stores information about a trace data source. It is used by trace consumers when calling OpenTrace and when receiving trace data via the user-defined BufferCallback. |
| EVENT_TRACE_PROPERTIES The EVENT_TRACE_PROPERTIES structure contains information about an event tracing session and is used with APIs such as StartTrace and ControlTrace. |
| EVENT_TRACE_PROPERTIES_V2 The EVENT_TRACE_PROPERTIES_V2 structure contains information about an event tracing session and is used with APIs such as StartTrace and ControlTrace. |
| MOF_FIELD You may use the MOF_FIELD structures to append event data to the EVENT_TRACE_HEADER or EVENT_INSTANCE_HEADER structures. |
| PAYLOAD_FILTER_PREDICATE Defines an event payload filter predicate that describes how to filter on a single field in a trace session. |
| PROPERTY_DATA_DESCRIPTOR Defines the property to retrieve. |
| PROVIDER_ENUMERATION_INFO Defines the array of providers that have registered a MOF or manifest on the computer. |
| PROVIDER_EVENT_INFO Defines an array of events in a provider manifest. |
| PROVIDER_FIELD_INFO Defines the field information. |
| PROVIDER_FIELD_INFOARRAY Defines metadata information about the requested field. |
| PROVIDER_FILTER_INFO Defines a filter and its data. |
| TDH_CONTEXT Defines the additional information required to parse an event. |
| TRACE_ENABLE_INFO Defines the session and the information that the session used to enable the provider. |
| TRACE_EVENT_INFO Defines the information about the event. |
| TRACE_GUID_INFO Returned by EnumerateTraceGuidsEx. Defines the header to the list of sessions that enabled a provider. |
| TRACE_GUID_PROPERTIES Returned by EnumerateTraceGuids. Contains information about an event trace provider. |
| TRACE_GUID_REGISTRATION Used with RegisterTraceGuids to register event trace classes. |
| TRACE_LOGFILE_HEADER The TRACE_LOGFILE_HEADER structure contains information about an event tracing session and its events. |
| TRACE_PERIODIC_CAPTURE_STATE_INFO Used with TraceQueryInformation and TraceSetInformation to get or set information relating to a periodic capture state. |
| TRACE_PROVIDER_INFO Defines the GUID and name for a provider. |
| TRACE_PROVIDER_INSTANCE_INFO Defines an instance of the provider GUID. |
| TRACE_VERSION_INFO Determines the version information of the TraceLogging session. |