Event Tracing

  • 13 minutes to read

Overview of the Event Tracing technology.

To develop Event Tracing, you need these headers:

For programming guidance for this technology, see:

Enumerations

Title Description
DECODING_SOURCE Defines the source of the event data.
ETW_PROCESS_HANDLE_INFO_TYPE Specifies what kind of operation will be done on a handle.
EVENT_FIELD_TYPE Defines the provider information to retrieve.
EVENT_INFO_CLASS Defines a type of operation to perform on a registration object.
EVENTSECURITYOPERATION Defines what component of the security descriptor that the EventAccessControl function modifies.
MAP_FLAGS Defines constant values that indicate if the map is a value map, bitmap, or pattern map.
MAP_VALUETYPE Defines if the value map value is in a ULONG data type or a string.
PROPERTY_FLAGS Defines if the property is contained in a structure or array.
TDH_CONTEXT_TYPE Defines the context type.
TEMPLATE_FLAGS Defines constant values that indicates the layout of the event data.
TRACE_QUERY_INFO_CLASS Determines the type of information to include with the trace.

Functions

Title Description
AddLogfileTraceStream Adds a new logfile-based ETW trace stream to the relogger.
AddRealtimeTraceStream Adds a new real-time ETW trace stream to the relogger.
Cancel Terminates the relogging process.
Clone Creates a duplicate copy of an event.
CloseTrace The CloseTrace function closes a trace.
ControlTraceA The ControlTrace function flushes, queries, updates, or stops the specified event tracing session.
ControlTraceW The ControlTrace function flushes, queries, updates, or stops the specified event tracing session.
CreateEventInstance Generates a new event.
CreateTraceInstanceId The CreateTraceInstanceId function creates a unique transaction identifier and maps it to a class GUID registration handle. You then use the transaction identifier when calling the TraceEventInstance function.
CveEventWrite A tracing function for publishing events when an attempted security vulnerability exploit is detected in your user-mode application.
EnableTrace Enables or disables the specified classic event trace provider. On Windows Vista and later, call the EnableTraceEx function to enable or disable a provider.
EnableTraceEx Enables or disables the specified event trace provider. The EnableTraceEx2 function supersedes this function.
EnableTraceEx2 Enables or disables the specified event trace provider.
EnumerateTraceGuids The EnumerateTraceGuids function retrieves information about registered event trace providers that are running on the computer.
EnumerateTraceGuidsEx Use this function to retrieve information about trace providers that are registered on the computer.
EventAccessControl Adds or modifies the permissions of the specified provider or session.
EventAccessQuery Retrieves the permissions for the specified controller or provider.
EventAccessRemove Removes the permissions defined in the registry for the specified provider or session.
EventActivityIdControl Creates, queries, and sets the current activity identifier used by the EventWriteTransfer function.
EventDataDescCreate Sets the values of an event data descriptor.
EventDescCreate Sets the values of an event descriptor.
EventDescGetChannel Retrieves the channel from the event descriptor.
EventDescGetId Retrieves the event identifier from the event descriptor.
EventDescGetKeyword Retrieves the keyword from the event descriptor.
EventDescGetLevel Retrieves the severity level from the event descriptor.
EventDescGetOpcode Retrieves the operation code from the event descriptor.
EventDescGetTask Retrieves the task from the event descriptor.
EventDescGetVersion Retrieves the version from the event descriptor.
EventDescOrKeyword Adds another keyword to the event descriptor.
EventDescSetChannel Sets the Channel member of the event descriptor.
EventDescSetId Sets the Id member of the event descriptor.
EventDescSetKeyword Sets the Keyword member of the event descriptor.
EventDescSetLevel Sets the Level member of the event descriptor.
EventDescSetOpcode Sets the Opcode member of the event descriptor.
EventDescSetTask Sets the Task member of the event descriptor.
EventDescSetVersion Sets the Version member of the event descriptor.
EventDescZero Initializes an event descriptor to zero.
EventEnabled Determines if the event is enabled for any session.
EventProviderEnabled Determines if the event is enabled for any session.
EventRegister Registers the provider.
EventSetInformation Performs operations on a registration object.
EventUnregister Removes the provider's registration. You must call this function before your process exits.
EventWrite Use this function to write an event.
EventWriteEx Use this function to write an event.
EventWriteString Writes an event that contains a string as its data.
EventWriteTransfer Links events together when tracing events in an end-to-end scenario.
FlushTraceA The FlushTrace function causes an event tracing session to immediately deliver buffered events for the specified session.
FlushTraceW The FlushTrace function causes an event tracing session to immediately deliver buffered events for the specified session.
GetEventRecord Retrieves the event record that describes an event.
GetTraceEnableFlags The GetTraceEnableFlags function retrieves the enable flags passed by the controller to indicate which category of events to trace.Providers can only call this function from their ControlCallback function.
GetTraceEnableLevel The GetTraceEnableLevel function retrieves the severity level passed by the controller to indicate the level of logging the provider should perform. Providers can only call this function from their ControlCallback function.
GetTraceLoggerHandle The GetTraceLoggerHandle function retrieves the handle of the event tracing session. Providers can only call this function from their ControlCallback function.
GetUserContext Retrieves the user context associated with the stream to which the event belongs.
Inject Injects a non-system-generated event into the event stream being written to the output trace logfile.
OnBeginProcessTrace Indicates that a trace is about to begin so that relogging can be started.
OnEvent Indicates that an event has been received on the trace streams associated with a relogger.
OnFinalizeProcessTrace Indicates that a trace is about to end so that relogging can be finalized.
OpenTraceA The OpenTrace function opens a real-time trace session or log file for consuming.
OpenTraceW The OpenTrace function opens a real-time trace session or log file for consuming.
PENABLECALLBACK Providers implement this function to receive enable or disable notification requests. The PENABLECALLBACK type defines a pointer to this callback function. EnableCallback is a placeholder for the application-defined function name.
PEVENT_CALLBACK Consumers implement this function to receive events from a session. The PEVENT_CALLBACK type defines a pointer to this callback function. EventCallback is a placeholder for the application-defined function name.
PEVENT_RECORD_CALLBACK Consumers implement this callback to receive events from a session. The PEVENT_RECORD_CALLBACK type defines a pointer to this callback function. EventRecordCallback is a placeholder for the application-defined function name.
PEVENT_TRACE_BUFFER_CALLBACKA Consumers implement this function to receive statistics about each buffer of events that ETW delivers to an event trace consumer.
PEVENT_TRACE_BUFFER_CALLBACKW Consumers implement this function to receive statistics about each buffer of events that ETW delivers to an event trace consumer.
ProcessTrace The ProcessTrace function delivers events from one or more event tracing sessions to the consumer.
ProcessTrace Delivers events from the associated trace streams to the consumer.
QueryAllTracesA The QueryAllTraces function retrieves the properties and statistics for all event tracing sessions started on the computer for which the caller has permissions to query.
QueryAllTracesW The QueryAllTraces function retrieves the properties and statistics for all event tracing sessions started on the computer for which the caller has permissions to query.
QueryTrace The QueryTrace function retrieves the property settings and session statistics for the specified event tracing session. The ControlTrace function supersedes this function.
QueryTraceA The QueryTrace function retrieves the property settings and session statistics for the specified event tracing session. The ControlTrace function supersedes this function.
QueryTraceProcessingHandle Queries the system for the trace processing handle.
QueryTraceW The QueryTrace function retrieves the property settings and session statistics for the specified event tracing session. The ControlTrace function supersedes this function.
RegisterCallback Registers an implementation of IEventCallback with the relogger in order to signal trace activity (starting, stopping, and logging new events).
RegisterTraceGuidsA The RegisterTraceGuids function registers an event trace provider and the event trace classes that it uses to generate events. This function also specifies the function the provider uses to enable and disable tracing.
RegisterTraceGuidsW The RegisterTraceGuids function registers an event trace provider and the event trace classes that it uses to generate events. This function also specifies the function the provider uses to enable and disable tracing.
RemoveTraceCallback The RemoveTraceCallback function stops an EventClassCallback function from receiving events for an event trace class.
SetCompressionMode Enables or disables compression on the relogged trace.
SetEventDescriptor Sets the event descriptor for an event.
SetOutputFilename Indicates the file to which ETW should write the new, relogged trace.
SetPayload Sets the payload for an event.
SetProcessId Assigns an event to a specific process.
SetProviderId Sets the GUID for the provider which traced an event.
SetThreadId Sets the identifier of a thread that generates an event.
SetTimeStamp Sets the time at which an event occurred.
SetTraceCallback The SetTraceCallback function specifies an EventClassCallback function to process events for the specified event trace class.
StartTraceA The StartTrace function registers and starts an event tracing session.
StartTraceW The StartTrace function registers and starts an event tracing session.
StopTrace The StopTrace function stops the specified event tracing session. The ControlTrace function supersedes this function.
StopTraceA The StopTrace function stops the specified event tracing session. The ControlTrace function supersedes this function.
StopTraceW The StopTrace function stops the specified event tracing session. The ControlTrace function supersedes this function.
TdhAggregatePayloadFilters Aggregates multiple payload filters for a single provider into a single data structure for use with the EnableTraceEx2 function.
TdhCleanupPayloadEventFilterDescriptor Frees the aggregated structure of payload filters created using the TdhAggregatePayloadFilters function.
TdhCloseDecodingHandle Frees any resources associated with the input decoding handle.
TdhCreatePayloadFilter Creates a single filter for a single payload to be used with the EnableTraceEx2 function.
TdhDeletePayloadFilter Frees the memory allocated for a single payload filter by the TdhCreatePayloadFilter function.
TdhEnumerateManifestProviderEvents Retrieves the list of events present in the provider manifest.
TdhEnumerateProviderFieldInformation Retrieves the specified field metadata for a given provider.
TdhEnumerateProviderFilters Enumerates the filters that the specified provider defined in the manifest.
TdhEnumerateProviders Retrieves a list of providers that have registered a MOF class or manifest file on the computer.
TdhFormatProperty Formats a property value for display.
TdhGetDecodingParameter Retrieves the value of a decoding parameter.
TdhGetEventInformation Retrieves metadata about an event.
TdhGetEventMapInformation Retrieves information about the event map contained in the event.
TdhGetManifestEventInformation Retrieves metadata about an event in a manifest.
TdhGetProperty Retrieves a property value from the event data.
TdhGetPropertySize Retrieves the size of one or more property values in the event data.
TdhGetWppMessage Retrieves the formatted WPP message embedded into an EVENT_RECORD structure.
TdhGetWppProperty Retrieves a specific property associated with a WPP message.
TdhLoadManifest Loads the manifest used to decode a log file.
TdhLoadManifestFromBinary Takes a NULL-terminated path to a binary file that contains metadata resources needed to decode a specific event provider.
TdhOpenDecodingHandle Opens a decoding handle.
TdhQueryProviderFieldInformation Retrieves information for the specified field from the event descriptions for those field values that match the given value.
TdhSetDecodingParameter Sets the value of a decoding parameter.
TdhUnloadManifest Unloads the manifest that was loaded by the TdhLoadManifest function.
TraceEvent The TraceEvent function sends an event to an event tracing session.
TraceEventInstance The TraceEventInstance function sends an event to an event tracing session. The event uses an instance identifier to associate the event with a transaction. This function may also be used to trace hierarchical relationships between related events.
TraceMessage The TraceMessage function sends an informational message to an event tracing session.
TraceMessageVa The TraceMessageVa function sends an informational message with variable arguments to an event tracing session.
TraceQueryInformation Queries event tracing session settings for the specified information class.
TraceSetInformation Enables or disables event tracing session settings for the specified information class.
UnregisterTraceGuids The UnregisterTraceGuids function unregisters an event trace provider and its event trace classes.
UpdateTrace The UpdateTrace function updates the property setting of the specified event tracing session. The ControlTrace function supersedes this function.
UpdateTraceA The UpdateTrace function updates the property setting of the specified event tracing session. The ControlTrace function supersedes this function.
UpdateTraceW The UpdateTrace function updates the property setting of the specified event tracing session. The ControlTrace function supersedes this function.
WMIDPREQUEST Providers implement this function to receive enable or disable notification requests from controllers. The WMIDPREQUEST type defines a pointer to this callback function. ControlCallback is a placeholder for the application-defined function name.

Interfaces

Title Description
ITraceEvent Provides access to data relating to a specific event.
ITraceEventCallback Used by ETW to provide information to the relogger as the tracing process starts, ends, and logs events.
ITraceRelogger Provides access to the relogging functionality, allowing you to manipulate and relog events from an ETW trace stream.

Structures

Title Description
CLASSIC_EVENT_ID Identifies the kernel event for which you want to enable call stack tracing.
ENABLE_TRACE_PARAMETERS Defines the information used to enable a provider.
ENABLE_TRACE_PARAMETERS_V1 Defines the information used to enable a provider.
ETW_BUFFER_CONTEXT Provides context information about the event.
ETW_BUFFER_CONTEXT Provides context information about the event.
ETW_TRACE_PARTITION_INFORMATION Contains partition information pulled from an ETW trace.
EVENT_DATA_DESCRIPTOR Defines one of the data items of the event data.
EVENT_DESCRIPTOR Contains metadata that defines the event.
EVENT_DESCRIPTOR Contains metadata that defines the event.
EVENT_EXTENDED_ITEM_INSTANCE Defines the relationship between events if TraceEventInstance was used to log related events.
EVENT_EXTENDED_ITEM_RELATED_ACTIVITYID Defines the parent event of this event.
EVENT_EXTENDED_ITEM_STACK_TRACE32 Defines a call stack on a 32-bit computer.
EVENT_EXTENDED_ITEM_STACK_TRACE64 Defines a call stack on a 64-bit computer.
EVENT_EXTENDED_ITEM_TS_ID Defines the terminal session that logged the event.
EVENT_FILTER_DESCRIPTOR Defines the filter data that a session passes to the provider's enable callback function.
EVENT_FILTER_EVENT_ID Defines event IDs used in an EVENT_FILTER_DESCRIPTOR structure for an event ID or stack walk filter.
EVENT_FILTER_EVENT_NAME Defines event IDs used in an EVENT_FILTER_DESCRIPTOR structure for an event name or stalk walk name filter.
EVENT_FILTER_HEADER Defines the header data that must precede the filter data that is defined in the instrumentation manifest.
EVENT_FILTER_LEVEL_KW Defines event IDs used in an EVENT_FILTER_DESCRIPTOR structure for a stack walk level-keyword filter.
EVENT_HEADER Defines information about the event.
EVENT_HEADER Defines information about the event.
EVENT_HEADER_EXTENDED_DATA_ITEM Defines the extended data that ETW collects as part of the event data.
EVENT_HEADER_EXTENDED_DATA_ITEM Defines the extended data that ETW collects as part of the event data.
EVENT_INSTANCE_HEADER The EVENT_INSTANCE_HEADER structure contains standard event tracing information common to all events.
EVENT_INSTANCE_INFO The EVENT_INSTANCE_INFO structure maps a unique transaction identifier to a registered event trace class.
EVENT_MAP_ENTRY Defines a single value map entry.
EVENT_MAP_INFO Defines the metadata about the event map.
EVENT_PROPERTY_INFO Provides information about a single property of the event or filter.
EVENT_RECORD Defines the layout of an event that ETW delivers.
EVENT_RECORD Defines the layout of an event that ETW delivers.
EVENT_TRACE The EVENT_TRACE structure is used to deliver event information to an event trace consumer.
EVENT_TRACE_HEADER The EVENT_TRACE_HEADER structure contains standard event tracing information common to all events.
EVENT_TRACE_LOGFILEA The EVENT_TRACE_LOGFILE structure specifies how the consumer wants to read events (from a log file or in real-time) and the callbacks that will receive the events.
EVENT_TRACE_LOGFILEW The EVENT_TRACE_LOGFILE structure specifies how the consumer wants to read events (from a log file or in real-time) and the callbacks that will receive the events.
EVENT_TRACE_PROPERTIES The EVENT_TRACE_PROPERTIES structure contains information about an event tracing session. You use this structure when you define a session, change the properties of a session, or query for the properties of a session.
EVENT_TRACE_PROPERTIES_V2 The EVENT_TRACE_PROPERTIES_V2 structure contains information about an event tracing session.
MOF_FIELD You may use the MOF_FIELD structures to append event data to the EVENT_TRACE_HEADER or EVENT_INSTANCE_HEADER structures.
PAYLOAD_FILTER_PREDICATE Defines an event payload filter predicate that describes how to filter on a single field in a trace session.
PROPERTY_DATA_DESCRIPTOR Defines the property to retrieve.
PROVIDER_ENUMERATION_INFO Defines the array of providers that have registered a MOF or manifest on the computer.
PROVIDER_EVENT_INFO Defines an array of events in a provider manifest.
PROVIDER_FIELD_INFO Defines the field information.
PROVIDER_FIELD_INFOARRAY Defines metadata information about the requested field.
PROVIDER_FILTER_INFO Defines a filter and its data.
TDH_CONTEXT Defines the additional information required to parse an event.
TRACE_ENABLE_INFO Defines the session and the information that the session used to enable the provider.
TRACE_EVENT_INFO Defines the information about the event.
TRACE_GUID_INFO Defines the header to the list of sessions that enabled the provider specified in the InBuffer parameter of EnumerateTraceGuidsEx.
TRACE_GUID_PROPERTIES The TRACE_GUID_PROPERTIES structure contains information about an event trace provider.
TRACE_GUID_REGISTRATION The TRACE_GUID_REGISTRATION structure is used to register event trace classes.
TRACE_LOGFILE_HEADER The TRACE_LOGFILE_HEADER structure contains information about an event tracing session and its events.
TRACE_PERIODIC_CAPTURE_STATE_INFO Information relating to a periodic capture state.
TRACE_PROVIDER_INFO Defines the GUID and name for a provider.
TRACE_PROVIDER_INSTANCE_INFO Defines an instance of the provider GUID.
TRACE_VERSION_INFO Determines the version information of the TraceLogging session.