QueryAllTracesA function

The QueryAllTraces function retrieves the properties and statistics for all event tracing sessions started on the computer for which the caller has permissions to query.

Syntax

ULONG WMIAPI QueryAllTracesA(
  PEVENT_TRACE_PROPERTIES *PropertyArray,
  ULONG                   PropertyArrayCount,
  PULONG                  LoggerCount
);

Parameters

PropertyArray

An array of pointers to EVENT_TRACE_PROPERTIES structures that receive session properties and statistics for the event tracing sessions.

You only need to set the Wnode.BufferSize, LoggerNameOffset, and LogFileNameOffset members of the EVENT_TRACE_PROPERTIES structure. The other members should all be set to zero.

PropertyArrayCount

Number of structures in the PropertyArray array. This value must be less than or equal to 64, the maximum number of event tracing sessions that ETW supports.

LoggerCount

Actual number of event tracing sessions started on the computer.

Return Value

If the function succeeds, the return value is ERROR_SUCCESS.

If the function fails, the return value is one of the system error codes. The following table includes some common errors and their causes.

Return code: Description

ERROR_INVALID_PARAMETER
One of the following is true:
  • PropertyArrayCount is zero or greater than the maximum number of supported sessions.
  • PropertyArray is NULL.

ERROR_MORE_DATA
The property array is too small to receive information for all sessions (SessionCount is greater than PropertyArrayCount). The function fills the property array with the number of property structures specified in PropertyArrayCount.

Remarks

Event trace controllers call this function.

This function retrieves the trace sessions that the caller has permissions to query. Users running with elevated administrative privileges, users in the Performance Log Users group, and services running as LocalSystem, LocalService, or NetworkService can view all tracing sessions.

This function does not return private logging sessions.

To retrieve information for a single session, use the ControlTrace function and set the ControlCode parameter to EVENT_TRACE_CONTROL_QUERY.

Examples

The following example shows how to call this function.

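#ifndef UNICODE
#define UNICODE         // The example uses wide strings, so QueryAllTraces must resolve to QueryAllTracesW
#endif

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>     // malloc, free
#include <wmistr.h>
#include <evntrace.h>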

#define MAX_SESSIONS 64
#define MAX_SESSION_NAME_LEN 1024
#define MAX_LOGFILE_PATH_LEN 1024

void wmain(void)
{
    ULONG status = ERROR_SUCCESS;
    PEVENT_TRACE_PROPERTIES pSessions[MAX_SESSIONS];    // Array of pointers to property structures
    PEVENT_TRACE_PROPERTIES pBuffer = NULL;             // Buffer that contains all the property structures
    ULONG SessionCount = 0;                             // Actual number of sessions started on the computer
    ULONG BufferSize = 0;
    ULONG PropertiesSize = 0;
    WCHAR SessionGuid[50];


    // The size of the session name and log file name used by the
    // controllers are not known, therefore create a properties structure that allows
    // for the maximum size of both.

    PropertiesSize = sizeof(EVENT_TRACE_PROPERTIES) +
        (MAX_SESSION_NAME_LEN*sizeof(WCHAR)) +
        (MAX_LOGFILE_PATH_LEN*sizeof(WCHAR));

    BufferSize = PropertiesSize * MAX_SESSIONS;

    pBuffer = (PEVENT_TRACE_PROPERTIES) malloc(BufferSize);

    if (pBuffer)
    {
        ZeroMemory(pBuffer, BufferSize);

        for (USHORT i = 0; i < MAX_SESSIONS; i++)
        {
            pSessions[i] = (EVENT_TRACE_PROPERTIES*)((BYTE*)pBuffer + (i*PropertiesSize));
            pSessions[i]->Wnode.BufferSize = PropertiesSize;
            pSessions[i]->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
            pSessions[i]->LogFileNameOffset = sizeof(EVENT_TRACE_PROPERTIES) + (MAX_SESSION_NAME_LEN*sizeof(WCHAR));
        }
    }
    else
    {
        wprintf(L"Error allocating memory for properties.\n");
        goto cleanup;
    }

    status = QueryAllTraces(pSessions, (ULONG)MAX_SESSIONS, &SessionCount);

    if (ERROR_SUCCESS == status || ERROR_MORE_DATA == status)
    {
        wprintf(L"Requested session count, %d. Actual session count, %lu.\n\n", MAX_SESSIONS, SessionCount);

        // Only MAX_SESSIONS entries were allocated, so never index past the array
        for (ULONG i = 0; i < SessionCount && i < MAX_SESSIONS; i++)
        {
            StringFromGUID2(pSessions[i]->Wnode.Guid, SessionGuid, (sizeof(SessionGuid) / sizeof(SessionGuid[0])));

            // Wnode.HistoricalContext is a 64-bit value; the remaining statistics are ULONG
            wprintf(L"Session GUID: %s\nSession ID: %I64u\nSession name: %s\nLog file: %s\n"
                L"min buffers: %lu\nmax buffers: %lu\nbuffers: %lu\nbuffers written: %lu\n"
                L"buffers lost: %lu\nevents lost: %lu\n\n",
                SessionGuid,
                pSessions[i]->Wnode.HistoricalContext,
                (LPWSTR)((char*)pSessions[i] + pSessions[i]->LoggerNameOffset),
                (LPWSTR)((char*)pSessions[i] + pSessions[i]->LogFileNameOffset),
                pSessions[i]->MinimumBuffers,
                pSessions[i]->MaximumBuffers,
                pSessions[i]->NumberOfBuffers,
                pSessions[i]->BuffersWritten,
                pSessions[i]->LogBuffersLost,
                pSessions[i]->EventsLost);
        }
    }
    else
    {
        wprintf(L"Error calling QueryAllTraces, %lu.\n", status);
        goto cleanup;
    }

cleanup:

    if (pBuffer)
    {
        free(pBuffer);
        pBuffer = NULL;
    }
}
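
The example above reaches the session name and log file name by adding LoggerNameOffset and LogFileNameOffset to the record pointer. The following added example (not part of the original documentation) is a portable C accessor that validates such an offset against the record size before the string is read. The function name etw_string_at, the uint16_t stand-in for WCHAR, and the sample record are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return the UTF-16 string stored at byte `offset` inside one property
 * record, or NULL when the offset overlaps the fixed header, is misaligned
 * or out of range, or no terminator exists before the end of the record.
 * hdr_size: sizeof(EVENT_TRACE_PROPERTIES); rec_size: bytes the caller
 * allocated per record (PropertiesSize in the example above). */
const uint16_t *etw_string_at(const void *rec, size_t hdr_size,
                              size_t rec_size, size_t offset, size_t *len)
{
    if (rec == NULL || offset < hdr_size || offset >= rec_size ||
        offset % sizeof(uint16_t) != 0)
        return NULL;
    const uint16_t *s =
        (const uint16_t *)((const unsigned char *)rec + offset);
    size_t max_units = (rec_size - offset) / sizeof(uint16_t);

    for (size_t i = 0; i < max_units; i++) {
        if (s[i] == 0) {            /* terminator found inside the record */
            if (len != NULL)
                *len = i;           /* length in UTF-16 code units */
            return s;
        }
    }
    return NULL;                    /* unterminated: reading on would overrun */
}

/* Constructed sample record: an 8-byte stand-in for the fixed header, a
 * terminated session name at byte 8, and a log file name at byte 18 that
 * runs to the end of the record without a terminator. */
#define SAMPLE_HDR 8u
static const uint16_t sample[] = {
    0, 0, 0, 0,
    'E', 'T', 'W', '1', 0,
    'C', ':', '\\', 'x'
};

int main(void)
{
    size_t n = 0;
    const void *name = etw_string_at(sample, SAMPLE_HDR, sizeof sample, 8, &n);
    const void *file = etw_string_at(sample, SAMPLE_HDR, sizeof sample, 18, NULL);
    printf("name: %s (%zu units), log file: %s\n",
           name ? "ok" : "rejected", n, file ? "ok" : "rejected");
    return 0;
}
```

On Windows, the caller would pass pSessions[i], sizeof(EVENT_TRACE_PROPERTIES), PropertiesSize, and the offset member, then cast a non-NULL result to LPCWSTR.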

Requirements

   
Minimum supported client: Windows 2000 Professional [desktop apps only]
Minimum supported server: Windows 2000 Server [desktop apps only]
Target Platform: Windows
Header: evntrace.h
Library: Sechost.lib on Windows 8.1 and Windows Server 2012 R2; Advapi32.lib on Windows 8, Windows Server 2012, Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Vista and Windows XP
DLL: Sechost.dll on Windows 8.1 and Windows Server 2012 R2; Advapi32.dll on Windows 8, Windows Server 2012, Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Vista and Windows XP

See Also

ControlTrace

EVENT_TRACE_PROPERTIES

EnumerateTraceGuids