Configuring and Starting a SystemTraceProvider Session
The SystemTraceProvider is a kernel provider with a predefined set of kernel events, supported on Windows 7, Windows Server 2008 R2, and later. On Windows 7 and Windows Server 2008 R2, the SystemTraceProvider could only be used for the NT Kernel Logger session.
On Windows 8, Windows Server 2012, and later, the SystemTraceProvider can be multiplexed across up to 8 logger sessions. The first two slots for logger sessions are reserved for the NT Kernel Logger and the Circular Kernel Context Logger.
For more information on using the NT Kernel Logger session as a trace provider, see Configuring and Starting the NT Kernel Logger Session.
On Windows 10 SDK build 20348 and later, the SystemTraceProvider can be configured via separate System Providers, which can be controlled with EnableTraceEx2 like standard Event Tracing for Windows event providers. For a full list of system providers, keywords, and corresponding legacy flags and groups, see System Providers.
Enable a SystemTraceProvider session
To enable the SystemTraceProvider to start a session other than the NT Kernel Logger, execute the following command:
tracelog -start MySession -f c:\Kernel1.etl -eflag PROC_THREAD+LOADER+CSWITCH
To programmatically enable the SystemTraceProvider to start a session other than the NT Kernel Logger, use the following steps.
Define a private logger name.
#define PRIVATE_LOGGER_NAME L"Some Private Trace Session"
At the controller, set the following members of the EVENT_TRACE_PROPERTIES structure.
Set LogFileMode to EVENT_TRACE_SYSTEM_LOGGER_MODE.
Set LoggerName to the private logger name instead of KERNEL_LOGGER_NAME.
Make sure the Wnode.Guid member of the EVENT_TRACE_PROPERTIES structure is not set to SystemTraceControlGuid. You must assign a new GUID to this member.
At the consumer, set the LoggerName member of the EVENT_TRACE_LOGFILE structure to this private logger.
If you want a non-administrator or non-TCB process to be able to start a profiling trace session using the SystemTraceProvider on behalf of third-party applications, grant that user the profile privilege, then add the user to both the session GUID (created for the logger session) and the system trace provider GUID so that the user can enable the system trace provider. For more information, see the EventAccessControl function.