Event Tracing

Overview of the Event Tracing technology.

To develop Event Tracing, you need these headers:

For programming guidance for this technology, see:

Enumerations
DECODING_SOURCE

Defines the source of the event data.
ETW_PROCESS_HANDLE_INFO_TYPE

Specifies the operation that will be performed on a trace processing session.
EVENT_FIELD_TYPE

Defines the provider information to retrieve.
EVENT_INFO_CLASS

The EVENT_INFO_CLASS enumeration type is used with the EventSetInformation function to specify the configuration operation to be performed on an ETW event provider registration.
EVENTSECURITYOPERATION

Defines which component of the security descriptor the EventAccessControl function modifies.
MAP_FLAGS

Defines constant values that indicate if the map is a value map, bitmap, or pattern map.
MAP_VALUETYPE

Defines whether the value map value is a ULONG data type or a string.
PROPERTY_FLAGS

Defines whether the property is contained in a structure or an array.
TDH_CONTEXT_TYPE

Defines the context type.
TEMPLATE_FLAGS

Defines constant values that indicate the layout of the event data.
TRACE_QUERY_INFO_CLASS

Used with EnumerateTraceGuidsEx and TraceSetInformation to specify a type of trace information.

Functions
AddLogfileTraceStream

Adds a new logfile-based ETW trace stream to the relogger.
AddRealtimeTraceStream

Adds a new real-time ETW trace stream to the relogger.
Cancel

Terminates the relogging process.
Clone

Creates a duplicate copy of an event.
CloseTrace

The CloseTrace function closes a trace processing session that was created with OpenTrace.
ControlTraceA

The ControlTrace function flushes, queries, updates, or stops the specified event tracing session.
ControlTraceW

The ControlTrace function flushes, queries, updates, or stops the specified event tracing session.
CreateEventInstance

Generates a new event.
CreateTraceInstanceId

A RegisterTraceGuids-based ("Classic") event provider uses the CreateTraceInstanceId function to create a unique transaction identifier and map it to a registration handle. The provider can then use the transaction identifier when calling the TraceEventInstance function.
CveEventWrite

A tracing function for publishing events when an attempted security vulnerability exploit is detected in your user-mode application.
EnableTrace

A trace session controller calls EnableTrace to configure how an ETW event provider logs events to a trace session. The EnableTraceEx2 function supersedes this function.
EnableTraceEx

A trace session controller calls EnableTraceEx to configure how an ETW event provider logs events to a trace session. The EnableTraceEx2 function supersedes this function.
EnableTraceEx2

A trace session controller calls EnableTraceEx2 to configure how an ETW event provider logs events to a trace session.
EnumerateTraceGuids

Retrieves information about event trace providers that are currently running on the computer. The EnumerateTraceGuidsEx function supersedes this function.
EnumerateTraceGuidsEx

Retrieves information about event trace providers that are currently running on the computer.
EventAccessControl

Adds or modifies the permissions of the specified provider or session.
EventAccessQuery

Retrieves the permissions for the specified controller or provider.
EventAccessRemove

Removes the permissions defined in the registry for the specified provider or session.
EventActivityIdControl

Creates, queries, and sets activity identifiers for use in ETW events.
EventDataDescCreate

Sets the values of an EVENT_DATA_DESCRIPTOR.
EventDescCreate

Sets the values of an event descriptor.
EventDescGetChannel

Retrieves the channel from the event descriptor.
EventDescGetId

Retrieves the event identifier from the event descriptor.
EventDescGetKeyword

Retrieves the keyword from the event descriptor.
EventDescGetLevel

Retrieves the severity level from the event descriptor.
EventDescGetOpcode

Retrieves the operation code from the event descriptor.
EventDescGetTask

Retrieves the task from the event descriptor.
EventDescGetVersion

Retrieves the version from the event descriptor.
EventDescOrKeyword

Adds another keyword to the event descriptor.
EventDescSetChannel

Sets the Channel member of the event descriptor.
EventDescSetId

Sets the Id member of the event descriptor.
EventDescSetKeyword

Sets the Keyword member of the event descriptor.
EventDescSetLevel

Sets the Level member of the event descriptor.
EventDescSetOpcode

Sets the Opcode member of the event descriptor.
EventDescSetTask

Sets the Task member of the event descriptor.
EventDescSetVersion

Sets the Version member of the event descriptor.
EventDescZero

Initializes an event descriptor to zero.
EventEnabled

Determines whether an event provider should generate a particular event based on the event's EVENT_DESCRIPTOR.
EventProviderEnabled

Determines whether an event provider should generate a particular event based on the event's Level and Keyword.
EventRegister

Registers an ETW event provider, creating a handle that can be used to write ETW events.
EventSetInformation

Configures an ETW event provider.
EventUnregister

Unregisters an ETW event provider.
EventWrite

Writes an ETW event that uses the current thread's activity ID.
EventWriteEx

Writes an ETW event with an activity ID, an optional related activity ID, session filters, and special options.
EventWriteString

Writes an ETW event that contains a string as its data. This function should not be used.
EventWriteTransfer

Writes an ETW event with an activity ID and an optional related activity ID.
FlushTraceA

The FlushTrace function causes an event tracing session to immediately deliver buffered events for the specified session. The ControlTrace function supersedes this function.
FlushTraceW

The FlushTrace function causes an event tracing session to immediately deliver buffered events for the specified session. The ControlTrace function supersedes this function.
GetEventRecord

Retrieves the event record that describes an event.
GetTraceEnableFlags

A RegisterTraceGuids-based ("Classic") event provider uses the GetTraceEnableFlags function to retrieve the enable flags specified by the trace controller to indicate which category of events to trace. Providers call this function from their ControlCallback function.
GetTraceEnableLevel

A RegisterTraceGuids-based ("Classic") event provider uses the GetTraceEnableLevel function to retrieve the enable level specified by the trace controller to indicate which level of events to trace. Providers call this function from their ControlCallback function.
GetTraceLoggerHandle

A RegisterTraceGuids-based ("Classic") event provider uses the GetTraceLoggerHandle function to retrieve the handle of the event tracing session to which it should write events. Providers call this function from their ControlCallback function.
GetUserContext

Retrieves the user context associated with the stream to which the event belongs.
Inject

Injects a non-system-generated event into the event stream being written to the output trace logfile.
OnBeginProcessTrace

Indicates that a trace is about to begin so that relogging can be started.
OnEvent

Indicates that an event has been received on the trace streams associated with a relogger.
OnFinalizeProcessTrace

Indicates that a trace is about to end so that relogging can be finalized.
OpenTraceA

The OpenTrace function opens an ETW trace processing handle for consuming events from an ETW real-time trace session or an ETW log file.
OpenTraceW

The OpenTrace function opens an ETW trace processing handle for consuming events from an ETW real-time trace session or an ETW log file.
PENABLECALLBACK

ETW event providers optionally define an EnableCallback function to receive configuration change notifications. The PENABLECALLBACK type defines a pointer to this callback function. EnableCallback is a placeholder for the application-defined function name.
PEVENT_CALLBACK

ETW event consumers implement this callback to receive events from a trace processing session. The EventRecordCallback callback supersedes this callback.
PEVENT_RECORD_CALLBACK

ETW event consumers implement this callback to receive events from a trace processing session. The PEVENT_RECORD_CALLBACK type defines a pointer to this callback function. EventRecordCallback is a placeholder for the application-defined function name.
PEVENT_TRACE_BUFFER_CALLBACKA

ETW event consumers implement this function to receive statistics about each buffer of events that ETW delivers during a trace processing session.
PEVENT_TRACE_BUFFER_CALLBACKW

ETW event consumers implement this function to receive statistics about each buffer of events that ETW delivers during a trace processing session.
ProcessTrace

Delivers events from one or more trace processing sessions to the consumer.
ProcessTrace

Delivers events from the associated trace streams to the consumer.
QueryAllTracesA

The QueryAllTraces function retrieves the properties and statistics for all event tracing sessions for which the caller has permissions to query.
QueryAllTracesW

The QueryAllTraces function retrieves the properties and statistics for all event tracing sessions for which the caller has permissions to query.
QueryTraceA

The QueryTrace function retrieves the property settings and session statistics for the specified event tracing session. The ControlTrace function supersedes this function.
QueryTraceProcessingHandle

Retrieves information about an ETW trace processing session opened by OpenTrace.
QueryTraceW

The QueryTrace function retrieves the property settings and session statistics for the specified event tracing session. The ControlTrace function supersedes this function.
RegisterCallback

Registers an implementation of IEventCallback with the relogger in order to signal trace activity (starting, stopping, and logging new events).
RegisterTraceGuidsA

Registers a "Classic" (Windows 2000-style) ETW event trace provider and the event trace classes that it uses to generate events. This function is obsolete.
RegisterTraceGuidsW

Registers a "Classic" (Windows 2000-style) ETW event trace provider and the event trace classes that it uses to generate events. This function is obsolete.
RemoveTraceCallback

The RemoveTraceCallback function stops an EventCallback function from receiving events for an event trace class. This function is obsolete.
SetCompressionMode

Enables or disables compression on the relogged trace.
SetEventDescriptor

Sets the event descriptor for an event.
SetOutputFilename

Indicates the file to which ETW should write the new, relogged trace.
SetPayload

Sets the payload for an event.
SetProcessId

Assigns an event to a specific process.
SetProviderId

Sets the GUID of the provider that traced an event.
SetThreadId

Sets the identifier of a thread that generates an event.
SetTimeStamp

Sets the time at which an event occurred.
SetTraceCallback

The SetTraceCallback function specifies an EventCallback function to process events for the specified event trace class. This function is obsolete.
StartTraceA

The StartTrace function starts an event tracing session.
StartTraceW

The StartTrace function starts an event tracing session.
StopTraceA

The StopTrace function stops the specified event tracing session. The ControlTrace function supersedes this function.
StopTraceW

The StopTrace function stops the specified event tracing session. The ControlTrace function supersedes this function.
TdhAggregatePayloadFilters

Aggregates multiple payload filters for a single provider into a single data structure for use with the EnableTraceEx2 function.
TdhCleanupPayloadEventFilterDescriptor

Frees the aggregated structure of payload filters created using the TdhAggregatePayloadFilters function.
TdhCloseDecodingHandle

Frees any resources associated with the input decoding handle.
TdhCreatePayloadFilter

Creates a single filter for a single payload to be used with the EnableTraceEx2 function.
TdhDeletePayloadFilter

Frees the memory allocated for a single payload filter by the TdhCreatePayloadFilter function.
TdhEnumerateManifestProviderEvents

Retrieves the list of events present in the provider manifest.
TdhEnumerateProviderFieldInformation

Retrieves the specified field metadata for a given provider.
TdhEnumerateProviderFilters

Enumerates the filters that the specified provider defined in the manifest.
TdhEnumerateProviders

Retrieves a list of providers that have registered a MOF class or manifest file on the computer.
TdhFormatProperty

Formats a property value for display.
TdhGetDecodingParameter

Retrieves the value of a decoding parameter.
TdhGetEventInformation

Retrieves metadata about an event.
TdhGetEventMapInformation

Retrieves information about the event map contained in the event.
TdhGetManifestEventInformation

Retrieves metadata about an event in a manifest.
TdhGetProperty

Retrieves a property value from the event data.
TdhGetPropertySize

Retrieves the size of one or more property values in the event data.
TdhGetWppMessage

Retrieves the formatted WPP message embedded into an EVENT_RECORD structure.
TdhGetWppProperty

Retrieves a specific property associated with a WPP message.
TdhLoadManifest

Loads the manifest used to decode a log file.
TdhLoadManifestFromBinary

Takes a NULL-terminated path to a binary file that contains metadata resources needed to decode a specific event provider.
TdhOpenDecodingHandle

Opens a decoding handle.
TdhQueryProviderFieldInformation

Retrieves information for the specified field from the event descriptions for those field values that match the given value.
TdhSetDecodingParameter

Sets the value of a decoding parameter.
TdhUnloadManifest

Unloads the manifest that was loaded by the TdhLoadManifest function.
TraceEvent

A RegisterTraceGuids-based ("Classic") event provider uses the TraceEvent function to send a structured event to an event tracing session.
TraceEventInstance

A RegisterTraceGuids-based ("Classic") event provider uses the TraceEventInstance function to send a structured event to an event tracing session with an instance identifier.
TraceMessage

A RegisterTraceGuids-based ("Classic") event provider uses the TraceMessage function to send a message-based (TMF-based WPP) event to an event tracing session.
TraceMessageVa

A RegisterTraceGuids-based ("Classic") event provider uses the TraceMessageVa function to send a message-based (TMF-based WPP) event to an event tracing session using va_list parameters.
TraceQueryInformation

Provides information about an event tracing session.
TraceSetInformation

Configures event tracing session settings.
UnregisterTraceGuids

Unregisters a "Classic" (Windows 2000-style) ETW event trace provider that was registered using RegisterTraceGuids.
UpdateTraceA

The UpdateTrace function updates the property settings of the specified event tracing session. The ControlTrace function supersedes this function.
UpdateTraceW

The UpdateTrace function updates the property settings of the specified event tracing session. The ControlTrace function supersedes this function.
WMIDPREQUEST

A RegisterTraceGuids-based ("Classic") event provider implements this function to receive notifications from controllers. The WMIDPREQUEST type defines a pointer to this callback function. ControlCallback is a placeholder for the application-defined function name.

Interfaces
ITraceEvent

Provides access to data relating to a specific event.
ITraceEventCallback

Used by ETW to provide information to the relogger as the tracing process starts, ends, and logs events.
ITraceRelogger

Provides access to the relogging functionality, allowing you to manipulate and relog events from an ETW trace stream.

Structures
CLASSIC_EVENT_ID

Identifies the kernel event for which you want to enable call stack tracing.
ENABLE_TRACE_PARAMETERS

Contains information used to enable a provider via EnableTraceEx2.
ENABLE_TRACE_PARAMETERS_V1

Contains information used to enable a provider via EnableTraceEx2. This structure is obsolete.
ETW_BUFFER_CONTEXT

Provides context information about the event.
ETW_TRACE_PARTITION_INFORMATION

Contains partition information pulled from an ETW trace.
EVENT_DATA_DESCRIPTOR

The EVENT_DATA_DESCRIPTOR structure defines a block of data that will be used in an ETW event.
EVENT_DESCRIPTOR

The EVENT_DESCRIPTOR structure contains information (metadata) about an ETW event.
EVENT_DESCRIPTOR

Contains metadata that defines the event.
EVENT_EXTENDED_ITEM_INSTANCE

Defines the relationship between events if TraceEventInstance was used to log related events.
EVENT_EXTENDED_ITEM_RELATED_ACTIVITYID

Defines the parent event of this event.
EVENT_EXTENDED_ITEM_STACK_TRACE32

Defines a call stack on a 32-bit computer.
EVENT_EXTENDED_ITEM_STACK_TRACE64

Defines a call stack on a 64-bit computer.
EVENT_EXTENDED_ITEM_TS_ID

Defines the terminal session that logged the event.
EVENT_FILTER_DESCRIPTOR

Defines the filter data that a session passes to the provider's enable callback function.
EVENT_FILTER_EVENT_ID

Defines event IDs used in an EVENT_FILTER_DESCRIPTOR structure for an event ID or stack walk filter.
EVENT_FILTER_EVENT_NAME

Defines event IDs used in an EVENT_FILTER_DESCRIPTOR structure for an event name or stack walk name filter.
EVENT_FILTER_HEADER

Defines the header data that must precede the filter data that is defined in the instrumentation manifest.
EVENT_FILTER_LEVEL_KW

Defines event IDs used in an EVENT_FILTER_DESCRIPTOR structure for a stack walk level-keyword filter.
EVENT_HEADER

Defines information about the event.
EVENT_HEADER_EXTENDED_DATA_ITEM

Defines the extended data that ETW collects as part of the event data.
EVENT_INSTANCE_HEADER

The EVENT_INSTANCE_HEADER structure contains standard event tracing information common to all events written by TraceEventInstance.
EVENT_INSTANCE_INFO

The EVENT_INSTANCE_INFO structure maps a unique transaction identifier to a registered event trace class for TraceEventInstance.
EVENT_MAP_ENTRY

Defines a single value map entry.
EVENT_MAP_INFO

Defines the metadata about the event map.
EVENT_PROPERTY_INFO

Provides information about a single property of the event or filter.
EVENT_RECORD

Defines the layout of an event that ETW delivers.
EVENT_TRACE

The EVENT_TRACE structure is used to deliver event information to an event trace consumer.
EVENT_TRACE_HEADER

The EVENT_TRACE_HEADER structure contains standard event tracing information common to all events written by TraceEvent.
EVENT_TRACE_LOGFILEA

The EVENT_TRACE_LOGFILE structure stores information about a trace data source. It is used by trace consumers when calling OpenTrace and when receiving trace data via the user-defined BufferCallback.
EVENT_TRACE_LOGFILEW

The EVENT_TRACE_LOGFILE structure stores information about a trace data source. It is used by trace consumers when calling OpenTrace and when receiving trace data via the user-defined BufferCallback.
EVENT_TRACE_PROPERTIES

The EVENT_TRACE_PROPERTIES structure contains information about an event tracing session and is used with APIs such as StartTrace and ControlTrace.
EVENT_TRACE_PROPERTIES_V2

The EVENT_TRACE_PROPERTIES_V2 structure contains information about an event tracing session and is used with APIs such as StartTrace and ControlTrace.
MOF_FIELD

You may use the MOF_FIELD structures to append event data to the EVENT_TRACE_HEADER or EVENT_INSTANCE_HEADER structures.
PAYLOAD_FILTER_PREDICATE

Defines an event payload filter predicate that describes how to filter on a single field in a trace session.
PROPERTY_DATA_DESCRIPTOR

Defines the property to retrieve.
PROVIDER_ENUMERATION_INFO

Defines the array of providers that have registered a MOF or manifest on the computer.
PROVIDER_EVENT_INFO

Defines an array of events in a provider manifest.
PROVIDER_FIELD_INFO

Defines the field information.
PROVIDER_FIELD_INFOARRAY

Defines metadata information about the requested field.
PROVIDER_FILTER_INFO

Defines a filter and its data.
TDH_CONTEXT

Defines the additional information required to parse an event.
TRACE_ENABLE_INFO

Defines the session and the information that the session used to enable the provider.
TRACE_EVENT_INFO

Defines the information about the event.
TRACE_GUID_INFO

Returned by EnumerateTraceGuidsEx. Defines the header to the list of sessions that enabled a provider.
TRACE_GUID_PROPERTIES

Returned by EnumerateTraceGuids. Contains information about an event trace provider.
TRACE_GUID_REGISTRATION

Used with RegisterTraceGuids to register event trace classes.
TRACE_LOGFILE_HEADER

The TRACE_LOGFILE_HEADER structure contains information about an event tracing session and its events.
TRACE_PERIODIC_CAPTURE_STATE_INFO

Used with TraceQueryInformation and TraceSetInformation to get or set information relating to a periodic capture state.
TRACE_PROVIDER_INFO

Defines the GUID and name for a provider.
TRACE_PROVIDER_INSTANCE_INFO

Defines an instance of the provider GUID.
TRACE_VERSION_INFO

Determines the version information of the TraceLogging session.