Understanding Windows Event Tracing (ETW)
Understanding ETW
Some unnecessary information has been filtered out; see the complete documentation at: https://docs.microsoft.com/en-us/windows/win32/etw/event-tracing-portal
Understanding the Basics
https://learn.microsoft.com/en-us/windows/win32/etw/about-event-tracing
Session
There are four kinds of sessions:
Session Type | Usage | Limitations | Characteristics
---|---|---|---
Event Tracing Session (standard ETW) | 1. Fill in EVENT_TRACE_PROPERTIES; 2. StartTrace creates the session; 3. EnableTrace (classic providers) or EnableTraceEx (manifest-based providers) enables a provider; 4. ControlTrace stops the session | A manifest-based provider can deliver events to at most 8 sessions. A classic provider can serve only one session. The last session to enable a provider supersedes any earlier sessions. | Standard ETW.
SystemTraceProvider Session | 1. Set EnableFlags in EVENT_TRACE_PROPERTIES; 2. StartTrace; 3. ControlTrace stops the session | SystemTraceProvider is a kernel-mode provider that supplies a set of predefined kernel events. The NT Kernel Logger session is a predefined system session that records a specified set of kernel events. On Windows 7 / Windows Server 2008 R2 only the NT Kernel Logger session may use SystemTraceProvider. On Windows 8 / Windows Server 2012 SystemTraceProvider can feed 8 logger sessions, two of which are reserved for the NT Kernel Logger and the Circular Kernel Context Logger. On Windows 10 build 20348 and later, individual System providers can be controlled separately. | Obtains predefined kernel events.
AutoLogger Session | 1. Edit the registry; 2. EnableTraceEx; 3. ControlTrace stops the session | The Global Logger Session is a special, standalone session that records events during system boot. Ordinary AutoLogger sessions must explicitly enable providers; the Global Logger does not. AutoLogger does not support NT Kernel Logger events; only the Global Logger does. Impacts boot time; use sparingly. | Records OS boot-time events.
Private Logger Session | — | User-mode ETW. Used only within a process. Not counted toward the 64-session concurrency limit. | Per-process only.
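The Event Tracing Session lifecycle from the table above (create, enable a provider, stop), driven from an elevated PowerShell prompt with logman and read back with Get-WinEvent. This is an added example, not part of the original notes; the provider name, keyword 0x10, level 4 and event ID 1 (ProcessStart) are assumptions about Microsoft-Windows-Kernel-Process, not values taken from the page.

```powershell
# Added example (not from the original page): standard ETW session lifecycle
# via logman, mirroring StartTrace -> EnableTraceEx -> ControlTrace(stop).
# Assumptions: provider Microsoft-Windows-Kernel-Process, keyword 0x10 (process
# events), level 4 (informational), event ID 1 = ProcessStart. Run elevated.
$Session  = 'DemoProcTrace'
$EtlPath  = Join-Path $env:TEMP 'DemoProcTrace.etl'
$Provider = 'Microsoft-Windows-Kernel-Process'

# 1. EVENT_TRACE_PROPERTIES + StartTrace: create the session writing to a file.
#    '-ets' talks to the ETW controller directly instead of creating a
#    scheduled Data Collector Set.
logman create trace $Session -o $EtlPath -ets | Out-Null
if ($LASTEXITCODE -ne 0) { throw "StartTrace failed (is the prompt elevated?)" }

try {
    # 2. EnableTraceEx: attach a manifest-based provider with keyword and level.
    #    Per the table, a manifest-based provider feeds at most 8 sessions, so a
    #    failure here can mean that quota is already exhausted by other sessions.
    logman update trace $Session -p $Provider 0x10 4 -ets | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "EnableTraceEx failed for $Provider" }

    # Show the live session and its provider (only active controller
    # sessions are listed with -ets).
    logman query $Session -ets

    # Produce one process start for the session to capture.
    Start-Process -FilePath 'cmd.exe' -ArgumentList '/c exit' -Wait -WindowStyle Hidden
    Start-Sleep -Seconds 2
}
finally {
    # 3. ControlTrace(EVENT_TRACE_CONTROL_STOP): stop the session, flush the .etl.
    logman stop $Session -ets | Out-Null
}

# Read the trace file back. -Oldest is required when reading .etl files.
Get-WinEvent -Path $EtlPath -Oldest |
    Where-Object { $_.Id -eq 1 } |
    Select-Object TimeCreated, Id, ProcessId, Message |
    Format-Table -AutoSize
```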
Tools
- logman
- wevtutil
  - XPath query example:
    ```
    wevtutil qe Security /c:2 /q:"*[System[EventID=5157]]" /f:text
    ```
- tracelog
  - With the Visual Studio tracelog tool, you can dynamically add and remove ETW providers and ETW sessions at runtime.
- mc
- etw-providers-docs