About Event Tracing
Event Tracing for Windows (ETW) is an efficient kernel-level tracing facility that lets you log kernel or application-defined events to a log file. You can consume the events in real time or from a log file and use them to debug an application or to determine where performance issues are occurring in the application.
ETW lets you enable or disable event tracing dynamically, allowing you to perform detailed tracing in a production environment without requiring computer or application restarts.
The Event Tracing API is broken into three distinct components:
- Controllers, which start and stop an event tracing session and enable providers
- Providers, which provide the events
- Consumers, which consume the events
The following diagram shows the event tracing model.

Controllers
Controllers are applications that define the size and location of the log file, start and stop event tracing sessions, enable providers so they can log events to the session, manage the size of the buffer pool, and obtain execution statistics for sessions. Session statistics include the number of buffers used, the number of buffers delivered, and the number of events and buffers lost. For more information, see Controlling Event Tracing Sessions.
Providers
Providers are applications that contain event tracing instrumentation. After a provider registers itself, a controller can then enable or disable event tracing in the provider. The provider defines its interpretation of being enabled or disabled. Generally, an enabled provider generates events, while a disabled provider does not. This lets you add event tracing to your application without requiring that it generate events all the time. For more information, see Providing Events.
Although the ETW model separates the controller and provider into separate applications, an application can include both components.
There are two types of providers: the classic provider and the manifest-based provider. You should use a manifest-based provider if you are writing applications for Windows Vista or later that do not need to support legacy systems.
A classic provider:
- Uses the RegisterTraceGuids and TraceEvent functions to register itself and write events.
- Uses MOF classes to define its events so that consumers know how to consume them.
- Can be enabled by only one trace session.
- Uses EventRegister and EventWrite to register itself and write events.
- Uses a manifest to define its events so that consumers know how to consume them.
- Can be enabled by up to eight trace sessions.
Consumers
Consumers are applications that select one or more event tracing sessions as a source of events. A consumer can request events from multiple event tracing sessions simultaneously; the system delivers the events in chronological order. Consumers can receive events stored in log files, or from sessions that deliver events in real time. When processing events, a consumer can specify start and end times, and only events that occur in the specified time frame will be delivered. For more information, see Consuming Events.
Send comments about this topic to Microsoft
Build date: 3/6/2012
- 11/30/2011
- lsbs23
- 2/23/2011
- RobSchee
ok i run a generate health report and it came back with event tracing for windows it said data was loss during data collection how can i fix this thanks
[tfl - 10 12 09] Hi - and thanks for your post. You should post questions like this to the MSDN Forums at http://forums.microsoft.com/msdn or the MSDN Newsgroups at http://www.microsoft.com/communities/newsgroups/en-us/. You are much more likely get a quicker response using the forums than through the Community Content. For specific help about:
.NET Framework : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.dotnet.framework
PowerShell : http://groups.google.com/group/microsoft.public.windows.powershell/topics?pli=1
SQL Server : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.sqlserver%2C&
Visual Studio : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.vstudio%2C&
Windows : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.windows%2C&
All Public : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public%2C&
- 12/9/2009
- azapata59
- 4/7/2010
- Stanley Roark
- 3/14/2010
- Gonzo44
- 4/7/2010
- Stanley Roark