
About Event Tracing

Event Tracing for Windows (ETW) is an efficient kernel-level tracing facility that lets you log kernel or application-defined events to a log file. You can consume the events in real time or from a log file and use them to debug an application or to determine where performance issues are occurring in the application.

ETW lets you enable or disable event tracing dynamically, allowing you to perform detailed tracing in a production environment without requiring computer or application restarts.

The Event Tracing API is broken into three distinct components:

  • Controllers, which start and stop an event tracing session and enable providers
  • Providers, which provide the events
  • Consumers, which consume the events

The following diagram shows the event tracing model.

[Diagram: Event tracing model]

Controllers

Controllers are applications that define the size and location of the log file, start and stop event tracing sessions, enable providers so they can log events to the session, manage the size of the buffer pool, and obtain execution statistics for sessions. Session statistics include the number of buffers used, the number of buffers delivered, and the number of events and buffers lost. For more information, see Controlling Event Tracing Sessions.

Providers

Providers are applications that contain event tracing instrumentation. After a provider registers itself, a controller can then enable or disable event tracing in the provider. The provider defines its interpretation of being enabled or disabled. Generally, an enabled provider generates events, while a disabled provider does not. This lets you add event tracing to your application without requiring that it generate events all the time. For more information, see Providing Events.

Although the ETW model separates the controller and provider into separate applications, an application can include both components.

There are two types of providers: the classic provider and the manifest-based provider. You should use a manifest-based provider if you are writing applications for Windows Vista or later that do not need to support legacy systems.

A classic provider:

  • Uses the RegisterTraceGuids and TraceEvent functions to register itself and write events.
  • Uses MOF classes to define its events so that consumers know how to consume them.
  • Can be enabled by only one trace session.

A manifest-based provider:

  • Uses EventRegister and EventWrite to register itself and write events.
  • Uses a manifest to define its events so that consumers know how to consume them.
  • Can be enabled by up to eight trace sessions.

Consumers

Consumers are applications that select one or more event tracing sessions as a source of events. A consumer can request events from multiple event tracing sessions simultaneously; the system delivers the events in chronological order. Consumers can receive events stored in log files, or from sessions that deliver events in real time. When processing events, a consumer can specify start and end times, and only events that occur in the specified time frame will be delivered. For more information, see Consuming Events.
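The controller and consumer roles described above, as an added PowerShell example that is not part of the original page. It assumes logman.exe (the in-box ETW controller) and Get-WinEvent are available, that it runs elevated, and that "Microsoft-Windows-Kernel-Process" with keyword 0x10 (process events) at level 4 (Informational) is the provider to enable; the session name and file path are constructed, and the statistic field names are assumed from logman's "query -ets" output.

```powershell
# Added example (not from the page): a minimal ETW controller plus consumer in PowerShell.
# Assumptions: logman.exe and Get-WinEvent available, elevated shell, provider
# "Microsoft-Windows-Kernel-Process" with keyword 0x10 (process events), level 4.
$Session  = 'DemoSession'                       # constructed session name
$Provider = 'Microsoft-Windows-Kernel-Process'
$EtlPath  = Join-Path $env:TEMP 'demo.etl'      # constructed log file location

# Controller role: define log file location and size, size the buffer pool
# (-bs = buffer size in KB, -nb = min/max buffers), enable the provider and
# start the session. -ets acts on the live event trace system immediately.
logman create trace $Session -p $Provider 0x10 4 -o $EtlPath -bs 1024 -nb 64 256 -max 256 -ets | Out-Null
if ($LASTEXITCODE -ne 0) { throw "logman create failed with exit code $LASTEXITCODE" }

Start-Sleep -Seconds 10                         # let the provider log some process events

# Controller role: read session statistics before stopping. Field names are assumed
# from logman's "query -ets" output; lost buffers mean a visibility gap in the trace.
$stats = logman query $Session -ets | Out-String
$lost  = if ($stats -match 'Buffers Lost:\s*(\d+)')    { [int]$Matches[1] } else { $null }
$wrote = if ($stats -match 'Buffers Written:\s*(\d+)') { [int]$Matches[1] } else { $null }
if ($lost -gt 0) {
    Write-Warning "$lost buffer(s) lost out of $($lost + $wrote): raise -bs/-nb before relying on this trace."
}

# Controller role: stop the session so the file is finalized.
logman stop $Session -ets | Out-Null

# Consumer role: read the log file in chronological order (-Oldest is required for
# .etl files) and deliver only events inside a start/end window, as described above.
$end   = Get-Date
$start = $end.AddSeconds(-10)
Get-WinEvent -FilterHashtable @{ Path = $EtlPath; StartTime = $start; EndTime = $end } -Oldest |
    Select-Object -First 20 TimeCreated, ProviderName, Id, Message
```

Real-time consumption (events delivered as they are logged rather than from a file) needs the EventTrace consumer API rather than Get-WinEvent, so this example only shows the log-file path.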


Build date: 3/6/2012

24% events were lost during data collection?
The settings for Windows (ETW) maximum buffers and buffer size may not be optimal depending on which data sets are being collected. HELP!
Lost Events
When you see a notification about lost events, you can try to add specified buffers to your trace syntax, for example: -BufferSize 1024 -MinBuffers 1024 -MaxBuffers 1024. This will ensure the buffers are reserved when the trace is started. You can also try to lower the sample frequency using -SetProfInt.
need help

OK, I ran a Generate Health Report and it came back with Event Tracing for Windows; it said data was lost during data collection. How can I fix this? Thanks.

[tfl - 10 12 09] Hi - and thanks for your post. You should post questions like this to the MSDN Forums at http://forums.microsoft.com/msdn or the MSDN Newsgroups at http://www.microsoft.com/communities/newsgroups/en-us/. You are much more likely to get a quicker response using the forums than through the Community Content. For specific help about:
.NET Framework : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.dotnet.framework
PowerShell : http://groups.google.com/group/microsoft.public.windows.powershell/topics?pli=1
SQL Server : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.sqlserver%2C&
Visual Studio : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.vstudio%2C&
Windows : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public.windows%2C&
All Public : http://groups.google.com/groups/dir?sel=usenet%3Dmicrosoft.public%2C&

same problem, health report advised me 21% of events data lost during collection
I have the same problem. I ran a health report and it also came back that 21% of events were lost during data collection, something about Event Tracing for Windows needing to be investigated. How can I fix this? Ever since I loaded the upgrade for Windows 7, the computer has difficulty loading web pages and requires a diagnostic check every time before I can load anything, even the homepage. Help?