About Event Tracing

Event Tracing for Windows (ETW) is an efficient kernel-level tracing facility that lets you log kernel or application-defined events to a log file. You can consume the events in real time or from a log file and use them to debug an application or to determine where performance issues are occurring in the application.

ETW lets you enable or disable event tracing dynamically thus making it possible to perform detailed tracing in a production environment without requiring computer or application restarts.

The Event Tracing API is broken into three distinct components:

  • Controllers, which start and stop an event tracing session and enable providers
  • Providers, which provide the events
  • Consumers, which consume the events

The following diagram shows the event tracing model.

 

Event tracing model

 

Controllers

Controllers are applications that define the size and location of the log file, start and stop event tracing sessions, enable providers so they can log events to the session, manage the size of the buffer pool, and obtain execution statistics for sessions. Session statistics include the number of buffers used, the number of buffers delivered, and the number of events and buffers lost. For more information, see Controlling Event Tracing Sessions.

Providers

Providers are applications that contain event tracing instrumentation. After a provider registers itself, a controller can then enable or disable event tracing in the provider. The provider defines its interpretation of being enabled or disabled. Generally, an enabled provider generates events, while a disabled provider does not. This lets you add event tracing to your application without requiring that it generate events all the time. For more information, see Providing Events.

Although the ETW model separates the controller and provider into separate applications, an application can include both components.

There are two types of providers: the classic provider and the manifest-based provider. You should use a manifest-based provider if you are writing new applications for Windows Vista that do not also need to support legacy systems.

A classic provider:

  • Uses the RegisterTraceGuids and TraceEvent functions to register itself and write events.
  • Uses MOF classes to define its events so that consumers know how to consume them.
  • Can be enabled by only one trace session.
A manifest-based provider:

  • Uses EventRegister and EventWrite to register itself and write events.
  • Uses a manifest to define its events so that consumers know how to consume them.
  • Can be enabled by up to eight trace sessions.

Consumers

Consumers are applications that select one or more event tracing sessions as a source of events. A consumer can request events from multiple event tracing sessions simultaneously; the system delivers the events in chronological order. Consumers can receive events stored in log files, or from sessions that deliver events in real time. When processing events, a consumer can specify start and end times, and only events that occur in the specified time frame are delivered. For more information, see Consuming Events.

Send comments about this topic to Microsoft

Build date: 10/15/2009

Tags :


Community Content

Stephen Edgar
Removed Spam

.

Tags : contentbug

Albert Lopez MN 40
help
Hi there, My name is Albert. I'm having problem when i turn on and off my PC, it's taking too long to start and shutdown. The hotmail messenger window takes more time to show up on the screen then before, and sometimes it's become frozen. The rest of the the computer has no problem, well that i know. The computer has an Norton antivirus instaled, and its do not show that the computer is infested. lorrainechisholm I don't know what I'm doing.Please help me.Thank you

sincerely.

Albert.

Page view tracker