2.2.11.1.2 Keywords
The second piece of metadata a controller can provide when enabling a provider to a session are the keywords. The keyword is a bitmask that indicates to which subcategories an event belongs, and is represented by a 64-bit bitmask. A controller can specify which keywords to enable for a particular provider using the KeywordsAny and KeywordsAll fields that ETW exposes. The KeywordsAny bitmask tells ETW that any event raised by the provider with any of the keywords specified in the mask will be logged, assuming that it also passes the KeywordsAll check. The KeywordsAll flag is a collection of keywords that the event needs to have in order to be logged to the session. The following table is an example of what events will be logged if the controller specifies KeywordsAny to be B and C, but KeywordsAll to be A.
Controller enables provider with KeywordsAny={B,C} and KeywordsAll={A}
|
Keywords on Trace Provider Event |
Event Logged |
|---|---|
|
A and B and C |
True |
|
A and B |
True |
|
A and C |
True |
|
B and C |
False |
|
A |
False |
|
B |
False |
|
C |
False |
There are 16 keywords that have been reserved (16 bits of the 64-bit keyword), so a provider can freely define 48 different keywords that it exposes to controllers. The ETW system simply checks the keyword of the event against that KeywordsAll and KeywordsAny values, and if that returns TRUE, logs the event to the appropriate session. <7> For example, a network trace provider defines two keywords, "Send" and "Receive". Events with the "Send" keyword are logged by the network provider as packets are being sent from the server, while those events with the "Receive" keyword are logged when packets are being received by the network provider.