EventProvider

Applies To: Windows 8, Windows 8.1

Configures the Event Tracing for Windows® (ETW) user-mode provider.

Element Hierarchy

<WindowsPerformanceRecorder>
     <Profiles>
          <EventProvider>

          <Profile>
               <Collectors>
                    <EventCollectorId>
                         <EventProviders>
                              <EventProvider>

Syntax

<EventProvider Id               = IdType
               Name             = string
               Base             = string
               NonPagedMemory   = boolean
               Stack            = boolean
               SID              = boolean
               TSID             = boolean
               Level            = unsignedByte
               CaptureStateOnly = boolean>

  <!-- Child elements -->
  Keywords,
  CaptureStateOnStart,
  CaptureStateOnSave

</EventProvider>

Attributes and Elements

Attributes

| Attribute | Description | Data type | Required | Default |
| --- | --- | --- | --- | --- |
| Id | Uniquely identifies the event provider. | String that must have at least one character and cannot contain colons (:) or spaces. | Yes | |
| Name | Indicates the name of the event provider. | One of the following values: a registered Crimson provider, for example, "Microsoft-Windows-Search-Core"; a provider GUID, for example "49c2c27c-fe2d-40bf-8c4e-c3fb518037e7"; the name of a legacy provider, for example "IE6"; a special-case name, such as "PerfTrack" or "DotNetProvider". | Yes | |
| Base | Indicates the base for the provider. | string | No | |
| NonPagedMemory | Indicates whether non-paged memory is to be used. | boolean | No | false |
| Stack | Indicates whether the provider should capture stacks. | boolean | No | false |
| SID | Indicates whether the security identifier (SID) of the user is included in the extended data of logged events. | boolean | No | false |
| TSID | Indicates whether the terminal session identifier is included in the extended data of logged events. | boolean | No | false |
| Level | Indicates the level value. | unsignedByte | No | Zero, which ETW treats as 0xFFFFFFFFFFFFFFFF. |
| CaptureStateOnly | Indicates whether a provider is enabled only at start or save of a tracing session. | boolean | No | false |

Child Elements

| Element | Description | Requirement |
| --- | --- | --- |
| Keywords (in EventProvider) | Represents a collection of Keyword (in EventProvider) elements. | Required, 1 or more. |
| CaptureStateOnStart | Represents a collection of Keyword (in EventProvider) elements for events to be captured at the start of a trace. | Optional, zero or 1. |
| CaptureStateOnSave | Represents a collection of Keyword (in EventProvider) elements for events to be captured when a trace is saved. | Optional, zero or 1. |

Parent Elements

| Element | Description |
| --- | --- |
| EventProviders | Represents a collection of EventProvider elements. |
| Profiles | Represents a collection of collectors, providers, and profiles. |

Remarks

Provider definition order is important. Definitions must appear in the following order in the .wprp file:

  1. Collectors

  2. System provider

  3. Event provider(s)

Optional inner XML tags specify which keywords to enable. Unlike system providers, event providers have no textual constants defined, so hexadecimal-style strings must be used; otherwise the syntax is the same as for the system provider. If no keywords are specified, the default value of zero is used (which is treated by ETW as the string 0xFFFFFFFFFFFFFFFF).

Derived event providers have all the attributes of the base provider by default. These attributes can be overridden by explicitly specifying them in the derived provider. For more information, see Inheritance.
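The following is an added example, not part of the original page or of WPR itself: a small linter that applies the attribute rules above to EventProvider elements and reports, for each one, the session keyword mask and whether SID or TSID identity data will be written into the trace. The names audit and SAMPLE and the report keys are hypothetical; the accepted boolean spellings, the 64-bit keyword limit, and the OR-ing of several keywords are assumptions, and Base inheritance is not resolved.

```python
import re
import xml.etree.ElementTree as ET

ALL_KEYWORDS = 0xFFFFFFFFFFFFFFFF  # what ETW uses when the keyword value is zero
BOOLEAN_ATTRS = ("NonPagedMemory", "Stack", "SID", "TSID", "CaptureStateOnly")
TRUE, FALSE = ("true", "1"), ("false", "0")  # assumed: XML Schema boolean spellings
HEX_KEYWORD = re.compile(r"0[xX][0-9a-fA-F]{1,16}")  # assumed: at most 64 bits
# Constructed sample; the first two providers reuse names from the page's example.
SAMPLE = """<Profiles>
  <EventProvider Id="Win32K-provider" Name="Microsoft-Windows-Win32K" Stack="true">
    <Keywords><Keyword Value="0x240000"/><Keyword Value="0x4"/></Keywords>
  </EventProvider>
  <EventProvider Id="Search-Core-provider" Name="Microsoft-Windows-Search-Core" SID="true" TSID="1"/>
  <EventProvider Id="bad id:1" Name="SampleProvider" Level="300" Stack="yes">
    <Keywords><Keyword Value="FileIO"/></Keywords>
  </EventProvider>
</Profiles>"""

def audit(wprp_text):
    """Report each EventProvider; session_mask is None if invalid or CaptureStateOnly."""
    reports = []
    for p in ET.fromstring(wprp_text).iter("EventProvider"):
        problems, mask = [], 0
        pid = p.get("Id", "")
        if not pid or ":" in pid or " " in pid:
            problems.append("Id must be non-empty, without colons or spaces")
        if not p.get("Name"):
            problems.append("Name is required")
        for attr in BOOLEAN_ATTRS:
            if p.get(attr, "false") not in TRUE + FALSE:
                problems.append(f"{attr} is not a boolean")
        level = p.get("Level", "0")
        if not re.fullmatch(r"[0-9]{1,3}", level) or int(level) > 255:
            problems.append("Level does not fit an unsignedByte")
        for value in (k.get("Value", "") for k in p.findall("Keywords/Keyword")):
            if HEX_KEYWORD.fullmatch(value):
                mask |= int(value, 16)  # assumed: several keywords OR together
            else:
                problems.append(f"keyword {value!r} is not a hexadecimal string")
        live = not problems and p.get("CaptureStateOnly", "false") in FALSE
        reports.append({
            "id": pid, "problems": problems,
            "identity": [a for a in ("SID", "TSID") if p.get(a) in TRUE],
            "session_mask": (mask or ALL_KEYWORDS) if live else None,
        })
    return reports

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A non-empty identity list marks providers whose traces carry user SIDs or terminal session identifiers, which is worth knowing before a trace file is shared outside the team that collected it.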

Example

The following example defines two event providers.

<EventProvider
  Id="Win32K-provider"
  Name="Microsoft-Windows-Win32K"
  NonPagedMemory="true"
  Stack="true"> 
  <Keywords>
    <Keyword
      Value="0x240000"/>
  </Keywords>
</EventProvider>

<EventProvider
  Id="Search-Core-provider"
  Name="Microsoft-Windows-Search-Core"/>

The following code examples define capture-state providers.

<EventProvider Id="sample-provider" Name="SampleProvider" NonPagedMemory="true" Level="5">
  <Keywords>
    <Keyword Value="0x98"/> <!-- Provider is enabled with these keywords throughout the tracing session. -->
  </Keywords>
  <CaptureStateOnStart>
    <Keyword Value="0xff4"/> <!-- Provider is enabled with these keywords when tracing is started. -->
  </CaptureStateOnStart>
  <CaptureStateOnSave>
    <Keyword Value="0x118"/> <!-- Provider is enabled with these keywords when tracing is saved. -->
  </CaptureStateOnSave>
</EventProvider>

<EventProvider Id="EventProvider_DWMWin32k_CaptureState" Name="e7ef96be-969f-414f-97d7-3ddb7b558ccc" NonPagedMemory="true" CaptureStateOnly="true" > 
  <!-- CaptureStateOnly="true" means that provider is not enabled throughout the tracing session. -->
  <CaptureStateOnSave>
    <Keyword Value="0x80000"/> <!-- Provider is enabled with these keywords when tracing is saved. -->
  </CaptureStateOnSave>
</EventProvider>

For managed scenarios, use the following event provider definition:

<EventCollectorId Value ="WPAEventCollector">
  <EventProviders>
    <EventProviderId Value="EventProvider_DotNetProvider" />
    <EventProvider Name="Microsoft-Windows-WPA" Id="Microsoft-Windows-WPA" Stack="true">
    </EventProvider>
  </EventProviders>
</EventCollectorId>
