Windows Dev Center

QueryTrace function

The QueryTrace function retrieves the property settings and session statistics for the specified event tracing session.

The ControlTrace function supersedes this function.

Syntax


ULONG QueryTrace(
  _In_    TRACEHANDLE             SessionHandle,
  _In_    LPCTSTR                 SessionName,
  _Inout_ PEVENT_TRACE_PROPERTIES Properties
);

Parameters

SessionHandle [in]

Handle to the event tracing session for whose properties and statistics you want to query, or NULL. You must specify SessionHandle if SessionName is NULL. However, ETW ignores the handle if SessionName is not NULL. The handle is returned by the StartTrace function.

SessionName [in]

Pointer to a null-terminated string that specifies the name of the event tracing session whose properties and statistics you want to query, or NULL. You must specify SessionName if SessionHandle is NULL.

To specify the NT Kernel Logger session, set SessionName to KERNEL_LOGGER_NAME.

Properties [in, out]

Pointer to an initialized EVENT_TRACE_PROPERTIES structure.

You only need to set the Wnode.BufferSize member of the EVENT_TRACE_PROPERTIES structure. You can use the maximum session name (1024 characters) and maximum log file name (1024 characters) lengths to calculate the buffer size and offsets if not known.

On output, the structure members contain the property settings and session statistics for the event tracing session.

Return value

If the function succeeds, the return value is ERROR_SUCCESS.

If the function fails, the return value is one of the system error codes. The following table includes some common errors and their causes.

Return codeDescription
ERROR_BAD_LENGTH

One of the following is true:

  • The Wnode.BufferSize member of Properties specifies an incorrect size.
  • Properties does not have sufficient space allocated to hold a copy of the session name and log file name (if used).
ERROR_INVALID_PARAMETER

One of the following is true:

  • Properties is NULL.
  • SessionName and SessionHandle are both NULL.
ERROR_ACCESS_DENIED

Only users running with elevated administrative privileges, users in the Performance Log Users group, and services running as LocalSystem, LocalService, NetworkService can query event tracing sessions. To grant a restricted user the ability to query trace sessions, add them to the Performance Log Users group or see EventAccessControl.

Windows XP and Windows 2000:  Anyone can control a trace session.

ERROR_WMI_INSTANCE_NOT_FOUND

The given session is not running.

 

Remarks

Controllers call this function.

To update the property settings and session statistics for an event tracing session, call the UpdateTrace function.

Requirements

Minimum supported client

Windows 2000 Professional [desktop apps | Windows Store apps]

Minimum supported server

Windows 2000 Server [desktop apps | Windows Store apps]

Header

Evntrace.h

Library

Advapi32.lib

DLL

Advapi32.dll

Unicode and ANSI names

QueryTraceW (Unicode) and QueryTraceA (ANSI)

See also

ControlTrace
QueryAllTraces

 

 

Community Additions

ADD
Show:
© 2015 Microsoft