What's New in Event Tracing

This section describes the new features that were added to Event Tracing for Windows in each release.

Windows 10, version 1709

ETW can now optionally track binaries for all providers that are enabled to the session. The tracking applies retroactively for providers that were enabled to the session prior to the call, as well as for all future providers that are enabled to the session. You can also now query for the currently-configured maximum number of system loggers allowed by the operating system. For more information, see the TraceProviderBinaryTracking and TraceMaxLoggersQuery values of the TRACE_INFO_CLASS enumeration, as well as Retrieving Additional Event Tracing Data.

ETW can now filter events based on event name. You can also determine which events get their stacks captured. For more information, see the EVENT_FILTER_TYPE_EVENT_NAME, EVENT_FILTER_TYPE_STACKWALK_NAME , and EVENT_FILTER_TYPE_STACKWALK_LEVEL_KW values of the EVENT_FILTER_DESCRIPTOR structure, as well as the associated EVENT_FILTER_EVENT_NAME and EVENT_FILTER_LEVEL_KW structures.

Windows 10

TraceLogging builds on ETW and provides a simplified way to instrument code for native, .NET and WinRT developers. TraceLogging allows you to include structured data with events, correlate events, and does not require a separate instrumentation manifest XML file.

Provider Traits were added as a method of attaching more data to an individual provider registration. They can be used for manifest-based or TraceLogging providers. This currently includes support for adding a Provider Name and/or a Provider Group to an individual provider registration. Provider Groups are a new feature to allow multiple ETW providers to be controlled in aggregate by the group they belong to.

Periodic capture state is a way to allow capture state notifications to be routinely sent to providers. When this is enabled, notifications will only be sent to provider registrations that have been previously enabled to the current session. Each provider can define its own response (if any) to a notification. For implementation details, see TRACE_PERIODIC_CAPTURE_STATE_INFO.

Windows 8.1 and Windows Server 2012 R2

The following features have been added to Event Tracing on Windows 8.1 and Windows Server 2012 R2.

Functions that support using event payload, scope, and stack walk filters used by the EnableTraceEx2 function and the ENABLE_TRACE_PARAMETERS and EVENT_FILTER_DESCRIPTOR structures to filter on specific conditions in a logger session. For more information, see:

• TdhAggregatePayloadFilters
• TdhCleanupPayloadEventFilterDescriptor
• TdhCreatePayloadFilter
• TdhDeletePayloadFilter

In addition, see the extensively revised documentation for the EnableTraceEx2 function and the ENABLE_TRACE_PARAMETERS and EVENT_FILTER_DESCRIPTOR structures that are used by these features.

A structure that defines an event payload filter predicate that describes how to filter on a single field in a trace session used by the new TdhCreatePayloadFilter function and a new structure used by event ID and stack walk filters. For more information, see:

• EVENT_FILTER_EVENT_ID
• PAYLOAD_FILTER_PREDICATE

Functions that retrieve information on events present in the provider manifest. For more information, see:

• TdhEnumerateManifestProviderEvents
• TdhGetManifestEventInformation

A structure that defines an array of events in a provider manifest used by the new TdhEnumerateManifestProviderEvents function. For more information, see:

• PROVIDER_EVENT_INFO

Windows 8 and Windows Server 2012

The following features have been added to the Event Tracing on Windows 8 and Windows Server 2012.

Functions that performs operations on a registration object, provide event payload parsing, provide trace provider browsing, query event tracing session settings, and process a relogged trace file. For more information, see:

• EventSetInformation
• TdhCloseDecodingHandle
• TdhGetDecodingParameter
• TdhGetWppProperty
• TdhGetWppMessage
• TdhLoadManifestFromBinary
• TdhOpenDecodingHandle
• TdhSetDecodingParameter
• TraceQueryInformation

Interfaces that provide information to the relogger on the tracing process and when events are logged, access to data for a specific event, and access to relogger features that allow the manipulation of Event Trace Log (ETL) files. For more information, see:

• ITraceEvent
• ITraceEventCallback
• ITraceRelogger

Additional enumerations used by the new functions and interfaces. For more information, see:

• EVENT_INFO_CLASS
• TRACE_QUERY_INFO_CLASS

Windows 7 and Windows Server 2008 R2

The following features were added in this release:

• The ability for providers to define filters in the manifest. In Windows Vista, controllers could pass filter data to the provider. However, the layout of the filter data was not defined in the manifest, so the provider would have to use other means to provide the filter definition to controllers. With this release, providers can define the filter definition in the manifest (see the filters attribute of the ProviderType complex type). Controllers can then use the TdhEnumerateProviderFilters function to determine the filter definition. Providers that use filters should use the EventWriteEx function to write the event.
• The ability to use a single buffer to gather events generated on multiple processors. Using a single buffer eliminates events from appearing out of order on multi-processors computers. For details, see the EVENT_TRACE_NO_PER_PROCESSOR_BUFFERING logging mode. By default, ETW uses per-processor buffers.
• The ability to capture a stack trace for events. To enable stack tracing for kernel events, see the TraceSetInformation function. To enable stack tracing for user events, see the EVENT_ENABLE_PROPERTY_STACK_TRACE flag for the EnableProperty member of ENABLE_TRACE_PARAMETERS.
• The ability to specify the EVENT_TRACE_BUFFERING_MODE or EVENT_TRACE_FILE_MODE_NEWFILE logging mode with the EVENT_TRACE_PRIVATE_LOGGER_MODE logging mode (see Logging Mode Constants).
• The ability to enable a provider synchronously. By default, providers are enabled asynchronously. To enable a provider synchronously, set the Timeout parameter of EnableTraceEx2.
• The ability for the controller to request that the provider log its state. For details, see the EVENT_CONTROL_CODE_CAPTURE_STATE flag for the ControlCode parameter of EnableTraceEx2.
• The ability for consumers to format event data using the TdhFormatProperty function.
• The ability to decode manifested events on computers that do not contain the provider. For details, see the TdhLoadManifest function.

The following functions were added in this release:

• EnableTraceEx2
• EventWriteEx
• TdhEnumerateProviderFilters
• TdhFormatProperty
• TdhLoadManifest
• TdhUnloadManifest
• TraceSetInformation

The following structures were added in this release:

• CLASSIC_EVENT_ID
• ENABLE_TRACE_PARAMETERS
• EVENT_EXTENDED_ITEM_STACK_TRACE32
• EVENT_EXTENDED_ITEM_STACK_TRACE64
• EVENT_FILTER_HEADER
• PROVIDER_FILTER_INFO

The following enumerations were added in this release:

• TRACE_INFO_CLASS

The following MOF classes were added in this release:

• StackWalk
• StackWalk_Event