About Event Tracing for Drivers
What is Event Tracing?
Event Tracing for Windows (ETW) is an efficient and effective mechanism for tracing and logging events that are raised by user-mode applications and kernel-mode drivers. ETW consists of three components:
Applications or components that raise event tracing instrumentation.
Applications that start, stop, and configure event tracing sessions.
Applications that receive event tracing sessions (in real time) or from a file.
The ETW Kernel-Mode API
The ETW application programming interface (API) provides a set of functions that are available to kernel-mode components and drivers. Support for Event Tracing was first introduced in Windows 2000. WMI Event Tracing and WPP Software Tracing both use ETW. To unify and simplify the event and logging model, a new API was introduced in Windows Vista. Driver developers can use these functions to register the driver as an ETW provider. ETW providers can raise events and can publish them to the Windows Event Log or can write their events to an ETW session, which gets written to a trace file or delivered to real-time consumer. Events are entities that describe interesting occurrences within the system and are defined by a set of attributes that are determined by the ETW providers.
ETW is implemented in the Windows operating system and provides developers a fast, reliable, and versatile set of event tracing features with very little impact on performance. You can dynamically enable or disable tracing without rebooting your computer, or reloading your application or driver. Unlike debugging statements that you add to your code during development, you can use ETW in your production code.
When to Use Event Tracing
The ETW kernel-mode API was introduced with Windows Vista and is not supported in earlier operating systems. Use the ETW kernel-mode API if you want to publish events that can be consumed by applications interested in administrative, operational and analytical events, in addition to the detailed tracing you might require during development. Use WPP Software Tracing if you are interested in primarily collecting trace data for development and debugging purposes and your driver needs to support this capability in Windows 2000 and later.