Understanding Windows Event Tracing (ETW)

Understanding ETW

Some unnecessary information has been filtered out; see the complete documentation at: https://docs.microsoft.com/en-us/windows/win32/etw/event-tracing-portal

Understanding the Basics

https://learn.microsoft.com/en-us/windows/win32/etw/about-event-tracing

Architecture

Session

There are four kinds of sessions. The original table has four columns (Session Type, Usage, Limitations, Characteristics), given here per session type:

Event Tracing Session (Standard ETW)
  • Usage:
    1. Fill in EVENT_TRACE_PROPERTIES
    2. StartTrace: create the session
    3. Enable providers: EnableTrace for classic providers, EnableTraceEx for manifest-based providers
    4. ControlTrace: stop the session
  • Limitations:
    • A manifest-based provider can deliver events to at most 8 sessions.
    • A classic provider can serve only one session.
    • The last session to enable a provider supersedes any earlier sessions.
  • Characteristics: Standard ETW.

SystemTraceProvider Session
  • Usage:
    1. Fill in EVENT_TRACE_PROPERTIES, setting EnableFlags to select the kernel events
    2. StartTrace
    3. ControlTrace to stop the session
  • Limitations:
    • SystemTraceProvider is a kernel-mode provider that supplies a set of predefined kernel events.
    • The NT Kernel Logger session is a predefined system session that records a specified set of kernel events.
    • Windows 7 / Windows Server 2008 R2: only the NT Kernel Logger session may use SystemTraceProvider.
    • Windows 8 / Windows Server 2012: SystemTraceProvider can feed up to 8 logger sessions, two of which are reserved for the NT Kernel Logger and the Circular Kernel Context Logger.
    • Windows 10 20348 and later: individual System providers can be controlled separately.
  • Characteristics: Obtain the kernel's predefined events.

AutoLogger Session
  • Usage:
    1. Edit the registry
    2. EnableTraceEx
    3. ControlTrace to stop the session
  • Limitations:
    • The Global Logger Session is a special, standalone session that records events during system boot.
    • Ordinary AutoLogger sessions must explicitly enable providers; the Global Logger does not.
    • AutoLogger does not support NT Kernel Logger events; only the Global Logger does.
    • It affects boot time, so use it sparingly.
  • Characteristics: Record OS boot-time events.

Private Logger Session
  • Usage / Limitations:
    • User-mode ETW
    • Used only within a process
    • Not counted toward the 64-session concurrency limit
  • Characteristics: Per-process only.

Tools

  • logman
  • wevtutil
    • XPath query example: wevtutil qe Security /c:2 /q:"*[System[EventID=5157]]" /f:text
  • tracelog
    • Using the tracelog tool that ships with Visual Studio, ETW providers and sessions can be added and removed dynamically at runtime.
  • mc
  • etw-providers-docs
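
As an added example (not part of the original page), the standard ETW session lifecycle from the session table, driven from PowerShell with logman (listed under Tools), with each command mapped to the API call the table names, followed by a short NT Kernel Logger run for the SystemTraceProvider row. The session name, the chosen provider and keyword, the output path, and the use of Get-EtwTraceSession (EventTracingManagement module, Windows 10 / Server 2016 and later) are assumptions.

```powershell
# Added example, not from the page: standard ETW session lifecycle via logman.
# Session name, provider, keyword, and output path are assumptions.
# Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'
$Session  = 'DemoUserSession'                    # assumed session name
$Provider = 'Microsoft-Windows-Kernel-Process'   # assumed manifest-based provider
$OutDir   = 'C:\Temp\etw'                        # assumed output location
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Check the session budget first: every non-private session counts toward the
# 64-session limit from the table. Get-EtwTraceSession comes from the
# EventTracingManagement module (assumed available on this host).
$active = @(Get-EtwTraceSession).Count
if ($active -ge 64) { throw "No session slots left ($active sessions active)" }
Write-Host "Active ETW sessions: $active of 64"

# Steps 1 + 2: EVENT_TRACE_PROPERTIES + StartTrace. With -ets, logman talks to
# the ETW session directly instead of creating a scheduled data collector set.
logman create trace $Session -o "$OutDir\$Session.etl" -ets

# Step 3: EnableTraceEx. Keyword 0x10 selects process events for this
# provider; level 0x4 = Informational.
logman update trace $Session -p $Provider 0x10 0x4 -ets

# Show what the session has enabled (a manifest-based provider may serve at
# most 8 sessions; a refusal here is the symptom of hitting that limit).
logman query $Session -ets

Start-Sleep -Seconds 10          # let some events reach the .etl file

# Step 4: ControlTrace with EVENT_TRACE_CONTROL_STOP.
logman stop $Session -ets

# SystemTraceProvider row: the session must be named exactly "NT Kernel Logger"
# (the only name allowed on Windows 7). The keyword group list is passed as one
# quoted argument so PowerShell does not treat the parentheses as an expression.
logman create trace "NT Kernel Logger" -p "Windows Kernel Trace" `
    '(process,thread,img)' -o "$OutDir\kernel.etl" -ets
Start-Sleep -Seconds 5
logman stop "NT Kernel Logger" -ets

Write-Host "Traces written to $OutDir; open them with tracerpt or Event Viewer."
```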