ETW-Samples

Samples written while studying Event Tracing for Windows (ETW).

Event Tracing Session

https://docs.microsoft.com/en-us/windows/win32/etw/event-tracing-sessions

  • Public: a public session is global and receives events from its enabled providers system-wide
  • Private (uncommon): a private session receives events only from the process it belongs to

ETW Controller

https://docs.microsoft.com/en-us/windows/win32/etw/controlling-event-tracing-sessions

  • Manage Session and Provider
  • Enable/Disable provider

ETW Provider

https://docs.microsoft.com/en-us/windows/win32/etw/providing-events

  • EnableTraceEx2: connects a provider to a session; provider registration is handled automatically

ETW Consumer

https://docs.microsoft.com/en-us/windows/win32/etw/consuming-events

  • OpenTrace:
  • Event trace callback: a general callback can be specified in the OpenTrace call, and a specific callback can be registered with the SetTraceCallback call
  • ProcessTrace: uses the callback(s) to process the trace, running on the calling thread
  • CloseTrace: called by the consumer (or the controller) to close the session

Useful APIs

  • StartTrace: creates an event trace session; the Properties structure is used to correlate it with providers
  • EnableTrace: enables a provider
  • ControlTrace: disables a provider
  • OpenTrace: builds the relationship between the consumer and an event trace session; a generic event-handling callback can be specified here
  • SetTraceCallback: registers a callback for a specific event type
  • ProcessTrace: processes the trace in a blocking way
  • CloseTrace: stops processing

Logman

Logman.exe is a native Windows command-line utility that acts as an ETW controller.

  • List all running event tracing sessions (must be executed from an elevated context)
    logman query -ets
    
  • List all providers that a trace session is subscribed to
    logman query "EventLog-Application" -ets
    
  • List all registered ETW providers, with their name and GUID
    logman query providers
    
  • View an individual provider
    logman query providers Microsoft-Windows-PowerShell
    
  • View all providers that a specific process is sending events to
    logman query providers -pid <pid_number>
    
  • Create a tracing session
    logman create trace <session_name> -ets
    
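The controller and consumer roles put together with the logman commands above, as an added example that is not code from the ETW-Samples repository: it creates a session for the Microsoft-Windows-PowerShell provider, records to an .etl file, stops the session and reads the captured events back with Get-WinEvent. The session name, file path and the Invoke-Logman helper are assumptions; it must run from an elevated PowerShell prompt.

```powershell
# Added example (not from the ETW-Samples repo). Assumed names: $SessionName, $EtlPath.
$SessionName = 'EtwSamplesDemo'
$EtlPath     = Join-Path $env:TEMP 'EtwSamplesDemo.etl'
$Provider    = 'Microsoft-Windows-PowerShell'   # provider named in the README above

function Invoke-Logman {
    param([string[]]$LogmanArgs)
    # logman reports failure through its exit code; stop rather than continue silently.
    $out = & logman.exe @LogmanArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "logman $($LogmanArgs -join ' ') failed: $out" }
    $out
}

# Controller role: create a live session (-ets), subscribe it to the provider (-p)
# and direct its buffers to a file (-o).
Invoke-Logman @('create', 'trace', $SessionName, '-p', $Provider, '-o', $EtlPath, '-ets')

# Check that the session now shows up among the running sessions (same query as above).
$running = Invoke-Logman @('query', '-ets')
if (-not ($running -match [regex]::Escape($SessionName))) { throw 'session is not running' }

# Produce some provider activity while the session is recording.
1..3 | ForEach-Object { & powershell.exe -NoProfile -Command "Write-Output $_" | Out-Null }
Start-Sleep -Seconds 2

# Stop the session; this flushes the buffers and finalises the .etl file.
Invoke-Logman @('stop', $SessionName, '-ets')

# Consumer role: read the events back from the file (-Oldest is required for .etl input).
$events = @(Get-WinEvent -Path $EtlPath -Oldest -ErrorAction SilentlyContinue)
'{0} events captured from {1}' -f $events.Count, $Provider
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

The same flow maps onto the API list above: create/stop correspond to StartTrace/ControlTrace, -p to EnableTrace, and Get-WinEvent plays the part of OpenTrace/ProcessTrace over the file.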

Reference

Contributors

xindzju
