etw

Strange threads in application in Win7 WOW64

冷暖自知 Submitted on 2019-12-13 13:33:15
Question: We are observing 4-6 threads on Windows 7 x64 in an application which has 3 threads and behaves normally on any Windows (either 32 or 64 bit) prior to Windows 7. Process Explorer shows the following "unknown" thread: ntdll.dll!EtwDeliverDataBlock+offset. After a random interval the following threads appear: ntdll.dll!TpCallbackIndependent+offset ntdll.dll!TpCallbackIndependent+offset. After that the application can't create a thread (error code 8, not enough space ...). It seems to me that some system

How to gather CPU utilization sampling with xperf (Windows Performance Toolkit)

陌路散爱 Submitted on 2019-12-13 09:46:35
Question: I want to analyze the performance of a long process (6-8 hours). I need information about created/finished processes (with command lines) and CPU utilization. I found that Windows Performance Analyzer (wpa.exe/xperfview.exe) is a great tool for analyzing. I created a performance data collector, selected the provider 'Windows Kernel Trace' with keyword 'process', and got information about processes. But I can't find how to collect information about CPU utilization with sampling. I know that xperf.exe -on Base

Access is denied while register provider (wevtutil)

南笙酒味 Submitted on 2019-12-13 01:23:52
Question: I'm trying to register a manifest-based provider using wevtutil and get the following error: **** Warning: Publisher ExampleProvider resources are not accessible. So I run wevtutil gp ExampleProvider and get the following message: Failed to open metadata for publisher ExampleProvider. Access is denied. The user account I'm working with has Administrator privilege and is part of the groups Event Log Readers, Performance Log Users, and Performance Monitor Users. The manifest file is the same

ETW/Eventsource tracing to file (dump)

冷暖自知 Submitted on 2019-12-11 19:54:43
Question: I use ETW to do tracing in my application. So I create a custom EventSource and EventListener. Now I want to use this tracing from a client side. For example, I want my app to dump the tracing log to a file when the app gets an unhandled exception, so I will be able to know what happened remotely (so I want a trace dump). Question 1: Is ETW designed for this (dump) or is it just a tracing tool and I have to implement another distinct solution? Question 2: (If Question 1 => ETW can do such

ETW File IO Monitoring on XP/2003

半世苍凉 Submitted on 2019-12-11 08:26:50
Question: I've been investigating ETW for process/file/registry/network monitoring. It looks like on Win7 it has everything I need. However, on XP it seems to be lacking the same level of detail. Specifically, with file IO only "FileCreate" events seem to be logged and process creation events don't give a full path. Is it possible to determine when a file is written to on XP with ETW? And how about the full path to a process start event? Answer 1: Starting with Vista MS added a lot of ETW providers to

Is there a tool to dump/show event data templates defined in a provider's manifest?

ⅰ亾dé卋堺 Submitted on 2019-12-10 19:06:28
Question: > wevtutil.exe gp <provider-name> /ge /gm /f:xml prints the manifest given a provider, except for its data templates. Is there a tool I am missing that would display the templates defined in an installed provider's manifest? They must be out there in the binary WEVT_TEMPLATE resource, since the Tdh* functions seem to know about them. Answer 1: PerfView can do this with this command: PerfView userCommand DumpRegisteredManifest <provider-name> This dumps the complete manifest into an XML. Answer 2:

Windows ETW: Kernel consumer receives no EventCallback or BufferCallback events

廉价感情. Submitted on 2019-12-10 17:13:21
Question: I am trying to listen to ETW kernel events. Step 1: Call OpenTrace, specifying the EventCallback and optional BufferCallback functions that will be called during my call to ProcessTrace: var logFile: EVENT_TRACE_LOGFILE; currentTrace: TRACEHANDLE; begin ZeroMemory(@logFile, sizeof(logFile)); logFile.LoggerName := KERNEL_LOGGER_NAME; logFile.LogFileName := 'C:\Users\Ian\foo.etl'; logFile.ProcessTraceMode := 0; logFile.EventCallback := RealtimeEventCallback; logFile.BufferCallback :=

EventSource activity id and TPL

廉价感情. Submitted on 2019-12-10 11:26:44
Question: According to the documentation http://msdn.microsoft.com/en-us/library/dn775009%28v=pandp.20%29.aspx the current activity id should be handled by TPL. But when I get results, log events from different tasks belong to different activities. To read messages I use the out-of-process SemanticLogging-svc.2.0.1406.1. The workflow is as follows: 1. I set the activity id which shall be used: EventSource.SetCurrentThreadActivityId. 2. Then I have some code in the same thread, but there can also be a lot of code in different threads.

Which API does Windows Resource Monitor use?

别来无恙 Submitted on 2019-12-09 00:57:13
Question: Windows Resource Monitor displays (among other things) which files on disk are currently accessed by which processes. And it does that in realtime. How? I know that it probably uses ETW and that I can generate traces with tools like xperf. But how to get realtime information without having to start, stop and parse a trace file? I need to programmatically access the data, i.e. from C# or C++. Answer 1: OpenTrace/ProcessTrace/StopTrace can get the data in real-time as long as you know the provider

Service Fabric ETW Logs are always incomplete

一笑奈何 Submitted on 2019-12-08 00:23:07
Question: We have just started using Service Fabric and the only pain point so far has been ETW with WAD, which always seems to log out with missing data (message, eventmessage). Our experience so far has been that it always works in Visual Studio (sometimes you have to add the provider name) and that it rarely works when deployed to a cluster in Azure. When it does work in Azure, versioning & updating a function on the event source or adding another will then log out with empty data points. This is the