Using ETW Tracing
Whenever I've talked about tracing I've always used the System.Diagnostics trace listeners in the example. However, there's a second tracing system that is much more powerful but much less talked about called ETW (Event Tracing for Windows).
ETW is much less talked about because of the way it combines extreme unusability with a copious lack of documentation. If you can master ETW, though, it becomes an extremely valuable tool. ETW is highly performant, can be made very granular, and allows programmatic control for starting and stopping traces. This type of tracing is extremely useful for advanced debugging and performance monitoring tasks.
The history of ETW derives from a need for very fast, general-purpose tracing facilities in the operating system. Starting with Windows 2000, ETW used kernel-level buffering and logging to provide a tracing mechanism for both user applications and kernel drivers. Because of this history, ETW developed several useful features, such as dynamic control of traces (to avoid having to restart applications or reboot the machine to change tracing options) and very low-overhead asynchronous logging. ETW got an overhaul in Windows Vista to define a unified provider model, and in Orcas (.NET Framework 3.5) to add some basic managed APIs.
You probably have a large number of ETW providers already on your system. You can run "logman query providers" to see the list.
Defining an ETW provider and listener for use with WCF is fairly complex. There is an ETW tracing sample for WCF though that takes you through defining and registering a provider, defining events, defining and registering a listener, and receiving trace events.
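To make the provider side concrete without walking through the whole WCF sample, here is an added example (not code from the WCF sample or the original post) that uses the managed ETW API shipped in System.Core.dll with .NET Framework 3.5: System.Diagnostics.Eventing.EventProvider. It registers a provider, defines a few event descriptors, and checks IsEnabled before writing so that the dynamic on/off control and low overhead described above actually show up in the code. The provider GUID, event IDs, and keyword value are placeholders chosen for this example; the API requires Windows Vista or later.

```csharp
using System;
using System.Diagnostics.Eventing;   // System.Core.dll, .NET Framework 3.5 managed ETW API
using System.Threading;

// Minimal ETW provider using the managed EventProvider class.
// EventProvider throws PlatformNotSupportedException on pre-Vista systems.
static class EtwTraceExample
{
    // Example-only provider GUID (placeholder). Any GUID you pick identifies this
    // provider to ETW controllers; pass the same value to "logman -p".
    static readonly Guid ProviderId = new Guid("9C1A2B3D-4E5F-4A6B-8C7D-0E1F2A3B4C5D");

    // Keywords are a bitmask a controller can filter on when it enables the provider.
    const long KeywordRequest = 0x1;   // placeholder keyword for this example

    // EventDescriptor(id, version, channel, level, opcode, task, keywords).
    // Level 4 = Informational, 5 = Verbose. Opcode 1 = Start, 2 = Stop.
    static EventDescriptor requestStart = new EventDescriptor(1, 0, 0, 4, 1, 0, KeywordRequest);
    static EventDescriptor requestStop  = new EventDescriptor(2, 0, 0, 4, 2, 0, KeywordRequest);
    static EventDescriptor requestDetail = new EventDescriptor(3, 0, 0, 5, 0, 0, KeywordRequest);

    static void Main()
    {
        // Constructing the provider registers it with ETW; disposing unregisters it.
        using (EventProvider provider = new EventProvider(ProviderId))
        {
            for (int i = 0; i < 5; i++)
            {
                ProcessRequest(provider, i);
            }
        }
    }

    static void ProcessRequest(EventProvider provider, int requestId)
    {
        // IsEnabled() reflects the live session state: a controller such as logman can
        // turn tracing on or off while this process runs, with no restart. Checking it
        // first keeps the cost near zero when no session is listening.
        if (provider.IsEnabled())
        {
            provider.WriteEvent(ref requestStart, requestId);
        }

        Thread.Sleep(20);   // stand-in for real work

        // The verbose payload is only built when a session asked for level 5 and our keyword.
        if (provider.IsEnabled(5, KeywordRequest))
        {
            string detail = "request " + requestId + " detail built only for a verbose listener";
            provider.WriteEvent(ref requestDetail, requestId, detail);
        }

        if (provider.IsEnabled())
        {
            provider.WriteEvent(ref requestStop, requestId);
        }
    }
}
```

To see the events, start a session for that GUID before running the program, e.g. "logman create trace EtwExample -p {9C1A2B3D-4E5F-4A6B-8C7D-0E1F2A3B4C5D} 0x1 5 -o example.etl -ets", stop it afterwards with "logman stop EtwExample -ets", and dump the log with "tracerpt example.etl -o example.xml -of XML". Starting and stopping sessions requires membership in Administrators or Performance Log Users. Without a registered manifest the consumer shows the payload as raw bytes rather than named fields; the WCF sample covers the manifest and listener side.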
Next time: Common Problems Composing Security with Streaming
Comments
- Anonymous
September 30, 2008
I have a schema file that describes a choice between multiple layout formats for a type. How do I build