Επεξεργασία

Κοινή χρήση μέσω


Logging Mode Constants

The following constants represent the possible logging modes for an event tracing session.

The constants are used in the LogFileMode members of EVENT_TRACE_LOGFILE, EVENT_TRACE_PROPERTIES and TRACE_LOGFILE_HEADER structures. These constants are defined in the Evntrace.h header file.

Mode Description
EVENT_TRACE_FILE_MODE_NONE (0x00000000) Same as EVENT_TRACE_FILE_MODE_SEQUENTIAL with no maximum file size specified.
EVENT_TRACE_FILE_MODE_SEQUENTIAL (0x00000001) Writes events to a log file sequentially; stops when the file reaches its maximum size.Do not use with EVENT_TRACE_FILE_MODE_CIRCULAR or EVENT_TRACE_FILE_MODE_NEWFILE.
EVENT_TRACE_FILE_MODE_CIRCULAR (0x00000002) Writes events to a log file. After the file reaches the maximum size, the oldest events are replaced with incoming events.Note that the contents of the circular log file may appear out of order on multiprocessor computers.
Do not use with EVENT_TRACE_FILE_MODE_APPEND, EVENT_TRACE_FILE_MODE_NEWFILE, or EVENT_TRACE_FILE_MODE_SEQUENTIAL.
EVENT_TRACE_FILE_MODE_APPEND (0x00000004) Appends events to an existing sequential log file. If the file does not exist, it is created. Use only if you specify system time for the clock resolution, otherwise, ProcessTrace will return events with incorrect time stamps. When using EVENT_TRACE_FILE_MODE_APPEND, the values for BufferSize, NumberOfProcessors, and ClockType must be explicitly provided and must be the same in both the logger and the file being appended.
Do not use with EVENT_TRACE_REAL_TIME_MODE, EVENT_TRACE_FILE_MODE_CIRCULAR, EVENT_TRACE_FILE_MODE_NEWFILE, or EVENT_TRACE_PRIVATE_LOGGER_MODE.
Windows 2000: This value is not supported.
EVENT_TRACE_FILE_MODE_NEWFILE (0x00000008) Automatically switches to a new log file when the file reaches the maximum size. The MaximumFileSize member of EVENT_TRACE_PROPERTIES must be set.The specified file name must be a formatted string (for example, the string contains a %d, such as c:\test%d.etl). Each time a new file is created, a counter is incremented and its value is used, the formatted string is updated, and the resulting string is used as the file name.
This option is not allowed for private event tracing sessions and should not be used for NT kernel logger sessions.
Do not use with EVENT_TRACE_FILE_MODE_CIRCULAR, EVENT_TRACE_FILE_MODE_APPEND or EVENT_TRACE_FILE_MODE_SEQUENTIAL.
Windows 2000: This value is not supported.
EVENT_TRACE_FILE_MODE_PREALLOCATE(0x00000020) Reserves EVENT_TRACE_PROPERTIES.MaximumFileSize bytes of disk space for the log file in advance. The file occupies the entire space during logging, for both circular and sequential log files. When you stop the session, the log file is reduced to the size needed. You must set EVENT_TRACE_PROPERTIES.MaximumFileSize.
You cannot use the mode for private event tracing sessions.
Windows 2000: This value is not supported.
EVENT_TRACE_NONSTOPPABLE_MODE(0x00000040) The logging session cannot be stopped. This mode is only supported by Autologger.This option is supported on Windows Vista and later.
.
EVENT_TRACE_SECURE_MODE (0X00000080) Restricts who can log events to the session to those with TRACELOG_LOG_EVENT permission. This option is supported on Windows Vista and later.
EVENT_TRACE_REAL_TIME_MODE (0x00000100) Delivers the events to consumers in real-time. Events are delivered when the buffers are flushed, not at the time the provider writes the event. You should not enable real-time mode if there are no consumers to consume the events because calls to log events will eventually fail when the buffers become full. Prior to Windows Vista, if the events were not being consumed, the events were discarded.Do not specify more than one real-time consumer in one process on Windows XP orWindows Server 2003. Instead, have one thread consume events and distribute the events to others.
Prior to Windows Vista: You should not use real-time mode because the supported event rate is much lower than reading from the log file (events may be dropped). Also, the event order is not guaranteed on computers with multiple processors. The real-time mode is more suitable for low-traffic, notification type events.

You can combine this mode with other log file modes; however, do not use this mode with EVENT_TRACE_PRIVATE_LOGGER_MODE. Note that if you combine this mode with other log file modes, buffers will be flushed once every second, resulting in partially filled buffers being written to your log file. For example if you use 64k buffers and your logging rate is 1 event every second, the service will write 64k/second to your log file.
EVENT_TRACE_DELAY_OPEN_FILE_MODE(0x00000200) This mode is used to delay opening the log file until an event occurs.
Note:
On Windows Vista or later, this mode is not applicable, and should not be used.
EVENT_TRACE_BUFFERING_MODE (0x00000400) This mode writes events to a circular memory buffer. Events written beyond the total size of the buffer evict the oldest events still remaining in the buffer. The size of this memory buffer is the product of MinimumBuffers and BufferSize (see EVENT_TRACE_PROPERTIES).As a consequence of this formula, any buffer that uses EVENT_TRACE_BUFFERING_MODE will ignore the MaximumBuffers value.
Events are not written to a log file or delivered in real-time, and ETW does not flush the buffers. To get a snapshot of the buffer, call the FlushTrace function.
This mode is particularly useful for debugging device drivers in conjunction with the ability to view the contents of in-memory buffers with the WMITrace kernel debugger extension.
Do not use with EVENT_TRACE_FILE_MODE_SEQUENTIAL, EVENT_TRACE_FILE_MODE_CIRCULAR, EVENT_TRACE_FILE_MODE_APPEND, EVENT_TRACE_FILE_MODE_NEWFILE, or EVENT_TRACE_REAL_TIME_MODE.
EVENT_TRACE_PRIVATE_LOGGER_MODE (0x00000800) Creates a user-mode event tracing session that runs in the same process as its event trace provider. The memory for buffers comes from the process's memory. Processes that do not require data from the kernel can eliminate the overhead associated with kernel-mode transitions by using a private event tracing session.
If the provider is registered by multiple processes, ETW appends the process identifier to the log file name to create a unique log file name. For example, if the controller specifies the log file names as c:\mylogs\myprivatelog.etl, ETW creates the log file as c:\mylogs\myprivatelog.etl_nnnn, where nnnn is the process identifier. The process identifier is not appended to the first process that registers the provider, it is appended to only the subsequent processes that register the provider.
Private event tracing sessions have the following limitations:
  • A private session can record events only for the threads of the process in which it is executing.
  • There can be up to eight private session per process.
  • Private sessions cannot be used with real-time delivery.
  • Events that are generated by a private session do not include execution time for kernel-mode versus user-mode instructions, or thread-level detail of the CPU time used.
Process ID filters and executable name filters can now be passed in to session control APIs when system wide private loggers are started. For the best results in cross process scenarios, the same filters should be passed to every control operation during the session, including provider enable/diasble calls. Note that the filters have the same format as those consumed by EnableTraceEx2.
You can use this mode in conjunction with the EVENT_TRACE_PRIVATE_IN_PROC mode.
Prior to Windows 10, version 1703: Only LocalSystem, the administrator, and users in the administrator group that run in an elevated process can create a private session. If you include the EVENT_TRACE_PRIVATE_IN_PROC flag, any user can create an in-process private session. Also, in prior versions of Windows, there can only be one private session per process (unless the EVENT_TRACE_PRIVATE_IN_PROC mode is also specified, in which case you can create up to three in-process private sessions).
Prior to Windows Vista: Users in the Performance Log Users group could also create a private session.

Do not use with EVENT_TRACE_REAL_TIME_MODE.
Prior to Windows 7 and Windows Server 2008 R2: Do not use with EVENT_TRACE_FILE_MODE_NEWFILE.
EVENT_TRACE_ADD_HEADER_MODE(0x00001000) This option adds a header to the log file.
Note:
On Windows Vista or later, this mode is not applicable, and should not be used.
EVENT_TRACE_USE_KBYTES_FOR_SIZE(0x00002000) Use kilobytes as the unit of measure for specifying the size of a file. The default unit of measure is megabytes. This mode applies to the MaxFileSize registry value for an AutoLogger session and the MaximumFileSize member of EVENT_TRACE_PROPERTIES. This option is supported on Windows Vista and later.
EVENT_TRACE_USE_GLOBAL_SEQUENCE(0x00004000) Uses sequence numbers that are unique across event tracing sessions. This mode only applies to events logged using the TraceMessage function. For more information, see TraceMessage for usage details.
EVENT_TRACE_USE_GLOBAL_SEQUENCE and EVENT_TRACE_USE_LOCAL_SEQUENCE are mutually exclusive.
Windows 2000: This value is not supported.
EVENT_TRACE_USE_LOCAL_SEQUENCE (0x00008000) Uses sequence numbers that are unique only for an individual event tracing session. This mode only applies to events logged using the TraceMessage function. For more information, see TraceMessage for usage details.
EVENT_TRACE_USE_GLOBAL_SEQUENCE and EVENT_TRACE_USE_LOCAL_SEQUENCE are mutually exclusive.
Windows 2000: This value is not supported.
EVENT_TRACE_RELOG_MODE (0x00010000) Logs the event without including EVENT_TRACE_HEADER.Note:
This mode should not be used. It is reserved for internal use.
Windows 2000: This value is not supported.
EVENT_TRACE_PRIVATE_IN_PROC (0x00020000) Use in conjunction with the EVENT_TRACE_PRIVATE_LOGGER_MODE mode to start a private session. This mode enforces that only the process that registered the provider GUID can start the logger session with that GUID.
You can create up to three in-process private sessions per process.
This option is supported on Windows Vista and later.
EVENT_TRACE_MODE_RESERVED(0x00100000) This option is used to signal heap and critical section tracing. This option is supported on Windows Vista and later.
EVENT_TRACE_STOP_ON_HYBRID_SHUTDOWN(0x00400000) This option stops logging on hybrid shutdown. If neither EVENT_TRACE_STOP_ON_HYBRID_SHUTDOWN or EVENT_TRACE_PERSIST_ON_HYBRID_SHUTDOWN is specified, ETW will chose a default based on whether the caller is coming from Session 0 or not.This option is supported on Windows 8 and Windows Server 2012.
EVENT_TRACE_PERSIST_ON_HYBRID_SHUTDOWN(0x00800000) This option continues logging on hybrid shutdown. If neither EVENT_TRACE_STOP_ON_HYBRID_SHUTDOWN or EVENT_TRACE_PERSIST_ON_HYBRID_SHUTDOWN is specified, ETW will chose a default based on whether the caller is coming from Session 0 or not.This option is supported on Windows 8 and Windows Server 2012.
EVENT_TRACE_USE_PAGED_MEMORY (0x01000000) Uses paged memory. This setting is recommended so that events do not use up the nonpaged memory.Nonpaged buffers use nonpaged memory for buffer space. Because nonpaged buffers are never paged out, a logging session performs well. Using pageable buffers is less resource-intensive.
Kernel-mode providers and system loggers cannot log events to sessions that specify this logging mode.
This mode is ignored if EVENT_TRACE_PRIVATE_LOGGER_MODE is set.
You cannot use this mode with the NT Kernel Logger.
Windows 2000: This value is not supported.
EVENT_TRACE_SYSTEM_LOGGER_MODE(0x02000000) This option will receive events from SystemTraceProvider. If the StartTraceProperties parameter LogFileMode includes this flag, the logger will be a system logger.This option is supported on Windows 8 and Windows Server 2012.
EVENT_TRACE_INDEPENDENT_SESSION_MODE(0x08000000) Indicates that a logging session should not be affected by EventWrite failures in other sessions. Without this flag, if an event cannot be published to one of the sessions that a provider is enabled to, the event will not get published to any of the sessions. When this flag is set, a failure to write an event to one session will not cause the EventWrite function to return an error code in other sessions.
Do not use with EVENT_TRACE_PRIVATE_LOGGER_MODE.
This option is supported on Windows 8.1, Windows Server 2012 R2, and later.
EVENT_TRACE_NO_PER_PROCESSOR_BUFFERING (0x10000000) Writes events that were logged on different processors to a common buffer. Using this mode can eliminate the issue of events appearing out of order when events are being published on different processors using system time. This mode can also eliminate the issue with circular logs appearing to drop events on multiple processor computers.
If you do not use this mode and you use system time, the events may appear out of order on multiple processor computers. This is because ETW buffers are associated with a processor instead of a thread. As a result, if a thread is switched from one CPU to another, the buffer associated with the latter CPU can be flushed to disk before the one associated with the former CPU.
If you expect a high volume of events (for example, more than 1,000 events per second), you should not use this mode.
Note that the processor number is not included with the event.
This option is supported on Windows 7, Windows Server 2008 R2, and later.
EVENT_TRACE_ADDTO_TRIAGE_DUMP(0x80000000) This option adds ETW buffers to triage dumps. This option is supported on Windows 8 and Windows Server 2012.