Defines the information that identifies the provider and how it was enabled, the event, the channel to which the event was written, and system information such as the process and thread IDs.
Identifies the provider that logged the event. The Name and Guid attributes are included if the provider used an instrumentation manifest to define its events; otherwise, the EventSourceName attribute is included if a legacy event provider (using the Event Logging API) logged the event.
The globally unique identifier that uniquely identifies the provider.
KernelTime (unsignedInt): Elapsed execution time for kernel-mode instructions, in CPU time units. If you are using an ETW private session, use the value in the ProcessorTime member instead. Only available for events logged to an event tracing log file (.etl file).
Name (anyURI): The name of the provider.
ProcessID (unsignedInt): Identifies the process that generated the event.
ProcessorID (unsignedByte): The identification number for the processor that processed the event. Only available for events logged to an event tracing log file (.etl file).
ProcessorTime (unsignedInt): For ETW private sessions, the elapsed execution time for user-mode instructions, in CPU ticks. Only available for events logged to an event tracing log file (.etl file).
Qualifiers (unsignedShort): A legacy provider uses a 32-bit number to identify its events. If the event is logged by a legacy provider, the value of the EventID element contains the low-order 16 bits of the event identifier and the Qualifiers attribute contains the high-order 16 bits of the event identifier.
RawTime (unsignedLong): The raw time stamp value; the format of the time stamp depends on the time source used to collect the trace. The raw time stamp offers higher precision than system time. The rendered event output will only contain raw time if you use TraceRpt.exe with the -rts switch.
A globally unique identifier that identifies the activity to which control was transferred. The related events would then have this identifier as their ActivityID identifier.
SessionID (unsignedInt): The identification number for the terminal server session in which the event occurred. Only available for events logged to an event tracing log file (.etl file).
SystemTime (dateTime): The system time at which the event was logged.
ThreadID (unsignedInt): Identifies the thread that generated the event.
UserID (string): The security identifier (SID) of the user in string form.
UserTime (unsignedInt): Elapsed execution time for user-mode instructions, in CPU time units. If you are using an ETW private session, use the value in the ProcessorTime member instead. Only available for events logged to an event tracing log file (.etl file).
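As an added example (not part of the original reference), the following Python code reads these attributes from rendered event XML and rebuilds the 32-bit legacy event identifier from Qualifiers and EventID. The element names (System, Provider, EventID, TimeCreated, Execution, Security) and the namespace come from the Windows event schema rather than from this page; both sample events and the names `parse_system` and `attr` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events (not taken from a real log).
MANIFEST_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Example-Manifest-Provider" Guid="{00000000-1111-2222-3333-444444444444}"/>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2024-01-01T12:00:00.000000000Z"/>
    <Execution ProcessID="612" ThreadID="4312"/>
    <Security UserID="S-1-5-18"/>
  </System>
</Event>"""

LEGACY_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider EventSourceName="Example Legacy Source"/>
    <EventID Qualifiers="16384">7036</EventID>
    <TimeCreated SystemTime="2024-01-01T12:00:05.000000000Z"/>
    <Execution ProcessID="580" ThreadID="1024"/>
  </System>
</Event>"""


def attr(system, tag, name):
    """Return attribute `name` of child element `tag`, or None if absent."""
    element = system.find(f"e:{tag}", NS)
    return element.get(name) if element is not None else None


def parse_system(xml_text):
    """Extract the System properties of one rendered event into a dict."""
    system = ET.fromstring(xml_text).find("e:System", NS)
    event_id = system.find("e:EventID", NS)
    low = int(event_id.text)
    qualifiers = event_id.get("Qualifiers")
    # Legacy providers: Qualifiers holds the high-order 16 bits and
    # EventID the low-order 16 bits of the 32-bit event identifier.
    full_id = (int(qualifiers) << 16) | low if qualifiers is not None else low
    guid = attr(system, "Provider", "Guid")
    return {
        "provider": attr(system, "Provider", "Name")
        or attr(system, "Provider", "EventSourceName"),
        "guid": guid,
        "legacy": guid is None,  # no Guid means no instrumentation manifest
        "event_id": low,
        "event_id_full": full_id,
        "system_time": attr(system, "TimeCreated", "SystemTime"),
        "process_id": attr(system, "Execution", "ProcessID"),
        "thread_id": attr(system, "Execution", "ThreadID"),
        "user_sid": attr(system, "Security", "UserID"),  # None when absent
    }
```

Keying detections on `event_id` alone treats a legacy event and a manifest-based event with the same low 16 bits as identical; comparing `provider` and `event_id_full` as well keeps them apart.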
Remarks
By default, the event contains the fully qualified domain name (FQDN) of a computer. To use the NETBIOS name rather than the FQDN, you must create a DWORD registry value named CompatFlags under the following registry key, and set the value of CompatFlags to 0x2.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT