Formatting the StackTracingEventIds Parameter

The StackTracingEventIds parameter of the StartKernelTrace function is an array of STACK_TRACING_EVENT_ID entries, where each entry specifies a type of event on which to enable stack walking. Each STACK_TRACING_EVENT_ID entry in StackTracingEventIds must be formatted in the following way:

  • The EventGuid member is set to the GUID for a specific kernel event that has been enabled to generate call stacks.

    For more information on GUID values for the EventGuid member, see NT Kernel Logger Constants. Additionally, EventGuid GUID values are listed in evntrace.h.

  • The Type member is set to the event type for a specific kernel event configured to generate call stacks.

For example, to collect a stack on every new process event, follow these steps:

  1. Set EventGuid to the GUID for the Process_V2 class, {3d6fa8d0-fe05-11d0-9dda-00c04fd7ba7c}.

  2. Set Type to EVENT_TRACE_TYPE_START (1).

Note

If StackTracingEventIds contains STACK_TRACING_EVENT_ID entries that are not enabled in the EVENT_TRACE_PROPERTIES.EnableFlags member or could not be decoded by Kernel Trace Control, those flags are ignored and no error code is returned. For more information, see EVENT_TRACE_PROPERTIES Structure.
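
Because a mismatch produces no error code, it is worth checking the array against EnableFlags before starting the trace. The following is an added example, not code from this documentation: `Guid` and `StackEventId` are portable stand-ins for the Windows types, `required_flag` and `count_ignored` are hypothetical helpers, and the GUID-to-flag table is a partial one built from constants in evntrace.h. It covers only the EnableFlags condition of the note, not entries that fail to decode.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Stand-ins for GUID and STACK_TRACING_EVENT_ID with only the two members
   described above; on Windows, use the real SDK/WPT definitions instead. */
typedef struct { uint32_t d1; uint16_t d2, d3; uint8_t d4[8]; } Guid;
typedef struct { Guid EventGuid; uint8_t Type; } StackEventId;
#define PROCESS_GUID {0x3d6fa8d0,0xfe05,0x11d0,{0x9d,0xda,0x00,0xc0,0x4f,0xd7,0xba,0x7c}}
#define IMAGE_GUID   {0x2cb15d1d,0x5fc1,0x11d2,{0xab,0xe1,0x00,0xa0,0xc9,0x11,0xf5,0x18}}
/* Constant values as defined in evntrace.h. */
#define EVENT_TRACE_FLAG_PROCESS    0x00000001u
#define EVENT_TRACE_FLAG_IMAGE_LOAD 0x00000004u
#define EVENT_TRACE_TYPE_START      1
#define EVENT_TRACE_TYPE_LOAD       10

/* Partial GUID-to-EnableFlags table; extend it for other event classes. */
static const struct { Guid guid; uint32_t flag; } kFlagForGuid[] = {
    { PROCESS_GUID, EVENT_TRACE_FLAG_PROCESS },
    { IMAGE_GUID,   EVENT_TRACE_FLAG_IMAGE_LOAD },
};
/* Constructed sample: stacks on process start and on image load. */
static const StackEventId kSample[] = {
    { PROCESS_GUID, EVENT_TRACE_TYPE_START },
    { IMAGE_GUID,   EVENT_TRACE_TYPE_LOAD },
};

/* Returns the EnableFlags bit an entry depends on, or 0 if not in the table. */
uint32_t required_flag(const Guid *g) {
    for (size_t i = 0; i < sizeof kFlagForGuid / sizeof kFlagForGuid[0]; i++)
        if (memcmp(g, &kFlagForGuid[i].guid, sizeof *g) == 0)
            return kFlagForGuid[i].flag;
    return 0;
}

/* Counts entries whose flag is not enabled or whose GUID is not in the table. */
size_t count_ignored(const StackEventId *ids, size_t n, uint32_t enable_flags) {
    size_t dropped = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t need = required_flag(&ids[i].EventGuid);
        if (need == 0 || (enable_flags & need) == 0) {
            fprintf(stderr, "entry %zu (type %u) would be ignored\n",
                    i, (unsigned)ids[i].Type);
            dropped++;
        }
    }
    return dropped;
}

int main(void) { return count_ignored(kSample, 2, EVENT_TRACE_FLAG_PROCESS) != 1; }
```

With only EVENT_TRACE_FLAG_PROCESS enabled, the image-load entry in the sample is reported; a nonzero count before calling StartKernelTrace means some requested stacks will never appear in the trace.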