(Reposting this, as my original post seems to have vanished.)
Awhile back, I wrote on producing ETW events from your own code.
A reader wrote to me with this nice comment, and a helpful tip (at the end):
Thanks for the two posts on ETW. I am now generating my own events and viewing them through tracerpt output. Huzzah! Yes, more tech detail would be nice but isn’t -necessary- as most of the time a little searching of msdn.microsoft.com will provide further enlightenment.
I would add that the msdn page “Event Tracing Samples” mentions the PSDK contains complete samples and provides a pointer to download them. By so doing I was able to figure out such arcana as the format of a .guid file (for tracerpt) and a more-readily-hacked .MOF file to define my trace block formats. MOF is new to me and way too rich to decipher; tweaking a sample file is definitely the way for a newbie to go.
And there is one important point that should be taught to all potential users who add their own extension to the EVENT_TRACE_HEADER structure: be sure to use #pragma pack(1) or so, so that the trace consumer doesn’t come upon filler material instead of content. I had some nested structs followed by a final string, and the string kept coming out with leading garbage until I realized the garbage was uninitialized filler right where the .MOF file said there should be a string. Sigh…
Anyow, thanks for being such a help!