(Switching away from WHS for the moment…)
In my current work life, I’ve been playing extensively with the Crimson APIs, which in Vista/Longhorn server attempt to unify the NT event log and ETW tracing.
From what I’ve heard, there was a major effort in recent years (i.e., Vista) to dramatically increase the amount of tracing in the OS infrastructure.
I’m not going to try to provide any sort of comprehensive overview here. Instead I’ll throw out a couple of experiments to try on your own. WARNING: All these assume you’re running Vista (and presumably also work on the Longhorn server beta).
If you only learn one thing from this post, it’s this: The Wevtutil program is your new best friend. It’s part of the OS, so no download needed.
- Want to see just how many instrumentation points there are in the OS? Run “wevtutil ep”, which emits a list of “providers”. On my system, well into the hundreds of providers show up.
- Want to see what sort of events a provider can emit? Run “wevtutil gp /ge:true /gm:true <providername>”, where <providername> is one of the providers from the previous “ep” output.
- Bonus fun: Run “Event Viewer” (Eventvwr.exe). Drill down into “Applications and Services Logs”. Keep drilling. In particular, “Microsoft”, then “Windows”. Does anything look familiar?
There’s easily a dozen long blog posts of material from all this goodness. This is in no way a comprehensive post. Instead, consider it a couple of X’s on a treasure map. The ambitious among you will find plenty of gold.