ETW and logging recipes

See also: all the recipes and the intro

I have the other more detailed posts on the other aspects of the ETW logging, and here is a pile of assorted links and examples about it. Some very short introduction: The Windows logging has multiple layers. There are the pre-ETW Classic events (that can also be stored and interpreted by the ETW subsystem), the newer ETW events, and the even newer TraceLogging that does away with the manifests, instead embedding the manifest information into each event. The TraceLogging events are still ETW events and can be stored and interpreted by the ETW subsystem.

By the way, if you’re looking for a way to interpret the ETW events, look for the library called “TDH”.

Some of the tools mentioned here don’t come in-box but need to be downloaded from MSDN.

There also are a couple of tools not mentioned in the recipes but that I feel should be mentioned: the Message Analyzer (downloadable from MSDN) and Setup And Boot Event Collector (an optional feature in Windows Server).


# ETW references
# Exploring ETW
# Windows Events - general
# Writing an Instrumentation Manifest
# Accessing Remote Computers
# Consuming Events
# Processing Event Logs in PowerShell - old style!
# PowerShell events API, new style
# Re-logger
# an example on how to write providers
# Instrumentation manifest for event publishers
# Example of a manifest with many elements

# ETW security and its autologger registry settings

# Autologger
# GlobalLogger
# Example that creates a logger and collects data

# Rendering an ETW event as XML
# EvtRender()
# Event schema

# old-style event logging
# new-style event logging

# Writing an instrumentation manifest
# RegisterEventSource()
# An installation example
# Manifest files reference

# TraceLogging API reference
# TraceLogging C++ quick start

# ETW events control
logman query providers # get the list of providers
wpr.exe -providers # get the list of providers that works on Nano
logman query -ets # get the list of sessions?
logman start "MyBootEvent" -o "c:\tmp\MyBootEvent.etl" -p "Microsoft-Windows-BootEvent-Collector" -ets # start saving to a file
logman stop "MyBootEvent" -ets # stop the recording, flushes the file
# In the Event Viewer, see in "Applications and Services Log/Microsoft/Windows/BootEvent-Collector"
# logman can also be used to collect the performance stats
logman.exe create counter %ComputerName%_30s_interval -f bincirc -v mmddhhmm -max 350 -c "\Cache\*" "\IPv4\*" "\LogicalDisk(*)\*" "\Memory\*" "\Netlogon\*" "\Network Interface(*)\*" "\Paging File(*)\*" "\Per Processor Network Activity Cycles(*)\*" "\Per Processor Network Interface Card Activity(*)\*" "\Processor(*)\*" "\Processor Information(*)\*" "\PhysicalDisk(*)\*" "\Process(*)\*" "\Physical Network Interface Card Activity(*)\*" "\Redirector\*" "\SMB Client Shares\*" "\SMB Server Shares(*)\*" "\SMB Server Sessions\*" "\Server\*" "\Server Work Queues(*)\*" "\System\*" "\TCPv4\*" -si 00:00:30 -s vm154s013791 -u Administrator *
# another tool present on NanoServer
# Installing an ETW manifest (e.g. registering a provider)
wevtutil im lib\ # to use the default from the manifest
wevtutil im lib\ /rf:c:\Temp\bevtcol.exe /mf:c:\Temp\bevtcol.exe # to override the provider binary
# Uninstalling a manifest
wevtutil um lib\
# Exporting an installed manifest back to a file, the manifest is found by the events
tracerpt.exe -export -l trace.etl
# tracerpt can also be used to dump the events from an ETL file

# a rather useless event dump tool:

# Windows Event Collector

# tracelog manual
# Tracelog.exe examples
# Tracelog switches
# Tracelog main page and download with WDK
# How to create the TMF files for parsing the Classic traces from PDB with tracepdb.exe
# enabling the kernel trace events on the target
tracelog.exe -start -rt -kd -nonet -nodisk
tracelog.exe -addautologger -rt -kd -nonet -nodisk # to register as auto-logger
# The default logger is 'NT Kernel Logger'
# adding autologger:
tracelog.exe -addautologger -rt -kd -nonet -nodisk
# list the current sessions
tracelog.exe -l
# Remove a session
tracelog.exe -remove Kernel
# Default file location for tracelog
C:\windows\system32\Logfiles\WMI\NT Kernel Logger.etl

# Autologger logger session permissions
# see
Controlled by entries in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WMI\Security
Value names match the GUID of the session or provider

# printing WMI events in the windbg
!wmitrace.dynamicprint 1
# starting the trace
!wmitrace.start -kd ...
!wmitrace.kdtracing 1
# status
!wmitrace.strdump # list all loggers
!wmitrace.strdump 0x0 # status of logger 0x0

# Autologger is controlled by Registry, here is an example of NT Kernel Logger
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NT Kernel Logger" /f /v BufferSize /t REG_DWORD /d 0x40
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NT Kernel Logger" /f /v Guid /t REG_SZ /d "{9e814aad-3204-11d2-9a82-006008a86939}"
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NT Kernel Logger" /f /v Start /t REG_DWORD /d 1
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NT Kernel Logger" /f /v LogFileMode /t REG_DWORD /d 0x02880180
reg add "HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\NT Kernel Logger" /f /v EnableKernelFlags /t REG_BINARY /d 0100000000000000000000000000000000000000000000000000000000000000



Comments (0)

Skip to main content