Event tracing for Windows

Event Tracing for Windows ( ETW ), sometimes briefly Event Tracing (about: event tracking ) means is a software platform under Microsoft Windows to a detailed trace of computer programs to allow. ETW runs in the Windows kernel and is optimized for high performance. ETW is also the successor technology to the previously used performance counters .

ETW offers the possibility to start and stop the recording of events while the program is running. In addition, the events recorded can be filtered to reduce the amount of data to be recorded.

ETW events can be provided by application developers or consumed in their own trace applications. The trace events can be used to debug an application and to perform capacity and performance analyzes.

ETW roles

A basic distinction is made between providers , consumers and controllers in ETW :

Provider: An application that provides ETW events. Providers are registered centrally using wevtutil and can be logman -query providerslisted using. Under PowerShell can be Get-ETWTraceProviderused instead .

Consumer: Records ETW events from ETW sessions. The events can be read directly from the buffer of an ETW session or from a file and are delivered in chronological order.; Windows includes some programs that specialize in recording and displaying certain ETW events. This includes the Windows Performance Monitor , the Task Manager , the Event Viewer , as well as the application and system diagnostics.

Controller: Assigns appropriate consumers to the providers, activates and deactivates event recording and determines which events are recorded. The controller also determines the size of the buffer for the recording and optionally the storage location of the tracelog file. For the benefit of the performance and stability of the operating system, individual ETW events can be lost, for example if the buffer is overfilled. The controller also receives statistics for event recording from ETW.

Event tracing sessions

ETW supports up to 32 simultaneous recordings of ETW events under Windows 2000 and up to 64 with newer Windows systems, the so-called event tracing sessions .

Two sessions are reserved for the system:

Global logger session: Provides logging at the start of the operating system and is used to record device driver events .
NT Kernel Logger Session: Provides recording of operating system kernel events. This includes the status of the CPU, the status of the main memory and information on I / O events.

Applications

Performance Explorer. In: Developer Network. Microsoft, accessed on May 2, 2017 (English, Profiler of .NET applications in Visual Studio , with which ETW events can be recorded and analyzed).
dotTrace .NET Performance Profiler. Jetbrains, accessed on May 2, 2017 (English, Profiler of .NET applications, with which ETW events can be recorded and analyzed).
PerfView. In: GitHub. Microsoft, accessed May 2, 2017 .
Windows Performance Toolkit. In: Hardware Dev Center. Microsoft, accessed on May 2, 2017 (contains the Windows Performance Recorder (WPR) and the Windows Performance Analyzer (WPA) , which evaluate ETW events).

Libraries

Microsoft EventSource Library. In: NuGet Gallery. Microsoft, accessed on May 2, 2017 (Allows ETW providers to implement).
Jon Wagner: EventSourceProxy (ESP). Retrieved May 2, 2017 (Simplifies the implementation of ETW providers).
Microsoft TraceEvent Library. In: NuGet Gallery. Microsoft, accessed May 2, 2017 (Enables ETW consumers to implement).
Microsoft EventRegister Tool. In: NuGet Gallery. Microsoft, accessed on May 2, 2017 (ETW provider registration application).

literature

Ben Watson: Writing High-Performance .NET Code . 2014, ISBN 978-0-9905834-3-1 (280 pages).

swell

↑ ^a ^b ^c ^d About Event Tracing. In: Windows Dev Center. Microsoft, accessed May 2, 2017 .
↑ technet.microsoft.com

[aboutETW-1] About Event Tracing. In: Windows Dev Center. Microsoft, accessed May 2, 2017 .

[2] technet.microsoft.com