user541686
Reputation: 210402
Why isn't my Event Trace for Windows working?
I'm trying to figure out how to use Event Tracing for Windows... but I'm failing.
Why does this code give me the error code ERROR_WMI_INSTANCE_NOT_FOUND?
#include <stdio.h>
#include <tchar.h>
#include <Windows.h>
#include <Wmistr.h>
#include <Evntrace.h>
#include <evntcons.h>
ULONG NTAPI EtpEtwBufferCallback(IN PEVENT_TRACE_LOGFILE Buffer) { return TRUE; }
VOID NTAPI EtpEtwEventCallback(IN PEVENT_TRACE EventTrace) { }
int _tmain()
{
LPCTSTR loggerName = KERNEL_LOGGER_NAME;
EVENT_TRACE_LOGFILE logFile = {0};
logFile.LoggerName = const_cast<LPTSTR>(loggerName);
logFile.ProcessTraceMode = PROCESS_TRACE_MODE_REAL_TIME;
logFile.BufferCallback = EtpEtwBufferCallback;
logFile.EventCallback = EtpEtwEventCallback;
TRACEHANDLE hTrace = OpenTrace(&logFile);
ULONG result = ProcessTrace(&hTrace, 1, NULL, NULL);
// result is ERROR_WMI_INSTANCE_NOT_FOUND
_tprintf(_T("%u\n"), result);
}
Upvotes: 0
Views: 1904
Answers (1)
arx
Reputation: 16896
From the ProcessTrace docs, ERROR_WMI_INSTANCE_NOT_FOUND means "the session from which you are trying to consume events in real time is not running or does not have the real-time trace mode enabled".
You can start the NT Kernel Logger using tracelog from the Windows Driver Kit, though I don't have the WDK to hand so I haven't tried it.
This article explains how to start the NT Kernel Logger yourself.
Upvotes: 1
Related Questions
- Event Tracing for Windows: OpenTrace/ProcessTrace not returning any events - callback not being called
- Sending ETW Events to Global "Application" Log
- Microsoft TraceEvent - How to log to the Event Viewer
- ETW not logging events to channel (event log)
- CreateEventW unexpectedly fails
- Consuming "Event Tracing for Windows" events
- ETW/Eventsource tracing to file (dump)
- ETW EventSource not logging events on Windows Server
- How to debug if windows event object is set or not?
- System.Diagnostic.Tracing.EventSource - no events in EventListener