Reputation: 180
Logging to Event Viewer on Windows RT 8.1
I am working on an LOB (side-loading) app and I need to log events, crashes to ETW (Event Viewer logs). I see that most suggest writing own file IO wrapper.
With Windows 8.1, we have new logging capabilities in "Windows.Foundation.Diagnostics" which has classes for "LoggingChannel" and "LoggingSession". But the code sample for them still write to the isolated local storage as files:
http://code.msdn.microsoft.com/windowsapps/LoggingSession-Sample-ccd52336
Also, earlier than 8.1, we have "EventSource" and "EventListener" and as per a sample project (http://code.msdn.microsoft.com/windowsapps/Logging-Sample-for-Windows-0b9dffd7/sourcecode?fileId=67472&pathId=1214683397), it also writes to the sample isolated storage as files.
So, my questions are:
Can we utilize new "Windows.Foundation.Diagnostics" classes to write to ETW?
Are ("LoggingChannel" and "LoggingSession") equivalent to ("EventSource" and "EventListener") ultimately?
Will I still have to write C++ component for writing to ETW?
Forum of Microsoft just gave this answer: It is not designed with such thing in mind.
I also tried using PInvoke for consuming EventRegister, EventWrite C++ functions. The code runs but I have no idea where find the log. The EventRegister only takes GUID as input and I don't know if it can be mapped to EventViewer application.
Upvotes: 2
Views: 792
Answers (1)
Reputation: 141
Short answer to the questions:
- Windows.Foundation.Diagnostics.LoggingChannel writes events to ETW. However, it does not give you complete control over the event in the way that EventRegister/EventWrite do.
- LoggingChannel is somewhat equivalent to .NET's EventSource. However, LoggingChannel always writes events to ETW, while EventSource can write to ETW but also has capabilities to bypass ETW. LoggingSession is similar in concept to EventListener, except that LoggingSession always receives events from ETW, while EventListener only works with EventSource (bypassing ETW). Note that you can use both LoggingChannel and EventSource in Windows Store apps.
- You will have to write C++ code to use ETW if you need more capabilities than LoggingChannel or EventSource provides.
A few other comments based on things you mentioned:
- Event Viewer shows data from the Event Log. The Event Log is not the same as ETW. Event Viewer records data from various sources, and ETW is one of the sources that Event Viewer supports. However, Event Viewer does not record all ETW events -- there are billions of ETW events every hour, and it would fill your hard disk if all of them were recorded. To send an ETW event to Event Viewer, you first have to make your event follow certain rules, and then you have to update the Event Viewer settings to watch for your specific event.
- Event Log is designed to record events that are of interest to system administrators and system analysis tools. Because of this design, Microsoft requires administrator privileges to change the Event Log configuration. In order to have your events show up in Event Log, you need to have administrator privileges to change Event Log settings to make Event Log listen to your app's ETW events.
- LoggingChannel does not support the necessary settings to make your ETW event look the way Event Log expects, so LoggingChannel cannot be used to write to the Event Log.
- If you use EventRegister and EventWrite, you can write events in the format that Event Log expects, but you would still need to have administrator privileges to change Event Log settings to accept your events.
Note that EventRegister and EventWrite (and LoggingChannel) are for sending data to ETW. You can send anything you want to ETW, but by default ETW will just ignore it and throw it all away. ETW is the system for routing events from the provider to anybody who is interested in the event. If nobody is interested in the event, it gets thrown away by default.
LoggingChannel writes events out to ETW, but ETW will just drop them unless there is a session to record them. From within your app, you can record the events using LoggingSession. From outside your app, you can record the events using a tool such as xperf or tracelog.
You can use Windows.Foundation.Diagnostics.LoggingChannel from Windows 8.1 to write ETW events with some limitations. In particular: all events from all apps will always use the same provider GUID (4bd2826e-54a1-4ba9-bf63-92b73ea1ac4a), there is no way to access the keyword, channel, task, or opcode features of ETW, and you can only write very simple events. The Windows 8.1 LoggingChannel API is mainly focused on providing a simple string-based logging facility.
Windows 10 adds a bunch of new features, removing many of the limitations. You can use a different provider GUID (so it is easier to record just the events from your app), you can set keywords, tasks, and opcodes, and you can write strongly-typed events (i.e. events with strongly-typed field values instead of just a flat string). The Windows 10 LoggingChannel API allows you to use LoggingChannel for fairly advanced ETW scenarios, though it still works for simple logging.
Upvotes: 1
Related Questions
- How do I get MetroLog to start logging in a Windows 8.1 Store App?
- Windows store app user control event handling
- How do I log events in Windows IoT?
- Event logger in Windows 10 Universal Apps
- Logging framework for Windows Store Apps
- How to get windows store app crash logs
- Event Logging in Windows 8.1 application
- How to debug windows store app OnActivated event
- semantic logging work in Windows 8/8.1
- Launching the Windows Store listing from Win RT / Windows 8 app