Reputation: 210455
How to get events in real-time using ETW (StartTrace etc.)?
In Event Tracing for Windows, StartTrace accepts an EVENT_TRACE_PROPERTIES structure that allows for a FlushTimer which specifies how frequently unfull buffers should be flushed.
The thing is, FlushTimer is a ULONG representing seconds, but I want it to be very small so that it's nearly instantaneous (on the order of milliseconds).
I don't know how Process Monitor manages to get ETW events in real-time, but it does, so surely there must be a way to do it.
So the question is: How can I receive real-time events, you know, in real time?
Upvotes: 0
Views: 1500
Answers (1)
Reputation: 3718
ETW does not support real time notifications. Even the so-called EVENT_TRACE_REAL_TIME_MODE isn't really real-time as the documentation clearly says.
The premise of your question is wrong: Sysinternals Process Monitor does not use ETW to get its synchronous kind-of real-time process, thread, module, file and Registry events. You've got two options:
- Use ETW - which is not what ProcMon does - and get events they way ETW provides them to you.
- Do what ProcMon does - which is not consume ETW events - and get events synchronously, like ProcMon gets them.
Upvotes: 4
Related Questions
- Sending ETW Events to Global "Application" Log
- ETW - Realtime consuming of event trace
- Using EventFlow to monitor ETW event on local machine
- ETW event tracing in WPF 4+
- Consuming "Event Tracing for Windows" events
- Real-time display of events from EventProviderTraceListener in traceview
- How do you view ETW events created by EventSource using Windows Performance Analyzer?
- Detect when ETW drops events
- How do I register as a real-time ETW consumer for NT Kernel Events?
- Getting WPF ETW events using XPerf.exe