Nick Hutchinson

Reputation: 5189

Is it possible to consume ETW events from an ETL file that's being written to?

If an ETL file is being written to by an active ETW session, is it safe to simultaneously consume events from it via OpenTrace/ProcessTrace?

In the absence of documentation I could find, I had assumed that ETL files were not updated atomically, and that it was first necessary to stop a session before calling OpenTrace to read events from it.

However, OpenTrace does appear to succeed even if the session is still active -- I see from Process Monitor's handle view that the ETL files in use by active ETW sessions are opened with a sharing mode of READ|DELETE. Can we infer from this that OpenTrace/ProcessTrace will always return sensible results even for an ETL file used by an active ETW session? Does Windows use locking or some other mechanism to ensure consumers always get a consistent view of the file?

Upvotes: 0

Views: 448

Answers (1)

Ian Boyd

Reputation: 257001

You can't read events live from a .etl file.

But you can read live events from a named session, if you specify that you are in fact doing REALTIME reading.

#include <windows.h>
#include <evntrace.h>

//Called once per event delivered by the session; inspect ev->Header and ev->MofData here
void WINAPI RealtimeEventCallback(PEVENT_TRACE ev)
{
    UNREFERENCED_PARAMETER(ev);
}

void ReadKernelLoggerRealtime(void)
{
    //Initialize an EVENT_TRACE_LOGFILE to indicate the name of the session we want to read from
    EVENT_TRACE_LOGFILE trace;
    ZeroMemory(&trace, sizeof(trace));
    trace.ProcessTraceMode = PROCESS_TRACE_MODE_REAL_TIME; //we're reading a realtime session, not a file
    trace.LoggerName = KERNEL_LOGGER_NAME; //i.e. "NT Kernel Logger"; the session must already be running
    trace.EventCallback = RealtimeEventCallback;

    //Open the tracing session (OpenTrace takes a pointer to the structure)
    TRACEHANDLE th = OpenTrace(&trace);
    if (th == INVALID_PROCESSTRACE_HANDLE)
        ThrowLastWin32Error(); //your own error-reporting helper, not a Win32 API

    //Begin processing events; blocks until the session is stopped or CloseTrace is called from another thread
    DWORD res = ProcessTrace(&th, 1, NULL, NULL);
    if (res != ERROR_SUCCESS)
    {
        SetLastError(res); //ProcessTrace returns the error code directly rather than setting last-error
        ThrowLastWin32Error();
    }

    CloseTrace(th);
}

There are a couple of these constant named loggers - defined in EvntProv.h:

KERNEL_LOGGER_NAME = "NT Kernel Logger";
GLOBAL_LOGGER_NAME = "GlobalLogger";
EVENT_LOGGER_NAME  = "EventLog";
DIAG_LOGGER_NAME   = "DiagLog";

The other way you can start a "named" logging session is with:

xperf -start fooLoggerName -on 55F22359-9BEC-45EC-A742-311A71EEC91D

This starts a session named "fooLoggerName" for provider guid 55F22359-9BEC-45EC-A742-311A71EEC91D.

Upvotes: 0
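As an added example (not code from the original question or answer): the same named session started with logman, which ships with Windows, beside a file-mode session handled the way the question's original assumption requires (stop the session, then read the file). The session name, the output path and the Invoke-Logman helper are placeholders chosen here; the provider GUID is the one used in the answer; an elevated PowerShell prompt is assumed.

```powershell
# Added example, not code from the original answer. Assumptions: elevated prompt,
# placeholder session name and output path, provider GUID taken from the answer above.
$SessionName  = 'fooLoggerName'
$ProviderGuid = '{55F22359-9BEC-45EC-A742-311A71EEC91D}'

function Invoke-Logman {
    # logman is a native exe; surface a non-zero exit code as a PowerShell error
    # instead of silently continuing with no session running.
    param([Parameter(ValueFromRemainingArguments)] [string[]] $LogmanArgs)
    $out = & logman.exe @LogmanArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "logman $($LogmanArgs -join ' ') failed ($LASTEXITCODE): $out"
    }
    $out
}

# 1. Real-time mode, the logman equivalent of the xperf line in the answer.
#    -rt gives the session no ETL file; -ets acts on the live session immediately.
#    The only way to get its events is a consumer that calls OpenTrace() with
#    LoggerName = $SessionName and ProcessTraceMode = PROCESS_TRACE_MODE_REAL_TIME.
function Start-RealtimeEtwSession {
    Invoke-Logman start $SessionName -p $ProviderGuid -rt -ets | Out-Null
    Invoke-Logman query $SessionName -ets      # prints the live session's settings
}

# Stopping the session is what ends a real-time consumer's ProcessTrace() loop.
function Stop-EtwSession {
    Invoke-Logman stop $SessionName -ets | Out-Null
}

# 2. File mode: the session writes an ETL file. Stop the session first, which closes
#    the file and flushes its buffers, and only then read it; do not point a consumer
#    at the file while the session is still writing to it.
function Save-EtwTraceToFile {
    param(
        [string] $EtlPath = (Join-Path $env:TEMP "$SessionName.etl"),
        [int]    $Seconds = 10
    )
    Invoke-Logman start $SessionName -p $ProviderGuid -o $EtlPath -ets | Out-Null
    try {
        Start-Sleep -Seconds $Seconds          # let the provider emit some events
    }
    finally {
        Stop-EtwSession
    }
    # Read the completed file; -Oldest is required by Get-WinEvent for .etl input.
    Get-WinEvent -Path $EtlPath -Oldest |
        Select-Object TimeCreated, ProviderName, Id, Message
}
```

Run Start-RealtimeEtwSession, attach the C consumer from the answer (with LoggerName set to fooLoggerName instead of KERNEL_LOGGER_NAME), and call Stop-EtwSession when done; Save-EtwTraceToFile shows the file-mode alternative where the file is read only after the session has been stopped.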
