How to register as a real-time ETW consumer for NT kernel events?

Question

How to register as a real-time ETW consumer for NT kernel events?

I was able to successfully use logman to unload some kernel traces. However, I would like to be able to programmatically enable the use of kernel events (mainly creating / deleting threads / processes and file I / O) in my application. What is the best approach to this task?

+3

debugging windows events wmi

wkf May 07, '09 at 4:02

source share

2 answers

Note that StartTrace can fail using ERROR_ALREADY_EXISTS, after which if you need to change session properties, you will want to use ControlTrace. Also note that you need to run your program "as an administrator" if you have UAC enabled; and that if you are debugging, you will also need to start Visual Studio "as an administrator." Your program should also have its own manifest (if you have one) set as "Administrator" for privileges.

If you're browsing the MSDN for OpenTrace, ProcessTrace, and StartTrace, you'll find links to various examples that will give you what you want.

+1

brian Jun 24 '10 at 8:07

source share

Michael · Accepted Answer · 2009-12-03T23:06:20+0000

You include kernel events in StartTrace . In EVENT_TRACE_PROPERTIES you go to StartTrace, EnableFlags contains different flags for different kernel event providers. Set LogFileMode in EVENT_TRACE_PROPERTIES to EVENT_TRACE_REAL_TIME_MODE to be a real-time consumer. Then you can use ProcessTrace events.

How to register as a real-time ETW consumer for NT kernel events?

More articles: