Getting started with Event Tracing for Windows in C#
Introduction
Event Tracing for Windows (ETW) provides a mechanism to trace and log events that are raised by user-mode applications and kernel-mode drivers. ETW is implemented in the Windows operating system and provides developers a fast, reliable, and versatile set of event tracing features.
Event Tracing for Windows® (ETW) is a general-purpose, high-speed tracing facility provided by the operating system. Using a buffering and logging mechanism implemented in the kernel, ETW provides a tracing mechanism for events raised by both user-mode applications and kernel-mode device drivers. Additionally, ETW gives you the ability to enable and disable logging dynamically, making it easy to perform detailed tracing in production environments without requiring reboots or application restarts. The logging mechanism uses per-processor buffers that are written to disk by an asynchronous writer thread. This allows large-scale server applications to write events with minimum disturbance. ETW was first introduced on Windows 2000. Since then, various core OS and server components have
adopted ETW to instrument their activities, and it’s now one of the key instrumentation technologies on Windows platforms. A growing number of third-party applications are using ETW for instrumentation as well, and some take advantage of the events provided by Windows itself. ETW has also been abstracted into the Windows preprocessor (WPP) software tracing technology, which provides a set of easy-to-use macros for tracing “printf” style messages for debugging during development.
From “Improve Debugging And Performance Tuning With ETW” by Dr. Insung Park and Ricky Buch (Original: http://download.microsoft.com/download/3/A/7/3A7FA450-1F33-41F7-9E6D-3AA95B5A6AEA/MSDNMagazineApril2007en-us.chm)
What you’ll need
- Windows Vista or newer
- Visual Studio
Getting started
Load up Visual Studio and create a New Project (Ctrl+Shift+N). We’re going to choose a Console App (.NET Framework) for this.
Once the project is created, you should be looking at the Program.cs source code window that looks something like this (your theme/colors/fonts may be different than mine.)
Next, we will add the required NuGet package to this project by launching the NuGet Package Manager. You can get to it by clicking Tools | NuGet Package Manager | Manage NuGet Packages for Solution.
From there, you will want to click Browse and locate the Microsoft.Diagnostics.Tracing.TraceEvent library which can be found by typing “tracing.traceevent” in the Browse search bar.
Once you find it, click the package and add it to your solution.
Now it is time to start writing actual code. First we want to make sure we have the required libraries needed to instrument the C# code. Let’s add them as seen here. Notice, reading ETW events requires us to be Administrator, so we must add the check into our program as it will not work otherwise. Once you add this code, you will need to exit Visual Studio and then relaunch it by right clicking and choosing “Run as Administrator”.
Now let’s configure our subscription to the Kernel events and setup dummy handlers that we will be populating next.
Now let’s add some basic processing code into the dllLoaded function. Afterwards, let’s hit CTRL+F5 to compile and run our application. Once it is running, we’re going to run any new application and observe the ETW events.
You can explore the other kinds of Keywords that refer to Kernel events you can subscribe to.
As an exercise for the reader, I intentionally left the code for the processStarted and processStopped handler functions blank in order for you to play with those on your own.
Good job reader! If you’ve made it this far, you’re well on your way to having some really cool ideas come to life with ETW in C#!
Useful links and extra reading material
- ETW C# Code Samples: https://github.com/Microsoft/perfview/blob/master/src/TraceEvent/Samples
- ETW Introduction and Overview: https://blogs.msdn.microsoft.com/ntdebugging/2009/08/27/part-1-etw-introduction-and-overview/
- Windows high speed logging: ETW in C#/.NET using System.Diagnostics.Tracing.EventSource: https://blogs.msdn.microsoft.com/vancem/2012/08/13/windows-high-speed-logging-etw-in-c-net-using-system-diagnostics-tracing-eventsource/
- Vance Morrison’s ETW blog posts: https://blogs.msdn.microsoft.com/vancem/tag/etw/