How to consume ETW events from C#

re: How to consume ETW events from C#

meghraj — Sun, 19 Aug 2012 10:19:41 GMT

Hi Daniel,

I want to get the 'UserData' section of Ax Dynamics event and do not know where I can get the event format for that section. Can you help with some c# code to get UserData?

re: How to consume ETW events from C#

Inopia — Mon, 30 Jul 2012 06:08:14 GMT

You use eventRecord.EventHeader.EventDescriptor.Opcode as a key to cache TraceEventInfoWrapper instances. This breaks for a lot of providers (i.e. microsoft-windows-wininet). I had to bypass this caching feature to make it work for me.

re: How to consume ETW events from C#

Eamonn J. Casey — Wed, 01 Feb 2012 21:03:19 GMT

Any chance you could post some code that finds the machine & user name? I think that it is in the UserContext IntPtr, but I can't find how large it is and how to parse it.

Thanks,

Eamonn J.

re: How to consume ETW events from C#

Witali — Tue, 13 Dec 2011 11:24:34 GMT

Hi Daniel,

many thanks for such a great work.

I am currently trying to use your library for consuming real-time events generated by the Microsoft-Windows-Offline provider.

While everything goes well with normal informational events (event id 2002 for instance), I cannot properly read warnings, that is event id 2006. Unfortunately, the UserData section somehow gets cropped and I only get to see a small portion of it, such as "ss denied" as opposed to "Access denied" error message along with additional fields <ResultCode>, <Operations> to name but a few.

Have you got any idea why this is happening?

Thank you very much in advance for your help.

Kind regards,

Witali

re: How to consume ETW events from C#

Mukesh Kumar — Tue, 26 Apr 2011 14:43:41 GMT

Hi Daniel,

I am getting the following error while starting the consumer.exe on Windows 7 machine:

E:\EventTraceWatcher\Consumer\bin\Debug>Consumer.exe

System.ComponentModel.Win32Exception: The filename, directory name, or volume la

bel syntax is incorrect

at Samples.Eventing.EventTraceWatcher.StartTracing() in E:\EventTraceWatcher\

Samples.Eventing\EventTraceWatcher.cs:line 252

at Samples.Eventing.EventTraceWatcher.SetEnabled(Boolean value) in E:\EventTr

aceWatcher\Samples.Eventing\EventTraceWatcher.cs:line 173

at Samples.Eventing.EventTraceWatcher.Start() in E:\EventTraceWatcher\Samples

.Eventing\EventTraceWatcher.cs:line 183

at Program.Run() in E:\EventTraceWatcher\Consumer\Program.cs:line 38

at Program.Main() in E:\EventTraceWatcher\Consumer\Program.cs:line 11

Can somebody let me know what am i missing here?

re: How to consume ETW events from C#

jamlou2 — Wed, 10 Feb 2010 01:27:35 GMT

really great tool, much appreciated.

i wanted to go further than that, what should be done so that this library would also consume WPP messages sent through DoTraceMessage()

considering the event session is already created, and there is an application running and sending WPP messages, what should be changed in the implementation so that it would successfully consume those messages?

Consume IIS ETW tracing

Eok's Blog — Fri, 15 May 2009 19:00:21 GMT

Event Tracing for Windows (ETW) is wonderful mechanism to monitor, log and trouble shoot of your application

re: How to consume ETW events from C#

aractnido — Sat, 14 Mar 2009 08:26:20 GMT

Thank you dixi for your comments, I haven't test it in Windows 7, but I will give it a try as soon as I can.

WalkerC, unfortunately this code won't work for XP, I'm using the field ProcessTraceMode and callback EventRecordCallback http://msdn.microsoft.com/en-us/library/aa363780(VS.85).aspx that are not available prior Windows Vista.

Thank you.

re: How to consume ETW events from C#

dixi — Fri, 06 Mar 2009 20:30:11 GMT

An extraordinary and very useful piece of work. Congrats Daniel. I noticed that some people are having troubles with the class in Win7. Actually, I have been troubles with ETW in Win7. It happens that the same .NET 3.5 code I developed works seamlessly in WS2008 but not in Win7. The Beta I gues? Anyway, still trying...

re: How to consume ETW events from C#

walkerc — Sun, 01 Mar 2009 04:00:22 GMT

OK, new years resolution, become more familar with code before commenting on it...

1) _logFile.EventRecordCallback = EventRecordCallback; is using a delegate.

2) int error = NativeMethods.ProcessTrace(array, 1, IntPtr.Zero, IntPtr.Zero); in ProcessTraceInBackground

blocks.

It does not matter if EventTraceWatcher.enabled (and in turn, StartTracing and NativeMethods.ProcessTrace is called from a separate external thread or as originally implemented.

3) ProcessTrace still fails in XP and reason is still a mystery to me.