For several years now, I have had code called the 'TraceEvent library' that allows you to access ETW files (ETL files) from C#.  

However for over a year now, I have not updated the public version of that library.   Well, that time has ended.

I updated the TraceEvent library as well as the PerfMonitor sample at http://bcl.codeplex.com to sync up with the latest internal versions.   The TraceEvent library is version 1.2.7 (corresponding to the version of PerfView that uses it), and the version of PerfMonitor is Version 2.0. 

For those of you who don't know, the TraceEvent library is the power behind the PerfView tool, and that makes it pretty powerful.   With it you can

  1. Use the TraceEventSession class to turn on ETW providers, including the Windows Kernel provider (CPU sampling) and the .NET Runtime providers.  You can turn on capturing stack traces for most events. 
  2. You can tell the session to either log the data to an (ETL) file or send it to an in-memory buffer for 'real time' consumption of the events.  
  3. Use the TraceEventSource class to read the resulting data (either ETL files or the in-memory buffer), and parse resulting payloads
  4. The library has built in support for the Kernel and .NET Runtime providers. 
  5. It also has built-in support for System.Diagnostics.Tracing.EventSource using the 'DynamicTraceEventParser' class.  Thus you can always properly parse EventSource data. 
  6. As well as support for the RegisteredTraceEventParser, which knows how to decode any 'Manifest Based' provider (basically any OS supplied provider).  
  7. The 'TraceLog' class creates a high level abstraction, which knows about Processes, Threads, Modules, and how to Decode Stacks.  It has routines (the DiaLib) that know how to look up addresses in PDBs to get symbolic names as well as get symbolic names for Just in Time (JIT) compiled code.   The result is that you can get at symbolic names for stacks (this is how PerfView works). 
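
As an added illustration of items 1 to 3 (not code from this post or from the PerfMonitor sample), the program below logs process starts and image loads, either live from a real-time kernel session or replayed from an ETL file given as its argument. It assumes the later Microsoft.Diagnostics.Tracing.TraceEvent NuGet package, whose namespaces and member names may differ from version 1.2.7; `ProcessWatch` and `Attach` are names made up for the example.

```csharp
// Added example; assumes the Microsoft.Diagnostics.Tracing.TraceEvent NuGet package.
using System;
using Microsoft.Diagnostics.Tracing;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Parsers.Kernel;
using Microsoft.Diagnostics.Tracing.Session;

static class ProcessWatch   // hypothetical name
{
    // Subscribe to parsed kernel events; the same handlers serve file and live sources.
    static void Attach(TraceEventDispatcher source)
    {
        source.Kernel.ProcessStart += (ProcessTraceData e) =>
            Console.WriteLine("{0:o} START pid={1} ppid={2} image={3} cmd={4}",
                e.TimeStamp, e.ProcessID, e.ParentID, e.ImageFileName, e.CommandLine);
        source.Kernel.ImageLoad += (ImageLoadTraceData e) =>
            Console.WriteLine("{0:o} LOAD  pid={1} file={2}",
                e.TimeStamp, e.ProcessID, e.FileName);
    }

    static int Main(string[] args)
    {
        if (args.Length == 1)
        {
            // Offline: replay an existing ETL file through the same handlers.
            using (var source = new ETWTraceEventSource(args[0]))
            {
                Attach(source);
                source.Process();
            }
            return 0;
        }
        if (TraceEventSession.IsElevated() != true)
        {
            Console.Error.WriteLine("Real-time kernel sessions need an elevated prompt.");
            return 1;
        }
        // Live: no file name, so events go to an in-memory buffer read via session.Source.
        using (var session = new TraceEventSession(KernelTraceEventParser.KernelSessionName))
        {
            Console.CancelKeyPress += (s, e) => session.Dispose();   // Ctrl+C ends the session
            session.EnableKernelProvider(
                KernelTraceEventParser.Keywords.Process | KernelTraceEventParser.Keywords.ImageLoad);
            Attach(session.Source);
            session.Source.Process();   // blocks until the session is stopped
        }
        return 0;
    }
}
```
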

In short, most of what you see PerfView do with an ETL file, you can do yourself.   Now if you just need a 'tweak' of what PerfView does, I recommend using PerfView's extensibility model to do the job (see the Help -> Extending PerfView menu entry in PerfView).  However if you want something 'stand alone', TraceEvent is a good choice.

If you have used TraceEvent in the past, there are some small breaking changes, but the port should be easy (I updated PerfMonitor in a couple hours).   There have been numerous fixes, as well as the addition of the RegisteredTraceEventParser and much better support for symbolic resolution (the DiaLib stuff is new).   It is worth upgrading to. 

The PerfMonitor utility can be thought of as a 'command line' version of PerfView.   However I don't recommend using it as an actual tool; in almost all cases, PerfView is a better tool than PerfMonitor.   PerfMonitor is more of a sample of how to use TraceEvent in non-trivial ways (it is easier to understand without all the GUI goo cluttering up the logic).  

I will probably post more detailed 'how to's of using ETW with TraceEvent in future blog posts.

Vance