How to consume ETW events from C#

re: How to consume ETW events from C#

logus2k — Sun, 08 Feb 2009 22:47:22 GMT

Daniel,

Thank you for this article.

I'm trying to use EventProviderTraceListener to publish to ETW infrastructure and then read those events from managed code. I still couldn't run your code to test if could use it to a general purpose publisher (instead of only IIS), it always gives me an "access denied" message when I try to run it.

I'm also having some difficulty understanding what can/should I do programmatically to receive the events from an ETW session )and how can I create one from code).

I understand there is no current official support to reading ETW events from managed code...? Is there something else I can use?

Thanks in advance for your help,

António Cruz

re: How to consume ETW events from C#

Daniel Vasquez Lopez — Sat, 14 Feb 2009 23:28:07 GMT

I updated the post to add another example that includes support for custom events.

This is only for Vista/Windows 2008. Make sure to the consumer application with Administrative privileges.

1. Compile everything.

2. Run Producer.exe (it uses EventProviderTraceListener)

3. From command line (as Admin), run 'logman start MySession -p {13D5F7EF-9404-47ea-AF13-85484F09F2A7} -ets'

4. Open 'Reliability and Performance Monitor' and change the stream mode, in MySession's properties, from File to Real Time.

5. Run Consume.exe

6. Type something in the Producer.exe and press <Enter>

Expected: Consume[r].exe should echo what you typed in Producer.exe

When you are done, run 'logman stop MySession -ets' to stop the custom ETW session.

The events produced by EventProviderTraceListener doesn't have any schema, so what I did was to take the UserData 'as is' and convert it to string (be aware that this is just a guess, the data could not be a string).

Hope this helps

re: How to consume ETW events from C#

Adam Machanic — Tue, 17 Feb 2009 05:08:02 GMT

Thanks so much for sharing this library!

I'm using it to consume ETW output from SQL Server 2008 Extended Events, and have hit a couple of issues:

A) The event names do not appear to be populating. If I dump the ETL file they are there, so I assume it would be in the real time output as well?

B) Any chance it can be extended to be a bit more flexible with regard to non-top level properties? For example the trace I'm working with right now sends back 11 top level properties and two non-top level properties (I'm not sure of the right term for "non-top level") -- these are just Unicode strings, so no difficulties with maps, etc. I tried to modify the code to consume them and wound up with all sorts of garbage data; I suspect the pointers are not correct...

I'm happy to send you an example of how to set this up if you're interested in seeing what I'm talking about. Drop me a line at amachanic [at] gmail [dot] com ... it would be great to get this thing fully working so I hope so :-)

Either way, thanks again!

re: How to consume ETW events from C#

walkerc — Fri, 27 Feb 2009 01:26:36 GMT

Hello Daniel,

I am using the EventTraceWater class to consume KernelTrace Events.

I backed the class into .Net 2.0 by replacing ReaderWriterLockSlim with ReaderWriterLock.

The class functions flawlessly on Vista64, on Windows7 (32 bit, build 7000) it ... , on XP 32 bit,

int error = NativeMethods.ProcessTrace(array, 1, IntPtr.Zero, IntPtr.Zero); in ProcessTraceInBackground fails.

I have not been able to find a documented reason for this failure since ProcessTrace is supported on XP.

http://msdn.microsoft.com/en-us/library/aa364093(VS.85).aspx

Any ideas?

I was also considering unwrapping ProcessTraceInBackground out of a delegate and using the entire class from a background thread in order to simplify the code and perhaps reduce failure modes that way. Your thoughts?

Again thanks for the class, hopefully this functionality will make it to the framework sooner rather than later.

re: How to consume ETW events from C#

walkerc — Fri, 27 Feb 2009 01:29:52 GMT

Sorry, I forgot I left a statement hanging:

on Windows7 (32 bit, build 7000) it ...

I was waiting for the error to occur again to be more specific, the class runs for a while and then throws a NullReference exception, just FYI. I don't have a dev environment on Win 7 yet to debug.

re: How to consume ETW events from C#

walkerc — Fri, 27 Feb 2009 01:44:00 GMT

One final question, really I promise.

I noticed that

_logFile.EventRecordCallback = EventRecordCallback;

in StartTracing, was not using a delegate. Would using a delegate here provide some benefit?

I apologize if this seems ignorant, even though I have been programming for 30 years, my C# is pretty shabby.

re: How to consume ETW events from C#

walkerc — Sun, 01 Mar 2009 04:00:22 GMT

OK, new years resolution, become more familar with code before commenting on it...

1) _logFile.EventRecordCallback = EventRecordCallback; is using a delegate.

2) int error = NativeMethods.ProcessTrace(array, 1, IntPtr.Zero, IntPtr.Zero); in ProcessTraceInBackground

blocks.

It does not matter if EventTraceWatcher.enabled (and in turn, StartTracing and NativeMethods.ProcessTrace is called from a separate external thread or as originally implemented.

3) ProcessTrace still fails in XP and reason is still a mystery to me.

re: How to consume ETW events from C#

dixi — Fri, 06 Mar 2009 20:30:11 GMT

An extraordinary and very useful piece of work. Congrats Daniel. I noticed that some people are having troubles with the class in Win7. Actually, I have been troubles with ETW in Win7. It happens that the same .NET 3.5 code I developed works seamlessly in WS2008 but not in Win7. The Beta I gues? Anyway, still trying...

re: How to consume ETW events from C#

Daniel Vasquez Lopez — Sat, 14 Mar 2009 08:26:20 GMT

Thank you dixi for your comments, I haven't test it in Windows 7, but I will give it a try as soon as I can.

WalkerC, unfortunately this code won't work for XP, I'm using the field ProcessTraceMode and callback EventRecordCallback http://msdn.microsoft.com/en-us/library/aa363780(VS.85).aspx that are not available prior Windows Vista.

Thank you.

Consume IIS ETW tracing

Eok's Blog — Fri, 15 May 2009 19:00:21 GMT

Event Tracing for Windows (ETW) is wonderful mechanism to monitor, log and trouble shoot of your application