An answer to this question has led me to look into using "Event Tracing for Windows" for our tracing needs. I have come across NTrace, which seems to be a good way to produce ETW events from C# code (using the XP-compatible "classic provider" model).

However, I am unable to find an easy way to consume these events - to see them in real-time and/or log them to a file. The only way I have found is that described in the NTrace documentation: using a tool which is only available as part of the Windows DDK.

In the case of a complex problem in the field, we may need to ask the user to produce a file containing a trace. We can't ask users to download the DDK or carry out a number of complex operations in order to do this.

Is there a straightforward, user-friendly way to log ETW events to a file?

Also, is it possible for someone to consume ETW events on Windows Vista/7 if they are not running as administrator?

A: 

Windows Event Log reads the ETW. In fact, I'd say this is the correct way for a consumer (a person, not a program) to view and export the ETW traces.

See here for an example. http://blogs.microsoft.co.il/blogs/applisec/archive/2009/10/12/reading-etw-tracing-using-event-viewer.aspx

This question on MSDN discusses what to do when the logs don't appear. Does anything here help?

Preet Sangha
Thanks for the link. If I read the blog post correctly, it describes how to use Event Viewer to load a log file produced by logman for a custom provider, and how to bypass logman and see a real-time log for a provider which is already available in Event Viewer. I have managed to do both of these, but cannot see a real-time log for my own provider since it does not show up in Event Viewer. Do you know what I need to do in order to make it appear?
Paul Baker
Thanks for the additional information. Everything I've read says that the Event Viewer does not in fact display ETW traces - about the only way to see a trace in real-time is to use the DDK's TraceView tool. Nonetheless, this question was mostly about setting up logging of a trace to a file, and I've found several alternative ways to do that. These include the "logman" command-line tool and the "Reliability and Performance Monitor". Unfortunately, all of these methods do seem to require administrator access - I'm still interested in seeing if there is a way to do this as a standard user.
Paul Baker
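The file-logging route mentioned in the comments above (logman, which only works from an elevated prompt), as an added example that is not part of the original question or answers. The provider GUID, session name and output paths are placeholders; substitute the GUID your own provider registers.

```powershell
# Added example: capture a custom ETW provider to an .etl file with the built-in
# logman tool, then convert it with tracerpt so a user can send it to support.
# The provider GUID below is a placeholder (assumption): use your provider's GUID.
$ProviderGuid = '{00000000-0000-0000-0000-000000000000}'   # assumption
$Session      = 'MyAppTrace'                                # assumption
$OutDir       = Join-Path $env:TEMP 'MyAppTrace'
$EtlFile      = Join-Path $OutDir 'myapp.etl'

# Controlling a trace session requires administrative privileges, so fail early
# rather than half-way through the procedure.
$isAdmin = ([Security.Principal.WindowsPrincipal] `
            [Security.Principal.WindowsIdentity]::GetCurrent()
          ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    throw 'Run this script from an elevated (Administrator) PowerShell prompt.'
}

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# -ets: act on the session directly instead of creating a data collector set.
# 0xFFFFFFFF / 0xFF are the keyword mask and level: enable everything from this provider.
logman start $Session -p $ProviderGuid 0xFFFFFFFF 0xFF -o $EtlFile -ets
if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }

Write-Host "Tracing to $EtlFile. Reproduce the problem, then press Enter to stop."
[void](Read-Host)

logman stop $Session -ets

# tracerpt turns the binary .etl into XML (or -of CSV / -of EVTX). For a classic
# (MOF-based) provider the MOF schema must be registered on the machine doing the
# conversion, otherwise the event payloads come out as raw data.
tracerpt $EtlFile -o (Join-Path $OutDir 'myapp.xml') -of XML
Write-Host "Done. Send the contents of $OutDir to support."
```

The .etl produced here can be opened later with the DDK's TraceView or converted on a developer machine where the provider's MOF is registered; the end user only has to run the script elevated and reproduce the problem.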
+2  A: 

TraceView is the easiest out-of-the-box solution, but it is possible to write your own ETW viewer that is specific to your provider. This would give you full control over the presentation and make it much easier on the end user as TraceView is really more of a debugging tool than something you can ask end users to run.

As far as real-time tracing goes, according to the documentation:

Only users with administrative privileges, users in the Performance Log Users group, and services running as LocalSystem, LocalService, NetworkService can consume events in real time. To grant a restricted user the ability to consume events in real time, add them to the Performance Log Users group.

Windows XP and Windows 2000: Anyone can consume real time events.

If you're interested in writing your own ETW viewer (real-time or log file), here is the relevant documentation.

Luke
Thanks for this information. So, on Windows Vista and above, restricted users cannot consume events in real time. Do you know if it is possible for these users to control logging of events to a file?
Paul Baker
It seems that restricted users cannot control logging of events to a file. In order to do so, a user would have to employ a trace controller, but http://msdn.microsoft.com/en-us/library/aa364117%28VS.85%29.aspx says "Only users with administrative privileges ... can control event tracing sessions".
Paul Baker
Yeah, Vista is kind of a drag. To get around this you could have all of the event tracing stuff done in a service that runs under a privileged account. Probably easier just to have the user elevate, though.
Luke
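The real-time case described in this answer (administrator controls the session, a user in Performance Log Users consumes it), as an added example that is not from the original answers. The account name, session name and provider GUID are placeholders; this must be run elevated because both the group change and the session control require administrative privileges.

```powershell
# Added example: allow a standard user to consume real-time ETW events by
# adding them to Performance Log Users, then run a real-time session that the
# user can attach a consumer to. Names and GUID are placeholders (assumptions).
$User         = 'MYPC\alice'                                 # assumption
$Session      = 'MyAppRealTime'                              # assumption
$ProviderGuid = '{00000000-0000-0000-0000-000000000000}'     # assumption

# Resolve the group by its well-known SID (S-1-5-32-559) so the script also
# works on localized Windows installs where the display name differs.
$groupSid  = New-Object Security.Principal.SecurityIdentifier 'S-1-5-32-559'
$groupName = $groupSid.Translate([Security.Principal.NTAccount]).Value.Split('\')[-1]

function Test-PerfLogUser {
    param([string]$Account, [string]$Group)
    # Simple text match against 'net localgroup' output; good enough for a check.
    $members = net localgroup $Group
    return [bool]($members -match ('^' + [regex]::Escape($Account.Split('\')[-1]) + '$'))
}

if (-not (Test-PerfLogUser -Account $User -Group $groupName)) {
    net localgroup $groupName $User /add
    Write-Host "$User added to $groupName. The change only applies to a new logon token, so the user must log off and on."
}

# The administrator starts a real-time session (-rt, no -o file). Events are
# only delivered while a consumer is attached; otherwise they are discarded.
logman start $Session -p $ProviderGuid 0xFFFFFFFF 0xFF -rt -ets
if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }

# In a separate, non-elevated prompt the restricted user can now attach the
# stock tracerpt consumer and dump events as they arrive:
#   tracerpt -rt MyAppRealTime -o live.xml -of XML

Write-Host "Real-time session $Session running. Press Enter to stop it."
[void](Read-Host)
logman stop $Session -ets
```

If you take the alternative the answer suggests (a service under a privileged account that owns the session), the service would issue the logman calls, or the equivalent StartTrace/ControlTrace APIs, and the user-facing program would only need to be in Performance Log Users to read the real-time session.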
+1  A: 

ETW tracing was designed to be run only by administrators because a trace may contain personally identifiable information, and it would pose a security threat if a non-admin could capture the trace.

Here is a warning example from xperf:

The trace you have just captured "C:\Windows\system32\kernel.etl" may contain personally identifiable information, including but not necessarily limited to paths to files accessed, paths to registry accessed and process names. Exact information depends on the events that were logged. Please be aware of this when sharing out this trace with other people.

Hope this answers your question.

Naveen
Thanks - that makes sense. The xperf warning reads as though it is making you aware that the trace may contain your own personal information - but I think the bigger issue is that the trace may contain the personal information of other users of the machine (since the kernel combines traces for all users). It is for this latter reason that traces should only be viewed by administrators.
Paul Baker
A: 

Here is how you can get custom ETW traces from your own custom provider, and how ETW can be used within managed code.

Hope this helps.

Naveen