DCSIMG
Reading ETW tracing using Event Viewer - Manu Cohen-Yashar's Blog

Manu Cohen-Yashar's Blog

Reading ETW tracing using Event Viewer

I was looking for a tool to read ETW tracing data. It turned out that the tool I need is right under my nose. Event Viewer.

The problem was that ETW (using the logman tool) produces etl files that are not readable by Event Viewer. Fortunately there is a trick. I tried to load the etl file by Event Viewer using open saved log and it failed to load.

Event Viewer

I saved the etl file as an evtx file and now I could see the tracing data.

For WCF and WF you do not need the etl file. All you have to do is follow the following procedure:

  • Enable the analytic and debug logs.

    • In the tree view in Event Viewer, navigate to Event Viewer->Applications and Services Logs->Microsoft. Right-click on Microsoft and select View->Show Analytic and Debug Logs.

      Ensure that the Show Analytic and Debug Logs option is checked.

  • Enable the Analytic log.

    In the tree view in Event Viewer, navigate to Event Viewer->Applications and Services Logs->Microsoft->WCF->WF-Development. Right-click on Analytic and select Enable Log.

    • Activate a WCF service with tracing enabled and all the tracing data will be there.

    Posted: Oct 12 2009, 12:32 PM by Manu Cohen-Yashar | with 2 comment(s)
    תגים:,

    Comments

    Consuming | answers hiwav said:

    Pingback from  Consuming | answers hiwav

    # October 8, 2010 5:29 AM

    Rajeesh said:

    is there any time delay exist between ETW writnig and reading?

    i have a code that write event using EventWrite() and reading using EvtNext().

    But EvtNext() failed to collect the events that i have write previously called EvtWrite(). if i add a Sleep(500) it is fine. why??

    # January 30, 2012 4:11 PM
    Leave a Comment

    (required) 

    (required) 

    (optional)

    (required) 


    Enter the numbers above: