ETW – Consuming events
You may or may not have heard about ETW which is a powerful tool for event tracing, which
one of it’s most significant advantages is it’s performance . At the following SDP, You are more than welcome to hear Yaniv Rodenski and myself talk about it.
At this post I will demonstrate how to consume an event written by an application writes this
events. I will do so by creating Data Collector Set .
There are some ready-made providers for CLR, ASP.Net and more, however in order to simplify I’ve chosen to take a manifest-based application. In order to create it
you can read this post which describe how to do so step by step.
Create a data collector
A data collector is a trace listener for ETW that uses one or more ETW provider and writes
it’s / their events to a .etl file.
In order to have the data collector you can use a command line tool called logman or use the computer management tool. In here I’ll demonstrate the computer management tool:
1. Go to Computer management –> Performance –> Data Collector sets –> User defined
2. Write click –> Choose “New” –> Data collector set, this dialog box will open:
3. Name your data collector and choose “Create manually” (and press “Next”)
4. At the next step, choose “Event trace data”
5. After pressing next, we get to choose our provider (or providers)
Here we choose the provider named “ExampleProvider” .
6. Now, back to the provider’s screen, let’s make sure that the trace will capture events with the keyword set for our provider earlier. we do so by pressing the Keyword(any)
property, pressing the “Edit” button and set the value to 0×8000000000000000.
7. Now we can select the event trace log (etl) file location. I’ve left the default
8. You can have the data collector run on different credentials than the default. |
We’ll leave it as is
Now we have our data collector set ready. Now all we have to do is two things:
1. Run it (Right click –> Start)
2. Run our application
We will see a .etl file on the directory we’ve set earlier. This file is
In this post I’ve shown how to create an ETW Data Collector set to consume an ETW Provider. We’ve gone through all steps in defining the data collector set. This process works also for the classic providers already exist.
Next post, we'll dive into the .etl file and read our events.