Help in getting ETW NT kernel session events with C++

  • Question

  • Hi everyone,

    I'm working on a program that should read ETW events in C++. Is there any simple way I can just collect data from the Windows kernel events session, such as ProcessTraceData, and print them out in the console in real time?

    Demo code would be really helpful.

    Thanks


    Thursday, November 16, 2017 9:41 PM

Answers

  • Hi Xhyuuuu,

    Thanks for posting here.

    >>I'm working on a program that should read ETW events in C++. Is there any simple way I can just collect data from the Windows kernel events session, such as ProcessTraceData, and print them out in the console in real time?

    Event Tracing for Windows (ETW) provides a mechanism to trace and log events that are raised by user-mode applications and kernel-mode drivers.

    Here is a document with examples that describes how to use the Event Tracing for Windows (ETW) kernel-mode API to add event tracing to kernel-mode drivers, which you could refer to.

    https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/adding-event-tracing-to-kernel-mode-drivers

    Hope this could be of help to you.

    Best Regards,

    Sera Yu


    MSDN Community Support

    • Marked as answer by Xhyuuuu Friday, November 17, 2017 2:56 PM
    Friday, November 17, 2017 8:34 AM
