ETW event descriptor

  • Question

  • Hello everyone,

    I'm trying to get ETW events with the help of C++. But instead of getting event names I'm getting an event descriptor which only contains id, opcode, channel, version, etc. So how can I get to know the event name from the event descriptor? Does anyone know what the opcode values ETW is returning mean and how I can get event names from the opcode? I want detailed knowledge about opcodes so I can pull out event names from them. If anyone could help me it would be a big favor.

    Thanks

    Wednesday, November 22, 2017 3:44 PM

Answers

  • Hi Rajat Kinkhabwala,

    thanks for posting here.

    >>So how can I get to know the event name from the event descriptor? Does anyone know what the opcode values ETW is returning mean and how I can get event names from the opcode? I want detailed knowledge about opcodes so I can pull out event names from them. If anyone could help me it would be a big favor.

    Each event has an opcode field. (In classic ETW, the opcode field was called "class".) The opcode attributes are used to group or bucket events, but do not affect ETW routing. A few opcodes have well-defined semantics recognized by analysis tools. Other opcodes can be defined by the user for any purpose.

    For event name, it is common to use tasks to give a name to an event, since manifest-based ETW does not have a first-class concept of an "event name" but it does have a concept of "task name". This is done by assigning the same numeric value for Event ID and Task ID, then setting the Task Name to the desired Event Name.

    Here is a blog for you as a reference.

    https://blogs.msdn.microsoft.com/dcook/2015/09/30/etw-overview/

    Hope this could be of help to you.

    Best Regards,

    Baron Bi


    MSDN Community Support

    Thursday, November 23, 2017 6:07 AM
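The mapping the answer describes (numeric opcode and task values in the descriptor, names only in the provider's manifest) can be seen by reading a provider's registered metadata. The snippet below is an added example, not code from the thread or from Microsoft; it uses the real `Get-WinEvent -ListProvider` cmdlet and the `ProviderMetadata` / `EventMetadata` classes from `System.Diagnostics.Eventing.Reader`. The provider name is an assumption; any manifest-based provider installed on the machine works. In native C++ the same metadata is obtained per event with `TdhGetEventInformation`, whose `TRACE_EVENT_INFO` carries `TaskNameOffset` and `OpcodeNameOffset` into the same manifest strings.

```powershell
# Added example (not from the original thread): read a provider's manifest metadata so that
# the id/opcode/task numbers found in an EVENT_DESCRIPTOR can be mapped back to names.
# The provider name is an assumption; any installed manifest-based provider works.
$providerName = 'Microsoft-Windows-Kernel-Process'
$provider = Get-WinEvent -ListProvider $providerName -ErrorAction Stop

# Opcodes declared by the provider. Values 0-9 are reserved for the well-known win:* opcodes
# (for example 1 = win:Start, 2 = win:Stop); higher values are provider-defined.
$provider.Opcodes | Sort-Object Value | Format-Table Value, Name, DisplayName -AutoSize

# Tasks declared by the provider. Manifest authors commonly reuse the event id as the task
# value, which is why the task name effectively serves as the event name.
$provider.Tasks | Sort-Object Value | Format-Table Value, Name, DisplayName -AutoSize

# Per-event view: join the numeric descriptor fields with their manifest names.
$provider.Events | ForEach-Object {
    [pscustomobject]@{
        Id          = $_.Id
        Version     = $_.Version
        Opcode      = $_.Opcode.Value
        OpcodeName  = $_.Opcode.Name
        Task        = $_.Task.Value
        TaskName    = $_.Task.Name
        Level       = $_.Level.Name
        Description = $_.Description
    }
} | Sort-Object Id, Version | Format-Table -AutoSize

# Lookup helper: given the id/version from an event descriptor, return the name a tool
# would display. Task name is preferred (the de facto event name); opcode name is the fallback.
function Resolve-EtwEventName {
    param(
        [Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.ProviderMetadata]$Provider,
        [Parameter(Mandatory)][int]$Id,
        [int]$Version = 0
    )
    $evt = $Provider.Events |
        Where-Object { $_.Id -eq $Id -and $_.Version -eq $Version } |
        Select-Object -First 1
    if (-not $evt) { return $null }                       # id/version not in this manifest
    if ($evt.Task -and $evt.Task.Name) { return $evt.Task.Name }
    if ($evt.Opcode -and $evt.Opcode.Name) { return $evt.Opcode.Name }
    return $null                                          # neither task nor opcode named
}

# Usage: resolve event id 1, version 0 of the chosen provider.
Resolve-EtwEventName -Provider $provider -Id 1 -Version 0
```

Two caveats when relying on this from a detection pipeline: the names come from whatever manifest is registered on the machine doing the lookup, so an event captured on one host and decoded on another may resolve differently if provider versions differ, and events with an unnamed task and a provider-defined opcode resolve to nothing, which is exactly the situation the question describes.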