ETW event descriptor

  • Question

  • Hi everyone,

    I'm implementing a program that should give ETW information. I'm getting only the process id and event descriptor. I just wanted to know the event id for event start and event stop, which I can filter out from the event descriptor I'm getting from the ETW provider. Could anyone help me to get the correct output? I also want detailed knowledge about the event descriptor and all other properties of the event.

    Thanks

    Thursday, November 30, 2017 4:41 PM

All replies

  • Hi Rajat Kinkhabwala,

    thanks for posting here.

    >>Could anyone help me to get correct output and I also want detailed knowledge about event descriptor and all other properties about event.

    This EVENT_DESCRIPTOR structure represents an event defined in the manifest. You do not declare and populate this structure; instead you use the Message Compiler (MC.exe) to generate a header file that declares and populates this structure for each event in the manifest. This structure is also included in the EVENT_HEADER structure that is returned with the event record when you consume events using the EventRecordCallback callback. For MOF-defined events, the Opcode member contains the event type value. The Version and Level members contain the expected information.

    Maybe you need a document about the knowledge of Event Trace feature. Please refer to this one below.

    https://msdn.microsoft.com/en-us/library/windows/desktop/bb968803(v=vs.85).aspx

    Or the blog which I have already given to you.

    https://blogs.msdn.microsoft.com/dcook/2015/09/30/etw-overview/

    Best Regards,

    Baron Bi


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    • Proposed as answer by Guido Franzke Friday, December 1, 2017 8:16 AM
    Friday, December 1, 2017 7:54 AM
  • Thanks Baron for your reply.

    You're right, I am not trying to populate the EVENT_DESCRIPTOR. Rather, it comes to me from the ETW listener. All I need to know is how to determine when a process has STARTed and ENDed. I looked into the values for Opcode, Level and Version on each event, but I'm not sure which variable with what value denotes the START and END state of a process.

    Could you please point to where I can refer for the above task?

    Thanks,

    Rajat

    Friday, December 1, 2017 3:29 PM
  • Hi Rajat,

    thanks for posting here.

    >>I looked into the values for Opcode, Level, Version on each event, not sure which variable with what value denotes the START and END state of a Process.

    Trace events contain an event header and provider-defined data that describes the current state of an application or operation. I'm afraid it doesn't contain the START and END state of a Process.

    For this case, you could use GetProcessTimes function which has the creation time and exit time of the process.

    Hope this could be of help to you.

    Best Regards,

    Baron Bi



    Wednesday, December 6, 2017 8:13 AM
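As an added editor's example (not code from the thread, from Microsoft, or from the asker's program), the PowerShell script below captures the manifest-based Microsoft-Windows-Kernel-Process provider into an .etl file and classifies each record by event ID: ID 1 is ProcessStart and ID 2 is ProcessStop, which is the start/stop distinction the thread was looking for and which a native consumer sees in EVENT_HEADER.EventDescriptor of the same record. It assumes an elevated PowerShell session; the session name and output path are placeholders chosen for this example.

```powershell
# Added example (not from the thread): record process start/stop events from the
# manifest-based Microsoft-Windows-Kernel-Process provider into an .etl file and
# classify each record by its event ID. Run from an elevated PowerShell session.
# The session name and output path below are placeholders chosen for this example.
$sessionName = 'ProcLifecycleDemo'
$etlPath     = Join-Path $env:TEMP 'proc-lifecycle.etl'

# Keyword 0x10 (WINEVENT_KEYWORD_PROCESS) restricts the provider to process events;
# -ets creates and starts the session in one step.
logman create trace $sessionName -p 'Microsoft-Windows-Kernel-Process' 0x10 -o $etlPath -ets | Out-Null

# Produce one short-lived process so the capture contains both a start and a stop.
Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', 'exit' -WindowStyle Hidden -Wait
Start-Sleep -Seconds 1

logman stop $sessionName -ets | Out-Null

function Get-ProcessLifecycleEvents {
    param([Parameter(Mandatory)][string]$Path)
    # In this provider, event ID 1 is ProcessStart and event ID 2 is ProcessStop.
    # -Oldest is required when Get-WinEvent reads an .etl file.
    Get-WinEvent -Path $Path -Oldest |
        Where-Object { $_.ProviderName -eq 'Microsoft-Windows-Kernel-Process' -and $_.Id -in 1, 2 } |
        ForEach-Object {
            # Read named EventData fields from the XML rather than relying on property order.
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                State     = $(if ($_.Id -eq 1) { 'START' } else { 'STOP' })
                EventId   = $_.Id
                Opcode    = $_.Opcode      # same value as EVENT_DESCRIPTOR.Opcode in a native consumer
                ProcessId = [int]$fields['ProcessID']
                Image     = $fields['ImageName']
            }
        }
}

Get-ProcessLifecycleEvents -Path $etlPath | Format-Table -AutoSize
```

The same start/stop records are what a native EventRecordCallback consumer receives for this provider, so the event ID (or Opcode) check above is the filter the asker wanted to apply to the descriptor.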