ETW tracing


  • I inherited some code run as a tool, which is supposed to perform a Microsoft TraceLog-like function, as we cannot ask the customer to download TraceView to generate ETW traces for us to debug problems.
    Here is a brief description of what we want to do:
    We implement ETW trace points in our code to trace some APIs. If there is a problem when customers are running those APIs, we want to ask the customer to run our tool as a trace controller to generate an .etl trace file and send it back to us. We will use tracefmt to format the .etl file to get the trace entries, which will help us debug the problem.
    When I run our tool controller, the .etl file generated is always 8K. And when I use tracefmt to format the trace, the trace entry file is empty and I get:

    C:\Program Files\gpmp>tracefmt gpmparmtrace.etl -tmf c:\TMFFOLDER\26f6bfe5-8
    Setting log file to: C:\Program Files\gpmp\gpmparmtrace.etl
    Examining c:\TMFFOLDER\26f6bfe5-84c5-c973-aa5c-cf50ee20ace0.tmf for message form
    ats, 1 found.
    Searching for TMF files on path: \\winseqfe\release\Windows6.0\lh_sp2rtm\6002.18
    Logfile C:\Program Files\gpmp\gpmparmtrace.etl:
    OS version 6.0.6002 (Currently running on 6.0.6002)
    Start Time 2011-06-10-07:57:17.110
    End Time 2011-06-10-07:57:52.095
    Timezone is @tzres.dll,-212 (Bias is 480mins)
    BufferSize 8192 B
    Maximum File Size 50 MB
    Buffers Written Not set (Logger may not have been stopped).
    Logger Mode Settings (2) ( circular
    ProcessorCount 2

    Processing completed Buffers: 1, Events: 1, EventsLost: 0 :: Format Errors: 0,
    Unknowns: 1

    Event traces dumped to FmtFile.txt
    Event Summary dumped to FmtSum.txt

    The FmtFile.txt, which is supposed to contain all trace entries, is empty.

    If I run TraceView, I get all the trace entries. So the trace point in the code is correct. Perhaps the problem is in our tool. I googled and did not find much discussion on ETW. Our tool uses these APIs:
    ControlTrace (stop tracing).

    I modeled it after the sample program on http://msdn.microsoft.com/en-us/library/aa364118(v=vs.85).aspx
    Does anyone know how to debug this problem (Buffers Written Not set (Logger may not have been stopped))?  I need to get this to work and appreciate any suggestions/tips/guidance. 



    Friday, June 10, 2011 17:44

All replies

  • Can anyone answer my question?  How about developers of ETW from Microsoft?  Any suggestions on how to solve the problem?  Thanks. 
    Monday, June 13, 2011 18:22
  • I saw my post being viewed but no one answers my question.

    Here is the code snippet and hope it would give you information to spot the problem.

    My tool runs in Server 2008.

    There is a structure for the ETW APIs:

    typedef struct _LOGGERINFO

        ULONG Status;
        LPTSTR LoggerName;
        LPTSTR LogFileName;
        TRACEHANDLE LoggerHandle;
        GUID TargetGuid;

        ULONG Enable;

    #endif _LOGGERINFO_


    We obtain storage for the Trace Properties and initialized:

     I followed the example at http://msdn.microsoft.com/en-us/library/ee441323(v=vs.85).aspx and generated a session GUID for the trace:

    We gave the Logger a name and the trace file name and other information:


    SizeNeeded = sizeof(EVENT_TRACE_PROPERTIES) + 2 * MAXSTR * sizeof(TCHAR);
    newLogger->LoggerInfo = (PEVENT_TRACE_PROPERTIES) malloc(SizeNeeded);

    RtlZeroMemory(newLogger->LoggerInfo, SizeNeeded);
    newLogger->LoggerInfo->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
    newLogger->LoggerInfo->LogFileNameOffset = newLogger->LoggerInfo->LoggerNameOffset + MAXSTR * sizeof(TCHAR);

    newLogger->LoggerName = (LPTSTR)((char*)newLogger->LoggerInfo +

    newLogger->LogFileName = (LPTSTR)((char*)newLogger->LoggerInfo +

    newLogger->LoggerInfo->Wnode.BufferSize = SizeNeeded;
    newLogger->LoggerInfo->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
    newLogger->LoggerInfo->Wnode.Guid = SESSION_GUID;

    _tcscpy(newLogger->LoggerName, LOGGER_NAME);

    newLogger->LoggerInfo->LogFileMode |= EVENT_TRACE_FILE_MODE_CIRCULAR;
    newLogger->LoggerInfo->BufferSize = 8;          /* size of each buffer, in KB */
    newLogger->LoggerInfo->MaximumBuffers = 26;
    newLogger->LoggerInfo->MinimumBuffers = 4;
    newLogger->LoggerInfo->NumberOfBuffers = 7;
    newLogger->LoggerInfo->AgeLimit = 15;
    newLogger->LoggerInfo->MaximumFileSize = 50;    /* in MB */
    newLogger->LoggerInfo->EnableFlags = 0;


    We issue StartTrace:

    currentLogger.Status = StartTrace(&currentLogger.LoggerHandle,



    Set up for EnableTrace:

    currentLogger.TargetGuid = ARM4_GUID;

    currentLogger.Enable = TRUE;


    currentLogger.Status = EnableTrace (currentLogger.Enable,







    The application is running; the tool is supposed to write the trace entries.

    The tool goes to sleep.  We use the Ctrl-C signal to wake up the tool to stop tracing:


    currentLogger.Status = EnableTrace(FALSE, 






    currentLogger.Status = ControlTrace(currentLogger.LoggerHandle,





    The .etl file was generated but when I formatted it, I got:


    C:\SupportFiles>tracefmt gpmpWinTrace.etl -tmf c:\tmffolder\26f6bfe5-84c5-c973-a

    Setting log file to: C:\SupportFiles\gpmpWinTrace.etl
    Examining c:\tmffolder\26f6bfe5-84c5-c973-aa5c-cf50ee20ace0.tmf for message form
    ats,  1 found.
    Searching for TMF files on path: \\winseqfe\release\Windows6.0\lh_sp2rtm\6002.18

    Logfile C:\SupportFiles\gpmpWinTrace.etl:
            OS version              6.0.6002  (Currently running on 6.0.6002)
            Start Time              2011-06-10-21:21:14.140
            End Time                2011-06-108-21:21:55.796
            Timezone is             @tzres.dll,-212 (Bias is 480mins)
            BufferSize              8192 B
            Maximum File Size       50 MB
            Buffers  Written        Not set (Logger may not have been stopped).
            Logger Mode Settings    (2) ( circular
            ProcessorCount          2

    Processing completed   Buffers: 1, Events: 1, EventsLost: 0 :: Format Errors: 0,
     Unknowns: 1

    Event traces dumped to FmtFile.txt
    Event Summary dumped to FmtSum.txt


    I got return code 0 for all the APIs.   Anyone find problems with the API calls?


    I need to get this working and appreciate if someone would give me some help and guidance on the following:

    ·         Are the APIs shown above properly issued?  Are the parameters correct?  Are the API working correctly?

    ·         How to debug the problem?  Is there any tool to check the .etl files?  Can I compare the one generated by my tool to the one generated by TraceView to see if it reveals any hints?

    ·         Is this the right forum for my problem?  How can I get this problem resolved?  What is the official channel? 


    Looking forward for someone to reply, 


    Thursday, June 16, 2011 20:16
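
An added example, not part of the original posts: a small Python triage of tracefmt console output in the shape quoted in this thread, which turns the counters and the "Buffers Written" field into a short list of findings. The `triage` helper, the finding names and the healthy sample are assumptions made for illustration, as is the reading that `Events` includes the events counted under `Unknowns`.

```python
import re

# Abridged from the tracefmt output quoted in the thread above.
THREAD_OUTPUT = """\
Logfile C:\\SupportFiles\\gpmpWinTrace.etl:
        BufferSize              8192 B
        Buffers  Written        Not set (Logger may not have been stopped).
        Logger Mode Settings    (2) ( circular

Processing completed   Buffers: 1, Events: 1, EventsLost: 0 :: Format Errors: 0,
 Unknowns: 1
"""

# Constructed sample of a run where events were captured and formatted.
HEALTHY_OUTPUT = """\
        Buffers  Written        3
Processing completed   Buffers: 3, Events: 42, EventsLost: 0 :: Format Errors: 0,
 Unknowns: 0
"""

COUNTERS = ("Buffers", "Events", "EventsLost", "Format Errors", "Unknowns")


def parse_summary(text):
    """Extract the 'Processing completed' counters and the Buffers Written field."""
    flat = re.sub(r"\s+", " ", text)  # the counter line wraps in console output
    counts = {}
    for name in COUNTERS:
        m = re.search(r"\b" + re.escape(name) + r": (\d+)", flat)
        counts[name] = int(m.group(1)) if m else 0
    written = re.search(r"Buffers\s+Written\s+(\S.*)", text)
    return counts, (written.group(1).strip() if written else None)


def triage(text):
    """Return a list of finding codes for one tracefmt run."""
    counts, written = parse_summary(text)
    findings = []
    # Assumption: Events counts every event read, including Unknowns and format errors.
    if counts["Events"] - counts["Unknowns"] - counts["Format Errors"] <= 0:
        findings.append("no_formatted_events")
    if counts["Unknowns"]:
        findings.append("events_without_matching_tmf")
    if counts["EventsLost"]:
        findings.append("events_lost")
    if written is None or not written.isdigit():
        findings.append("buffers_written_not_set")
    return findings


if __name__ == "__main__":
    for label, out in (("thread", THREAD_OUTPUT), ("healthy", HEALTHY_OUTPUT)):
        print(label, triage(out))
```

Running the same check on the output of a TraceView-generated .etl and on the tool-generated one gives a field-by-field comparison of the two captures.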