Event Tracing for Windows (ETW), ETL file and Tracerpt

Event Tracing for Windows (ETW) is cool. There is nothing like it for instrumenting your app. ETW is also interesting in that, at this time, it is not easy to find your way around it. There is an excellent Pluralsight course by Kathleen Dollard and several blog posts and videos by Vance Morrison. .NET 4.5 has made ETW so easy: all you need to do is create a custom event source by inheriting from the System.Diagnostics.Tracing.EventSource class and expose a method per event. You can use the PerfView tool or the logman command to start and stop a trace session and write an ETL file. An ETL file is binary and contains pretty much all the information one would ever need, but getting the information out is not an easy task.

There is the TraceEvent API, available as a NuGet package. It is very powerful, and there is even a NuGet package of samples, but what you want to do is generally either missing from what is publicly available or more complex than the time you have allows.

Then there is the tracerpt command, which generates an XML file from an ETL file like this:

tracerpt etw_000001.etl -o etw.xml

The output XML contains all the System data (provider, event ID, timestamp and so on) but not the payload that I'm providing to log. It then dawned on me that tracerpt is probably not new enough to use the inline manifest and might require an installed manifest, just like Event Viewer does. So, I set out to create a manifest file and install it.

EventRegister.exe generates the manifest, which is an XML file with a .man extension, together with a resource assembly (a DLL carrying the event message strings), and writes both next to your assembly. To get this exe, install the NuGet package Microsoft.Diagnostics.Tracing.EventSource; eventRegister.exe will be in the package's tools directory.

eventregister.exe /dumpregdlls C:\Path\bin\Debug\MyAssembly.dll -forceall=true

The next step is to install the manifest with wevtutil.exe, passing the .man file and the DLL produced by eventRegister.exe. The same DLL serves as both the resource file (/rf) and the message file (/mf).

wevtutil.exe im C:\Path\bin\Debug\MyAssembly.Badri-MyEventSource.etwManifest.man /rf:C:\Path\bin\Debug\MyAssembly.Badri-MyEventSource.etwManifest.dll /mf:C:\Path\bin\Debug\MyAssembly.Badri-MyEventSource.etwManifest.dll

Okay, here is the important thing: specify absolute paths with wevtutil. The /rf and /mf paths are written verbatim into the publisher's registration in the registry (under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers) and are resolved later by whichever consumer decodes the trace, so a relative path only works from the directory you ran wevtutil in. From anywhere else the manifest looks installed, but tracerpt cannot find the resource DLL and will not show your payload. Two practical notes: wevtutil im needs an elevated prompt, and the registration is machine-wide, so remove it with wevtutil um and the same .man file when you are done. Learnt it the hard way and hope these steps are useful to someone.
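Putting the steps together, here is an added example (not code from the original post) in PowerShell: it generates and installs the manifest with paths forced absolute, records a session for just this provider while the instrumented program runs, converts the ETL with tracerpt, and then checks that the events actually carry a decoded EventData payload rather than only the System block. The assembly path, event source name, eventRegister.exe location, program name and output directory are hypothetical values chosen to match the post; adjust them. Run it from an elevated prompt, because wevtutil im and logman -ets need administrator rights.

```powershell
# Added example, not code from the original post. Run from an elevated prompt.
# Hypothetical paths and names, chosen to match the post: adjust to your build.
param(
    [string]$Assembly      = 'C:\Path\bin\Debug\MyAssembly.dll',
    [string]$SourceName    = 'Badri-MyEventSource',
    [string]$EventRegister = 'C:\Path\packages\EventSource\tools\eventRegister.exe',
    [string]$App           = 'C:\Path\bin\Debug\MyApp.exe',
    [string]$OutDir        = 'C:\Temp\etw',
    [string]$Session       = 'MyEtwSession'
)
$ErrorActionPreference = 'Stop'

# Native tools report failure through the exit code, not an exception.
function Invoke-Native([string]$Exe, [string[]]$ArgList) {
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# 1. Generate <assembly>.<source>.etwManifest.man and .dll next to the assembly
#    (same eventRegister invocation the post uses).
Invoke-Native $EventRegister @('/dumpregdlls', $Assembly, '-forceall=true')

# 2. Resolve-Path makes the paths absolute however the script was invoked.
#    wevtutil stores /rf and /mf verbatim in the publisher's registry entry and
#    consumers such as tracerpt resolve them later from their own working
#    directory, so a relative path is the "installed but no payload" case.
$base   = [IO.Path]::GetFileNameWithoutExtension($Assembly)
$prefix = Join-Path (Split-Path -Parent $Assembly) "$base.$SourceName.etwManifest"
$man = (Resolve-Path "$prefix.man").Path
$dll = (Resolve-Path "$prefix.dll").Path
Invoke-Native 'wevtutil.exe' @('im', $man, "/rf:$dll", "/mf:$dll")

# 3. Take the provider GUID from the generated manifest instead of guessing it.
[xml]$manifest = Get-Content -Path $man
$provider = $manifest.instrumentationManifest.instrumentation.events.provider |
            Where-Object { $_.GetAttribute('name') -eq $SourceName }
$guid = $provider.GetAttribute('guid')

# 4. Trace only this provider (all keywords, level 5 = verbose) while the
#    instrumented program runs, then stop the session even if the program fails.
$etl = Join-Path $OutDir 'etw.etl'
Invoke-Native 'logman.exe' @('start', $Session, '-p', $guid, '0xFFFFFFFFFFFFFFFF', '5', '-o', $etl, '-ets')
try     { Start-Process -FilePath $App -Wait }
finally { Invoke-Native 'logman.exe' @('stop', $Session, '-ets') }

# 5. Decode with tracerpt; it finds the provider through the registration from step 2.
$xmlPath = Join-Path $OutDir 'etw.xml'
Invoke-Native 'tracerpt.exe' @($etl, '-o', $xmlPath, '-of', 'XML', '-y')

# 6. Verify: a decoded event carries an EventData element whose Data children are
#    the parameters of the EventSource method; with no usable manifest only the
#    System block is present, which is exactly the symptom described in the post.
$events = New-Object System.Xml.XmlDocument
$events.Load($xmlPath)
$ns = New-Object System.Xml.XmlNamespaceManager($events.NameTable)
$ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
$mine = @($events.SelectNodes('//e:Event', $ns) |
          Where-Object { $_.System.Provider.GetAttribute('Guid').Trim('{}') -ieq $guid.Trim('{}') })
$decoded = @($mine | Where-Object { $null -ne $_.EventData })
"{0} events from {1}, {2} with decoded payload" -f $mine.Count, $SourceName, $decoded.Count
$decoded | Select-Object -First 3 | ForEach-Object {
    "--- event {0}" -f $_.System.EventID
    $_.EventData.Data | ForEach-Object { "  {0} = {1}" -f $_.GetAttribute('Name'), $_.InnerText }
}

# 7. The registration is machine-wide; remove it when you are done:
#    wevtutil.exe um $man
```

If the final count of decoded events is zero while the total is not, the manifest is the problem, not the trace: check the ResourceFileName and MessageFileName values under the provider's GUID in the WINEVT\Publishers registry key and confirm they are absolute paths that exist.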
