ETW events are not appearing in the custom channel I defined

Hi Expert,

I'm currently working on implementing ETW and have encountered a challenge.
I followed the Microsoft sample from:

general\tracing\evntdrv\Eventdrv\evntdrv.xml

With that, I was able to successfully log events to the System channel and view them in Event Viewer.

However, when I try to redirect the logs to a custom channel, the events no longer appear.
I have confirmed the following:

  • The custom channel appears correctly after using wevtutil im.
  • The channel is enabled (wevtutil gl shows it as enabled: true).
  • Using logman or ETW tracing confirms that events are indeed being fired.

I would like to ask:
To switch logging from the System channel to a custom-defined channel, aside from changing:

to:

What other considerations or modifications are required to make the log entries appear correctly?

Additionally, is it acceptable to use the .sys driver file located under %SystemRoot%\System32\drivers\ for both resourceFileName and messageFileName in the manifest?

Thank you very much for your guidance!

Best regards,
Luke

Hi again,

I’d like to provide some follow-up information regarding my previous post about using a custom ETW channel in a WDM driver.

Since my last update, I’ve made further progress and confirmed the following:

  • I’m using a manifest-based ETW setup.
  • The .sys driver file does contain MessageTable and WEVT_TEMPLATE resources (verified via Resource Hacker).
  • The driver logs events using the macros generated from mc.exe, such as:
    EventWriteEVT_DRIVER_INITIALIZED(NULL, L"Driver initialized");
  • When using <importChannel chid="SYSTEM" name="System"/>, the log appears correctly in Event Viewer → System.

However, when I switch to a custom channel like this:

<channels>
  <channel name="TEST/port" chid="testport" symbol="PORT_OPERATIONAL" type="Operational" enabled="true"/>
</channels>

...the events no longer show up in Event Viewer, even though:

  • wevtutil im succeeds and the channel appears under Applications and Services Logs
  • The channel is listed as enabled = true
  • I’ve verified using logman/ETW traces that the events are actually being fired

Here is the relevant portion of my manifest:

<?xml version='1.0' encoding="utf-16"?>
<instrumentationManifest ... >
  <instrumentation>
    <events>
      <provider name="Test"
                guid="{D78C1D46-AB12-4EAC-A655-6D0916A52AF1}"
                symbol="TEST_PROVIDER"
                resourceFileName="%SystemRoot%\System32\drivers\test.sys"
                messageFileName="%SystemRoot%\System32\drivers\test.sys">

        <events>
          <event symbol="EVT_DRIVER_INITIALIZED"
                 value="1001"
                 version="0"
                 level="win:Informational"
                 template="tStatusMessage"
                 channel="testport"
                 message="$(string.EVT_DRIVER_INITIALIZED)"
                 opcode="win:Start"/>
        </events>

        <channels>
          <channel name="TEST/port"
                   chid="testport"
                   symbol="PORT_OPERATIONAL"
                   type="Operational"
                   enabled="true"/>
        </channels>

        <templates>
          <template tid="tStatusMessage">
            <data name="Message" inType="win:UnicodeString" outType="xs:string"/>
          </template>
        </templates>

      </provider>
    </events>
  </instrumentation>

  <localization>
    <resources culture="en-US">
      <stringTable>
        <string id="EVT_DRIVER_INITIALIZED" value="Driver initialized: %1"/>
      </stringTable>
    </resources>
  </localization>
</instrumentationManifest>

Questions:

  1. Is there anything else I need to configure (in either the manifest or registry) to make the log entries appear in the custom channel?
  2. Do I need to manually enable or subscribe to the channel after importing the manifest?
  3. Is there a way to confirm whether the Event Viewer is simply not displaying them, or if they're not being properly routed to the channel?

Any help would be greatly appreciated.
Thanks again!

Best regards,
Luke
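
Question 3 above can be checked by reading the channel through the Event Log API instead of Event Viewer. The PowerShell below is an added example, not part of the original posts; it assumes the provider name Test and the channel name TEST/port from the manifest above, and an elevated session on the machine where the manifest was installed.

```powershell
# Added diagnostic example. Names come from the manifest in the post.
$providerName = 'Test'
$channelName  = 'TEST/port'

# 1. Provider registration: which log is each event ID linked to?
try {
    $provider = Get-WinEvent -ListProvider $providerName -ErrorAction Stop
    $provider.LogLinks | Format-Table LogName, IsImported -AutoSize | Out-Host
    $provider.Events |
        Select-Object Id, Version, @{ n = 'Log'; e = { $_.LogLink.LogName } }, Description |
        Format-Table -AutoSize | Out-Host

    # 2. Do resourceFileName / messageFileName resolve to an existing file?
    foreach ($path in $provider.ResourceFilePath, $provider.MessageFilePath) {
        if ($path) {
            $expanded = [Environment]::ExpandEnvironmentVariables($path)
            '{0} exists: {1}' -f $expanded, (Test-Path -LiteralPath $expanded)
        }
    }
} catch {
    "Provider metadata could not be read: $($_.Exception.Message)"
}

# 3. Channel configuration as the Event Log service reports it.
try {
    Get-WinEvent -ListLog $channelName -ErrorAction Stop |
        Format-List LogName, IsEnabled, LogType, LogMode, RecordCount,
                    LogFilePath, OwningProviderName | Out-Host
} catch {
    "Channel could not be queried: $($_.Exception.Message)"
}

# 4. Read the newest records straight from the channel, bypassing Event Viewer.
$records = Get-WinEvent -LogName $channelName -MaxEvents 5 -ErrorAction SilentlyContinue
if ($records) {
    $records | Format-List TimeCreated, Id, ProviderName, LevelDisplayName, Message | Out-Host
} else {
    "No records could be read from $channelName"
}
```

If step 4 returns records that Event Viewer does not show, the problem is on the display side; if RecordCount stays at 0 while a trace session still captures the events, they are not reaching the channel.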