ETW/WPP Tracer Logs

Hi all,

I’ve been trying to enable a simple way for the client to provide me with
some trace logs of my system.
I thought of developing a simple UI that provided a simpler interface than
logman.exe, …
But then I realized that Windows already has what I need “Computer
Management -> Trace Logs”.
So I was able to publish my event trace on to the NonSystem Providers.

Now the problem is that, when I start a trace nothing gets written to the
.ETL file except the Header event, can anyone help me with this?
An interesting thing is that if I do a traceview against the same Name
Providers I’m able to see the events.

Kind Regards
Cláudio Albuquerque

I just tried this on XP and I think the problem with “Computer Management -> Trace Logs” interface is that it doesn’t allow you to specify Level/Flags for “NonSystem Providers”. Why not just use a simple batch file which uses logman.exe or tracelog.exe to control the tracing?

Is this on Vista?

Most likely you did not set the Levels and Flags

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Cláudio Albuquerque
Sent: Monday, May 28, 2007 12:39 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] ETW/WPP Tracer Logs

Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Thanks for the reply.
This is an XP / 2003 system.

I did think of that and then used logman to create the entry in the Trace
Logs snap-in:

  • logman create trace teste -p teste.provider 0x00ffffff 0xFFFF
    Besides creating the trace entry, this command created two additional
    registry keys (Trace Provider Flags; Trace Provider Levels) under
    SysmonLog\Log Queries with the values 0x00ffffff 0xFFFF.

Though it still suffers from the same problem as before: it starts the
tracing but captures no information.

Regards
Cláudio Albuquerque

“Jose Sua” wrote in message
news:xxxxx@ntdev…
Is this on Vista?

Most likely you did not set the Levels and Flags


Thanks for the reply.

True, the “Computer Management -> Trace Logs” interface does not allow for
the specification of Level/Flags. But then I used logman to create the entry
in the Trace Logs snap-in (ex: logman create trace teste -p teste.provider
0x00ffffff 0xFFFF).
Besides creating the trace entry, this created two additional registry
keys (Trace Provider Flags; Trace Provider Levels) under SysmonLog\Log
Queries with the values 0x00ffffff; 0xFFFF.

Though it still suffers from the same problem as before: it starts the
tracing but captures no information.

Regards
Cláudio Albuquerque
