October 21, 2009 / wychi

Create your own ETW provider and log it by xperf

There are two ways to develop an ETW event provider.

  1. Classic provider: Instrumented using the pre-Vista API
  2. Manifest-based provider: Instrumented using the new Event Tracing API first introduced in Vista

This post will focus on the Manifest-based provider.

Before we start, let's take a quick look at how ETW events are structured.

Quoted from "Performance.Analyzer.QuickStart":

Each event has 2 primary components, a header and a provider defined user data.

  • The event header includes event identification information (provider id and event id), a timestamp, process id, thread id, processor number, and CPU usage data of the logging thread.
  • The user data is defined entirely by the provider.  It is essentially a binary blob that could contain any data whatsoever.

ETW accepts all data uncritically and writes this data into the buffers.  Interpretation is left entirely in the hands of the consumer.  This is done to avoid the run time cost of formatting the data.  Typically when a provider is authored, the author will provide a manifest, MOF or TMF file to allow the decoding of the user data.

So, the first step of creating your own event provider is to create a manifest.

The Windows SDK provides a tool to help you create the manifest XML file, so you don't have to take care of XML validation yourself.

C:\Program Files\Microsoft SDKs\Windows\v6.0\Bin>ecmangen.exe


(Download, please remove .DOC extension)

You can find some guidance in the document "Writing an Instrumentation Manifest".

The manifest must identify the provider and the events that it writes but the other metadata such as channels, levels, and keywords are optional; whether you define the optional metadata depends on who will be consuming the events.

So, I suggest you read those two sections first.

After you finish the manifest, it is time to compile it for future deployment.

This post has step-by-step instructions. C# developers can refer to this post and use the tool its author provides to skip the lousy steps.

C# Example:

ecmanaged.exe ecgen /out:SampleProvider.dll /namespace:Sample /class:EventTrace

ecmanaged.exe msglocate SampleProvider.dll

ecmanaged.exe install tmp.xml SampleProvider.dll

Note: there is a bug here. You need to add an attribute to the XML you generate to make ecmanaged.exe work.

<instrumentationManifest xsi:schemaLocation=" eventman.xsd" xmlns:win="" xmlns:xsi="" xmlns:xs="" xmlns:trace="" xmlns="">

If you succeed, you will see an embedded resource in your assembly.


Before registering, check that the resourceFileName and messageFileName attributes in the manifest point to your EXE/DLL file.

This step is important because it tells the consumer how to interpret your data. If these attributes are not set correctly, your trace data will not be displayed correctly.

Now it is time to register your event provider with the ETW system.
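One way to automate the attribute check described above before running wevtutil, as an added example that is not part of the original post. The function name `check_manifest`, the sample manifest and its `C:\Sample` path are constructed for illustration; the optional GUID comparison uses the provider GUID from this post's sample code.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample manifest (not from the original post); the DLL path is a placeholder.
SAMPLE_MANIFEST = """<instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events">
  <instrumentation>
    <events>
      <provider name="SampleProvider" symbol="SampleProvider"
                guid="{f5415100-351d-4b82-bf38-7381b3153c31}"
                resourceFileName="C:\\Sample\\SampleProvider.dll"
                messageFileName="C:\\Sample\\SampleProvider.dll">
        <events><event value="0" version="0" level="win:Informational"/></events>
      </provider>
    </events>
  </instrumentation>
</instrumentationManifest>"""

# Strip the XML namespace so the check works whatever prefix the manifest uses.
def local(tag):
    return tag.rsplit("}", 1)[-1]

def check_manifest(xml_text, expected_guid=None, file_exists=os.path.isfile):
    """Return a list of problems that would stop a consumer decoding the events."""
    problems = []
    root = ET.fromstring(xml_text)
    providers = [e for e in root.iter() if local(e.tag) == "provider"]
    if not providers:
        return ["manifest declares no <provider>"]
    for p in providers:
        name = p.get("name", "<unnamed>")
        for attr in ("resourceFileName", "messageFileName"):
            path = p.get(attr)
            if not path:
                problems.append(f"{name}: {attr} is missing")
            elif not file_exists(path):
                problems.append(f"{name}: {attr} points to a file that does not exist: {path}")
        # The GUID the application registers with must be the one in the manifest.
        guid = p.get("guid", "").strip("{}").lower()
        if expected_guid and guid != expected_guid.strip("{}").lower():
            problems.append(f"{name}: guid {guid} does not match {expected_guid}")
        if not any(local(e.tag) == "event" for e in p.iter()):
            problems.append(f"{name}: no <event> definitions")
    return problems

if __name__ == "__main__":
    for line in check_manifest(SAMPLE_MANIFEST, "f5415100-351d-4b82-bf38-7381b3153c31"):
        print(line)
```

An empty result means the manifest names the provider, its events and both binary paths; any line printed is something to fix before registration.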

wevtutil im

To check whether the registration succeeded:

xperf -providers | findstr -i SampleProvider

Now you can publish an ETW event from your app and the data can be interpreted.

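    // Requires: using System; using System.Diagnostics.Eventing; using System.Windows;
    int idx = 0;

    // Register the provider once and reuse it; the GUID must match the provider GUID in the manifest.
    readonly EventProvider provider = new EventProvider(new Guid("{f5415100-351d-4b82-bf38-7381b3153c31}"));

    public void EventProvider_Click(object sender, RoutedEventArgs e)
    {
        // EventDescriptor(id, version, channel, level, opcode, task, keywords)
        EventDescriptor evtDesc = new EventDescriptor(0x0, 0x0, 0x10, 0x4, 0x0, 0x0, -9223372036854775807L);
        // The payload order must match the event template defined in the manifest.
        provider.WriteEvent(ref evtDesc, new object[] { string.Format("Msg: {0}", idx), idx });
        idx++;
    }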

In this post, I will use XPerf as our ETW consumer.

But if you want to use XPerf on your product, please pay attention to the following.

The xperf tools can  interpret a fixed set of classic events and any manifest-based events, provided that the appropriate information has been registered on the machine and can be interpreted using TDH as explained in MSDN.  If you are adding instrumentation to a component for the first time, please make use of the manifest-based ETW model introduced in Vista.

xperf -on Base
xperf -start MySession -on f5415100-351d-4b82-bf38-7381b3153c31:0xffffffff:5
##do your task##
xperf -stop MySession -d User.etl
xperf -stop -d kernel.etl
xperf -merge User.etl kernel.etl result.etl
xperf result.etl

The result


I bet you will ask this question: "Can we customize xperf's graph?"

The answer for now is no. Check this thread: Custom XPerf Graph

