How to implement real-time cosumer of ETW with using TraceEvent

Apr 17, 2012 at 4:39 AM


First oh all, Great thanks for maintaining this project, it is hug help for me.

I am a new guy of ETW studying, and Xperf is the first tool I used. But the etl files always have big size. It is a redundancy work to change them to xml and find useful data to save to excel. Because real-time mode of consumer can do this directly, and of course there is no need to generation the big etl file. This is the purpose I want to implement real-time consumer.

        I have a simply idea. For example, I implement a provider in which there is an ETW event, the operation of the provider is running an application. The consumer is use for collecting the start time of the application, the start time is from the process booting until the application came out to the desk.

        Have you got any idea how can I  implement this work with TraceEvent?



Apr 17, 2012 at 6:43 PM

See the PerfMonitor project

In it you will find an example of a real-time provider using TraceEvent (see MonitorProcs method).

You may also be intrested in lookat the PerfView tool


Apr 27, 2012 at 10:10 AM

It helps me a lot, thanks!

     There is another question I have, If I use real-time consumer to capture the trace event of applications of Microsoft, such as word, IE and so on. More specific, I concern the time of creating a new tab of IE9, how could I get it with ETW? I know xperf can get the time with Microsoft-IEFRAME event, but how get the data from real-time consumer?




Apr 30, 2012 at 4:06 PM

You can turn on other providers like the Microsoft-IEFrame in a real-time session just like for an XPERF session.   You will then get those events in your output...

May 1, 2012 at 8:33 AM

yes, I can get those events in my output, I focus on the event pair like "Microsoft-IEFRAME/ExtensionCreate/Start" and "Microsoft-IEFRAME/ExtensionCreate/Stop"  also focus on "Microsoft-IEFRAME/Tab_shellBrowserOnCreate/Start" and "Microsoft-IEFRAME/Tab_shellBrowserOnCreate/Stop".

 I don`t know the event Id, How can I get the time of these event pairs in real-time cosumer? 

May 2, 2012 at 1:29 PM

The easiest way to 'explore' what you can do is in a debugger, and inspect the 'TraceEvent' class that was returned by the library.   Each event has a 'ProviderName' (eg. Microsoft-IEFrame), a 'TaskName' (eg. ExtensionCreate) and an 'OpcodeName' (e.g. Start, Stop), which allow you to identify particular events.  (although it is more efficient to find the Provider GUID and Task and Opcode (by inspecting in the debugger) and using those small integer values (that never change), to identify the event).   In particular the 'Start' and 'Stop' opcodes are already pre-defined (see TraceEventOpcode).  

Once you have the two events you are intrested in, you can use the TimeStampRelMSec or TimeStamp100ns properties to determine the time between them.   THus your code has to remember the times for the starts so that when the stops happen you know what to subtract.   Thus you need some 'ID' that allows you to match up 'Starts' with the correct 'Stop'   This varies from provider to provider.   Either it is the ThreadID (it is assumed that the start and stop happen on the same thread) or it is an ID that is placed in the 'Start' and 'Stop' event (this is more general, as it does not require the start and stop to happen on the same thread).