ProcessTraceData cannot parse ETL files generated on Windows 8


Windows 8 generates ETL files where the MOF class version for ProcessTraceData is 4. TraceEvent does not know how to parse this. There's an unknown 4-byte-long field between the DirectoryTableBase and UserSID properties. Unfortunately, this throws off parsing of subsequent fields (like image name) too.
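The offset shift described in this report, as an added example that is not TraceEvent's code or part of the original thread. It assumes a constructed, simplified payload holding only the fields named above (64-bit DirectoryTableBase, the 4-byte field treated as opaque, a binary SID, a NUL-terminated image name); the function names are hypothetical.

```python
import struct

def build_payload(version, dtb, sid_subauths, image):
    """Build a constructed sample payload; real events carry more fields around these."""
    # Binary SID: revision, sub-authority count, 6-byte big-endian authority (5 = NT).
    sid = struct.pack("<BB6s", 1, len(sid_subauths), (5).to_bytes(6, "big"))
    sid += b"".join(struct.pack("<I", s) for s in sid_subauths)
    extra = struct.pack("<I", 0) if version >= 4 else b""  # the extra 4-byte field
    return struct.pack("<Q", dtb) + extra + sid + image.encode("ascii") + b"\0"

def read_sid(buf, off):
    """Decode a SID at off; reject values that cannot be a SID header."""
    rev, count = struct.unpack_from("<BB", buf, off)
    if rev != 1 or count > 15:
        raise ValueError("offset %d does not hold a SID (field layout mismatch?)" % off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    text = "S-1-%d" % authority + "".join("-%d" % s for s in subs)
    return text, off + 8 + 4 * count

def parse_process(buf, version, v4_aware=True):
    """Parse the simplified payload, skipping the version 4 field when v4_aware."""
    (dtb,) = struct.unpack_from("<Q", buf, 0)
    off = 8
    if v4_aware and version >= 4:
        off += 4  # skip the 4 bytes between DirectoryTableBase and UserSID
    sid, off = read_sid(buf, off)
    end = buf.index(b"\0", off)
    return {"DirectoryTableBase": dtb, "UserSID": sid,
            "ImageFileName": buf[off:end].decode("ascii")}

if __name__ == "__main__":
    v4 = build_payload(4, 0x1AB000, [18], "notepad.exe")
    print(parse_process(v4, 4))
    try:
        parse_process(v4, 4, v4_aware=False)  # a parser that only knows version 3
    except ValueError as exc:
        print("version-unaware parse rejected:", exc)
```

Validating the SID header turns a silent misparse of every later field into an explicit error at the first field that no longer lines up.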

vancem wrote Nov 13, 2012 at 1:58 PM

Yes, this has been fixed but it has not been propagated to the codeplex site.

Attached is an updated version of the TraceEvent.dll binary and XML docs that fixes this. It also has significant new features (like RegisteredTraceEventSource).

szilvaa wrote Nov 13, 2012 at 3:49 PM

Thank you! I'm hoping that the changes can be propagated soon. I have a few of my own modifications inside traceevent.dll that I'd like to continue to use.

bobuva wrote Feb 26, 2013 at 5:57 PM

I've downloaded the TraceEvent.zip that was put up here (on Nov 13, 2012 according to the message info), rebuilt my test program which loads an .etl file, and I continue to get the "Not a understood file format" error thrown from the FastSerialization.Deserializer constructor. All I'm doing is creating a new instance of the Diagnostics.Tracing.TraceLog class in the TraceEvent library.

I've tried it with etl files created from the WPR (recorder) and from PerfView, with no luck. Is it possible I'm running into a different problem than the Windows 8 issue mentioned in this thread?