Saturday, March 31, 2012

Working with Windows 7 Event Tracing using .NET:- Part 4

 

Download sample code

Links : Part 1, Part 2, Part 3

 

Working with event trace sessions: creating and configuring trace sessions

Let's see how to create a trace session using a GUI-based controller application. This controller is none other than perfmon.exe (Performance Monitor). Use the following steps to create a new trace session for your custom provider.

  1. Open Performance Monitor by running perfmon.exe from a command prompt. Creating and starting a trace session requires an elevated prompt, or membership in the built-in 'Performance Log Users' group; otherwise the wizard fails with an access-denied error at the last step.

 

  2. Once Performance Monitor opens, browse to the 'Event Trace Sessions' node. You will see trace sessions already configured to listen for events from system event providers. Our goal is to create a similar trace session for our custom provider.

 

[Screenshot: Performance Monitor with the Event Trace Sessions node selected, listing running sessions such as Circular Kernel Context Logger, EventLog-Application, EventLog-System, NtfsLog, UBPM, WdiContextLog and Trace session for custom provider]

 

 

  3. Right-click in the right pane and click New -> Data Collector Set. This opens the 'Create New Data Collector Set' wizard.

 

[Screenshot: right-click context menu in the Event Trace Sessions pane showing New > Data Collector Set]

 

 

The wizard window:

 

[Screenshot: 'Create new Data Collector Set' wizard, first page: a Name field and the options 'Create from a template (Recommended)' and 'Create manually (Advanced)']

 

 

  4. Provide the trace session name 'Trace session for custom provider', choose 'Create manually (Advanced)', and click 'Next' to open the provider selection page.

 

[Screenshot: wizard page 'Which event trace providers would you like to enable?' with an empty Providers list and Add, Remove and Edit buttons]

 

 

  5. Click 'Add' and select your custom provider from the list of providers the operating system has enumerated (every registered provider). Our provider is listed because we already registered its manifest with the system in the earlier parts. Click OK to confirm the selection.

 

[Screenshot: 'Event Trace Providers' selection dialog listing the registered providers, with 'Working With ETW Provider' selected above the WPC and WPD trace providers]

 

[Screenshot: provider page with 'Working With ETW Provider' added and the default properties Keywords(Any) 0x0, Keywords(All) 0x0, Level 0x00, Properties 0x00000000]

 

 

  6. Configure the session to listen only for specific keywords and verbosity levels. Select the Keywords(Any) row in the Properties list and click 'Edit' to see the available keyword names. In our case only the two keywords defined in the instrumentation manifest are shown.

 

[Screenshot: Keywords(Any) edit dialog with Automatic and Manual options, listing the manifest keywords ApplicationsDevelopedForBankingDomain and Working With ETW Provider/Analytic; the Manual value reads 0x8000000000000001]

 

Tick the check box for both keyword values.

 

Similarly configure the required level. After the configuration your wizard page should look like the following. The resulting Keywords(Any) mask 0x8000000000000001 is the channel keyword the manifest compiler assigned to the Analytic channel (0x8000000000000000, the top bit) OR'd with the ApplicationsDevelopedForBankingDomain keyword (0x1); the Level 0x11 (17) is the custom level from the manifest, which Event Viewer later displays as 'Useful'.

 

[Screenshot: provider page after configuration: Keywords(Any) 0x8000000000000001, Keywords(All) 0x0, Level 0x11, Properties 0x00000000]

 

 

Click on 'Next' button.

 

  7. Provide the directory path where you want to save the collected event data. The value you give here matters if you want to view your events with Windows Event Viewer; to do so, use the following directory path (the same folder where the Windows Event Log service keeps its own channel log files):

 

%SystemRoot%\System32\Winevt\Logs\

 

Wizard page after providing the directory path:

 

[Screenshot: wizard page 'Where would you like the data to be saved?' with Root directory set to %SystemRoot%\System32\Winevt\Logs\]

 

Click on 'Next' button.

 

  8. Change the option to 'Start this data collector set now' as shown in the image below and click 'Finish'.

 

[Screenshot: final wizard page 'Create the data collector set?' with Run as <Default> and the options 'Open properties for this data collector set', 'Start this data collector set now' and 'Save and close']

 

 

We are done creating the trace session, and it is up and running, ready to collect the events published by your custom provider.

 

[Screenshot: Event Trace Sessions list with 'Trace session for custom provider' shown as Running]

 

At this point, if you run the console application we created earlier, the trace session will collect all the events the application publishes.
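The same trace session can be created from the command line, which is how you would script it on a build or test machine. The following PowerShell is an added example and not code from the original post: it wraps logman.exe (the built-in command-line controller) with the session name, provider name, keyword mask, level and output directory used in the wizard steps above. The .etl file name and the function names are this example's own choices; the rest of the values come from the post.

```powershell
# Added example: command-line equivalent of the perfmon wizard, using logman.exe.
# Values below are the ones used in the wizard; adjust them for your own manifest.
$SessionName  = 'Trace session for custom provider'
$ProviderName = 'Working With ETW Provider'
$KeywordsAny  = '0x8000000000000001'   # Analytic channel keyword | ApplicationsDevelopedForBankingDomain
$Level        = '0x11'                 # custom level 17, shown as "Useful" in Event Viewer
$OutputFile   = Join-Path $env:SystemRoot 'System32\Winevt\Logs\CustomProvider.etl'  # assumed file name

function Test-CanControlTrace {
    # Starting a trace session needs an elevated token, or membership in the
    # built-in "Performance Log Users" group (SID S-1-5-32-559). Checking first
    # turns a bare "Access is denied" from logman into an explained failure.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $admin     = [Security.Principal.WindowsBuiltInRole]::Administrator
    $perfLog   = New-Object Security.Principal.SecurityIdentifier('S-1-5-32-559')
    return ($principal.IsInRole($admin) -or $principal.IsInRole($perfLog))
}

function Start-CustomProviderTrace {
    if (-not (Test-CanControlTrace)) {
        throw 'Run from an elevated prompt or as a member of Performance Log Users.'
    }
    # -ets sends the request straight to the ETW subsystem: the session starts at
    # once and is not saved as a Data Collector Set. Drop -ets to create a persistent
    # set (what the wizard does) and start it later with "logman start <name>".
    & logman.exe create trace $SessionName -p $ProviderName $KeywordsAny $Level -o $OutputFile -ets
    if ($LASTEXITCODE -ne 0) { throw "logman create failed with exit code $LASTEXITCODE" }
}

function Get-CustomProviderTraceStatus {
    # Shows the session's providers, keyword mask and level as ETW actually sees
    # them; this is where to verify the wizard (or the command above) did what you meant.
    & logman.exe query $SessionName -ets
}

function Stop-CustomProviderTrace {
    # Stopping the session flushes its buffers to the .etl file.
    & logman.exe stop $SessionName -ets
    if ($LASTEXITCODE -ne 0) { throw "logman stop failed with exit code $LASTEXITCODE" }
}

Start-CustomProviderTrace
Get-CustomProviderTraceStatus
# ... run the console application from the earlier parts here ...
Stop-CustomProviderTrace
```

`logman query providers` lists every registered provider name and GUID if you are unsure of the exact provider name; `logman query -ets` lists the running sessions, the same view as the Event Trace Sessions node in Performance Monitor.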

Working with a consumer application

 

Once we have created a trace session for an event provider, all the events from that provider are collected by the session and written to log files. We will use Windows Event Viewer as the consumer application to view the events published by our console application. Use the following steps to view the events.

 

  1. Open Windows Event Viewer by running eventvwr.exe from a command prompt.

 

  2. Expand the 'Applications and Services Logs' node. You will see a new entry for the channel you defined in the instrumentation manifest. Expand 'Working With ETW Provider' and select the 'Analytic' node to view all the events published by our console application. If the Analytic node is not visible, turn on View -> 'Show Analytic and Debug Logs'; if it is visible but empty, right-click it and choose 'Enable Log', because analytic channels are disabled by default.

 

[Screenshot: Event Viewer with Applications and Services Logs > Working With ETW Provider > Analytic selected. The list shows events from source 'Working With ETW Provider' at level 'Useful' (15-03-2012 01:42:07 and 15-03-2012 17:09:52). The selected Event 1 reads 'Person Eat Event. Person First Name Arun, Person Last Name Malik'; Log Name: Working With ETW Provider/Analytic, Event ID: 1, Task Category: Component Person, with 'Operation Eat' shown among the keyword/opcode fields]
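The Event Viewer steps can be checked and scripted from PowerShell as well. This is an added example, not code from the original post: it confirms the manifest registration with Get-WinEvent -ListProvider, enables the Analytic channel with wevtutil.exe (the same operation as 'Enable Log' in Event Viewer), reads the channel, and decodes a trace-session .etl directly. The .etl path and the function names are this example's own assumptions; the provider and channel names are the ones used throughout the post.

```powershell
# Added example: command-line consumer for the channel shown in Event Viewer above.
$ProviderName = 'Working With ETW Provider'
$ChannelName  = 'Working With ETW Provider/Analytic'
$EtlFile      = Join-Path $env:SystemRoot 'System32\Winevt\Logs\CustomProvider.etl'  # assumed file name

function Get-ProviderManifestSummary {
    # Proves the manifest is registered (wevtutil im) and lists the keywords and
    # levels ETW knows about: the values a trace session filters on.
    $p = Get-WinEvent -ListProvider $ProviderName
    [PSCustomObject]@{
        Provider = $p.Name
        Id       = $p.Id
        Channels = $p.LogLinks | ForEach-Object { $_.LogName }
        Keywords = $p.Keywords | ForEach-Object { '{0} = 0x{1:X16}' -f $_.Name, $_.Value }
        Levels   = $p.Levels   | ForEach-Object { '{0} = {1}' -f $_.Name, $_.Value }
    }
}

function Enable-AnalyticChannel {
    # Analytic channels are disabled by default and hidden in Event Viewer until
    # View -> "Show Analytic and Debug Logs" is ticked. "wevtutil sl <log> /e:true"
    # is what the "Enable Log" action does; "wevtutil gl <log>" shows the state.
    & wevtutil.exe sl $ChannelName /e:true
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }
    & wevtutil.exe gl $ChannelName
}

function Get-CustomProviderEvents {
    param([int]$MaxEvents = 20)
    # Analytic and Debug logs can only be read oldest-first; Get-WinEvent refuses
    # to open them without -Oldest.
    Get-WinEvent -LogName $ChannelName -Oldest -MaxEvents $MaxEvents |
        Select-Object TimeCreated, Id, LevelDisplayName, TaskDisplayName, OpcodeDisplayName,
                      @{ n = 'Keywords'; e = { $_.KeywordsDisplayNames -join ',' } }, Message
}

function Get-EventsFromEtl {
    # The .etl written by a trace session decodes the same way, provided the
    # provider's manifest is registered on the machine doing the reading.
    if (Test-Path $EtlFile) {
        Get-WinEvent -Path $EtlFile -Oldest | Select-Object TimeCreated, Id, ProviderName, Message
    }
}

Get-ProviderManifestSummary | Format-List
Enable-AnalyticChannel
Get-CustomProviderEvents | Format-Table -AutoSize
Get-EventsFromEtl | Format-Table -AutoSize
```

If Get-WinEvent -ListProvider reports that the provider is not found, the manifest was not registered on this machine (see the earlier parts), and neither Event Viewer nor Get-WinEvent will be able to render the event messages; the trace session still records the raw events, but they decode to empty messages.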
