10

I am working with Event Tracing for Windows API, and from time to time, I run my application and it does not manage to close the ETW trace controller session after opening it.

Basically I do ::StartTrace([out] handle...) and do not close that handle when I'm finished with it (closing is done by using the ::StopTrace() function)

I'm looking for a tool that shows me the active sessions so I can close it manually. Without it I have to restart my PC in order for the controller session to be closed at shutdown.

Also, in the same ETW area (on Win 7), I understand that I should be able to see the data layouts for public MOF descriptions using wbemtest.exe. There I am supposed to enter in

- Connect -> Namespace = \\root\wmi\EventTrace

to see MOF data. But I get "The RPC server is unavailable". Using in that screen the default values: IWBemLocator(Namespaces), How to interpret password = null, Authentication level = packet.

In the credentials area I have User and Password (which I tried) but there is another empty field - Authority. Is there a way to see MOF data? I ran this elevated under Win 7.

Ian Boyd
Ghita
  • Regarding the first question, I looked for such API / tool and failed to find any. – Uri Cohen Aug 11 '11 at 21:49
  • Regarding the second question I was able to see classes in root\wmi\EventTrace. I guess here are shown registered MOF-s. Just don't know how you see the MOF description (like the input file used when compiling with the MOF compiler). I used WMI CIM Studio for this. – Ghita Aug 29 '11 at 16:58

3 Answers

16

You can use the command logman query -ets to see a list of currently running Trace Event Sessions. For example, on Windows 10, you will see something like this:

C:\>logman query -ets

Data Collector Set                      Type                          Status
-------------------------------------------------------------------------------
AppModel                                Trace                         Running
FaceRecoTel                             Trace                         Running
FaceUnlock                              Trace                         Running
LwtNetLog                               Trace                         Running
Microsoft Security Client WMI Providers Trace                         Running
NtfsLog                                 Trace                         Running
TileStore                               Trace                         Running
WiFiSession                             Trace                         Running
SCM                                     Trace                         Running
UserNotPresentTraceSession              Trace                         Running
CldFltLog                               Trace                         Running
SHS-05042018-095434-7-5f                Trace                         Running
WDSC-05042018-095434-7-20               Trace                         Running
Diagtrack-Listener                      Trace                         Running
8696EAC4-1288-4288-A4EE-49EE431B0AD9    Trace                         Running
Cloud Files Diagnostic Event Listener   Trace                         Running

The command completed successfully.

If you have created your own session, for example by using Microsoft.Diagnostics.Tracing.Session.TraceEventSession, you will have given the session a unique name, and if it is running, you should see it in the list.

To kill an existing session, do this, as an administrator:

logman stop <SessionName> -ets

There are also some PowerShell cmdlets that can do similar things.

nwsmith
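As an added example (not code from the original question or answers), the following PowerShell script parses the logman query -ets output using the column layout shown in the answer above, lists the running trace sessions, and with -Stop ends those whose name matches a wildcard pattern, such as a session your own application started with StartTrace() and never closed with StopTrace(). The pattern 'MyApp*' is an assumed example name; English-locale logman output and an elevated prompt are assumed.

```powershell
# Added example (not from the original question or answers). Parses
# 'logman query -ets' using the header layout shown in the answer above,
# lists running trace sessions, and with -Stop ends those matching a
# wildcard pattern. 'MyApp*' is an assumed example name; English-locale
# logman output and an elevated PowerShell prompt are assumed.
param(
    [string]$NamePattern = 'MyApp*',
    [switch]$Stop
)

function Get-RunningEtwSessionNames {
    $lines  = & logman.exe query -ets 2>&1 | ForEach-Object { "$_" }
    $header = $lines | Where-Object { $_ -match '^Data Collector Set\s+Type\s+Status' } |
              Select-Object -First 1
    if (-not $header) { throw "Unexpected logman output:`n$($lines -join "`n")" }
    # Column offsets come from the header line, so a name with single spaces
    # in it (e.g. 'Microsoft Security Client WMI Providers') stays intact.
    $typeCol   = $header.IndexOf('Type')
    $statusCol = $header.IndexOf('Status')
    $names   = @()
    $inTable = $false
    foreach ($line in $lines) {
        if ($line -match '^-{10,}') { $inTable = $true; continue }
        if (-not $inTable) { continue }
        if ([string]::IsNullOrWhiteSpace($line)) { break }   # blank line ends the table
        if ($line.Length -le $statusCol) { continue }
        $name   = $line.Substring(0, $typeCol).Trim()
        $type   = $line.Substring($typeCol, $statusCol - $typeCol).Trim()
        $status = $line.Substring($statusCol).Trim()
        if ($type -eq 'Trace' -and $status -eq 'Running') { $names += $name }
    }
    return $names
}

$sessions = @(Get-RunningEtwSessionNames)
"$($sessions.Count) running trace session(s)."
$leaked = @($sessions | Where-Object { $_ -like $NamePattern })
if ($leaked.Count -eq 0) { "No running trace session matches '$NamePattern'."; return }
foreach ($name in $leaked) {
    if (-not $Stop) { "Running (re-run with -Stop to end it): $name"; continue }
    # Same command the answer recommends; the name is quoted because
    # session names may contain spaces.
    & logman.exe stop "$name" -ets | Out-Null
    if ($LASTEXITCODE -eq 0) { "Stopped: $name" }
    else { Write-Warning "Could not stop '$name' (logman exit code $LASTEXITCODE)" }
}
```

Without -Stop the script only reports matching sessions, which is a safe first run before ending anything that another component may still be using.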
4

The QueryAllTraces function retrieves the properties and statistics for all event tracing sessions started on the computer for which the caller has permissions to query.

May I suggest posting the second part of your question as a separate question?

Lars Truijens
  • This is an API to query for traces indeed. And there is also an API to close some WMI sessions. I was just wondering if there is an out-of-the-box tool that simplifies this for us (like WMI CIM Studio or smth) – Ghita Aug 29 '11 at 16:37
  • I believe logman query http://technet.microsoft.com/en-us/library/cc788030(WS.10).aspx or wevtutil el http://windowsecurity.com/articles/WEVTUTIL-Manage-Event-Logs.html can do that. Or the Event Viewer GUI – Lars Truijens Aug 29 '11 at 18:40
2

The tracelog command-line utility that comes along with the Windows SDK allows you to do the same thing as QueryAllTraces with the tracelog -l command.