2

I am trying to set up a simple ETW and EventFlow example that allows specific ETW providers to be monitored. In this case the Service Control Manager ETW provider to monitor when Service Start and Stop messages are issued.

I have the following input configuration for Tracing and ETW.

  "inputs": [
{
  "type": "Trace",
  "traceLevel": "Warning"
},
{
  "type": "ETW",
  "providers": [
    {
      "providerName": "Service Control Manager"
    }
  ]
}]

I have the following code which is starting up monitoring using EventFlow. 

static void Main(string[] args)
    {
        using (var pipeline = DiagnosticPipelineFactory.CreatePipeline("eventFlowConfig.json"))
        {
            System.Diagnostics.Trace.TraceWarning("EventFlow is working!");
            Console.ReadLine();
        }
    }

The trace event is appearing in the console, but when I start and stop a service no ETW events are appearing.

Is EventFlow designed for this scenario on a local machine? If so what am i missing in my configuration or code?

The console process is running as administrator and the account has access to the Performance Log Users and Performance Log Monitors group

abatishchev
  • 98,240
  • 88
  • 296
  • 433
Adrian Russell
  • 3,995
  • 5
  • 25
  • 26

1 Answers1

2

If you want to listen for ETW events from the Service Control Manager, you'll need to listen for the provider named Microsoft-Windows-Services.

Here is what I have in my eventFlowConfig.json

{
"inputs": [
    {
    "type": "ETW",
    "providers": [
        { "providerName": "Microsoft-Windows-Services" }
    ]
    }
],
"filters": [],
"outputs": [
    { "type": "StdOutput" }
],
"schemaVersion": "2016-08-11",
"extensions": []
}

To check that it worked, I stopped and started SQL Server services. The events were output in the console as expected.

As an additional sanity check, you can use the Visual Studio Diagnostic Events viewer to listen for ETW events. Launch the viewer, click the cog to configure, add the provider name in the list of ETW Providers, and apply. You should now be able to see the same events in both the viewer and your console application.

Stringfellow
  • 2,788
  • 2
  • 21
  • 36
  • Finally got around to trying this, worked like a charm. Mentioning the Diagnostic Events viewer as a sanity check was really helpful. – Adrian Russell Nov 24 '17 at 11:02