
Question: How can I see all open ETW sessions, including their root paths? I'd expect some PowerShell command like Get-EtwTraceSession, but I don't see any.

Background

I work with the EventTracing API, and occasionally find myself out of sessions because of stuff installed on my machine.

This answer tells me I can run logman -ets to see the list of sessions, and then logman stop <SessionName> -ets to stop some sessions. That's good, but how can I know what a cryptically-named session is?

I can tediously query individual sessions, and get a clue from their root path:

```
> logman -ets SensorFramework-{c4eaa67d-dd9a-4fce-0002-000000000000}
(...)
Root Path:            C:\windows\CCM\SensorFramework  <<<< Aha! CCM = System Center Configuration Manager
```

But I'm looking for a more convenient solution.

Jonathan
  • The very answer you cross-link to mentions that [there are PowerShell cmdlets for ETW management](https://learn.microsoft.com/en-us/powershell/module/eventtracingmanagement/?view=win10-ps). – Tomalak May 18 '20 at 07:40
  • There are, like `Get-EtwTraceSession` that I mentioned, but none of those produces a list. – Jonathan May 18 '20 at 08:30

1 Answer


Solution: Do it through WMI:

```powershell
Get-WmiObject -Class MSFT_EtwTraceSession -Namespace ROOT/Microsoft/Windows/EventTracingManagement `
| sort -Property LocalFilePath `
| ft -AutoSize -Property Name,LocalFilePath
```

Note: This only sometimes works (I don't know what determines when), and sometimes only shows one session: Circular Kernel Context Logger. When it isn't working, Get-EtwTraceSession also shows only this session, presumably because it uses the same WMI object underneath.

Jonathan
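When the WMI class is in one of its unreliable moods, the `logman` route from the question still works and can be automated. The function below is an added example, not code from the question or the answer: it parses the session list from `logman query -ets`, runs `logman query <name> -ets` for each session and returns one object per session with its Root Path, so a cryptically named session can be tied to the product that owns it before anyone decides to stop it (security tooling such as EDR agents keeps ETW sessions open too, and stopping the wrong one blinds it). It assumes the English `logman` output layout shown in the question: a three-column list separated by runs of two or more spaces, and `Key:   value` detail lines including `Root Path:`.

```powershell
# Added example: list ETW trace sessions with their Root Path by driving logman.
# Assumes English logman output as shown in the question (Root Path: field,
# three-column "Data Collector Set / Type / Status" listing).
function Get-EtwSessionRootPath {
    [CmdletBinding()]
    param()

    # Session list: keep only data rows of type Trace; skip the header line,
    # the dashed separator, blank lines and the trailing status sentence.
    $sessions = foreach ($line in (& logman.exe query -ets)) {
        if ($line -notmatch '\S' -or $line -match '^-{5,}' -or
            $line -match '^Data Collector Set' -or $line -match '^The command') { continue }
        $cols = $line.Trim() -split '\s{2,}'
        if ($cols.Count -ge 3 -and $cols[1] -eq 'Trace') {
            [pscustomobject]@{ Name = $cols[0]; Status = $cols[2] }
        }
    }

    foreach ($s in $sessions) {
        # Per-session details arrive as "Key:   value" lines. Collect every
        # key into a hashtable (first occurrence wins, since the detail output
        # repeats some keys for nested collectors), then read Root Path from it.
        $detail = @{}
        foreach ($line in (& logman.exe query "$($s.Name)" -ets)) {
            if ($line -match '^(?<k>[A-Za-z ]+):\s+(?<v>.+)$') {
                $key = $Matches['k'].Trim()
                if (-not $detail.ContainsKey($key)) { $detail[$key] = $Matches['v'].Trim() }
            }
        }
        [pscustomobject]@{
            Name     = $s.Name
            Status   = $s.Status
            RootPath = $detail['Root Path']   # $null when logman printed no Root Path
        }
    }
}

# Usage: group sessions by where they log, which usually reveals the owning product.
Get-EtwSessionRootPath | Sort-Object RootPath | Format-Table -AutoSize Name, Status, RootPath
```

Run it from an elevated prompt; enumerating and querying trace sessions generally requires administrator rights or membership in Performance Log Users, and a non-elevated listing is incomplete.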