
I have a GUID of a provider, in Dotnet how do I listen to all events generated by that provider? I have two external tools that allow me to listen, one is tracelog from the SDK, I run

```
tracelog -start <providerName> -b 8192 -seq 2000 -f somefile.bin -guid #00000000,1111,2222,3333,444444555555
```

This tool simply enables the provider and returns. Then I run another custom/private tool (written in C++) that collects the events and logs them to a file in a pretty-formatted table. I am trying to port all of this to my dotnet application, but I am not able to listen to the events from this given provider. I tried looking at the MSDN documentation for EventProviderTraceListener; there is a code example in there, but I don't understand how that's supposed to enable me to listen to an arbitrary provider. I also saw this post about TraceEventSession, which I used to try the following code:

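```csharp
using System;
using Microsoft.Diagnostics.Tracing;          // TraceEventLevel
using Microsoft.Diagnostics.Tracing.Session;  // TraceEventSession
// Create a real-time ETW session and enable the provider by its GUID.
TraceEventSession traceEventSession = new TraceEventSession("myname");
traceEventSession.EnableProvider(new Guid("00000000-1111-2222-3333-444444555555"), TraceEventLevel.Always);
// A null filter applies no provider-name/event-name filtering to the callback.
traceEventSession.Source.Dynamic.AddCallbackForProviderEvents(null, @event =>
{
    System.Windows.Forms.MessageBox.Show("Event " + @event.EventName);
});
// Blocks and dispatches events to the registered callbacks until the session stops.
traceEventSession.Source.Process();
```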

The callback is invoked, but only twice, for a different provider GUID and for event names that my provider is not supposed to send (the event names are `EventTrace/BuildInfo` and `EventTrace/DbgIdRsds`). I also looked at this documentation, which shows how to listen in real time to the events from the kernel provider, and it looks like my code does the same things (although for a non-standard provider).

Why am I getting those two events, and how can I

  1. enable the event listening for the provider whose GUID I have, and
  2. capture all the events from that provider only? (the provider may be issuing events from usermode and/or kernelmode, I don't know if this makes a difference)

When I run the separate tools the collection works fine and all the events are captured without issues (they are generated quite frequently, every second, so it's not a matter of me not waiting long enough).

  • With [perfview](https://github.com/microsoft/perfview/releases/latest) you can also capture events and view them if you know the GUID – magicandre1981 Aug 16 '20 at 12:41
  • Perfview seems to have the same issues: if I use `TraceEventSession.Source.ObserveUnhandled` in my CS program I do see more "unhandled" events coming from the process that manages the GUID I request, but still they are not the ones I expect (furthermore, they come with an unknown provider). Perfview sees the same "unhandled" events, so it seems my capturing code works correctly (as perfview does); there must be some other issue. – Andy4983948 Aug 16 '20 at 22:03

0 Answers