Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Windows - see active ETW sessions so that I can close one of them

Tags:

etw

I am working with Event Tracing for Windows API, and from time to time, I run my application and it does not manage to close the ETW trace controller session after opening it.

Basically I do ::StartTrace([out] handle...) and do not close that handle when I'm finished with it (closing done by using ::StopTrace() function)

I'm looking for a tool that shows me the active sessions so I can close it manually. Without it I have to restart my PC in order for the controller session to be closed at shutdown.

Also, i the same ETW area (on Win 7), I understand that I should be able to see the data layouts for public MOF descriptions using wbemtest.exe. There I am supposed to enter in

- Connect -> Namespace = \\root\wmi\EventTrace

to see MOF data. But I get "The RPC server is unavailable". Using in that screen the dafaults values: IWBemLocator(Namespaces), How to interpret passsword = null, Authentication level = packet.

In the credentials area I have user and Password (which I tried) but there is another empty field - Authority. Is there a way to see MOF data ? I runed this elevated under Win 7.

like image 480
Ghita Avatar asked Aug 07 '11 18:08

Ghita


People also ask

How do I disable ETW?

Many ways to disable ETW logging are publicly available from passing a TRUE boolean parameter into a nt! EtwpStopTrace function to finding an ETW specific structure and dynamically modifying it or patching ntdll! ETWEventWrite or advapi32! EventWrite to return immediately thus stopping the user-mode loggers.

What are event trace sessions?

Event tracing sessions record events from one or more providers that a controller enables. The session is also responsible for managing and flushing the buffers.

How do I enable ETW tracing?

The ETW Trace Listener supports circular logging. To enable this feature, go to Start, Run and type cmd to start a command console. In the following command, replace the <logfilename> parameter with the name of your log file. The -f and -max switches are optional.

What is a trace provider?

A trace provider is a component of a user-mode application or kernel-mode driver that uses Event Tracing for Windows (ETW) technology to generate trace messages or trace events. Typically, the trace events and messages report discrete actions of the provider.


1 Answers

You can use the command logman query -ets to see a list of currently running Trace Event Sessions. For example, on Windows 10, you will see something like this:

C:\>logman query -ets

Data Collector Set                      Type                          Status
-------------------------------------------------------------------------------
AppModel                                Trace                         Running
FaceRecoTel                             Trace                         Running
FaceUnlock                              Trace                         Running
LwtNetLog                               Trace                         Running
Microsoft Security Client WMI Providers Trace                         Running
NtfsLog                                 Trace                         Running
TileStore                               Trace                         Running
WiFiSession                             Trace                         Running
SCM                                     Trace                         Running
UserNotPresentTraceSession              Trace                         Running
CldFltLog                               Trace                         Running
SHS-05042018-095434-7-5f                Trace                         Running
WDSC-05042018-095434-7-20               Trace                         Running
Diagtrack-Listener                      Trace                         Running
8696EAC4-1288-4288-A4EE-49EE431B0AD9    Trace                         Running
Cloud Files Diagnostic Event Listener   Trace                         Running

The command completed successfully.

If you have created you own session, for example by using Microsoft.Diagnostics.Tracing.Session.TraceEventSession, you will have given the session a unique name, and if it is running, you should see it in the list.

To kill an existing session, do this, as an administrator:

logman stop <SessionName> -ets

There are also some PowerShell Cmdlets, that can do similar things.

like image 162
nwsmith Avatar answered Oct 31 '22 10:10

nwsmith