How to create an ETW session that is both real-time and saved to ETL?
I am writing an ETW viewer (with a focus on real-time viewing), and I am using the Microsoft.Diagnostics.Tracing.TraceEvent .NET library because it looks like it has the most thorough support for parsing trace events. However, the one thing that I can't seem to do is create a real-time session that also logs to an ETL file. I have gotten multiple feature requests for this because my users want to watch their tracing in real-time but also have the ETL available to share if they encounter a bug.
The ability to do this is documented on the EVENT_TRACE_PROPERTIES struct:
If you specify only real-time logging and also provide an offset with a valid log file name, ETW will use the log file name to create a sequential log file and log events to the log file in addition to sending the events to real-time consumers. ETW also creates the sequential log file if LogFileMode is 0 and you provide an offset with a valid log file name.
As far as I can tell, this is not supported by Microsoft.Diagnostics.Tracing.TraceEvent. Is this something that could be added? It's a simple change to support through the Win32 API, but I don't know how much of this library has assumptions that they are mutually exclusive.
@brycehutchings I was not aware that this is possible at the win32 level. Can you point me to the documentation that describes this? Thanks.
@brianrob Sorry for the delay--I missed your response. The documentation from my earlier quote is from here:
https://learn.microsoft.com/en-us/windows/win32/api/evntrace/ns-evntrace-event_trace_properties
Scroll down to the LogFileNameOffset section.
If you specify only real-time logging and also provide an offset with a valid log file name, ETW will use the log file name to create a sequential log file and log events to the log file in addition to sending the events to real-time consumers. ETW also creates the sequential log file if LogFileMode is 0 and you provide an offset with a valid log file name.
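The documented behaviour quoted in this thread, shown as an added example that is not part of the thread or of the TraceEvent library: a direct P/Invoke call to `StartTraceW` with `LogFileMode` set to real-time only and `LogFileNameOffset` pointing at a file name. The session name and ETL path are constructed values, and the code assumes an elevated process on Windows.

```csharp
using System;
using System.Runtime.InteropServices;

static class RealTimePlusEtlSession
{
    const uint WNODE_FLAG_TRACED_GUID = 0x00020000, EVENT_TRACE_REAL_TIME_MODE = 0x00000100;
    const uint EVENT_TRACE_CONTROL_STOP = 1;
    [StructLayout(LayoutKind.Sequential)]
    struct WNODE_HEADER {
        public uint BufferSize, ProviderId; public ulong HistoricalContext; public long TimeStamp;
        public Guid Guid; public uint ClientContext, Flags;
    }
    [StructLayout(LayoutKind.Sequential)]
    struct EVENT_TRACE_PROPERTIES {
        public WNODE_HEADER Wnode;
        public uint BufferSize, MinimumBuffers, MaximumBuffers, MaximumFileSize, LogFileMode, FlushTimer, EnableFlags;
        public int AgeLimit;
        public uint NumberOfBuffers, FreeBuffers, EventsLost, BuffersWritten, LogBuffersLost, RealTimeBuffersLost;
        public IntPtr LoggerThreadId;
        public uint LogFileNameOffset, LoggerNameOffset;
    }
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern uint StartTraceW(out ulong handle, string sessionName, IntPtr properties);
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern uint ControlTraceW(ulong handle, string sessionName, IntPtr properties, uint code);

    static void Main()
    {
        string session = "ExampleRealTimeSession";       // constructed session name
        string etlPath = @"C:\Temp\example-session.etl"; // constructed path; directory must exist
        int structSize = Marshal.SizeOf<EVENT_TRACE_PROPERTIES>();
        int nameBytes = (session.Length + 1) * 2, fileBytes = (etlPath.Length + 1) * 2;
        int total = structSize + nameBytes + fileBytes;  // struct + session name + file name
        IntPtr buf = Marshal.AllocHGlobal(total);
        try {
            Marshal.Copy(new byte[total], 0, buf, total);             // zero the whole buffer
            var props = new EVENT_TRACE_PROPERTIES();
            props.Wnode.BufferSize = (uint)total;
            props.Wnode.Flags = WNODE_FLAG_TRACED_GUID;
            props.Wnode.ClientContext = 1;                            // QPC timestamps
            props.LogFileMode = EVENT_TRACE_REAL_TIME_MODE;           // real-time only ...
            props.LoggerNameOffset = (uint)structSize;                // StartTrace copies the name here
            props.LogFileNameOffset = (uint)(structSize + nameBytes); // ... plus a valid file name
            Marshal.StructureToPtr(props, buf, false);
            Marshal.Copy(etlPath.ToCharArray(), 0, buf + structSize + nameBytes, etlPath.Length);
            uint rc = StartTraceW(out ulong handle, session, buf);    // 0 = ERROR_SUCCESS
            Console.WriteLine($"StartTrace returned {rc}");
            if (rc != 0) return;
            Console.ReadLine(); // enable providers and attach a real-time consumer while this waits
            ControlTraceW(handle, null, buf, EVENT_TRACE_CONTROL_STOP); // stop and flush the ETL
        } finally { Marshal.FreeHGlobal(buf); }
    }
}
```

The ETL file receives every event the enabled providers emit, so place it in a directory whose ACL matches the sensitivity of that data.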