Kernel Event Tracing

Various components of the Windows kernel and several core device drivers are instrumented to record trace data of their operations for use in system troubleshooting. They rely on a common infrastructure in the kernel that provides trace data to the user-mode Event Tracing for Windows (ETW) facility. An application that uses ETW falls into one or more of three categories:

Controller A controller starts and stops logging sessions and manages buffer pools.
Provider A provider defines GUIDs (globally unique identifiers) for the event classes it can produce traces for and registers them with ETW. The provider accepts commands from a controller for starting and stopping traces of the event classes for which it’s responsible.
Consumer ...

Get Windows Internals, Fifth Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Windows Internals, Fifth Edition by David A. Solomon Mark E. Russinovich and Alex Ionescu

Kernel Event Tracing

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly