Escape characters in ETW format strings?

c#,event-log,etw,etw-eventsource

The translation performed by the EventSource manifest generator is:

  {0} -> %1
  ...
  {n} -> %(n+1)
  & -> &amp;
  < -> &lt;
  > -> &gt;
  ' -> &apos;
  " -> &quot;

For reference, the conversion happens in string EventProviderBase.TranslateToManifestConvention(string). Then you end up at the message compiler. Escapes are as...

How to define names hierarchy in ETW EventSource?

c#,etw,etw-eventsource,perfview

This can't be done because ProviderName/Event/OpCode is the convention to show Events in PerfView. Microsoft-Windows-DotNETRuntime/GC/Start also follows this. Microsoft-Windows-DotNETRuntime is the provider, GC is the Event and Start is the OpCode. You can use Tasks to get a better output: public class Tasks { public const EventTask Connect = (EventTask)0x1;...

Why do strings not show in the event log for my custom log events?

.net-4.5,etw,etw-eventsource

Eureka! I had installed the manifest wrongly, thinking that, of the two switches for wevtutil, one repeated the manifest filename and the other contained the DLL filename. Actually, both should refer to the DLL. I'm now doing this in WiX using this markup: <Component Id="etwManifest.man" Guid="*"> <File Id="File.etwManifest.man" Source="$(var.Project.TargetDir)EventSource.Provider-Name.etwManifest.man" KeyPath="yes"...

How can I capture process names using the TraceEvent library?

c#,.net,etw,etw-eventsource

I truly believe that the process name is not being captured by the ETW log. The ETW system event contains only the process ID field. Although the TraceEvent library declares this one as a part of TraceEvent, this one actually is being populated based on the executable image filename and process ID, which is implemented...

Why the restriction on parameter type and count on EventSource Methods

c#,tracing,etw-eventsource

This is required to build the manifest file. The _EventSourceUsersGuide.docx explains it: Event methods must match exactly the types of the WriteEvent overload it calls, in particular you should avoid implicit scalar conversions; they are dangerous because the manifest is generated based on the signature of the ETW event method, but...