Windows Kernel Trace

Apr 18, 2013 at 3:15 AM
I want to do real time processing from the "Windows Kernel Trace" provider, particularly for syscalls. I am using the EtwRaw_RealTime program as a template but can't seem to figure out how to get it working with the Windows Kernel Trace provider. All I ever get is the following error: "Unhandled Exception: System.ComponentModel.Win32Exception: The instance name passed was not recognized as valid by a WMI data provider".

How can I use Tx with the Windows Kernel Trace provider?
Coordinator
Apr 24, 2013 at 9:29 PM
After some experimentation, it looks like the session name must be "NT Kernel Logger".
This looks hardcoded either in Windows or at least in logman.exe.

The following worked:
    using System;
    using System.Diagnostics;
    using Tx.Windows;

    class Program
    {
        static void Main()
        {
            // Start a real-time ("-rt") kernel session; the session name must be "NT Kernel Logger".
            // "-nb 2 2" and "-bs 1024" set buffer count and size (KB), 0xff is the kernel keyword mask,
            // and "-ets" creates and starts the session immediately instead of saving a data collector.
            Process logman = Process.Start(
                "logman.exe",
                "create trace \"NT Kernel Logger\" -rt -nb 2 2 -bs 1024 -p \"Windows Kernel Trace\" 0xff -ets");
            logman.WaitForExit();

            // Attach Tx to the running session and print each raw event as it arrives.
            IObservable<EtwNativeEvent> session = EtwObservable.FromSession("NT Kernel Logger");
            using (session.Subscribe(e => Console.WriteLine("{0} {1} {2}", e.TimeStamp, e.ProviderId, e.Id)))
            {
                Console.ReadLine();
            }
        }
    }
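The following is an added example, not the Coordinator's code, that applies the same "NT Kernel Logger" session to the syscall question from the original post: it enables only the kernel system-call keyword, filters the raw events down to the syscall enter/exit pair, reports a per-second count, and stops the session on exit. It assumes EtwNativeEvent exposes Opcode, that the PerfInfo group GUID and the SysCallEnter/SysCallExit opcodes (51/52) match the classic kernel trace schema, and that 0x80 is EVENT_TRACE_FLAG_SYSTEMCALL; verify these against evntrace.h and the Tx version you use.

```csharp
using System;
using System.Diagnostics;
using System.Reactive.Linq;
using Tx.Windows;

class SyscallRateMonitor
{
    // Classic kernel events carry no manifest Id: they are identified by the event group GUID
    // (ProviderId) plus the Opcode. Values below are assumed from the kernel trace schema; verify locally.
    static readonly Guid PerfInfoGuid = new Guid("ce1dbfb4-137e-4da6-87b0-3f59aa102cbc");
    const byte SysCallEnter = 51;
    const byte SysCallExit = 52;
    const uint SystemCallFlag = 0x80; // EVENT_TRACE_FLAG_SYSTEMCALL (assumed from evntrace.h)

    static void Logman(string args)
    {
        using (Process p = Process.Start("logman.exe", args)) p.WaitForExit();
    }

    static void Main()
    {
        // A stale "NT Kernel Logger" session makes the create call fail, so stop any leftover first.
        Logman("stop \"NT Kernel Logger\" -ets");
        Logman(string.Format(
            "create trace \"NT Kernel Logger\" -rt -nb 2 2 -bs 1024 -p \"Windows Kernel Trace\" 0x{0:x} -ets",
            SystemCallFlag));
        try
        {
            IObservable<EtwNativeEvent> syscalls = EtwObservable.FromSession("NT Kernel Logger")
                .Where(e => e.ProviderId == PerfInfoGuid &&
                            (e.Opcode == SysCallEnter || e.Opcode == SysCallExit));

            // Syscall tracing is very high volume; aggregate per second rather than printing each event.
            IObservable<int> perSecond = syscalls.Buffer(TimeSpan.FromSeconds(1)).Select(b => b.Count);
            using (perSecond.Subscribe(n => Console.WriteLine("{0:HH:mm:ss} syscall events/s: {1}", DateTime.Now, n)))
            {
                Console.WriteLine("Tracing syscalls; press Enter to stop.");
                Console.ReadLine();
            }
        }
        finally
        {
            // Always tear the session down, otherwise it keeps running after the process exits.
            Logman("stop \"NT Kernel Logger\" -ets");
        }
    }
}
```

Run it from an elevated prompt, since creating a kernel session requires administrator rights.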
Apr 24, 2013 at 9:41 PM
Excellent! Thank you for this information -- using "Nt Kernel Logger" as the name also matches what I found going through the source code for TraceEvent. It is always the simplest things that trip me up. Many thanks.