Introduction to and usage of Event Tracing for Windows (1)

Source: Internet
Author: User

Although most Windows developers know that Event Tracing for Windows (ETW) is a logging and event-tracing facility, many administrators have never heard of it, or simply assume that ETW is just one part of the event logging that the operating system provides. ETW runs in the kernel and traces events raised by user-mode applications, the operating system kernel, and kernel-mode device drivers.

Several core operating system components and third-party applications use ETW for event logging and tracing. In its first release ETW was available only in checked builds of Windows, but it is now a built-in facility of every Windows version.

Event Tracing for Windows (ETW)

When troubleshooting a Windows server there is often not much information to go on, and the administrator does his best to collect whatever might identify the fault. This is why we have a range of tools, such as Process Monitor, Process Resource Manager, Performance Monitor (PerfMon) and Performance Analysis of Logs (PAL), that help us get more information than the event logs alone provide; unfortunately, sometimes we still need more.

ETW can collect sufficient information without any additional tooling and has several advantages, for example:

  • It uses per-processor kernel buffers in the non-paged pool, so tracing is not affected by application crashes or hangs
  • Extremely low CPU overhead
  • Available on the x86, x64 and IA64 architectures
  • Tracing can be enabled and disabled without restarting the application

ETW seems like a great tool, but it has one drawback: there is no graphical interface or wizard. In addition, the raw trace data must be processed before any analysis results can be output.

To turn the trace into readable results you need a consumer. Windows Server ships a consumer named tracerpt.exe. Because the tracerpt command produces specific output formats, it is important to be familiar with both the Tracerpt and Logman tools; they are built into Windows Server 2003 and later systems, including Windows 7 and Vista.

It is equally important to understand the ETW architecture, shown in Figure 1. The controller is the component used to start and stop a tracing session. On Windows Server 2003 and 2008 the controller tool is logman.exe.


Figure 1. ETW Architecture

Windows Server 2003 also contains a small number of event providers that return specific events, including the following providers related to Active Directory:

  • Active Directory: Core
  • Active Directory: Kerberos
  • Active Directory: SAM
  • Active Directory: NetLogon

For example, specifying Active Directory: Kerberos as the provider returns only Kerberos-specific events.

The available event providers vary with the Windows version. For example, Windows Server 2003 has 22 providers while Windows Server 2008 has 387, which gives more powerful tracing and a wider tracing scope. However, where LDAP traffic is involved, the Active Directory: Core provider is essentially the same on both Windows versions.

You can also bind multiple event providers to one trace. Because Kerberos authentication was mentioned in the example above, I again use the Active Directory: Kerberos and Active Directory: Core providers here, this time with the logman command and its -pf parameter. The following is an example:

    logman create trace CoreKerb -pf c:\etw\input.txt -o c:\etw\coreKerb

The -pf parameter reads the list of providers from an input file (input.txt in this example). The format of that file is shown in Figure 2.


Figure 2. Input text file format
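The following script is an added example, not part of the original article, that walks through the controller and consumer roles described above and the multi-provider -pf procedure: it checks that the providers exist on the host, writes the input file, runs the session with logman.exe, and converts the resulting .etl with tracerpt.exe. The session name CoreKerb, the folder C:\etw, the input-file layout (one quoted provider name per line followed by a keyword mask and a level) and the 0xFFFFFFFF / 0xFF values are my own assumptions; the provider names are the ones the article lists.

```powershell
# Added example (not from the original article): a complete ETW session using
# the built-in controller (logman.exe) and consumer (tracerpt.exe).
# Assumptions: session name, folder, flag/level values and input-file layout
# are constructed for this example. Run from an elevated PowerShell prompt
# on the server being diagnosed.

$TraceName = 'CoreKerb'
$Dir       = 'C:\etw'
$InputFile = Join-Path $Dir 'input.txt'
$EtlBase   = Join-Path $Dir 'coreKerb'      # logman appends the .etl extension

New-Item -ItemType Directory -Path $Dir -Force | Out-Null

# 1. Check that the providers we intend to bind are registered on this host.
#    The provider list differs between Windows versions (22 on Server 2003,
#    387 on Server 2008), so do not assume a name from one version exists on another.
$Wanted    = @('Active Directory: Core', 'Active Directory: Kerberos')
$Installed = logman query providers | Out-String
foreach ($p in $Wanted) {
    if ($Installed -notmatch [regex]::Escape($p)) {
        throw "Provider '$p' is not registered here; review 'logman query providers'"
    }
}

# 2. Write the -pf input file: one provider per line, then the keyword (flags)
#    mask and the level. 0xFFFFFFFF / 0xFF is a constructed "capture everything"
#    setting; narrow it once you know which events you actually need.
@(
    '"Active Directory: Core"     0xFFFFFFFF 0xFF'
    '"Active Directory: Kerberos" 0xFFFFFFFF 0xFF'
) | Set-Content -Path $InputFile -Encoding ASCII

# 3. Controller: define the session with both providers, then start it.
logman create trace $TraceName -pf $InputFile -o $EtlBase
if ($LASTEXITCODE -ne 0) { throw "logman create failed with exit code $LASTEXITCODE" }
logman start $TraceName
if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }

# 4. Reproduce the problem while the session runs. Keep the window short:
#    the kernel buffers are cheap, but the .etl file grows with traffic.
Write-Host "Session '$TraceName' is tracing. Reproduce the problem, then press Enter to stop."
[void](Read-Host)

# 5. Stop the session and remove its definition so it does not linger on the server.
logman stop   $TraceName
logman delete $TraceName

# 6. Consumer: convert the binary .etl into CSV plus a per-provider summary.
$Etl = Get-ChildItem -Path $Dir -Filter 'coreKerb*.etl' |
       Sort-Object LastWriteTime | Select-Object -Last 1
if (-not $Etl) { throw "No .etl file was produced in $Dir" }

$Csv     = Join-Path $Dir 'coreKerb.csv'
$Summary = Join-Path $Dir 'coreKerb-summary.txt'
tracerpt $Etl.FullName -o $Csv -of CSV -summary $Summary
if ($LASTEXITCODE -ne 0) { throw "tracerpt failed with exit code $LASTEXITCODE" }

# The summary gives the event counts per provider; the CSV holds the individual events.
Get-Content $Summary
```

The provider check in step 1 is the part most worth keeping: a session created against a provider name that is not registered on that host silently records nothing, and the mismatch between Server 2003 and 2008 provider lists is the usual cause. Step 5 matters on production servers, since a forgotten session keeps consuming buffer space and disk until someone notices.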
