New and Updated in May 2020

After a long break both for paid work and to move house, what do I take up? Yes, Event Tracing for Windows!

Regular readers will know ETW as a long-held interest that I keep returning to every few years. Some measure of how long-held is that I resurrect some previously unpublished notes from 2008. It’s certainly not clear to me why I left any of this unpublished—at all, let alone for so long. One of them was both sufficiently correct and complete for publication, albeit only of how things stood for Windows Vista. Apparently I put it aside for lack of having a deserving place for it. The Kernel section of the site did not yet exist, but plainly this page was for programmers and did not belong in the Notes. That’s where the roughly contemporaneous Event Trace Security has languished all these years. Though that page was written for users, it always did deserve more attention than the quick write-up I gave it in 2008. I have now reworked it: the old page is retired.

Very plausibly, I am now letting the pendulum swing too far in the opposite direction: unhappy at seeing how much work I started on ETW well over a decade ago only to leave it unpublished, I am now presenting even very rough material. My inevitable unhappiness with this extreme may, if nothing else, keep prodding me to keep revisiting all this rough work to bring it up to some reasonable quality. If only I had time!

What’s really damning is that even any, let alone much, of this rough work from 2008 has details that are still new to the Internet. It just should not be possible that material I’ve left to go moldy at the bottom of a virtual desk drawer for a decade can have any sense of being new. But please don’t mistake that I call damnation on Microsoft. They do surely deserve some for keeping so much ETW functionality as special to their diagnostic tools instead of being available for a market in third-party tools, but what I damn is a whole industry that meekly or ignorantly lets this happen.

Kernel Mode

Win32