Geoff Chappell - Software Analyst
Windows Vista has a greatly expanded scheme of logging events for performance monitoring and diagnostic analysis. The Windows Shell is a significant participant, but this is typically hidden even from expert users.
The most accessible event provider for the Windows Shell is Microsoft-Windows-Shell-Core. It receives contributions from roughly a dozen different executables. Some of this provider’s possible events are logged to the SQMLogger and some others are logged to the DiagLog and WdiContextLog. The SQMLogger is an auto-logger session that is ordinarily started only if you join the Customer Experience Improvement Program. The others are also auto-loggers, especially for the Windows Diagnostic Infrastructure (WDI). These logs are ordinarily configured to start automatically, but you can disable them, as for any auto-logger, by using the Reliability and Performance Monitor. To see all the possible events, you must either set up your own logging session or contrive to get the Event Viewer to list the default channel, which Microsoft has provided for but seems to have decided ought not to be fully configured.
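The auto-logger configuration and the private logging session described above, as an added PowerShell example that is not from the original article: it lists which auto-logger sessions enable the provider, then traces the provider in a session of its own. It assumes the standard ETW registry layout under WINEVT\Publishers and WMI\Autologger; the session name ShellCoreTrace and the output paths are hypothetical.

```powershell
# Added example. Assumed names: session "ShellCoreTrace", output files under %TEMP%.
$providerName = 'Microsoft-Windows-Shell-Core'
$publishers   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers'
$autologger   = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger'

# Each registered provider has a key named by its GUID whose default value is
# the provider name, so the GUID is looked up rather than hard-coded.
$guid = Get-ChildItem $publishers |
    Where-Object { (Get-ItemProperty -LiteralPath $_.PSPath).'(default)' -eq $providerName } |
    Select-Object -First 1 -ExpandProperty PSChildName
if (-not $guid) { throw "Provider '$providerName' is not registered on this system." }

# An auto-logger enables a provider through a subkey named by the provider GUID.
# Start = 1 on the session key means the session starts at boot.
$sessions = foreach ($session in Get-ChildItem $autologger) {
    $providerKey = Join-Path $session.PSPath $guid
    if (-not (Test-Path -LiteralPath $providerKey)) { continue }
    $s = Get-ItemProperty -LiteralPath $session.PSPath
    $p = Get-ItemProperty -LiteralPath $providerKey
    [pscustomobject]@{
        Session         = $session.PSChildName
        StartsAtBoot    = ($s.Start -eq 1)
        ProviderEnabled = ($p.Enabled -eq 1)
        Level           = $p.EnableLevel
        MatchAnyKeyword = if ($null -ne $p.MatchAnyKeyword) { '0x{0:X}' -f $p.MatchAnyKeyword } else { $null }
    }
}
$sessions | Format-Table -AutoSize

# A private session with every keyword and level enabled is not limited to the
# subsets that the auto-loggers collect. Run from an elevated prompt.
$etl = Join-Path $env:TEMP 'ShellCoreTrace.etl'
$xml = Join-Path $env:TEMP 'ShellCoreTrace.xml'
logman start ShellCoreTrace -p $providerName '0xffffffffffffffff' '0xff' -o $etl -ets
Read-Host 'Exercise the shell, then press Enter to stop the trace'
logman stop ShellCoreTrace -ets

# Decode the binary trace to XML for reading.
tracerpt $etl -o $xml -of XML -y
```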
All the Windows Shell executables have code for WPP Software Tracing. Some, such as SHELL32.DLL, contribute to two trace providers. In turn, each provider acts for multiple executables. As usual for WPP Software Tracing, these providers are not configured for use with tools such as the Event Viewer. The data they collect is arguably useful only to Microsoft’s own programmers who work on the source code or at least have it available for reference.