Geoff Chappell, Software Analyst
Event Tracing for Windows
The functional interface that supports Event Tracing for Windows (ETW) in user
mode began in ADVAPI32.DLL. The exported functions are all documented. They were
all introduced for version 5.0, i.e., for Windows 2000, unless otherwise noted.
- CloseTrace
- ControlTrace
- EnableTrace
- EnableTraceEx (6.0)
- EnumerateTraceGuids (5.1)
- EnumerateTraceGuidsEx (6.0)
- EventAccessControl (6.0)
- EventAccessQuery (6.0)
- EventAccessRemove (6.0)
- FlushTrace (5.1)
- OpenTrace
- ProcessTrace
- QueryAllTraces
- QueryTrace (5.1)
- RemoveTraceCallback
- SetTraceCallback
- StartTrace
- StopTrace (5.1)
- UpdateTrace (5.1)
Microsoft’s documentation would have it that QueryTrace, StopTrace and
UpdateTrace are originals, i.e., present in version 5.0. They are not: all three
are new for version 5.1. They are, however, available to code written for Windows
2000 as macros (each expanding to a call to ControlTrace with the corresponding
EVENT_TRACE_CONTROL_* code) if the symbol __TRACE_W2K_COMPATIBLE is defined
before including EVNTRACE.H.
ADVAPI32 also exports the following ETW functions as forwards to NTDLL. Some
of these functions have implementations in ADVAPI32 in early versions; others have
never existed except as forwards to NTDLL. The target functions in NTDLL are not
documented (few NTDLL functions are), and two of the forwarded functions,
EventWriteEndScenario and EventWriteStartScenario, are not documented even as
exports from ADVAPI32.
- CreateTraceInstanceId forwarded to
EtwCreateTraceInstanceId (5.2 and higher)
- EventActivityIdControl (6.0) forwarded to
EtwEventActivityIdControl
- EventEnabled (6.0) forwarded to
EtwEventEnabled
- EventProviderEnabled (6.0) forwarded to
EtwEventProviderEnabled
- EventRegister (6.0) forwarded to
EtwEventRegister
- EventUnregister (6.0) forwarded to
EtwEventUnregister
- EventWrite (6.0) forwarded to
EtwEventWrite
- EventWriteEndScenario (6.0) forwarded to
EtwEventWriteEndScenario
- EventWriteStartScenario (6.0) forwarded to
EtwEventWriteStartScenario
- EventWriteString (6.0) forwarded to
EtwEventWriteString
- EventWriteTransfer (6.0) forwarded to
EtwEventWriteTransfer
- GetTraceEnableFlags forwarded to
EtwGetTraceEnableFlags (5.2 and higher)
- GetTraceEnableLevel forwarded to
EtwGetTraceEnableLevel (5.2 and higher)
- GetTraceLoggerHandle forwarded to
EtwGetTraceLoggerHandle (5.2 and higher)
- RegisterTraceGuids forwarded to
EtwRegisterTraceGuids (5.2 and higher)
- TraceEvent forwarded to
EtwTraceEvent (5.2 only) or
EtwLogTraceEvent (6.0 and higher)
- TraceEventInstance forwarded to
EtwTraceEventInstance (5.2 and higher)
- TraceMessage (5.1) forwarded to
EtwTraceMessage (5.2 and higher)
- TraceMessageVa (5.1) forwarded to
EtwTraceMessageVa (5.2 and higher)
- UnregisterTraceGuids forwarded to
EtwUnregisterTraceGuids (5.2 and higher)
Some of the functions that are nowadays implemented in ADVAPI32 are forwarded
to NTDLL in version 5.2 only. This is here treated as anomalous: the functionality
was moved to NTDLL for version 5.2 and then restored to ADVAPI32, such that the
target functions do not exist in NTDLL version 6.0.
- ControlTrace forwarded to
EtwControlTrace (5.2 only)
- EnableTrace forwarded to
EtwEnableTrace (5.2 only)
- EnumerateTraceGuids (5.1) forwarded to
EtwEnumerateTraceGuids (5.2 only)
- FlushTrace (5.1) forwarded to
EtwFlushTrace (5.2 only)
- QueryAllTraces forwarded to
EtwQueryAllTraces (5.2 only)
- QueryTrace (5.1) forwarded to
EtwQueryTrace (5.2 only)
- StartTrace forwarded to
EtwStartTrace (5.2 only)
- StopTrace (5.1) forwarded to
EtwStopTrace (5.2 only)
- UpdateTrace (5.1) forwarded to
EtwUpdateTrace (5.2 only)
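The forwards listed above can be checked on any given ADVAPI32.DLL by walking its export directory: a forwarded export has no code in ADVAPI32 at all, only a "NTDLL.EtwXxx" string, so a hook or patch on the NTDLL target also covers every caller that imported the function from ADVAPI32. The following script is an added example, not code from this page; it parses a PE export table, reports the forwards into NTDLL's Etw* family, and, so that it runs offline, builds a tiny PE32+ image from a made-up SAMPLE_EXPORTS table (constructed data mirroring a few entries above). Pass a real DLL path to inspect an actual file.

```python
"""PE export-table walker that reports forwarded exports, e.g. ADVAPI32's
EventWrite -> NTDLL.EtwEventWrite. Added example, not code from this page.
The PE32+ image it checks is constructed inline (SAMPLE_EXPORTS is made up);
run it with a path argument to list the Etw* forwards of a real DLL."""
import struct
import sys
from typing import Dict, Optional

Exports = Dict[str, Optional[str]]   # name -> "DLL.Target" for a forward, else None


def _rva_to_offset(sections, rva: int) -> int:
    """Map an RVA to a file offset using the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_exports(image: bytes) -> Exports:
    """Walk the export directory. The loader treats an export whose 'address'
    RVA lies inside the export directory as a forwarder: the bytes there are a
    'DLL.Function' string, not code."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]              # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)                 # data directories: PE32+ vs PE32
    exp_rva, exp_size = struct.unpack_from("<II", image, dd)   # entry 0 = export table
    sections = []
    for i in range(nsections):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    exp = _rva_to_offset(sections, exp_rva)
    _n_funcs, n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from("<IIIII", image, exp + 20)
    funcs, names, ords = (_rva_to_offset(sections, r) for r in (funcs_rva, names_rva, ords_rva))
    result: Exports = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, names + 4 * i)[0]
        ordinal = struct.unpack_from("<H", image, ords + 2 * i)[0]      # unbiased index
        func_rva = struct.unpack_from("<I", image, funcs + 4 * ordinal)[0]
        name = _cstr(image, _rva_to_offset(sections, name_rva))
        forwarded = exp_rva <= func_rva < exp_rva + exp_size
        result[name] = _cstr(image, _rva_to_offset(sections, func_rva)) if forwarded else None
    return result


def etw_forwards(exports: Exports) -> Exports:
    """Keep only exports that forward into NTDLL's Etw* family."""
    return {n: t for n, t in exports.items() if t and t.upper().startswith("NTDLL.ETW")}


def build_sample_dll(exports: Exports) -> bytes:
    """Construct a minimal PE32+ DLL whose only section is an export directory.
    Local (non-forwarded) exports get a dummy code RVA outside that directory."""
    sec_rva, sec_off = 0x1000, 0x200
    names = sorted(exports)                                    # name table must be sorted
    funcs_rva = sec_rva + 40
    names_rva = funcs_rva + 4 * len(names)
    ords_rva = names_rva + 4 * len(names)
    str_rva = ords_rva + 2 * len(names)
    strings = bytearray()
    name_rvas, func_rvas = [], []
    for n in names:
        name_rvas.append(str_rva + len(strings))
        strings += n.encode() + b"\0"
    for n in names:
        if exports[n] is None:
            func_rvas.append(0x2000)                           # pretend code lives here
        else:
            func_rvas.append(str_rva + len(strings))           # forwarder string inside the directory
            strings += exports[n].encode() + b"\0"
    dll_name_rva = str_rva + len(strings)
    strings += b"SAMPLE.DLL\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, len(names), len(names),
                       funcs_rva, names_rva, ords_rva)
    body += b"".join(struct.pack("<I", r) for r in func_rvas)
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(len(names)))
    body += bytes(strings)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)      # x64, 1 section, DLL
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    opt += struct.pack("<II", sec_rva, len(body)) + b"\0" * (15 * 8)     # export dir spans the body
    sec = b".edata\0\0" + struct.pack("<IIIIIIHHI", len(body), sec_rva, len(body), sec_off, 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + coff + opt + sec).ljust(sec_off, b"\0") + body


# Constructed sample mirroring a few entries from this page's list (not a real DLL).
SAMPLE_EXPORTS: Exports = {
    "EventRegister": "NTDLL.EtwEventRegister",
    "EventWrite": "NTDLL.EtwEventWrite",
    "TraceEvent": "NTDLL.EtwLogTraceEvent",
    "StartTrace": None,                                        # implemented locally
}

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dll(SAMPLE_EXPORTS)
    for name, target in sorted(etw_forwards(parse_exports(image)).items()):
        print(f"{name} -> {target}")
```

Run against a real file (`python forwards.py C:\Windows\System32\advapi32.dll` on Windows, or a copy of the DLL elsewhere) to compare a given version's forwards with the lists above; an export such as StartTrace that is implemented locally comes back with a target of None, while the 5.2-only forwards show up only when the file is from that version.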