Geoff Chappell, Software Analyst
Event Tracing for Windows
Much of the functional interface that supports Event Tracing for Windows (ETW)
in user mode is implemented in NTDLL.DLL. Some, but certainly not all, of these
NTDLL functions are forwarded from ADVAPI32, which exports them with a slight change
of name. Use of the ADVAPI32 functions should be preferred, if not on the principle
of using the highest-level interface for the job, then at least for the practical
reason that where Microsoft documents any of these functions, it is as exports from
ADVAPI32. Put another way, the interface boundary for ETW is at ADVAPI32. That the
actual work is done in NTDLL is just an implementation detail. This is not just theory:
functions have moved from ADVAPI32 to NTDLL and back again.
That said, the main reason these notes exist is that parts of the interface are
not documented at all or are sufficiently under-documented to have made it seem
worth attempting to infer properties of the interface from inspection of the implementation.
Because of this, these notes try more to categorise things as they are than as they
are said to be. The list that follows is of ETW functions implemented in NTDLL version
6.0, i.e., for Windows Vista. These functions are all new for version 6.0 unless
otherwise noted. Highlights indicate functions that appear to have no documentation,
even as ADVAPI32 exports, in the Windows SDK dated January 2007 for Windows Vista.
- EtwCreateTraceInstanceId (5.2) forwarded from CreateTraceInstanceId
- EtwDeliverDataBlock
- EtwEnumerateProcessRegGuids
- EtwEventActivityIdControl forwarded from EventActivityIdControl
- EtwEventEnabled forwarded from EventEnabled
- EtwEventProviderEnabled forwarded from EventProviderEnabled
- EtwEventRegister forwarded from EventRegister
- EtwEventUnregister forwarded from EventUnregister
- EtwEventWrite forwarded from EventWrite
- EtwEventWriteEndScenario forwarded from EventWriteEndScenario
- EtwEventWriteFull
- EtwEventWriteStartScenario forwarded from EventWriteStartScenario
- EtwEventWriteString forwarded from EventWriteString
- EtwEventWriteTransfer forwarded from EventWriteTransfer
- EtwGetTraceEnableFlags (5.2) forwarded from GetTraceEnableFlags
- EtwGetTraceEnableLevel (5.2) forwarded from GetTraceEnableLevel
- EtwGetTraceLoggerHandle (5.2) forwarded from GetTraceLoggerHandle
- EtwLogTraceEvent forwarded from TraceEvent
- EtwNotificationRegister
- EtwNotificationUnregister
- EtwpCreateEtwThread
- EtwpGetCpuSpeed
- EtwpNotificationThread
- EtwProcessPrivateLoggerRequest
- EtwRegisterSecurityProvider
- EtwRegisterTraceGuids (5.2) forwarded from RegisterTraceGuids
- EtwReplyNotification
- EtwSendNotification
- EtwSetMark
- EtwTraceEventInstance (5.2) forwarded from TraceEventInstance
- EtwTraceMessage (5.2) forwarded from TraceMessage
- EtwTraceMessageVa (5.2) forwarded from TraceMessageVa
- EtwUnregisterTraceGuids (5.2) forwarded from UnregisterTraceGuids
- EtwWriteUMSecurityEvent
NTDLL version 5.2 exports more functions, which are here treated as discontinued.
Most are forwards from ADVAPI32. Indeed, most have an earlier implementation in
ADVAPI32. They moved to NTDLL for version 5.2 and then back to ADVAPI32 for version
6.0, except for EtwTraceEvent, which was renamed to EtwLogTraceEvent.
- EtwControlTrace forwarded from ControlTrace
- EtwEnableTrace forwarded from EnableTrace
- EtwEnumerateTraceGuids forwarded from EnumerateTraceGuids
- EtwFlushTrace forwarded from FlushTrace
- EtwNotificationRegistration forwarded from WmiNotificationRegistration
- EtwpGetTraceBuffer
- EtwpSetHWConfigFunction
- EtwQueryAllTraces forwarded from QueryAllTraces
- EtwQueryTrace forwarded from QueryTrace
- EtwReceiveNotifications forwarded from WmiReceiveNotifications
- EtwStartTrace forwarded from StartTrace
- EtwStopTrace forwarded from StopTrace
- EtwTraceEvent forwarded from TraceEvent
- EtwUpdateTrace forwarded from UpdateTrace
Microsoft documents ETW as dating from Windows 2000, which indeed it does, but
ETW in Windows 2000 and Windows XP is not the work of NTDLL.