  • Introduction to Windows Tracing

    Trace log

    Stores the trace messages generated by one or more trace sessions. The system first places trace messages in the trace session buffer, then delivers them to a trace consumer or writes them to a trace log. These messages are compressed.

    Trace Provider

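    A trace provider is an application, operating system component, or driver that uses ETW to generate trace messages or trace events. A single trace session can contain multiple trace providers. A driver or application can create multiple trace providers; likewise, multiple drivers or applications can be part of a single trace provider, or share some of a trace provider's resources.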

    Trace consumers

    A trace consumer is an application or tool that receives messages from real-time trace sessions or from a trace log and then formats them into readable form.

    Trace Controllers

    A trace controller is an application or tool that manages trace sessions. Trace controllers enable trace providers; configure, start, and stop trace sessions; and query and update the properties of trace sessions.

    Trace Session

    There are three basic types of trace session: trace log sessions, real-time trace sessions, and buffered trace sessions. A single trace session can be a trace log session, a real-time trace session, or both. Buffered trace sessions are exclusive.

    In addition, there are private trace sessions and reserved trace sessions, such as the NT Kernel Logger trace session and Global Logger trace session, which can be run as log sessions or real-time sessions. You can use the standard tools to control these sessions and display the resulting trace messages.

    Trace log sessions: in a trace log session, trace messages are written from the trace buffer to a log file. This is the default, standard type of trace session.

    Real-time trace sessions: in a real-time trace session, trace messages are delivered directly to a trace consumer (for example, TraceView or Tracefmt).

    Buffered trace sessions: in a buffered trace session, trace messages are kept in the trace buffer; they are not written to a log or delivered to a trace consumer. Supported only on Vista and later.

    Trace flags

    Trace flags are properties of a trace provider, such as a driver, that determine which events the trace provider generates. The provider interprets the flags as conditions for generating the message.

    Typically, flags represent increasingly detailed reporting levels, but the provider can use the flags to represent any condition for generating the trace message.
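
    The roles defined above (controller, provider, session, flags, consumer) can be seen together in one trace log session driven by the built-in `logman` and `tracerpt` tools. This is an added example, not part of the original article; the session name, file paths, and choice of provider are assumptions, and it must be run from an elevated PowerShell prompt.

    ```powershell
    # Added example: names and paths below are assumptions, not from the article.
    $session  = 'DemoTraceSession'                    # hypothetical session name
    $etl      = Join-Path $env:TEMP 'DemoTrace.etl'   # trace log written by the session
    $report   = Join-Path $env:TEMP 'DemoTrace.xml'   # readable output from the consumer
    $provider = 'Microsoft-Windows-Kernel-Process'    # a provider that ships with Windows
    $flags    = '0x10'  # keyword mask: process events only (confirm with the query below)
    $level    = '4'     # 4 = Informational

    # Provider: list the flags (keywords) and levels this provider understands.
    logman query providers $provider

    # Controller: start a trace log session and enable the provider in it.
    # -ets talks to Event Trace Sessions directly instead of saving a collector set.
    logman start $session -p $provider $flags $level -o $etl -ets
    if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }

    try {
        # Controller: query the properties of the running session.
        logman query $session -ets

        # Generate some activity for the provider to report (a short-lived process).
        Start-Process -FilePath "$env:SystemRoot\System32\whoami.exe" -Wait -NoNewWindow
    }
    finally {
        # Controller: stop the session so the buffers are flushed to the trace log.
        logman stop $session -ets
    }

    # Consumer: read the compressed binary trace log and format it as XML.
    if (-not (Test-Path $etl)) { throw "Trace log not found: $etl" }
    tracerpt $etl -o $report -of XML -y
    Write-Output "Formatted trace written to $report"
    ```

    Adding `-rt` to the `logman start` line makes the session real-time as well, in which case `tracerpt -rt $session` can consume events without going through the log file.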

    WMI Event Tracing

    WPP

    The Windows software trace preprocessor (abbreviated WPP; the preprocessor and related support tools are known as WPP Software Tracing) is a preprocessor that simplifies the use of WMI event tracing to implement efficient software tracing in drivers and applications that target Windows 2000 and later operating systems. WPP was created by Microsoft and is included in the Windows DDK. Although WPP is wide in its applicability, it is not included in the Windows SDK, and therefore is primarily used for drivers and driver support software produced by software vendors that purchase the Windows DDK.


  • Original article: https://www.cnblogs.com/whyandinside/p/1641573.html