Adding a System ETW Provider
As part of its tracing facilities, Message Analyzer retrieves events from system ETW Providers. A system ETW Provider is one that is registered on your system and that writes the events issued by Windows components that have been instrumented with ETW. These providers are accessible from a searchable Add Provider drop-down library on the ETW Providers toolbar, which is located on the Live Trace tab of the New Session dialog, which in turn is accessible from the Message Analyzer File menu. Many of these providers use managed object format (MOF) schemas to define their events for ETW.
Selecting an ETW Provider
To begin your search for a system ETW Provider, click in the Add Provider search box to display a list of providers that Message Analyzer enumerated on your local system during installation. You can also enter search characters in the search box to quickly locate a system ETW Provider by name.
When you are considering which ETW Provider to add to a Trace Scenario, your familiarity with event tracing can be of significant value. However, if your experience is limited, choosing a provider may be a little more challenging. Many ETW Provider names are somewhat cryptic and may not adequately describe the provider functionality, whereas others are more clearly named. For example, the type of data captured by the Microsoft-Windows-Dhcp-Client provider is, generally speaking, not difficult to determine from its name. Moreover, if you review the Keywords for this provider, you will learn that it captures related system events in addition to events that reflect response time and client operational or administrative activity. You can use the same approach, reviewing the Keywords and Levels that a provider defines, when assessing other providers.
Configuring System ETW Providers
After you select a system ETW Provider and it displays in the ETW Providers list, you can access the configuration settings for the provider on the ETW Core tab of the Advanced Settings dialog. This dialog displays when you click the Configure link that appears immediately to the right of the Id for any provider that is listed in the ETW Providers list. If you want to further refine the focus of the provider’s data retrieval action, you can modify the provider filtering configuration. For example, you can specify event Keyword and Level filtering settings if the particular system ETW Provider defines such filters. To specify a Level filter from the Advanced Settings dialog, click the Level drop-down list and select a severity Level; the provider then delivers only events at that Level or a more severe one. To enable a Keyword filter from the Advanced Settings dialog, click the ellipsis (…) to the right of the Keywords (Any) or Keywords (All) text boxes to display the ETW Keyword Filter Property dialog. From there, you can place a check mark in one or more of the Keyword check boxes for the selected ETW Provider, to cause the provider to return only the events that the Keywords enable. Whenever you enable a Keyword, you will see that the hexadecimal value in the text box at the bottom of the ETW Keyword Filter Property dialog changes to a new value, because each Keyword is a bit in a 64-bit mask. The default value is the 16-digit hexadecimal number 0x0000000000000000, which signifies that all events for which the provider is configured will be delivered to Message Analyzer, if they occur in your trace. Because the default returns everything, narrowing the Keywords and Level is also the main way to keep the volume of a live trace manageable.
Returning Events Defined by Keywords
The Keywords that you enable will cause the ETW Provider to return only the events that the Keywords define. Keyword definitions and descriptions are usually specified in the manifest of the ETW Provider with which you are working. To be successful at specifying event Keyword configurations, you will need to understand the correlation between Keywords and the types of events that will be returned. You may be able to discover this information by employing some of the methods described in Using System ETW Providers as an Input Source. If you do not specify any Keywords for an ETW Provider, the provider will deliver all events that it is configured to provide, just as ETW Providers that define no Keywords do.
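The following PowerShell example is added here to illustrate the two preceding sections; it is not part of the Message Analyzer documentation or product. It uses the built-in Get-WinEvent cmdlet to list the Keywords and Levels that a manifest-based provider defines (the assessment approach described under Selecting an ETW Provider), builds a Keywords (Any) mask from a set of Keyword names the way the ETW Keyword Filter Property dialog does, and models the delivery rule that ETW applies to each event for a given Level, Keywords (Any) and Keywords (All) configuration, including the 0x0000000000000000 default. The provider name is the one used on this page; the Keyword names passed to New-KeywordMask are taken from whatever the provider reports, so nothing is hard-coded.

```powershell
# Added example (not Message Analyzer code). Requires Windows; Get-WinEvent is built in.
$ProviderName = 'Microsoft-Windows-Dhcp-Client'

# 1. Enumerate provider metadata. Only manifest-based providers expose Keywords and
#    Levels this way; MOF-based providers are listed by 'logman query providers'.
$provider = Get-WinEvent -ListProvider $ProviderName -ErrorAction Stop

"Keywords defined by $ProviderName"
$provider.Keywords |
    Select-Object Name, @{ n = 'Value'; e = { '0x{0:X16}' -f $_.Value } }, DisplayName |
    Format-Table -AutoSize

"Levels defined by $ProviderName"
$provider.Levels | Select-Object Name, Value, DisplayName | Format-Table -AutoSize

# 2. Build a Keywords (Any) mask: OR together the value of every Keyword you tick.
function New-KeywordMask {
    param(
        [Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.ProviderMetadata] $Provider,
        [string[]] $KeywordName
    )
    [int64] $mask = 0
    foreach ($name in $KeywordName) {
        $kw = $Provider.Keywords | Where-Object Name -eq $name
        if (-not $kw) { throw "Keyword '$name' is not defined by $($Provider.Name)" }
        $mask = $mask -bor [int64] $kw.Value
    }
    return $mask
}

# 3. Per-event delivery rule (as documented for EnableTraceEx2): the event's level must
#    be at or below the session Level (a session Level of 0 disables level filtering);
#    if MatchAnyKeyword is 0 (the 0x0000000000000000 default) every event passes the
#    keyword test, as do events that carry no keyword bits at all; otherwise the event's
#    keyword bits must overlap MatchAnyKeyword and include every bit of MatchAllKeyword.
function Test-EventDelivered {
    param(
        [int] $EventLevel, [int64] $EventKeyword,
        [int] $SessionLevel = 0, [int64] $MatchAnyKeyword = 0, [int64] $MatchAllKeyword = 0
    )
    if ($SessionLevel -ne 0 -and $EventLevel -gt $SessionLevel) { return $false }
    if ($MatchAnyKeyword -eq 0 -or $EventKeyword -eq 0) { return $true }
    $anyOk = ($EventKeyword -band $MatchAnyKeyword) -ne 0
    $allOk = ($EventKeyword -band $MatchAllKeyword) -eq $MatchAllKeyword
    return ($anyOk -and $allOk)
}

# Worked check: tick the first two Keywords the provider defines and compare what a
# session delivers with the default mask versus the narrowed one.
$chosen  = @($provider.Keywords | Select-Object -First 2 -ExpandProperty Name)
$anyMask = New-KeywordMask -Provider $provider -KeywordName $chosen
'Keywords (Any) mask for {0}: 0x{1:X16}' -f ($chosen -join ', '), $anyMask

$eventKeyword = [int64] $provider.Keywords[0].Value   # an Informational (4) event with this keyword
'Delivered, default mask 0x0                 : {0}' -f (Test-EventDelivered -EventLevel 4 -EventKeyword $eventKeyword)
'Delivered, chosen mask                      : {0}' -f (Test-EventDelivered -EventLevel 4 -EventKeyword $eventKeyword -MatchAnyKeyword $anyMask)
'Delivered, chosen mask, Level=Warning (3)   : {0}' -f (Test-EventDelivered -EventLevel 5 -EventKeyword $eventKeyword -SessionLevel 3 -MatchAnyKeyword $anyMask)
```

The last call models a Verbose (5) event against a session Level of Warning (3) and reports False, which is the behaviour to expect from the Level drop-down: lower-severity events are suppressed at the provider, not merely hidden in the viewer, so they are not recoverable from the trace afterwards.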
Support for WPP Trace Providers
Message Analyzer can parse and display events that are generated by a Windows software trace preprocessor (WPP) trace provider. Because these providers write events that can integrate with the ETW framework, Message Analyzer can capture them live or load them from a saved event trace log (ETL) file that is created by an appropriate system tool such as Netsh. To enable parsing of WPP-generated events, users must provide supplemental formatting information, such as a program database (PDB) or trace message format (TMF) file, to define the WPP event structure.
If you want to use Message Analyzer to capture WPP-generated events live, you must have a corresponding managed object format (MOF) provider that is registered on your system. When this is the case, Message Analyzer displays the WPP/MOF provider in the ETW provider list in your Live Trace Session configuration. You can then select the provider and run a trace to capture the events that are generated by the WPP/MOF-based trace provider.
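The following PowerShell example is added here and is not part of the Message Analyzer documentation. It shows how to confirm that a WPP/MOF trace provider is actually registered on the system, which is the precondition for it to appear in the Live Trace provider list, and how to record its events to an ETL file with the built-in logman tool so the file can be loaded into Message Analyzer (together with the PDB or TMF file needed to format WPP events). The provider is passed in by name or control GUID; the session name, output path, flag mask and level are assumptions you should adjust for your provider.

```powershell
# Added example (not Message Analyzer code). Requires Windows; logman is built in.
# Run from an elevated prompt: starting an ETW session needs administrative rights.

# Returns $true when the provider name or GUID appears in the system's registered
# provider list; 'logman query providers' covers both manifest and MOF/WMI providers.
function Test-EtwProviderRegistered {
    param([Parameter(Mandatory)] [string] $Provider)
    $pattern = [regex]::Escape($Provider)
    $lines = & logman query providers 2>&1
    return [bool] ($lines | Where-Object { $_ -match $pattern })
}

# Starts a real-time-less file session for one provider. Flags/keywords and level are
# passed positionally after -p; 0xFFFFFFFFFFFFFFFF and 0xFF request everything, so
# narrow them to the WPP flags and level you need to keep the ETL small.
function Start-EtlCapture {
    param(
        [Parameter(Mandatory)] [string] $Provider,
        [string] $SessionName = 'MA-WppCapture',            # assumed session name
        [string] $OutFile     = "$env:TEMP\wpp-capture.etl", # assumed output path
        [string] $Flags       = '0xFFFFFFFFFFFFFFFF',
        [string] $Level       = '0xFF'
    )
    if (-not (Test-EtwProviderRegistered -Provider $Provider)) {
        throw "Provider '$Provider' is not registered; register its MOF or manifest first."
    }
    & logman start $SessionName -p $Provider $Flags $Level -o $OutFile -ets | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }
    return $OutFile
}

function Stop-EtlCapture {
    param([string] $SessionName = 'MA-WppCapture')
    & logman stop $SessionName -ets | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "logman stop failed with exit code $LASTEXITCODE" }
}

# Usage (the GUID is a placeholder for your WPP provider's control GUID):
#   $etl = Start-EtlCapture -Provider '{your-wpp-control-guid}'
#   ... reproduce the scenario ...
#   Stop-EtlCapture
#   Open $etl in Message Analyzer and supply the PDB or TMF file for the provider.
```

If Test-EtwProviderRegistered returns False for a provider you expect to see, the MOF has not been compiled and registered on this machine (see MOF-Based ETW Providers), and Message Analyzer will not list it for a live trace either.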
To learn more about the configuration settings for system ETW Providers, including Keyword and Level filter configuration, see System ETW Provider Configuration Settings.
To learn more about Message Analyzer support for MOF-based providers, including how to register and deploy one, see MOF-Based ETW Providers.
To learn more about the ETW framework and system ETW Provider functionality, see the ETW Framework Tutorial.
To learn more about how Message Analyzer supports WPP trace providers, see Loading WPP-Generated Events.