Why does ETW EventWriteString have a binary payload and cannot be printed as a message

    Question

  • I wanted to extend my Eventlog (Event Trace for Windows) by an additional component where I just want to log strings. I am using code like the following one.

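    #include <windows.h>   // must come before the ETW headers
    #include <evntprov.h>
    #include <evntrace.h>  // TRACE_LEVEL_INFORMATION
    
    // Link with Advapi32.lib.
    
    // {38F4122A-4D8C-465A-9EFC-F7E632A84ABF}
    static const GUID MyApplicationGuid = { 0x38f4122a, 0x4d8c, 0x465a, { 0x9e, 0xfc, 0xf7, 0xe6, 0x32, 0xa8, 0x4a, 0xbf } };
    
    int main()
    {
        // REGHANDLE is a 64-bit integer handle, not a pointer.
        REGHANDLE regHandle = 0;
        // No enable callback and no callback context.
        if (EventRegister(&MyApplicationGuid, nullptr, nullptr, &regHandle) != ERROR_SUCCESS)
            return 1;
    
        // Each call writes one event whose payload is the given wide string.
        EventWriteString(regHandle, TRACE_LEVEL_INFORMATION, 0x0, L"Hello");
        EventWriteString(regHandle, TRACE_LEVEL_INFORMATION, 0x0, L", ");
        EventWriteString(regHandle, TRACE_LEVEL_INFORMATION, 0x0, L"world");
        EventWriteString(regHandle, TRACE_LEVEL_INFORMATION, 0x0, L"!");
    
        EventUnregister(regHandle);
        return 0;
    }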

    I have already registered a provider with the given GUID that shows up correctly, and those events are part of the ETL log files as generic events. To this point everything seems to be fine, but when I want to add the message as a column I am not able to see the logged strings because they are stored in a binary payload element.

    Is there a way to define an event/template to format the traces done with EventWriteString into a message string? Something like "%1"? (There is already a header flag STRING_ONLY set.)

    Monday, October 26, 2015 7:05 AM

All replies

  • Figured out that if you add an Event with id 0 and template with one string it shows up.
    But I am not sure if this is the correct way.

    <?xml version="1.0" encoding="UTF-16"?>
    <instrumentationManifest xsi:schemaLocation="http://schemas.microsoft.com/win/2004/08/events eventman.xsd" xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:trace="http://schemas.microsoft.com/win/2004/08/events/trace">
      <instrumentation>
        <events>
          <provider name="COMPANY-PRODUCT-PART" guid="{??????-????-????-????-????????????}" symbol="COMPANY_PRODUCT_PART" resourceFileName="UNKNOWN.dll" messageFileName="UNKNOWN.dll">
            <events>
              <event symbol="DbgStr" value="0" version="0" template="OneStringParamTemplate" message="$(string.Product.1.message)">
              </event>
            </events>
            <templates>
              <template tid="OneStringParamTemplate">
                <data name="param" inType="win:UnicodeString" outType="xs:string">
                </data>
              </template>
            </templates>
          </provider>
        </events>
      </instrumentation>
      <localization>
        <resources culture="en-US">
          <stringTable>
            <string id="Product.1.message" value="%1">
            </string>
          </stringTable>
        </resources>
      </localization>
    </instrumentationManifest>


    • Edited by Totonga Wednesday, October 28, 2015 2:33 PM
    Wednesday, October 28, 2015 2:27 PM
  • I believe this is one way to do it. When Message Analyzer opens an ETL, it searches the system for a manifest. You can also supply one manually to Message Analyzer. This manifest describes the various events and format of any display strings.  Message Analyzer uses these templates as the format for the summary string in the UI.

    Another alternative is to write some OPN code that listens to messages from the ETW provider, and further parses or formats the Summary as you want.

    Paul

    Friday, November 13, 2015 6:07 PM
    Owner
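
What a manifest-aware viewer does with the event 0 definition from the reply above, as an added example that is not part of the original thread or of any Microsoft tool: it looks up the event, walks its template over the binary payload, and substitutes the result into the message string. It assumes the EventWriteString payload is the logged string as NUL-terminated UTF-16LE; `read_unicode_string`, `render` and `demo` are hypothetical names, and the manifest and payloads are constructed samples.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events"}
# Constructed input: the manifest from the reply above, trimmed to what the decoder reads.
MANIFEST = """<instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events">
 <instrumentation><events><provider name="COMPANY-PRODUCT-PART">
  <events><event symbol="DbgStr" value="0" version="0"
    template="OneStringParamTemplate" message="$(string.Product.1.message)"/></events>
  <templates><template tid="OneStringParamTemplate">
    <data name="param" inType="win:UnicodeString" outType="xs:string"/>
  </template></templates></provider></events></instrumentation>
 <localization><resources culture="en-US"><stringTable>
  <string id="Product.1.message" value="%1"/></stringTable></resources></localization>
</instrumentationManifest>"""


def read_unicode_string(buf, offset):
    """Read one NUL-terminated UTF-16LE string; return (text, next_offset)."""
    end = offset
    while buf[end:end + 2] != b"\x00\x00":  # step by 16-bit code unit, not by byte
        if end + 2 > len(buf):
            raise ValueError("unterminated win:UnicodeString in payload")
        end += 2
    return buf[offset:end].decode("utf-16-le"), end + 2


def render(manifest_xml, event_id, payload):
    """Format a binary payload with the manifest's template and message string."""
    root = ET.fromstring(manifest_xml)
    event = root.find(f".//e:event[@value='{event_id}']", NS)
    if event is None:
        return None  # no definition: only the raw binary payload can be shown
    template = root.find(f".//e:template[@tid='{event.get('template')}']", NS)
    values, offset = [], 0
    for data in template.findall("e:data", NS):
        if data.get("inType") != "win:UnicodeString":
            raise NotImplementedError(data.get("inType"))
        text, offset = read_unicode_string(payload, offset)
        values.append(text)
    string_id = event.get("message")[len("$(string."):-1]  # "$(string.ID)" -> "ID"
    message = root.find(f".//e:string[@id='{string_id}']", NS).get("value")
    return re.sub(r"%(\d+)", lambda m: values[int(m.group(1)) - 1], message)


def demo():
    # Constructed payloads: the four strings from the question, as UTF-16LE + NUL.
    texts = ("Hello", ", ", "world", "!")
    return [render(MANIFEST, 0, t.encode("utf-16-le") + b"\x00\x00") for t in texts]
```

Without a definition for event id 0, `render` returns `None`, which corresponds to the viewer showing only the binary payload column.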