Consuming "Event Tracing for Windows" events
An answer to this question has led me to look into using "Event Tracing for Windows" for our tracing needs. I have come across NTrace, which seems to be a good way to produce ETW events from C# code (using the XP-compatible "classic provider" model).
However, I am unable to find an easy way to consume these events - to see them in real-time and/or log them to a file. The only way I have found is that described in the NTrace documentation: using a tool which is only available as part of the Windows DDK.
In the case of a complex problem in the field, we may need to ask the user to produce a file containing a trace. We can't ask users to download the DDK or carry out a number of complex operations in order to do this.
Is there a straightforward, user-friendly way to log ETW events to a file?
Also, is it possible for someone to consume ETW events on Windows Vista/7 if they are not running as administrator?
Answer
Windows Event Log reads the ETW. In fact I'd say this is the correct way for a consumer (non program) to view and export the ETW traces.
See here for an example. http://blogs.microsoft.co.il/blogs/applisec/archive/2009/10/12/reading-etw-tracing-using-event-viewer.aspx
This question on msdn Discuses what to do when the logs don't appear. Does anything here help?