Check out the codes in GitHub.
Getting the logs
Now that I have my modules spitting out logs for me, it’s time to actually consume (or view) them. Most of the time, I use MFTrace and logman tools.
MFTrace
Although MFTrace is primarily a tool for generating logs for Media Foundation apps, it is a great tool for viewing ETW logs in general as well. It is included in the MS SDK.
To view logs in real time, I use this command in either Powershell or command line:
mftrace -c config.xml
To stop the trace collection, press CTRL+C.
logman
logman is a very powerful builtin performance counter and event trace log tool from Microsoft. For more information, have a look at here.
You can use logman as alternative to MFTrace.
Start tracing
logman start <name> -p <provider_guid_or_name> <kw> <level> -o <output.etl> -ets
Examples
logman start lms -p {3A8FD7D2-CAB3-455D-A8E5-9E1741365FEB} 0x1 win:Verbose -o c:\output.etl -ets
logman start lms -p MyProviderName 0x3 win:Informational -o c:\output.etl -ets
logman start lms -p {277c604b-1962-47fa-9307-7ce0855dfea6} 0xffffffffffffffff 0xff -o c:\output.etl -ets
Stop tracing
logman stop <name> -ets
Examples
logman stop lms -ets
Collecting ETW traces from test/production systems
To collect ETW trace logs from test/production systems, manifest file and message/resource file need not be registered.
mftrace -c config.xml -o c:\output.etl
c:\output.etl is just an example. You can use any location and any filename as long as the extension is .etl. The output .etl file can only be read on a system where the manifest file and the resource/message file are registered. To read the traces:
tracerpt -y output.etl
The default readable output file that contains all the trace information will be dumpfile.xml. A summary.txt file will also be generated. For more information about tracerpt, have a look at here.
Check out part 5.