etl.0001, the second time the file name is. The first time the computer is started, the file name is.
For example, if the default log file name is used, the form is %SystemRoot%\System32\LogFiles\WMIIf the log file specified in FileName exists, ETW appends the FileCounter value to the file name. The maximum number of instances of the log file that ETW creates.
If FileName is not specified, events are written to %SystemRoot%\System32\LogFiles\WMIThe fully qualified path of the log file. If the value is not valid, 1 will be assumed.
MS AUTOLOGGER SERIAL NUMBER
This value is the serial number used to increment the log file name if FileMax is specified. The events will then be delivered to the consumer the next time the consumer connects to the session.ĭo not set or modify this value. If real time persistence is enabled, real-time events that were not delivered by the time the computer was shutdown will be persisted. The default is 0 (enabled) for real time sessions. To disable real time persistence, set this value to 1.
MS AUTOLOGGER WINDOWS
Prior to Windows Vista, the default value is 2 (system timer). The default value is 1 (performance counter value) on Windows Vista and later. 1 = Performance counter value (high resolution)įor a description of each clock type, see the ClientContext member of WNODE_HEADER.The timer to use when logging the time stamp for each event.
ETW uses the size of physical memory to calculate this value. If you specify a value that ETW cannot support, ETW will override the value. Typically, you should use the default values. The Start and Guid value are the only values required to start the AutoLogger session all other values have default settings that are used if the value is not present in the registry. You must have administrator privileges to specify these registry values. The following table describes the values that you can define for each AutoLogger session. HKEY_LOCAL_MACHINEįor each session, create a key for each provider that you want to enable to the session. Under the Autologger key create a key for each AutoLogger session that you want to configure as shown in the following example. Add the following registry key, if it is not already present: HKEY_LOCAL_MACHINE You use the registry to configure the AutoLogger session. Use the Global Logger on earlier operating systems. To log NT Kernel Logger events, you must use the Global Logger.įor more information on the Global Logger seesion, see Configuring and Starting the Global Logger Session.ĮTW supports the AutoLogger on Windows Vista and later. The AutoLogger does not support logging NT Kernel Logger events (see the EnableFlags member of EVENT_TRACE_PROPERTIES).The AutoLogger sends an enable notification to the providers when the session starts (the Global Logger did not send an enable notification to the providers, so the providers had to rely on other means to know if the Global Logger session was started in order to begin logging events).You can specify one or more AutoLogger sessions (the Global Logger was a single session to which everyone logged events).The AutoLogger differs from the Global Logger in the following ways: Note that some device drivers, such as disk device drivers, are not loaded at the time the AutoLogger session begins.
MS AUTOLOGGER DRIVERS
Applications and device drivers can use the AutoLogger session to capture traces before the user logs in. The AutoLogger event tracing session records events that occur early in the operating system boot process.
0 kommentar(er)
