Windows API - Win32
A core set of Windows application programming interfaces (APIs) for desktop and server applications. Previously known as Win32 API.
2,428 questions
Event Trace for Windows: update exiting trace with a new file and EVENT_TRACE_FILE_MODE_NEWFILE
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 14.000000000000002%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPA%3C/text%3E%3C/svg%3E)
Przemysław Walkowiak
1
Reputation point
I have a question related to the Event Trace for Windows usage.
I've implemented a logger (controller + session) that handles events and forwards them to the log file with a specific max log file and the EVENT_TRACE_FILE_MODE_NEWFILE flag.
With the flag enabled and %d in the log file name, the index is automatically incremented after the log file reaches the max size.
However, from time to time, I would like to change the increment and the base name. E.g.: log_2022_21_05_%d.etl -> log_2022_21_06_%d.etl. For that purpose, I have the following snippet:
filename = L"log_2022_06_21_%d.etl"; // name is different than the original one
DWORD status = ::ControlTrace(hTrace,
sessionData.name.data(),
props,
EVENT_TRACE_CONTROL_QUERY);
// props contain the up to date data
props->Wnode.BufferSize = static_cast<ULONG>(buffer.size());
props->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
props->MaximumBuffers = 0; // don't want to modify
props->FlushTimer = 0; // don't want to modify
props->EnableFlags = 0; // don't want to modify
props->LoggerNameOffset = sizeof(*props);
// assigning the same mode as during starting the trace
props->LogFileMode = EVENT_TRACE_REAL_TIME_MODE | EVENT_TRACE_FILE_MODE_NEWFILE;
props->LogFileNameOffset = static_cast<ULONG>(sizeof(*props) + maxSessionNameLength * sizeof(wchar_t));
auto propertyLogFileName =
std::span(reinterpret_cast<wchar_t*>(props + 1) + maxSessionNameLength,
filename.size() + 1);
std::ranges::fill(propertyLogFileName, 0);
std::ranges::copy(filename, propertyLogFileName.begin());
status = ::ControlTrace(hTrace,
sessionData.name.data(),
props,
EVENT_TRACE_CONTROL_UPDATE);
Unfortunately, the status returned by the last call of ControlTrace is always 0x87 - INVALID_PARAMETER.
The same result is when:
- I omit
LogFileModemodification (it will have the original, internal value:0x00400109(EVENT_TRACE_STOP_ON_HYBRID_SHUTDOWN | EVENT_TRACE_REAL_TIME_MODE | EVENT_TRACE_FILE_MODE_NEWFILE | EVENT_TRACE_FILE_MODE_SEQUENTIAL- please note, I set onlyREAL_TIME_MODEandNEWFILE, the value was acquired byQUERY. - I keep it as it is in the snippet above
However, If I change LogFileNameOffset to 0 (don't modify filename), the call succeeds, but of course, without changing the name.
The same happens if, instead of NEWFILE, the SEQUENTIAL mode is used, but then there is no way to increment the counter.
The log file name is filled the same way as while starting the trace.
Do Windows support the above scenario (changing filename while in the NEWFILE mode)? Or did I miss something?
Or maybe there is a workaround for it? I was thinking about just stopping the current trace and starting/creating it again, but there is a possibility that some data will be lost in the meantime.
{count} votes
-
Przemysław Walkowiak 1 Reputation point
2022-05-22T01:09:43.263+00:00 While debugging the disassembled code, I also noticed that when the
NtTraceControlfunction was called, the input buffer still had%din it. I'm not sure if this is correct behavior or not.Stacktrace:
ntdll.dll!NtTraceControl() sechost.dll!EtwpUpdateLogger(struct _WMI_LOGGER_INFORMATION *,unsigned long,struct _EVENT_FILTER_DESCRIPTOR *) sechost.dll!ControlTraceW()The return value from
NtTraceControlis0xc000000dwhat is also "invalid parameter".I also looked at some "leaked" unofficial source code for relevant functions for Windows XP, and before calling anything, the file name was parsed by
swprintf, and here, I didn't notice anything similar. -
Junjie Zhu - MSFT 15,061 Reputation points Microsoft Vendor2022-05-23T08:41:29.02+00:00 Have you read this document?
EVENT_TRACE_FILE_MODE_NEWFILE (0x00000008)
Automatically switches to a new log file when the file reaches the maximum size. TheMaximumFileSizemember of EVENT_TRACE_PROPERTIES must be set. -
Przemysław Walkowiak 1 Reputation point
2022-05-23T09:06:48.84+00:00 Yes, I read that one too.
The
MaximumFileSizemember, I tested in a couple of scenarios:- it was set to a certain value while starting the session, then after
QUERYit was also properly set to100(the code from the snippet above) - I zeroed it. This document nf-evntrace-controltracea, mentions that only a few members can be updated by setting a new value, or won't be updated in the case of
0. Thus, this is also what I tried and set it to 0.
Unfortunately, none of this worked and resulted in the error code 87.
The
EVENT_TRACE_PROPERTIESforStartTracelooks like this:props->Wnode.BufferSize = static_cast<ULONG>(buffer.size()); props->Wnode.Flags = WNODE_FLAG_TRACED_GUID; props->Wnode.ClientContext = 1; // QueryPerformanceCounter props->Wnode.Guid = sessionData.guid; props->BufferSize = static_cast<ULONG>(sessionData.bufferSize); props->MaximumFileSize = static_cast<ULONG>(fileSink.fileSizeThreshold); props->MinimumBuffers = 0; props->MaximumBuffers = 0; props->FlushTimer = 0; props->EnableFlags = 0; props->LoggerNameOffset = sizeof(*props); props->LogFileMode = EVENT_TRACE_REAL_TIME_MODE | EVENT_TRACE_FILE_MODE_NEWFILE; props->LogFileNameOffset = static_cast<ULONG>(sizeof(*props) + maxSessionNameLength * sizeof(wchar_t)); - it was set to a certain value while starting the session, then after
-
Junjie Zhu - MSFT 15,061 Reputation points Microsoft Vendor
2022-05-24T07:01:59.26+00:00 Could you provide a minimal code sample that can be reproduced and run? so that I can reproduce your problem on my computer.
ERROR_INVALID_PARAMETER
One of the following is true:
Properties is NULL.
InstanceName and TraceHandle are both NULL.
InstanceName is NULL and TraceHandle is not a valid handle.
The LogFileNameOffset member of Properties is not valid.
The LoggerNameOffset member of Properties is not valid.
The LogFileMode member of Properties specifies a combination of flags that is not valid.
The Wnode.Guid member of Properties is SystemTraceControlGuid, but the InstanceName parameter is not KERNEL_LOGGER_NAME. -
Przemysław Walkowiak 1 Reputation point
2022-05-24T10:20:59.01+00:00 Thank you :)
I've simplified it a bit and shared it on the github gist: 13478beddb580443fd774fa2d7ead499
The dev environment is MSVS 2022 17.2.1, Windows SDK 10.0.22000.0, compiled with
/std:c++latest. -
Junjie Zhu - MSFT 15,061 Reputation points Microsoft Vendor
2022-05-26T08:57:42.043+00:00 After these two days of testing, I think the problem may be memory. I will contact the engineers of the team to solve this problem together. If there is any progress, I will notify you as soon as possible.
-
Przemysław Walkowiak 1 Reputation point
2022-05-26T10:13:46.897+00:00 Thank you very much! :)
-
Junjie Zhu - MSFT 15,061 Reputation points Microsoft Vendor
2022-06-08T02:05:22.97+00:00 I found out during testing, On the basis of ignoring eight-byte alignment. The value of
props->LogFileNameOffsetis wrong between375-491, it is normal outside the range.
What is the specific reason for the error in the Memory, our engineers will continue to research, if there is progress, we will let you know as soon as possible. -
Przemysław Walkowiak 1 Reputation point
2022-10-18T11:27:51.597+00:00 Hi @Junjie Zhu - MSFT ,
do you know if the team was able to find a solution for this issue?
Sign in to comment