EventFilters
EventFilters element specifies event IDs to filter events from a manifest based provider.
Element Hierarchy
- <WindowsPerformanceRecorder>
- <Profiles>
- <EventProvider>
- <EventFilters>
- <Profile>
- <Collectors>
- <EventCollectorId>
- <EventProviders>
- <EventProvider>
- <EventFilters>
- <EventProvider>
- <EventProviders>
- <EventCollectorId>
- <Collectors>
- <EventProvider>
- <Profiles>
Syntax
<EventFilters FilterIn = "true" | "false" Operation = "Set" | "Add" | "Remove" >
<!-- Child elements -->
<EventId>
</EventFilters>
Attributes and Elements
Attributes
| Attribute | Description | Data type | Required | Default |
|---|---|---|---|---|
| FilterIn | Indicates whether to include or exclude the specified events. | boolean | Yes | |
| Operation | Indicates whether keywords should be set or added. | This attribute can have one of the following values:
|
No | Set |
Child Elements
| Element | Description | Requirement |
|---|---|---|
| EventId | The event ID defined in a manifest. | Required, 1 or more. |
Parent Elements
| Element | Description |
|---|---|
| EventProvider | Represents an event provider for the profile. |
Remark
EventFilters element enables event filtering through EVENT_FILTER_DESCRIPTOR, Type EVENT_FILTER_TYPE_EVENT_ID.
Even though ETW supports powerful payload and attribute filtering, events should primarily be filtered based scope filters or via level and keyword for less CPU overhead.
Example
<EventProvider Id="EP_Microsoft-Windows-Win32k" Name="8c416c79-d49b-4f01-a467-e56d3aa8234c" NonPagedMemory="true">
<EventFilters FilterIn="false">
<EventId Value="164" />
<EventId Value="166" />
<EventId Value="167" />
<EventId Value="169" />
</EventFilters>
<StackFilters FilterIn="true">
<EventId Value="88" />
<EventId Value="65" />
</StackFilters>
</EventProvider>