Controlling Event Tracing Sessions

Event tracing sessions record events from one or more providers. The controller defines the session and enables the providers. Defining the session typically includes specifying the session and log file name, type of log file to use, and the resolution of the time stamp used to record the events. Controllers can also update and query event tracing sessions.

The following topics demonstrate how to define and update a session, and enable event trace providers:

For information on flushing and querying sessions, see ControlTrace and QueryAllTraces, respectively.

Only users running with elevated administrative privileges, users in the Performance Log Users group, and applications running as LocalSystem, LocalService or NetworkService can control event tracing sessions. To grant a restricted user the ability to control trace sessions, add them to the Performance Log Users group.

Windows XP and Windows 2000: Anyone can control a trace session.