Configuring and Starting a Private Logger Session
A private event tracing session is a user-mode event tracing session that runs in the same process as its event trace providers—the private session and the providers that it enables must all be in the same process. The benefit of using a private session is that the private session does not count against the maximum of 64 event tracing sessions executing simultaneously.
Configuring and starting a private session is similar to starting a normal event trace session. The difference is that the Wnode.Guid member of the EVENT_TRACE_PROPERTIES structure must contain the GUID of the provider, not the session, and the provider must have already registered the GUID. Note that if you also set the EVENT_TRACE_PRIVATE_IN_PROC logging mode, you can use a different GUID for the session and provider. For details on starting a normal event trace session, see Configuring and Starting an Event Tracing Session.
Note that you cannot start, stop, or flush a private trace session from DllMain; you should do so in the initialization and finalization routines of the DLL.
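The following added example (not part of the original page and not Microsoft's sample code) shows how the EVENT_TRACE_PROPERTIES buffer for a private session differs from a normal one: Wnode.Guid carries the provider GUID unless EVENT_TRACE_PRIVATE_IN_PROC is set. The helper names fill_private_props and start_private, the choice of a sequential log file, and the stand-in types used when building off Windows are assumptions of this example.

```c
/* Added example: EVENT_TRACE_PROPERTIES for a private logger session. */
#include <string.h>
#include <wchar.h>
#ifdef _WIN32
#include <windows.h>
#include <wmistr.h>
#include <evntrace.h>
#else /* Stand-ins (assumption) so the logic builds off Windows; not the SDK layout. */
typedef unsigned int ULONG;
typedef struct { unsigned char b[16]; } GUID;
typedef struct { ULONG BufferSize; GUID Guid; ULONG Flags; } WNODE_HEADER;
typedef struct { WNODE_HEADER Wnode; ULONG LogFileMode, LogFileNameOffset, LoggerNameOffset; } EVENT_TRACE_PROPERTIES;
#define WNODE_FLAG_TRACED_GUID 0x00020000
#define EVENT_TRACE_FILE_MODE_SEQUENTIAL 0x00000001
#define EVENT_TRACE_PRIVATE_LOGGER_MODE 0x00000800
#define EVENT_TRACE_PRIVATE_IN_PROC 0x00020000
#endif

/* Fills buf for StartTrace; returns bytes used, or 0 if cap is too small.
   session == NULL applies the default rule (Wnode.Guid = provider GUID).
   name_bytes reserves room for the session name StartTrace copies in. */
size_t fill_private_props(void *buf, size_t cap, const GUID *provider,
                          const GUID *session, const wchar_t *logfile,
                          size_t name_bytes)
{
    size_t file_bytes = (wcslen(logfile) + 1) * sizeof(wchar_t);
    size_t need = sizeof(EVENT_TRACE_PROPERTIES) + name_bytes + file_bytes;
    if (need > cap) return 0;
    memset(buf, 0, need);
    EVENT_TRACE_PROPERTIES *p = (EVENT_TRACE_PROPERTIES *)buf;
    p->Wnode.BufferSize = (ULONG)need;
    p->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
    p->LogFileMode = EVENT_TRACE_FILE_MODE_SEQUENTIAL | EVENT_TRACE_PRIVATE_LOGGER_MODE;
    p->Wnode.Guid = *provider;              /* provider GUID, not a session GUID */
    if (session) {                          /* separate session GUID needs IN_PROC */
        p->LogFileMode |= EVENT_TRACE_PRIVATE_IN_PROC;
        p->Wnode.Guid = *session;
    }
    p->LoggerNameOffset = (ULONG)sizeof(*p);
    p->LogFileNameOffset = (ULONG)(sizeof(*p) + name_bytes);
    memcpy((char *)buf + p->LogFileNameOffset, logfile, file_bytes);
    return need;
}
#ifdef _WIN32
/* Call from the DLL's initialization routine, never from DllMain. */
ULONG start_private(TRACEHANDLE *h, const wchar_t *name, void *props)
{ return StartTraceW(h, name, (EVENT_TRACE_PROPERTIES *)props); }
#endif
```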
From Windows 8.1 to Windows 10, version 1607, event payload, scope, and stack walk filters can be used by the EnableTraceEx2 function and the ENABLE_TRACE_PARAMETERS and EVENT_FILTER_DESCRIPTOR structures to filter on specific conditions in a logger session. For more information on event payload filters, see the TdhCreatePayloadFilter and TdhAggregatePayloadFilters functions and the ENABLE_TRACE_PARAMETERS, EVENT_FILTER_DESCRIPTOR, and PAYLOAD_FILTER_PREDICATE structures.
Starting with Windows 10, version 1703, low privilege users can start a private logger session in processes they started. The provider no longer needs to be registered prior to enabling or starting the private session, meaning the provider is "pre-enabled" similar to how non-private session providers are. There is a limit of 8 system-wide private loggers to an individual process. For increased performance in cross-process scenarios, it's recommended to use filtering for session APIs (including ControlTrace, QueryTrace, StartTrace, and StopTrace) when starting a system-wide private logger. Note that the same filters should be passed to all session APIs. For more information about filters, see EVENT_TRACE_PROPERTIES_V2.
For details on starting an event tracing session, see Configuring and Starting an Event Tracing Session.
For details on starting an NT Kernel Logger session, see Configuring and Starting the NT Kernel Logger Session.
For details on starting a Global Logger session, see Configuring and Starting a Global Logger Session.
For details on starting an AutoLogger session, see Configuring and Starting an AutoLogger Session.