[原]how to view custom provider's events(collected without provider registered) by wpa

最近想使用etw作为高效的日志机制，也不想暴露机密信息(关键信息在msnifest文件中)。也就是不能在客户机器上注册自己的provider，那需要manifest文件。这样采集回来的.etl文件如果直接在wpa中打开，会很难看，基本看不出什么有用的信息，如图1

图1 用wpa打开poor.etl文件（在未注册过provider的机器上采集的，也未经过experf -merge处理的.etl文件）

 

如何使得到的信息能像下图这样详细呢？

 图2 用wpa打开good.etl文件（在注册过provider的机器上采集的）

 

下面一段是我在stackoverflow上给自己的回答

I found answer at msdn forums, here is the same question asked by myself.

xperf -merge is the key!

whole steps as follow:

1. install my software and start collect event data on custom's machine. (no need to register my provider.)
   call xperf -start mysession -on MY_PROVIDER_GUID start collecting event data.

2. after run some time, call xperf -stop mysession -d poor.etl to stop collecting and save to poor.etl file.

3. copy poor.etl to my dev machine(my provider already registered) and callxperf -merge poor.etl good.etl

4. open good.etl with wpa, I can see every details as I expected.

that's all. hope it will help other guy like me. thanks everyone.

具体参考

1. https://social.msdn.microsoft.com/Forums/en-US/efadef6c-85cf-4e39-bd7a-2fa9ba7df9b3/to-what-extend-will-custom-events-integrate-in-wpa?forum=wptkv5

2. 我在stackoverflow上的帖子

http://stackoverflow.com/questions/43083434/how-to-view-custom-providers-eventscollected-without-provider-registered-by-w/43120697#43120697)

 

3. 我在msdn forum上的帖子

https://social.msdn.microsoft.com/Forums/en-US/65662da5-e68c-4052-bdf0-44f569ddf3fd/how-to-view-custom-providers-eventscollected-without-provider-registered-by-wpa?forum=wptkv5)

 

 

 

 

 

null