修改2024-07-15 21:55:50
官方介绍:Event Tracing for Windows (ETW) - Windows drivers | Microsoft Learn

官方示例:Eventdrv - Code Samples | Microsoft Learn

另一篇文章:ETW - 事件提供者

事件消费者(Event Consumer)

事件消费者(Event Consumer): 事件消费者是一个应用程序,它订阅事件提供者生成的事件,并对这些事件进行处理。事件消费者可以实时处理事件,也可以将事件保存到日志文件中以供离线分析。为了实现事件消费者,开发者需要完成以下任务:

  • 订阅事件:事件消费者需要订阅一个或多个事件提供者的事件。订阅过程通常包括指定事件提供者的 GUID、事件级别和关键字等信息。
  • 处理事件:事件消费者需要实现一个回调函数,用于处理收到的事件。回调函数可以实时处理事件,也可以将事件保存到日志文件中以供离线分析。
  • 取消订阅:在不再需要处理事件时,事件消费者需要取消订阅事件提供者的事件。



借助Windows Kits里面的工具,可以从etl文件中导出我们想要的任意数据到csv文件中,借助脚本语言进行进一步分析,这里可以使用python


使用控制器或者Windows Kit自带的WPRUI.exe(C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\WPRUI.exe)录制etl




命令行:python IdentifyChromeProcesses.py "D:\系统\文档\etwtraces\*.etl" -c

def _IdentifyChromeProcesses(tracename, show_cpu_usage, tabbed_output, return_pid_map):
  if not os.path.exists(tracename):
    print('Trace file "%s" does not exist.' % tracename)

  script_dir = os.path.dirname(sys.argv[0])
  if len(script_dir) == 0:
    script_dir = '.'

  cpu_usage_by_pid = {}
  context_switches_by_pid = {}
  if show_cpu_usage:
    csv_filename = os.path.join(script_dir, 'CPU_Usage_(Precise)_Randomascii_CPU_Usage_by_Process.csv')
    profile_filename = os.path.join(script_dir, 'CPUUsageByProcess.wpaProfile')
      # Try to delete any old results files but continue if this fails.
    # -tle and -tti are undocumented for wpaexporter but they do work. They tell wpaexporter to ignore
    # lost events and time inversions, just like with xperf.
    command = 'wpaexporter "%s" -outputfolder "%s" -tle -tti -profile "%s"' % (tracename, script_dir, profile_filename)
    # If there is no CPU usage data then this will return -2147008507.
      output = str(subprocess.check_output(command, stderr=subprocess.STDOUT))
    except subprocess.CalledProcessError as e:
      if e.returncode == -2147008507:
        print('No CPU Usage (Precise) data found, no report generated.')
    # Typical output in the .csv file looks like this:
    # New Process,Count,CPU Usage (in view) (ms)
    # Idle (0),7237,"26,420.482528"
    # We can't just split on commas because the CPU Usage often has embedded commas so
    # we need to use an actual csv reader.
    if os.path.exists(csv_filename):
      lines = open(csv_filename, 'r').readlines()
      process_and_pid_re = re.compile(r'(.*) \(([\d ]*)\)')
      for row_parts in csv.reader(lines[1:], delimiter = ',', quotechar = '"', skipinitialspace=True):
        process, context_switches, cpu_usage = row_parts
        match = process_and_pid_re.match(process)
        if match:
          _, pid = match.groups()
          pid = int(pid)
          cpu_usage_by_pid[pid] = float(cpu_usage.replace(',', ''))
          context_switches_by_pid[pid] = int(context_switches)
      print('Expected output file not found.')
      print('Expected to find: %s' % csv_filename)
      print('Should have been produced by: %s' % command)

  # Typical output of -a process -withcmdline looks like:
  #        MIN,   24656403, Process, 0XA1141C60,       chrome.exe ( 748),      10760,          1, 0x11e8c260, "C:\...\chrome.exe" --type=renderer ...
  # Find the PID and ParentPID
  pidsRe = re.compile(r'.*\(([\d ]*)\), *(\d*),.*')
  # Find the space-terminated word after 'type='. This used to require that it
  # be the first command-line option, but that is likely to not always be true.
  # Mark the first .* as lazy/ungreedy/reluctant so that if there are multiple
  # --type options (such as with the V8 Proxy Resolver utility process) the
  # first one will win.
  processTypeRe = re.compile(r'.*? --type=([^ ]*) .*')

  # Starting around M84 Chrome's utility processes have a --utility-sub-type
  # parameter which identifies the type of utility process. Typical command
  # lines look something like this:
  # --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial...
  processSubTypeRe = re.compile(r'.*? --utility-sub-type=([^ ]*) .*')

  #-a process = show process, thread, image information (see xperf -help processing)
  #-withcmdline = show command line in process reports (see xperf -help process)
  command = 'xperf -i "%s" -a process -withcmdline' % tracename
  # Group all of the chrome.exe processes by browser Pid, then by type.
  # pathByBrowserPid just maps from the browser Pid to the disk path to chrome.exe
  pathByBrowserPid = {}
  # pidsByParent is a dictionary that is indexed by the browser Pid. It contains
  # a dictionary that is indexed by process type with each entry's payload
  # being a list of Pids (for example, a list of renderer processes).
  pidsByParent = {}
  # Dictionary of Pids and their lines of data
  lineByPid = {}
  # Dictionary of Pids and their types.
  types_by_pid = {}
  # Dictionary of Pids and their sub-types (currently utility-processes only).
  sub_types_by_pid = {}
    output = subprocess.check_output(command, stderr=subprocess.STDOUT)
  except subprocess.CalledProcessError:
    # Try again. If it succeeds then there were lost events or a time inversion.
    #-tle = tolerate lost events
    #-tti = tolerate time inversions
    command = 'xperf -i "%s" -tle -tti -a process -withcmdline' % tracename
    output = subprocess.check_output(command, stderr=subprocess.STDOUT)
    print('Trace had a time inversion or (most likely) lost events. Results may be anomalous.')
  # Extra processes to print information about, when cpu_usage is requested
  extra_processes = []

  for line in output.splitlines():





官方文档:宣布推出 TraceProcessor 预览版 0.1.0 - Windows Developer Blog

发布:使用 Visual Studio 发布 .NET 控制台应用程序 - .NET | Microsoft Learn


使用控制器或者Windows Kit自带的WPRUI.exe(C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\WPRUI.exe)录制etl


Visual Studio创建C#工程



输入并 搜索包然后安装:Microsoft.Windows.EventTracing.Processing.All


using Microsoft.Windows.EventTracing;
using Microsoft.Windows.EventTracing.Processes;
using System;

namespace TraceProcess
    internal class Program
        static void Main(string[] args)
            if (args.Length != 1)
                Console.Error.WriteLine("Usage: <trace.etl>");

            using (ITraceProcessor trace = TraceProcessor.Create(args[0]))
                // TODO: calL trace.Use..
                IPendingResult<IProcessDataSource> pendingProcessData = trace.UseProcesses();

                Console.WriteLine("TODO: Access data from the trace");
                IProcessDataSource processData = pendingProcessData.Result;
                foreach (IProcess process in processData.Processes)

右键项目属性,发布 + 打包



