ETW Input Format
The ETW input format parses Enterprise Tracing for Windows trace log files (.etl files) and live ETW trace sessions.

Enterprise Tracing for Windows (ETW) is a framework for implementing
tracing providers that can be used for debugging and capacity planning.

An ETW trace log or live session consists of a stream of "Events", each published
by a "Provider". Windows event providers include the Kernel, IIS, COM+, and many
other Windows components.

Each event has its own set of named properties, or fields, containing the event data.
The structure of each event is described by a WMI class derived from the
"EventTrace" class and registered with the WMI repository during the setup of the
provider component. The ETW input format queries the WMI repository for these classes
to retrieve information about the structure of each event.

ETW trace log files and live sessions can be controlled through the PerfMon utility
or through the tracelog.exe or logman.exe command-line tools.

From-Entity Syntax
Fields
Parameters
Examples