Skip to main content

.NET Programming: Jumpstart ETW (Event Tracking for Windows)

To get started with ETW I highly recommend this pluralsight course by Kathleen Dollard. It gives you a really good introduction, including background and some examples. It will be much harder to succeed just by googling or reading books.

I will not spoil anything from this course. Here I will just give a few more hints and annotations to show where I struggled with ETW, to help you not doing the same mistakes. After finishing the pluralsight course I was really eager to get going with my own implementation but I ran into some annoying trapped doors.

Nuget package for EventSource

The current nuget package for EventSource (Vers. 1.0.16) will create the manifest file automatically (it validates your implementation upfront, only when validation succeeds manifest file will be created. Otherwise there will be no updated or no new manifest file in your bin folder!). Therefore there is no need to create it by hand.


Running wevtutil.exe without parameters to see its help, produces this output on my console:

But all necessary commands are working. I am still investigating into this issue. But it will not effect the needed functionality, all operations worked fine for me.

In the beginning I had some trouble with wevtutil.exe
  • Making spelling mistakes
  • Specifying dll file instead of man file
  • And wrong paths (copy paste issues)
Doing these mistakes will lead into error messages like this:

Seeing these error messages for the first time confused me:

`At column=0, The system cannot locate the resource specified. Failed to load xml document`

The message made me thinking about something was wrong in my implementation in my manifest file. Maybe wrong or missing resources for translation, something in this direction. But its just talking about the parameters for wevtutil and indicates you are specifing a file that is not existing (as already described above spelling mistake in one of the paths or specified dll instead of man file and so on).

EventSource names

I had some issues specifing a “valid” EventSource name. I specified a name like this “MyCompany-MyApplication-MyEvents”. I was wondering why the regarding nested folder was not created. I could just see this entry far in the bottom in the Event Viewer:

But when I tried to open the regarding log I received this message:

The solution was really simple. There was already an existing Eventlog with the name “MyCompany” created by another application:

In this case you cannot create a nested folder with the same name. Makes sense, but a better error message would be helpful.

Maintenance for builds and installed manifests

  • Renaming and building EventSources will create new dll and man files in your build folder but it will not remove the old files. I always delete the content of my build folder when I do changes to keep the overview.
  • You need to keep your custom event sources (dll files) in installation folder (when you remove it, your views in Event Viewer will look strange), you better create a suitable folder for it. Keep man files there too, to be able to uninstall the events (I could not find a way to remove my custom events without man files).

Last but not least

Finally you should definitely checkout this nuget package with more EventSource examples.


Popular posts from this blog

How to delete Azure Active-Directories

When I was trying to delete an Azure Active-irectory by using the management portal I have received the error message “Directory contains one or more applications that were added by a user or administrator” and I was really confused.

Then I found out this is a common issue. The solution was even more confusing, some PowerShell cmdlets are needed. Unfortunately I was not able to proceed, it was not possible to login with my Microsoft-ID to execute the needed commands.

Here I found out I have to install the correct version of the tools. These are located here.

Did you ever think about two-step verification to increase your password security?

My feeling is that two-step verification is still not very common, although a lot of services are listing this feature. Here you will find them:
Facebook Google Microsoft Twitter Evernote Dropbox Apple (currently just available in U.S., UK, Australia, Ireland, and New Zealand) Helpful apps are e.g. Google Authenticator or Authy.
Updated my list on 27.02.2014 with some more services Buffer Yahoo! Apple added, Canada, France, Germany, Italy, Japan, Spain Updated my list on 10.03.2014 with one more Hootsuite Updated my list on 26.03.2014 tumblr Updated my list on 02.04.2014 APP.NET LinkedIn

Have you ever reconsidered your personal iPhone security policy?

Why should I reconsider my iPhone security policy? I have my iPhone four digit pass code and Find my iPhone feature feature is activated. So how should abuse be possible? What could a thief be doing with my stolen iPhone? Well, possibly quite a lot. At least the bold print bullets in this article should be mandatory for everyone. Of course this is no guarantee for invulnerability but it will improve your security. After watching this video you should consider the following actions:
Change your Apple ID rescue mail address and do not add this mail account to your iPhone.Consider to use a proper and usable password policy for your Apple ID like this or this (German article).Consider a complex pass code for your iPhone. As you can see in the video four digit pass codes can be hacked in no time on iPhone 4. For newer iPhone a leak is not yet known but it is properly there. Definitely do not use these pass codes.Alternative to point three: activate delete iPhone after 10 wrong attempts (Go …