From 0ca5b57ba347192ccae4929c3bc0a95af959be64 Mon Sep 17 00:00:00 2001
From: kanwalpreetkaur <100376991+kanwal-kaur@users.noreply.github.com>
Date: Fri, 1 Aug 2025 12:14:00 -0400
Subject: [PATCH] Update etwlogs.md

The command doesn't work as intended.
Explanation for the fix:
1. Windows requires the GUID inside quotes because it's treated as a string (the provider name) in this context. Without quotes, the command parser may interpret the braces or hyphens incorrectly.
2. Passing 0x0 as the only flag after the provider GUID is valid. Supplying two numbers like 0 0 (as in some bad examples) misleads logman, which tries to interpret the second value as outputFormat.
3. The -o trace.etl must be at the end and not mistaken for a different parameter like -f (output format), unless you're also explicitly setting -f to text or xml.
---
 content/manuals/engine/logging/drivers/etwlogs.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/manuals/engine/logging/drivers/etwlogs.md b/content/manuals/engine/logging/drivers/etwlogs.md
index 34a579973e85..98f3960ade70 100644
--- a/content/manuals/engine/logging/drivers/etwlogs.md
+++ b/content/manuals/engine/logging/drivers/etwlogs.md
@@ -25,7 +25,7 @@ before the provider has been registered with the system.
 Here is an example of how to listen to these events using the logman utility program
 included in most installations of Windows:
 
-1. `logman start -ets DockerContainerLogs -p {a3693192-9ed6-46d2-a981-f8226c8363bd} 0 0 -o trace.etl`
+1. `logman start -ets DockerContainerLogs -p "{a3693192-9ed6-46d2-a981-f8226c8363bd}" 0x0 -o trace.etl`
 2. Run your container(s) with the etwlogs driver, by adding
    `--log-driver=etwlogs` to the Docker run command, and generate log messages.
 3. `logman stop -ets DockerContainerLogs`