A simple manifest-based ETW wrapper library for Rust in Windows.



This library provides Rust bindings to ETW event call APIs generated from an ETW manifest file. Currently, three functions are provided in the manifest for reference: __rt_trace, __rt_init, and __rt_cleanup. These functions are then exposed in libtrace.dll to be called in Rust.


Install the manifest file

A simple manifest file is provided. For more information on how to create the manifest file, check out this link. To install the manifest file, run the following command in administrator mode:

wevtutil im /rf:"<full_path_to_libtrace.dll>" /mf:"<full_path_to_libtrace.dll>"

The header file rtrace.h was generated with mc.exe using the command mc.exe -um. This header file is then used in libtrace.dll.

libtrace.dll is written in Visual Studio 2015. The ETW provider registration/deregistration is done during dll load/unload events. Pre-built binaries are already provided in the bin folder.

Build the test binary

A is provided alongside for testing. To build, run cargo build in the root folder. This should generate a rusttrace.exe binary in the target/debug folder. Do not forget to copy libtrace.dll to the binary location.

Real-time event capture

For real-time log capture, I usually use mftrace.exe. You can find this tool in the Windows SDK bin folder (usually C:\Program Files (x86)\Windows Kits\10\bin\x86). Note that this tool also needs mfdetours.dll, so copy both files if you move it to a different location. To start a capture, run the following command in either Command Prompt or PowerShell in administrator mode:

mftrace.exe -c config.xml

*** config.xml is also provided.


Using PerfView

For analysis, I use both PerfView and Windows Performance Analyzer tools. To capture using PerfView:

  1. Run PerfView.exe.
  2. Go to the Collect menu and select Collect (or Alt+C).
  3. Expand Advanced Options and click Provider Browser, search for RustTrace under Provider Filter, make sure Verbose level is selected, and click Add Provider.
  4. Click Start Collection.
  5. Run rusttrace.exe binary.
  6. Click Stop Collection in PerfView. This will generate, by default, a zip file called in the same directory as PerfView.exe binary.


Analysis using Windows Performance Analyzer

When you unzip the file generated from PerfView, there is a file called PerfViewData.etl that you can open using Windows Performance Analyzer.



I don't need the provider anymore. How do I uninstall it?

wevtutil um


The MIT License
