This library provides Rust bindings to ETW event call APIs generated from an ETW manifest file. Currently, three functions are provided in the manifest for reference: `__rt_trace`, `__rt_init`, and `__rt_cleanup`. These functions are exposed by `libtrace.dll` so that they can be called from Rust.
A simple manifest file is provided. For more information on how to create the manifest file, check out this link. To install the manifest file, run the following command from an administrator prompt:

```
wevtutil im rtrace.man /rf:"<full_path_to_libtrace.dll>" /mf:"<full_path_to_libtrace.dll>"
```
The header file `rtrace.h` was generated with `mc.exe` using the command `mc.exe -um rtrace.man`. This header file is then compiled into `libtrace.dll`.
`libtrace.dll` is written in Visual Studio 2015. ETW provider registration and deregistration are done in the DLL load and unload events. Pre-built binaries are provided in the `bin` folder.
A `main.rs` is provided alongside `lib.rs` for testing. To build, run `cargo build` in the root folder. This generates a `rusttrace.exe` binary in the `target/debug` folder. Do not forget to copy `libtrace.dll` to the binary's location.
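The Rust side of the binding, as an added example rather than the project's own `lib.rs`: the three exports named above are declared with their DLL linkage and wrapped in a safe API. The C signatures are an assumption (the README does not give them): here `__rt_init` and `__rt_cleanup` take no arguments and return a status word, and `__rt_trace` takes a NUL-terminated UTF-16 message. Outside Windows the DLL is replaced by a stand-in that records messages, so the wrapper can be built and exercised anywhere.

```rust
// Added example, not from the rusttrace project: a safe wrapper around the
// three exports the README says libtrace.dll provides. The C signatures are
// ASSUMED (the README does not give them): init/cleanup take no arguments and
// return 0 on success; trace takes a NUL-terminated UTF-16 string.

#[derive(Debug, PartialEq)]
pub enum TraceError {
    EmbeddedNul, // message contained '\0', which would truncate the log entry
    Native(u32), // non-zero status returned by the DLL
}

#[cfg(windows)]
mod ffi {
    // Resolved at load time from libtrace.dll next to the executable
    // (the README: copy libtrace.dll to the binary location).
    #[link(name = "libtrace")]
    extern "C" {
        pub fn __rt_init() -> u32;
        pub fn __rt_trace(msg: *const u16) -> u32;
        pub fn __rt_cleanup() -> u32;
    }
}

#[cfg(not(windows))]
mod ffi {
    // Stand-in for the DLL on non-Windows hosts: records each message so the
    // wrapper can be exercised without ETW. Same assumed signatures as above.
    use std::cell::RefCell;
    thread_local! {
        pub static LOG: RefCell<Vec<String>> = RefCell::new(Vec::new());
    }
    pub unsafe fn __rt_init() -> u32 { 0 }
    pub unsafe fn __rt_trace(msg: *const u16) -> u32 {
        let mut len = 0;
        while *msg.add(len) != 0 { len += 1; } // walk to the NUL like a C callee would
        let text = String::from_utf16_lossy(std::slice::from_raw_parts(msg, len));
        LOG.with(|l| l.borrow_mut().push(text));
        0
    }
    pub unsafe fn __rt_cleanup() -> u32 { 0 }
}

/// Encode a Rust string as a NUL-terminated UTF-16 buffer for a wide-string API.
/// An embedded NUL is rejected instead of silently truncating the message.
pub fn to_wide(s: &str) -> Result<Vec<u16>, TraceError> {
    if s.contains('\0') {
        return Err(TraceError::EmbeddedNul);
    }
    Ok(s.encode_utf16().chain(std::iter::once(0)).collect())
}

fn check(status: u32) -> Result<(), TraceError> {
    if status == 0 { Ok(()) } else { Err(TraceError::Native(status)) }
}

/// RAII guard: __rt_init runs when the guard is created and __rt_cleanup when
/// it is dropped, so a trace can never be emitted on an uninitialised provider.
pub struct Tracer { _private: () }

impl Tracer {
    pub fn init() -> Result<Tracer, TraceError> {
        check(unsafe { ffi::__rt_init() })?;
        Ok(Tracer { _private: () })
    }

    pub fn trace(&self, msg: &str) -> Result<(), TraceError> {
        let wide = to_wide(msg)?;
        // `wide` outlives the call, so the pointer stays valid for its duration.
        check(unsafe { ffi::__rt_trace(wide.as_ptr()) })
    }
}

impl Drop for Tracer {
    fn drop(&mut self) {
        unsafe { ffi::__rt_cleanup(); }
    }
}

/// Messages recorded by the non-Windows stand-in (not available on Windows).
#[cfg(not(windows))]
pub fn captured() -> Vec<String> {
    ffi::LOG.with(|l| l.borrow().clone())
}

fn main() {
    let tracer = Tracer::init().expect("provider init failed");
    tracer.trace("hello from rusttrace").expect("trace failed");
    // __rt_cleanup runs here when `tracer` is dropped
}
```

The guard pattern is what matters at the FFI boundary: the wide buffer outlives the call so the DLL never sees a dangling pointer, an embedded NUL is refused rather than silently cutting a log entry short, and cleanup is tied to `Drop` so init and cleanup always pair up.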
For real-time log capture, I usually use `mftrace.exe`. You can find this tool in the Windows SDK bin folder (usually `C:\Program Files (x86)\Windows Kits\10\bin\x86`). Note that this tool also needs `mfdetours.dll`, in case you copy it to a different location. To start capture, run the following command in either Command Prompt or PowerShell in administrator mode:

```
mftrace.exe -c config.xml
```

A `config.xml` is also provided.
Using PerfView
For analysis, I use both PerfView and Windows Performance Analyzer. To capture using PerfView:

- Run `PerfView.exe`.
- Go to the `Collect` menu and select `Collect` (or Alt+C).
- Expand `Advanced Options` and click `Provider Browser`, search for `RustTrace` under `Provider Filter`, make sure the `Verbose` level is selected, and click `Add Provider`.
- Click `Start Collection`.
- Run the `rusttrace.exe` binary.
- Click `Stop Collection` in PerfView. By default this generates a zip file called `PerfViewData.etl.zip` in the same directory as the `PerfView.exe` binary.
Analysis using Windows Performance Analyzer
When you unzip the file generated by PerfView, it contains a file called `PerfViewData.etl` that you can open in Windows Performance Analyzer.
To uninstall the manifest, run:

```
wevtutil um rtrace.man
```