This library provides Rust bindings to ETW event call APIs generated from an ETW manifest file. Currently, three functions are provided in the manifest for reference, among them `__rt_cleanup`. These functions are exposed by `libtrace.dll` so that they can be called from Rust.
Install the manifest file

Run this from an elevated (administrator) prompt. `/rf` and `/mf` must be full paths: they are recorded with the provider registration and are resolved later when the events are decoded, so a relative path breaks message lookup.

```
wevtutil im rtrace.man /rf:"<full_path_to_libtrace.dll>" /mf:"<full_path_to_libtrace.dll>"
```
The header file `rtrace.h` was generated from the manifest with `mc.exe` using the command `mc.exe -um rtrace.man`. This header file is then used in `libtrace.dll`, which is written in Visual Studio 2015. The ETW provider registration/deregistration is done during DLL load/unload events. Pre-built binaries are already provided.
Build the test binary

`main.rs` is provided alongside `lib.rs` for testing. To build, just run `cargo build` in the root folder. This should generate a `rusttrace.exe` binary in the `target/debug` folder. Do not forget to copy `libtrace.dll` to the binary location: the test binary depends on it at run time, and the provider is only registered when the DLL is loaded.
Real-time event capture

For real-time log capture, I usually use `mftrace.exe`. This tool ships in the Windows SDK bin folder (usually `C:\Program Files (x86)\Windows Kits\10\bin\x86`). Note that it also needs `mfdetours.dll`, so copy both files if you move the tool to a different location. To start capture, run the following command from a command prompt or PowerShell opened in administrator mode:

```
mftrace.exe -c config.xml
```

A `config.xml` is also provided.
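The install, DLL-copy and capture steps above, collected into a small Rust helper. This is an added example and not code from the rtrace project: it assumes the layout this README names (`rtrace.man` and `libtrace.dll` in the repository root, `rusttrace.exe` under `target/debug`) and that the manifest's `<provider>` element carries `name` and `guid` attributes the way `mc.exe` manifests do. As a file-based alternative to `mftrace.exe` it builds a `logman` command from the parsed GUID; the session name `rtrace`, the output file name and the keyword/level values are my choices. External tools are only invoked on Windows; the path and manifest handling is plain `std` and runs anywhere.

```rust
// Added example (not part of the rtrace project): a setup helper for the
// workflow above. Assumes rtrace.man and libtrace.dll in the repo root and
// rusttrace.exe under target/debug. Tools are only run on Windows.
use std::fs;
use std::io;
use std::path::{Path, PathBuf};
#[cfg(windows)]
use std::process::Command;

/// Extract the provider `name` and `guid` from the `<provider ...>` element of
/// an ETW instrumentation manifest. mc.exe puts both attributes on that element,
/// so a whitespace-normalized string scan is enough; no XML crate is needed.
pub fn provider_from_manifest(xml: &str) -> Option<(String, String)> {
    let start = xml.find("<provider")?;
    let end = start + xml[start..].find('>')?;
    // Collapse newlines/indentation so every `key="value"` is preceded by one space.
    let elem = xml[start..end].split_whitespace().collect::<Vec<_>>().join(" ");
    let attr = |key: &str| -> Option<String> {
        let pat = format!(" {}=\"", key);
        let i = elem.find(&pat)? + pat.len();
        let j = i + elem[i..].find('"')?;
        Some(elem[i..j].to_string())
    };
    Some((attr("name")?, attr("guid")?))
}

/// Canonical paths on Windows carry a `\\?\` prefix that command-line tools
/// such as wevtutil do not accept; resolve to an absolute path without it.
fn plain_absolute(p: &Path) -> io::Result<String> {
    let s = fs::canonicalize(p)?.display().to_string();
    let trimmed = s.strip_prefix(r"\\?\").unwrap_or(&s).to_string();
    Ok(trimmed)
}

/// Arguments for `wevtutil im`. The README's install line needs the *full*
/// path of libtrace.dll for /rf and /mf because it is recorded with the
/// registration, so the caller's (possibly relative) path is resolved here.
pub fn wevtutil_install_args(manifest: &Path, dll: &Path) -> io::Result<Vec<String>> {
    let dll = plain_absolute(dll)?;
    Ok(vec![
        "im".to_string(),
        manifest.display().to_string(),
        format!("/rf:{dll}"),
        format!("/mf:{dll}"),
    ])
}

/// Arguments for `wevtutil um`, the uninstall step at the end of the README.
pub fn wevtutil_uninstall_args(manifest: &Path) -> Vec<String> {
    vec!["um".to_string(), manifest.display().to_string()]
}

/// `logman` command that records the provider to an .etl file, a file-based
/// alternative to mftrace that needs no config.xml because the GUID comes
/// from the manifest. 0xffffffff enables all keywords, level 5 is verbose.
pub fn logman_start_args(session: &str, guid: &str, etl: &Path) -> Vec<String> {
    vec![
        "start".to_string(), session.to_string(), "-p".to_string(), guid.to_string(),
        "0xffffffff".to_string(), "5".to_string(),
        "-o".to_string(), etl.display().to_string(), "-ets".to_string(),
    ]
}

/// Copy libtrace.dll next to the built binary (the README's "do not forget"
/// step). Returns the destination path.
pub fn place_dll(dll: &Path, exe_dir: &Path) -> io::Result<PathBuf> {
    let file = dll
        .file_name()
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "dll path has no file name"))?;
    fs::create_dir_all(exe_dir)?;
    let dest = exe_dir.join(file);
    fs::copy(dll, &dest)?;
    Ok(dest)
}

#[cfg(windows)]
fn run(tool: &str, args: &[String]) -> io::Result<bool> {
    Ok(Command::new(tool).args(args).status()?.success())
}

fn main() -> io::Result<()> {
    let manifest = Path::new("rtrace.man");
    let dll = Path::new("libtrace.dll");
    let (name, guid) = provider_from_manifest(&fs::read_to_string(manifest)?)
        .expect("manifest has no <provider name=... guid=...> element");
    println!("provider {name} {guid}");
    let install = wevtutil_install_args(manifest, dll)?;
    println!("wevtutil {}", install.join(" "));
    let dest = place_dll(dll, Path::new("target/debug"))?;
    println!("copied {}", dest.display());
    #[cfg(windows)]
    {
        // Needs an elevated prompt, exactly like the README's manual steps.
        run("wevtutil", &install)?;
        // Post-install check: `wevtutil gp <name>` only succeeds for a registered provider.
        let registered = run("wevtutil", &["gp".to_string(), name.clone()])?;
        println!("registered: {registered}");
        let start = logman_start_args("rtrace", &guid, Path::new("rtrace.etl"));
        println!("logman {}  (then run rusttrace.exe and `logman stop rtrace -ets`)", start.join(" "));
    }
    Ok(())
}
```

After `logman stop rtrace -ets` the resulting `rtrace.etl` opens in PerfView or Windows Performance Analyzer like the PerfView-collected file described below; if no events from the provider appear, the registration check (`wevtutil gp <name>`) and the DLL copy are the two things to verify first.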
For analysis, I use both PerfView and Windows Performance Analyzer. To capture using PerfView:

- Go to the `Collect` menu and open the collection dialog, expand `Advanced Options` and click `Provider Browser`.
- In `Provider Filter`, search for the provider from `rtrace.man` and select it.
- Make sure the `Verbose` level is selected, then start collection.
- Run `rusttrace.exe` to emit events, then click `Stop Collection` in PerfView. This will generate, by default, a zip file called `PerfViewData.etl.zip` in the same directory as PerfView.

When you unzip the file generated from PerfView, there is a file called `PerfViewData.etl` that you can open using Windows Performance Analyzer.
I don't need the provider anymore. How do I uninstall it?

Run this from an elevated prompt, with the same `rtrace.man` still available:

```
wevtutil um rtrace.man
```