Question
I can't seem to find an ETW provider for tracing ETW lifecycle events, such as:
- when is a trace event session created (name, options)
- when is a trace event session disposed
- when is a provider enabled for a trace event session (provider name, guid, options)
- when is a provider disabled for a trace event session (provider name, guid, options)
This is self-tracing - using ETW to trace itself. I can't just make such an ETW provider, it has to have been made already by Microsoft, as the events must originate from within the Windows kernel.
Answer 1:
Microsoft-Windows-Kernel-EventTracing is the provider for ETW lifecycle events.
Source: https://stackoverflow.com/questions/54105897/is-there-a-microsoft-built-in-etw-provider-for-tracing-etw-lifecycle-events
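One way to see what the provider named in the answer reports, as an added example that is not part of the original question or answer: it lists the provider's declared events, records it while a throwaway session is started and stopped, then reads the capture back. The session names, the ETL paths and the choice of Microsoft-Windows-Kernel-Process as the probe provider are assumptions; run it from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example. Session names and file paths below are assumptions, not values from the page.
$provider = 'Microsoft-Windows-Kernel-EventTracing'   # provider named in the answer
$capture  = 'EtwLifecycleCapture'                      # hypothetical capture session
$probe    = 'EtwLifecycleProbe'                        # hypothetical throwaway session
$etl      = Join-Path $env:TEMP 'etw-lifecycle.etl'
$probeEtl = Join-Path $env:TEMP 'etw-probe.etl'
Remove-Item $etl, $probeEtl -ErrorAction SilentlyContinue

# 1. Ask the provider's manifest which events and channels it declares,
#    instead of hard-coding event IDs.
$meta = Get-WinEvent -ListProvider $provider
$meta.Events |
    Sort-Object Id -Unique |
    Select-Object Id,
                  @{ n = 'Keywords'; e = { $_.Keywords.Name -join ',' } },
                  Description |
    Format-Table -Wrap
$meta.LogLinks | Select-Object LogName

# 2. Start a real-time session that records the provider to an ETL file
#    (all keywords, all levels).
logman start $capture -p $provider 0xffffffffffffffff 0xff -o $etl -ets | Out-Null
try {
    # 3. Generate lifecycle activity: create a second session, enable a
    #    provider on it, then tear it down again.
    logman start $probe -p 'Microsoft-Windows-Kernel-Process' -o $probeEtl -ets | Out-Null
    logman stop  $probe -ets | Out-Null
}
finally {
    # Always stop the capture session so it does not linger after an error.
    logman stop $capture -ets | Out-Null
}

# 4. Read back whatever the provider emitted during the window.
#    -Oldest is required when reading .etl files.
Get-WinEvent -Path $etl -Oldest |
    Select-Object TimeCreated, Id, Message |
    Format-List

Remove-Item $probeEtl -ErrorAction SilentlyContinue
```

Which session and provider changes show up depends on the Windows build, so compare the captured IDs against the manifest listing from step 1 before building any alerting on them.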