EventWriteTransfer - NtDoc
Native API online documentation, based on the System Informer
(formerly Process Hacker) phnt
headers
// evntprov.h
ULONG EVNTAPI EventWriteTransfer(
[in] REGHANDLE RegHandle,
[in] PCEVENT_DESCRIPTOR EventDescriptor,
[in, optional] LPCGUID ActivityId,
[in, optional] LPCGUID RelatedActivityId,
[in] ULONG UserDataCount,
[in, optional] PEVENT_DATA_DESCRIPTOR UserData
);
View the official Win32 API referenceNo description available.
Writes an ETW event with an activity ID and an optional related activity ID.
RegHandle [in]Registration handle of the provider. The handle comes from EventRegister. The generated event will use the ProviderId associated with the handle.
EventDescriptor [in]EVENT_DESCRIPTOR with event information (metadata) including ID, Version, Level, Keyword, Channel, Opcode, and Task.
[!Important] ProviderId, Level and Keyword are the primary means for filtering events. Other kinds of filtering are possible but have much higher overhead. Always assign a nonzero level and keyword to every event.
ActivityId [in, optional]An optional pointer to a 128-bit activity ID for this event. If this is non-NULL, EventWriteTransfer will use the specified value for the event's activity ID. If this is NULL, EventWriteTransfer will use the current thread's activity ID.
Trace processing tools can use the event's activity ID to organize events into groups called activities. For additional information about the activity ID, see EventActivityIdControl.
RelatedActivityId [in, optional]An optional pointer to a 128-bit activity ID that is the parent of this event's activity. If this is non-NULL, EventWriteTransfer will use the specified value for the event's related activity ID. If this is NULL, the event will not have a related activity ID. The related activity ID is usually set on the activity's START event (the first event of the activity, logged with Opcode = START).
Trace processing tools can use the event's related activity ID to determine the relationship between activities, e.g. the related activity is the parent of the newly-started activity. For additional information about the related activity ID, see EventActivityIdControl.
UserDataCount [in]Number of EVENT_DATA_DESCRIPTOR structures in _UserData_. The maximum number is 128.
UserData [in, optional]An array of _UserDataCount_ EVENT_DATA_DESCRIPTOR structures that describe the data to be included in the event. _UserData_ may be NULL if _UserDataCount_ is zero.
Each EVENT_DATA_DESCRIPTOR describes one block of memory to be included in the event. The specified blocks will be concatenated in order with no padding or alignment to form the event content. If using manifest-based decoding, the event content must match the layout specified in the template associated with the event in the manifest.
Returns ERROR_SUCCESS if successful or an error code. Possible error codes include the following:
The error code is primarily intended for use in debugging and diagnostic scenarios. Most production code should continue to run and continue to report events even if an ETW event could not be written, so release builds should usually ignore the error code.
Most event providers will not call EventWriteTransfer directly. Instead, most event providers are implemented using an ETW framework that wraps the calls to EventRegister, EventWriteTransfer, and EventUnregister. For example, you might write an event manifest and then use the Message Compiler to generate C/C++ code for the events, or you might use TraceLogging to avoid the need for a manifest.
EventWriteTransfer will route the event to the appropriate trace sessions based on the ProviderId (determined from the _RegHandle_), Level, Keyword, and other event characteristics. If no trace sessions are recording this event, this function will do nothing and return ERROR_SUCCESS.
To reduce the performance impact of events that are not recorded by any trace session, you can call EventEnabled to determine whether any trace session is recording your event before preparing the data and calling EventWriteTransfer.
EventWriteTransfer is equivalent to EventWriteEx with 0 for _Filter_ and 0 for _Flags_.
Writing Manifest-based Events.