Filtering ETW Events RRS feed

  • Question

  • Is there any way to filter ETW Event callbacks?

    I am getting all of the events I need by starting a trace with a keyword; unfortunately some keywords enable many many event ids (for example, FILEIO keyword for Microsoft-Windows-Kernel-File provider gives me all IO events, when I just need file close events). I can filter these within the callback but I'd rather not even receive the callback for certain event IDs. I've tried the PEVENT_FILTER_DESCRIPTOR with EnableTraceEx2 but without any luck (filters seem to have no effect).

    • Do those filters work on Window 7?
    • Are there other ways to filter callbacks?


    • Moved by Shu 2017 Monday, February 23, 2015 2:37 AM
    Friday, February 20, 2015 3:16 PM


All replies

  • Hi Surra,

    Thanks for posting in MSDN forum.

    VC++ forum discusses and ask questions about the Visual C++ IDE, libraries, samples, tools, setup, and Windows programming using MFC and ATL. So your post may off-topic here. I will move this to Where is the forum for...? Forum to help you find a right forum for this issue. Thanks for your understanding.

    Best regards,

    Shu Hu

    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
    Click HERE to participate the survey.

    Monday, February 23, 2015 2:36 AM
  • Might try them over here.





    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    • Proposed as answer by Mike Laughlin Monday, February 23, 2015 2:11 PM
    • Marked as answer by Just Karl Wednesday, March 4, 2015 9:48 PM
    Monday, February 23, 2015 3:05 AM