Windows - View active ETW sessions so I can close one of them

Posted on 2024-11-28 14:46:50 · 608 words · 1 view · 0 comments

I am working with Event Tracing for Windows API, and from time to time, I run my application and it does not manage to close the ETW trace controller session after opening it.

Basically I do ::StartTrace([out] handle...) and do not close that handle when I'm finished with it (closing done by using ::StopTrace() function)

I'm looking for a tool that shows me the active sessions so I can close it manually. Without it I have to restart my PC in order for the controller session to be closed at shutdown.

Also, in the same ETW area (on Win 7), I understand that I should be able to see the data layouts for public MOF descriptions using wbemtest.exe. There I am supposed to enter in

- Connect -> Namespace = \\root\wmi\EventTrace

to see MOF data. But I get "The RPC server is unavailable". Using in that screen the default values: IWBemLocator(Namespaces), How to interpret password = null, Authentication level = packet.

In the credentials area I have user and Password (which I tried) but there is another empty field - Authority. Is there a way to see MOF data? I ran this elevated under Win 7.


Comments (3)

做个少女永远怀春 2024-12-05 14:46:50

You can use the command logman query -ets to see a list of currently running Trace Event Sessions.
For example, on Windows 10, you will see something like this:

C:\>logman query -ets

Data Collector Set                      Type                          Status
-------------------------------------------------------------------------------
AppModel                                Trace                         Running
FaceRecoTel                             Trace                         Running
FaceUnlock                              Trace                         Running
LwtNetLog                               Trace                         Running
Microsoft Security Client WMI Providers Trace                         Running
NtfsLog                                 Trace                         Running
TileStore                               Trace                         Running
WiFiSession                             Trace                         Running
SCM                                     Trace                         Running
UserNotPresentTraceSession              Trace                         Running
CldFltLog                               Trace                         Running
SHS-05042018-095434-7-5f                Trace                         Running
WDSC-05042018-095434-7-20               Trace                         Running
Diagtrack-Listener                      Trace                         Running
8696EAC4-1288-4288-A4EE-49EE431B0AD9    Trace                         Running
Cloud Files Diagnostic Event Listener   Trace                         Running

The command completed successfully.

If you have created your own session, for example by using Microsoft.Diagnostics.Tracing.Session.TraceEventSession,
you will have given the session a unique name, and if it is running, you should see it in the list.

To kill an existing session, do this, as an administrator:

logman stop <SessionName> -ets

There are also some PowerShell cmdlets that can do similar things.
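
An added example, not part of the answer above: a Python script that parses logman query -ets output by the header's column offsets, so session names containing spaces stay intact, and reports sessions that are absent from a known-good baseline. The sample rows, the session name "MyApp Trace Session" and the baseline set are constructed for illustration, and English-locale column headers are assumed.

```python
import subprocess

# Constructed sample in the same 40/30-column layout as the listing above;
# "MyApp Trace Session" stands in for a session an application left running.
ROWS = [("AppModel", "Trace", "Running"),
        ("Microsoft Security Client WMI Providers", "Trace", "Running"),
        ("NtfsLog", "Trace", "Running"),
        ("MyApp Trace Session", "Trace", "Running")]
SAMPLE = "\n".join(
    ["", f"{'Data Collector Set':<40}{'Type':<30}Status", "-" * 79]
    + [f"{n:<40}{t:<30}{s}" for n, t, s in ROWS]
    + ["", "The command completed successfully.", ""])


def parse_logman_ets(text):
    """Return [(name, type, status)] from `logman query -ets` output."""
    lines = text.splitlines()
    # The dashed rule separates the header line from the session rows.
    rule = next((i for i, l in enumerate(lines)
                 if l.strip() and set(l.strip()) == {"-"}), None)
    if not rule:  # no rule found, or no header line above it
        return []
    header = lines[rule - 1]
    type_col, status_col = header.index("Type"), header.index("Status")
    sessions = []
    for line in lines[rule + 1:]:
        if not line.strip():
            break  # a blank line ends the table
        sessions.append((line[:type_col].strip(),
                         line[type_col:status_col].strip(),
                         line[status_col:].strip()))
    return sessions


def leaked_sessions(sessions, baseline):
    """Sessions running now whose names are not in the baseline set."""
    return [s for s in sessions if s[0] not in baseline]


def running_sessions():
    """Query a live Windows host; not called when the sample is used."""
    out = subprocess.run(["logman", "query", "-ets"], capture_output=True,
                         text=True, check=True).stdout
    return parse_logman_ets(out)


if __name__ == "__main__":
    baseline = {"AppModel", "Microsoft Security Client WMI Providers", "NtfsLog"}
    for name, _type, _status in leaked_sessions(parse_logman_ets(SAMPLE), baseline):
        # Print the stop command from the answer rather than running it.
        print(f'logman stop "{name}" -ets')
```

On a live machine, replace parse_logman_ets(SAMPLE) with running_sessions() and build the baseline from a listing taken before the application was started.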

孤蝉 2024-12-05 14:46:50

The QueryAllTraces function retrieves the properties and statistics for all event tracing sessions started on the computer for which the caller has permissions to query.

May I suggest posting the second part of your question as a separate question?

二货你真萌 2024-12-05 14:46:50

The tracelog command line utility that comes along with the Windows SDK allows you to do the same thing as QueryAllTraces with the tracelog -l command.
