Halloween Spooktacular Day 10: Use TraceEvent
In the previous hint, I explained that CSwitch events alone would not be sufficient for completing the challenge. To make progress, I suggested you’d need a way to force ETW to produce PMC events at very specific points in a program’s execution. Achieving this takes a fair bit of ingenuity.
Today’s hint is about where to start. Putting PMCs aside for a moment, if you just want ETW to produce an event at a precise point in a program, there’s a way to do that: call TraceEvent.
TraceEvent instructs ETW to generate an event in the event log. By calling TraceEvent once at the start of a code block, and again at the end, you can ensure that ETW will record events at precisely those times in the execution of a program.
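The bracketing described above, as an added example that is not part of the original post. It assumes a classic provider registered with RegisterTraceGuids; the GUIDs and the helper names (marker_init, mark, marker_close, work) are hypothetical, and mark reports an error instead of logging when no trace session has enabled the provider.

```c
/* Added example: bracket a code block with TraceEvent. Link with advapi32. */
#ifdef _WIN32
#include <windows.h>
#include <wmistr.h>
#include <evntrace.h>
/* Hypothetical GUIDs, constructed for this example. */
static const GUID kProvider = {0x6f1d2c3a,0x1111,0x4222,{0x83,0x33,0x44,0x55,0x66,0x77,0x88,0x99}};
static const GUID kMarker   = {0x6f1d2c3b,0x1111,0x4222,{0x83,0x33,0x44,0x55,0x66,0x77,0x88,0x99}};
static TRACEHANDLE g_reg, g_session;   /* g_session is 0 until a session enables us */

/* ETW calls this when a trace session enables or disables the provider. */
static ULONG WINAPI control(WMIDPREQUESTCODE code, PVOID ctx, ULONG *rsvd, PVOID buf) {
    (void)ctx; (void)rsvd;
    if (code == WMI_ENABLE_EVENTS)  g_session = GetTraceLoggerHandle(buf);
    if (code == WMI_DISABLE_EVENTS) g_session = 0;
    return ERROR_SUCCESS;
}
unsigned long marker_init(void) {
    TRACE_GUID_REGISTRATION cls = { &kMarker, NULL };
    return RegisterTraceGuidsW(control, NULL, &kProvider, 1, &cls, NULL, NULL, &g_reg);
}
/* Emit one marker event; type is EVENT_TRACE_TYPE_START (1) or _END (2). */
unsigned long mark(unsigned char type) {
    EVENT_TRACE_HEADER h;
    if (!g_session) return ERROR_INVALID_HANDLE;   /* no session is listening */
    ZeroMemory(&h, sizeof h);
    h.Size = sizeof h;
    h.Flags = WNODE_FLAG_TRACED_GUID;
    h.Guid = kMarker;
    h.Class.Type = type;
    h.Class.Level = TRACE_LEVEL_INFORMATION;
    return TraceEvent(g_session, &h);
}
void marker_close(void) { UnregisterTraceGuids(g_reg); }
#else  /* ETW is Windows-only: elsewhere the markers only report failure */
unsigned long marker_init(void) { return 0; }
unsigned long mark(unsigned char type) { (void)type; return 50; /* ERROR_NOT_SUPPORTED */ }
void marker_close(void) {}
#endif

/* Stand-in for the code block being bracketed. */
unsigned long work(void) {
    volatile unsigned long sum = 0;
    for (unsigned long i = 1; i <= 1000; i++) sum += i;
    return sum;
}
int main(void) {
    if (marker_init() != 0) return 1;
    mark(1);                       /* EVENT_TRACE_TYPE_START: event at block entry */
    unsigned long r = work();
    mark(2);                       /* EVENT_TRACE_TYPE_END: event at block exit */
    marker_close();
    return r == 500500 ? 0 : 1;
}
```

The markers appear in a trace only while a session has enabled the provider GUID, so check the return value of mark when an expected event is missing.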
That concludes today’s hint. Until tomorrow, good luck making progress on the Spooktacular Challenge!
I will post additional hints here every day until Halloween.