Halloween Spooktacular Day 13: Use SysCallExit to Mark Start Points
Today’s hint reveals the kernel event to use for marking the start of a profiling block. As far as I was able to determine after extensive testing, SysCallExit events are the best-suited events you can use for this purpose.
Specifically, as luck would have it, calls to TraceEvent are themselves recorded as system calls by ETW. This means that, if you request SysCallExit events when you start your trace, every one of your custom TraceEvent events will be immediately followed by a SysCallExit event. Because SysCallExit events are kernel events, and they happen to be among the kernel events that support PMC collection, you can use this to get PMC counter values at the point in a program where your TraceEvent returns.
In your collection thread, you can watch for your custom event, then read the PMC values attached to the SysCallExit event that immediately follows it. Combined, the two events give you both the UserData that specifies which collection point you’re processing, and the PMC data to know what the counter values are at that collection point.
Remember, to enable SysCallExit events with PMCs attached, you must do two things: ensure EVENT_TRACE_FLAG_SYSTEMCALL is in your EVENT_TRACE_PROPERTIES_V2 EnableFlags field, and add the proper GUID and opcode to the event listing you pass to TraceSetInformation. You can find the GUID and opcode on MSDN.
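The pairing step described above, sketched as an added example that is not code from the original post. It runs over a constructed, already-decoded event stream rather than a live ETW session; the struct and field names are hypothetical, and matching a marker to the next SysCallExit on the same processor is an assumption made here so that events from other processors in a merged trace are not mistaken for the pair.

```c
#include <stdint.h>
#include <stddef.h>

#define MAX_CPUS  64
#define PMC_COUNT 2

/* Constructed stand-ins for already-decoded ETW events (hypothetical names). */
typedef enum { EV_MARKER, EV_SYSCALL_EXIT } EventKind;
typedef struct {
    EventKind kind;
    uint32_t  cpu;             /* processor the event was logged on */
    uint32_t  point_id;        /* marker UserData: which collection point */
    uint64_t  pmc[PMC_COUNT];  /* counter values attached to a SysCallExit */
} Event;
typedef struct { uint32_t point_id; uint64_t pmc[PMC_COUNT]; } Sample;

/* Pair each marker with the next SysCallExit on the same CPU (assumption).
   Returns the number of samples written to out (at most cap). */
size_t pair_markers(const Event *ev, size_t n, Sample *out, size_t cap)
{
    int      pending[MAX_CPUS] = {0};  /* marker seen, exit not yet seen */
    uint32_t point[MAX_CPUS]   = {0};  /* point_id of the pending marker */
    size_t   count = 0;

    for (size_t i = 0; i < n; ++i) {
        const Event *e = &ev[i];
        if (e->cpu >= MAX_CPUS) continue;
        if (e->kind == EV_MARKER) {    /* a newer marker replaces an unpaired one */
            pending[e->cpu] = 1;
            point[e->cpu]   = e->point_id;
        } else if (e->kind == EV_SYSCALL_EXIT && pending[e->cpu]) {
            pending[e->cpu] = 0;       /* later exits belong to other syscalls */
            if (count == cap) break;
            out[count].point_id = point[e->cpu];
            for (int k = 0; k < PMC_COUNT; ++k) out[count].pmc[k] = e->pmc[k];
            ++count;
        }
    }
    return count;
}

/* Constructed sample stream, in merged timestamp order. */
static const Event SAMPLE[] = {
    { EV_MARKER,       0, 1, {0, 0} },
    { EV_SYSCALL_EXIT, 1, 0, {999, 99} },    /* other CPU, no marker: ignored */
    { EV_SYSCALL_EXIT, 0, 0, {1500, 120} },  /* pairs with point 1 */
    { EV_MARKER,       0, 2, {0, 0} },
    { EV_SYSCALL_EXIT, 0, 0, {4200, 310} },  /* pairs with point 2 */
    { EV_MARKER,       1, 3, {0, 0} },       /* trace ends first: no sample */
};
#define SAMPLE_COUNT (sizeof SAMPLE / sizeof SAMPLE[0])
```

Subtracting the counters of two paired samples gives the counts accumulated between the two collection points.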
That concludes today’s hint. Until tomorrow, good luck making progress on the Spooktacular Challenge!
I will post additional hints here every day until Halloween.

