Halloween Spooktacular Day 3: Trace in Real-Time Mode
With luck, by now you have discovered that, to receive events from ETW, you must both “start” and “open” a trace. The Spooktacular Challenge requires you to provide PMC counter data to a running program, so you’ll need to open your trace in real-time mode.
To that end, here is today’s hint: when you open your trace with OpenTraceW, make sure you pass the right set of flags for a real-time trace. These flags will ensure you receive event records, properly timestamped, shortly after they are generated by ETW.
The flags go in the ProcessTraceMode member of the EVENT_TRACE_LOGFILEW structure, something like this:
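EVENT_TRACE_LOGFILEW Log = {};
// EVENT_RECORD: deliver events in the EVENT_RECORD format (via EventRecordCallback).
// RAW_TIMESTAMP: leave timestamps in the session's clock units instead of converting them.
// REAL_TIME: consume events from a live session rather than from a logfile.
Log.ProcessTraceMode = PROCESS_TRACE_MODE_EVENT_RECORD | PROCESS_TRACE_MODE_RAW_TIMESTAMP | PROCESS_TRACE_MODE_REAL_TIME;
// ... fill out other members of Log here ...
TRACEHANDLE TraceSession = OpenTraceW(&Log);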
With those flags set, assuming you’ve done everything else right, you will receive ETW events directly in your running program instead of ETW writing them to a logfile.
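As an added example (not code from the original post), here is one way the consumer side can look with those flags, including what the raw timestamps mean in practice. The session name ExampleSession, the callback OnEventRecord and the helper RawQpcDeltaToMicroseconds are hypothetical, and the example assumes the session was started with the QPC clock, so raw timestamps are performance-counter ticks.

```c
#include <stdint.h>

/* PROCESS_TRACE_MODE_RAW_TIMESTAMP leaves EventHeader.TimeStamp in the
   session's clock units. For a QPC-clock session (assumed here), turn a tick
   delta into microseconds; dividing first keeps ticks * 1000000 from overflowing. */
uint64_t RawQpcDeltaToMicroseconds(uint64_t StartTicks, uint64_t NowTicks, uint64_t PerfFreq)
{
    if (PerfFreq == 0 || NowTicks < StartTicks) return 0;
    uint64_t Delta = NowTicks - StartTicks;
    return (Delta / PerfFreq) * 1000000u + ((Delta % PerfFreq) * 1000000u) / PerfFreq;
}

#ifdef _WIN32 /* consumer side; link with advapi32.lib */
#include <windows.h>
#include <evntrace.h>
#include <evntcons.h>
#include <stdio.h>

static uint64_t FirstTicks, SessionPerfFreq;
static int HaveFirst;

static void WINAPI OnEventRecord(EVENT_RECORD *Event)
{
    uint64_t Ticks = (uint64_t)Event->EventHeader.TimeStamp.QuadPart;
    if (!HaveFirst) { FirstTicks = Ticks; HaveFirst = 1; }
    printf("+%llu us opcode %u\n",
           (unsigned long long)RawQpcDeltaToMicroseconds(FirstTicks, Ticks, SessionPerfFreq),
           (unsigned)Event->EventHeader.EventDescriptor.Opcode);
}

int main(void)
{
    LARGE_INTEGER Freq;
    QueryPerformanceFrequency(&Freq); /* ticks per second of the QPC clock */
    SessionPerfFreq = (uint64_t)Freq.QuadPart;

    EVENT_TRACE_LOGFILEW Log = {0};
    Log.LoggerName = (LPWSTR)L"ExampleSession"; /* hypothetical: the name given to StartTraceW */
    Log.ProcessTraceMode = PROCESS_TRACE_MODE_EVENT_RECORD | PROCESS_TRACE_MODE_RAW_TIMESTAMP | PROCESS_TRACE_MODE_REAL_TIME;
    Log.EventRecordCallback = OnEventRecord;

    TRACEHANDLE Trace = OpenTraceW(&Log);
    if (Trace == INVALID_PROCESSTRACE_HANDLE) {
        printf("OpenTraceW failed: %lu\n", GetLastError());
        return 1;
    }
    ULONG Status = ProcessTrace(&Trace, 1, NULL, NULL); /* blocks while delivering events to OnEventRecord */
    CloseTrace(Trace);
    return Status == ERROR_SUCCESS ? 0 : 1;
}
#endif
```

The session itself still has to be started separately under the same name before OpenTraceW can attach to it.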
That concludes today’s hint. Until tomorrow, good luck making progress on the Spooktacular Challenge!
I will post additional hints here every day until Halloween.