As suggested in the first hint, you will need to tell ETW which PMCs to collect using TraceSetInformation. It’s tricky figuring out how it’s supposed to work, but even if you do, you will find that you still don’t get any PMCs with your ETW events.
CLASSIC_EVENT_ID led me way off track before I figured out the valid values. To avoid spoiling anything unnecessarily, here's a base64 encoded link I found with valid values (and some remarks on what I tried before I found it):
It looks like that TracePmcEventListInfo can only be used of kernel ETW session (with name "NT Kernel Logger"). So does this mean that for capturing PCM counters, we need to trigger a kernel ETW event?I guess we can not just register new kernel event, so we would need to "abuse" a current one - preferably one that does not burn too many CPU cycles - such as Kernel/FileCreate :-)
CLASSIC_EVENT_ID led me way off track before I figured out the valid values. To avoid spoiling anything unnecessarily, here's a base64 encoded link I found with valid values (and some remarks on what I tried before I found it):
aHR0cHM6Ly9sZWFybi5taWNyb3NvZnQuY29tL2VuLXVzL3dpbmRvd3Mvd2luMzIvZXR3L250LWtlcm5lbC1sb2dnZXItY29uc3RhbnRzCgpXaHkgd2FzIHRoaXMgbm90IGxpbmtlZCBpbiB0aGUgQ0xBU1NJQ19FVkVOVF9JRCBtc2RuIHBhZ2U/ISBJbnN0ZWFkIHRoZXkgc3VnZ2VzdCBsb29raW5nIGF0IHJvb3Rcd21pLCB3aGljaCBJIHdvdWxkbid0IHJlY29tbWVuZC4gSSB3YXMgdXNpbmcgd2JlbXRlc3QgYW5kIGxvb2tlZCB0aHJvdWdoICVTeXN0ZW1Sb290JVxTeXN0ZW0zMlx3YmVtLCBtYXliZSB5b3UncmUgc3VwcG9zZWQgdG8gbG9vayBlbHNld2hlcmUuCgpFRElUOiBJIGRpZCBmaW5kIHRoaXMgaGFuZHkgbGluayB0byB0aGUgTU9GIGZpbGUgdGhhdCBzZWVtcyB0byBkZWZpbmUgdmlydHVhbGx5IChpZiBub3QpIGFsbCB0aGUgcmVsZXZhbnQgR1VJRCdzIGFuZCB0aGVpciBFdmVudCBUeXBlcy4gRXZlbiB0aG9zZSBub3QgaW5jbHVkZWQgb24gTVNETjoKaHR0cHM6Ly9naXN0LmdpdGh1Yi5jb20vamR1MjYwMC9hMmIwM2U0ZTljZjE5MjgyYTQxYWQ3NjYzODhjOTg1Ng==
Oh, I found an even better resource:
aHR0cHM6Ly9naXN0LmdpdGh1Yi5jb20vamR1MjYwMC9hMmIwM2U0ZTljZjE5MjgyYTQxYWQ3NjYzODhjOTg1Ng==
It looks like that TracePmcEventListInfo can only be used of kernel ETW session (with name "NT Kernel Logger"). So does this mean that for capturing PCM counters, we need to trigger a kernel ETW event?I guess we can not just register new kernel event, so we would need to "abuse" a current one - preferably one that does not burn too many CPU cycles - such as Kernel/FileCreate :-)