Halloween Spooktacular Day 6: PMCs Only Work for A Subset of Event Types
As explained in the previous hint, ETW will only collect PMCs for the event types that you explicitly request. However, not all event types support PMC collection.
In fact, only a few very specific event types support PMC collection. But which ones?
Unfortunately, as far as I’m aware, Microsoft does not document which event types support PMC collection. They do suggest that only kernel events support them, but they don’t say which kernel events. To figure out which ones supported PMCs, I had to write test code that would try all the different event types to see which ones worked.
No, I’m not kidding. I resorted to wardialing the API like it was 1983.
Which brings me to today’s hint: in order to collect any PMCs, you will have to use trial and error to find at least one event GUID and opcode pair you can pass to TraceSetInformation (with the TracePmcEventListInfo information class) that will successfully cause PMCs to be collected for the ETW events you receive.
Fortunately, Microsoft does list all the kernel event GUIDs and opcodes in MSDN. For example, if you open the page for Thread_V2, the documentation will show both the GUID and the table of opcodes under that GUID. The table helpfully includes a brief description of what each opcode means.
Furthermore, if you look at the contents pane on the left of MSDN, you can see that Thread_V2 is just one entry in a list of all the kernel event types. You can click on the others, like Process_V2 or Registry_V1, to see their GUIDs and opcodes.
And while we’re on the subject of event types, here’s a bonus hint: don’t forget that ETW won’t send you a kernel event type at all, with or without PMCs, unless you set its corresponding flag in the EnableFlags member of the EVENT_TRACE_PROPERTIES_V2 data you pass to StartTraceW!
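Here is the wardialer as an added example (my code, not the post’s own test program). It starts an NT Kernel Logger session with EVENT_TRACE_PROPERTIES_V2 and the EnableFlags for the three classes named above, then pushes every opcode of each class GUID, one CLASSIC_EVENT_ID at a time, through TraceSetInformation with the TracePmcEventListInfo class and reports the pairs the session accepted. It sweeps all 256 opcodes rather than only the documented ones, since an unsupported pair just returns an error. The identifiers TracePmcCounterListInfo, TracePmcEventListInfo and CLASSIC_EVENT_ID, and the three GUIDs, come from the Windows SDK headers and the MSDN kernel-event pages, not from the post; setting the counter list before the event list, and taking the PMC profile source ID from the command line, are my assumptions. The sweep loop is portable and takes the probe as a callback, so it can be exercised with the constructed mock_probe on any platform; the real ETW probe and main are compiled only on Windows. A successful return is only the first check: confirm on the consumer side that the delivered events actually carry the PMC extended data item before trusting a pair.

```c
/* pmc_wardial.c (added example). Sweeps kernel event GUID/opcode pairs through
 * TraceSetInformation(TracePmcEventListInfo) to find the ones a kernel logger
 * session will attach PMCs to. The sweep is portable and takes the probe as a
 * callback; the real ETW probe is compiled only on Windows. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#ifdef _WIN32
#define INITGUID              /* materialise SystemTraceControlGuid in this file */
#include <windows.h>
#include <evntrace.h>
#pragma comment(lib, "advapi32.lib")
typedef GUID EventGuid;
#else
typedef struct { uint32_t Data1; uint16_t Data2, Data3; uint8_t Data4[8]; } EventGuid;
#endif

typedef struct { const char *name; EventGuid guid; } Candidate;
typedef struct { int guid_index; unsigned char opcode; } Hit;
/* Returns 0 if the session accepted PMC collection for (guid, opcode). */
typedef int (*ProbeFn)(void *ctx, const EventGuid *guid, unsigned char opcode);

/* Kernel event classes from the MSDN pages named in the post. */
const Candidate kCandidates[] = {
    { "Thread_V2",   { 0x3d6fa8d1, 0xfe05, 0x11d0, { 0x9d,0xda,0x00,0xc0,0x4f,0xd7,0xba,0x7c } } },
    { "Process_V2",  { 0x3d6fa8d0, 0xfe05, 0x11d0, { 0x9d,0xda,0x00,0xc0,0x4f,0xd7,0xba,0x7c } } },
    { "Registry_V1", { 0xae53722e, 0xc863, 0x11d2, { 0x86,0x59,0x00,0xc0,0x4f,0xa3,0x21,0xa1 } } },
};
const size_t kNumCandidates = sizeof kCandidates / sizeof kCandidates[0];

/* Tries every opcode (0..255) of every candidate GUID, one pair per probe call
 * so a rejection is attributable. Records accepted pairs in hits and returns
 * how many were accepted (possibly more than max_hits). */
size_t sweep(ProbeFn probe, void *ctx, const Candidate *cands, size_t ncands,
             Hit *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t g = 0; g < ncands; g++) {
        for (int op = 0; op <= 255; op++) {
            if (probe(ctx, &cands[g].guid, (unsigned char)op) != 0) continue;
            if (n < max_hits) { hits[n].guid_index = (int)g; hits[n].opcode = (unsigned char)op; }
            n++;
        }
    }
    return n;
}

/* Constructed offline stand-in for the kernel (not real ETW behaviour): it
 * pretends only Thread opcodes 36 and 50 take PMCs, so the sweep can be run
 * without a kernel logger session. */
int mock_probe(void *ctx, const EventGuid *guid, unsigned char opcode)
{
    (void)ctx;
    int is_thread = memcmp(guid, &kCandidates[0].guid, sizeof *guid) == 0;
    return (is_thread && (opcode == 36 || opcode == 50)) ? 0 : -1;
}

#ifdef _WIN32
/* Real probe: each call replaces the session's PMC event list with this one pair. */
static int etw_probe(void *ctx, const EventGuid *guid, unsigned char opcode)
{
    CLASSIC_EVENT_ID id = {0};
    id.EventGuid = *guid;
    id.Type = opcode;
    ULONG rc = TraceSetInformation(*(TRACEHANDLE *)ctx, TracePmcEventListInfo, &id, sizeof id);
    return rc == ERROR_SUCCESS ? 0 : (int)rc;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s <pmc-profile-source-id>\n", argv[0]); return 2; }
    ULONG source = strtoul(argv[1], NULL, 0);   /* assumption: an ID from TraceProfileSourceListInfo */

    /* V2 properties for the NT Kernel Logger. EnableFlags must cover every
     * class probed, or its events are never delivered, PMCs or not. */
    ULONG size = sizeof(EVENT_TRACE_PROPERTIES_V2) + 1024;
    EVENT_TRACE_PROPERTIES_V2 *p = calloc(1, size);
    p->Wnode.BufferSize = size;
    p->Wnode.Flags = WNODE_FLAG_TRACED_GUID | WNODE_FLAG_VERSIONED_PROPERTIES;
    p->Wnode.ClientContext = 1;                  /* QPC timestamps */
    p->Wnode.Guid = SystemTraceControlGuid;
    p->V2Control = 2;                            /* VersionNumber = 2 */
    p->LogFileMode = EVENT_TRACE_REAL_TIME_MODE;
    p->EnableFlags = EVENT_TRACE_FLAG_THREAD | EVENT_TRACE_FLAG_PROCESS | EVENT_TRACE_FLAG_REGISTRY;
    p->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES_V2);

    TRACEHANDLE session = 0;
    ULONG rc = StartTraceW(&session, KERNEL_LOGGER_NAMEW, (EVENT_TRACE_PROPERTIES *)p);
    if (rc != ERROR_SUCCESS) { fprintf(stderr, "StartTraceW failed: %lu (needs admin; 183 = logger already running)\n", rc); return 1; }

    /* Assumption: the counter list must be in place before the event list. */
    rc = TraceSetInformation(session, TracePmcCounterListInfo, &source, sizeof source);
    if (rc != ERROR_SUCCESS) fprintf(stderr, "TracePmcCounterListInfo failed: %lu\n", rc);

    Hit hits[64];
    size_t n = sweep(etw_probe, &session, kCandidates, kNumCandidates, hits, 64);
    for (size_t i = 0; i < n && i < 64; i++)
        printf("accepted: %s opcode %d\n", kCandidates[hits[i].guid_index].name, (int)hits[i].opcode);

    ControlTraceW(session, KERNEL_LOGGER_NAMEW, (EVENT_TRACE_PROPERTIES *)p, EVENT_TRACE_CONTROL_STOP);
    free(p);
    return n ? 0 : 1;
}
#endif
```

Run it elevated with a PMC profile source ID as the only argument; once you have the accepted pairs, set them all in a single TracePmcEventListInfo call in your real collector, because each call replaces the whole list rather than appending to it.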
That concludes today’s hints. Until tomorrow, good luck making progress on the Spooktacular Challenge!
I will post additional hints here every day until Halloween. If you’d like the rest of the Spooktacular Challenge to be delivered automatically to your inbox, you can select a subscription option here: