From: nickdu on
Not sure if this is the best newsgroup for this question.

Someone gave me an ETL file that they generated on some server. I have a
program which enumerates all the traces in an ETL file (via
OpenTrace()/ProcessTrace()/CloseTrace()). When I ran this program on my XP
laptop against the ETL file my EventTrace callback was only called once. No
errors were reported. When I run my ETL trace enumerator program (same
binary) on Windows 2003 using the same ETL file the callback gets called
thousands of times (as there are thousands of events in the ETL file). Why
might I be experiencing this difference?

--
Thanks,
Nick

nicknospamdu(a)community.nospam
remove "nospam" change community. to msn.com

From: "Jialiang Ge [MSFT]" on
Hello Nick

I tried to reproduce the issue on my Windows XP and 2003 machines, but
with no luck. The following is what I have done:

1. I queried the symptom in our support database that only one EventTrace
callback in Windows XP but many in Windows 2003, and found a possibly
relevant case. In that case, the customer wrote an ETW provider/controller.
When testing the app on Windows XP, TraceEvent() fails with
ERROR_MORE_DATA; but it succeeds in Windows 2003. Based on our research, we
found that the issue is with the buffer size of the tracing session from
the controller. The default size on Windows XP SP2 is 8K, and the buffer
the customer set is 8K but the string he was logging is about 10K
characters which is why TraceEvent fails. In Windows 2003, the default
buffer size is larger, thus, the problem does not occur. Nick, in your
case, we are opening an existing ETL, and processing the trace. Could it be
also related to the buffer size?

2. I tried to reproduce the problem on my side with this code (test.etl is
attached). But it works as expected on my Windows XP and 2003 boxes.

#include <iostream>
#include <windows.h>
#include <Wmistr.h>
#include <evntrace.h>

#pragma comment(lib, "advapi32.lib")

// Build with UNICODE defined so that LogFileName is a wide string.
#define LOGFILE_PATH L"test.etl"

using namespace std;

// Called once per buffer read from the log; return TRUE to keep processing.
ULONG WINAPI ProcessBuffers(PEVENT_TRACE_LOGFILE pBuffer)
{
    cout << "Process buffer..." << endl;
    return TRUE;
}

// Called once per event in the log.
void WINAPI ProcessEvents(PEVENT_TRACE pEvent)
{
    cout << "Processing event..." << endl;
}

int main() {
    EVENT_TRACE_LOGFILE trace;
    ULONG rc = ERROR_SUCCESS;
    TRACEHANDLE handles[1];

    ZeroMemory(&trace, sizeof(EVENT_TRACE_LOGFILE));
    trace.LogFileName = (LPWSTR) LOGFILE_PATH;
    trace.BufferCallback = ProcessBuffers;
    trace.EventCallback = ProcessEvents;

    handles[0] = OpenTrace(&trace);
    if ((TRACEHANDLE)INVALID_HANDLE_VALUE == handles[0]) {
        cout << "Error in OpenTrace" << endl;
    } else {
        cout << "Succeed in open trace" << endl;
        // Blocks until every buffer in the file has been delivered.
        rc = ProcessTrace(handles, 1, 0, 0);
        if (rc != ERROR_SUCCESS && rc != ERROR_CANCELLED) {
            cout << "Error in ProcessTrace" << endl;
        } else if (rc == ERROR_SUCCESS) {
            cout << "Succeed in process trace" << endl;
        }
        rc = CloseTrace(handles[0]);
    }
    return 0;
}

Nick, do you mind sending your etl and a test project to my mailbox
jialge(a)microsoft.com? Being able to reproduce the problem is very helpful
for me to perform further research into the problem.

Thanks,
Jialiang Ge (jialge(a)online.microsoft.com, remove 'online.')
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
msdnmg(a)microsoft.com.

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

MSDN Managed Newsgroup support offering is for non-urgent issues where an
initial response from the community or a Microsoft Support Engineer within
2 business day is acceptable. Please note that each follow up response may
take approximately 2 business days as the support professional working with
you may need further investigation to reach the most efficient resolution.
The offering is not appropriate for situations that require urgent,
real-time or phone-based interactions. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

From: "Jialiang Ge [MSFT]" on
Hello Nick

Thank you for the ETL file that can reproduce the problem.

I got this information from the product group:

The ETL file format has changed between Windows XP and Windows Server 2003.
Consequently, Windows XP is not able to decode traces collected on
Windows Server 2003. It works the other way around (Windows XP traces are
decodable on Windows Server 2003). Unfortunately, there is no publicly
available utility that can convert the new format to an ETL file that can
be recognized by Windows XP, thus, your ETL file generated on another server
cannot be analyzed on Windows XP.

Does the above information answer your question? If you have any other
questions or concerns, please feel free to tell me.

Have a nice day!
Regards,
Jialiang Ge (jialge(a)online.microsoft.com, remove 'online.')
Microsoft Online Community Support

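
Added example, not part of the thread and not Microsoft's code: after OpenTrace() the LogfileHeader field carries the OS version of the machine that wrote the trace, so a consumer can flag a version mismatch instead of silently receiving a single callback. OsVersion and CanDecode() are hypothetical helpers; the "same or older OS only" rule is an assumption generalized from the XP (5.1) / Server 2003 (5.2) case above, as is the expectation that the older OS still populates the header for a newer-format file.

```cpp
// Added example (not from the thread): report which OS wrote an ETL file.
#include <cstdio>

// OS version as major.minor: Windows XP is 5.1, Windows Server 2003 is 5.2.
struct OsVersion { unsigned long majorVer, minorVer; };

// Assumption generalized from the thread: a consumer decodes traces written
// by the same or an older OS, never by a newer one.
bool CanDecode(OsVersion consumer, OsVersion producer) {
    if (producer.majorVer != consumer.majorVer) return producer.majorVer < consumer.majorVer;
    return producer.minorVer <= consumer.minorVer;
}

#ifdef _WIN32
#include <windows.h>
#include <wmistr.h>
#include <evntrace.h>
#pragma comment(lib, "advapi32.lib")

static unsigned long g_events = 0;
static void WINAPI CountEvent(PEVENT_TRACE) { ++g_events; }

int main() {
    EVENT_TRACE_LOGFILEW trace;
    ZeroMemory(&trace, sizeof(trace));
    trace.LogFileName = const_cast<LPWSTR>(L"test.etl");  // path used in the thread
    trace.EventCallback = CountEvent;
    TRACEHANDLE h = OpenTraceW(&trace);
    if (h == (TRACEHANDLE)INVALID_HANDLE_VALUE) {
        printf("OpenTrace failed: %lu\n", GetLastError());
        return 1;
    }
    // OpenTrace fills LogfileHeader with details of the producing session.
    const TRACE_LOGFILE_HEADER& hdr = trace.LogfileHeader;
    OsVersion producer = { hdr.VersionDetail.MajorVersion, hdr.VersionDetail.MinorVersion };
    OSVERSIONINFOW vi = { sizeof(vi) };
#pragma warning(suppress : 4996)  // GetVersionExW is deprecated in newer SDKs
    GetVersionExW(&vi);
    OsVersion consumer = { vi.dwMajorVersion, vi.dwMinorVersion };
    printf("written on %lu.%lu (build %lu), %lu buffers, %lu events lost\n", producer.majorVer,
           producer.minorVer, hdr.ProviderVersion, hdr.BuffersWritten, hdr.EventsLost);
    if (!CanDecode(consumer, producer))
        printf("warning: trace is newer than this OS (%lu.%lu)\n", consumer.majorVer, consumer.minorVer);
    ULONG rc = ProcessTrace(&h, 1, 0, 0);
    printf("ProcessTrace=%lu, events delivered=%lu\n", rc, g_events);
    CloseTrace(h);
    return CanDecode(consumer, producer) ? 0 : 2;
}
#endif
```

On Windows 8.1 and later GetVersionExW reports the version the application is manifested for, so the consumer version can read lower than the real one there.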