{
	"id": "cb5d5630-b9f8-4d75-8ba9-e25cce8ea08b",
	"created_at": "2026-04-06T01:31:40.127741Z",
	"updated_at": "2026-04-10T13:11:48.927763Z",
	"deleted_at": null,
	"sha1_hash": "9c786c234636dc1ce64ef75aecbc2f2532743cfd",
	"title": "Consuming Events (Event Tracing) - Win32 apps",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47150,
	"plain_text": "Consuming Events (Event Tracing) - Win32 apps\r\nBy Karl-Bridge-Microsoft\r\nArchived: 2026-04-06 00:19:46 UTC\r\nEvent trace consumers can process events from one or more providers. Consumers can process events from a log\r\nfile or in real time. You can consume events in real time only if the controller specifies the real time logging mode\r\nfor the session. For performance reasons, real-time processing is not recommended prior to Windows Vista.\r\nTo specify the trace session from which you want to process events, you use the EVENT_TRACE_LOGFILE\r\nstructure. You must initialize a copy of this structure for each log file or real time session that you want to process.\r\nTo consume events from a log file, set the LogFileName member to the name of the log file. To consume events\r\nfrom real time session, set the LoggerName member to the session name. You also use this structure to specify\r\nthe BufferCallback callback and the EventCallback or EventRecordCallback callback used to process the events.\r\nEventRecordCallback—Receives and processes all events (including the header event) from one or more\r\nlog files and a real-time session. You implement this callback if you use the trace data helper functions to\r\nparse the event data or you want to retrieve metadata about the event.\r\nEventCallback—Receives and processes all events (including the header event) from one or more log files\r\nand a real-time session.\r\nBufferCallback—Receives and processes summary information about the current buffer, such as events\r\nlost. ETW calls the callback after delivering all events in the buffer to the consumer. 
The consumer can\r\nalso use this callback to cancel event processing; however, if you are consuming events in real time, ETW\r\ndelivers events until the controller stops the session.\r\nAfter defining one or more trace sessions, call the OpenTrace function for each trace session that you want to\r\nprocess; you can process events from one or more log files, but from only one real-time session. You then pass the\r\nlist of trace session handles that OpenTrace returns to the ProcessTrace function. The ProcessTrace function\r\ncombines the events, sorts them into chronological order, and then delivers them to the callbacks one at a time.\r\nThe events can be filtered to include only those that fall into a specific time frame using the StartTime and\r\nEndTime parameters. The ProcessTrace function blocks the thread until your consumer processes all events in the\r\ntrace sessions, the BufferCallback returns FALSE, or you call CloseTrace.\r\nPrior to Windows Vista: You can call CloseTrace only after ProcessTrace returns.\r\nFor an example that shows how to consume events published using a manifest, MOF, or TMF files, see Retrieving\r\nEvent Data Using TDH. Note that beginning with Windows Vista, you should use the trace data helper (TDH)\r\nfunctions to consume events.\r\nFor an example that shows how to consume events published using MOF, see Retrieving Event Data Using MOF.\n\nSource: https://docs.microsoft.com/en-us/windows/desktop/etw/consuming-events",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://docs.microsoft.com/en-us/windows/desktop/etw/consuming-events"
	],
	"report_names": [
		"consuming-events"
	],
	"threat_actors": [],
	"ts_created_at": 1775439100,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c786c234636dc1ce64ef75aecbc2f2532743cfd.pdf",
		"text": "https://archive.orkl.eu/9c786c234636dc1ce64ef75aecbc2f2532743cfd.txt",
		"img": "https://archive.orkl.eu/9c786c234636dc1ce64ef75aecbc2f2532743cfd.jpg"
	}
}