
I am trying to use software like "Message Analyzer" and "TraceView" to receive events from the "Microsoft-Windows-Security-Auditing" or "Microsoft-Windows-Eventlog" providers, but I had no luck receiving any events.

What I have done:

  • I tested this software on Windows 10 and 7
  • Software executed as administrator
  • Also as the SYSTEM account

Other observation and input:

  • I could get other events, for example kernel events or NDIS events, but not from the mentioned providers, which I specifically configured to receive.

  • I am interested in the approach which the mentioned software uses (making a real-time trace session) and not other solutions like querying the events ...

UPDATE 1

The provider GUIDs I used in the mentioned software:

Microsoft-Windows-Security-Auditing: {54849625-5478-4994-A5BA-3E3B0328C30D}
Microsoft-Windows-Eventlog: {fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}

UPDATE 2

I also did more investigation with EventLogChannelsView from NirSoft and some other tools, and realized there are some Channels and Providers/Publishers. Providers notify any Consumers who want to know about new events on the channels.

Interestingly, EventLogChannelsView didn't even list the names of some of the Providers, which probably means they are not active at all (like the one I mentioned). And there are also channels which don't have any Provider.

I was curious how Event Viewer becomes aware of new events, because it instantly shows the message 'New events available'. Well, I found out Event Viewer uses the EvtSubscribe API to receive events on channels instead of providers.

I don't know why software like 'Message Analyzer' and 'TraceView', which were both created by Microsoft, act very numb about the state of Providers.

  • @Biswapriyo, I used your tools, I still do not get any events for those providers.
    – Arash
    Commented Dec 15, 2018 at 18:54
  • @Biswapriyo, Yes I have, and I am sure the GUIDs are right because I got them from Event Viewer. I added them to my post.
    – Arash
    Commented Dec 16, 2018 at 4:23
  • You may remove the comments.
    – Biswapriyo
    Commented Dec 18, 2018 at 15:33

1 Answer


Warning: The following methods use some tools which require administrative permission. Please use these tools with some prior knowledge about event tracing in Windows and all associated options.

To capture real-time event logs, I use tools from the WDK and SDK. You may find these programs in the %ProgramFiles(x86)%\Windows Kits\10\bin\<SDK-Version>\<bitness> path. Here are two methods:

  • With Command Line Interface: Run all the commands as administrator. Place the GUID in the command as shown below.

    • Start a real-time session without saving ETL file: tracelog.exe -start MyTraceSession -rt -guid #{place-guid-here}
    • Display the Event Logs in real-time: tracefmt.exe -displayonly -rt MyTraceSession
    • Stop the session: tracelog.exe -stop MyTraceSession

Used options:

Usage: tracelog [actions] [options] | [-h | -help | -?]
-start         <LoggerName> Starts the <LoggerName> trace session.
-stop          <LoggerName> Stops the <LoggerName> trace session.
-guid #<guid>               Enable tracing for a provider by guid.
-rt                         Enable tracing in real time mode.

Usage: tracefmt [<EtlFile>|-rt [<SessionName>]] [-tmf [<TMFFiles>]|-p <TMFPath>|-pdb <PdbPath>] [Options]
-rt <SessionName> - Format messages from the named real-time trace session.
-displayonly      - Print formatted traces messages only to console (no output file).
  • With Graphical User Interface: Double click on the TraceView program to open. Follow these steps: File > Create New Log Session > Manually Entered Control GUID > OK > Auto > Next > Real Time Display > Finish.

[Screenshot: TraceView real-time session window]

Right click on the session name in TraceView window to stop or delete the session.

Further Reading:

To learn what these tools do and how they work with the Windows API, see my open-source project TraceEvent on GitHub.
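As an added example (not code from the question or the answer), the PowerShell below runs the tracelog session from the answer for the Security-Auditing GUID given in the question and asks logman whether that provider was actually enabled in the session, then subscribes to the Security channel the way Update 2 describes (the .NET EventLogWatcher wraps EvtSubscribe). It assumes an elevated PowerShell with tracelog.exe on PATH; the session name, the 4624/4625 logon filter and the SecWatch identifier are my own choices.

```powershell
# Added example: ETW provider session (answer's method) vs. channel subscription (Update 2).
# Assumes: running elevated, tracelog.exe from the WDK on PATH.
$SecurityAuditingGuid = '{54849625-5478-4994-A5BA-3E3B0328C30D}'   # GUID from the question
$SessionName          = 'MyTraceSession'                            # name from the answer

# 1) Provider route: start the real-time session, then verify what the session really contains.
#    logman lists every provider enabled in a running session; if the GUID is absent,
#    the enable did not take effect, which matches "no events" in the consumer.
& tracelog.exe -start $SessionName -rt -guid "#$SecurityAuditingGuid" | Out-Null
$sessionInfo = & logman.exe query $SessionName -ets
if ($sessionInfo -match [regex]::Escape($SecurityAuditingGuid)) {
    Write-Host "Provider is enabled in session $SessionName"
} else {
    Write-Host "Provider is NOT listed in session $SessionName (check tracelog's exit status/output)"
}
& tracelog.exe -stop $SessionName | Out-Null

# 2) Channel route: subscribe to the Security log itself. EventLogWatcher uses EvtSubscribe,
#    the same API Event Viewer uses, so records arrive as they are written to the channel.
#    The XPath filter keeps only logon success (4624) and failure (4625) records.
$query = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery(
    'Security',
    [System.Diagnostics.Eventing.Reader.PathType]::LogName,
    '*[System[(EventID=4624 or EventID=4625)]]')
$watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher($query)

Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten `
    -SourceIdentifier SecWatch -Action {
        $rec = $Event.SourceEventArgs.EventRecord
        if ($rec) {
            # First line of the rendered message is enough to see what arrived and when.
            $firstLine = ($rec.FormatDescription() -split "`n")[0]
            Write-Host ("{0}  EventID={1}  {2}" -f $rec.TimeCreated, $rec.Id, $firstLine)
        }
    } | Out-Null

$watcher.Enabled = $true
Write-Host "Subscribed to the Security channel; press Ctrl+C to stop."
try {
    while ($true) { Start-Sleep -Seconds 1 }
} finally {
    # Tear down the subscription cleanly so no handle or registration is left behind.
    $watcher.Enabled = $false
    Unregister-Event -SourceIdentifier SecWatch -ErrorAction SilentlyContinue
    $watcher.Dispose()
}
```

A logon or a failed logon attempt on the machine (for example locking and unlocking the session) produces a record in the subscription within about a second, which gives a quick way to confirm the channel route delivers in real time.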
