An answer to this question has led me to look into using "Event Tracing for Windows" for our tracing needs. I have come across NTrace, which seems to be a good way to produce ETW events from C# code (using the XP-compatible "classic provider" model).
However, I am unable to find an easy way to consume these events - to see them in real-time and/or log them to a file. The only way I have found is that described in the NTrace documentation: using a tool which is only available as part of the Windows DDK.
In the case of a complex problem in the field, we may need to ask the user to produce a file containing a trace. We can't ask users to download the DDK or carry out a number of complex operations in order to do this.
Is there a straightforward, user-friendly way to log ETW events to a file?
Also, is it possible for someone to consume ETW events on Windows Vista/7 if they are not running as administrator?
TraceView is the easiest out-of-the-box solution, but it is possible to write your own ETW viewer that is specific to your provider. This would give you full control over the presentation and make it much easier on the end user as TraceView is really more of a debugging tool than something you can ask end users to run.
As far as real-time tracing goes, according to the documentation:
Only users with administrative privileges, users in the Performance Log Users group, and services running as LocalSystem, LocalService, NetworkService can consume events in real time. To grant a restricted user the ability to consume events in real time, add them to the Performance Log Users group.
Windows XP and Windows 2000: Anyone can consume real time events.
If you're interested in writing your own ETW viewer (real-time or log file), here is the relevant documentation.