
Uninstall event source (ETW) without manifest file?


What is the best way to uninstall / delete previously installed event sources without using a manifest?

For example, if I have something like:


    [EventSource(Name = "Corporation-Module-X")]
    public sealed class XEventSource : EventSource
    {
        //...
    }

To install the event source I am using wevtutil {im | install-manifest}.

Uninstalling is easy if I have the manifest. But could I uninstall the event source without having the manifest file?


I will try to clarify how I am using event sources and why I would like to remove it.

After installing the event source using wevtutil, the event source is visible as an event trace provider. So I can create a new Data Collector Set in Performance Monitor where I am adding my event source (together with some performance counters). It looks like this:

ETW EventSource in new collector set

What could happen is that the event source gets renamed or deleted, e.g. after a rename and install using wevtutil:


    [EventSource(Name = "Corporation-Module-Y")]
    public sealed class XEventSource : EventSource
    {
        //...
    }

The old one is still there in the event trace providers:

ETW New event source

What I would like is to query all installed event providers that start with Corporation* and to delete them before installing a new one.

Thanks!


Solution

  • There is no need to uninstall anything, because a manifest is not registered if you use EventSource. The manifest is sent in the ManifestData event to the listener tool (PerfView, Windows Performance Toolkit) so that they can interpret the recorded data.

    When you registered the provider, you can dump the manifest and use wevtutil again to remove it.
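
The last step of the answer (dump the manifest, then remove it with wevtutil) can be scripted as below; this is an added example, not code from the question or the answer. It assumes an elevated Windows process and that a stub class carrying the old name reproduces the old provider GUID, since EventSource derives the GUID from the name. `StaleProviderCleanup`, the temp file name and the `Corporation` prefix filter are hypothetical choices for illustration.

```csharp
// Added example: list "Corporation*" publishers, then unregister the old one.
using System;
using System.Diagnostics;
using System.Diagnostics.Tracing;
using System.IO;
using System.Linq;

// Stub with the OLD provider name. Assumption: the GUID is derived from the
// name, so this manifest identifies the stale registration.
[EventSource(Name = "Corporation-Module-X")]
public sealed class XEventSource : EventSource
{
    [Event(1)] public void Ping() { WriteEvent(1); }
}

public static class StaleProviderCleanup // hypothetical helper name
{
    // Runs wevtutil from System32 (not via PATH); throws on a non-zero exit code.
    static string Wevtutil(string args)
    {
        string exe = Path.Combine(Environment.SystemDirectory, "wevtutil.exe");
        var psi = new ProcessStartInfo(exe, args)
            { RedirectStandardOutput = true, UseShellExecute = false };
        using (var p = Process.Start(psi))
        {
            string output = p.StandardOutput.ReadToEnd();
            p.WaitForExit();
            if (p.ExitCode != 0)
                throw new InvalidOperationException("wevtutil " + args + " exited with " + p.ExitCode);
            return output;
        }
    }

    public static void Main()
    {
        // 1. Query registered publishers whose name starts with the prefix.
        foreach (var name in Wevtutil("ep")
                 .Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries)
                 .Where(n => n.StartsWith("Corporation", StringComparison.OrdinalIgnoreCase)))
            Console.WriteLine("registered: " + name);

        // 2. Dump the manifest for the old name and pass it to "wevtutil um".
        string man = Path.Combine(Path.GetTempPath(), "Corporation-Module-X.man");
        string xml = EventSource.GenerateManifest(typeof(XEventSource), typeof(XEventSource).Assembly.Location);
        if (xml == null) throw new InvalidOperationException("manifest generation failed");
        File.WriteAllText(man, xml);
        Wevtutil("um \"" + man + "\"");
    }
}
```

Running step 1 again afterwards shows whether the old name is still listed.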