I'm trying to create a real-time consumer for the TraceLogging provider which is declared in a driver:

```cpp
TRACELOGGING_DECLARE_PROVIDER(g_etwProvider);
TRACELOGGING_DEFINE_PROVIDER(g_etwProvider, "TraceLoggingProvider",
(/*my guid*/));
```

User-mode provider:

```cpp
EVENT_TRACE_LOGFILEA etwTraceSettings{};
char loggerName[]{"TraceLoggingProvider"};
etwTraceSettings.LoggerName = loggerName;
etwTraceSettings.ProcessTraceMode = PROCESS_TRACE_MODE_REAL_TIME | PROCESS_TRACE_MODE_EVENT_RECORD;
etwTraceSettings.EventRecordCallback = MyCallback;
TRACEHANDLE traceHandle = OpenTraceA(&etwTraceSettings);
ProcessTrace(&traceHandle, 1, nullptr, nullptr);
```

`ProcessTrace` returns `ERROR_WMI_INSTANCE_NOT_FOUND`. What am I doing wrong?
I tried to call `ProcessTrace` before and after `TraceLoggingRegister` in the driver. The result is the same.
And, for example, logman can create a session before provider registration. I want to do the same. What must I do?
You must create an ETW session before `OpenTrace`, using the `StartTrace` and `EnableTrace` functions.
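
The sequence from the answer above, as an added example that is not part of the original thread: create the session, enable the provider on it, then open and process the trace by session name. `kSessionName`, the zeroed `kProviderGuid` and the `ExplainEtwStatus` helper are placeholders introduced here; the API calls are Windows-only and sit behind `_WIN32`.

```cpp
#include <cstdio>
#include <cstring>
// Meaning of the statuses this sequence usually fails with (values from winerror.h).
const char* ExplainEtwStatus(unsigned long rc) {
    switch (rc) {
    case 0:    return "success";
    case 5:    return "ERROR_ACCESS_DENIED: session control needs elevation";
    case 183:  return "ERROR_ALREADY_EXISTS: a session with this name is running";
    case 4201: return "ERROR_WMI_INSTANCE_NOT_FOUND: no real-time session has this LoggerName";
    default:   return "unexpected status";
    }
}

#ifdef _WIN32
#include <windows.h>
#include <evntrace.h>
#include <evntcons.h>
#include <vector>
static const GUID kProviderGuid = {};            // placeholder: the driver's provider GUID
static wchar_t kSessionName[] = L"DemoSession";  // hypothetical session name
static void WINAPI MyCallback(PEVENT_RECORD rec) { std::printf("event from pid %lu\n", rec->EventHeader.ProcessId); }

int main() {
    // The session name is stored in the same buffer, right after the structure.
    std::vector<BYTE> buf(sizeof(EVENT_TRACE_PROPERTIES) + sizeof(kSessionName));
    auto* props = reinterpret_cast<EVENT_TRACE_PROPERTIES*>(buf.data());
    props->Wnode.BufferSize = static_cast<ULONG>(buf.size());
    props->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
    props->LogFileMode = EVENT_TRACE_REAL_TIME_MODE;
    props->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
    TRACEHANDLE session = 0;
    ULONG rc = StartTraceW(&session, kSessionName, props);            // 1. create the session
    if (rc != ERROR_SUCCESS) { std::puts(ExplainEtwStatus(rc)); return 1; }
    rc = EnableTraceEx2(session, &kProviderGuid, EVENT_CONTROL_CODE_ENABLE_PROVIDER,
                        TRACE_LEVEL_VERBOSE, 0, 0, 0, nullptr);       // 2. enable the provider
    if (rc == ERROR_SUCCESS) {
        EVENT_TRACE_LOGFILEW log{};
        log.LoggerName = kSessionName;   // the session's name, not the provider's
        log.ProcessTraceMode = PROCESS_TRACE_MODE_REAL_TIME | PROCESS_TRACE_MODE_EVENT_RECORD;
        log.EventRecordCallback = MyCallback;
        TRACEHANDLE consumer = OpenTraceW(&log);                      // 3. attach the consumer
        if (consumer == INVALID_PROCESSTRACE_HANDLE) rc = GetLastError();
        else { rc = ProcessTrace(&consumer, 1, nullptr, nullptr); CloseTrace(consumer); }  // blocks
    }
    ControlTraceW(session, nullptr, props, EVENT_TRACE_CONTROL_STOP); // tear the session down
    std::puts(ExplainEtwStatus(rc));
    return rc == ERROR_SUCCESS ? 0 : 1;
}
#endif
```

`EnableTraceEx2` can be called before the driver calls `TraceLoggingRegister`; ETW applies the enablement when the provider registers.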