If you don't know what ETW is or how it works, I can thoroughly recommend Doug E. Cook's ETW Overview.
This is what happens when you ask etwprof to take a sample (super roughly):
- A real-time ETW kernel session is created. It's configured to produce sampled profile data (amongst other things like module loads/unloads, thread creation/destruction, etc.).
- A
TraceReloggerinstance is created. The kernel ETW session is "redirected" into this relogger instance. The relogger instance is instructed to write its output to a file (.etl). - Since the kernel ETW session will produce events globally (for every thread/process on the system), filtering is required. This is the core of etwprof's functionality. Filtering is done by examining each event (properties such as provider ID, thread ID, etc.) that passes through the relogger, and retaining/discarding it based on whether it's relevant or not (this logic is contained in ProfilerCommon.cpp, if you'd like to have a look).
- After the session ends (
CTRL+Cis pressed, or the target processes exit), so-called trace merging is performed on the result.etlfile. The kernel providers do not emit metadata that enables tools to symbolize call stacks contained in the trace (e.g. RSDS GUIDs and ages to match PDBs with binaries). This information is added after profiling ends, with the help of a redistributable DLL from the Windows SDK,kerneltracecontrol.dll.
