QueryAllTracesW function (evntrace.h)
The QueryAllTraces function retrieves the properties and statistics for all event tracing sessions for which the caller has permissions to query.
Syntax
```cpp
ULONG WMIAPI QueryAllTracesW(
  [out] PEVENT_TRACE_PROPERTIES *PropertyArray,
  [in]  ULONG                   PropertyArrayCount,
  [out] PULONG                  LoggerCount
);
```
Parameters
[out] PropertyArray
An array of pointers to EVENT_TRACE_PROPERTIES structures that receive session properties and statistics for the event tracing sessions.
You only need to set the Wnode.BufferSize, LoggerNameOffset, and LogFileNameOffset members of the EVENT_TRACE_PROPERTIES structure. The other members should all be set to zero.
[in] PropertyArrayCount
Number of structures in the PropertyArray array. This value must be less than or equal to 64, the maximum number of event tracing sessions that ETW supports.
Windows 10: PropertyArrayCount may be larger than 64 and some systems may support more than 64 tracing sessions.
[out] LoggerCount
Actual number of event tracing sessions started on the computer.
Return value
If the function succeeds, the return value is ERROR_SUCCESS.
If the function fails, the return value is one of the system error codes. The following are some common errors and their causes.
ERROR_INVALID_PARAMETER
One of the following is true:
- PropertyArrayCount is zero or greater than the maximum number of supported sessions
- PropertyArray is NULL
ERROR_MORE_DATA
The property array is too small to receive information for all sessions (SessionCount is greater than PropertyArrayCount). The function fills the property array with the number of property structures specified in PropertyArrayCount.
Remarks
Event trace controllers call this function.
This function retrieves the trace sessions that the caller has permissions to query. Users running with elevated administrative privileges, users in the Performance Log Users group, and services running as LocalSystem, LocalService, NetworkService can view all tracing sessions.
This function does not return private logging sessions.
To retrieve information for a single session, use the ControlTrace function and set the ControlCode parameter to EVENT_TRACE_CONTROL_QUERY.
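The single-session query described above, as an added example that is not part of the original documentation: it calls ControlTraceW with EVENT_TRACE_CONTROL_QUERY and bounds-checks the returned log file offset before reading the string. ReadWideAt, QuerySessionByName and the session name in main are assumptions made for illustration.

```cpp
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#include <evntrace.h>
#endif

// Hypothetical helper: copy the NUL-terminated wide string at `offset` in a
// properties buffer of `size` bytes; false if out of range or unterminated.
bool ReadWideAt(const unsigned char* buf, size_t size, size_t offset, std::wstring& out)
{
    out.clear();
    if (offset == 0 || offset >= size) return false;
    for (size_t pos = offset; pos + sizeof(wchar_t) <= size; pos += sizeof(wchar_t))
    {
        wchar_t ch;
        std::memcpy(&ch, buf + pos, sizeof(ch)); // copy instead of an unaligned read
        if (ch == L'\0') return true;
        out.push_back(ch);
    }
    out.clear();
    return false; // reached the end of the buffer without a terminator
}

#ifdef _WIN32
// Hypothetical wrapper: returns the Win32 status; fills the outputs on success.
ULONG QuerySessionByName(const wchar_t* name, std::wstring& logFile, ULONG& eventsLost)
{
    const ULONG kStrBytes = 1024 * sizeof(WCHAR); // room for each string
    std::vector<unsigned char> buf(sizeof(EVENT_TRACE_PROPERTIES) + 2 * kStrBytes); // zero-filled
    auto* props = reinterpret_cast<EVENT_TRACE_PROPERTIES*>(buf.data());
    props->Wnode.BufferSize = static_cast<ULONG>(buf.size());
    props->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
    props->LogFileNameOffset = sizeof(EVENT_TRACE_PROPERTIES) + kStrBytes;
    ULONG status = ControlTraceW(0, name, props, EVENT_TRACE_CONTROL_QUERY);
    if (status != ERROR_SUCCESS) return status;
    eventsLost = props->EventsLost;
    ReadWideAt(buf.data(), buf.size(), props->LogFileNameOffset, logFile);
    return ERROR_SUCCESS;
}

int main()
{
    std::wstring logFile; ULONG lost = 0;
    // Sample session name (assumption); use a name reported by QueryAllTraces.
    ULONG status = QuerySessionByName(L"EventLog-Application", logFile, lost);
    std::printf("status=%lu eventsLost=%lu logFile=%ls\n", status, lost, logFile.c_str());
    return status == ERROR_SUCCESS ? 0 : 1;
}
#endif
```

A session that does not write to a file returns an empty log file name, which ReadWideAt reports as success with an empty string.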
Examples
The following example shows how to call this function.
```cpp
#include <windows.h>
#include <objbase.h>   // StringFromGUID2 (link with Ole32.lib)
#include <evntrace.h>
#include <stdio.h>     // printf
#include <new>         // std::bad_alloc
#include <vector>

const unsigned MAX_SESSION_NAME_LEN = 1024;
const unsigned MAX_LOGFILE_PATH_LEN = 1024;
const unsigned PropertiesSize =
    sizeof(EVENT_TRACE_PROPERTIES) +
    (MAX_SESSION_NAME_LEN * sizeof(CHAR)) +
    (MAX_LOGFILE_PATH_LEN * sizeof(CHAR));

int main()
{
    ULONG status;
    std::vector<EVENT_TRACE_PROPERTIES*> sessions; // Array of pointers to property structures
    std::vector<BYTE> buffer;                      // Buffer that contains all the property structures
    ULONG sessionCount;                            // Actual number of sessions started on the computer

    // The size of the session name and log file name used by the
    // controllers are not known, therefore create a properties structure that allows
    // for the maximum size of both.

    try
    {
        sessionCount = 64; // Start with room for 64 sessions.
        do
        {
            sessions.resize(sessionCount);
            // Zero every structure on each attempt: a retry after ERROR_MORE_DATA
            // must not reuse data written by the previous call.
            buffer.assign(PropertiesSize * sessionCount, 0);

            for (size_t i = 0; i != sessions.size(); i += 1)
            {
                sessions[i] = (EVENT_TRACE_PROPERTIES*)&buffer[i * PropertiesSize];
                sessions[i]->Wnode.BufferSize = PropertiesSize;
                sessions[i]->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
                sessions[i]->LogFileNameOffset = sizeof(EVENT_TRACE_PROPERTIES) + (MAX_SESSION_NAME_LEN * sizeof(CHAR));
            }

            // On ERROR_MORE_DATA, sessionCount receives the actual session count
            // and the loop retries with a larger array.
            status = QueryAllTracesA(&sessions[0], sessionCount, &sessionCount);
        } while (status == ERROR_MORE_DATA);

        if (status != ERROR_SUCCESS)
        {
            printf("Error calling QueryAllTraces: %u\n", status);
        }
        else
        {
            printf("Actual session count: %u.\n\n", sessionCount);

            for (ULONG i = 0; i < sessionCount; i++)
            {
                WCHAR sessionGuid[50];
                (void)StringFromGUID2(sessions[i]->Wnode.Guid, sessionGuid, ARRAYSIZE(sessionGuid));

                printf(
                    "Session GUID: %ls\n"
                    "Session ID: %llu\n"
                    "Session name: %s\n"
                    "Log file: %s\n"
                    "min buffers: %u\n"
                    "max buffers: %u\n"
                    "buffers: %u\n"
                    "buffers written: %u\n"
                    "buffers lost: %u\n"
                    "events lost: %u\n"
                    "\n",
                    sessionGuid,
                    sessions[i]->Wnode.HistoricalContext,
                    (PCSTR)((LPCBYTE)sessions[i] + sessions[i]->LoggerNameOffset),
                    (PCSTR)((LPCBYTE)sessions[i] + sessions[i]->LogFileNameOffset),
                    sessions[i]->MinimumBuffers,
                    sessions[i]->MaximumBuffers,
                    sessions[i]->NumberOfBuffers,
                    sessions[i]->BuffersWritten,
                    sessions[i]->LogBuffersLost,
                    sessions[i]->EventsLost);
            }
        }
    }
    catch (std::bad_alloc const&)
    {
        printf("Error allocating memory for properties.\n");
        status = ERROR_OUTOFMEMORY;
    }

    return status;
}
```
Note
The evntrace.h header defines QueryAllTraces as an alias which automatically selects the ANSI or Unicode version of this function based on the definition of the UNICODE preprocessor constant. Mixing usage of the encoding-neutral alias with code that is not encoding-neutral can lead to mismatches that result in compilation or runtime errors. For more information, see Conventions for Function Prototypes.
Requirements
Requirement | Value |
---|---|
Minimum supported client | Windows 2000 Professional [desktop apps only] |
Minimum supported server | Windows 2000 Server [desktop apps only] |
Target Platform | Windows |
Header | evntrace.h |
Library | Sechost.lib on Windows 8.1 and Windows Server 2012 R2; Advapi32.lib on Windows 8, Windows Server 2012, Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Vista and Windows XP |
DLL | Sechost.dll on Windows 8.1 and Windows Server 2012 R2; Advapi32.dll on Windows 8, Windows Server 2012, Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Vista and Windows XP |