New Windows Event Log: Gateway to Native Windows Functionality in Vista, Page 2

Event Tracing Under the Hood

The new Event Logging in Vista is built on top of ETW. ETW was the most comprehensive and robust logging framework in the NT5.x kernel, and building on top of it allowed the Vista team to concentrate on adding new functionality rather than re-inventing an existing logging framework.

The Windows Event Log uses channels to deliver events to a log file. Vista ships with a number of pre-defined channels for Application, Security, Setup, and System Windows Event logs (these are visible in the left pane in Figure 1), and new applications that target Vista will each add a new channel. The bottom of the left pane in Figure 1 also shows custom channels created by the various components of the Vista operating system.

Channels come in two distinct types: serviced channels and direct channels. Having two different types satisfies the two distinct reasons you may log an event. For high-performance, high-volume logging to inspect events on a log console as they flow past, use the direct channel. Direct channel events are not processed by the Event Logging framework, and you cannot subscribe to an event from a direct channel. In contrast, serviced channels offer the reliable delivery of messages that you can subscribe to via an XPath query. Serviced channel events can be either:

• Admin Events. These are top-level issues that an administrator may need to act on, such as the inability to acquire an IP address, and they are accompanied by instructions on how to rectify the problem.
• Operational Events. These notify an administrator or user that an expected or usual event has happened. Successfully acquiring an IP address is an example of an operational event.

About the Author

Nick Wienholt is an independent Windows and .NET consultant based in Sydney, Australia. He is the author of Maximizing .NET Performance from Apress, and specializes in system-level software architecture and development with a particular focus on performance, security, interoperability, and debugging. Nick can be reached at NickW@dotnetperformance.com.