TraceLog Main Topic

Overview of Event Tracing

An event represents any activity of interest, especially with respect to performance. It is typically an activity related to the usage of a resource such as the processor or disk. Examples of operating system events are disk I/O and page fault events. Examples of application events are the start and end of a certain transaction (in the case of the directory service it could be the start and end of a search operation).

A trace is a continuous snapshot of the system performance. Along with each snapshot, information related to that event is recorded at the same time. Event tracing is therefore an ordered set of events, generally recorded to a buffer.

Event tracing works on the WMI model. There exists a provider, a controller and a consumer, which act independently of each other.


Note

For WMI model details, see the Microsoft Platform SDK.

A provider could be the operating system or the directory service, which registers its events (those that can be traced). Each event is associated with a specific, unique GUID. A list of all the events and their GUIDs can be obtained by running WBEMTest from the Run window (for details refer to SDK documentation on 'using WBEMTest'). After registering, the provider carries on with its usual activity.

When tracing has to be started, the controller takes over. It creates a buffer, where the event traces are to be recorded. Tracing is then enabled for those events that the controller would like to monitor (this is usually done by supplying the GUID of that event). The controller can be made more complex by giving it the ability to control various parameters with respect to the buffer, the log file, the type of tracing, and so on.

The consumer takes the traces that are logged and converts them to a human-readable form for further analysis. The consumer could also be something more sophisticated, such as an application that triggers some kind of event based on a value in the event trace log.

Event tracing has a number of uses. It supplements counters, in that it allows one to derive various metrics not possible using simple raw counters. A specific example is the response time metric. Event tracing allows more detailed analysis of system events and therefore can be useful for capacity planning. Event tracing can also be used (potentially by developers) for initial problem identification and the detection of system bottlenecks.
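The response-time metric mentioned above can be illustrated with a small consumer. This is an added example, not code from the original documentation: it pairs start and end events from an ordered trace and reports the operations it cannot pair. The event names (SearchStart, SearchEnd), the tuple layout and the sample records are assumptions constructed for the illustration, not a real trace log format.

```python
# Constructed sample trace: (timestamp_ms, provider, event_type, operation_id).
# All names and values are illustrative assumptions.
SAMPLE_TRACE = [
    (1000, "DirectoryService", "SearchStart", 1),
    (1004, "DirectoryService", "SearchStart", 2),
    (1010, "OperatingSystem", "DiskIO", None),
    (1019, "DirectoryService", "SearchEnd", 1),
    (1021, "DirectoryService", "SearchEnd", 3),    # started before tracing was enabled
    (1060, "DirectoryService", "SearchEnd", 2),
    (1070, "DirectoryService", "SearchStart", 4),  # still running when tracing stopped
]


def response_times(trace, start="SearchStart", end="SearchEnd"):
    """Pair start/end events by operation id.

    Returns (durations, orphan_ends, unfinished):
      durations    - {operation_id: elapsed_ms} for fully traced operations
      orphan_ends  - ids whose end event has no recorded start
      unfinished   - ids whose start event has no recorded end
    """
    open_ops = {}       # operation_id -> start timestamp
    durations = {}
    orphan_ends = []
    # A trace is an ordered set of events; sort defensively by timestamp.
    for ts, _provider, event, op_id in sorted(trace, key=lambda e: e[0]):
        if event == start:
            open_ops[op_id] = ts
        elif event == end:
            if op_id in open_ops:
                durations[op_id] = ts - open_ops.pop(op_id)
            else:
                orphan_ends.append(op_id)
        # Other events (for example DiskIO) are ignored by this consumer.
    return durations, orphan_ends, sorted(open_ops)


def summarize(durations):
    """Derive metrics that a raw counter of completed searches cannot give."""
    values = sorted(durations.values())
    if not values:
        return {"count": 0, "mean_ms": None, "max_ms": None}
    return {"count": len(values),
            "mean_ms": sum(values) / len(values),
            "max_ms": values[-1]}


if __name__ == "__main__":
    done, orphans, unfinished = response_times(SAMPLE_TRACE)
    print(summarize(done), "orphan ends:", orphans, "unfinished:", unfinished)
```

Operations that straddle the start or stop of the trace session are reported separately rather than counted, so they do not skew the derived response times.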


Note

Because event tracing is more resource-intensive than regular performance counters, it should not be used on a full-time basis.