Event Tracing for Windows (ETW)

Event Tracing for Windows is a kernel-supported logging infrastructure.
ETW provides applications and services (providers) with an interface through which they can log events, and consumers with an interface through which they can collect them.
These logged events can later be analyzed with tools such as
ETW is primarily used for diagnostic and performance analysis.
Two important native functions for ETW, both exported by ntdll.dll, are NtTraceControl (manages tracing sessions and providers; the documented StartTrace/EnableTrace family ends up here) and NtTraceEvent (writes events; EventWrite/EtwEventWrite end up here):
NTSTATUS
NtTraceControl (
    ULONG FunctionCode,
    PVOID InBuffer,
    ULONG InBufferLen,
    PVOID OutBuffer,
    ULONG OutBufferLen,
    ULONG *ReturnSize);

NTSTATUS
NtTraceEvent (
    HANDLE TraceHandle,
    ULONG Flags,
    ULONG FieldSize,
    PVOID Fields);
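An added example, not from these notes or from any project they cite, that exercises both sides from PowerShell: logman.exe drives the control path that bottoms out in NtTraceControl, the Microsoft-Windows-PowerShell provider (already compiled into PowerShell) emits events through the path that bottoms out in NtTraceEvent, and Get-WinEvent reads the resulting .etl file. The session name, output path, provider choice and the check against "logman query -ets" are my own choices, not anything the notes specify.

```powershell
# Added example (not from the page): a round trip through the public ETW layers that
# sit on top of NtTraceControl (session management) and NtTraceEvent (event writing).
# Assumptions: elevated PowerShell on Windows 10 or later; logman.exe and the
# Microsoft-Windows-PowerShell provider are present (both ship with Windows).
# Session name and output path are arbitrary choices made for this example.

$SessionName = 'EtwNotesDemo'
$EtlPath     = Join-Path $env:TEMP 'EtwNotesDemo.etl'
$Provider    = 'Microsoft-Windows-PowerShell'

# 1. Control path (ends in NtTraceControl): create a session that writes to a file and
#    enable the provider with all keywords (0xFF..FF) at level 5 (verbose).
#    "-ets" acts on the live session immediately instead of only storing a data
#    collector set definition.
logman create trace $SessionName -p $Provider 0xFFFFFFFFFFFFFFFF 5 -o $EtlPath -ets | Out-Null
if ($LASTEXITCODE -ne 0) { throw "logman create failed with exit code $LASTEXITCODE" }

try {
    # Check: the session must appear among the active sessions; if it does not, nothing
    # is being recorded regardless of what the provider emits. This is the first thing
    # to verify when an ETW-based collector "sees nothing".
    if (-not (logman query -ets | Select-String -SimpleMatch $SessionName)) {
        throw "session $SessionName is not running"
    }

    # 2. Write path (ends in NtTraceEvent): the provider's instrumentation is static,
    #    so simply running commands makes PowerShell emit events into the session.
    1..5 | ForEach-Object { Get-Date | Out-Null }
    Start-Sleep -Seconds 1   # give the session a moment to flush its buffers
}
finally {
    # 3. Control path again: stopping the session finalizes the .etl file.
    logman stop $SessionName -ets | Out-Null
}

# logman normally uses the path as given; fall back to a wildcard lookup in case the
# file name was decorated.
if (-not (Test-Path $EtlPath)) {
    $EtlPath = Get-ChildItem -Path $env:TEMP -Filter 'EtwNotesDemo*.etl' |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1 -ExpandProperty FullName
}

# 4. Consume: Get-WinEvent reads .etl files directly; -Oldest is required for ETL input
#    and returns the events in recorded order.
$events = Get-WinEvent -Path $EtlPath -Oldest -ErrorAction Stop
"{0} events recorded from {1}" -f $events.Count, $Provider
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object -First 5 Name, Count | Format-Table -AutoSize
```

Creating sessions and enabling providers requires administrator rights or membership in the Performance Log Users group; when that is missing, "logman create" fails rather than silently recording nothing, which is why the exit code is checked before the session is queried.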

See also

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WINEVT
get-counter -ListSet 'Event Tracing for Windows'
get-counter -ListSet 'Event Tracing for Windows Session'
ETW instrumentation is static: a provider's event calls must be compiled into the traced code. Dynamic tracing, which inserts probes into running code without recompiling it, is provided on Windows by DTrace (dtrace.exe); it is a separate tool rather than a variant of ETW.
wpr.exe: the Windows Performance Recorder

Links

EtwConsumerNT (github) is a simple project that demonstrates how an ETW consumer can be created using only ntdll.dll.
The author's (Petr Beneš) goal was to understand how functions like StartTrace, OpenTrace, EnableTrace and ProcessTrace work internally.