New or Updated in December 2018

After some weekend work for new research didn’t get far enough in November to produce anything that I regard as publishable (and, worse, left me to realise that much of what I prepared in October is a mess), I’ve been determined to make more time.

Regular readers will know of my off-and-on interest over more than a decade in Event Tracing for Windows (ETW). My last round of writing on this, almost exactly two years ago, was not only hurried (for I surely had already run out of time to indulge in unpaid research) but has looked ever since like it had been yet another exercise in writing to a void, with nobody asking me about it for years. On the plus side, at least it hasn’t brought me the experience of finding that people have since presented on the subject at conferences without having noticed my prior work or thought it worth citing. (Should I let this remind me to look again at my work on the API Set Schema from 2010?)

Then, in the last few months of 2018, multiple correspondents asked about ETW. This got me thinking again about the subject. No, that’s not right, for the subject is too useful not to be always on the mind. What it got me thinking about was writing on the subject. In some ways, my thinking doesn’t seem to have moved on from my diary notes of December 2016, but let’s see what comes of a revisit. As yet another plus, this even brought me to complete a page that I had left unpublished way back in 2008. I have too much such stuff lying around, going mouldy at the bottom of the virtual desk drawer.

Kernel Mode
High in my priorities for updating has been to get (and convey) a better sense of the history. It amazes me that Microsoft attracts positive comment not so much for the large (and welcome) expansion of Windows instrumentation but for its supposed openness with all this new functionality. I see it rather differently.