ETW tracing
Real-time sessions, controllers, and consumers for higher-volume tracing.
Why it matters
ETW is where Windows diagnostics becomes high-resolution. It is the next step after Event Log when you need timing, sequence, and deeper performance visibility.
Mental model
Event Log is durable history; ETW is a live tracing bus that can be configured and consumed in many ways.
How it works
1. Controllers start and configure ETW sessions.
2. Providers emit tracing events into those sessions.
3. Consumers read and analyze the resulting stream.
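The three roles above, as an added example that is not part of the original page, run from an elevated PowerShell prompt: `logman` is the controller, the Microsoft-Windows-Kernel-Process provider emits process-start events, and `Get-WinEvent` is the consumer. The session name and file path are constructed for this example, and it uses a file-backed session rather than a real-time one so the events can be read after the session stops.

```powershell
# Requires an elevated prompt. Session name and path are constructed for this example.
$session  = 'DemoProcTrace'                                # hypothetical session name
$provider = 'Microsoft-Windows-Kernel-Process'             # manifest provider for process events
$etl      = Join-Path $env:TEMP 'DemoProcTrace.etl'        # hypothetical output file

Remove-Item -Path $etl -ErrorAction SilentlyContinue       # start from a clean trace file

# Controller: create the session and enable the provider in it.
# 0x10 is the provider's process keyword; 0x4 is the Informational level.
logman start $session -p $provider 0x10 0x4 -o $etl -ets | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "logman could not start session '$session' (is the prompt elevated?)"
}

try {
    # Provider: creating a process makes the kernel provider emit a ProcessStart event.
    Start-Process -FilePath "$env:SystemRoot\System32\whoami.exe" -WindowStyle Hidden -Wait
    Start-Sleep -Seconds 2                                 # let ETW flush its buffers
}
finally {
    # Controller: always stop the session, otherwise it keeps collecting after the script ends.
    logman stop $session -ets | Out-Null
}

# Consumer: read the trace file. -Oldest is required when reading .etl files.
# Event ID 1 is ProcessStart for this provider.
Get-WinEvent -Path $etl -Oldest |
    Where-Object { $_.Id -eq 1 } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Running `logman query -ets` while the session is active lists it alongside the other sessions on the machine, which is a quick way to confirm what is currently being traced.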
Key terms
- ETW session: A configured tracing session that collects events from providers.
- Consumer: A tool or component that reads ETW output.
Tracking a slow boot
Event Log might tell you something failed; ETW can tell you what happened when, in what order, and for how long.
Common misconception
ETW is not 'just another log file'. It is a configurable tracing mechanism with different retention and performance trade-offs.