Available since Windows 2000, ETW provides more detailed information on the operating system environment and application interaction than other logging services on Windows.
In addition, ETW does this with less overhead and higher efficiency.
The architecture of ETW is straightforward: an event provider (any user-mode application, managed application, or driver) writes events to ETW sessions.
When events are written, ETW adds supplementary information about the event time, the process and thread ID that generated the event, the processor ID, and the CPU usage data of the logging thread.
This information is then ingested by event consumers, either from log files or by listening to tracing sessions in real time.
Consumers then carry out whatever further processing they have been configured for.
The following three independently functioning component types determine what is logged, when it is logged, and where the log events are collected, all with relatively little system overhead.
Together these components define an event tracing session.
Controllers enable providers to log events to a session.
They start, stop, and define event trace sessions, specify the session or log file name, location, and type, and define how timestamps are resolved.
Providers are applications equipped with event tracing instrumentation.
When they are enabled by a controller, they send log events to a consumer.
Consumers read events from one or more event tracing sessions, retrieving them from log files as well as from real-time sessions.
In this context, the log collector(s) act as consumers, ingesting generated events from enabled providers.
Apart from regular event tracing sessions, special purpose tracing sessions are also available, such as Private Logger, System Trace, NT Kernel Logger, AutoLogger, and Global Logger.
These sessions have predefined data and location settings and often provide the only way to access certain data, such as when events are created early in the boot process of a system.
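The controller, provider and consumer roles described above, driven end to end with tooling built into Windows. This is an added example, not code from the original text or from Microsoft; the session name, output path, and the choice of provider and keyword are assumptions made for the demonstration, and the commands must run in an elevated PowerShell session.

```powershell
# Added example (not from the original page): exercises the controller/provider/
# consumer model with logman and Get-WinEvent. Session name, output path and the
# provider/keyword/level choices are assumptions for this demonstration; run elevated.
$SessionName = 'EtwDemoSession'                     # assumed controller session name
$EtlPath     = Join-Path $env:TEMP 'etw-demo.etl'   # assumed log file location

# --- Controller: create a session and enable a provider into it.
# Microsoft-Windows-Kernel-Process is a built-in provider; keyword 0x10 selects
# process start/stop events and level 4 is Informational. -ets acts on the live
# session rather than creating a persistent data collector set.
logman create trace $SessionName -p 'Microsoft-Windows-Kernel-Process' 0x10 4 -o $EtlPath -ets | Out-Null

# --- Provider: produce a few process events while the session is active.
Start-Process -FilePath 'cmd.exe' -ArgumentList '/c exit' -Wait -WindowStyle Hidden
Start-Sleep -Seconds 2

# --- Controller: list every running session. Special-purpose sessions such as
# "NT Kernel Logger" or the AutoLogger-backed "EventLog-*" sessions show up here
# alongside the one created above.
logman query -ets

# --- Controller: stop the session, which flushes and closes the .etl file.
logman stop $SessionName -ets | Out-Null

# --- Consumer: read the log file. The supplementary fields ETW attaches to each
# event (timestamp, process ID, thread ID) are exposed as record properties.
Get-WinEvent -Path $EtlPath -Oldest |
    Select-Object -First 5 TimeCreated, ProviderName, Id, ProcessId, ThreadId |
    Format-Table -AutoSize

# Defender-side check: confirm the session really is gone. In a monitoring
# deployment the inverse check (a session that should be running has vanished)
# is the condition worth alerting on.
$still = logman query -ets | Select-String -SimpleMatch $SessionName
if ($still) { Write-Warning "$SessionName is still running" } else { "$SessionName stopped cleanly" }
```

The same three roles map onto a production collector: the agent acts as controller when it creates or enables sessions, the operating system and instrumented applications are the providers, and the agent's real-time consumer (or its parsing of the resulting .etl files) is what forwards events to the log pipeline.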