'Is it possible to use EvtSubscribe() to subscribe to Microsoft-Windows-WMI-Activity/Trace event logs?

I want to register a callback so my code can receive and process all new event logs for Microsoft-Windows-WMI-Activity/Trace.

To clarify, the log path for Microsoft-Windows-WMI-Activity/Trace is %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-WMI-Activity%4Trace.etl, and in the Windows Event Viewer, these events can be found in the tree under Application and Services Logs > Microsoft > Windows > WMI-Activity > Trace.

I know EvtSubscribe() can be used to subscribe to events on channels, but I want to know if this function can also be used for subscribing to events on Microsoft-Windows-WMI-Activity/Trace.

I know for the ChannelPath parameter, it says on the function's docs page that

you cannot subscribe to Analytic or Debug channels

When I view the properties for Microsoft-Windows-WMI-Activity/Trace in Event Viewer, I see the log is of type Analytic, so it seems I cannot subscribe with this function:

screenshot of log properties with type highlighted

My questions:

  1. Can I use this function to subscribe to Microsoft-Windows-WMI-Activity/Trace?
  2. If I cannot with this function, is there some other function in the Windows API that I can use instead that will allow me to subscribe?
cwindowswinapievent-log


Solution 1:[1]

As you can see in the article

you cannot subscribe to Analytic or Debug channels

EvtSubscribe() cannot subscribe to Microsoft-Windows-WMI-Activity/Trace.

Explained in the introduction to the Event Types

-Direct channel

You cannot subscribe to a direct channel, but you can query a direct channel.

A direct channel is performance-oriented. Events are not processed in any way by the eventing system. This allows the direct channel to support high volumes of events.

Direct channels have the following types:

Analytic

Analytic events are published in high volume. They describe program operation and indicate problems that cannot be handled by user intervention.

At present, in the officially provided method, seems to only be viewable through the Event Viewer.

https://docs.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity#obtaining-wmi-events-through-event-viewer

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Junjie Zhu - MSFT

Related Questions

Implicit declaration of functions srand, rand and system

Implicit declaration of functions srand, rand and system

Implicit declaration of functions srand, rand and system

hex code implementation for spawning a shell

hex code implementation for spawning a shell

hex code implementation for spawning a shell

warning: format ‘%s’ expects type ‘char *’, but argument 2 has type ‘char (*)’

Minimal implementation of sprintf or printf

warning: format ‘%s’ expects type ‘char *’, but argument 2 has type ‘char (*)’

Minimal implementation of sprintf or printf

How to hide helper functions from public API in c

VS Code C Error - Invalid Active Developer Path

In C is it faster to use the standard library or write your own function?

Finding consecutive bit string of 1 or 0

What is the simplest way of implementing bigint in C?