RickStrahl

using System;
using System.Text;
using System.Text.RegularExpressions;

namespace MainColorConsole
{
    class Program
    {
        static void Main(string[] args)
        {

Donpedro13

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<InstrumentationManifest>
	<Instrumentation>
		<Regions>
			<RegionRoot Guid="{EFA7A927-BAE3-48F6-92E1-000000000000}" Name="WMI-Regions">
				<Region Guid="{45EEAD74-5B56-4B38-8CEC-CF66312D6F9B}" Name="WMI-Operations">
					<Start>
						<Event Provider="{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}" Id="11" Version="0" />
					</Start>
					<Stop>

Zhentar

ETW Stack Caching

"Stack Caching" (or Stack Compression as PerfView calls it) is a feature of ETW designed to reduce trace buffer & etl file sizes by de-duplicating stack traces. Naturally, as an ETW feature it is documented solely through obtuse (likely accidental) references and hints in Microsoft tooling. And so the documentation is left to stubborn reverse engineers dedicated ETW enthusiasts such as myself.

The Windows version studied for this was Windows 10 1809 64-bit. I do not think this feature has changed significantly since its introduction, but I have not verified that.

Basics

In trace buffers, the compressed stacks are emitted with the Stackwalk task guid, like regular stackwalks, but with opcodes for events (as labeled by WPA) like "Stack Walk: Delete Definition" and "Stack Walk: Reference [User]". "Reference" entries contain a 'StackKey' value that uniquely identifies a stack trace definition. "Stack Walk: Delete Definition" is logged when cached stacks are evicted; from the MOF def

Zhentar

using System;
using System.Runtime.InteropServices;

namespace StartTraceExtended
{
	static class Program
	{
		static unsafe void Main()
		{
			var trace_props = new EVENT_TRACE_PROPERTIES();