TraceView is the easiest out-of-the-box solution, but it is possible to write your own ETW viewer that is specific to your provider. This would give you full control over the presentation and make it much easier on the end user as TraceView is really more of a debugging tool than something you can ask end users to run.

TraceView 是最简单的开箱即用解决方案，但可以编写您自己的特定于您的提供商的 ETW 查看器。这将使您完全控制演示文稿，并使最终用户更轻松，因为 TraceView 实际上更像是一种调试工具，而不是您可以要求最终用户运行的工具。

As far as real-time tracing goes, according to the documentation:

就实时跟踪而言，根据文档：

Only users with administrative privileges, users in the Performance Log Users group, and services running as LocalSystem, LocalService, NetworkService can consume events in real time. To grant a restricted user the ability to consume events in real time, add them to the Performance Log Users group.

Windows XP and Windows 2000: Anyone can consume real time events.

只有具有管理权限的用户、Performance Log Users 组中的用户以及作为 LocalSystem、LocalService、NetworkService 运行的服务才能实时消费事件。要授予受限用户实时使用事件的能力，请将它们添加到性能日志用户组。

Windows XP 和 Windows 2000：任何人都可以使用实时事件。

If you're interested in writing your own ETW viewer (real-time or log file), here is the relevant documentation.

如果您有兴趣编写自己的 ETW 查看器（实时或日志文件），请参阅相关文档。

Windows Event Log reads the ETW. In fact I'd say this is the correct way for a consumer (non program) to view and export the ETW traces.

Windows 事件日志读取 ETW。事实上，我会说这是消费者（非程序）查看和导出 ETW 跟踪的正确方法。

See here for an example. http://blogs.microsoft.co.il/blogs/applisec/archive/2009/10/12/reading-etw-tracing-using-event-viewer.aspx

有关示例，请参见此处。http://blogs.microsoft.co.il/blogs/applisec/archive/2009/10/12/reading-etw-tracing-using-event-viewer.aspx

This question on msdnDiscuses what to do when the logs don't appear. Does anything here help?

msdn 上的这个问题讨论了未出现日志时该怎么办。这里有什么帮助吗？

ETW tracing was designed to run only by administrators because trace may contain personal identifiable information. And it would pose security threat if a non-admin can capture the trace.

ETW 跟踪旨在仅由管理员运行，因为跟踪可能包含个人身份信息。如果非管理员可以捕获跟踪，它将构成安全威胁。

Here is a warning Example from xperf

这是来自 xperf 的警告示例

The trace you have just captured "C:\Windows\system32\kernel.etl" may contain personally identifiable information, including but not necessarily limited to paths to files accessed, paths to registry accessed and process names. Exact information depends on the events that were logged. Please be aware of this when sharing out this trace with other people.

您刚刚捕获的跟踪“C:\Windows\system32\kernel.etl”可能包含个人身份信息，包括但不一定限于访问的文件路径、访问的注册表路径和进程名称。确切信息取决于记录的事件。与其他人分享此痕迹时请注意这一点。

Hope this answers your question

希望这能回答你的问题

Here is how you can get custom ETW traces from your own custom providerand how ETW can be used within managed code

以下是如何从自己的自定义提供程序获取自定义 ETW 跟踪 以及如何在托管代码中使用 ETW

Hope this helps.

希望这可以帮助。

IMO Perfviewis one of the best tools available to control and view ETW traces. It can also provide managed call-stacks. The best part of it is you could xcopy on to any server and collect traces.

IMO Perfview是可用于控制和查看 ETW 跟踪的最佳工具之一。它还可以提供托管调用堆栈。最好的部分是您可以将 xcopy 复制到任何服务器并收集跟踪信息。

Perfview uses TraceEvent library and here the sampleshow you could use it using an API and C#

Perfview 使用 TraceEvent 库，这里是如何使用 API 和 C# 使用它的示例