microsoft / krabsetw

KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.

Add a trace interface to enable ignoring MOF events #210

Open acyr opened 1 year ago

acyr commented 1 year ago

MOF events all require a (slow) TDH lookup, which can fail if the schema is not available. Since these are generally legacy events, many applications may not require them, and ignoring them can provide a significant performance increase, particularly for large trace files.

acyr commented 1 year ago

Ignoring MOF events for some ETL traces provides orders-of-magnitude speed improvements.

Real Example: ~500MB ETL trace is parsed in 146s with MOF events -> 6s without MOF events.

Problem seems rooted in that reading from an ETL file does not seem to obey event filters, making it possible for undesired events to be read in regardless of provider filter settings.

swannman commented 1 year ago

@acyr We're happy to merge this pending the feedback above. Are you still working on this?