I'm interested in getting custom ETW events to display Start Time and End Time, like some default windows events do, in order to present it in gantt form, like so:
I've hacked around Bruce Dawson's demo manifest and multi-provider files, to add Start Time and End Time fields to one of the event templates.
However, I can't get it to even recognize the field as a Time field.
I compose the template for the event payload as described in Microsoft's specification as follows
<data inType="win:FILETIME" outType="xs:dateTime" name="Start Time" />
<data inType="win:FILETIME" outType="xs:dateTime" name="End Time" />
And convert my QueryPerformanceCounter variables accordingly :
//start is LARGE_INTEGER
//end is LARGE_INTEGER
FILETIME ftStart;
ftStart.dwLowDateTime = start.LowPart;
ftStart.dwHighDateTime = start.HighPart;
FILETIME ftEnd;
ftEnd.dwLowDateTime = end.LowPart;
ftEnd.dwHighDateTime = end.HighPart;
WPA says "Unable to parse data" in the relevant fields:
Then I look at Microsoft WPA documentation:
If the graph is a Gantt chart, each column that you move to the graphing elements area must contain only timestamp values. A mark in one of the horizontal bars in the Gantt chart represents one timestamp value.
So I look and see that timestamps are simply LARGE_INTs so I go back to original format and write the manifest like so:
<data inType="win:UInt64" outType="win:ETWTIME" name="Start Time" />
<data inType="win:UInt64" outType="win:ETWTIME" name="End Time" />
Then the data is presented as a large count of nanoseconds instead of time. And I'm unable to select either field as "Start Time" or "End Time".
What am I doing wrong?