This library does not follow best practices for ETW sessions, resulting in excessive memory usage. In addition, this library can cause substantial problems for the target system but does not appear to have any warnings that would alert users to the possible problems that might be caused by this library.
References:
Issues:
- Even not counting memory usage, ETW sessions are a limited resource (usually a system-wide limit of 64 sessions). See the "IMPORTANT" note at the top of the StartTrace documentation.
- The minimum memory usage of a normal ETW session is BufferSize x 2 x CpuCount.
- Since your default BufferSize is 1MB, the minimum memory usage of the pywintrace session is 1MB x 2 x CpuCount, and this is NON-PAGED memory. Even on a small 8-core system, that's 16MB of non-paged memory. Since it's non-paged, the memory must be allocated even if it is never used.
- If the python program exits without closing the session (e.g. if the program crashes or is killed), the session will continue running and will continue using CPU, memory, and (since the events get written to disk if the consumer gets behind) disk space.
Users of this library need to be made aware of these issues and given guidance on how to minimize their impact on the target system.
In addition, it would be very helpful to improve the defaults to use less memory, and to provide additional ways for users to avoid using too much memory.
- Lower the default buffer size. This library defaults to 1024KB buffers, but this is almost always too large and is almost always very wasteful of non-paged memory. As described in the documentation for EVENT_TRACE_PROPERTIES, most trace sessions should use a buffer size of 64KB or less. There is almost never any reason to use buffer sizes larger than 128KB. (If your user needs more memory allocated, larger memory allocations should occur via a larger MaximumBuffers count, not via a larger BufferSize.)
- Provide an option (maybe the default?) for setting the EVENT_TRACE_NO_PER_PROCESSOR_BUFFERING flag. This flag is appropriate for low-event-rate sessions (less than a few hundred events per second) and significantly reduces the memory usage (you don't need separate buffers for each CPU).
- Provide an option for setting the EVENT_TRACE_USE_PAGED_MEMORY flag. By default, ETW sessions use non-paged memory so that they can receive events from the kernel. Non-paged memory means you're reserving the memory even if it is never used. If the session user knows they won't receive any events from the kernel, they should set EVENT_TRACE_USE_PAGED_MEMORY so that the memory can be paged-out.
- For reliability, your session should probably just always set EVENT_TRACE_INDEPENDENT_SESSION_MODE. This just opts-in to a better ETW behavior that should have been the default.
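
The guidance in this issue, turned into a settings check: an added example, not code from the issue or from pywintrace. `SessionConfig`, `min_buffer_kb` and `review` are hypothetical names, the flag values are those in the Windows SDK header evntrace.h, and the two-buffer minimum for a session without per-processor buffering and the real-time mode of the sample sessions are assumptions.

```python
from dataclasses import dataclass

# LogFileMode flag values from the Windows SDK header evntrace.h
EVENT_TRACE_REAL_TIME_MODE = 0x00000100
EVENT_TRACE_USE_PAGED_MEMORY = 0x01000000
EVENT_TRACE_INDEPENDENT_SESSION_MODE = 0x08000000
EVENT_TRACE_NO_PER_PROCESSOR_BUFFERING = 0x10000000

@dataclass
class SessionConfig:              # hypothetical container, not a pywintrace type
    buffer_kb: int                # EVENT_TRACE_PROPERTIES.BufferSize, in KB
    log_file_mode: int            # EVENT_TRACE_PROPERTIES.LogFileMode
    kernel_events: bool = False   # will the session receive kernel events?
    low_event_rate: bool = True   # fewer than a few hundred events per second

def min_buffer_kb(cfg, cpu_count):
    """Minimum buffer memory, BufferSize x 2 x CpuCount as given in the issue.
    Assumption: without per-processor buffering the minimum is 2 buffers."""
    per_cpu = not cfg.log_file_mode & EVENT_TRACE_NO_PER_PROCESSOR_BUFFERING
    return cfg.buffer_kb * 2 * (cpu_count if per_cpu else 1)

def review(cfg, cpu_count):
    """Return findings for settings the issue calls wasteful or unreliable."""
    mode, findings = cfg.log_file_mode, []
    paged = bool(mode & EVENT_TRACE_USE_PAGED_MEMORY)
    kind = "paged" if paged else "non-paged"
    findings.append(f"minimum {min_buffer_kb(cfg, cpu_count)} KB of {kind} memory")
    if cfg.buffer_kb > 128:
        findings.append("BufferSize > 128 KB: raise MaximumBuffers instead")
    if paged and cfg.kernel_events:
        findings.append("paged memory set but kernel events are expected")
    if not paged and not cfg.kernel_events:
        findings.append("no kernel events: set EVENT_TRACE_USE_PAGED_MEMORY")
    if cfg.low_event_rate and not mode & EVENT_TRACE_NO_PER_PROCESSOR_BUFFERING:
        findings.append("low rate: set EVENT_TRACE_NO_PER_PROCESSOR_BUFFERING")
    if not mode & EVENT_TRACE_INDEPENDENT_SESSION_MODE:
        findings.append("set EVENT_TRACE_INDEPENDENT_SESSION_MODE")
    return findings

# Constructed inputs: the 1024 KB default named in the issue (real-time mode
# is an assumption) and a session tuned as the issue suggests.
DEFAULT = SessionConfig(1024, EVENT_TRACE_REAL_TIME_MODE)
TUNED = SessionConfig(64, EVENT_TRACE_REAL_TIME_MODE | EVENT_TRACE_USE_PAGED_MEMORY
                      | EVENT_TRACE_INDEPENDENT_SESSION_MODE
                      | EVENT_TRACE_NO_PER_PROCESSOR_BUFFERING)

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT), ("tuned", TUNED)):
        print(name, *review(cfg, cpu_count=8), sep="\n  ")
```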