Reading from Event Log is > 20 times too slow

[Alois-xx]

The "new" way to read event logs is to use EventLogReader which is with .NET since a long time. Some people have been wondering why it is so much slower than the plain Eventlog class. Besides the different Win32 APIs which are called there is a huge difference in the EventLogReader class which is responsible for the really bad perf:

runtime/src/libraries/System.Diagnostics.EventLog/src/System/Diagnostics/Reader/ProviderMetadataCachedInformation.cs

Line 159 in 6d395de

pm.CheckReleased();

According to the docu two lines above this will throw when while the process is running an ETW provider was uninstalled. Not sure if we really need such a rigor error handling but this results in hugely degraded performance.

This innocent looking call calls into

this.GetProviderListProperty(_handle, UnsafeNativeMethods.EvtPublisherMetadataPropertyId.EvtPublisherMetadataTasks);

which will format into an array all named Tasks of the given ETW provider. For some providers there are only a few but e.g. the Security Event Log has over 60 of them which are all string formatted in a localized manner and then thrown immediately away.

Check out that simple application:

using System;
using System.Diagnostics;
using System.Diagnostics.Eventing.Reader;


namespace ConsoleApp1
{
    class Program
    {
        static void Main(string[] args)
        {
                string log = "Security";
                if (args.Length > 0)
                {
                    log = args[0];
                }
                var reader = new EventLogReader(log, PathType.LogName);

                EventRecord record = null;
                for (int i = 0; i < 1 && ((record = reader.ReadEvent()) != null); i++)
                {
                    Console.WriteLine("Got {0} {1} {2}", record.FormatDescription(), record.Task, record.ProviderName);
                    const int Runs = 1000;
                    var sw = Stopwatch.StartNew();
                    for (int k = 0; k < Runs; k++)
                    {
                        var tmp = record.FormatDescription();
                    }
                    sw.Stop();
                    Console.WriteLine($"Did format message {Runs} times in {sw.Elapsed.TotalSeconds:F3}s");
                }
            }
    }
}

On my machine I get for reading a single Security Event Log message:
...
Did format message 1000 times in 12.861s

When I remove CheckReleased then it is over 26 times faster:
...Did format message 1000 times in 0.453s

The screenshot below shows that while reading and formatting a single event we will read all task properties which are 60 for this event log:

Whatever the reason for this error check was it makes reading event log messages over a magnitude slower than it should and could be. I know the compat bar is high but is there a chance to remove this safety check. I see no real reason to keep this.

[Dotnet-GitSync-Bot]

I couldn't figure out the best area label to add to this issue. Please help me learn by adding exactly one area label.

[Alois-xx]

I think Diagnostics is your profession:
@tommcdon @krwq

[tommcdon]

@Anipik

[Anipik]

cc @maryamariyan

[Alois-xx]

Any chance to fix this? Also the performance of FormatMessage of the Win32 API is really bad because on every call it reads from the registry the current culture settings (no cache!). This would be in my opinion a Windows perf issue which is the main reason why everything in the EventLog viewer .msc is so slow. But I do not know where I can put this where it will be not ignored.

[danmoseley]

@Alois-xx it may be some time before we could look at this (I guess it has been this way for a while). If you are interested in offering a PR (that would not break existing code) we could take a look.

[Alois-xx]

@danmosemsft: I can offer two options:

1. Total non breaking.
   Make CheckReleased much faster by not formatting the ETW provider task names but only retrieve the task list. If the provider was uninstalled while we are reading it will already throw when the task list size is tried to fetch
2. I am not sure why this check is there at all. I have removed the check and uninstalled an ETW provider writing to the application event log. This results in an EventLogProviderDisabledException as before.
   The check in the catch handler will only work if an ETW provider has been moved to different event log file. There it is tried to re-add the cache entry with no log file name in case it gets an EventLogNotFoundException.

             // check Provider metadata to be sure it's hasn't been
                // uninstalled since last time it was used.

                try
                {
                    pm.CheckReleased();
                    UpdateCacheValueInfoForHit(cacheItem);
                }
                catch (EventLogException)
                {
                    DeleteCacheEntry(key);
                    try
                    {
                        pm = new ProviderMetadata(key.ProviderName, _session, key.TheCultureInfo, _logfile);
                    }
                    catch (EventLogNotFoundException)
                    {
                        pm = new ProviderMetadata(key.ProviderName, _session, key.TheCultureInfo);
                    }
                    AddCacheEntry(key, pm);
                }

That scenario is unlikely. It is much more likely that someone did play around with ETW providers and did choose to deploy his provider to a different log file but did not remove the messages from the "old" log. In that case you can still read the old logged but no longer registered provider messages with the updated provider meta data key.
If the CheckReleased would be removed then you could potentially break reading the old log files because the Provider cache key construction uses the same logic. When the cached provider metadata was not used for longer than 10ms it will be removed from the cache. That would open a potential breaking change for strange ETW providers which write with one provider to several EventLog files.

Based on that I think the comment above in the code is misleading because the mentioned issue is a non issue and will break the reading anyway. The only thing why the check is there if some, I would consider them broken, providers exist which write to multiple event logs but have registered their metadata only with one event log in the registry. Then the fallback enables reading these messages as well without bailing out early.

Playing with BCL assemblies is a bit daunting. If someone wants to play. I have copied the entire code of Event Log Reader into a console .NET Core 5 application, created a local git repo and made some changes. That feels pretty efficient to play around with these things. I could not get the latest Preview 3 compiled with VS2010 preview but the older baseline did still compile so I used that one.

[Anipik]

@tarekgh can you guide on what extra investigation needs to be done here before taking this change ?

[tarekgh]

@Anipik

can you guide on what extra investigation needs to be done here before taking this change?

We need to understand the effect of any change here. @Alois-xx analysis is very helpful but we need to know if we go with either proposed solution, what that will break? and what can go wrong?
Removing the check CheckReleased will be more concerned as there should be a good reason this check was there in the first place. I am inclining to look more at the first proposed solution and find out if it will help in the perf and at the same time guarantee, nonthing will break. Or look more at GetProviderListProperty and try to find if there is anything else can be optimized.

[danmoseley]

If we think the possibly-breaking change is the right one, we still have a number of previews to go, and 5.0 isn't an LTS release, so there is some possibility of reversing such a change if we discover problems.