1 year ago
#321943
Shane Bishop
"Access is denied" error opening a Windows .etl file
I am encountering an "Access is denied" error when opening an .etl file on Windows using C++.
I do not understand why this is happening.
From the docs for the OpenTrace() function, it says:
ERROR_ACCESS_DENIED
Only users with administrative privileges, users in the Performance Log Users group, and services running as LocalSystem, LocalService, NetworkService can consume events in real time. To grant a restricted user the ability to consume events in real time, add them to the Performance Log Users group.
I tried running the program as Administrator, as the user who is the owner of the file, and as the SYSTEM user. I would expect running as Administrator would work, since it meets the condition of having "administrative privileges".
My code is based on this example in the Microsoft docs.
I log the error message with std::cout << message << std::endl.
Below is my code. I compile using Visual Studio 2019, using the C++14 standard.
```cpp
//Turns the DEFINE_GUID for EventTraceGuid into a const.
#define INITGUID

// These #defines enable secure template overloads
// (see last part of Examples() below)
#define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES 1
#define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES_COUNT 1

#include <windows.h>
#include <stdio.h>
#include <wbemidl.h>
#include <wmistr.h>
#include <evntrace.h>
#include <tdh.h>
#include <in6addr.h>
#include <system_error> // Requires C++11 or newer
#include <iostream>
#include <string>

#pragma comment(lib, "tdh.lib")

#define LOGFILE_PATH L"C:\\Users\\user\\Downloads\\PerfViewData.etl"

TRACEHANDLE g_hTrace = 0;

// Event callback; events are ignored here because only OpenTrace() is being tested.
VOID WINAPI ProcessEvent(PEVENT_RECORD pEvent) { /* Placeholder */ }

int wmain(void) {
    TDHSTATUS status = ERROR_SUCCESS;
    EVENT_TRACE_LOGFILE trace;
    TRACE_LOGFILE_HEADER* pHeader = &trace.LogfileHeader; // unused here; kept from the docs example

    ZeroMemory(&trace, sizeof(EVENT_TRACE_LOGFILE));
    trace.LogFileName = (LPWSTR)LOGFILE_PATH;
    trace.EventRecordCallback = (PEVENT_RECORD_CALLBACK)(ProcessEvent);
    trace.ProcessTraceMode = PROCESS_TRACE_MODE_EVENT_RECORD;

    g_hTrace = OpenTrace(&trace);
    if (INVALID_PROCESSTRACE_HANDLE == g_hTrace) {
        // OpenTrace() reports failure through GetLastError(), not a return code.
        DWORD lastError = GetLastError();
        wprintf(L"OpenTrace failed with %lu\n", lastError);
        std::string message = std::system_category().message(lastError);
        std::cout << message << std::endl;
    } else {
        CloseTrace(g_hTrace);
    }
    return 0;
}
```
I looked at the process using Sysinternal Process Monitor, but I only saw two events for the process: a successful "Process Start" and a successful "Process Create" event. There were no events related to opening files or traces.
When I use L"C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-WMI-Activity%4Trace.etl" for LOGFILE_PATH instead, I don't get the "Access is denied" error.
Tags: c++, windows, event-log
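A PowerShell triage script, added here and not part of the question, that separates the two things the docs' ERROR_ACCESS_DENIED entry can point at: the rights actually present in the calling process token (elevation and Performance Log Users membership, checked by its well-known SID) versus read access to the .etl file itself. The path is the one from the post; Get-WinEvent is used as an independent reader to reproduce the failure outside the C++ program.

```powershell
# Added triage script (not from the question): checks the caller's token and the
# .etl file separately when OpenTrace() fails with ERROR_ACCESS_DENIED.
param(
    [string]$EtlPath = 'C:\Users\user\Downloads\PerfViewData.etl'   # path used in the question
)

if (-not (Test-Path -LiteralPath $EtlPath)) { throw "File not found: $EtlPath" }

# 1. What does the *current* token hold? Starting the program "as Administrator"
#    only helps if the process is elevated; a filtered admin token reports $false here.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isElevatedAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$perfLogUsersSid = New-Object Security.Principal.SecurityIdentifier('S-1-5-32-559') # BUILTIN\Performance Log Users
$inPerfLogUsers  = $principal.IsInRole($perfLogUsersSid)

# 2. Can the file itself be opened for reading? This is the CreateFile that Process
#    Monitor would show; a failure here is an NTFS ACL problem, not an ETW one.
$fileReadable = $false; $fileError = $null
try {
    $fs = [IO.File]::Open($EtlPath, [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
    $fs.Dispose()
    $fileReadable = $true
} catch { $fileError = $_.Exception.Message }

# 3. Can Windows' own event reader open the .etl? -Oldest is required for .etl files.
#    A failure here reproduces the problem without the C++ code being involved.
$etwReadable = $false; $etwError = $null
try {
    $null = Get-WinEvent -Path $EtlPath -Oldest -MaxEvents 1 -ErrorAction Stop
    $etwReadable = $true
} catch { $etwError = $_.Exception.Message }

[pscustomobject]@{
    User               = $identity.Name
    ElevatedAdmin      = $isElevatedAdmin
    PerformanceLogUser = $inPerfLogUsers
    FileOwner          = $(try { (Get-Acl -LiteralPath $EtlPath).Owner } catch { $_.Exception.Message })
    FileReadable       = $fileReadable
    FileError          = $fileError
    EtwReadable        = $etwReadable
    EtwError           = $etwError
}
```

If FileReadable is true but EtwReadable is false, the denial is not coming from the file's ACL, and the same result from an elevated shell narrows the cause to the trace file or the ETW consumer path rather than the C++ program.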
0 Answers