Analyze Windows Boot - microsoft/MSO-Scripts GitHub Wiki
The Windows AutoLogger can track virtually any type of system activity as the OS initializes and signs you in.
MSO-Scripts makes it easy to analyze Windows start-up for a variety of system resources:
CPU, Memory, Network, File & Disk I/O, Handles, Registry, etc.
It uses the Windows Performance Recorder (WPR, built-in to Windows 10/11+), which sets up a Windows AutoLogger session to track system activity during the next OS restart and sign-in.
To capture system activity during Windows start-up/restart, simply add a -Boot switch to the MSO-Scripts' Start, Stop, Status, or Cancel command:
Either download and unzip a recent Release, or clone the Repository:
<> Code ↓Open an Administrator Terminal or PowerShell or CMD window.
Configure the Windows Autologger to start an ETW trace of CPU activity during the next OS restart.
MSO-Scripts\TraceCPU Start -Boot -LiteRestart Windows immediately.
shutdown -r -t 0Back in the Administrator command window...
Stop tracing, reset the AutoLogger, and capture the ETW Log.
MSO-Scripts\TraceCPU Stop -BootLaunch the Windows Performance Analyzer (WPA) to view the sources of all the CPU activity.
MSO-Scripts\TraceCPU View
Try it also with the other scripts: TraceNetwork, TraceFileDiskIO, etc.
Important
If the PowerShell script does not run, you can instead run the Batch script: MSO-Scripts\TraceCPU.BAT ...
See: What if I can't run PowerShell scripts in my environment?
Early in the Windows start-up sequence, the Windows AutoLogger system enumerates the subkeys the Windows Registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WMI\Autologger\...
For each subkey which contains the value Start=1, the AutoLogger reads its configuration and enables the defined ETW tracing.
Note
On some systems there may be dozens of AutoLogger traces pre-enabled, and if any of them are configured for high-traffic ETW logging, that itself could contribute to resource contention and system slowness.
The Windows Performance Recorder (WPR) is able to simplify setting up an AutoLogger session by automatically configuring the Windows Registry.
MSO-Scripts uses WPR and the AutoLogger to easily capture an ETW trace during Windows start-up, and simplifies viewing it in the Windows Performance Analyzer.
Log and view the Network activity that happens during Windows restart.
BETA\TraceNetwork Start -Boot
ShutDown -r -t 0
BETA\TraceNetwork Stop -Boot
BETA\TraceNetwork View
Log and view the File and Disk I/O activity that happens during Windows restart.
TraceFileDiskIO Start -Boot
ShutDown -r -t 0
TraceFileDiskIO Stop -Boot
TraceFileDiskIO View
Log and view the Windows Heap activity of SomeStartupApp.exe, which launches automatically during Windows restart.
TraceHeap Start -Boot -EXE SomeStartupApp.exe
ShutDown -r -t 0
TraceHeap Stop -Boot
TraceHeap View
You can further customize what ETW data providers MSO-Scripts enables. See: Customize Tracing
Caution
After running TraceCPU Start -Boot ..., DO NOT FORGET to eventually run TraceCPU Stop -Boot to capture the trace and delete the AutoLogger session, or run TraceCPU Cancel -Boot at any time.
Failing to do so might have a substantial impact on the system, particularly if the AutoLogger is tracing in file mode (TraceCPU's default mode), which could create a log file of unbounded size on the disk.
Likewise for the other Trace* scripts, or if you are using the raw WPR commands: -BootTrace, -AddBoot, -StopBoot, -CancelBoot
See: List AutoLogger Entries
See: List Running ETW Logging Sessions
See: Alternate Ways to Trace Windows Start-up
When a Windows Startup trace is started using the -Boot switch, it captures events necessary to chart the startup sequence.
From within the Windows Performance Analyzer (WPA):
- Profiles > Apply > Browse Catalog > FullBoot.Boot.wpaProfile > Open
- Select the "Deep Analysis" tab and the expand the top chart: "Regions of Interest - FullBoot"
Windows Startup Sequence Chart
How It Works
- MSO-Scripts captures an extra set of ETW Providers via: MSO-Scripts\WPRP\WindowsProviders.wprp!WindowsStartup
- WPR loads the WPA View Profile: .\CustomDataSources\Event_Tracing_for_Windows\Catalog\FullBoot.Boot.wpaProfile
- The WPA View Profile references a Regions of Interest file: FullBoot.Boot.Regions.xml
MSO-Scripts is able to capture multiple traces simultaneously.
For example, to capture and view traces of both CPU and Network activity during Windows restart:
.\TraceCPU Start -Boot -Lite
BETA\TraceNetwork Start -Boot
shutdown -r -t 0
.\TraceCPU Stop -Boot
BETA\TraceNetwork Stop -Boot
.\TraceCPU View
BETA\TraceNetwork View
The traces are kept separate using WPR's -InstanceName option.
Tip
Similarly created ETW Trace Log (.ETL) files can be merged into one with this command:
WPR -merge <1st file>.etl <2nd file>.etl [<3rd file>.etl] <merged file>.etl -compress
For example:
WPR -merge "c:\PerfLogs\Trace-CPU.etl" "c:\PerfLogs\Trace-Network.etl" "c:\PerfLogs\Merged-CPU-Network.etl" -compress
See: WPR -Merge ...
Many Windows System Services launch during System start-up/restart. Most of them run within instances of the same executable: SvcHost.exe
There are two ways that the Windows Performance Analyzer (WPA) is able to expose the system services associated with each process (usually SvcHost.exe):
- Many WPA data tables make available the column: "Display Name" or "Service Display Name". The Display Name is the full name of the system service.
You can use the WPA View Editor to set the first three columns to this convenient arrangement:
| Process Name | Service Display Name | Process | ...
View Editor - Display Name
Data Table - System Service Display Name
- If the WPA data table does not provide a [Service] Display Name column, then you can look up the service name by Process ID.
- In WPA: Trace > System Configuration
- Select: "Services" (in the left column of the "System Configuration" tab)
- Move the "Process" column header to be the first column of the table, and sort by that column.
- Look up the Process Name (Process ID) to find the corresponding "Display Name" & "Service Name" in the same row.
Table of System Services grouped by Running Process
How to use MSO-Scripts to capture a trace during Windows Shutdown:
- Within a CMD/PowerShell/Terminal (Administrator) window:
Set the environment variable WPT_Mode:$Env:WPT_Mode='Shutdown'orset WPT_Mode=Shutdown
- Run (for example):
TraceCPU Start -Lite
It should report: "WPT_Mode: Able to trace System Shutdown."
- Restart Windows manually, or run:
Shutdown -r -t 0
Back in a CMD/PowerShell/Terminal (Admin) window:
- Run:
TraceCPU Stop
- View the final trace:
TraceCPU View
See: Alternate Ways to Trace Windows Shutdown
Note
- Initiate the Shutdown trace in File mode, not Memory mode (MSO-Scripts: No -LOOP switch).
- When ETW tracing starts, one or more (usually two) .ETL collector files are created in the "-RecordTempTo" folder.
- When Windows shuts down, tracing stops and those collector files are closed automatically.
- For a Shutdown trace, the Stop command (WPR: -Stop) remembers and reopens the collector files and merges them into a final .ETL trace.
When a Windows Shutdown trace is started using WPT_Mode=Shutdown, it captures events necessary to chart the shutdown sequence.
From within the Windows Performance Analyzer (WPA):
- Profiles > Apply > Browse Catalog > FullBoot.Shutdown.wpaProfile > Open
- Select the "Deep Analysis" tab and the expand the top chart: "Regions of Interest - FullBoot" [sic]
Windows Shutdown Sequence Chart
How It Works
- MSO-Scripts captures an extra set of ETW Providers via: MSO-Scripts\WPRP\WindowsProviders.wprp!WindowsShutdown
- WPR loads the WPA View Profile: .\CustomDataSources\Event_Tracing_for_Windows\Catalog\FullBoot.Shutdown.wpaProfile
- The WPA View Profile references a Regions of Interest file: FullBoot.Shutdown.Regions.xml