ETW Encyclopedia - microsoft/MSO-Scripts GitHub Wiki

The MSO-Scripts script-set aims to provide simple command-line tools which harness the power of Event Tracing for Windows (ETW) without requiring deep technical knowledge. Yet, for completeness, we present here an annotated collection of the many tools and techniques for making use of ETW.

• Classic/MOF: Binary format for logging Kernel events.
• Manifested ETW: Extensible logging format described by a manifest from a module resource and registered with the system.
• TraceLogging: Extensible, self-describing logging format.
• Windows Trace PreProcessor (WPP): Unformatted binary data in a log file, converted to human-readable form by a postprocessor, and mainly intended for debugging code during development.
• Windows Management Infrastructure (WMI) Event Tracing: ETW-based replacement for WMI log files.

See also:

• Instrumenting Your Code with ETW
• About Event Tracing - Providers

• Windows Performance Recorder (WPR): a command line tool built into Windows 10/11+
• Windows Performance Recorder UI (WPRUI): a User Interface version of WPR
• XPerf.exe: an older command-line tool, usually adjacent to WPA, or it's in the Windows Performance Toolkit.
• PerfView: an open-source tool for collecting and viewing both time and memory performance data.
• PowerShell (v5.1+): Event Tracing Management
• TraceView: configures and controls trace sessions.
• TraceLog: an event tracing controller
• LogMan: Performance Monitor - on the command line
• XBootMgr (deprecated): On/Off Transition Trace Capture tool in the Windows Performance Toolkit

See Also:

• Tools for Software Tracing
• Choosing among VS Profiler, Windows Performance Toolkit, and PerfView

• Windows Performance Analyzer (WPA): the modern tool for analyzing ETW traces via charts and pivotable data tables.
• PerfView: an open-source tool for collecting and viewing both time and memory performance data.
• Event Viewer: Translates WMI events to readable format.
• TraceView: Displays formatted trace messages from real-time trace sessions and trace logs.
• Message Analyzer (Deprecated): Open a wide variety of log file types.
• XPerfView (Obsolete)

See also: Describe Windows Server Event Logs

• Windows Performance Recorder:
  WPR -Providers
• XPerf:
  XPerf -Providers I
• LogMan:
  LogMan Providers
• WEvtUtil:
  WEvtUtil EP
• PowerShell:
  Get-NetEventProvider -ShowInstalled | Select-Object -Property Name,Guid
• RegEdit:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers

• LogMan:
  LogMan Providers <Provider Name>
• WEvtUtil:
  WEvtUtil GP <Provider Name>
• PowerShell:
  Get-NetEventProvider -ShowInstalled <Provider Name> | Select-Object -Property *

• User Interface:
  Run: PerfMon.msc
  Data Collector Sets > Event Trace Sessions > dbl-click a session
• LogMan:
  logman -ets query
logman -ets query | findstr WPR
• PowerShell (v5.1+):
  Get-ETWTraceSession -Name *
• XPerf:
  xperf -Loggers | findstr -v Flags
xperf -LoggersWithNames

† Administrator Privilege Required

• User Interace:
  PerfMon (above) gives the most detailed info on ETW Logging Sessions.
• LogMan:
  logman -ets query "<Session Name>"
  
• PowerShell (v5.1+):
  Get-ETWTraceSession -Name "<Session Name>" | Select-Object -Property *
• XPerf:
  xperf -LoggersWithNames "<Session Name>"

• User Interface:
  Run: PerfMon.msc
  Data Collector Sets > Startup Event Trace Sessions > dbl-click a session
• PowerShell (v5.1+):
  Get-AutoLoggerConfig
• RegEdit:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger

AutoLogger entries are disabled when: Start=0

• User Interace:
  PerfMon (above) gives the most detailed info on AutoLogger entries.
• PowerShell (v5.1+):
  Get-AutoLoggerConfig "<Config Name>" | Select-Object -Property *

• PowerShell (v5.1+):
  Set-AutoLoggerConfig -Name "<Config Name>" -Start 1 or 0

The AutoLogger Start state may be regularly re/set by its originating service.

See: Configuring and Starting an AutoLogger Session

• Create a Recording Profile from scratch.

  • Authoring Recording Profiles
  • Authoring Custom Profiles: Part 1 & Part 2

• Modify one of the MSO-Scripts Recording Profiles, found at:
      MSO-Scripts\WPRP\
      MSO-Scripts\BETA\WPRP\

• Create a custom Recording Profile using 'XPerf -on' notation in PowerShell‡:
      $Env:WPT_PATH="$Env:LocalAppData\MSO-Scripts"
    $Env:WPT_XPERF="Microsoft-Windows-TCPIP + e53c6823-7bb8-44bb-90dc-3f86090d48a6:0x00A4:4:Stack"
    cd MSO-Scripts\
      & { . .\Include.ps1; WPRPFromProviderString $Env:WPT_XPERF }
      Find the custom Recording Profile ! Profile_Name at: $Env:WPT_PATH\WPR_XPERF_Profile.wprp ! AUX_Profile

• Let MSO-Scripts create a custom Recording Profile (in PowerShell syntax‡, Admin Privilege):
      $Env:WPT_PATH="$Env:LocalAppData\MSO-Scripts"
    $Env:WPT_XPERF="Microsoft-Windows-TCPIP + e53c6823-7bb8-44bb-90dc-3f86090d48a6:0x00A4:4:Stack"
      MSO-Scripts\TraceCPU Start -Lean -Loop -Verbose
      MSO-Scripts\TraceCPU Cancel
      Find the custom Recording Profile ! Profile_Name at: $Env:WPT_PATH\WPR_XPERF_Profile.wprp ! AUX_Profile

• Export (and modify) a Recording Profile built into WPR with: -ExportProfile
      WPR -Profiles
    WPR -ExportProfile CPU.Verbose <path>\MyCPU.wprp -FileMode

See also:

• Recording-Profile XML Reference
• Filtering Events using WPR
• Writing Events

• MSO-Scripts
      MSO-Scripts\TraceCPU Start -Boot
    shutdown -r -t 0
      MSO-Scripts\TraceCPU Stop -Boot
      MSO-Scripts\TraceCPU View

• Windows Performance Recorder (WPR) with Built-in Recording Profile‡
      wpr -BootTrace -AddBoot CPU.Verbose -FileMode -InstanceName Trace-CPU.Boot
    shutdown -r -t 0
    wpr -BootTrace -StopBoot "$Env:TEMP\Trace-CPU.Boot.etl" -InstanceName Trace-CPU.Boot
    wpa "$Env:TEMP\Trace-CPU.Boot.etl"

• Windows Performance Recorder UI (WPRUI)
  Run: wprui > More Options > Choose:

  • Performance Scenario = Boot
  • Detail Level = Verbose (or Light)
  • Logging Mode = File
  • Number of Iterations = 1
  • Resource Analysis: CPU Usage (etc.)
  • Start ...and follow the directions.
  • Finally, choose: Open in WPA

• On/Off Capture Transition Tool (XBootMgr)‡
      xbootmgr -trace boot -traceflags base+latency+dispatcher -stackwalk profile+cswitch+readythread
        -notraceflagsinfilename -postbootdelay 10 -resultpath $Env:TEMP

  List available Kernel Flags / Groups (for -traceflags):
      xperf -providers K

  Finally, open in WPA:
      wpa "$Env:TEMP\boot_1.etl"

See Also:

• Setting Up an AutoLogger with WPR
• Track Driver Footprint and Dynamic Allocations During Boot

• MSO-Scripts‡
      $Env:WPT_Mode="Shutdown" or set WPT_Mode=Shutdown
      MSO-Scripts\TraceCPU Start
    shutdown -r -t 0
      MSO-Scripts\TraceCPU Stop
      MSO-Scripts\TraceCPU View

• Windows Performance Recorder (WPR) with Built-in Recording Profile‡
      wpr -Start CPU.Verbose -Shutdown -FileMode -InstanceName Trace-CPU.Shutdown
    shutdown -r -t 0
    wpr -Stop "$Env:TEMP\Trace-CPU.Shutdown.etl" -InstanceName Trace-CPU.Shutdown
    wpa "$Env:TEMP\Trace-CPU.Shutdown.etl"

• Windows Performance Recorder UI (WPRUI)
  Run: wprui > More Options > Choose:

  • Performance Scenario = Shutdown
  • Detail Level = Verbose (or Light)
  • Logging Mode = File
  • Number of Iterations = 1
  • Resource Analysis: CPU Usage (etc.)
  • Start ...and follow the directions.
  • Finally, choose: Open in WPA

• On/Off Capture Transition Tool (XBootMgr)‡
      xbootmgr -trace shutdown -traceflags base+latency+dispatcher -stackwalk profile+cswitch+readythread
        -notraceflagsinfilename -noprepreboot -resultpath $Env:TEMP

  List available Kernel Flags / Groups (for -traceflags):
      xperf -providers K

  Finally, open in WPA:
      wpa "$Env:TEMP\shutdown_1.etl"

Commands herein use PowerShell format.

PowerShell: $Env:TEMP
CMD Window: "%TEMP%"

PowerShell:   $Env:WPT_Mode="Shutdown"
CMD Window: set WPT_Mode=Shutdown