Troubleshooting - microsoft/MSO-Scripts GitHub Wiki
MSO-Scripts is designed to recognize and handle most problems that may arise. Others are documented here.
Once WPA is launched, its warnings/errors are not visible to MSO-Scripts.
WPA reports this error: "Time inversion was detected in the trace. Aborting processing."
A time inversion is an inconsistency within the time stamps of the ETW events. Depending on the type of analysis, it's likely inconsequential, but it could show up as a substantial misrepresentation.
Solutions:
- Recreate the trace.
- OR: Suppress the error with the switch -WarningAction:Silent :
MSO-Scripts\TraceCPU View -WarningAction:Silent
- OR: If launching WPA directly, add the -tti switch (Tolerate Time Inversions) before any -profile switches:
WPA <path>\MyTrace.etl -symbols -tti -profile <path>\MyProfile.wpaProfile
WPA warns: "Event Tracing for Windows noticed that # events and # buffers were lost in this trace."
Having lost events or buffers means that not all of the ETW data collected could be included in the trace, usually because of a data bottleneck. If the number of lost events is small (and there are zero lost buffers), then it is likely inconsequential, and you can choose 'Yes' to continue analyzing the trace.
Other Solutions:
- Recreate the trace with less system activity: fewer apps running, etc.
- OR: Capture the trace using a recording profile with reduced data logging.
(MSO-Scripts, use -Lean or -Lite: TraceCPU Start -Lite)
- OR: Capture the trace in Memory mode.
(MSO-Scripts, Start with -Loop: TraceCPU Start -Loop, Raw WPR: omit -FileMode)
- OR: Suppress the alert with the switch -WarningAction:Silent :
TraceCPU View -WarningAction:Silent
- OR: If launching the WPA viewer directly, add the -tle switch (Tolerate Lost Events) before any -profile switches:
WPA <path>\MyTrace.etl -symbols -tle -profile <path>\MyProfile.wpaProfile
- OR: (Advanced) Increase the count of buffers for the corresponding Collector definition referenced by the active profile within the WPR Profile (.wprp) file.
(This will also increase the amount of logging data retained when running in Memory mode.)
See the TIP below:
Tip
To see the number of lost events & buffers from within WPA:
- Trace > System Configuration > Traces > See: Number of Lost Buffers / Events
To analyze precisely which events are getting dropped:
- Create this environment variable in CMD:
set WPT_XPERF=Microsoft-Windows-Kernel-EventTracing
OR PowerShell:
$Env:WPT_XPERF="Microsoft-Windows-Kernel-EventTracing"
- Use MSO-Scripts (TraceCPU, etc.) to create a trace, and open/view it in WPA, as usual.
- Profiles > Apply > Browse Catalog... > DiagnoseDroppedEvents.wpaProfile > Open
This lists the session name with the lost events, their GUIDs, Event IDs, status codes, etc.
ADVANCED: To increase the size of the data collector which may be dropping events:
- Determine the WPR Profile(s) being used to capture the trace:
In the WPR command to start tracing, find: WPR -Start <file>.wprp!<Profile>
(MSO-Scripts, run the Start command with: -Verbose)
- Using the information from DiagnoseDroppedEvents above,
increase (double) the buffer count of either the <SystemCollector> or the <EventCollector>
referenced by the <Profile> within <file>.wprp.
<SystemCollector Id=... > <Buffers Value="64"/> </SystemCollector>
<EventCollector Id=... > <Buffers Value="32"/> </EventCollector>
(Each buffer is configured to consume 1024 KB = 1 MB of memory.)
- Repeat the above steps until you've (mostly) eliminated the lost events.
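The buffer-doubling step above, as an added PowerShell example (not part of MSO-Scripts or the original page): it finds the collectors a profile references and doubles each one's buffer count. The .wprp content, the Ids, the profile name and the function name Update-WprpBufferCount are constructed for illustration; it assumes the collector references sit directly inside the profile's <Collectors> element and that the file declares no XML namespace.

```powershell
# Added example: constructed .wprp content; Ids and profile name are hypothetical.
[xml]$wprp = @'
<WindowsPerformanceRecorder Version="1.0">
  <Profiles>
    <SystemCollector Id="SC_Sample" Name="NT Kernel Logger">
      <BufferSize Value="1024"/>
      <Buffers Value="64"/>
    </SystemCollector>
    <EventCollector Id="EC_Sample" Name="Sample Event Collector">
      <BufferSize Value="1024"/>
      <Buffers Value="32"/>
    </EventCollector>
    <Profile Id="Sample.Verbose.File" Name="Sample" DetailLevel="Verbose" LoggingMode="File" Description="Sample">
      <Collectors>
        <SystemCollectorId Value="SC_Sample"/>
        <EventCollectorId Value="EC_Sample"/>
      </Collectors>
    </Profile>
  </Profiles>
</WindowsPerformanceRecorder>
'@

function Update-WprpBufferCount {
    param(
        [Parameter(Mandatory)][xml]$Wprp,
        [Parameter(Mandatory)][string]$ProfileName,   # <Profile> in: WPR -Start <file>.wprp!<Profile>
        [ValidateSet('SystemCollector', 'EventCollector')][string]$Kind = 'EventCollector'
    )
    # Collector Ids referenced by every <Profile> element that carries this Name
    $ids = $Wprp.SelectNodes("//Profile[@Name='$ProfileName']/Collectors/${Kind}Id") |
        ForEach-Object { $_.GetAttribute('Value') } | Sort-Object -Unique
    if (-not $ids) { throw "Profile '$ProfileName' references no $Kind." }
    foreach ($id in $ids) {
        $collector = $Wprp.SelectSingleNode("//${Kind}[@Id='$id']")
        $buffers = if ($collector) { $collector.SelectSingleNode('Buffers') }
        if (-not $buffers) { Write-Warning "$Kind '$id' has no <Buffers> element; skipped."; continue }
        $old = [int]$buffers.GetAttribute('Value')
        $buffers.SetAttribute('Value', [string]($old * 2))
        $size = $collector.SelectSingleNode('BufferSize')   # buffer size in KB, when declared
        [pscustomobject]@{
            Collector = $id; OldBuffers = $old; NewBuffers = $old * 2
            NewMemoryMB = if ($size) { $old * 2 * [int]$size.GetAttribute('Value') / 1024 }
        }
    }
}

Update-WprpBufferCount -Wprp $wprp -ProfileName 'Sample' -Kind EventCollector
# For a real file: [xml]$wprp = Get-Content <file>.wprp -Raw, then $wprp.Save('<full path>')
```

Run it on a copy of the .wprp file, then recapture and check DiagnoseDroppedEvents again before doubling a second time.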
Events that throw an exception (or hit some other error) while being collected are counted as "lost."