Event Tracing for Windows (ETW) Simplified

Article ID: 2593157

SUMMARY

Event Tracing for Windows (ETW) was first introduced in Windows 2000. It provides component-level logging. As the article Improve Debugging and Performance Tuning with ETW puts it, ETW provides:

"A tracing mechanism for events raised by both user-mode applications and kernel-mode device drivers. Additionally, ETW gives you the ability to enable and disable logging dynamically, making it easy to perform detailed tracing in production environments without requiring reboots or application restarts. This allows large-scale server applications to write events with minimum disturbance."

As a quick overview: an event provider (any user-mode application, managed application, driver, and so on) writes events to an ETW session. When an event is written, ETW attaches the time it took place, the process and thread ID that generated it, the processor number, and CPU usage data for the logging thread. This information is used by event consumers: applications that read log files, or that listen to a session for real-time events and process them.

Sample output from the logman query providers command:

Provider                                 GUID
-------------------------------------------------------------------------------
.NET Common Language Runtime             {E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}
ACPI Driver Trace Provider               {DAB01D4D-2D48-477D-B1C3-DAAD0CE6F06B}
Active Directory Domain Services: SAM    {8E598056-8993-11D2-819E-0000F875A064}
Active Directory: Kerberos Client        {BBA3ADD2-C229-4CDB-AE2B-57EB6966B0C4}
Active Directory: NetLogon               {F33959B4-DBEC-11D2-895B-00C04F79AB69}
Application-Addon-Event-Provider         {A83FA99F-C356-4DED-9FD6-5A5EB8546D68}
ASP.NET Events                           {AFF081FE-0247-4275-9C4E-021F3DC1DA35}
ATA Port Driver Tracing Provider         {D08BD885-501E-489A-BAC6-B7D24BFE6BBF}
AuthFw NetShell Plugin                   {935F4AE6-845D-41C6-97FA-380DAD429B72}
BFE Trace Provider                       {106B464A-8043-46B1-8CB8-E92A0CD7A560}
BITS Service Trace                       {4A8AAA94-CFC4-46A7-8E4E-17BC45608F0A}
Certificate Services Client CredentialRoaming Trace {EF4109DC-68FC-45AF-B329-CA2825437209}
Certificate Services Client Trace        {F01B7774-7ED7-401E-8088-B576793D7841}
Circular Kernel Session Provider         {54DEA73A-ED1F-42A4-AF71-3E63D056F174}
Classpnp Driver Tracing Provider         {FA8DE7C4-ACDE-4443-9994-C4E2359A9EDB}
Critical Section Trace Provider          {3AC66736-CC59-4CFF-8115-8DF50E39816B}
Device Task Enumerator                   {0E9E7909-00AA-42CF-9502-2C490471E598}
Disk Class Driver Tracing Provider       {945186BF-3DD6-4F3F-9C8E-9EDD3FC9D558}
Downlevel IPsec API                      {94335EB3-79EA-44D5-8EA9-306F49B3A041}
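The table above is plain text, so a script that wants to resolve a provider name before creating a trace has to parse it. The following PowerShell function is an added example, not code from the article or from Microsoft: it turns the rows of logman query providers output into a name-to-GUID hashtable. The sample rows embedded below are constructed from the table above so the function can be exercised without running logman; the function name is an assumption.

```powershell
# Added example (not from the KB article): parse the text table printed by
# "logman query providers" into a name -> GUID lookup. Header, separator and the
# trailing "The command completed successfully." line do not match the pattern
# and are skipped.
function ConvertFrom-LogmanProviderTable {
    param([Parameter(Mandatory)][string[]]$Lines)
    $map = @{}
    foreach ($line in $Lines) {
        # A data row ends with a GUID in braces; everything before it is the
        # provider name (which may itself contain spaces and colons).
        if ($line -match '^(?<name>.+?)\s+(?<guid>\{[0-9A-Fa-f-]{36}\})\s*$') {
            $map[$Matches.name.Trim()] = $Matches.guid
        }
    }
    return $map
}

# Constructed sample input, copied from the table shown in the article.
$sample = @(
    'Provider                                 GUID',
    '-------------------------------------------------------------------------------',
    '.NET Common Language Runtime             {E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}',
    'Active Directory: Kerberos Client        {BBA3ADD2-C229-4CDB-AE2B-57EB6966B0C4}',
    'Certificate Services Client CredentialRoaming Trace {EF4109DC-68FC-45AF-B329-CA2825437209}',
    'The command completed successfully.'
)

$providers = ConvertFrom-LogmanProviderTable -Lines $sample
$providers.Count                                   # 3
$providers['Active Directory: Kerberos Client']    # {BBA3ADD2-C229-4CDB-AE2B-57EB6966B0C4}

# On a live machine, feed the real output instead (native command output arrives
# in PowerShell as an array of strings):
# $providers = ConvertFrom-LogmanProviderTable -Lines (logman query providers)
```

Because the lookup is keyed on the exact name, the same hashtable can be used to confirm that a provider exists on the machine before passing it to logman create trace, which otherwise fails only after the session has been partly set up.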



Various utilities are available from the Microsoft Download Center to parse .etl files, for instance Network Monitor v3.4. However, the sample script below does not require any of them to be installed.

MORE INFORMATION

The script below generates an ETL trace; in this example it collects data for the provider Microsoft-Windows-TerminalServices-RemoteConnectionManager.


----Begin batch
@echo off
ECHO These commands will enable tracing:
@echo on
logman create trace admin_wmi -ow -o c:\admin_wmi.etl -p "Microsoft-Windows-TerminalServices-RemoteConnectionManager" 0xffffffffffffffff 0xff -nb 16 16 -bs 1024 -mode 0x2 -max 2048
logman start admin_wmi
@echo off
REM "echo." prints a blank line; a bare "echo" only reports whether echo is on or off
echo.
ECHO Reproduce your issue and press any key to stop tracing
@echo on
pause
logman stop admin_wmi
logman delete admin_wmi
@echo off
echo Tracing has been captured and saved successfully at c:\admin_wmi.etl
----End batch

Save the above script as a batch file (.bat) and run it with elevated privileges to generate the .etl file.

Note

This script can be modified to generate traces for any provider, depending on the need. You can get the provider name from the logman query providers command mentioned above. Replace the provider name passed to the -p switch with any event provider, and the script will generate an issue-specific trace within minutes.

To parse the resulting .etl trace, use the built-in tracerpt.exe utility to generate an .evtx file, which can then be opened in Event Viewer or read with Get-WinEvent for further interpretation.

An example of this command is:

tracerpt c:\admin_wmi.etl -o c:\admin_wmi.etl.evtx -of EVTX
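The batch file, the note about substituting the provider, and the tracerpt step together form one procedure. The PowerShell function below is an added example, not the article's script or Microsoft-supplied code: it wraps the same logman and tracerpt commands, with the same switches the article uses, in a function that takes the provider name as a parameter, checks that the provider is registered before creating the session, always stops and deletes the session even if the run is interrupted, and finishes by reading the converted .evtx back to show the per-event metadata (time, provider, process and thread ID) that ETW attaches. The function name, the default session name admin_wmi and the C:\ paths are assumptions; it must be run from an elevated PowerShell prompt.

```powershell
# Added example (not the KB's batch script): provider-parameterised version of the
# logman / tracerpt workflow. Session name and output paths are illustrative.
function Invoke-EtwProviderTrace {
    param(
        [Parameter(Mandatory)][string]$Provider,
        [string]$SessionName = 'admin_wmi',
        [string]$EtlPath     = 'C:\admin_wmi.etl'
    )

    # Fail early if the provider is not registered, rather than letting
    # "logman create trace" fail after the session has been partly set up.
    $known = logman query providers | Select-String -SimpleMatch $Provider
    if (-not $known) { throw "Provider '$Provider' is not registered on this machine." }

    # Same switches as the article's batch file. The hex masks are quoted so
    # PowerShell passes them verbatim instead of parsing them as numbers.
    logman create trace $SessionName -ow -o $EtlPath -p "$Provider" '0xffffffffffffffff' '0xff' -nb 16 16 -bs 1024 -mode '0x2' -max 2048
    if ($LASTEXITCODE -ne 0) { throw "logman create failed with exit code $LASTEXITCODE" }

    logman start $SessionName
    if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }

    try {
        Read-Host 'Reproduce the issue, then press Enter to stop tracing' | Out-Null
    }
    finally {
        # Runs even on Ctrl+C, so no orphaned session keeps writing to disk.
        logman stop $SessionName
        logman delete $SessionName
    }

    # Convert the .etl to .evtx, exactly as the article's tracerpt command does.
    $evtxPath = "$EtlPath.evtx"
    tracerpt $EtlPath -o $evtxPath -of EVTX
    if ($LASTEXITCODE -ne 0) { throw "tracerpt failed with exit code $LASTEXITCODE" }

    # Read the converted file back. These properties are the metadata ETW adds
    # to every event, as described in the summary above.
    Get-WinEvent -Path $evtxPath -Oldest |
        Select-Object TimeCreated, ProviderName, Id, ProcessId, ThreadId, Message |
        Format-Table -AutoSize -Wrap
}

# Usage: the article's provider; substitute any name from "logman query providers".
Invoke-EtwProviderTrace -Provider 'Microsoft-Windows-TerminalServices-RemoteConnectionManager'
```

The try/finally around the wait is the one behavioural difference from the batch file: if the operator closes the window or presses Ctrl+C instead of Enter, the session is still stopped and deleted, so a forgotten trace cannot keep growing toward its 2048 MB -max limit in the background.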



Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 2593157 - Last Review: September 7, 2011 - Revision: 4.0
APPLIES TO
  • Windows Server 2008 R2 Service Pack 1
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 Service Pack 2
  • Windows Server 2008 Standard
  • Windows Server 2008 Enterprise
  • Windows Server 2008 R2 Enterprise
Keywords: 
KB2593157
