How to create Trace (ETW) Provider Logs for Windows Component Debugging using Perfmon

In some scenarios, code in different Windows components times out or fails while waiting on execution, and the exceptions cannot be caught.
This document describes, step by step, how to create a trace log using Perfmon in order to capture Event Tracing for Windows (ETW) traces from different components.

Step-by-step guide

  1. Press 'Win' + R and type 'Perfmon' to start 'Perfmon'
  2. Click on the 'User Defined' folder under 'Data Collector Sets'
  3. Click on the 'New Data Collector' icon
  4. Name your collector and select 'Create manually (Advanced)'
  5. Press 'Next'
  6. Check the 'Event trace data' checkbox
  7. Press 'Next'
  8. Click 'Add' next to 'Providers'
  9. Select your providers from the list and press 'OK'. You can add multiple ones
  10. Select each provider in the list and press 'Edit' next to a property to change it. Leave the properties at their defaults to collect all the information

  11. Provider Properties

    Each provider has a set of 5 properties. All of these can be explored with the WPExplorer which reads the provider metadata: Windows Events Providers Explorer

    • Keywords(Any) - Filter messages containing any of the keywords from that provider and direct them into the trace
    • Keywords(All) - Filter messages containing all of the keywords from that provider and direct them into the trace
    • Level
      • LogAlways (0x0)
      • Critical (0x1)
      • Error (0x2)
      • Warning (0x3)
      • Information (0x4)
      • Verbose (0x5)
    • Properties - optional ETW properties that can be specified when writing the event.
    • Filter - Additional filtering
  12. Press 'Next'
  13. Select where the data will be saved. Make sure the user under which the provider will run has access to that folder path
  14. Press 'Next'
  15. Select a user under which the Data Collector Set will run. Note that this user needs access if you're monitoring processes or services outside of the user's session or privileges. If possible, use a Local Administrator user account
  16. Select 'Start this data collector set now' and press 'Finish'
  17. Click on the 'Data Collector' under 'User Defined'. Press the 'Play' button to start collecting
  18. Replicate your problem
  19. After replicating the issue, open 'Perfmon' and click the collector under 'User Defined'. Press 'Stop' to stop collecting
  20. The logs (.etl) will be in the output folder
  • You can use PerfView or Event Viewer to view the logs.
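
How the Keywords(Any), Keywords(All) and Level properties from step 11 combine to decide which events reach the .etl file, as an added example that is not part of the original guide. It assumes the level and keyword check that manifest-based providers typically apply (a value of 0 matches everything, and events without keywords bypass the keyword filters); the event names and keyword bits are constructed for a hypothetical provider.

```python
from dataclasses import dataclass

# Level values as listed in step 11.
LEVELS = {"LogAlways": 0x0, "Critical": 0x1, "Error": 0x2,
          "Warning": 0x3, "Information": 0x4, "Verbose": 0x5}
ALL_KEYWORDS = 0xFFFFFFFFFFFFFFFF  # keywords form a 64-bit mask


@dataclass(frozen=True)
class Event:
    name: str
    level: int
    keywords: int


@dataclass(frozen=True)
class ProviderProperties:
    keywords_any: int = 0  # assumption: 0 means "every keyword"
    keywords_all: int = 0  # 0 means no bits are required
    level: int = 0         # assumption: 0 means "every level"


def is_collected(event, props):
    """Return True if the event would be directed into the trace."""
    # Level is a ceiling: lower numbers are more severe and always pass.
    level_ok = props.level == 0 or event.level <= props.level
    any_mask = props.keywords_any or ALL_KEYWORDS
    # Events that carry no keyword bypass both keyword filters.
    keyword_ok = event.keywords == 0 or (
        (event.keywords & any_mask) != 0
        and (event.keywords & props.keywords_all) == props.keywords_all
    )
    return level_ok and keyword_ok


def collected(events, props):
    """Names of the events that pass the provider properties, in order."""
    return [e.name for e in events if is_collected(e, props)]


# Constructed events for a hypothetical provider (keyword bits are made up).
SAMPLE_EVENTS = [
    Event("ProcessStart", LEVELS["Information"], 0x10),
    Event("ImageLoad", LEVELS["Verbose"], 0x40),
    Event("ThreadFail", LEVELS["Error"], 0x10 | 0x20),
    Event("Heartbeat", LEVELS["Information"], 0x0),
]
```

Leaving every property at its default collects all four sample events, which matches step 10; tightening Level or the keyword masks is what keeps a long-running trace small.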