Using TraceLogger

So I’ve been experimenting with TraceLogger tracing and have had a pretty mixed experience so far.

On the plus side, TraceLogger was really easy to initially use, like 20 minutes. Its performance seems fairly decent, like I can log interrupt events happening less than a microsecond apart, although each event does contain a data block with the formatting data, so the size of traces is larger than you get with WPP or manifest based tracing. One thought was why don’t they only write the metadata every X events, and get the viewer to cache it. This would save a bunch of space, and still have the self describing logs. Or perhaps group all the metadata together in memory (it might already be like this), and just write it out once when the logger starts.

The biggest problem is how to display TraceLogger data. I have the Win 10 WDK and VS 2015 running on my corporate Win 7 workstation, and I can activate a trace session with the !wmitrace command in windbg, but it has no idea how to format the binary messages. There were some online comments saying you can get a patch for older OS versions to decode the new log format, but I could not find any sign of where to get that patch, and the Win 10 WDK windbg seems to not come with updated ETW event decoding DLLs.

So I tried using the latest MessageAnalyzer running on the target Server 2012 R2 system, which will open TraceLogger log files, but seems to have bugs in how it displays the data, like integer event parameters only displaying the lower 8 bits. Looking at the actual ETW event you can see the raw data, and it claims the field is the correct type/size, but it’s always truncated to 8 bits.

So I then tried installing the Win 10 ADK version of the Windows Performance Analyzer on my target Server 2012 R2 system. It can record a log file with WPR, if you make a control file describing the event provider. It’s really unclear how to do keyword/level filtering with WPR. That version of WPA seems to malfunction if I try to run it on Server 2012 R2 though, as the timeline only shows the last few seconds of the trace, and there seems to be no way to get it to display the part of the trace with actual events. The older WPA seems to open the trace logs, and shows the whole timeline, but has no idea how to decode the TraceLogger metadata, so just shows unformatted ETW events.

Am I missing some important detail, or is TraceLogger ONLY useful on Windows 10, and only if used with the latest tools running on Windows 10? MessageAnalyzer sort of works, but not really correctly.

TraceLogging is temptingly close to useful, but I can’t guarantee customers or our corporate environment will be on Windows 10. It’s a lot less useful if it can’t be used easily with OS versions in common use. The raw event logging is supposed to work on Win 7.

Any hints on how to solve these issues?

Thanks,
Jan

Can’t inbox tracerpt.exe and logman.exe help?

Also I think WDK has TraceView and similar tools.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
“Jan Bottorff” wrote in message news:xxxxx@ntdev…
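A worked version of Maxim’s suggestion, added here and not taken from either post: capture the TraceLogging provider with the inbox logman.exe, with explicit keyword/level filtering (the part Jan found unclear in WPR), then convert the .etl with tracerpt.exe. The provider GUID, session name and output paths are placeholders; the GUID is whatever you passed to TRACELOGGING_DEFINE_PROVIDER in the driver.

```batch
@echo off
REM Added example, not from the thread. Placeholder GUID: replace with the
REM GUID given to TRACELOGGING_DEFINE_PROVIDER in the driver.
set PROVIDER={00000000-0000-0000-0000-000000000000}

REM Start a session directly (-ets: no data collector set is registered, the
REM session exists only while it runs). Provider syntax is
REM   -p <guid> <keyword mask> <level>
REM This is the keyword/level filtering: keyword mask 0x1 and level 5
REM (verbose) here; 0xFFFFFFFFFFFFFFFF would enable every keyword.
logman start TlgSession -p %PROVIDER% 0x1 5 -o C:\traces\tlg.etl -ets

REM ... exercise the driver here, then stop the session, which flushes
REM the buffers and closes the .etl.
logman stop TlgSession -ets

REM Dump the events. -of XML writes one <Event> element per record with the
REM payload; -summary gives per-provider event counts, handy to confirm the
REM keyword/level filter actually let the events through.
REM Assumption: whether field names and types are decoded depends on the OS
REM having TDH support for TraceLogging's self-describing metadata; without
REM it, expect the same undecoded payloads the older WPA shows.
tracerpt C:\traces\tlg.etl -o C:\traces\tlg.xml -of XML -summary C:\traces\summary.txt
```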