Global Logger Trace Session
A Global Logger trace session records events that occur during the boot process before the system is fully operational, such as events generated by device drivers. It is a reserved trace session that is built into Windows.
Global Logger trace sessions always write messages to a trace log. Global Logger does not support real-time trace sessions or buffered trace sessions.
Because Global Logger must be available early in the operating system boot process, it is started and configured by using registry entries (in the HKLM\SYSTEM\CurrentControlSet\Control\WMI\GlobalLogger subkey), instead of function calls. After starting, the Global Logger behaves like a regular event tracing session.
The Global Logger trace session uses a reserved session name, "GlobalLogger." The control GUID is represented by the constant, GlobalLoggerGuid. You create a Global Logger trace session, and then restart the computer to start the trace session. Only one Global Logger trace session can run on the computer at a time.
To create a Global Logger trace session, use Tracelog. It automatically creates the registry subkey and entries that store trace session options. The Global Logger trace session starts when you restart the computer. For more information, see Tracelog Command Syntax.
To format the trace messages from a Global Logger trace session, use Tracefmt with system.tmf, a trace message format file included in the WDK.
Because the Global Logger session is triggered by registry entries, it runs every time that the entries appear in the registry. To prevent the Global Logger session from starting every time the system starts, set the value of the Start entry to 0 or delete all of the registry entries.
You can convert a Global Logger trace session to an NT Kernel Logger trace session, thereby tracing the kernel during the boot process. For information, see Boot-time Global Logger Session
Trace providers, such as kernel-mode drivers and user-mode applications, can log to the Global Logger trace session. This enables you to trace a driver or other trace provider during system boot. For information, see Logging to the Global Logger Session
Limitations of the Global Logger Trace Session
The Global Logger trace session is very useful, but it's important to be aware of its limitations:
You can run only one Global Logger session at a time.
The Global Logger session does not send enable notification to providers.
The Global Logger registry entries remain in the registry and are effective until you reset or delete them manually, or use the tracelog -remove command. Until you reset them, the Global Logger session starts every time you start the system.
The Windows ACPI logger is permanently enabled for the Global Logger trace session. The trace messages from this logger appear in the trace log.
If a standard trace session starts while a driver is logging to the Global Logger session, the driver switches and starts logging to the standard trace session.
Global Logger Registry Entries
The following table shows the registry entries that configure the Global Logger session. These entries are in the HKLM\SYSTEM\CurrentControlSet\Control\WMI\GlobalLogger subkey. Only the Start entry is required.
In addition to the registry entries in this table, you can also add a ControlGUID subkey under the GlobalLogger subkey to represent a trace provider, such as a driver, that logs to the Global Logger trace session. For information, see Logging to the Global Logger Session.
| Entry | Data type | Description |
|---|---|---|
Start |
REG_DWORD |
When set to 1 (on), the Global Logger session starts the next time the system starts. 0 = off, 1=on |
BufferSize |
REG_DWORD |
Specifies the size of each buffer (in KB). The default value is 0x40 (64 KB). |
ClockType |
REG_DWORD |
Specifies the timer used for trace message time stamps. Beginning with Windows Vista, the default value is 1. On operating systems prior to Windows Vista, the default value is 2. 1 = Performance counter value (high resolution) 2 = System timer 3 = CPU cycle clock |
EnableKernelFlags |
REG_BINARY |
Converts the Global Logger session to an NT Kernel Logger trace session and specifies the events included in the kernel trace. For information, see Boot-time Global Logger Session. |
FileCounter |
REG_DWORD |
Stores the number of event trace log files generated by Global Logger sessions. The system increments this value until it reaches the value of FileMax. Then, it resets the value to 0. This counter prevents the system from overwriting a Global Logger trace log file. |
FileMax |
REG_DWORD |
Specifies the maximum number of event trace log files permitted on the system. When the number of trace logs reaches the specified maximum, the system begins to overwrite the logs, beginning with the oldest. The default value is 0, meaning that there is no maximum. |
FileName |
REG_SZ |
Path (optional) and file name of the event trace log file. The default is %SystemRoot%\System32\LogFiles\WMI\trace.log. |
FlushTimer |
REG_DWORD |
Specifies how often (in seconds) the trace buffers are forcibly flushed. This forced flush is in addition to the automatic flush that occurs whenever a buffer is full and when the trace session stops. The default value is 0. By default, buffers are flushed only when they are full. The minimum flush time is 1 second. |
LogFileMode |
REG_DWORD |
Specifies log session options. Supported only in Windows Vista and later versions of Windows. |
MaximumBuffers |
REG_DWORD |
Specifies the maximum number of buffers that can be allocated for the session. The default value is 0x19 (25). |
MaximumFileSize |
REG_DWORD |
Specifies the maximum size of the event trace log file. By default, there is no maximum file size. |
MinimumBuffers |
REG_DWORD |
Specifies the number of buffers allocated when the session starts. The default value is 0x3. |
Status |
REG_DWORD |
Stores the return code from the attempt to start a Global Logger trace session. If the session failed to start, the value of this entry is a Win32 error code. If the session started, the value of this entry is ERROR_SUCCESS. |
These registry entries that you create remain in the registry and are effective until you delete them or change their values. Therefore, after the Global Logger session has run, use the tracelog -remove GlobalLogger command to set the value of the Start entry to 0 and delete the other Global Logger registry entries. Otherwise, the Global Logger session runs every time that you restart the computer, and the resulting log file can grow very large.
Logging Mode Constants
The following table displays the valid values for the LogFileMode registry entry in the HKLM\System\CurrentControlSet\Control\WMI\GlobalLogger subkey. This entry is used to set options for a Global Logger trace session, including those for real-time trace sessions, private trace sessions, circular logging, and buffering (no log). This registry entry is supported only in Windows Vista and later versions of Windows.
This registry entry corresponds to the LogFileMode member of the EVENT_TRACE_PROPERTIES structure. Its values correspond to the Logging Mode Constants. The EVENT_TRACE_PROPERTIES structure and the Logging Mode Constants are described in the Microsoft Windows SDK documentation.
This table is displayed here to show the hexadecimal values of the constants. Use these values or a sum of these values to represent the constant in the LogFileMode registry entry.
| Value | Constant | Description |
|---|---|---|
0x0 |
EVENT_TRACE_FILE_MODE_NONE |
No event trace log files are created. |
0x1 |
EVENT_TRACE_FILE_MODE_SEQUENTIAL |
Event trace log files are sequential. |
0x2 |
EVENT_TRACE_FILE_MODE_CIRCULAR |
Event trace log files are circular. |
0x4 |
EVENT_TRACE_FILE_MODE_APPEND |
Append trace messages to an existing log file. This mode is valid only with sequential files. |
0x8 |
EVENT_TRACE_FILE_MODE_NEWFILE |
Create a new event trace log file whenever the existing file reaches the value of the MaximumFileSize entry (see the table above). |
0x20 |
EVENT_TRACE_FILE_MODE_PREALLOCATE |
Reserves space for the event trace log file. Valid only with EVENT_TRACE_FILE_MODE_SEQUENTIAL or EVENT_TRACE_FILE_MODE_CIRCULAR, and not valid with EVENT_TRACE_FILE_MODE_NEWFILE. |
0x40 |
EVENT_TRACE_NONSTOPPABLE_MODE |
A call to StopTrace does not stop the trace session. This feature prevents users from stopping trace sessions that the system requires for diagnosis and tuning. |
0x100 |
EVENT_TRACE_REAL_TIME_MODE |
Specifies a real-time trace session. |
0x200 |
EVENT_TRACE_DELAY_OPEN_FILE_MODE |
For internal use only. |
0x400 |
EVENT_TRACE_BUFFERING_MODE |
Events are retained in the buffers. They are never written to a log file or delivered to a trace consumer. |
0x800 |
EVENT_TRACE_PRIVATE_LOGGER_MODE |
Specifies a private trace session. This flag is not valid for a Global Logger trace session. |
0x1000 |
EVENT_TRACE_ADD_HEADER_MODE |
For internal use only. |
0x2000 |
EVENT_TRACE_USE_KBYTES_FOR_SIZE |
Interpret the value of MaximumFileSize in KB, instead of MB. |
0x4000 |
EVENT_TRACE_USE_GLOBAL_SEQUENCE |
Generates global sequence numbers for trace messages. These numbers are unique for all trace sessions on the computer. By default, trace messages do not have any sequence numbers. |
0x8000 |
EVENT_TRACE_USE_LOCAL_SEQUENCE |
Generates local sequence numbers for trace messages. These numbers are unique within the trace session. By default, trace messages do not have any sequence numbers. |
0x10000 |
EVENT_TRACE_RELOG_MODE |
For internal use only. |
0x80000 |
EVENT_TRACE_KD_FILTER_MODE |
Redirects the trace messages to the kernel debugger and sets the trace buffer size to 3 KB, the maximum buffer size for the debugger. |
0x1000000 |
EVENT_TRACE_MODE_RESERVED |
Not valid for a Global Logger trace session. |
0x01000000 |
EVENT_TRACE_USE_PAGED_MEMORY |
Allocate trace session buffers from pageable memory. By default, the buffers are allocated from nonpageable memory. |