XPerf Tool – Why Can’t You Live Without It?

Israel Burman (Israel is one of the ADPlus creators and the guy who taught me the XPerf tool) and Mario Hewardt told me I should blog about the XPerf tool.

Although I’m new to this tool I decided to follow their suggestions because I believe you’re going to wonder how you could live without using this tool after using it for the first time. J

So, when starting to write this article I decided to browse the internet to see how many articles from Microsoft I could find because I didn’t want to be redundant. As a matter of fact I found several great articles. (Am I late to the party? J) Some of these articles are very didactic and similar to what I had in mind.

That said, I’m not going to be redundant here, likewise I’m going to give you just an overview about the tool and mention those articles that details the configuration and usage of XPerf so you can get the necessary details from these articles without having to research the internet all over again.


WHAT’S XPERF?

- XPerf is based on ETW (Event Tracing for Windows) which is a very efficient tracing infrastructure.

- The overhead caused by XPerf is about ~2.5% CPU, in other words, very minimum.

- The tracing can be dynamically enabled or disabled and it doesn’t require a reboot.

- XPerf enables you to collect logs, create reports and see charts from the collected data.


WHEN SHOULD YOU USE XPERF?

- When you need to isolate performance problems.

- To get a better understanding of the Operating System.

- Probably other scenarios where you can benefit for tracing the Windows components.


WHERE CAN YOU DOWNLOAD XPERF?

From here or here.


HOW CAN YOU START USING IT?

- Collect logs from a few seconds to 5 minutes.

- Start just before reproducing the symptom.

- Don’t forget to setup the symbols.


BASIC COMMANDS

After installing XPerf open a Command Prompt using RunAs Administrator.

Setup symbols:

set _NT_SYMBOL_PATH= srv*C:\symbols*https://msdl.microsoft.com/downloads/symbols

 

Start XPerf, collecting just general information:

XPerf -on DiagEasy

Reproduce the symptom.

After that use this command to stop the tracing, creating a log file:

XPerf -d trace.etl

To visualize the charts from the data you just collected use:

XPerf trace.etl

 

XPerf can collect different information for different scenarios.

To do that you need to change the provider. Providers are the Windows components that have the ability to log information.

Sintax:

XPerf –on <provider>

To get a list of all available providers use:

XPerf -providers k

 

To get call stack information you need to specify the Kernel events that should log the call stack.

This is the way to do that:

Xperf -on <provider> -stackwalk <flags>

Example using provider = diageasy and stackwalk = profile:

XPerf -on diageasy -stackwalk profile

If you want to see other types of flags use:

XPerf -help stackwalk

To send the information to a CSV file use:

 

XPerf -i trace.etl > output.csv

You can create a PowerShell script which parses the output from the CSV file.

It’s possible to create a CSV file with filtered information. To do that use:

XPerf –i trace.etl –a <action_name> > output.csv

Example:

XPerf –i trace.etl –a registry > output.csv

Or:

XPerf –i trace.etl –o output.txt –a registry

Notice the –o parameter above to specify the output file.

 

In my machine XPerf is in the C:\ETL folder.

Considering that, here is one possible way to use the tool:

C:\ETL>set _NT_SYMBOL_PATH= srv*C:\symbols*https://msdl.microsoft.com/downloads/symbols

C:\ETL>XPerf -on DiagEasy

# Reproduce symptom here…

C:\ETL>XPerf -d trace.etl

# At this point you may want to create a CSV file. See instructions above.

C:\ETL>XPerf trace.etl

Ok, you’re probably wondering where the screenshots are. I decided to not use screenshots because some of the links below have all screenshots you need.


REFERENCES

https://msdn.microsoft.com/en-us/library/cc305187.aspx

 

https://blogs.msdn.com/pigscanfly/archive/tags/xperf/default.aspx

 

https://msdn.microsoft.com/en-us/performance/default.aspx (download)

 

https://blogs.msdn.com/ntdebugging/archive/2008/04/03/windows-performance-toolkit-xperf.aspx

 

XPerf rocks!