Collecting WinRM Traces

This blog entry explains how to collect WinRM ETW and WPP traces:

WinRM ETW Traces:

You can use EventViewer to look at WinRM ETW events:

· They are under Application and Services Logs à Microsoft àWindowsàWindows Remote Management

 

Operational channel is enabled by default. Analytic needs to be enabled

Use the following to show and enable Analytic log:

· Menu à View àShow Analytic and Debug Logs

· Rightclick on Analytic log and Enable Log

Alternatively one can enable Analytic logs using:

· Wevtutil.exe sl Microsoft-Windows-Winrm/Analytic /e:true /q

               

Here’s a way to collect ETW log dump using logman.exe

· Start the provider: logman.exe start winrmtrace -p Microsoft-Windows-Winrm -o winrmtrace.etl -ets

· Run the repro.

· Stop the provider: logman.exe stop winrmtrace -ets

Here’s a way to convert the etl log to various formats

· XML: tracerpt.exe winrmtrace.etl -of XML -o winrmtrace.xml

· CSV: tracerpt.exe winrmtrace.etl -of CSV -o winrmtrace.csv

· TXT: netsh trace convert winrmtrace.etl dump=TXT

 

Note that these are just operational and analytic logs. If there is a low level design/implementation problem that couldn’t be figured out using these logs, WPP traces may be required. Following are steps on how to generate WinRM WPP traces.

WinRM WPP Traces:

Launch a PowerShell console with the elevated admin credentials and run the following commands:

· Import-Module psdiagnostics

· Enable-WSManTrace

· Now reproduce the problem by sending the subscription packets from the client. Continue with the next step after the problem stops.

· Disable-wsmantrace

· Send us the file %windir%\system32\wsmtraces.log