Episode

Defrag Tools: #29 - WinDbg - ETW Logging

In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen continue looking at the Debugging Tools for Windows (in particular WinDbg). WinDbg is a debugger that supports user mode debugging of a process, or kernel mode debugging of a computer.

This installment goes over the Event Tracing for Windows (ETW) buffers in a kernel mode dump or live session. The ETW buffers can be extracted from the dump and viewed using the Windows Performance Toolkit (WPT). The buffers give you insight in to what has beem happening recently on the computer.

We use these commands:

  • !wmitrace.strdump
  • !wmitrace.logsave 0xNN c:\example.etl
  • !wmitrace.eventlogdump 0xNN
  • !wmitrace.help

Make sure you watch Defrag Tools Episode #1 and Defrag Tools Episode #23 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbol and source code resolution. This episode shows how install the Windows Performance Toolkit.

Timeline:
[00:00] - Event Tracing for Windows (ETW)
[02:18] - Windows Performance Toolkit (WPT)
[03:48] - !wmitrace.strdump
[04:53] - !wmitrace.logsave 0xNN c:\example.etl
[05:50] - Windows Performance Analyzer (WPA) & xPerfView
[07:57] - _NT_SYMCACHE_PATH
[10:24] - !wmitrace.eventlogdump 0xNN
[12:16] - Used for logging and performance by many teams
[15:35] - Private PDBs are needed to decode some entries
[20:00] - Windows Performance Recorder (wprui.exe)
[20:35] - Disable Paging Executive
[23:40] - WPR adds the NT Kernel Logger
[24:19] - 10min run-through of the data collected with the General, CPU and Disk providers