ETW Trace providers – when to use what
You may have used Event Tracing for Windows (ETW) to debug many server-side problems related to IIS. When I first learnt about ETW and started using it, I found it to be really cool! Unfortunately, there’s not a lot of documentation around using it, for example on when to use which provider. It helps to know which providers emit what information, so that we can enable a specific set of providers rather than a whole bunch of them, which of course will generate a ton of data. Looking through lots of data can sometimes be painful. Take an example where you want to enable ETW tracing but it may take a day or two for the problem to reproduce: parsing the generated log can be a nightmare! So I decided to put together this blog post, which gives information about some of the providers, if not all.
For a list of providers available on your machine, execute the following from a command prompt:
Logman Query Providers
The following table lists the providers that I usually use and their trace areas (where available). Use any combination of these providers, depending on what problem you are troubleshooting.
| Provider | Trace Areas |
| --- | --- |
| IIS: WWW Server | IISAuthentication, IISSecurity, IISFilter, IISStaticFile, IISCGI, IISCompression, IISCache, IISAll |
| IIS: IISADMIN Global | Startup, Shutdown |
| IIS: WWW Global | Startup, Shutdown, All |
| IIS: SSL Filter | SSL related events |
| IIS: Request Monitor | - |
| IIS: Active Server Pages (ASP) | Events from ASP ISAPI |
| IIS: WWW Isapi Extension | - |
| HTTP Service Trace | - |
| ASP.NET Events | All ASP.net events |
NOTE: ETW tracing is also very helpful when you want to view what is happening on the server side over an SSL connection.
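For the SSL case in the note above, here is one way to trace only a chosen subset of the providers from the table while capping the log size for a problem that takes days to reproduce. This is an added example, not code from the original post. The session name, output folder, keyword mask (0xFFFFFFFE), level (5) and the 512 MB cap are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example: trace a small provider set into a size-capped circular log.
$session  = 'iis-ssl-trace'      # hypothetical session name
$outDir   = 'C:\traces'          # hypothetical folder; traces can hold request details, keep it admin-only
$provFile = Join-Path $outDir 'providers.txt'
$etlFile  = Join-Path $outDir "$session.etl"

# Provider names taken from the table above; pick only what the problem needs.
$wanted = 'IIS: WWW Server', 'IIS: SSL Filter', 'IIS: Request Monitor'

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Provider names differ between IIS versions, so keep only the ones
# that "logman query providers" reports on this machine.
$registered = logman query providers
$lines = foreach ($name in $wanted) {
    if ($registered | Select-String -SimpleMatch -Pattern $name -Quiet) {
        # Provider file line: "<provider>" <keyword mask> <level>
        # Mask and level are assumptions (wide mask, verbose level).
        '"{0}" 0xFFFFFFFE 5' -f $name
    } else {
        Write-Warning "Provider not registered, skipping: $name"
    }
}
if (-not $lines) { throw 'None of the selected providers is registered.' }
Set-Content -Path $provFile -Value $lines -Encoding Ascii

# -f bincirc with -max keeps the newest 512 MB instead of growing for days.
logman start $session -pf $provFile -o $etlFile -f bincirc -max 512 -ets
if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }

Read-Host 'Reproduce the problem, then press Enter to stop the trace'

logman stop $session -ets
Get-ChildItem -Path $outDir -Filter '*.etl' | Select-Object FullName, Length
```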
I already have a blog post on using ETW providers to capture data & parsing ETW traces.