Collecting WinRM Traces
This blog entry explains how to collect WinRM ETW and WPP traces:
WinRM ETW Traces:
You can use Event Viewer to look at WinRM ETW events:
· They are under Application and Services Logs → Microsoft → Windows → Windows Remote Management
The Operational channel is enabled by default. The Analytic channel needs to be enabled.
Use the following to show and enable the Analytic log:
· Menu → View → Show Analytic and Debug Logs
· Right-click on the Analytic log and select Enable Log
Alternatively, you can enable the Analytic log from the command line:
· Wevtutil.exe sl Microsoft-Windows-Winrm/Analytic /e:true /q
Here’s a way to collect an ETW log dump using logman.exe:
· Start the provider: logman.exe start winrmtrace -p Microsoft-Windows-Winrm -o winrmtrace.etl -ets
· Run the repro.
· Stop the provider: logman.exe stop winrmtrace -ets
Here’s a way to convert the etl log to various formats:
· XML: tracerpt.exe winrmtrace.etl -of XML -o winrmtrace.xml
· CSV: tracerpt.exe winrmtrace.etl -of CSV -o winrmtrace.csv
· TXT: netsh trace convert winrmtrace.etl dump=TXT
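The capture and conversion steps above, combined into one script as an added example (not code from the original post). The output folder, the Read-Host pause and the Get-WinEvent triage step are assumptions of this example; run it from an elevated PowerShell console.

```powershell
# Added example: end-to-end WinRM ETW capture built from the commands in this post.
param(
    [string]$OutDir  = "$env:TEMP\winrm-etw",   # assumed output folder
    [string]$Session = 'winrmtrace'             # session name used in the post
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$etl = Join-Path $OutDir 'winrmtrace.etl'
$xml = Join-Path $OutDir 'winrmtrace.xml'

# Enable the Analytic channel (Operational is already on by default).
wevtutil.exe sl Microsoft-Windows-Winrm/Analytic /e:true /q

# Start the ETW session for the WinRM provider.
logman.exe start $Session -p Microsoft-Windows-Winrm -o $etl -ets
if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }

try {
    Read-Host 'Trace running. Reproduce the problem, then press Enter to stop' | Out-Null
}
finally {
    # Always stop the session so it does not keep writing after an error or Ctrl+C.
    logman.exe stop $Session -ets
}

# Convert to XML for sharing; -y overwrites an earlier report without prompting.
tracerpt.exe $etl -of XML -o $xml -y

# Quick triage: list critical, error and warning events (levels 1 to 3) in time order.
# Reading an .etl file with Get-WinEvent requires -Oldest. An empty trace raises
# "No events were found", so that error is suppressed and treated as zero events.
$events = @(Get-WinEvent -Path $etl -Oldest -ErrorAction SilentlyContinue)
Write-Host "Total events captured: $($events.Count)"

$events |
    Where-Object { $_.Level -ge 1 -and $_.Level -le 3 } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```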
Note that these are just operational and analytic logs. If there is a low-level design or implementation problem that can’t be figured out using these logs, WPP traces may be required. The following steps show how to generate WinRM WPP traces.
WinRM WPP Traces:
Launch a PowerShell console with elevated admin credentials and run the following commands:
· Import-Module psdiagnostics
· Enable-WSManTrace
· Now reproduce the problem by sending the subscription packets from the client. Continue with the next step after the problem stops.
· Disable-WSManTrace
· Send us the file %windir%\system32\wsmtraces.log
Comments
Anonymous
March 18, 2010
Hello, What is the difference between "WinRM" and "WSMan"? What is "WPP"? thanks, Marc
Anonymous
March 18, 2010
Hi Marc, WinRM and WSMan are synonyms and refer to Microsoft's implementation of Web Services for Management. I'll change the wording to WinRM to make it less confusing. WPP (Windows software trace preprocessor) is a tracing technology that is provided by the OS (Windows). It is generally used to log highly verbose dev/debug traces. Traces generated by WPP require special files to decode (these are called tmf files) that are not available to external customers. http://msdn.microsoft.com/en-us/library/ms793164.aspx has more information on WPP tracing. ETW traces on the other hand can be viewed directly in Event Viewer and are good enough to diagnose a majority of customer issues. Manoj.
Anonymous
August 06, 2010
How to retrieve WMI property qualifiers using WINRM? Example: By using below query we can disk read rate, so how we can get countertype property qualifier of "DiskReadsPerSec"? "select DiskReadsPerSec from Win32_PerfRawData_PerfDisk_LogicalDisk" Thanks in Advance. VJ
Anonymous
July 13, 2012
How do you read wsmtraces.log?