[Part 4] Log collection

2016-03-07

Code

2 minutes

Check out the codes in GitHub.

Getting the logs

Now that I have my modules spitting out logs for me, it’s time to actually consume (or view) them. Most of the time, I use MFTrace and logman tools.

MFTrace

Although MFTrace is primarily a tool for generating logs for Media Foundation apps, it is a great tool for viewing ETW logs in general as well. It is included in the MS SDK.

To view logs in real time, I use this command in either Powershell or command line:

mftrace -c config.xml

To stop the trace collection, press CTRL+C.

logman

logman is a very powerful builtin performance counter and event trace log tool from Microsoft. For more information, have a look at here.

You can use logman as alternative to MFTrace.

Start tracing

logman start <name> -p <provider_guid_or_name> <kw> <level> -o <output.etl> -ets

Examples

logman start lms -p {3A8FD7D2-CAB3-455D-A8E5-9E1741365FEB} 0x1 win:Verbose -o c:\output.etl -ets
logman start lms -p MyProviderName 0x3 win:Informational -o c:\output.etl -ets
logman start lms -p {277c604b-1962-47fa-9307-7ce0855dfea6} 0xffffffffffffffff 0xff -o c:\output.etl -ets

Stop tracing

logman stop <name> -ets

Examples

logman stop lms -ets

Collecting ETW traces from test/production systems

To collect ETW trace logs from test/production systems, manifest file and message/resource file need not be registered.

mftrace -c config.xml -o c:\output.etl

c:\output.etl is just an example. You can use any location and any filename as long as the extension is .etl. The output .etl file can only be read on a system where the manifest file and the resource/message file are registered. To read the traces:

tracerpt -y output.etl

The default readable output file that contains all the trace information will be dumpfile.xml. A summary.txt file will also be generated. For more information about tracerpt, have a look at here.

Check out part 5.