By Philip Froese [MSFT]

Previous blog posts have described in detail how to capture and read USB ETW and WPP traces. This post supplements them by aggregating the trace capture commands into a condensed reference. Please continue to refer back to the previous posts for more details on the two tracing mechanisms and on parsing the respective traces.

The following commands will generate traces from the USB 3.0 and USB 2.0 driver stacks as well as other related components: WinUSB, USBCCGP, and PCI.  We recommend that you capture the complete set of traces, but if you are certain that a specific component is not relevant to the scenario you want to analyze, you may omit the commands that pertain to that component.

Capturing USB ETW and WPP event traces:

You can capture USB event traces without installing any additional software.

1)     Open an elevated command prompt window.  One way is to right-click the Start button and select Command Prompt (Admin).

2)     Disconnect the USB devices that you are not interested in.  Fewer devices result in smaller traces, which are easier to read and analyze.

3)     Start a capture session by pasting this sequence of commands into the elevated command prompt: 

 

logman create trace -n usbtrace -o %SystemRoot%\Tracing\usbtrace.etl -ct perf -nb 128 640 -bs 128

logman update trace -n usbtrace -p Microsoft-Windows-USB-USBXHCI (Default,PartialDataBusTrace,StateMachine)

logman update trace -n usbtrace -p Microsoft-Windows-USB-UCX (Default,PartialDataBusTrace,StateMachine)

logman update trace -n usbtrace -p Microsoft-Windows-USB-USBHUB3 (Default,PartialDataBusTrace,StateMachine)

logman update trace -n usbtrace -p Microsoft-Windows-USB-USBPORT

logman update trace -n usbtrace -p Microsoft-Windows-USB-USBHUB

logman update trace -n usbtrace -p Microsoft-Windows-Kernel-IoTrace 0 2

logman start -n usbtrace

logman start -ets usbhub3 -ct perf -p {6e6cc2c5-8110-490e-9905-9f2ed700e455} 0xffffffff 0xff  -o %SystemRoot%\Tracing\usbhub3.etl

logman start -ets ucx01000 -ct perf -p {6fb6e467-9ed4-4b73-8c22-70b97e22c7d9}  0xffffffff 0xff  -o %SystemRoot%\Tracing\ucx01000.etl

logman start -ets usbxhci -ct perf -p {9F7711DD-29AD-C1EE-1B1B-B52A0118A54C} 0xffffffff 0xff  -o %SystemRoot%\Tracing\usbxhci.etl

logman start -ets usbhub -ct perf -p {b10d03b8-e1f6-47f5-afc2-0fa0779b8188} 0xffffffff 0xff  -o %SystemRoot%\Tracing\usbhub.etl

logman start -ets usbport -ct perf -p {d75aedbe-cfcd-42b9-94ab-f47b224245dd} 0xffffffff 0xff  -o %SystemRoot%\Tracing\usbport.etl

logman start -ets usbccgp -ct perf -p {bc6c9364-fc67-42c5-acf7-abed3b12ecc6} 0xffffffff 0xff  -o %SystemRoot%\Tracing\usbccgp.etl

logman start -ets winusb -ct perf -p {ef201d1b-4e45-4199-9e9e-74591f447955} 0xffffffff 0xff  -o %SystemRoot%\Tracing\winusb.etl

logman start -ets pci -ct perf -p {47711976-08c7-44ef-8fa2-082da6a30a30} 0xffffffff 0xff  -o %SystemRoot%\Tracing\pci.etl

 

(Note: these provider-specific GUIDs correspond to those that can be obtained from the provider's symbol file using Tracepdb.exe, as described in the previous WPP blog post.)

 

4)     Perform the action that you want to capture.  For example, plug in a USB device that fails to enumerate properly.  The session captures device enumeration activities.  Keep the command prompt window open.

5)     Stop the capture session when you are finished by pasting this sequence of commands into the elevated command prompt:

 

logman stop -n usbtrace

logman delete -n usbtrace

logman stop -ets usbhub3

logman stop -ets ucx01000

logman stop -ets usbxhci

logman stop -ets usbhub

logman stop -ets usbport

logman stop -ets usbccgp

logman stop -ets winusb

logman stop -ets pci

move /Y %SystemRoot%\Tracing\usbtrace_000001.etl %SystemRoot%\Tracing\usbtrace.etl

 

 

The preceding capture session generates a set of .etl files stored in %SystemRoot%\Tracing\ (for example, C:\Windows\Tracing).  Once the capture is complete, move these files to another location or rename them to avoid overwriting them when you capture another session.

As described in the blog post on WPP tracing linked above, symbol files are required to parse these traces properly.  When capturing a set of traces, it is necessary to record the Windows version on which they were taken so that the traces can be mapped to the correct symbols for analysis.  One way to do this is to run the following command from an elevated prompt and save the resulting BuildNumber.txt file along with the traces:

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v BuildLabEX > %SystemRoot%\Tracing\BuildNumber.txt
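
The two housekeeping steps above (moving the trace set out of %SystemRoot%\Tracing and saving the build string with it) can be done in one pass. The following PowerShell script is an added example, not part of the original post: the destination folder under the user profile, the timestamped folder name, and the SHA256SUMS.txt manifest are assumptions of this example. Run it from an elevated PowerShell prompt after the stop commands in step 5.

```powershell
# Added example: archive one stopped capture set together with its build string.
$tracing = Join-Path $env:SystemRoot 'Tracing'

# Trace file names produced by the capture commands on this page.
$traceNames = 'usbtrace', 'usbhub3', 'ucx01000', 'usbxhci', 'usbhub',
              'usbport', 'usbccgp', 'winusb', 'pci'

# Assumption: destination root chosen for this example; change it as needed.
$destRoot = Join-Path $env:USERPROFILE 'UsbTraces'
$dest = Join-Path $destRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dest -Force | Out-Null

$missing = @()
foreach ($name in $traceNames) {
    $etl = Join-Path $tracing "$name.etl"
    if (Test-Path -LiteralPath $etl) {
        # Moving (not copying) keeps the next capture from overwriting this one.
        Move-Item -LiteralPath $etl -Destination $dest
    } else {
        # A component whose commands were omitted leaves no file behind.
        $missing += "$name.etl"
    }
}

# Read the same registry value that the reg query command on this page reads.
$key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion'
$build = (Get-ItemProperty -Path $key -Name BuildLabEx).BuildLabEx
Set-Content -Path (Join-Path $dest 'BuildNumber.txt') -Value "BuildLabEx: $build"

# Hash manifest so whoever analyzes the traces can confirm the files are unchanged.
Get-ChildItem -Path $dest -Filter '*.etl' |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { '{0}  {1}' -f $_.Hash, (Split-Path $_.Path -Leaf) } |
    Set-Content -Path (Join-Path $dest 'SHA256SUMS.txt')

Write-Output "Archived capture set to $dest"
if ($missing.Count -gt 0) {
    Write-Warning ('Not found (session not started or already moved): ' + ($missing -join ', '))
}
```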