How to control ETW sessions and collect traces


In this section I will describe how to work with an ETW sink. ETW stands for “Event Tracing for Windows”. It is a high speed tracing facility provided by the OS. It uses buffering and logging mechanism implemented in the OS kernel. The buffers used are written to the disk. The user can later retrieve these events in a human-readable format. Please follow these steps to subscribe to Microsoft project code named “Velocity” ETW sink.

·         For the first time logging metadata has to be registered for the machine. ‘Logs’ folder (under the installation folder: Microsoft Distributed Cache\V1.0\Logs) contains the following files:

Ø - manifest file for events for Microsoft Windows Vista and above.

Ø  Provider.mof - manifest file for events for downlevel (Microsoft Windows XP, Microsoft Windows Server 2K3).

Ø  ProviderUninstall.mof - manifest file to uninstall “Velocity” provider from WMI repository.

Ø  ProviderGUID.txt - text file which contains the GUID for “Velocity” session provider and is used internally.

Moving/deleting these files can break the functionality and is not supported.

From command prompt:

Ø  Downlevel users would have to do “mofcomp Provider.mof

Ø  Users having Microsoft Windows Vista and above would have to do “wevtutil im” (this requires elevation).

·         For an ETW sink, logs would go to ETW session and can be retrieved by command line utilities. Sessions can also be controlled in the same way.

·         The utilities required are ‘tracelog.exe’ and ‘tracerpt.exe’. These are standard Windows utilities and are publicly available.

·         Start collecting logs: first, an ETW session has to be started with a definite log level. Logs generated would be pumped to it. The log level can be changed dynamically.

tracelog -start <sessionName> -f <logFile> -guid ProviderGUID.txt -level <level>

o   sessionName: name of the ETW session.

o   logFile: file in which the logs would go to.

o   level: the desired Log level.

§  2 - Error

§  3 - Warning

§  4 - Information

§  5 - Verbose

o   To disable logging, log level should be given as 1.

·         Change log level: it can be changed dynamically by

tracelog -enable <sessionName> -guid ProviderGUID.txt -level <level>

·         Stop collecting logs: now, the ETW session needs to be stopped.

tracelog -stop <sessionName>

·         Trace dump can be viewed by : tracerpt <logFile> -y

Ø  Downlevel users would get a .csv file.

Ø  Users having Microsoft Windows Vista would get an .xml file. To get a .csv file, the switch ‘-of CSV’ would have to be added. Command then would be “tracerpt <logFile> -of CSV -y”.


This was all about ETW sink on a cache host. However, if you want this functionality on the client side, you need to copy, Provider.mof, ProviderUninstall.mof and ProviderGUID.txt from the ‘Logs’ folder (under the installation folder: Microsoft Distributed Cache\V1.0\Logs) onto the client machine before executing the steps mentioned above.


Amit Kumar Yadav

(Microsoft project code named “Velocity” team)