This blog entry explains how to collect WinRM ETW and WPP traces:

WinRM ETW Traces:

You can use Event Viewer to look at WinRM ETW events:

·         They are under Application and Services Logs → Microsoft → Windows → Windows Remote Management


The Operational channel is enabled by default. The Analytic channel needs to be enabled.

Use the following to show and enable the Analytic log:

·         Menu → View → Show Analytic and Debug Logs

·         Right-click on the Analytic log and select Enable Log


Alternatively, you can enable the Analytic log from the command line:

·         Wevtutil.exe sl Microsoft-Windows-Winrm/Analytic /e:true /q


Here’s a way to collect an ETW log dump using logman.exe:

·         Start the provider: logman.exe start winrmtrace -p Microsoft-Windows-Winrm -o winrmtrace.etl -ets

·         Run the repro.

·         Stop the provider: logman.exe stop winrmtrace -ets


Here’s a way to convert the .etl log to various formats:

·         XML: tracerpt.exe winrmtrace.etl -of XML -o winrmtrace.xml

·         CSV: tracerpt.exe winrmtrace.etl -of CSV -o winrmtrace.csv

·         TXT: netsh trace convert winrmtrace.etl dump=TXT
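
The logman and tracerpt steps above combined into one elevated PowerShell script, as an added example that is not part of the original post. It goes slightly beyond the post by stopping the session in a finally block and summarizing the trace with Get-WinEvent; `$OutDir`, the `Invoke-Native` helper and the tracerpt `-y` (overwrite without prompting) switch are choices made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: start the WinRM ETW session, wait for the repro, stop, convert, summarize.
param(
    [string]$OutDir = (Join-Path $env:TEMP 'winrmtrace')    # assumed output folder
)

$session = 'winrmtrace'                                     # session name used in the post
$etl     = Join-Path $OutDir 'winrmtrace.etl'

function Invoke-Native {
    # Hypothetical helper: run a native tool and throw on a non-zero exit code,
    # so a failed start is not silently followed by an empty trace.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE" }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Start the ETW session for the WinRM provider (same command as in the post).
Invoke-Native logman.exe @('start', $session, '-p', 'Microsoft-Windows-Winrm', '-o', $etl, '-ets')
try {
    Read-Host 'Trace is running. Reproduce the problem, then press Enter' | Out-Null
}
finally {
    # Runs on Enter, on an error, and on Ctrl+C, so the session never stays active.
    Invoke-Native logman.exe @('stop', $session, '-ets')
}

# Convert the .etl file to XML and CSV with tracerpt.
Invoke-Native tracerpt.exe @($etl, '-of', 'XML', '-o', (Join-Path $OutDir 'winrmtrace.xml'), '-y')
Invoke-Native tracerpt.exe @($etl, '-of', 'CSV', '-o', (Join-Path $OutDir 'winrmtrace.csv'), '-y')

# Quick triage: event counts per event ID and level.
# Get-WinEvent requires -Oldest when reading .etl files.
Get-WinEvent -Path $etl -Oldest |
    Group-Object -Property Id, LevelDisplayName |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name -First 20 |
    Format-Table -AutoSize

Write-Host "Trace files written to $OutDir"
```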



Note that these are just the operational and analytic logs. If there is a low-level design or implementation problem that cannot be figured out from these logs, WPP traces may be required. The following steps generate WinRM WPP traces.


WinRM WPP Traces:

Launch a PowerShell console with elevated admin credentials and run the following commands:

·         Import-Module psdiagnostics

·         Enable-WSManTrace

·         Now reproduce the problem by sending the subscription packets from the client. Continue with the next step after the problem stops.

·         Disable-WSManTrace

·         Send us the file %windir%\system32\wsmtraces.log