Collecting WinRM Traces
This blog entry explains how to collect WinRM ETW and WPP traces:
WinRM ETW Traces:
You can use Event Viewer to look at WinRM ETW events:
· They are under Application and Services Logs → Microsoft → Windows → Windows Remote Management
The Operational channel is enabled by default. The Analytic channel needs to be enabled.
Use the following to show and enable the Analytic log:
· Menu → View → Show Analytic and Debug Logs
· Right-click on the Analytic log and select Enable Log
Alternatively, you can enable the Analytic log using:
· Wevtutil.exe sl Microsoft-Windows-Winrm/Analytic /e:true /q
Here’s a way to collect an ETW log dump using logman.exe:
· Start the provider: logman.exe start winrmtrace -p Microsoft-Windows-Winrm -o winrmtrace.etl -ets
· Run the repro.
· Stop the provider: logman.exe stop winrmtrace -ets
Here’s a way to convert the .etl log to various formats:
· XML: tracerpt.exe winrmtrace.etl -of XML -o winrmtrace.xml
· CSV: tracerpt.exe winrmtrace.etl -of CSV -o winrmtrace.csv
· TXT: netsh trace convert winrmtrace.etl dump=TXT
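The logman capture and tracerpt conversion above, combined into one PowerShell function as an added example (not code from the original post). The function name Invoke-WinRMTraceCapture, the $OutDir location and the Test-WSMan repro are assumptions; the function stops the trace session even if the repro throws, then summarizes the captured events by ID.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Invoke-WinRMTraceCapture and
# $OutDir are hypothetical names; the logman/tracerpt commands are the ones above.
function Invoke-WinRMTraceCapture {
    param(
        [Parameter(Mandatory)] [scriptblock] $Repro,
        [string] $OutDir = (Join-Path $env:TEMP ("winrmtrace-" + (Get-Date -Format 'yyyyMMdd-HHmmss')))
    )

    # A fresh timestamped directory avoids overwriting an earlier capture.
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $etl = Join-Path $OutDir 'winrmtrace.etl'
    $xml = Join-Path $OutDir 'winrmtrace.xml'

    logman.exe start winrmtrace -p Microsoft-Windows-Winrm -o $etl -ets | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "logman start failed (exit code $LASTEXITCODE)" }

    try {
        & $Repro    # run the repro while the provider is being traced
    }
    finally {
        # Stop the session even when the repro fails, so it does not keep running.
        logman.exe stop winrmtrace -ets | Out-Null
    }

    tracerpt.exe $etl -of XML -o $xml | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "tracerpt failed (exit code $LASTEXITCODE)" }

    # Get-WinEvent reads .etl files directly, but only in oldest-first order.
    $events = @(Get-WinEvent -Path $etl -Oldest -ErrorAction SilentlyContinue)
    if ($events.Count -eq 0) {
        Write-Warning "No WinRM events captured; check that the repro used WinRM."
        return
    }

    # One row per event ID: how often it fired and the first line of a sample message.
    $events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            EventId = [int]$_.Name
            Count   = $_.Count
            Sample  = ("$($_.Group[0].Message)" -split "`r?`n")[0]
        }
    }
}

# Constructed repro for illustration: a local WS-Management identify request.
Invoke-WinRMTraceCapture -Repro { Test-WSMan -ComputerName localhost } | Format-Table -AutoSize
```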
Note that these are just operational and analytic logs. If there is a low-level design/implementation problem that can't be figured out using these logs, WPP traces may be required. The following steps generate WinRM WPP traces.
WinRM WPP Traces:
Launch a PowerShell console with elevated admin credentials and run the following commands:
· Import-Module psdiagnostics
· Enable-WSManTrace
· Now reproduce the problem by sending the subscription packets from the client. Continue with the next step after the problem stops.
· Disable-WSManTrace
· Send us the file %windir%\system32\wsmtraces.log