ETW tracing and command line tools(Logman.exe, TraceRpt.exe)

Posted on

Hi, I hope this page will help to find the answer how logman and tracerpt tools is used to process ETW logs.
You can find general information about ETW usage visiting

tracerpt.exe { <filename [filename …]> | -rt <session_name [session_name …]> } [options]

  <filename [filename …]>     Event Trace log file to process.

  -?                            Displays context sensitive help.
  -o [filename]                 Text (CSV) output file. Default is dumpfile.csv.
  -summary [filename]           Summary report text file (CSV) file. Default is summary.txt.
  -report [filename]            Text output report file. Default is workload.txt.
  -rt <session_name [session_name …]>   Real-time Event Trace Session data source.
  -config <filename>            Settings file containing command options.
  -y                            Answer yes to all questions without prompting.
  -f <XML|TXT|HTML>             Report format.

  tracerpt logfile1.etl logfile2.etl -o -report
  tracerpt logfile.etl -o logdmp.csv -summary logdmp.txt -report logrpt.txt
  tracerpt -rt EVENT_SESSION_1 EVENT_SESSION_2 -o logfile.csv


Logman manages the “Performance Logs and Alerts” service for creating and managing Event Trace Session logs and
Performance logs.

logman VERB <collection_name> [options]

  create <counter|trace>        Create a new collection.
  start                         Start an existing collection and set the begin time to manual.
  stop                          Stop an existing collection and set the end time to manual.
  delete                        Delete an existing collection.
  query [collection_name|providers]  Query collection properties. If no collection_name is given all collections are
                                listed. The keyword ‘providers’ will list all of the registered Event Trace providers.
  update                        Update an existing collection properties.

  <collection_name>             Name of the collection.

  -?                            Displays context sensitive help.
  -s <computer>                 Perform the command on specified remote system.
  -config <filename>            Settings file containing command options.
  -b <M/d/yyyy h:mm:ss[AM|PM]>  Begin the collection at specified time.
  -e <M/d/yyyy h:mm:ss[AM|PM]>  End the collection at specified time.
  -m <[start] [stop]>           Change to manual start or stop rather than a scheduled begin or end time.
  -[-]r                         Repeat the collection daily at the specified begin and end times.
  -o <path|dsn!log>             Path of the output log file or the DSN and log set name in a SQL database.
  -f <bin|bincirc|csv|tsv|sql>  Specifies the log format for the collection.
  -[-]a                         Append to an existing log file.
  -[-]v [nnnnnn|mmddhhmm]       Attach file versioning information to the end of the log name.
  -[-]rc <filename>             Run the command specified each time the log is closed.
  -[-]max <value>               Maximum log file size in MB or number of records for SQL logs.
  -[-]cnf [[[hh:]mm:]ss]        Create a new file when the specified time has elapsed or when the max size is exceeded.
  -c <path [path …]>          Performance counters to collect.
  -cf <filename>                File listing performance counters to collect, one per line.
  -si <[[hh:]mm:]ss>            Sample interval for performance counter collections.
  -ln <logger_name>             Logger name for Event Trace Sessions.
  -[-]rt                        Run the Event Trace Session in real-time mode.
  -p <provider [flags [level]]> A single Event Trace provider to enable.
  -pf <filename>                File listing multiple Event Trace providers to enable.
  -[-]ul                        Run the Event Trace Session in user mode.
  -bs <value>                   Event Trace Session buffer size in kb.
  -ft <[[hh:]mm:]ss>            Event Trace Session flush timer.
  -nb <min max>                 Number of Event Trace Session buffers.
  -fd                           Flushes all the active buffers of an existing Event Trace Session to disk.
  -[-]u [user [password]] &nbs
p;     User to Run As. Entering a * for the password produces a prompt for the password. The
                                password is not displayed when you type it at the password prompt.
  -rf <[[hh:]mm:]ss>            Run the collection for specified period of time.
  -y                            Answer yes to all questions without prompting.
  -ets                          Send commands to Event Trace Sessions directly without saving or scheduling.
  -mode <trace_mode [trace_mode …]>   Event Trace Session logger mode.
  -ct <perf|system|cycle>       Event Trace Session clock type.

  Where [-] is listed, an extra – negates the option.
  For example –r turns off the -r option.

  logman create counter perf_log -c “\Processor(_Total)\% Processor Time”
  logman create trace trace_log -nb 16 256 -bs 64 -o c:\logfile
  logman start perf_log
  logman update perf_log -si 10 -f csv -v mmddhhmm
  logman update trace_log -p “Windows Kernel Trace” (disk,net)