ETW Input Format Examples
Parsing an IIS 6.0 ETW Trace Log File
This example shows how to start a trace session containing events from the IIS 6.0 providers, how to stop the session, and how to parse the resulting trace log file.
The example commands shown here apply to Windows Server 2003.
- List the GUIDs of the providers registered with the system using the following command
from a command-line window:
C:\>logman query providers
The output of this command will look like the following sample:
Provider                                 GUID
-------------------------------------------------------------------------------
IIS: WWW Global                          {d55d3bc9-cba9-44df-827e-132d3a4596c2}
ACPI Driver Trace Provider               {dab01d4d-2d48-477d-b1c3-daad0ce6f06b}
Active Directory: Kerberos               {bba3add2-c229-4cdb-ae2b-57eb6966b0c4}
IIS: SSL Filter                          {1fbecc45-c060-4e7c-8a0e-0dbd6116181b}
IIS: Request Monitor                     {3b7b0b4b-4b01-44b4-a95e-3c755719aebf}
IIS: WWW Server                          {3a2a4e84-4c21-4981-ae10-3fda0d9b0f83}
IIS: Active Server Pages (ASP)           {06b94d9a-b15e-456e-a4ef-37c984a2cb4b}
Local Security Authority (LSA)           {cc85922f-db41-11d2-9244-006008269001}
IIS: IISADMIN Global                     {DC1271C2-A0AF-400f-850C-4E42FE16BE1C}
Windows Kernel Trace                     {9e814aad-3204-11d2-9a82-006008a86939}
ASP.NET Events                           {AFF081FE-0247-4275-9C4E-021F3DC1DA35}
NTLM Security Protocol                   {C92CF544-91B3-4dc0-8E11-C580339A0BF8}
IIS: WWW Isapi Extension                 {a1c2040e-8840-4c31-ba11-9871031a19ea}
Active Directory: SAM                    {8e598056-8993-11d2-819e-0000f875a064}
HTTP Service Trace                       {dd5ef90a-6398-47a4-ad34-4dcecdef795f}
Active Directory: NetLogon               {f33959b4-dbec-11d2-895b-00c04f79ab69}
Spooler Trace Control                    {94a984ef-f525-4bf1-be3c-ef374056a592}

The command completed successfully.
- Identify the providers needed for the trace session; in this example, the trace session
will be enabled for the "IIS: WWW Server" and "IIS: Active Server Pages (ASP)"
providers.
- Create a text file containing the GUID of each selected provider on a line, followed
by the tracing flags and tracing level values for the provider. For more information
on the available flags and levels for a provider, consult the component documentation.
The following example shows a text file named "MyProviders.guid" containing the "IIS: WWW Server" and "IIS: Active Server Pages (ASP)" providers:
{3a2a4e84-4c21-4981-ae10-3fda0d9b0f83} 0xfffffffe 5
{06b94d9a-b15e-456e-a4ef-37c984a2cb4b} 0xffffffff 5
- Start the tracing session using the providers text file as the argument of the "-pf"
logman command-line parameter:
C:\>logman start ExampleTrace -pf MyProviders.guid -ets
- The tracing session has now started, and the selected providers will be logging events for each request to the IIS Web Server.
- When desired, the tracing session can be stopped with the following command:
C:\>logman stop ExampleTrace -ets
- After the tracing session has been stopped, the ETW trace log file named
"ExampleTrace.etl" is available for use.
The following Log Parser command parses the ETW trace log file and displays the logged events:
C:\>LogParser "SELECT * FROM ExampleTrace.etl" -i:ETW
The output of this command will look like the following sample:
EventNumber EventName  EventTypeName                Timestamp                      UserData
----------- ---------- ---------------------------- ------------------------------ -------------------------------------------------------------------------------------------------------------------------------------------------------------------------
2           IISGeneral GENERAL_REQUEST_START        2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}|SiteId=1|AppPoolId=DefaultAppPool|ConnId=-288230375077969904|RawConnId=0|RequestURL=http://localhost:80/|RequestVerb=GET
3           IISFilter  FILTER_START                 2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}|FilterName=C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
4           IISFilter  FILTER_PREPROC_HEADERS_START 2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}
5           IISFilter  FILTER_PREPROC_HEADERS_END   2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}
6           IISFilter  FILTER_END                   2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}
7           IISFilter  FILTER_START                 2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}|FilterName=C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\fpexedll.dll
8           IISFilter  FILTER_PREPROC_HEADERS_START 2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}
9           IISFilter  FILTER_PREPROC_HEADERS_END   2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}
10          IISFilter  FILTER_END                   2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}
11          IISCache   URL_CACHE_ACCESS_START       2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}|RequestURL=/
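As an added example (not part of the original Log Parser documentation), the Python code below parses the pipe-delimited UserData field shown in the sample output, groups events by ContextId, and reports which ISAPI filter DLLs ran for each request that are not on an allowlist. It assumes the EventTypeName and UserData columns have already been read into tuples; the rows, the second ContextId, the C:\Temp path and the EXPECTED_FILTERS allowlist are constructed for illustration.

```python
from collections import defaultdict

CTX_A = "{00000000-0000-0000-1200-0060000000fc}"
CTX_B = "{00000000-0000-0000-1300-0060000000fc}"  # constructed second request
# Constructed rows modelled on the sample output: (EventTypeName, UserData).
SAMPLE_ROWS = [
    ("GENERAL_REQUEST_START", "ContextId=" + CTX_A + "|SiteId=1|RequestURL=http://localhost:80/|RequestVerb=GET"),
    ("FILTER_START", "ContextId=" + CTX_A + r"|FilterName=C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll"),
    ("FILTER_END", "ContextId=" + CTX_A),
    ("GENERAL_REQUEST_START", "ContextId=" + CTX_B + "|SiteId=1|RequestURL=http://localhost:80/a.asp?id=1|RequestVerb=GET"),
    ("FILTER_START", "ContextId=" + CTX_B + r"|FilterName=C:\Temp\example_filter.dll"),
]
# Hypothetical allowlist of filter DLLs expected on this server (lower-cased).
EXPECTED_FILTERS = {r"c:\winnt\microsoft.net\framework\v1.1.4322\aspnet_filter.dll"}


def parse_user_data(user_data):
    """Split 'Key=Value|Key=Value' into a dict, splitting on the first '=' only."""
    fields, last_key = {}, None
    for token in user_data.split("|"):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
            last_key = key
        elif last_key is not None:
            # No '=': assume a literal '|' inside the previous value.
            fields[last_key] += "|" + token
    return fields


def filters_by_request(rows):
    """Group events by ContextId: request URL/verb plus filter DLLs started."""
    requests = defaultdict(lambda: {"url": None, "verb": None, "filters": []})
    for event_type, user_data in rows:
        fields = parse_user_data(user_data)
        req = requests[fields.get("ContextId")]
        if event_type == "GENERAL_REQUEST_START":
            req["url"], req["verb"] = fields.get("RequestURL"), fields.get("RequestVerb")
        elif event_type == "FILTER_START" and "FilterName" in fields:
            req["filters"].append(fields["FilterName"])
    return dict(requests)


def unexpected_filters(requests, expected=EXPECTED_FILTERS):
    """Return (ContextId, url, dll) for filter DLLs not on the allowlist."""
    return [(ctx, req["url"], dll)
            for ctx, req in requests.items()
            for dll in req["filters"] if dll.lower() not in expected]


if __name__ == "__main__":
    for hit in unexpected_filters(filters_by_request(SAMPLE_ROWS)):
        print(hit)
```

Paths are compared in lower case because Windows file names are case-insensitive.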
Parsing a live IIS 6.0 ETW Trace Session
This example shows how to start a live trace session containing events from the IIS 6.0 providers, how to start a Log Parser command that shows the events in real-time, and how to stop the session.
The example commands shown here apply to Windows Server 2003.
- Execute steps 1-3 from the example above.
- Start the tracing session using the providers text file as the argument of the "-pf"
logman command-line parameter, specifying also the "-rt" flag to enable a
real-time tracing session:
C:\>logman start ExampleTrace -pf MyProviders.guid -ets -rt
- The tracing session has now started, and the selected providers will be logging events for each request to the IIS Web Server.
- From a separate command-line shell window, execute the following Log Parser command
to parse the live tracing session in real-time:
C:\>LogParser "SELECT * FROM ExampleTrace" -i:ETW
This Log Parser command will output the trace events indefinitely, until the command is manually aborted, or until the tracing session is stopped.
- When desired, the tracing session can be stopped with the following command:
C:\>logman stop ExampleTrace -ets