WPR Additional Profiles

  • Question

  • Beginner's question, but what do the additional profiles provide in WPR?

    I have done a capture with just the First Level Triage selected and then did the same capture with First Level Triage and CPU usage. When I look at the traces in WPA, I can't see any extra graphs or information.

    Presumably, the second trace is capturing more detailed information about the CPU, but how do I see this?

    Thanks

    Mark

    Wednesday, November 19, 2014 10:09 AM

All replies

  • I've had a bit of a look at this using the following commands which can reveal the details of currently active ETW sessions:

    xperf -loggers
    tracelog -q "WPR_initiated_WprApp_WPR System Collector"
    tracelog -q "WPR_initiated_WprApp_WPR Event Collector"

    The xperf one gives good details for all but secured sessions; for those, tracelog -q tends to be more informative. Tracelog doesn't seem to give much useful info for the non-secured WPR session.

    From these results, one can determine (I'm basing these results on WPRUI.exe - Windows Performance Recorder 6.3.9600.16384) that First Level Triage is a superset of CPU Only. The only effect of enabling both as compared to only running Triage is that the maximum buffer counts of the sessions will be increased.

    Specifically, CPU Only enables these kernel provider flags:
    Process Thread ImageLoad CxtSwap Profile Power MemInfo Priority Dispatcher CpuConfig KernelQueue

    and collects stacks for:
    CSwitch ReadyThread KernelQueueEnqueue KernelQueueDequeue Profile

    whereas FirstLevelTriage enables:
    Process Thread ProcCounters ImageLoad DiskIo HardFaults CxtSwap Dpc Isr Profile Power MemInfo MemInfoWs Priority Dispatcher CpuConfig KernelQueue WdfDriverDpc WdfDriverInterrupt

    with stacks on:
    DiskRead DiskWrite DiskFlush ThreadDCEnd CSwitch ReadyThread KernelQueueEnqueue KernelQueueDequeue Profile

    Doing a diff gives the additional flags enabled by Triage:
    ProcCounters DiskIo HardFaults Dpc Isr MemInfoWs WdfDriverDpc WdfDriverInterrupt

    and for stack collection:
    DiskRead DiskWrite DiskFlush ThreadDCEnd

    Edit: Forgot about the user mode providers, First Level Triage enables the following additional providers:

    9580d7dd-0379-4658-9870-d5be7d52d6de:0x200:0xff
    0a002690-3839-4e3a-b3b6-96d8df868d99:0xffffffffffffffff:0x5
    "Microsoft-Windows-COMRuntime":0x3:0xff
    49c2c27c-fe2d-40bf-8c4e-c3fb518037e7:0xffffffffffffffff:0xff
    751ef305-6c6e-4fed-b847-02ef79d26aef:0xffffffffffffffff:0xff
    cfeb0608-330e-4410-b00d-56d8da9986e6:0xffffffffffffffff:0xff
    8e92deef-5e17-413b-b927-59b2f06a3cfc:0xffffffffffffffff:0xff
    e4b70372-261f-4c54-8fa6-a5a7914d73da:0xffffffffffffffff:0xff

    (No idea what they do, but you can do things like searching for .man files containing the GUIDs, or querying running executables with logman providers -pid to find what providers they expose; that might give hints as to their function.)

    Also, some extra flags are enabled on the Immersive-Shell, Kernel-Power and NCSI providers.

    The common subset of user providers between them is:

    "Microsoft-Windows-PowerCpl":0x1000000000000:0x4
    "Microsoft-Windows-WinINet":0x1000000000000:0x4
    "Microsoft-Windows-UIAutomationCore":0x1000000000000:0x4
    "Microsoft-Windows-ntshrui":0x1000000000000:0x4
    "Microsoft-Windows-Kernel-PnP":0x1000000000000:0x4
    "Microsoft-Windows-NlaSvc":0x1000000000000:0x4
    "Microsoft-Windows-Diagnosis-MSDE":0x1000000000000:0x4
    "Microsoft-Windows-Diagnosis-WDC":0x1000000000000:0x4
    "Microsoft-Windows-AppHost":0x1000000000000:0x4
    "Microsoft-Windows-PushNotifications-Platform":0x1000000000000:0x4
    "Microsoft-Windows-ErrorReportingConsole":0x1000000000000:0x4
    "Microsoft-Windows-IME-KRTIP":0x1000000000000:0x4
    "Microsoft-Windows-RPCSS":0xffffffffffffffff:0x4
    "Microsoft-Windows-Network-and-Sharing-Center":0x1000000000000:0x4
    "Microsoft-Windows-WPDClassInstaller":0x1000000000000:0x4
    e7ef96be-969f-414f-97d7-3ddb7b558ccc:0x2000:0xff
    "Microsoft-PerfTrack-MSHTML":0x1000000000000:0x4
    "Microsoft-Windows-DiagCpl":0x1000000000000:0x4
    "Microsoft-Windows-stobject":0x1000000000000:0x4
    "Microsoft-Windows-DeviceSetupManager":0x1000000000000:0x4
    "Microsoft-Windows-Kernel-BootDiagnostics":0x1000000000000:0x4
    "Microsoft-Windows-Diagnostics-Networking":0x1000000000000:0x4
    "Microsoft-Windows-Immersive-Shell":0x1000000000000:0x4
    "Microsoft-PerfTrack-IEFRAME":0x1000000000000:0x4
    "Microsoft-Windows-WindowsUpdateClient":0x1000000000000:0x4
    "Microsoft-Windows-VAN":0x1000000000000:0x4
    "Microsoft-Windows-NetworkGCW":0x1000000000000:0x4
    "Microsoft-Windows-Netshell":0x1000000000000:0x4
    "Microsoft-Windows-ThemeUI":0x1000000000000:0x4
    "Microsoft-Windows-DxgKrnl":0x1000000000000:0x4
    "Microsoft-Windows-Diagnosis-AdvancedTaskManager":0x1000000000000:0x4
    "Microsoft-Windows-User-ControlPanel":0x1000000000000:0x4
    "Microsoft-Windows-Documents":0x1000000000000:0x4
    "Microsoft-Windows-PDC":0x1000000000000:0x4
    "Microsoft-Windows-Shell-AuthUI":0x1000000000000:0x4
    36b6f488-aad7-48c2-afe3-d4ec2c8b46fa:0x10000:0xff
    "Microsoft-Windows-Dwm-Core":0x1000000000000:0x4
    "Microsoft-Windows-ProcessStateManager":0xffffffffffffffff:0xff
    "Microsoft-Windows-DXP":0x1000000000000:0x4
    "Microsoft-Windows-UserPnp":0x1000000000000:0x4
    "Microsoft-Windows-AppXDeployment-Server":0x1000000000000:0x4
    "Microsoft-Windows-MediaEngine":0x1000000000000:0x4
    "Microsoft-Windows-HealthCenter":0x1000000000000:0x4
    "Microsoft-Windows-Ncasvc":0x1000000000000:0x4
    "Microsoft-Windows-Kernel-Power":0x1000000000000:0x4
    "Microsoft-JScript":0x1:0xff
    "Microsoft-Windows-VolumeControl":0x1000000000000:0x4
    "Microsoft-Windows-PrimaryNetworkIcon":0x1000000000000:0x4
    "Microsoft-Windows-IME-SCTIP":0x1000000000000:0x4
    "Microsoft-Windows-NetworkProfile":0x1000000000000:0x4
    ".NET Common Language Runtime":0x98:0x5
    "Microsoft-Windows-IME-TIP":0x1000000000000:0x4
    "Microsoft-Windows-DxpTaskRingtone":0x1000000000000:0x4
    "Microsoft-Windows-IME-TCTIP":0x1000000000000:0x4
    "Microsoft-Windows-MediaFoundation-MFCaptureEngine":0x1000000000000:0x4
    "Microsoft-Windows-DisplaySwitch":0x1000000000000:0x4
    "Microsoft-Windows-LUA":0x1000000000000:0x4
    "Microsoft-Windows-DateTimeControlPanel":0x1000000000000:0x4
    "Microsoft-Windows-TabletPC-InputPanel":0x1000000000000:0x4
    "Microsoft-Windows-TaskScheduler":0x1000000000000:0x4
    "Microsoft-Windows-Help":0x1000000000000:0x4
    "Microsoft-Windows-Audio":0x1000000000000:0x4
    "Microsoft-Windows-MediaFoundation-Performance":0x1000000000000:0x4
    "Microsoft-Windows-UserAccountControl":0x1000000000000:0x4
    "Microsoft-Windows-IME-JPTIP":0x1000000000000:0x4
    "Microsoft-Windows-WMP":0x1000000000000:0x4
    "Microsoft-Windows-Graphics-Printing":0x1000000000000:0x4
    "Microsoft-Windows-Dwm-Udwm":0x1000000000000:0x4
    "Microsoft-Windows-ComDlg32":0x1000000000000:0x4
    "Microsoft-Windows-Dhcp-Client":0x1000000000000:0x4
    "Microsoft-Windows-Display":0x1000000000000:0x4
    "Microsoft-Windows-UxTheme":0x1000000000000:0x4
    "Microsoft-Windows-DxpTaskSyncProvider":0x1000000000000:0x4
    "Microsoft-Windows-NCSI":0x1000000000000:0x4
    "Microsoft-Windows-DeviceUx":0x1000000000000:0x4
    "Microsoft-Windows-HealthCenterCPL":0x1000000000000:0x4
    "Microsoft-Windows-User Profiles Service":0x1000000000000:0x4
    "Microsoft-Windows-Networking-Correlation":0xffffffffffffffff:0xff
    "Microsoft-Windows-Store-Client-UI":0x1000000000000:0x4
    "Microsoft-Windows-Immersive-Shell-API":0x1000000000000:0x4
    "Microsoft-Windows-WindowsUIImmersive":0x1000000000000:0x4
    "Microsoft-Windows-Winlogon":0x1000000000000:0x4
    "Microsoft-Windows-PrintDialogs":0x1000000000000:0x4
    "Microsoft-Windows-All-User-Install-Agent":0x1000000000000:0x4
    "Microsoft-Windows-PowerShell":0x1000000000000:0x4
    "Microsoft-Windows-Services":0x1000000000000:0x4
    "Microsoft-Windows-RPC":0xffffffffffffffff:0x4
    "Microsoft-Windows-ThemeCPL":0x1000000000000:0x4
    "Microsoft-Windows-AltTab":0x1000000000000:0x4
    "Microsoft-Windows-Win32k":0x1000000402000:0xff
    "Microsoft-Windows-Shell-Core":0x1000000000000:0x4
    "Microsoft-Windows-BrokerInfrastructure":0x1000000000001:0xff
    "Microsoft-Windows-Superfetch":0x1000000000000:0x4
    "Microsoft-Windows-SystemSettings":0x1000000000000:0x4
    "Microsoft-Windows-DriverFrameworks-UserMode":0x1000000000000:0x4
    "Microsoft-Windows-DHCPv6-Client":0x1000000000000:0x4


    • Edited by Cam Sinclair Tuesday, December 9, 2014 10:21 AM
    • Proposed as answer by Cam Sinclair Tuesday, December 9, 2014 10:22 AM
    Tuesday, December 9, 2014 10:06 AM
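
The comparison described in the answer above, as an added Python example that is not part of the original post: it diffs the two kernel flag lists quoted in the answer and parses provider lines in the `id:keywords:level` form to report providers that a second profile adds or widens. The function names are hypothetical, the two sample listings are constructed, and the NCSI keywords and level on the triage side are invented for illustration.

```python
import re

# Kernel flag lists exactly as reported in the answer above.
CPU_ONLY = ("Process Thread ImageLoad CxtSwap Profile Power MemInfo "
            "Priority Dispatcher CpuConfig KernelQueue").split()
TRIAGE = ("Process Thread ProcCounters ImageLoad DiskIo HardFaults CxtSwap "
          "Dpc Isr Profile Power MemInfo MemInfoWs Priority Dispatcher "
          "CpuConfig KernelQueue WdfDriverDpc WdfDriverInterrupt").split()

# Constructed samples in the page's id:keywords:level form; the NCSI
# keywords and level in TRIAGE_SAMPLE are invented for illustration.
CPU_SAMPLE = '''
"Microsoft-Windows-NCSI":0x1000000000000:0x4
"Microsoft-Windows-RPC":0xffffffffffffffff:0x4
'''
TRIAGE_SAMPLE = '''
"Microsoft-Windows-NCSI":0x1000000000003:0xff
"Microsoft-Windows-RPC":0xffffffffffffffff:0x4
"Microsoft-Windows-COMRuntime":0x3:0xff
9580d7dd-0379-4658-9870-d5be7d52d6de:0x200:0xff
'''

SPEC = re.compile(r'^\s*(?:"(?P<name>[^"]+)"|(?P<guid>[0-9A-Fa-f-]{36}))'
                  r':(?P<kw>0x[0-9A-Fa-f]+):(?P<lvl>0x[0-9A-Fa-f]+)\s*$')

def extra_flags(base, other):
    """Flags in `other` that `base` lacks, in `other`'s order."""
    return [f for f in other if f not in set(base)]

def parse_providers(text):
    """Map lower-cased provider name or GUID -> (keyword mask, level)."""
    out = {}
    for line in filter(str.strip, text.splitlines()):
        m = SPEC.match(line)
        if not m:
            raise ValueError(f"unrecognised provider spec: {line!r}")
        key = (m["name"] or m["guid"]).lower()
        out[key] = (int(m["kw"], 16), int(m["lvl"], 16))
    return out

def diff_providers(base, other):
    """Return (ids only in `other`, {id: (new keyword bits, old lvl, new lvl)})."""
    added = sorted(set(other) - set(base))
    widened = {}
    for key in set(base) & set(other):
        (bkw, blvl), (okw, olvl) = base[key], other[key]
        if okw & ~bkw or olvl != blvl:
            widened[key] = (okw & ~bkw, blvl, olvl)
    return added, widened
```

An empty result from `extra_flags(TRIAGE, CPU_ONLY)` is what confirms the superset relationship stated in the answer.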