ETW Input Format Examples

Parsing an IIS 6.0 ETW Trace Log File

1. List the GUIDs of the providers registered with the system using the following command from a command-line window:

   C:\>logman query providers
   

   The output of this command will look like the following sample:

   Provider								 GUID
   -------------------------------------------------------------------------------
   IIS: WWW Global						{d55d3bc9-cba9-44df-827e-132d3a4596c2}
   ACPI Driver Trace Provider			 {dab01d4d-2d48-477d-b1c3-daad0ce6f06b}
   Active Directory: Kerberos			 {bba3add2-c229-4cdb-ae2b-57eb6966b0c4}
   IIS: SSL Filter						{1fbecc45-c060-4e7c-8a0e-0dbd6116181b}
   IIS: Request Monitor					 {3b7b0b4b-4b01-44b4-a95e-3c755719aebf}
   IIS: WWW Server						{3a2a4e84-4c21-4981-ae10-3fda0d9b0f83}
   IIS: Active Server Pages (ASP)		 {06b94d9a-b15e-456e-a4ef-37c984a2cb4b}
   Local Security Authority (LSA)		 {cc85922f-db41-11d2-9244-006008269001}
   IIS: IISADMIN Global					 {DC1271C2-A0AF-400f-850C-4E42FE16BE1C}
   Windows Kernel Trace					 {9e814aad-3204-11d2-9a82-006008a86939}
   ASP.NET Events						 {AFF081FE-0247-4275-9C4E-021F3DC1DA35}
   NTLM Security Protocol				 {C92CF544-91B3-4dc0-8E11-C580339A0BF8}
   IIS: WWW Isapi Extension				 {a1c2040e-8840-4c31-ba11-9871031a19ea}
   Active Directory: SAM					{8e598056-8993-11d2-819e-0000f875a064}
   HTTP Service Trace					 {dd5ef90a-6398-47a4-ad34-4dcecdef795f}
   Active Directory: NetLogon			 {f33959b4-dbec-11d2-895b-00c04f79ab69}
   Spooler Trace Control					{94a984ef-f525-4bf1-be3c-ef374056a592}
   
   The command completed successfully.
   

2. Identify the providers needed for the trace session; in this example, the trace session will be enabled for the "IIS: WWW Server" and "IIS: Active Server Pages (ASP)" providers.
   
3. Create a text file containing the GUID of each selected provider on a line, followed by the tracing flags and tracing level values for the provider. For more information on the available flags and levels for a provider, consult the component documentation.
   The following example shows a text file named "MyProviders.guid" containing the "IIS: WWW Server" and "IIS: Active Server Pages (ASP)" providers:

   {3a2a4e84-4c21-4981-ae10-3fda0d9b0f83} 0xfffffffe 5
   {06b94d9a-b15e-456e-a4ef-37c984a2cb4b} 0xffffffff 5
   

4. Start the tracing session using the providers text file as the argument of the "-pf" logman command-line parameter:

   C:\>logman start ExampleTrace -pf MyProviders.guid -ets
   

5. The tracing session has now started, and the selected providers will be logging events for each request to the IIS Web Server.
6. When desired, the tracing session can be stopped with the following command:

   C:\>logman stop ExampleTrace -ets
   

7. After the tracing session has been stopped, the ETW trace log file named "ExampleTrace.etl" is available for use.
   The following Log Parser command parses the ETW trace log file and displays the logged events:

   C:\>LogParser "SELECT * FROM ExampleTrace.etl" -i:ETW
   

   The output of this command will look like the following sample:

   EventNumber EventName  EventTypeName				Timestamp					UserData
   ----------- ---------- ---------------------------- ------------------------------ -------------------------------------------------------------------------------------------------------------------------------------------------------------------------
   2		 IISGeneral GENERAL_REQUEST_START		2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}|SiteId=1|AppPoolId=DefaultAppPool|ConnId=-288230375077969904|RawConnId=0|RequestURL=http://localhost:80/|RequestVerb=GET
   3		 IISFilter  FILTER_START				 2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}|FilterName=C:\WINNT\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
   4		 IISFilter  FILTER_PREPROC_HEADERS_START 2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}
   5		 IISFilter  FILTER_PREPROC_HEADERS_END   2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}
   6		 IISFilter  FILTER_END				 2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}
   7		 IISFilter  FILTER_START				 2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}|FilterName=C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\fpexedll.dll
   8		 IISFilter  FILTER_PREPROC_HEADERS_START 2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}
   9		 IISFilter  FILTER_PREPROC_HEADERS_END   2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}
   10		IISFilter  FILTER_END				 2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}
   11		IISCache   URL_CACHE_ACCESS_START	 2004-10-14 20:27:26.624.399000 ContextId={00000000-0000-0000-1200-0060000000fc}|RequestURL=/
   

Parsing a live IIS 6.0 ETW Trace Session

1. Execute steps 1-3 from the example above.
4. Start the tracing session using the providers text file as the argument of the "-pf" logman command-line parameter, specifying also the "-rt" flag to enable a real-time tracing session:

   C:\>logman start ExampleTrace -pf MyProviders.guid -ets -rt
   

5. The tracing session has now started, and the selected providers will be logging events for each request to the IIS Web Server.
6. From a separate command-line shell window, execute the following Log Parser command to parse the live tracing session in real-time:

   C:\>LogParser "SELECT * FROM ExampleTrace" -i:ETW
   

   This Log Parser command will output the trace events indefinitely, until the command is manually aborted, or until the tracing session is stopped.
7. When desired, the tracing session can be stopped with the following command:

   C:\>logman stop ExampleTrace -ets
   

© 2004 Microsoft Corporation. All rights reserved.