In 2008, I blogged about the just-released Windows Performance Toolkit, and the xperf tool that collects ETW events (including stack traces) and displays them in a form that allows basic analysis. Since then, ETW generation and collection have taken a huge leap forward. Microsoft has released a great library for creating ETW providers, and a set of tools (PerfMonitor, PerfView) for analyzing ETW traces in .NET apps.
With the release of the Windows 8 SDK, xperf has been superseded by two new tools: WPR (Windows Performance Recorder), which enables ETW providers and captures traces, and WPA (Windows Performance Analyzer), which displays traces in graphical form including graphs and detail tables.
I wouldn’t want to sound like a broken record, but ETW is truly one of the most incredible instrumentation and diagnostic tools on Windows. The wealth of information you can discern from a properly captured ETW trace is overwhelming, and many seemingly-impossible problems have been solved in the past with simple ETW traces. For example, check out this story about identifying a faulty Western Digital hard disk driver that was doing 4GB memory allocations, or this story about performance issues in Windows Live Photo Gallery.
Getting started with WPA can be a little intimidating, but in the end it displays the same set of information. Moreover, you can use WPA to open ETW traces recorded with xperf – the file format is, of course, completely interoperable. As an example, let’s record a trace with the Base kernel group (that group includes sampling profiling events) and stackwalks for the Profile kernel flag:
xperf –on Base –stackwalk Profile
Now, after performing some activity (I chose to run a dir /s command in a command prompt window), turn off the data collection and merge the log:
xperf –d profile.etl
Finally, open the resulting file in WPA:
The window looks a bit empty, so go ahead and expand some graphs on the left. When you encounter an interesting graph, drag it to the main view. In my case, I would like to see the stack activity for the cmd.exe and conhost.exe processes, so I’ll drag out the System Activity > Stacks Counts and System Activity > Processes Lifetime graphs:
Notice how after selecting a process in the lower graph, I get the same time interval highlighted in the upper graph. That’s a feature I was direly missing in xperfview.
Finally, to see detailed stack information for the relevant processes, click the toolbar icon on the upper left that says “Display graph and table”. The resulting table is quite similar to what xperf had to offer – you can drag columns to the left of the gold bar for grouping, and expand stack traces (after loading symbols with Trace > Load Symbols) to see the weight for each individual function. For example, after drilling down into the conhost.exe process, I found that it spends most of its time asking gdi32.dll to draw text on the screen – what a surprise!
To conclude, ETW is still very awesome and WPR/WPA make it somewhat easier to record and analyze ETW traces. For managed applications, you really should consider looking at PerfMonitor and PerfView, and Vance Morrison has a great set of blog posts and videos covering their various features. Chapter 2 of the Pro .NET Performance book covers some of these tools and concepts as well.
I am posting short links and updates on Twitter as well as on this blog. You can follow me: @goldshtn