Using Event Tracing for Windows to Log CLR Events

[This documentation is for preview only, and is subject to change in later releases. Blank topics are included as placeholders.]

Event Tracing for Windows (ETW) can be used to record common language runtime (CLR) events. You can use the tools in the Windows Performance Toolkit (WPT) to record and view ETW logs. Use the trace capture, processing, and command-line analysis tool (Xperf.exe) to record CLR events, and use the Performance Analyzer tool to view the resulting logs.

To capture CLR event information, the CLR provider must be installed on your computer.

  • On Windows Vista and later platforms, install the provider by using the Windows Wevtutil tool. The command to install the CLR providers is: wevtutil im CLR-ETW.man.

  • On Windows operating systems before Windows Vista, install the provider by using the Windows mofcomp tool. The command to install the CLR providers is: mofcomp CLR.mof.

  • Both CLR.mof and CLR-ETW.man are in the %WINDIR%\Microsoft.NET\Framework[64]\v4.<.NET version>\ directory.

You can confirm that the provider is installed by starting the command prompt and typing logman query providers. A list of providers is displayed. This list should contain an entry for the .NET Framework common language runtime, as follows.

Provider                                 GUID
-------------------------------------------------------------------------------
.NET Common Language Runtime             {E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}
ACPI Driver Trace Provider               {DAB01D4D-2D48-477D-B1C3-DAAD0CE6F06B}
Active Directory Domain Services: SAM    {8E598056-8993-11D2-819E-0000F875A064}
Active Directory: Kerberos Client        {BBA3ADD2-C229-4CDB-AE2B-57EB6966B0C4}
Active Directory: NetLogon               {F33959B4-DBEC-11D2-895B-00C04F79AB69}
ASP.NET Events                           {AFF081FE-0247-4275-9C4E-021F3DC1DA35}
...

If the CLR provider is not listed, you can register it by opening a command prompt in the .NET Framework 2.0 installation directory, for example, C:\Windows\Microsoft.NET\Framework\v2.0.50727. Type the command mofcomp CLR.mof to register the provider and its event handlers. On Windows Vista, the command prompt must be run as an administrator.

On Windows XP and Windows Server 2003, you must enable .NET Framework processes to be ETW event providers. You can do that by setting the environment variable COMPlus_ETWEnabled=1 or by setting the registry key HKLM\Software\Microsoft\.NetFramework\ETWEnabled to 1. Ensure that either the environment variable or the registry key is set before recording events.

Capturing CLR ETW Events

You can use logman, tracerpt, or xperf to capture and decode ETW events.

To capture CLR ETW Events using logman and tracerpt

  1. Create a file called clr.guid containing the content: {Provider GUID} flag level. For example, for the CLR provider: {e13c0d23-ccbc-4e12-931b-d9cc2eee27e4} 0xffffffff 5. The GUID is the CLR ETW provider GUID. 0xffffffff means include everything, and 5 is the highest level, which includes all levels.

  2. Set this environment variable to enable ETW in CLR (pre-Vista systems only): set complus_etwenabled=1.

  3. Start ETW tracing: logman start clrevents -pf clr.guid -ets -ct perf. The -ct perf parameter means to use QueryPerformanceCounter to log the time stamp for each event.

  4. To stop logging the events: logman stop clrevents -ets. This creates an .etl file named clrevents.etl.

  5. To decode the events using .mof: Tracerpt clrevents.etl. This will create two files: dumpfile.csv and summary.txt. The former has all the events, the latter provides a summary of the events. On Windows Vista, tracerpt will generate dumpfile.xml instead of dumpfile.csv.
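The five steps above as one PowerShell script, with a provider check first and a guaranteed session stop. This is an added example, not part of the original documentation; the working directory, the 30-second capture window, and the use of logman's -o and tracerpt's -y options are assumptions that do not appear in the commands above.

```powershell
# Added example, not part of the original documentation.
$ErrorActionPreference = 'Stop'

$ClrGuid = '{e13c0d23-ccbc-4e12-931b-d9cc2eee27e4}'  # CLR ETW provider GUID (from the page)
$Session = 'clrevents'                               # session name used on the page
$WorkDir = Join-Path $env:TEMP 'clr-etw'             # assumption: scratch directory
$Seconds = 30                                        # assumption: capture window

# Confirm the CLR provider is registered before starting a session.
$registered = & logman query providers | Select-String -SimpleMatch $ClrGuid
if (-not $registered) {
    throw "CLR provider $ClrGuid is not registered (wevtutil im CLR-ETW.man or mofcomp CLR.mof)."
}

New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
Push-Location $WorkDir
try {
    # Step 1: provider file in the form "{Provider GUID} flag level".
    Set-Content -Path 'clr.guid' -Value "$ClrGuid 0xffffffff 5" -Encoding ASCII

    # Step 2: pre-Vista systems (OS major version below 6) need the CLR opt-in.
    # It only affects managed processes started from this shell afterwards.
    if ([Environment]::OSVersion.Version.Major -lt 6) { $env:COMPlus_ETWEnabled = '1' }

    # Step 3: start the session. -o is added here (it is not in the page's
    # command) so the location of the .etl file is explicit.
    $etl = Join-Path $WorkDir "$Session.etl"
    Remove-Item $etl -ErrorAction SilentlyContinue
    & logman start $Session -pf clr.guid -o $etl -ets -ct perf
    if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }
    try {
        Start-Sleep -Seconds $Seconds   # run the managed workload in this window
    }
    finally {
        # Step 4: always stop, so a failed run does not leave the session active.
        & logman stop $Session -ets
    }

    # Step 5: decode the trace. -y answers tracerpt's overwrite prompts.
    & tracerpt $etl -y
    if ($LASTEXITCODE -ne 0) { throw "tracerpt failed with exit code $LASTEXITCODE" }

    # List what was produced: the .etl file, summary.txt, and dumpfile.csv or dumpfile.xml.
    Get-ChildItem -Path $WorkDir | Select-Object Name, Length
}
finally {
    Pop-Location
}
```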

 

To capture CLR ETW Events using xperf

  1. Set this environment variable to enable ETW in CLR (pre-Vista systems only): set complus_etwenabled=1.

  2. Start ETW tracing: xperf -start clr -on e13c0d23-ccbc-4e12-931b-d9cc2eee27e4:0x50:5 -f clr.etl. The GUID is the CLR ETW provider GUID. 0x50:5 indicates trace everything at and below level 5 (verbose), in other words, all levels.

  3. Stop tracing: xperf -stop clr. This creates the .etl file clr.etl.

For a description of the events, see CLR ETW Events.

See Also

Other Resources

Windows Performance Toolkit (WPT)