.NET Framework 4
Logging CLR Events with ETW

[This documentation is for preview only, and is subject to change in later releases. Blank topics are included as placeholders.]

You can use Event Tracing for Windows (ETW) to record common language runtime (CLR) events. You can use the tools in the Windows Performance Toolkit to record and view ETW logs. Use the trace capture, processing, and command-line analysis tool (Xperf.exe) to record CLR events, and use the Performance Analyzer tool to view the resulting logs.

To capture CLR event information, you must install the CLR provider on your computer.

  • On Windows Vista and later operating systems, install the provider by using the Windows Wevtutil command-line tool. The command to install the CLR provider is: wevtutil im CLR-ETW.man.

  • On Windows operating systems before Windows Vista, install the provider by using the Windows mofcomp command-line tool. The command to install the CLR provider is: mofcomp CLR.mof.

Both CLR.mof and CLR-ETW.man are in the %WINDIR%\Microsoft.NET\Framework[64]\v4.<.NET version>\ directory.

To confirm that the provider is installed, type logman query providers at the command prompt. A list of providers is displayed. This list should contain an entry for the .NET Framework common language runtime, as follows.

Provider                                  GUID
-------------------------------------------------------------------------------
.NET Common Language Runtime              {E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}
ACPI Driver Trace Provider                {DAB01D4D-2D48-477D-B1C3-DAAD0CE6F06B}
Active Directory Domain Services: SAM     {8E598056-8993-11D2-819E-0000F875A064}
Active Directory: Kerberos Client         {BBA3ADD2-C229-4CDB-AE2B-57EB6966B0C4}
Active Directory: NetLogon                {F33959B4-DBEC-11D2-895B-00C04F79AB69}
ASP.NET Events                            {AFF081FE-0247-4275-9C4E-021F3DC1DA35}
...

If the CLR provider is not listed, you can register it as follows:

  1. At the command prompt, change to the .NET Framework 2.0 installation directory, for example: cd C:\Windows\Microsoft.NET\Framework\v2.0.50727.

  2. At the command prompt, type: mofcomp CLR.mof. This command registers the CLR provider and its event handlers.

On Windows Vista, you must open the Command Prompt window as an administrator.

On Windows XP and Windows Server 2003, you must enable .NET Framework processes to be ETW event providers. You can do that in one of three ways:

  • Use the <etwEnable> element in the application configuration file.

  • Set the COMPlus_ETWEnabled environment variable to 1. At the command prompt, type: set COMPlus_ETWEnabled=1.

  • Set the registry key HKLM\Software\Microsoft\.NetFramework\ETWEnabled to 1.

Note

Both the environment variable and the registry key enable event tracing for the entire computer. To avoid slower performance, be sure to turn off the registry key or environment variable when tracing is complete.

Capturing CLR ETW Events

You can use the Logman, Tracerpt, and Xperf command-line tools to capture and decode ETW events.

To capture CLR ETW events using logman and tracerpt

  1. Create a file called clr.guid that contains the content: {Provider GUID} flag level. For example, for the CLR provider, this file will contain the following:

    {e13c0d23-ccbc-4e12-931b-d9cc2eee27e4} 0xffffffff 5

    where the GUID is the CLR ETW provider GUID, and 0xffffffff 5 means trace everything at and below level 5, which is the highest level (verbose mode); that is, trace everything at all levels.

  2. On pre-Vista computers, make sure that CLR ETW tracing is enabled as described in the previous section.

  3. Start ETW tracing. At the command prompt, type: logman start clrevents -pf clr.guid -ets -ct perf. The -ct perf parameter specifies that the QueryPerformanceCounter function will be used to log the time stamp for each event.

  4. To stop logging the events, type: logman stop clrevents -ets. This command creates a trace file named clrevents.etl.

  5. To decode the events using the Managed Object Format (MOF), type: tracerpt clrevents.etl. This command will create two files: dumpfile.csv and summary.txt. dumpfile.csv lists all the events, and summary.txt provides a summary of the events. On Windows Vista, tracerpt will generate dumpfile.xml instead of dumpfile.csv.
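The provider check and the logman/tracerpt steps above, combined into one bounded capture. This is an added example, not part of the original documentation. It assumes Windows Vista or later, a 30-second capture window, and a temporary working directory, and it adds logman's -o option to pin where the .etl file is written.

```powershell
# Added example: one time-boxed CLR trace using the logman/tracerpt steps on this page.
$ErrorActionPreference = 'Stop'
$ClrProvider = '{e13c0d23-ccbc-4e12-931b-d9cc2eee27e4}'   # CLR provider GUID from this page
$Session     = 'clrevents'                                # session name used on this page
$Seconds     = 30                                         # assumed capture window

# Starting a trace session requires an elevated prompt.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell prompt.'
}

# Confirm the provider is registered; match on the GUID rather than the display name.
if (-not (logman query providers | Select-String -SimpleMatch $ClrProvider)) {
    throw "CLR provider $ClrProvider is not registered; install it first."
}

# Work in a fresh directory so tracerpt output never collides with older files.
$work = Join-Path $env:TEMP ('clr-etw-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $work | Out-Null
Push-Location $work
try {
    # Provider file format: {Provider GUID} flags level
    Set-Content -Path 'clr.guid' -Value "$ClrProvider 0xffffffff 5" -Encoding ASCII
    $etl = Join-Path $work "$Session.etl"

    logman start $Session -pf clr.guid -o $etl -ets -ct perf
    if ($LASTEXITCODE -ne 0) { throw "logman start failed ($LASTEXITCODE)" }
    try {
        Start-Sleep -Seconds $Seconds      # run the managed workload during this window
    }
    finally {
        # Always stop the session so verbose tracing does not keep running.
        logman stop $Session -ets
    }
    if (-not (Test-Path $etl)) { throw "Expected trace file $etl was not created." }

    # Decode the trace; tracerpt writes its dump and summary files to the current directory.
    tracerpt $etl
    if ($LASTEXITCODE -ne 0) { throw "tracerpt failed ($LASTEXITCODE)" }
    Get-ChildItem -Path $work | Select-Object Name, Length
}
finally {
    Pop-Location
}
```

The inner finally block stops the session even if the capture window is interrupted, so a verbose session is not left running on the machine.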

To capture CLR ETW events using xperf

  1. Set the complus_etwenabled environment variable to enable ETW in CLR (pre-Vista systems only). At the command prompt, type: set complus_etwenabled=1.

  2. Start ETW tracing. At the command prompt, type: xperf -start clr -on e13c0d23-ccbc-4e12-931b-d9cc2eee27e4:0x50:5 -f clr.etl. The GUID is the CLR ETW provider GUID, and 0x50:5 means trace everything at and below level 5 (verbose mode); that is, trace everything at all levels.

  3. To stop tracing, type: xperf -stop clr. This command creates a trace file named clr.etl.

For a description of the events, see CLR ETW Events.
