[This documentation is for preview only, and is subject to change in later releases. Blank topics are included as placeholders.]
Event Tracing for Windows (ETW) is a high-performance, low-overhead, scalable tracing system provided by Windows operating systems.
The common language runtime (CLR) provides useful ETW diagnostic information through a large variety of debugging and profiling events. CLR ETW events leverage the Windows ETW tracing system to augment the existing profiling and debugging support provided by the common language runtime.
CLR ETW events can be used for troubleshooting and production diagnostics of a variety of scenarios and offer the following advantages:
ETW logging is available in all Windows operating systems since Windows 2000. Windows comes with ETW tools such as TraceRpt, and additional free tools such as Xperf are provided in the Windows Performance Toolkit and are available for download.
ETW offers a lightweight deployment scheme for production diagnostics. The application being profiled does not have to be instrumented or interfered with for profiling. For example, a server application can continue to run while ETW logging is activated; it is not necessary for the application to be taken offline for logging.
ETW supports attach/detach scenarios: ETW logging can be started and stopped any time while the process is executing.
The information that can be gathered through ETW logging can range from highly detailed to very coarse-grained, allowing for troubleshooting a wide variety of scenarios.
More information about ETW is available in the article Improve Debugging and Performance Tuning with ETW on MSDN. Information about Xperf can be found in the entry Windows Performance Toolkit - Xperf in the NTDebugging blog.
Additional CLR ETW tools now in development will be provided on the CodePlex Web site as they become available.
The following sections describe events and their specific event data. The remainder of the event header (see the Appendix) remains similar in structure for all ETW events.
ETW consists of three major diagnostics components: the provider, the controller, and the consumer.
The provider is the infrastructure that raises events. For example, the runtime provider can raise events every time a method is just-in-time (JIT) loaded. The code to support this is included in the runtime. The CLR has two providers - the runtime provider and the rundown provider.
The runtime provider raises events belonging to a category only if keywords that turn on ETW logging for those events are enabled. The tool that is used to control which events are raised is called the controller. Tools, including XPerf and logman (which is shipped with Windows), can be used as the controller to select which categories of events are raised. For example, you can collect loader events by enabling the LoaderKeyword.
The ETW events are logged into a file that has an .etl extension. The tool that reads these logs and provides a user-readable output to the end user is called the consumer. Many tools that serve as controllers also serve as consumers; for example, XPerf can both select the events to be raised and provide the event logs.
Event keywords enable the filtering of events by category. The keywords are designed to be combined with a bitwise OR operation to generate values. In practice, you use the hexadecimal values of the keywords instead of the keyword names when you call the command-line utilities. The following tables list the CLR ETW keywords, their values, and an explanation of their purpose.
Runtime keywords
Keyword name | Value | Purpose |
|---|
GCKeyword | 0x00000001 | Enables the collection of garbage collection events |
LoaderKeyword | 0x00000008 | Enables the collection of Loader events, including AppDomain Load/Unload, Assembly Load/Unload, and Module Load/Unload. |
JitKeyword | 0x00000010 | Enables the collection of just-in-time (JIT) events. |
NGenKeyword | 0x00000020 | Enables the collection of Native Image Generator (Ngen.exe) events, and is used with the StartEnumerationKeyword and EndEnumerationKeyword. |
StartEnumerationKeyword | 0x00000040 | Enables the enumeration of all the methods whenever created in the runtime and when used in conjunction with the NgenKeyword. |
EndEnumerationKeyword | 0x00000080 | Enables the enumeration of all the methods whenever they are destroyed in the runtime and when used in conjunction with the JitKeyword and the NgenKeyword. |
SecurityKeyword | 0x00000400 | Enables the collection of security events, including strong name and Authenticode verification. |
AppDomainResourceManagementKeyword | 0x00000800 | Enables the collection of resource monitoring events at an application domain level. |
JitTracingKeyword | 0x00001000 | Enables the collection of JIT tracing events. |
InteropKeyword | 0x00002000 | Enables the collection of interop events. |
ContentionKeyword | 0x00004000 | Enables the collection of contention events. |
ExceptionKeyword | 0x00008000 | Enables the collection of exception events. |
ThreadingKeyword | 0x00010000 | Enables the collection of thread events such as Thread Start. |
StackKeyword | 0x40000000 | Enables the collection of stack trace events. |
Rundown keywords
Keyword name | Value | Purpose |
|---|
LoaderRundownKeyword | 0x00000008 | Enables the collection of Loader events, including AppDomain, Assembly, and Module DCStart and DCEnd when used with StartRundownKeyword and EndRundownKeyword |
JitRundownKeyword | 0x00000010 | Enables the collection of method DCStart and DCEnd events for JIT-compiled methods when used with StartRundownKeyword and EndRundownKeyword |
NGenRundownKeyword | 0x00000020 | Enables the collection of Method DCStart and DCEnd events for NGENed methods when used with the StartRundownKeyword and EndRundownKeyword. |
StartRundownKeyword | 0x00000040 | Enables the enumeration of system state during a start rundown. |
EndRundownKeyword | 0x00000100 | Enables enumeration of system state during an end rundown. |
AppDomainResourceManagementRundownKeyword | 0x00000800 | Enables the collection of events for resource monitoring at an AppDomain level when used with the StartRundownKeyword or the EndRundownKeyword. |
StackKeyword | 0x40000000 | Enables the collection of stack trace events |
The runtime provider provides the raising of events while a process is running. These events are the source of information about the process. Keywords can be used to filter the logged information.
In addition to keywords such as NGenKeyword or LoaderKeyword, further keywords can be enabled to obtain a select set of events. Certain categories of events are voluminous and not always useful, so they are turned off by default, because their frequency can cause some events to be lost from the log file. The StartEnumerationKeyword and the EndEnumerationKeyword enable these events, which are summarized in Table 1 in the appendix. These flags add filters to those already provided by event keywords.
The CLR runtime provider GUID is e13c0d23-ccbc-4e12-931b-d9cc2eee27e4. For example, to enable logging of all sets of events in the runtime provider, use the following command in XPerf:
xperf -start clr -on e13c0d23-ccbc-4e12-931b-d9cc2eee27e4:0xFFFFFFFF:0x5 -f clr.etl
To enable logging of all events except for the enumeration and stack events, use the following command in XPerf:
xperf -start clr -on e13c0d23-ccbc-4e12-931b-d9cc2eee27e4:0x1FC1F:0x5 -f clr.etl
ETW logging can be enabled before a process launches, and the logging can be turned off after the process exits. However, if ETW logging is turned on while the process is executing, additional information is needed about the process. For example, for symbol resolution you need method events for methods that were already loaded before logging was turned on.
The data collection (DC) events DCStart and DCEnd enable a process to be monitored when ETW logging is started while the process is executing. These events can provide information about what has already happened on the process, for example, which methods were just-in-time loaded, and so on. The DCStart and DCEnd events capture the state of the process when data collection was started and stopped.
For example, assume that profiling is enabled at the middle of a process, and the rundown provider is enabled in addition to the runtime provider. If profiling is stopped before the process ends, it is not possible to determine what percentage of the process lifetime was profiled.
However, you can turn off profiling but still generate events until the process has exited. That is done with the DCEnd events signaling the end of data collection for that process. When a profiling detach is signaled through a tool (for example, by using the stop clrrundown command), the tool does not need to turn profiling off. The ability to do this is tool-dependent, but the capability exists.
The CLR Rundown provider GUID is A669021C-C450-4609-A035-5AF59AF4DF18.
In addition to the event keyword filters, the rundown provider also supports additional flags to provide targeted filtering. For example, you may only want the DCStart for JIT events – this filter can be set by enabling both the Jit keyword and the StartRundown keyword.
Start Rundown
A start rundown occurs when the rundown provider is enabled with the StartRundownKeyword. This causes the DCStart event to be raised, and captures the state of the system by enumerating all the methods and modules that were already loaded. This is useful when profiling is enabled while a process is already executing.
Before the start of the enumeration, the DCStartComplete event is logged.
End Rundown
An end rundown occurs when the rundown provider is enabled with the EndRundownKeyword. This causes the DCEnd event to be raised, and captures the state of the system when profiling is started by enumerating all the methods and modules that were already loaded.
End rundown is used to stop profiling on a process that continues to execute.
ETW is asynchronous, so when a provider is disabled, the data channel (the profiling) is shut down immediately. However, the DCEnd events might still be needed for managed symbol resolution.
Therefore, when you want to stop profiling a process, an ETW rundown session is started with the EndRundownKeyword and other keywords enabled. Finally, all ETW sessions are terminated.
Before the start of the enumeration, the DCEndInit event is raised. At the end of the enumeration, the DCEndComplete event is raised to notify the controller that data collection terminated normally.
Start rundown and end rundown, which raise the DCStart and DCEnd events, are primarily used for managed symbol resolution. When using the DC events for managed symbol resolution, we recommend that you use the EndRundownKeyword (which supplies DCEnd events) instead of the StartRundownKeyword (which supplies DCStart events) to minimize the impact of the enumeration on the profiling of the application.
Only the events with DCStart, DCEnd, or DCInit in their names are raised under the rundown provider; and these events are raised only under the rundown provider.
ETW events can also be filtered by levels. If the level is set at 5 (0x5), events of all levels, including 0x5 and below (those events belonging to categories enabled through keywords), are raised. If the level is set at 0x2, only events that belong to level 0x2 and below are raised.
The levels are determined as follows:
0x5 - Verbose
0x4 - Informational
0x3 - Warning
0x2 - Error
0x1 - Critical
0x0 - LogAlways
As mentioned in the previous section, there are two CLR providers – the runtime provider and the rundown provider – to support attach/detach scenarios.
The following illustration shows how ETW data collection occurs over a process lifetime. The DCStart events capture diagnostic information when profiling is turned on (and the process is already executing); the runtime events under the runtime provider capture diagnostic events related to the execution of the process as it happens; and the DCEnd events capture diagnostic information when profiling is turned off (although the process may continue to execute).
Many DCStart and DCEnd events contained in the runtime provider exist in the rundown provider to support the profiler attach and profiler detach scenarios respectively.
A typical session for a process that has already started would be as follows:
xperf -start clr -on e13c0d23-ccbc-4e12-931b-d9cc2eee27e4:0x1FC1F:0x5 -f clr1.etl (turn on runtime session)
When you want to stop profiling:
xperf -start clr -on A669021C-C450-4609-A035-5AF59AF4DF18:0x138:0x5 -f clr2.etl (enable collection of DCEnd events to start a rundown session, and wait for 30 seconds for all events to be collected)
xperf -stop (stop all profiling)
xperf -merge -d clr1.etl clr2.etl merged.etl (merge the two log files into merged.etl)
The file merged.etl will contain the events from the runtime and the rundown provider sessions.
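The keyword and level rules described above, as an added Python example (not code from the original documentation): it builds masks by OR-ing the table values, decodes the mask values used in the xperf commands on this page against those tables, and models the keyword-plus-level test as the page states it. The function names are hypothetical; the GUIDs, keyword values and levels are the ones listed on this page.

```python
"""Added example: CLR ETW keyword masks and level filtering."""

RUNTIME_GUID = "e13c0d23-ccbc-4e12-931b-d9cc2eee27e4"
RUNDOWN_GUID = "A669021C-C450-4609-A035-5AF59AF4DF18"

# Values copied from the "Runtime keywords" table.
RUNTIME_KEYWORDS = {
    "GCKeyword": 0x00000001,
    "LoaderKeyword": 0x00000008,
    "JitKeyword": 0x00000010,
    "NGenKeyword": 0x00000020,
    "StartEnumerationKeyword": 0x00000040,
    "EndEnumerationKeyword": 0x00000080,
    "SecurityKeyword": 0x00000400,
    "AppDomainResourceManagementKeyword": 0x00000800,
    "JitTracingKeyword": 0x00001000,
    "InteropKeyword": 0x00002000,
    "ContentionKeyword": 0x00004000,
    "ExceptionKeyword": 0x00008000,
    "ThreadingKeyword": 0x00010000,
    "StackKeyword": 0x40000000,
}

# Values copied from the "Rundown keywords" table.
RUNDOWN_KEYWORDS = {
    "LoaderRundownKeyword": 0x00000008,
    "JitRundownKeyword": 0x00000010,
    "NGenRundownKeyword": 0x00000020,
    "StartRundownKeyword": 0x00000040,
    "EndRundownKeyword": 0x00000100,
    "AppDomainResourceManagementRundownKeyword": 0x00000800,
    "StackKeyword": 0x40000000,
}

LEVELS = {"LogAlways": 0, "Critical": 1, "Error": 2,
          "Warning": 3, "Informational": 4, "Verbose": 5}


def build_mask(table, names):
    """OR the named keywords together into one session mask."""
    mask = 0
    for name in names:
        mask |= table[name]
    return mask


def decode_mask(table, mask):
    """Return (keyword names set in mask, bits that have no table entry)."""
    names = [name for name, bit in table.items() if mask & bit]
    return names, mask & ~build_mask(table, table)


def is_raised(event_keywords, event_level, session_mask, session_level):
    """Model of the filter described on this page.

    event_keywords is the OR of the keywords an event is raised under;
    0 stands for "any keyword or mask will work". Treating several
    listed keywords as "any of them matches" is an assumption.
    """
    keyword_ok = event_keywords == 0 or bool(event_keywords & session_mask)
    return keyword_ok and event_level <= session_level


def provider_spec(guid, mask, level):
    """Format the GUID:keywords:level argument used after xperf -on."""
    return "%s:0x%X:0x%X" % (guid, mask, level)


if __name__ == "__main__":
    # Mask computed from the table: everything except enumeration and stack.
    wanted = [n for n in RUNTIME_KEYWORDS
              if n not in ("StartEnumerationKeyword",
                           "EndEnumerationKeyword", "StackKeyword")]
    print(provider_spec(RUNTIME_GUID, build_mask(RUNTIME_KEYWORDS, wanted), 5))

    # 0x1FC1F from the commands above, decoded against the runtime table:
    # NGenKeyword (0x20) is clear, and bits 0x2 and 0x4 have no table entry.
    print(decode_mask(RUNTIME_KEYWORDS, 0x1FC1F))

    # 0x138 from the rundown command: Loader, Jit, NGen and EndRundown.
    print(decode_mask(RUNDOWN_KEYWORDS, 0x138))

    # AllocationTick is Verbose (5): dropped when the session level is 4.
    gc = RUNTIME_KEYWORDS["GCKeyword"]
    print(is_raised(gc, LEVELS["Verbose"], 0x1FC1F, LEVELS["Informational"]))
```

Decoding a mask before starting a session is a quick way to confirm that the categories you expect (for example NGen or Loader events) are actually enabled.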
Runtime Information Events
Startup events provide details about the runtime during startup, including the SKU, version number, the manner in which the runtime was activated, the command-line parameters it was started with, the GUID (if applicable), and so on. These events help you in debugging (for example, in debugging the command-line parameters the runtime was invoked with). In addition, if multiple runtimes are executing, this information becomes critical.
Keywords under which event is raised: Any keyword or mask will work
Level: Informational (4)
Event | Provider | Description |
|---|
RuntimeInformationEvent | CLRRuntime | Raised when a runtime is loaded. |
RuntimeInformationDCStart | CLRRundown | Enumerating the runtimes loaded. |
Event data
Field name | Data type | Description |
|---|
ClrInstanceID | UCHAR | Unique ID for the instance of CLR or CoreCLR. |
SKU | UCHAR | 1 – Desktop CLR. 2 – CoreCLR. |
BclVersion – Major Version | USHORT | Major version of mscorlib.dll. |
BclVersion – Minor Version | USHORT | Minor version number of mscorlib.dll. |
BclVersion – Build Number | USHORT | Build number of mscorlib.dll. |
BclVersion – QFE | USHORT | QFE version number of mscorlib.dll. |
VMVersion – Major Version | USHORT | Version of clr.dll or coreclr.dll, depending on SKU. |
VMVersion – Minor Version | USHORT | Minor version of clr.dll or coreclr.dll, depending on SKU. |
VMVersion – Build Number | USHORT | Build number of clr.dll or coreclr.dll. |
VMVersion – QFE | USHORT | QFE version number of clr.dll or coreclr.dll. |
StartupFlags | DWORD | As defined in mscoree.h. |
StartupMode | UCHAR | 0x01 - Managed executable. 0x02 - Hosted CLR. 0x04 - IJW. 0x08 - COM-activated. |
CommandLine | WCHAR * | Non-null only if StartupMode=0x01 |
ComObjectGUID | GUID | Non-null only if StartupMode=0x08 |
RuntimeDLLPath | WCHAR * | Path to the CLR .dll file that was loaded into the process. |
The event payload contains details about exceptions, including helpful messages, the type of exception, the instruction pointer of the managed code that threw the exception, and so on. For example, when an exception is thrown, it is helpful to determine which code threw the exception, and what the exception type was.
Keywords under which event is raised: ExceptionKeyword (0x8000)
Level: Warning (2)
Event | Description |
|---|
Exception | A managed exception is thrown. |
Event data
Field name | Data type | Description |
|---|
Exception Type | WCHAR* | Type of the exception; for example, NullPointerException. |
Exception Message | WCHAR* | Actual exception message. |
EIPCodeThrow | SIZE_T | Instruction pointer where exception occurred. |
ExceptionHR | UINT32 | Exception HResult. |
ExceptionFlags | UINT8 | Bit 0: HasInnerException? Bit 1: IsNestedException? Bit 2: IsRethrownException? Bit 3: IsCorruptedStateException? Bit 4: IsCLSCompliant? |
This event is raised whenever there is contention for a native or a managed lock.
Keywords under which event is raised: ContentionKeyword (0x4000)
Level: Informational (4)
Event | Description |
|---|
ContentionStart_V1 | Raised when the contention starts. |
ContentionStop | Raised when the contention ends. |
Event data
Field name | Data type | Description |
|---|
Flags | UINT8 | Bit 0: 0 for managed; 1 for native (CRST). |
These events relate to the CLR's thread pool and provide notification of various events, including when a thread is created or stopped. These can be used to understand how an application is using the thread pool.
Keywords under which event is raised: ThreadingKeyword (0x10000)
Level: Informational
Thread Pool Suspension
Event | Description |
|---|
ThreadpoolSuspensionSuspendThread | A worker thread is suspended. |
ThreadpoolSuspensionResumeThread | A worker thread is resumed. |
Event data
Field name | Data type | Description |
|---|
Thread ID | Win:UInt32 | Thread ID. |
CPU Utilization | Win:UInt32 | CPU utilization. |
Thread Pool Worker Thread Start/Stop
Event | Description |
|---|
ThreadPoolWorkerThreadStart | A worker thread is created. |
ThreadPoolWorkerThreadStop | A worker thread is stopped. |
ThreadPoolWorkerThreadRetirementStart | A worker thread retires. |
ThreadPoolWorkerThreadRetirementStop | A retired worker thread becomes active again. |
Event data
Field name | Data type | Description |
|---|
ActiveWorkerThreadCount | Win:UInt32 | Number of active worker threads. |
RetiredWorkerThreadCount | Win:UInt32 | Number of retired worker threads. |
Thread Pool Worker Thread Adjustment Sample
Event | Description |
|---|
ThreadPoolWorkerThreadAdjustmentSample | A sample refers to the collection of the information for one sample, that is, a measurement of throughput with a certain concurrency level, in an instant of time. |
Event data
Field name | Data type | Description |
|---|
Throughput | Win:Double | Number of completions per unit of time. |
Thread Pool Worker Thread Adjustment
Event | Description |
|---|
ThreadPoolWorkerThreadAdjustmentAdjustment | Records a change in control, when the thread injection (hill climbing) algorithm determines that a change in concurrency level is in place. |
Event data
Field name | Data type | Description |
|---|
AverageThroughput | Win:Double | Average throughput of a sample of measurements. |
NewWorkerThreadCount | Win:UInt32 | Number of worker threads added. |
Reason | Win:UInt32 | Reason for the adjustment. |
These events track information pertaining to loader events, including the number of assemblies that were loaded. These can be used for diagnostics/debugging; for example, by tracking the number of assemblies loaded on startup, you can obtain information to reduce startup times.
All loader events are level Informational (0x4).
All loader events are raised under the LoaderKeyword (0x8). The DCStart and the DCEnd events are raised under the LoaderRundownKeyword (0x8) with StartRundown/EndRundown enabled.
Loader events are subdivided into the following:
AppDomain events.
Assembly events.
Module events.
AppDomainModule events.
AppDomain Events
Event | Description |
|---|
AppDomainLoad | AppDomain Load event, which is raised whenever a domain is created during the lifetime of a process. |
AppDomainUnLoad | AppDomain Unload event, which is raised whenever a domain is destroyed during the lifetime of a process. |
AppDomainDCStart | Enumerates the application domains during a start rundown. |
AppDomainDCEnd | Enumerates the application domains during an end rundown. |
Event data
Field name | Data type | Description |
|---|
AppDomainID | UINT64 | Used to identify the assembly which this module belongs to. |
AppDomainFlags | UINT32 | Bit 0: Set to 1 for the default domain; otherwise, 0. Bit 1: Set to 1 if executable; otherwise, 0. Bit 2: Set to 1 if an application domain, 0 if a shared domain. Bit 28-31: Sharing policy of this domain. Currently 0 for a shared domain. |
AppDomainName | WCHAR* | Friendly application domain name. Might change during the lifetime of the process. |
CLR Loader Assembly Events
Event | Description |
|---|
AssemblyLoad | An assembly is loaded during the lifetime of a process. |
AssemblyUnload | An assembly is unloaded during the lifetime of a process. |
AssemblyDCStart | Enumerates assemblies during a start rundown. |
AssemblyDCEnd | Enumerates assemblies during an end rundown. |
Event data
Field name | Data type | Description |
|---|
AssemblyID | UINT64 | Unique ID for the assembly. |
AppDomainID | UINT64 | ID of the domain of this assembly. |
AssemblyFlags | UINT32 | Bit 0: 1 for a domain neutral assembly; 0 for a non-domain neutral assembly. Bit 1: 1 for a dynamic assembly; 0 for a non-dynamic assembly. |
AssemblyName | WCHAR | Fully qualified assembly name. |
Module Events
Event | Description |
|---|
ModuleLoad | A module is loaded during the lifetime of a process. |
ModuleUnload | A module is unloaded during the lifetime of a process. |
ModuleDCStart | Enumerates modules during a start rundown. |
ModuleDCEnd | Enumerates modules during an end rundown. |
Event data
Field name | Data type | Description |
|---|
ModuleID | UINT64 | Identifies the assembly which this module belongs to. |
AssemblyID | UINT64 | ID of the assembly in which this module resides. |
ModuleFlags | UINT64 | Bit 0: 1 for a domain neutral assembly; 0 for a non-domain neutral assembly. Bit 1: 1 if the module has a native image; 0 if not. Bit 2: 1 for a dynamic assembly; 0 for a non-dynamic assembly. Bit 3: 1 for a manifest module; otherwise, 0. Bit 4: 1 if IBC optimized; otherwise, 0. |
ModuleILPath | WChar | Path of the module IL image or dynamic module name if dynamic assembly (null-terminated). |
ModuleNativePath | WChar | Path of the module native image if present (null-terminated). |
CLR Domain Module Events
Event | Description |
|---|
DomainModuleLoad | A module is loaded for an application domain. |
DomainModuleDCStart | Enumerates modules loaded for an AppDomain during a start rundown. |
DomainModuleDCEnd | Enumerates modules loaded for an AppDomain during an end rundown. |
Event data
Field name | Data type | Description |
|---|
ModuleID | UINT64 | Identifies the assembly which this module belongs to. |
AssemblyID | UINT64 | ID of the assembly in which this module resides. |
AppDomainID | UINT64 | ID of the application domain in which this module is used. |
ModuleFlags | UINT64 | Bit 0: 1 for a domain neutral assembly; 0 for a non-domain neutral assembly. Bit 1: 1 if the module has a native image; otherwise, 0. Bit 2: 1 for a dynamic assembly; 0 for a non-dynamic assembly. Bit 3: 1 for a manifest module; otherwise, 0. Bit 4: 1 if IBC optimized; otherwise, 0. |
ModuleILPath | WChar | Path of the module IL image or dynamic module name if dynamic assembly (null-terminated). |
ModuleNativePath | WChar | Path of the module Native image if present (null-terminated). |
Method Events
These events collect information specific to methods. For example, this information can be used to reduce working sets by reducing the number of methods that were called. In addition, these events will provide helpful information such as the number of times a method was called.
All method events have Level "Informational (4)".
All method events are raised by the JITKeyword (0x10) or the NGENKeyword (0x20) under the runtime provider, or the JitRundownKeyword (0x10) or the NGENRundownKeyword (0x20) under the rundown provider.
CLR method events are further subdivided into the following:
CLR Method Events
Event | Description |
|---|
MethodLoad | A method is JIT-loaded or an NGEN image is loaded. Dynamic and generic methods always use this version for method loads. JIT helpers always use this version. |
MethodUnLoad | A dynamic method is destroyed, a module is unloaded, or an application domain is destroyed. Dynamic methods always use this version for method unloads. |
MethodDCStart | Enumerate methods during a start rundown. |
MethodDCEnd | Enumerate methods during an end rundown. |
Event data
Field name | Data type | Description |
|---|
MethodIdentifier | UINT64 | MethodDesc (unique processwide). For JIT helper methods, set to the start address of the method. |
ModuleId | UINT64 | Identifies the module to which this method belongs (0 for JIT helpers). |
MethodStartAddress | UINT64 | Start address. |
MethodSize | UINT32 | Method length. |
MethodToken | UINT32 | 0 for dynamic methods and JIT helpers. |
MethodFlags | UINT32 | Bit 0: 1 for a dynamic method that is generated at run time and that has no module or assembly associated with it; otherwise, 0. Bit 1: 1 for a generic method; otherwise, 0. Bit 2: 1 when the method has a shared generic method that is shared by generic method instantiations; otherwise, 0. Bit 3: 1 when a method is a JITed method; 0 when a method is an NGENed method. Bit 4: 1 for a helper method; otherwise, 0. Bits 28-31: The range number for the method: 0 for the hot section; 1 for the cold section. |
MethodNameSpace | WChar* | Namespace of the method. |
MethodName | WChar* | Name of the method. |
MethodSignature | WChar* | Signature of the method. |
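Managed symbol resolution with these method events, as an added Python example (not code from the original documentation): it replays MethodLoad, MethodUnLoad and MethodDCEnd records into an address map and resolves an instruction pointer such as EIPCodeThrow to a method name, showing why a runtime-only log from a session attached mid-process cannot resolve methods that were compiled before logging began. It assumes the events have already been decoded from the .etl file into dictionaries keyed by the field names in the table above; the class, helper names and all sample addresses and method names are constructed.

```python
"""Added example: resolving addresses from CLR method events."""
import bisect

LOAD_EVENTS = ("MethodLoad", "MethodDCStart", "MethodDCEnd")


def decode_method_flags(flags):
    """Decode MethodFlags using the bit layout in the event data table."""
    range_no = (flags >> 28) & 0xF
    return {
        "dynamic": bool(flags & 0x01),
        "generic": bool(flags & 0x02),
        "shared_generic": bool(flags & 0x04),
        "jitted": bool(flags & 0x08),      # 0 means an NGENed method
        "helper": bool(flags & 0x10),
        "range": {0: "hot", 1: "cold"}.get(range_no, range_no),
    }


class MethodMap:
    """Address ranges keyed by start address, so the hot and cold
    sections of one method are tracked as separate ranges."""

    def __init__(self):
        self._by_start = {}
        self._starts = None            # sorted cache, rebuilt lazily

    def feed(self, ev):
        start = ev["MethodStartAddress"]
        if ev["Event"] in LOAD_EVENTS:
            name = ev["MethodNameSpace"] + "." + ev["MethodName"]
            self._by_start[start] = (ev["MethodSize"], name, ev["MethodFlags"])
            self._starts = None
        elif ev["Event"] == "MethodUnLoad":
            # The range may be reused later, so drop it when it unloads.
            self._by_start.pop(start, None)
            self._starts = None

    def resolve(self, address):
        """Return (name, offset, decoded flags) or None if unmapped."""
        if self._starts is None:
            self._starts = sorted(self._by_start)
        i = bisect.bisect_right(self._starts, address) - 1
        if i < 0:
            return None
        start = self._starts[i]
        size, name, flags = self._by_start[start]
        if address >= start + size:
            return None
        return name, address - start, decode_method_flags(flags)


def build_map(*sessions):
    """Replay one or more decoded sessions, in order, into a MethodMap."""
    method_map = MethodMap()
    for session in sessions:
        for ev in session:
            method_map.feed(ev)
    return method_map


def _ev(kind, start, size, flags, namespace, name):
    return {"Event": kind, "MethodStartAddress": start, "MethodSize": size,
            "MethodFlags": flags, "MethodNameSpace": namespace,
            "MethodName": name}


# Constructed sample: logging was attached after App.Program.Main was jitted.
RUNTIME_SESSION = [
    _ev("MethodLoad", 0x7FF800002000, 0x80, 0x08, "App.Worker", "Run"),
    _ev("MethodLoad", 0x7FF800003000, 0x40, 0x09, "dynamicClass", "Emit0"),
    _ev("MethodUnLoad", 0x7FF800003000, 0x40, 0x09, "dynamicClass", "Emit0"),
]
RUNDOWN_SESSION = [  # DCEnd enumeration collected when profiling stops
    _ev("MethodDCEnd", 0x7FF800001000, 0x120, 0x08, "App.Program", "Main"),
    _ev("MethodDCEnd", 0x7FF800002000, 0x80, 0x08, "App.Worker", "Run"),
]
EIP_CODE_THROW = 0x7FF800001044   # constructed Exception event field value

if __name__ == "__main__":
    print(build_map(RUNTIME_SESSION).resolve(EIP_CODE_THROW))
    print(build_map(RUNTIME_SESSION, RUNDOWN_SESSION).resolve(EIP_CODE_THROW))
```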
CLR Method Marker Events
These events occur only under the rundown provider. They signify the end of method enumeration during a start or end rundown (raised when the NGENRundownKeyword, JitRundownKeyword, LoaderRundownKeyword, or AppDomainResourceManagementRundownKeyword is enabled).
Event | Description |
|---|
DCStartComplete | This event is sent before the start of the enumeration during a start rundown. |
DCEndInit | This event is sent before the start of the enumeration during an end rundown. |
DCEndComplete | This event is sent at the end of the enumeration during an end rundown. |
These events have no event payload.
These events collect information pertaining to garbage collection. These events help in diagnostics/debugging, including obtaining how many times garbage collection was performed, how much memory was freed during garbage collection, and so on.
GC Start Event
Keywords under which event is raised: GCKeyword (0x1)
Level: Informational (4)
Event | Description |
|---|
GCStart | A garbage collection has started. |
Event data
Field name | Data type | Description |
|---|
Count | UINT32 | The nth garbage collection. |
Depth | UINT32 | Generation. |
Reason | ENUM | Why the GC was triggered: by an allocation, memory pressure, or an induced GC: 0 – GC_ALLOC_SOH, followed by GC_INDUCED, GC_LOWMEMORY, GC_EMPTY, GC_ALLOC_LOH, GC_OOS_SOH, GC_OOS_LOH. Abbreviations: SOH – small object heap; LOH – large object heap; ALLOC – allocation; OOS – out of space. |
Type | ENUM | 0 – GC_NGC; 1 – GC_BGC; 2 – GC_FGC |
GC End Event
Keywords under which event is raised: GCKeyword (0x1)
Level: Informational (4)
Event | Description |
|---|
GCEnd | The garbage collection has ended. |
Event data
Field name | Data type | Description |
|---|
Count | UINT32 | The nth garbage collection. |
Depth | UINT32 | Generation. |
GC Heap Statistics
Keywords under which event is raised: GCKeyword (0x1)
Level: Informational (4)
Event | Description |
|---|
GCHeapStats | Shows the heap statistics at the end of each garbage collection. |
Event data
Field name | Data type | Description |
|---|
GenerationSize0 | UINT64 | The size of generation 0 memory. |
TotalPromotedSize0 | UINT64 | The size of promoted generation 0 memory. |
GenerationSize1 | UINT64 | The size of generation 1 memory. |
TotalPromotedSize1 | UINT64 | The size of promoted generation 1 memory. |
GenerationSize2 | UINT64 | The size of generation 2 memory. |
TotalPromotedSize2 | UINT64 | The size of promoted generation 2 memory. |
GenerationSize3 | UINT64 | The size of generation 2 memory. |
TotalPromotedSize3 | UINT64 | The size of promoted generation 3 memory. |
FinalizationPromotedSize | UINT64 | The size of the finalization promoted objects. |
FinalizationPromotedCount | UINT64 | The count of the finalization promoted objects. |
PinnedObjectCount | UINT32 | The count of pinned (unmovable) objects. |
SinkBlockCount | UINT32 | The number of synchronization blocks in use. |
GCHandleCount | UINT32 | The number of garbage collection handles in use. |
Create Segment
In the .NET Framework version 3.5 Service Pack 1 and the .NET Framework version 4 Beta 2.
Keywords under which event is raised: GCKeyword (0x1)
Level: Informational (4)
Event | Description |
|---|
CreateSegment | A new garbage collection segment has been created. Also when tracing is enabled on a process that is already running, this event is raised for each existing segment. |
Event data
Field name | Data type | Description |
|---|
Address | UINT64 | The address of the segment. |
Size | UINT64 | The size of the segment. |
Type | ENUM | SMALL_OBJECT_HEAP = 0, LARGE_OBJECT_HEAP = 1, READ_ONLY_HEAP = 2 |
Free Segment
In the .NET Framework version 3.5 Service Pack 1 and the .NET Framework version 4 Beta 2.
Keywords under which event is raised: GCKeyword (0x1)
Level: Informational (4)
Event | Description |
|---|
FreeSegment | A garbage collection segment has been released. |
Event data
Field name | Data type | Description |
|---|
Address | UINT64 | The address of the segment. |
Resume from Suspension
In the .NET Framework version 3.5 Service Pack 1 and the .NET Framework version 4 Beta 2.
Keywords under which event is raised: GCKeyword (0x1)
Level: Informational (4)
Event | Description |
|---|
ResumeFromSuspension | Resume from common language runtime suspension has begun. |
No event data.
End Resume from Suspension
In the .NET Framework version 4 Beta 2.
Keywords under which event is raised: GCKeyword (0x1)
Level: Informational (4)
Event | Description |
|---|
EndResumeFromSuspension | Resume from common language runtime suspension has ended. |
No event data.
Suspend EE
In the .NET Framework version 4 Beta 2.
Keywords under which event is raised: GCKeyword (0x1)
Level: Informational (4)
Event | Description |
|---|
Suspend EE_V1 | Start of suspension of the execution engine for garbage collection. |
Event data
Field name | Data type | Description |
|---|
Reason | UINT16 (ENUM) | SUSPEND_OTHER = 0, SUSPEND_FOR_GC = 1, SUSPEND_FOR_APPDOMAIN_SHUTDOWN = 2, SUSPEND_FOR_CODE_PITCHING = 3, SUSPEND_FOR_SHUTDOWN = 4, SUSPEND_FOR_DEBUGGER = 5, SUSPEND_FOR_GC_PREP = 6, SUSPEND_FOR_DEBUGGER_SWEEP = 7 |
Count | UINT32 | The number of threads suspended. |
End Suspend EE
In the .NET Framework version 4 Beta 2.
Keywords under which event is raised: GCKeyword (0x1)
Level: Informational (4)
Event | Description |
|---|
SuspendEEEnd | End of suspension of the execution engine for garbage collection. |
No event data.
Allocation Tick
In the .NET Framework version 3.5 Service Pack 1 and the .NET Framework version 4 Beta 2.
Keywords under which event is raised: GCKeyword (0x1)
Level: Verbose (5)
Event | Description |
|---|
AllocationTick | Occurs each time approximately 100 kilobytes are allocated. |
Event data
Field name | Data type | Description |
|---|
AllocationSize | UINT32 | The allocation size. |
Kind | UINT32 (ENUM) | AllocationSmall = 0, AllocationLarge = 1 |
Begin Finalizers
In the .NET Framework version 4 Beta 2.
Keywords under which event is raised: GCKeyword (0x1)
Level: Informational (4)
Event | Description |
|---|
BeginFinalizers | Start of running finalizers. |
No event data
End Finalizers
In the .NET Framework version 4 Beta 2.
Keywords under which event is raised: GCKeyword (0x1)
Level: Informational (4)
Event | Description |
|---|
EndFinalizers | End of running finalizers. |
Event data
Field name | Data type | Description |
|---|
Count | UINT32 | The number of finalizers that were run. |
Create Concurrent Thread
In the .NET Framework version 4 Beta 2.
Keywords under which event is raised: GCKeyword (0x1), ThreadingKeyword (0x10000)
Level: Informational (4)
Event | Description |
|---|
CreateConcurrentThread | Concurrent garbage collection thread created. |
No event data
Terminate Concurrent Thread
In the .NET Framework version 4 Beta 2.
Keywords under which event is raised: GCKeyword (0x1), ThreadingKeyword (0x10000)
Level: Informational (4)
Event | Description |
|---|
TerminateConcurrentThread | Concurrent garbage collection thread terminated. |
No event data
GC Setting
Keywords under which event is raised: GCKeyword (0x1)
Level: Informational (4)
Event | Description |
|---|
GCSetting | Describes the garbage collection settings at startup. |
Event data
Field name | Data type | Description |
|---|
ServerGC | Bool | TRUE for server garbage collection settings; FALSE for workstation settings. |
SegmentSize | UInt64LONG | |
LargeObjectSegmentSize | UInt64LONG | |
Create Worker Thread
Keywords under which event is raised: GCKeyword (0x1), ThreadingKeyword (0x10000)
Level: Informational (4)
Event | Description |
|---|
CreateWorkerThread | Occurs when a worker thread is created in the thread pool. |
Event data
Field name | Data type | Description |
|---|
Count | UInt64 | Number of worker threads, including the newly created one. |
NumRetired | UInt64 | Number of retired worker threads. |
Terminate Worker Thread
Keywords under which event is raised: GCKeyword (0x1), ThreadingKeyword (0x10000)
Level: Informational (4)
Event | Description |
|---|
TerminateWorkerThread | Occurs when a worker thread is terminated in the thread pool. |
Event data
Field name | Data type | Description |
|---|
Count | UInt64 | Number of worker threads remaining in the thread pool. |
NumRetired | UInt64 | Number of retired worker threads. |
Create IO Thread
Keywords under which event is raised: GCKeyword (0x1), ThreadingKeyword (0x10000)
Level: Informational (4)
Event | Description |
|---|
CreateIOThread | Occurs when an I/O thread is created in the thread pool. |
Event data
Field name | Data type | Description |
|---|
Count | UInt64 | Number of I/O threads, including the newly created one. |
NumRetired | UInt64 | Number of retired worker threads. |
Terminate IO Thread
Keywords under which event is raised: GCKeyword (0x1), ThreadingKeyword (0x10000)
Level: Informational (4)
Event | Description |
|---|
CreateIOThread | Occurs when an I/O thread is created in the thread pool. |
Event data
Field name | Data type | Description |
|---|
Count | UInt64 | Number of I/O threads remaining in the thread pool. |
NumRetired | UInt64 | Number of retired I/O threads. |
Retire Worker Thread
Keywords under which event is raised: GCKeyword (0x1), ThreadingKeyword (0x10000)
Level: Informational (4)
Event | Description |
|---|
RetireWorkerThread | Occurs when a worker thread becomes a retirement candidate. |
Event data
Field name | Data type | Description |
|---|
Count | UInt64 | Number of worker threads remaining in the thread pool. |
NumRetired | UInt64 | Number of retired worker threads. |
Unretire Worker Thread
Keywords under which event is raised: GCKeyword (0x1), ThreadingKeyword (0x10000)
Level: Informational (4)
Event | Description |
|---|
UnretireWorkerThread | Occurs when a worker thread is un-retired due to work arriving within a waiting period after the thread became a retirement candidate. |
Event data
Field name | Data type | Description |
|---|
Count | UInt64 | Number of worker threads in the thread pool, including this one. |
NumRetired | UInt64 | Number of retired worker threads. |
Retire IO Thread
Keywords under which event is raised: GCKeyword (0x1), ThreadingKeyword (0x10000)
Level: Informational (4)
Event | Description |
|---|
RetireIOThread | Occurs when an I/O thread becomes a retirement candidate. |
Event data
Field name | Data type | Description |
|---|
Count | UInt64 | Number of I/O threads remaining in the thread pool. |
NumRetired | UInt64 | Number of retired I/O threads. |
Unretire IO Thread
Keywords under which event is raised: GCKeyword (0x1), ThreadingKeyword (0x10000)
Level: Informational (4)
Event | Description |
|---|
UnretireIOThread | Occurs when an I/O thread is unretired because of I/O arriving within a waiting period after the thread became a retirement candidate. |
Event data
Field name | Data type | Description |
|---|
Count | UInt64 | Number of I/O threads in the thread pool, including this one. |
NumRetired | UInt64 | Number of retired I/O threads. |
Suspend Thread/Resume Thread
Keywords under which event is raised: GCKeyword (0x1), ThreadingKeyword (0x10000)
Level: Informational (4)
Event | Description |
|---|
SuspendThread | Occurs when a worker thread is suspended due to high CPU utilization. |
ResumeThread | Occurs when CPU utilization drops within a wait period after the worker is suspended. |
Event data
Field name | Data type | Description |
|---|
ThreadID | UInt64 | The thread ID. |
CPUUtil | UInt64 | The amount of CPU utilization. |
Method Jit Inlining Failed
Keywords under which event is raised: JITKeyword (0x10)
Level: Verbose (5)
Event | Description |
|---|
MethodJitInliningFailed | The just-in-time inlining failed. |
Event data
Field name | Data type | Description |
|---|
MethodBeingCompiledNameSpace | UnicodeString | Namespace of method being compiled. |
MethodBeingCompiledName | UnicodeString | Name of method being compiled. |
InlinerNamespace | UnicodeString | The name of the namespace the just-in-time compiler is attempting to generate code for. |
InlinerName | UnicodeString | The name of the code the compiler is attempting to generate code for. This might not be the same as MethodBeingCompiledName if the compiler is attempting to inline code into MethodBeingCompiledName instead of generating a call to InlinerName. |
InlinerNameSignature | UnicodeString | The signature for Inliner. |
InlineeName | UnicodeString | The method the compiler is trying to inline, not generate a call to. |
InlineeNameSignature | UnicodeString | The signature for the inlinee. |
FailAlways | Boolean | A hint to the just-in-time compiler that inlining will always fail for the inlinee. |
FailReason | UnicodeString | INLINE_NEVER means inlining will never succeed; otherwise, free-form text. |
Method Jit Inlining Succeeded
Keywords under which event is raised: JITKeyword (0x10)
Level: Verbose (5)
Event | Description |
|---|
MethodJitInliningSucceeded | The method inlining succeeded. |
Event data
Field name | Data type | Description |
|---|
MethodBeingCompiledNameSpace | UnicodeString | The namespace of the method requested to be compiled. |
MethodBeingCompiledName | UnicodeString | The name of the method requested to be compiled. |
InlinerNamespace | UnicodeString | The name of the namespace the just-in-time compiler is attempting to generate code for. |
InlinerName | UnicodeString | The name of the code the compiler is attempting to generate code for. This might not be the same as MethodBeingCompiledName if the compiler is attempting to inline code into MethodBeingCompiledName instead of generating a call to InlinerName. |
InlinerNameSignature | UnicodeString | The signature for the inliner. |
InlineeName | UnicodeString | The method the compiler is trying to inline, not generate a call to. |
InlineeNameSignature | UnicodeString | The signature for the inlinee. |
IL Stub Generated
Keywords under which event is raised: InteropKeyword (0x2000)
Level: Informational (4)
Event | Description |
|---|
ILStubGenerated | The intermediate language stub has been generated. |
Event data
Field name | Data type | Description |
|---|
ModuleID | UInt16 | The module identifier. |
StubMethodID | UInt64 | The stub method identifier. |
StubFlags | UInt64 | The flags for the stub. |
ManagedInteropMethodToken | UInt32 | The token for the managed interop method. |
ManagedInteropMethodNameSpace | UnicodeString | The name of the managed interop method namespace. |
ManagedInteropMethodName | UnicodeString | The name of the managed interop method. |
ManagedInteropMethodSignature | UnicodeString | The signature of the managed interop method. |
NativeMethodSignature | UnicodeString | The native method signature. |
StubMethodSignature | UnicodeString | The stub method signature. |
StubMethodILCode | UnicodeString | The stub method intermediate language code. |
IL Stub Cache Hit
Keywords under which event is raised: InteropKeyword (0x2000)
Level: Informational (4)
Event | Description |
|---|
ILStubCacheHit | The intermediate language cache has been accessed. |
Event data
Field name | Data type | Description |
|---|
ModuleID | UInt16 | The module identifier. |
StubMethodID | UInt64 | The stub method identifier. |
ManagedInteropMethodToken | UInt32 | The token for the managed interop method. |
ManagedInteropMethodNameSpace | UnicodeString | The name of the managed interop method namespace. |
ManagedInteropMethodName | UnicodeString | The name of the managed interop method. |
ManagedInteropMethodSignature | UnicodeString | The signature of the managed interop method. |
AppDomain Resource Monitoring Events
These events provide detailed diagnostic information about the state of an AppDomain. These events and the AppDomain Resource Monitoring feature APIs are two different ways of obtaining the same information.
Thread Created
Keywords under which event is raised: AppDomainResourceManagementKeyword (0x800)
Level: Informational (4)
This event is also raised under the rundown provider as ThreadDC (under the AppDomainResourceManagementRundownKeyword). This is the only event that is raised under the rundown provider in this category.
Event | Description |
|---|
ThreadCreated | A thread was created for the application domain. |
Event data
Field name | Data type | Description |
|---|
ThreadID | UInt64 | |
AppDomainID | UInt64 | |
Flags | UInt32 | |
ManagedThreadIndex | UInt32 | |
OSThreadID | UInt32 | |
AppDomain Memory Allocated
Keywords under which event is raised: AppDomainResourceManagementKeyword (0x800)
Level: Informational (4)
Event | Description |
|---|
AppDomainMemAllocated | Occurs for every 100 MB of memory allocated in the application domain. |
Event data
Field name | Data type | Description |
|---|
AppDomainID | UInt64 | |
Allocated | UInt64 | |
AppDomain Memory Survived
Keywords under which event is raised: AppDomainResourceManagementKeyword (0x800)
Level: Informational (4)
Event | Description |
|---|
AppDomainMemSurvived | Occurs at the end of each garbage collection. |
Event data
Field name | Data type | Description |
|---|
AppDomainID | UInt64 | |
Survived | UInt64 | |
ProcessSurvived | UInt64 | |
Thread AppDomain Enter
Keywords under which event is raised: AppDomainResourceManagementKeyword (0x800), ThreadingKeyword (0x10000)
Level: Informational (4)
Event | Description |
|---|
ThreadAppDomainEnter | Occurs when a thread enters an application domain. |
Event data
Field name | Data type | Description |
|---|
ThreadID | UInt64 | The thread identifier. |
AppDomainID | UInt64 | The application domain identifier. |
ThreadTerminated
Keywords under which event is raised: AppDomainResourceManagementKeyword (0x800), ThreadingKeyword (0x10000)
Level: Informational (4)
Event | Description |
|---|
ThreadTerminated | Occurs when a thread terminates. |
Event data
Field name | Data type | Description |
|---|
ThreadID | UInt64 | The thread identifier. |
AppDomainID | UInt64 | The application domain identifier. |
These events are raised during strong name verification and Authenticode verification.
Strong Name Verification Start/Stop
Keywords under which event is raised: SecurityKeyword (0x400)
Level: Informational (4)
Event | Description |
|---|
StrongNameVerificationStart_V1 | Start of strong name verification. |
StrongNameVerificationStop_V1 | End of strong name verification. |
Event data
Field name | Data type | Description |
|---|
VerificationFlags | UInt32 | The verification flags. |
ErrorCode | UInt32 | The error code. |
FullyQualifiedAssemblyName | UnicodeString | The fully qualified assembly name. |
Authenticode Verification Start/Stop
Keywords under which event is raised: SecurityKeyword (0x400)
Level: Informational (4)
Event | Description |
|---|
AuthenticodeVerificationStart_V1 | Start of Authenticode verification. |
AuthenticodeVerificationStop_V1 | End of Authenticode verification. |
Event data
Field name | Data type | Description |
|---|
VerificationFlags | UInt32 | The verification flags. |
ErrorCode | UInt32 | The error code. |
ModulePath | UnicodeString | The module path. |
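The two verification tables above share one payload shape, so a single decoder can triage Stop events from a collected trace. The following is an added example, not code from the original documentation: it assumes the fields are packed little-endian in table order, that UnicodeString is null-terminated UTF-16LE, and that a non-zero ErrorCode indicates a failed verification. The sample payloads and the error value are constructed.

```python
import struct

# Field order from the event data tables: VerificationFlags (UInt32),
# ErrorCode (UInt32), then one UnicodeString (assembly name or module path).
FIXED = struct.Struct("<II")  # assumption: little-endian, no padding

def read_utf16z(buf, offset):
    """Read a null-terminated UTF-16LE string; return (text, next_offset)."""
    end = offset
    while True:
        if end + 2 > len(buf):
            raise ValueError("unterminated UnicodeString")
        if buf[end:end + 2] == b"\x00\x00":
            break
        end += 2
    return buf[offset:end].decode("utf-16-le"), end + 2

def parse_verification_event(payload):
    """Decode a StrongNameVerification* or AuthenticodeVerification* payload."""
    if len(payload) < FIXED.size:
        raise ValueError("payload shorter than the fixed fields")
    flags, error = FIXED.unpack_from(payload, 0)
    subject, consumed = read_utf16z(payload, FIXED.size)
    return {"VerificationFlags": flags, "ErrorCode": error,
            "Subject": subject, "TrailingBytes": len(payload) - consumed}

def failed_verifications(stop_payloads):
    """Return (subject, error) for Stop events with a non-zero ErrorCode."""
    failures = []
    for raw in stop_payloads:
        event = parse_verification_event(raw)
        if event["ErrorCode"] != 0:  # assumption: 0 means success
            failures.append((event["Subject"], "0x%08X" % event["ErrorCode"]))
    return failures

def build_sample(flags, error, text):
    """Construct a sample payload in the assumed layout (demo input only)."""
    return FIXED.pack(flags, error) + text.encode("utf-16-le") + b"\x00\x00"

# Constructed sample payloads, not captured from a real trace.
SAMPLES = [
    build_sample(0, 0, "Contoso.Utils, Version=1.0.0.0"),
    build_sample(0, 0x80004005, r"C:\example\plugin.dll"),
]

if __name__ == "__main__":
    for subject, code in failed_verifications(SAMPLES):
        print("verification failed:", subject, code)
```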
This event is raised under the stack keyword (0x40000000) and is to be used in conjunction with other events to generate stack traces after an event is fired. It is raised under both the runtime and rundown providers.
Level: LogAlways (0)
Keywords: StackKeyword (0x40000000)
Event | Description |
|---|
StackTrace | Occurs in conjunction with other events to generate stack traces following an event. |
Event data
Field name | Data Type | Description |
|---|
ClrInstanceID | UInt16 | Unique runtime identifier. |
Reserved1 | UInt8 | |
Reserved2 | UInt8 | |
FrameCount | UInt32 | |
Stack | Pointer | Multiple pointer addresses with the actual stack trace. |
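Because the Stack field is a variable-length array whose length is carried in FrameCount, a consumer should validate the count against the bytes actually present before reading addresses. The following is an added example, not code from the original documentation: it assumes a packed little-endian layout in table order, a pointer size supplied by the caller (4 or 8 bytes, depending on the traced process), and a hypothetical MAX_FRAMES sanity cap. The sample payload is constructed.

```python
import struct

# Fixed part, in table order: ClrInstanceID (UInt16), Reserved1 (UInt8),
# Reserved2 (UInt8), FrameCount (UInt32). Assumption: packed, little-endian.
HEADER = struct.Struct("<HBBI")
MAX_FRAMES = 1024  # hypothetical sanity cap chosen for this example

def parse_stack_event(payload, pointer_size):
    """Decode a StackTrace payload into (clr_instance_id, [addresses])."""
    if pointer_size not in (4, 8):
        raise ValueError("pointer_size must be 4 or 8")
    if len(payload) < HEADER.size:
        raise ValueError("payload shorter than the fixed header")
    clr_id, _reserved1, _reserved2, frame_count = HEADER.unpack_from(payload, 0)
    available = (len(payload) - HEADER.size) // pointer_size
    # FrameCount comes from the trace file; never let it size a read unchecked.
    if frame_count > MAX_FRAMES:
        raise ValueError("FrameCount %d exceeds cap" % frame_count)
    if frame_count > available:
        raise ValueError("FrameCount %d but only %d addresses present"
                         % (frame_count, available))
    code = "Q" if pointer_size == 8 else "I"
    frames = struct.unpack_from("<%d%s" % (frame_count, code),
                                payload, HEADER.size)
    return clr_id, list(frames)

# Constructed sample: runtime instance 9, two 64-bit return addresses.
SAMPLE_STACK = HEADER.pack(9, 0, 0, 2) + struct.pack(
    "<2Q", 0x00007FFA12340000, 0x00007FFA12345678)

if __name__ == "__main__":
    clr_id, frames = parse_stack_event(SAMPLE_STACK, 8)
    print(clr_id, [hex(f) for f in frames])
```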
Manifest Information
The manifest contains the following information for all events:
<EventHeader>
<Provider Guid="{e13c0d23-ccbc-4e12-931b-d9cc2eee27e4}" />
<EventID>0</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>0</Task>
<Opcode>5</Opcode>
<Keywords>0x0</Keywords>
<TimeCreated SystemTime="2008-06-12T09:34:09.233579200Z" />
<Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
<Execution ProcessID="4294967295" ThreadID="4294967295" ProcessorID="0" KernelTime="0" UserTime="0" />
<Channel />
</EventHeader>
<EventSpecificEvent Data>
<!--Our event structure -->
</EventSpecificEvent Data>
<UniqueIdentifier>0x00</UniqueIdentifier>
The UniqueIdentifier field distinguishes the runtimes in an in-process side-by-side setup.
Table 1: ETW keyword combinations for symbol resolution for the runtime provider
Keywords and flags | AppDomain, assembly, module load/unload events | Method load/unload events (except dynamic events) | Dynamic method load/destroy events |
|---|
LoaderKeyword | Load and Unload events | None | None |
JitKeyword (+ StartEnumerationKeyword does not add anything) | None | Load events | Load and unload events |
JitKeyword + EndEnumerationKeyword | None | Load and unload events | Load and Unload events |
NgenKeyword | None | None | Not applicable |
NgenKeyword + StartEnumerationKeyword | None | Load events | Not applicable |
NgenKeyword + EndEnumerationKeyword | None | Unload events | Not applicable |
Table 2: ETW keyword combinations for symbol resolution for the rundown provider
Keywords and flags | AppDomain, assembly, module DCStart/DCEnd events | Method DCStart/DCEnd events (including dynamic method events) |
|---|
LoaderRundownKeyword | None | None |
LoaderRundownKeyword + StartRundownKeyword | DCStart events | None |
LoaderRundownKeyword + EndRundownKeyword | DCEnd events | None |
JITKeyword | None | None |
JitKeyword + StartRundownKeyword | None | DCStart events |
JitKeyword + EndRundownKeyword | None | DCEnd events |
NGenKeyword | None | None |
NgenKeyword + StartRundownKeyword | None | DCStart events |
NgenKeyword + EndRundownKeyword | None | DCEnd events |