Tracing WMI Activity
Starting with Windows Vista, the WMI service does not use the WMI Log Files. Instead, it uses Event Tracing for Windows (ETW) and events are available through Event Viewer or the Wevtutil command-line tool.
The following sections are discussed in this topic:
- Obtaining WMI Events Through Event Viewer
- Enabling WMI Tracing at Command Prompt
- Using WPP-based WMI Tracing
- Related topics
The WMITracing.log file contains the events that WMI traces. However, this is a binary file. To see these events in a format readable by humans, use the Event Viewer.
By default, WMI events are not traced. This procedure describes how to use Event Viewer to enable WMI event tracing and locate WMI events. You can do the same operations through the wevtutil command-line tool.
To view WMI Events in Event Viewer
- Open Event Viewer. On the View menu, click Show Analytic and Debug Logs. Locate the Trace channel log for WMI under Applications and Service Logs | Microsoft | Windows | WMI Activity.
- Right-click the Trace log and select Log Properties. Click the Enable Logging check box to start the WMI event tracing. For more information about channels, see Event Logs and Channels in Windows Event Log.
- WMI events appear in the event window for WMI-Activity. Double-click an event in the list to see the detailed information. You can view an event in XML View or in Friendly View format.
The Event ID field displays a value that contains the following information.
Start of the event sequence for a specific operation. One occurrence for each sequence.
The event fields for an Event 1 are:
For example, a script may request all the instances of a WMI class, such as Win32_Service. The first operation may be a connection to WMI.
Events that make up the operation. One or more occurrences in the sequence.
The event fields for an Event 2 are:
For example, the operation may be an enumeration of Win32_Service.
End of the event sequence for a specific operation. One occurrence for each sequence.
Only the GroupOperationID is shown.
You can also enable WMI event tracing through the Wevtutil command-line tool. Use the following command: Wevtutil.exe sl Microsoft-Windows-WMI-Activity/Trace /e:true. The WMI event source is Microsoft-Windows-WMI. For more information about Wevtutil.exe, see About Windows Event Log.
In Windows operating systems starting with Windows Vista, WMI creates an active trace channel during the boot process. The name of the channel is WMI_Trace_Session. Only errors are logged to the channel.
The Windows software trace preprocessor (WPP) records information in a binary file. To read the file, you must first translate it into a readable, text format. You use a tool called tracefmt.exe from the Windows Driver Kit (WDK) to do the translation. The tool requires information stored in some associated files. The files are located in the %SystemRoot%\System32\wbem\tmf directory and have a .tmf file name extension. The tool actually requires a single .tmf file . You make that single file by concatenating all of the .tmf files into another .tmf file.
After installing the Windows Driver Kit (WDK) to get the tracelog.exe and tracefmt.exe command-line tools, perform the following steps to collect a WPP-based WMI trace.
To view a WPP-based WMI trace
To create the single .tmf file, open an elevated Command Prompt window and navigate to the %SystemRoot%\System32\wbem\tmf directory.
Type copy /y %SystemRoot%\System32\wbem\tmf\*.tmf %SystemRoot%\System32\wbem\tmf\wmi.tmf. This will create a file named wmi.tmf that includes the contents of all of the other .tmf files.
- Type tracelog -flush WMI_Trace_Session. This will flush the WPP buffers on the disk.
- Type set TRACE_FORMAT_PREFIX = [%9!d!]%8!04X!.%3!04X!.%3!04X!::%4!s![%1!s!](%!COMPNAME!:%!FUNC !:%2!s!). The tracefmt tool adds some default information to each trace message. You can configure what information is included by setting the TRACE_FORMAT_PREFIX environment variable. To learn about the syntax used, see Trace Message Prefix.
- Type tracefmt -tmf %systemroot%\system32\wbem\tmf\wmi.tmf -o OUTPUT.TXT %systemroot%\system32\wbem\logs\WMITracing.log. This performs the translation from binary format to readable text format.
- Type notepad %systemroot%\system32\wbem\tmf\OUTPUT.TXT. This will open the trace file in Notepad.
The following are some other WPP-related tasks you might need to perform.
To stop WPP-based WMI tracing
- Type tracelog -stop WMI_Trace_Session.
To start WPP-based WMI tracing
- Type tracelog -start WMI_Trace_Session -guid #1FF6B227-2CA7-40f9-9A66-980EADAA602E -rt -level 5 -flag 0x7 -f MYTRACE.BIN
Windows Vista: By default, WPP-based WMI tracing is set to level 2 which includes only error messages. To include informational messages as well, set the level to 4. All areas of WMI are traced by default. There are three distinct areas that can be traced: Core (flag=0x1), ESS (flag=0x2) and Prov (flag=0x4). In the start command above, flag 0x7 causes all three areas to be traced.
Windows 7: By default, WPP-based WMI tracing is disabled and set to level 0. To use WPP-based WMI tracing, this feature must be enabled and set to either level 2 for error messages or level 4 for both error and informational messages.
To list all WPP trace sessions
- Type tracelog -l.
To list info about the WMI WPP trace session
- Type tracelog -l | findstr /i "wmi_trace".
To view the WMI WPP trace session parameters
- Type tracelog -q WMI_Trace_Session.
Build date: 10/15/2013