Network Monitor: Event Tracing for Windows and Network Monitor

Provider                                    GUID
.NET Common Language Runtime                {E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}
ACPI Driver Trace Provider                  {DAB01D4D-2D48-477D-B1C3-DAAD0CE6F06B}
Active Directory Domain Services: SAM       {8E598056-8993-11D2-819E-0000F875A064}
Active Directory: Kerberos Client           {BBA3ADD2-C229-4CDB-AE2B-57EB6966B0C4}
Active Directory: NetLogon                  {F33959B4-DBEC-11D2-895B-00C04F79AB69}
...
Microsoft-Windows-Winsock-AFD               {E53C6823-7BB8-44BB-90DC-3F86090D48A6}
Microsoft-Windows-Winsock-WS2HELP           {D5C25F9A-4D47-493E-9184-40DD397A004D}
...
You will see a great many providers listed, but we only ship ETW parsers for a subset of them. As we continue to build out the parser set on http://www.codeplex.com/nmparsers, we will add support for new providers. This is largely because our focus for this release is Windows 7 network troubleshooting.

In fact, as we speak we are looking at releasing an ETW parser for USB 2.0. Winsock is the layer that applications use to talk to TCP.
Capturing an ETW Trace with Logman
To capture ETW data, use Logman along with the GUID or provider name and a few other parameters. Let's capture all Winsock related ETW events.

logman start my_winsock_log -p Microsoft-Windows-Winsock-AFD -ets

We give it the start command and the name of our session and log file, my_winsock_log. We pass it the name of the provider with -p; alternatively, we could use the {GUID} in place of the name. Finally we pass -ets, which tells Logman to start logging now.

logman stop my_winsock_log -ets

This command stops the logging, again based on the session name you specified when you started. When it completes you should have a my_winsock_log.etl file that can be opened with Network Monitor 3.3 or 3.2. While Logman still works, Netsh becomes the tool of choice for collecting ETW traces.
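The Logman capture above wrapped in a small PowerShell script, as an added example that is not part of the original post: it starts the session, confirms it is running, stops it, and checks that the .etl was actually written. The session name and provider come from the post; the function names, the explicit -o output path and the exit-code checks are assumptions of this example. Run it from an elevated prompt, since starting an ETW session requires administrative rights.

```powershell
# Added example (not from the original post): capture Winsock AFD ETW events
# with logman and verify the resulting .etl file.
function Start-WinsockEtwTrace {
    param(
        [string]$SessionName = 'my_winsock_log',
        [string]$Provider    = 'Microsoft-Windows-Winsock-AFD',
        # -o makes the output location explicit instead of relying on the default.
        [string]$OutFile     = (Join-Path $PWD "$SessionName.etl")
    )
    # -p selects the provider (name or {GUID}); -ets starts the session now
    # instead of only defining it for later use.
    logman start $SessionName -p $Provider -o $OutFile -ets
    if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }
    return $OutFile
}

function Stop-WinsockEtwTrace {
    param(
        [string]$SessionName = 'my_winsock_log',
        [Parameter(Mandatory)][string]$OutFile
    )
    logman stop $SessionName -ets
    if ($LASTEXITCODE -ne 0) { throw "logman stop failed with exit code $LASTEXITCODE" }
    # The .etl is only complete once the session has been stopped and flushed.
    if (-not (Test-Path $OutFile)) { throw "expected trace file $OutFile was not written" }
    return (Get-Item $OutFile)
}

# Typical use: start, generate some socket activity, then stop.
$etl = Start-WinsockEtwTrace
logman query -ets                 # lists running trace sessions; my_winsock_log should appear
Start-Sleep -Seconds 10           # do whatever network activity you want traced here
$file = Stop-WinsockEtwTrace -OutFile $etl
"Trace written: $($file.FullName) ($($file.Length) bytes) - open it in Network Monitor"
```

The explicit -o path avoids hunting for the default output location, and checking $LASTEXITCODE after each logman call surfaces the most common failure (a session with that name already exists, or the prompt is not elevated) instead of silently producing no .etl.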

Windows 7 Scenario based ETW Tracing
The story for ETW becomes much more interesting in the Windows 7 and Server 2008 R2 world. Also incredibly useful is the support for scenario-based tracing and the ability to capture network traffic via NDIS with ETW tracing. But more on this a little later.

Netsh to Collect an ETW Trace

Netsh used to be component centric with regards to tracing. But now tracing is a top level command that you can use to start and stop tracing. So here is an example that works like our earlier Logman example.
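The same Winsock AFD capture done with the top-level netsh trace command, as an added example that is not part of the original post. It also switches on the NDIS packet capture the post mentions, so the .etl holds both the Winsock events and the packets. The provider and file names come from the post; the function wrapper, the report=no setting and the checks are assumptions of this example. As with Logman, run it from an elevated prompt.

```powershell
# Added example (not from the original post): Winsock AFD ETW events plus NDIS
# packet capture via "netsh trace", with the .etl verified afterwards.
function Invoke-NetshEtwTrace {
    param(
        [string]$Provider  = 'Microsoft-Windows-Winsock-AFD',
        [string]$TraceFile = (Join-Path $PWD 'my_winsock_log.etl'),
        [int]$Seconds      = 10
    )
    # provider= takes a name or {GUID}; capture=yes adds NDIS packet capture;
    # report=no skips the diagnostic .cab so only the .etl is produced.
    netsh trace start provider=$Provider capture=yes tracefile=$TraceFile report=no
    if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed with exit code $LASTEXITCODE" }
    try {
        netsh trace show status        # confirms the session and its trace file
        Start-Sleep -Seconds $Seconds  # do the network activity you want traced here
    }
    finally {
        netsh trace stop               # flushes and closes the .etl even if something failed above
    }
    if (-not (Test-Path $TraceFile)) { throw "trace file $TraceFile was not written" }
    return (Get-Item $TraceFile)
}

$file = Invoke-NetshEtwTrace
"Trace written: $($file.FullName) ($($file.Length) bytes) - open it in Network Monitor"
```

The try/finally matters in practice: a netsh trace session that is never stopped keeps logging until the machine reboots, so the stop is placed where it runs even if the activity in between throws.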
