Jaa


Decode ETL file generated by Manifest-based ETW Provider from different machine

ETW is a powerful trace method in Windows platform. See following articles about the ETW:

-
Improve Debugging And Performance Tuning With ETW

https://msdn.microsoft.com/en-us/magazine/cc163437.aspx

-
ETW (Event Tracing For Windows) – what it is and useful tools

https://blogs.msdn.com/b/oanapl/archive/2009/08/05/etw-event-tracing-for-windows-what-it-is-and-useful-tools.aspx

There are hundreds of inbox ETW providers installed. It became a popular method to troubleshoot Windows issues because collecting ETW trace doesn’t need to install any tools (using logman.exe) or to restart machine. There are lots of document about how to collect and analyze ETW trace file for scenario based problem. There are also many applications and drivers which generates Manifest-based events.

 

However, to decode the trace file generated from these ETW providers correctly, we have to run Events Consumers (any tools to convert the ETL file to a human readable text file) in the same machine where the ETL file are captured because the Manifest of the ETW providers had been installed to the machine. If an ETL file is
copied from a test machine to another machine, you may encounter situation in which your machine misses the Event Schema or the Manifest of ETW Provider which are only installed in the test machine.

For example, this Microsoft-Windows-wmbclass provider is not installed by default on a Windows 8.1 system until you install a Mobile Broadband device. To decode the ETL file from Microsoft-Windows-wmbclass provider, you must install this provider on your machine or the trace file will not be decoded successfully. The easiest
way is to plug a Mobile Broadband device on your machine and the driver installation will also install this ETW provider properly.

There are scenarios in which we can’t install the ETW provider easily to our working machine. In this case, we have to capture the Schema at the same time when capturing the ETL file. There are tools for this purpose. Tracerpt.exe is an inbox tool to capture the schema which is used to decode Manifest-based events.

For example: we are capturing the trace from an ETW provider which is only installed on a test machine:

Logman.exe start test_trace -o .\test.etl -p "Sample Driver" 0xffffffffffffffff 0xff -nb 16 16 -bs 1024 -mode Circular -f bincirc -max 4096 -ets

Logman.exe stop test_trace -ets

After stopping the trace, we can export the schema which is used to decode those Manifest-based events in the ETL file to a schema file (run this command in the test machine)

Tracerpt.exe .\test.etl -export schema.man

 

We copied the ETL file and schema.man file to another machine. Then we are able to decode those Manifest-based events successfully by referencing the schema copied from test machine:

Tracerpt.exe .\test.etl -o test.xml -of xml -import schema.man

 

The current Message Analyzer is able to accept the etl file and man file as the input to show correct messages. see https://technet.microsoft.com/en-us/library/jj674809.aspx for details.