Tracelog
Tracelog (Tracelog.exe) is an event tracing controller that runs in a Command Prompt window. This section describes Tracelog, explains its command syntax, and provides practical examples for its use.
Tracelog (Tracelog.exe) is included when you install the WDK, Visual Studio, and the Windows SDK for desktop apps. For information about downloading the kits, see Windows Hardware Downloads.
After installation TraceLog.exe will be located in the bin directory of that version of the kit. Select the processor you desire. For example for the x64 version: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64>
What you can do with Tracelog
You can use Tracelog in a Command Prompt window as an event tracing controller.
Note To control a trace session you must be a member of the Performance Log Users group or the Administrators group on the computer (Run as administrator).
Tracelog features include:
Starts and stops trace sessions, including private trace sessions, NT Kernel Logger trace sessions, and Global Logger trace sessions
Configures and changes the properties of trace sessions
Enables and disables trace providers
Flushes trace session buffers
Lists running (real-time) trace sessions
Measures time spent in deferred procedure calls (DPCs) and interrupt service routines (ISRs)
Tracelog produces an event trace log (.etl) file that contains the trace messages generated by the provider during the trace session. The messages are stored in binary format in the file. To display the trace messages in a readable format, use TraceView or Tracefmt.
Tracelog controls kernel-mode and private (user-mode) trace sessions, and special sessions such as the NT Kernel Logger trace session and the Global Logger trace session.
Tracelog runs on Windows 7 and later versions of Windows.
Many of the features of Tracelog are also available in TraceView, a tool included in the Windows Driver Kit (WDK) that has a graphical user interface in addition to a command-line interface.