ETW Trace providers – when to use what
You may have used the Event Tracing feature of Windows, aka ETW, for debugging many server-side problems related to IIS. When I first learnt about ETW and started using it, I found it to be really cool! Unfortunately, there's not a lot of documentation around using it, for example on when to use which provider. It is helpful to know which providers emit what information, so that we can enable a specific set of providers rather than a whole bunch of them, which of course would generate a ton of data. Looking through lots of data can be painful. Take an example where you want to enable ETW tracing but it may take a day or two for the problem to reproduce. Parsing the generated log can be a nightmare! So I decided to put together this blog post, which gives information about some of the providers, if not all.
For a list of providers available on your machine, execute the following from a command prompt:
Logman Query Providers
The following table lists the providers that I usually use and their trace areas (where available). Use any combination of these providers, depending on the problem you are troubleshooting.
|Provider|Trace areas|
|---|---|
|IIS: WWW Server|IISAuthentication, IISSecurity, IISFilter, IISStaticFile, IISCGI, IISCompression, IISCache, IISAll|
|IIS: IISADMIN Global|Startup, Shutdown|
|IIS: WWW Global|Startup, Shutdown, All|
|IIS: SSL Filter|SSL related events|
|IIS: Request Monitor|-|
|IIS: Active Server Pages (ASP)|Events from ASP ISAPI|
|IIS: WWW Isapi Extension|-|
|HTTP Service Trace|-|
|ASP.NET Events|All ASP.net events|
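As an added example (not from the original post), this PowerShell sketch checks that a chosen subset of the providers above is registered on the machine, writes a provider file containing only those, and starts a trace session with it. The session name, file paths, the three selected providers, and the flags/level values (0xFFFFFFFE and 5, assumed here to mean all trace areas at the most verbose level) are assumptions to adjust for the problem at hand.

```powershell
# Run from an elevated PowerShell prompt.
# Assumption: pick only the providers relevant to the problem being debugged.
$wanted = @('IIS: WWW Server', 'IIS: SSL Filter', 'HTTP Service Trace')

# "logman query providers" prints one "Name   {GUID}" row per provider.
# Build a name -> GUID map from those rows; header and footer lines do not match.
$installed = @{}
logman query providers | ForEach-Object {
    if ($_ -match '^(?<name>.+?)\s+(?<guid>\{[0-9A-Fa-f-]{36}\})\s*$') {
        $installed[$Matches.name.Trim()] = $Matches.guid
    }
}

# Stop early if a provider from the list is not registered on this machine,
# instead of starting a session that silently collects less than expected.
$missing = @($wanted | Where-Object { -not $installed.ContainsKey($_) })
if ($missing.Count -gt 0) {
    throw "Providers not registered on this machine: $($missing -join ', ')"
}

# Provider file for "logman -pf": one provider per line as "name" flags level.
# Assumption: 0xFFFFFFFE enables all trace areas, 5 is the most verbose level.
$providerFile = Join-Path $env:TEMP 'iis-providers.txt'   # hypothetical path
$wanted |
    ForEach-Object { '"{0}" 0xFFFFFFFE 5' -f $_ } |
    Set-Content -Path $providerFile -Encoding ASCII

# Start the session (hypothetical name "IisTrace") with only those providers.
$etl = Join-Path $env:TEMP 'iis-trace.etl'                # hypothetical path
logman start IisTrace -pf $providerFile -o $etl -ets

# ... reproduce the problem, then stop the session:
# logman stop IisTrace -ets
```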
NOTE: ETW tracing is also very helpful when you want to view what is happening on the server side over an SSL connection.
I already have a blog post on using ETW providers to capture data & parsing ETW traces.