ETW Trace providers – when to use what

You may perhaps have used Event Tracing Feature of Windows aka ETW for debugging many server side problems related to IIS. When I first learnt about ETW and started using it, I found it to be really cool! Unfortunately there’s not a lot of documentation around using it. For Eg: When to use which provider. it will be helpful to know which providers emit what information so that we can use a specific set of providers rather than a whole bunch of them, which of course will generate a ton of data. Looking through lots of data can sometimes be painful. Take an example where you want to enable ETW tracing but it may take a day or two for the problem to reproduce. Parsing the generated log can be a nightmare! So… I decided to put together this blog that gives information about some of the providers, if not all.

For a list of providers available on your machine, execute the following from a command prompt:

Logman Query Providers

The following table lists the details about providers (that I use usually) & their trace areas (where available). Use any combination of these providers depending on what problem you are troubleshooting.

Provider Trace Areas
IIS: WWW Server IISAuthentication, IISSecurity, IISFilter, IISStaticFile, IISCGI, IISCompression, IISCache, IISAll
IIS: IISADMIN Global Startup, Shutdown
IIS: WWW Global Startup, Shutdown, All
IIS: SSL Filter SSL related events
IIS: Request Monitor -
IIS: Active Server Pages (ASP) Events from ASP ISAPI
IIS: WWW Isapi Extension -
HTTP Service Trace -
ASP.NET Events  All events

NOTE: ETW tracing is also very helpful when you want to view what is happening on the server side over a SSL connection.

I already have a blog post on using ETW providers to capture data & parsing ETW traces.