Survey of Software Tracing Tools

The following software tracing tools are included in either the Windows Driver Kit (WDK) or the Windows operating system.

Enabling WPP tracing in a trace producer

• TraceWPP (TraceWPP.exe) is a command-line tool that runs the Windows software trace preprocessor (WPP) on the source files of trace providers, such as a kernel-mode driver or user-mode application.

  TraceWPP provides an alternative to setting the WPP options when you build your driver or application using the WDK and Visual Studio. This tool processes trace macros in a source file and creates a header file to enable WPP tracing.

  The command-line options for TraceWPP are the same as those used when the TraceWPP task is passed to MSBuild. For more information about these options, see WPP Preprocessor.

  TraceWPP is located in the bin\<Platform> directory of the WDK.

Controlling trace sessions (trace controllers)

• TraceView (TraceView.exe) is a GUI-based trace controller and trace consumer, and is designed especially for the real-time display of trace messages. It enables, configures, starts, updates, and stops trace session. This tool also formats, filters, and displays trace messages from real-time trace sessions and trace logs.

  TraceView combines and extends the features of Tracepdb, Tracelog, and Tracefmt. For information, start TraceView and, from the Help menu, choose Help Topics.

  TraceView is located in the tools\<Platform> subdirectory of the WDK, where <Platform> is either x86 or x64.

• Tracelog (Tracelog.exe) is a command-line trace controller that enables, configures, starts, updates, and stops real-time and log sessions. Tracelog supports user-mode and kernel-mode trace sessions, as well as NT Kernel Logger trace sessions and the Global Logger (boot) trace session. This tool also supports tracing to measure time spent in deferred procedure calls (DPCs) and interrupt service routines (ISRs).

  Tracelog is located in the tools\<Platform> subdirectory of the WDK, where <Platform> is either x86 or x64.

• Logman (Logman.exe) is a fully functional, GUI-based trace controller that is designed especially to control the logging of performance counters and event traces.

  Logman is included in Windows XP and later versions of Windows. For more information about how to use this tool, see Logman.

Creating TMF files

• Tracepdb (Tracepdb.exe) is a command-line support tool that creates trace message format (TMF) files from the trace message formatting instructions in PDB symbol files.

  The tools that display trace messages, Tracefmt(Tracefmt.exe) and TraceView(TraceView.exe), can use the formatting instructions from the TMF files to format and display trace messages.

  Tracefmt can also create TMF files from PDB symbol files.

  Tracepdb and Tracefmt are located in the tools\tracing\<Platform> subdirectory of the WDK, where <Platform> is either x86 or x64.

Formatting and displaying trace messages (trace consumers)

• Tracefmt is a command-line trace consumer that formats trace messages (TraceMessage) from real-time trace sessions or trace logs, and writes them to files or displays them in the Command Prompt window.

• Tracerpt (Tracerpt.exe) is a command-line trace consumer that formats trace events (TraceEvent) and performance counters and writes them to CSV or XML files. It also analyzes the events and generates summary reports.

  Tracerpt is included in Windows XP and later versions of Windows. For more information about how to use this tool, see Tracerpt.

• TraceView, a GUI tool, that is a trace controller and a trace consumer, also formats and displays trace messages (TraceMessage) from real-time trace sessions or trace logs. It displays the trace messages in a tabular form, making them easier to filter and browse.

Viewing trace events in a debugger

• Debugging Tools for Windows includes !wmitrace, a specialized debugger extension that displays the trace messages in the trace session buffers before they are written to log files or delivered for display.

• Tracelog and TraceView can redirect trace messages to KD or Windbg, whichever is attached. For more information, see the Tracelog -kd parameter and the TraceView Windbg option.

Analyzing DPC and ISR execution times

• On Windows XP with Service Pack 2 (SP2) and later, you can use Tracelog to log deferred procedure call (DPC) and interrupt service routine (ISR) events in the NT Kernel Logger trace session and then use Tracerpt to create summary reports from the logs. For more information about how to use this tool, including an example, see Tracelog.