Tools for Software Tracing

The Microsoft Windows Driver Kit (WDK) includes a set of applications and command-line tools for software tracing. These tools are designed to support Event Tracing for Windows (ETW) and to supplement the tracing tools that are included in Windows.

What are the tracing tools?

The tools include trace controllers that configure, start, update, and stop trace sessions, and trace consumers that receive trace messages generated during the sessions and convert the binary data into human-readable format for files or display.

The tools support a variety of trace providers, including user-mode applications and kernel-mode drivers, which are instrumented for software tracing by using WPP software tracing or Event Tracing for Windows (ETW). For a comparison of the two approaches to instrumenting your code, see When to Use WPP Software Tracing and Event Tracing for Windows (ETW).

The tools can also access reserved trace sessions that are built into Windows, such as the Global Logger trace session and the NT Kernel Logger trace session.

Some of these tools are located in the tools\<Platform> subdirectory of the Windows Driver Kit (WDK), where <Platform> is either x86 or x64. Other tools are either included with Windows or are located in the bin\<Platform> subdirectory of the WDK.
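The controller and consumer roles described above, shown end to end for a WPP provider. This is an added example, not taken from the WDK documentation: Tracepdb extracts the TMF decode files from the provider's PDB, Tracelog starts and stops the session, and Tracefmt formats the binary log. The session name, file paths, flag and level values, and the control GUID placeholder are assumptions to replace with your provider's values.

```powershell
# Added example. All names and paths below are hypothetical.
$ControlGuid = '<control-guid-of-your-provider>'   # placeholder, not a real GUID
$Session     = 'MyDriverTrace'
$Pdb         = 'C:\symbols\mydriver.pdb'
$TmfDir      = 'C:\trace\tmf'
$Etl         = 'C:\trace\mydriver.etl'
$Out         = 'C:\trace\mydriver.txt'

# Run one WDK tool and stop on failure, so a stale or empty log is never formatted.
function Invoke-Tool {
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE" }
}

New-Item -ItemType Directory -Force -Path $TmfDir | Out-Null

# 1. Tracepdb: extract the TMF files (WPP decode metadata) from the PDB.
#    Whoever holds the PDB or TMF files can decode the trace, so store them
#    with the same care as the trace output itself.
Invoke-Tool tracepdb @('-f', $Pdb, '-p', $TmfDir)

# 2. Tracelog (trace controller): start a session that enables the provider
#    by its control GUID and logs binary events to the .etl file.
#    Flag and level values are provider-specific; 0x1 and 4 are sample values.
Invoke-Tool tracelog @('-start', $Session, '-guid', "#$ControlGuid",
                       '-f', $Etl, '-flag', '0x1', '-level', '4')

try {
    Read-Host 'Reproduce the behavior to trace, then press Enter' | Out-Null
}
finally {
    # 3. Tracelog: always stop the session so buffers are flushed and the
    #    provider's single WPP session slot is released.
    Invoke-Tool tracelog @('-stop', $Session)
}

# 4. Tracefmt (trace consumer): decode the binary log into readable text
#    using the TMF files from step 1.
Invoke-Tool tracefmt @($Etl, '-p', $TmfDir, '-o', $Out)
Write-Host "Formatted trace written to $Out"
```

Run it from an elevated prompt with the WDK tools directory on the PATH.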

When should I use WPP Software Tracing or the Event Tracing for Windows (ETW) API?

Use WPP Software Tracing if you are interested in primarily collecting trace data for development and debugging purposes. Use Event Tracing for Windows (ETW) for other types of tracing.

WPP software tracing | Manifested/TraceLogging ETW
Supported on Windows 2000 and later. | Supported on Windows Vista and later.
Tracing events for development and debugging. Mostly internal developer focused. | Tracing events for administrative, operational, analytical and debugging purposes.
Needs TMF files to decode the events, which are extracted from the logging binary's PDB. | The metadata to decode the events is contained in a local binary or in the event payload.
Can be only one active session per trace provider. | Events can be multiplexed to multiple consumers.
Message strings cannot be localized. | Strings can be localized.
Provider security is limited to not sharing the control GUID or TMF files required to enable and decode the events, respectively. | Provider can have ACLs applied to restrict which users can collect events from it.

For information about using Windows software trace preprocessor (WPP) macros to add software tracing to a driver or application, see WPP Software Tracing.

For information about using the kernel-mode ETW API for drivers, see Event Tracing for Windows (ETW).

For information about using the Windows Management Instrumentation (WMI) extensions to the Windows Driver Model (WDM) to add software tracing to any driver, see WMI Event Tracing.

Note: ETW and WPP support most types of kernel-mode drivers and user-mode applications. However, ETW and WPP use types that are not available for certain types of drivers, such as miniport drivers. To determine whether a particular driver type is supported, add basic WPP macros to the driver, such as WPP_INIT_TRACING and WPP_CLEANUP. If the code does not compile because the types that are used are not defined, then ETW and WPP cannot support the driver type.

What's in this section

This section begins with a survey of software tracing tools, discusses the concepts underlying the tools, and then includes documentation of the software tracing tools in the WDK.

This section includes:

Survey of Software Tracing Tools

Tracing Tool Concepts

TraceView

Tracelog

Tracepdb

Tracefmt

Tracing During Boot

WPP Software Tracing

Software Tracing FAQ

Event Tracing for Windows (ETW)

Kernel Mode Performance Monitoring

For conceptual information, see About Event Tracing in the Microsoft Windows SDK documentation.