Here is some information on how I have been collecting disk access traces on Windows using Tracelog. Tracelog utilizes ETW, which I believe is only supported by NT5-based kernels (Win2k, XP, some server versions). Please let me know if you find this information useful.
I use the Windows TRACELOG.EXE for collecting traces and the Windows TRACEDMP.EXE program for processing the dumps. They can be found here:
Tracelog: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=55e51b3b-6c26-4ca0-abf1-0e51d92b8298
Tracedmp: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=8b7ee632-fb8c-4770-bf37-eed586469b2f
There is a reasonable writeup by a UCSC student here:
http://users.soe.ucsc.edu/~jrybz/winTrace.pdf
My basic procedure looks like this:
1. > TRACELOG.EXE -start -noprocess -nothread -nonet
2. Run some load on the disk
3. > TRACELOG.EXE -stop
4. > TRACEDMP.EXE C:\LogFile.Etl
5. The event summary is in Summary.txt and the trace is in DumpFile.csv
To interpret the CSV file, see the MOFDATA.GUID file in the C:\Program Files\Resource Kit directory where the TRACELOG and TRACEDMP programs reside. I have reproduced the relevant portion of that file below:
3d6fa8d4-fe05-11d0-9dda-00c04fd7ba7c DiskIo
#type Read 10
#type Write 11
{
  Disk Number, ItemULong
  Irp Flags, ItemULongX
  Transfer Size, ItemULong
  QueueDepth, ItemULong
  Byte Offset, ItemLongLong
  File Object, ItemPtr
}
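As an added example (not part of the original post), here is a small Python script that maps the DiskIo user-data columns of DumpFile.csv onto the field order from that MOFDATA.GUID entry and summarizes the trace per disk and operation, including how many I/Os were sequential. It assumes that TRACEDMP writes six fixed leading columns (Event Name, Type, TID, Clock-Time, Kernel(ms), User(ms)) before the event-specific data, and the sample rows are constructed, not real trace output.

```python
import csv
import io
from collections import defaultdict

# Field order copied from the DiskIo entry of MOFDATA.GUID quoted above; the
# CSV carries these values, in this order, after the fixed per-event columns.
DISKIO_FIELDS = ("DiskNumber", "IrpFlags", "TransferSize",
                 "QueueDepth", "ByteOffset", "FileObject")
# Assumption about TRACEDMP's layout: six fixed columns (Event Name, Type,
# TID, Clock-Time, Kernel(ms), User(ms)) precede the event-specific data.
FIXED_COLS = 6
DISKIO_TYPES = {"Read", "Write"}   # "#type Read 10" / "#type Write 11"

def parse_diskio(dump_text):
    """Return the DiskIo Read/Write rows of DumpFile.csv text as dicts."""
    events = []
    for row in csv.reader(io.StringIO(dump_text), skipinitialspace=True):
        if (len(row) < FIXED_COLS + len(DISKIO_FIELDS) or row[0] != "DiskIo"
                or row[1] not in DISKIO_TYPES):
            continue   # header line, other providers, or non-Read/Write types
        data = row[FIXED_COLS:FIXED_COLS + len(DISKIO_FIELDS)]
        ev = {"Type": row[1], "ClockTime": int(row[3])}
        # int(x, 0) accepts both decimal and 0x-prefixed (ItemULongX/ItemPtr) values
        ev.update({name: int(val, 0) for name, val in zip(DISKIO_FIELDS, data)})
        events.append(ev)
    return events

def summarize(events):
    """Per (disk, op): I/O count, bytes moved, and I/Os that began exactly
    where the previous I/O on that disk ended (sequential access)."""
    stats = defaultdict(lambda: {"count": 0, "bytes": 0, "sequential": 0})
    last_end = {}
    for ev in sorted(events, key=lambda e: e["ClockTime"]):
        s = stats[(ev["DiskNumber"], ev["Type"])]
        s["count"] += 1
        s["bytes"] += ev["TransferSize"]
        if last_end.get(ev["DiskNumber"]) == ev["ByteOffset"]:
            s["sequential"] += 1
        last_end[ev["DiskNumber"]] = ev["ByteOffset"] + ev["TransferSize"]
    return dict(stats)

# Constructed sample rows (not real TRACEDMP output) in the assumed layout.
SAMPLE_CSV = """\
Event Name, Type, TID, Clock-Time, Kernel(ms), User(ms), User Data
EventTrace, Header, 0x00000000, 128905634130000000, 0, 0, 0x00010000
DiskIo, Read, 0x00000004, 128905634130000000, 10, 0, 0, 0x00060043, 4096, 1, 1048576, 0x8A1B2C3D
DiskIo, Read, 0x00000004, 128905634130001000, 10, 0, 0, 0x00060043, 4096, 1, 1052672, 0x8A1B2C3D
DiskIo, Write, 0x000005A8, 128905634130002000, 20, 5, 0, 0x00000043, 65536, 2, 8388608, 0x8A1B2C3E
DiskIo, Read, 0x00000004, 128905634130003000, 10, 0, 1, 0x00060043, 4096, 1, 0, 0x8A1B2C3F
"""

if __name__ == "__main__":
    for (disk, op), s in sorted(summarize(parse_diskio(SAMPLE_CSV)).items()):
        print(f"disk {disk} {op:5s} count={s['count']} bytes={s['bytes']} sequential={s['sequential']}")
```

Point it at a real DumpFile.csv by replacing SAMPLE_CSV with the file's contents; if your TRACEDMP version emits a different number of fixed columns, adjust FIXED_COLS.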
If you wish to control this functionality programmatically, you could check out the MSDN articles on Windows ETW:
http://msdn.microsoft.com/en-us/library/bb968803(v=VS.85).aspx