{"id":52,"date":"2011-03-31T00:22:21","date_gmt":"2011-03-31T00:22:21","guid":{"rendered":"https:\/\/peterklemperer.com\/blog\/?p=52"},"modified":"2016-11-27T04:45:25","modified_gmt":"2016-11-27T04:45:25","slug":"collecting-disk-access-traces-on-windows-with-tracelog","status":"publish","type":"post","link":"https:\/\/peterklemperer.com\/blog\/2011\/03\/31\/collecting-disk-access-traces-on-windows-with-tracelog\/","title":{"rendered":"Collecting Disk Access Traces on Windows with Tracelog"},"content":{"rendered":"<p>Here is some information on how I have been collecting disk access traces on Windows using Tracelog. Tracelog utilizes ETW, which I believe is only supported by NT5-based kernels (Win2k, XP, some server versions). Please let me know if you find this information useful.<\/p>\n<p>I use the Windows TRACELOG.EXE program for collecting traces and the Windows TRACEDMP.EXE program for processing the dumps. They can be found here:<br \/>\n<a href=\"http:\/\/www.microsoft.com\/downloads\/en\/details.aspx?FamilyID=55e51b3b-6c26-4ca0-abf1-0e51d92b8298\">Tracelog: http:\/\/www.microsoft.com\/downloads\/en\/details.aspx?FamilyID=55e51b3b-6c26-4ca0-abf1-0e51d92b8298<\/a><br \/>\n<a href=\"http:\/\/www.microsoft.com\/downloads\/en\/details.aspx?FamilyID=8b7ee632-fb8c-4770-bf37-eed586469b2f\">Tracedmp: http:\/\/www.microsoft.com\/downloads\/en\/details.aspx?FamilyID=8b7ee632-fb8c-4770-bf37-eed586469b2f<\/a><\/p>\n<p>There is a reasonable writeup by a UCSC student here:<br \/>\n<a href=\"http:\/\/users.soe.ucsc.edu\/~jrybz\/winTrace.pdf\">http:\/\/users.soe.ucsc.edu\/~jrybz\/winTrace.pdf<\/a><\/p>\n<p>My basic procedure looks like this:<\/p>\n<pre>1. &gt; TRACELOG.EXE -start -noprocess -nothread -nonet\r\n2. Run some load on the disk\r\n3. &gt; TRACELOG.EXE -stop\r\n4. &gt; TRACEDMP.EXE C:\\LogFile.Etl\r\n5. The event summary is written to Summary.txt and the trace to DumpFile.csv<\/pre>\n<p>To interpret the CSV file, see the MOFDATA.GUID file in C:\\Program Files\\Resource Kit, the directory where the TRACELOG and TRACEDMP programs reside. I have reproduced the relevant portion of that file below:<\/p>\n<pre>3d6fa8d4-fe05-11d0-9dda-00c04fd7ba7c DiskIo\r\n#type Read      10\r\n#type Write     11\r\n{\r\nDisk Number, ItemULong\r\nIrp Flags, ItemULongX\r\nTransfer Size, ItemULong\r\nQueueDepth, ItemULong\r\nByte Offset, ItemLongLong\r\nFile Object, ItemPtr\r\n}<\/pre>\n<p>If you wish to control this functionality programmatically, see the MSDN articles on Windows ETW (Event Tracing for Windows):<br \/>\n<a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/bb968803(v=VS.85).aspx\">http:\/\/msdn.microsoft.com\/en-us\/library\/bb968803(v=VS.85).aspx<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Here is some information on how I have been collecting disk access traces on Windows using Tracelog. Tracelog utilizes ETW, which I believe is only supported by NT5-based kernels (Win2k, XP, some server versions). 
\u00a0Please let me know &hellip; <a href=\"https:\/\/peterklemperer.com\/blog\/2011\/03\/31\/collecting-disk-access-traces-on-windows-with-tracelog\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[67,6],"tags":[],"class_list":["post-52","post","type-post","status-publish","format-standard","hentry","category-programming","category-projects"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1VqWo-Q","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/peterklemperer.com\/blog\/wp-json\/wp\/v2\/posts\/52","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/peterklemperer.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/peterklemperer.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/peterklemperer.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/peterklemperer.com\/blog\/wp-json\/wp\/v2\/comments?post=52"}],"version-history":[{"count":0,"href":"https:\/\/peterklemperer.com\/blog\/wp-json\/wp\/v2\/posts\/52\/revisions"}],"wp:attachment":[{"href":"https:\/\/peterklemperer.com\/blog\/wp-json\/wp\/v2\/media?parent=52"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/peterkle
mperer.com\/blog\/wp-json\/wp\/v2\/categories?post=52"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/peterklemperer.com\/blog\/wp-json\/wp\/v2\/tags?post=52"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}