WPR Additional Profiles
Beginner's question, but what do the additional profiles provide in WPR?
I have done a capture with just the First Level Triage selected and then did the same capture with First Level triage and CPU usage. When I look at the traces in WPA, I can't see any extra graphs or information.
Presumably, the second trace is capturing more detailed information about the CPU, but how do I see this?
Thanks
Mark
November 19th, 2014 1:09pm
I've had a bit of a look at this using the following commands which can reveal the details of currently active ETW sessions:
xperf -loggers
tracelog -q "WPR_initiated_WprApp_WPR System Collector"
tracelog -q "WPR_initiated_WprApp_WPR Event Collector"
The xperf one gives good details for all but secured sessions; for those, tracelog -q tends to be more informative. Tracelog doesn't seem to give much useful info for the non-secured WPR session.
From these results, one can determine (I'm basing these results on WPRUI.exe - Windows Performance Recorder 6.3.9600.16384) that First Level Triage is a superset of CPU Only. The only effect of enabling both as compared to only running Triage is that the maximum buffer counts of the sessions will be increased.
Specifically, CPU Only enables these kernel provider flags:
Process Thread ImageLoad CxtSwap Profile Power MemInfo Priority Dispatcher CpuConfig KernelQueue
and collects stacks for:
CSwitch ReadyThread KernelQueueEnqueue KernelQueueDequeue Profile
whereas FirstLevelTriage enables:
Process Thread ProcCounters ImageLoad DiskIo HardFaults CxtSwap Dpc Isr Profile Power MemInfo MemInfoWs Priority Dispatcher CpuConfig KernelQueue WdfDriverDpc WdfDriverInterrupt
with stacks on:
DiskRead DiskWrite DiskFlush ThreadDCEnd CSwitch ReadyThread KernelQueueEnqueue KernelQueueDequeue Profile
Doing a diff gives the additional flags enabled by Triage:
ProcCounters DiskIo HardFaults Dpc Isr MemInfoWs WdfDriverDpc WdfDriverInterrupt
and for stack collection:
DiskRead DiskWrite DiskFlush ThreadDCEnd
Edit: Forgot about the user mode providers, First Level Triage enables the following additional providers:
9580d7dd-0379-4658-9870-d5be7d52d6de:0x200:0xff
0a002690-3839-4e3a-b3b6-96d8df868d99:0xffffffffffffffff:0x5
"Microsoft-Windows-COMRuntime":0x3:0xff
49c2c27c-fe2d-40bf-8c4e-c3fb518037e7:0xffffffffffffffff:0xff
751ef305-6c6e-4fed-b847-02ef79d26aef:0xffffffffffffffff:0xff
cfeb0608-330e-4410-b00d-56d8da9986e6:0xffffffffffffffff:0xff
8e92deef-5e17-413b-b927-59b2f06a3cfc:0xffffffffffffffff:0xff
e4b70372-261f-4c54-8fa6-a5a7914d73da:0xffffffffffffffff:0xff
(no idea what they do, but you can do things like searching for .man files containing the GUIDs or querying running executables with logman providers -pid to find what providers they expose, which might give hints as to their function)
Also, some extra flags are enabled on the Immersive-Shell, Kernel-Power and NCSI providers.
The common subset of user providers between them is:
"Microsoft-Windows-PowerCpl":0x1000000000000:0x4
"Microsoft-Windows-WinINet":0x1000000000000:0x4
"Microsoft-Windows-UIAutomationCore":0x1000000000000:0x4
"Microsoft-Windows-ntshrui":0x1000000000000:0x4
"Microsoft-Windows-Kernel-PnP":0x1000000000000:0x4
"Microsoft-Windows-NlaSvc":0x1000000000000:0x4
"Microsoft-Windows-Diagnosis-MSDE":0x1000000000000:0x4
"Microsoft-Windows-Diagnosis-WDC":0x1000000000000:0x4
"Microsoft-Windows-AppHost":0x1000000000000:0x4
"Microsoft-Windows-PushNotifications-Platform":0x1000000000000:0x4
"Microsoft-Windows-ErrorReportingConsole":0x1000000000000:0x4
"Microsoft-Windows-IME-KRTIP":0x1000000000000:0x4
"Microsoft-Windows-RPCSS":0xffffffffffffffff:0x4
"Microsoft-Windows-Network-and-Sharing-Center":0x1000000000000:0x4
"Microsoft-Windows-WPDClassInstaller":0x1000000000000:0x4
e7ef96be-969f-414f-97d7-3ddb7b558ccc:0x2000:0xff
"Microsoft-PerfTrack-MSHTML":0x1000000000000:0x4
"Microsoft-Windows-DiagCpl":0x1000000000000:0x4
"Microsoft-Windows-stobject":0x1000000000000:0x4
"Microsoft-Windows-DeviceSetupManager":0x1000000000000:0x4
"Microsoft-Windows-Kernel-BootDiagnostics":0x1000000000000:0x4
"Microsoft-Windows-Diagnostics-Networking":0x1000000000000:0x4
"Microsoft-Windows-Immersive-Shell":0x1000000000000:0x4
"Microsoft-PerfTrack-IEFRAME":0x1000000000000:0x4
"Microsoft-Windows-WindowsUpdateClient":0x1000000000000:0x4
"Microsoft-Windows-VAN":0x1000000000000:0x4
"Microsoft-Windows-NetworkGCW":0x1000000000000:0x4
"Microsoft-Windows-Netshell":0x1000000000000:0x4
"Microsoft-Windows-ThemeUI":0x1000000000000:0x4
"Microsoft-Windows-DxgKrnl":0x1000000000000:0x4
"Microsoft-Windows-Diagnosis-AdvancedTaskManager":0x1000000000000:0x4
"Microsoft-Windows-User-ControlPanel":0x1000000000000:0x4
"Microsoft-Windows-Documents":0x1000000000000:0x4
"Microsoft-Windows-PDC":0x1000000000000:0x4
"Microsoft-Windows-Shell-AuthUI":0x1000000000000:0x4
36b6f488-aad7-48c2-afe3-d4ec2c8b46fa:0x10000:0xff
"Microsoft-Windows-Dwm-Core":0x1000000000000:0x4
"Microsoft-Windows-ProcessStateManager":0xffffffffffffffff:0xff
"Microsoft-Windows-DXP":0x1000000000000:0x4
"Microsoft-Windows-UserPnp":0x1000000000000:0x4
"Microsoft-Windows-AppXDeployment-Server":0x1000000000000:0x4
"Microsoft-Windows-MediaEngine":0x1000000000000:0x4
"Microsoft-Windows-HealthCenter":0x1000000000000:0x4
"Microsoft-Windows-Ncasvc":0x1000000000000:0x4
"Microsoft-Windows-Kernel-Power":0x1000000000000:0x4
"Microsoft-JScript":0x1:0xff
"Microsoft-Windows-VolumeControl":0x1000000000000:0x4
"Microsoft-Windows-PrimaryNetworkIcon":0x1000000000000:0x4
"Microsoft-Windows-IME-SCTIP":0x1000000000000:0x4
"Microsoft-Windows-NetworkProfile":0x1000000000000:0x4
".NET Common Language Runtime":0x98:0x5
"Microsoft-Windows-IME-TIP":0x1000000000000:0x4
"Microsoft-Windows-DxpTaskRingtone":0x1000000000000:0x4
"Microsoft-Windows-IME-TCTIP":0x1000000000000:0x4
"Microsoft-Windows-MediaFoundation-MFCaptureEngine":0x1000000000000:0x4
"Microsoft-Windows-DisplaySwitch":0x1000000000000:0x4
"Microsoft-Windows-LUA":0x1000000000000:0x4
"Microsoft-Windows-DateTimeControlPanel":0x1000000000000:0x4
"Microsoft-Windows-TabletPC-InputPanel":0x1000000000000:0x4
"Microsoft-Windows-TaskScheduler":0x1000000000000:0x4
"Microsoft-Windows-Help":0x1000000000000:0x4
"Microsoft-Windows-Audio":0x1000000000000:0x4
"Microsoft-Windows-MediaFoundation-Performance":0x1000000000000:0x4
"Microsoft-Windows-UserAccountControl":0x1000000000000:0x4
"Microsoft-Windows-IME-JPTIP":0x1000000000000:0x4
"Microsoft-Windows-WMP":0x1000000000000:0x4
"Microsoft-Windows-Graphics-Printing":0x1000000000000:0x4
"Microsoft-Windows-Dwm-Udwm":0x1000000000000:0x4
"Microsoft-Windows-ComDlg32":0x1000000000000:0x4
"Microsoft-Windows-Dhcp-Client":0x1000000000000:0x4
"Microsoft-Windows-Display":0x1000000000000:0x4
"Microsoft-Windows-UxTheme":0x1000000000000:0x4
"Microsoft-Windows-DxpTaskSyncProvider":0x1000000000000:0x4
"Microsoft-Windows-NCSI":0x1000000000000:0x4
"Microsoft-Windows-DeviceUx":0x1000000000000:0x4
"Microsoft-Windows-HealthCenterCPL":0x1000000000000:0x4
"Microsoft-Windows-User Profiles Service":0x1000000000000:0x4
"Microsoft-Windows-Networking-Correlation":0xffffffffffffffff:0xff
"Microsoft-Windows-Store-Client-UI":0x1000000000000:0x4
"Microsoft-Windows-Immersive-Shell-API":0x1000000000000:0x4
"Microsoft-Windows-WindowsUIImmersive":0x1000000000000:0x4
"Microsoft-Windows-Winlogon":0x1000000000000:0x4
"Microsoft-Windows-PrintDialogs":0x1000000000000:0x4
"Microsoft-Windows-All-User-Install-Agent":0x1000000000000:0x4
"Microsoft-Windows-PowerShell":0x1000000000000:0x4
"Microsoft-Windows-Services":0x1000000000000:0x4
"Microsoft-Windows-RPC":0xffffffffffffffff:0x4
"Microsoft-Windows-ThemeCPL":0x1000000000000:0x4
"Microsoft-Windows-AltTab":0x1000000000000:0x4
"Microsoft-Windows-Win32k":0x1000000402000:0xff
"Microsoft-Windows-Shell-Core":0x1000000000000:0x4
"Microsoft-Windows-BrokerInfrastructure":0x1000000000001:0xff
"Microsoft-Windows-Superfetch":0x1000000000000:0x4
"Microsoft-Windows-SystemSettings":0x1000000000000:0x4
"Microsoft-Windows-DriverFrameworks-UserMode":0x1000000000000:0x4
"Microsoft-Windows-DHCPv6-Client":0x1000000000000:0x4
Edited by Cam Sinclair, Tuesday, December 09, 2014 10:21 AM
Proposed as answer by Cam Sinclair, Tuesday, December 09, 2014 10:22 AM
December 9th, 2014 10:06am
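The comparison the answer above does by hand (diff the kernel flags and stack-walk events, then diff the user-mode provider lists, including keyword bits and levels that changed on providers present in both) can be scripted. The following is an added example, not code from the thread or from the WPR toolkit. The kernel flag and stack strings are copied from the post; the user-mode provider lists are a constructed subset, and the extra Immersive-Shell keyword bit and the NCSI level change are invented values, since the post only says that "some extra flags are enabled" without listing them. Feeding it the real output of xperf -loggers / tracelog -q is how you would check what a profile actually collects before sharing a trace.

```python
"""Added example (not from the thread): parse and diff WPR/ETW session
configurations the way the post above does by hand.

Kernel flag strings are copied from the post; the user-mode provider lists
are CONSTRUCTED for illustration (the extra Immersive-Shell keyword bit and
the NCSI level change are invented values the post does not give).
"""
import re
from dataclasses import dataclass

# One provider as WPR/xperf prints it: "Name":0xKEYWORDS:0xLEVEL or GUID:0xKEYWORDS:0xLEVEL
_SPEC_RE = re.compile(
    r'^(?:"(?P<name>[^"]+)"'
    r'|(?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}))'
    r':(?P<kw>0x[0-9a-fA-F]{1,16}):(?P<lvl>0x[0-9a-fA-F]{1,2})$'
)


@dataclass(frozen=True)
class Provider:
    ident: str      # registered provider name, or the GUID (lower-cased) if unregistered
    keywords: int   # 64-bit match-any keyword mask
    level: int      # maximum level (0x4 informational, 0x5 verbose, 0xff everything)
    is_guid: bool


def parse_provider(spec: str) -> Provider:
    """Parse one provider spec line; raises ValueError on anything else."""
    m = _SPEC_RE.match(spec.strip())
    if m is None:
        raise ValueError(f"not a provider spec: {spec!r}")
    kw, lvl = int(m.group("kw"), 16), int(m.group("lvl"), 16)
    if m.group("guid"):
        return Provider(m.group("guid").lower(), kw, lvl, True)
    return Provider(m.group("name"), kw, lvl, False)


def diff_flags(base: str, other: str):
    """Set-difference two space-separated flag lists (kernel flags or stack events)."""
    a, b = set(base.split()), set(other.split())
    return sorted(a - b), sorted(b - a)


def diff_providers(base_specs, other_specs):
    """Providers added/removed, plus keyword bits and level changes on shared ones."""
    base = {p.ident: p for p in map(parse_provider, base_specs)}
    other = {p.ident: p for p in map(parse_provider, other_specs)}
    report = {
        "added": sorted(set(other) - set(base)),
        "removed": sorted(set(base) - set(other)),
        "extra_keywords": {},
        "level_changes": {},
    }
    for ident in set(base) & set(other):
        b, o = base[ident], other[ident]
        new_bits = o.keywords & ~b.keywords   # bits set in other but not in base
        if new_bits:
            report["extra_keywords"][ident] = new_bits
        if o.level != b.level:
            report["level_changes"][ident] = (b.level, o.level)
    return report


# Kernel flags and stack-walk events exactly as listed in the post.
CPU_ONLY_FLAGS = "Process Thread ImageLoad CxtSwap Profile Power MemInfo Priority Dispatcher CpuConfig KernelQueue"
CPU_ONLY_STACKS = "CSwitch ReadyThread KernelQueueEnqueue KernelQueueDequeue Profile"
TRIAGE_FLAGS = ("Process Thread ProcCounters ImageLoad DiskIo HardFaults CxtSwap Dpc Isr Profile Power "
                "MemInfo MemInfoWs Priority Dispatcher CpuConfig KernelQueue WdfDriverDpc WdfDriverInterrupt")
TRIAGE_STACKS = ("DiskRead DiskWrite DiskFlush ThreadDCEnd CSwitch ReadyThread "
                 "KernelQueueEnqueue KernelQueueDequeue Profile")

# CONSTRUCTED user-mode provider lists (a small subset; the changes on the shared
# providers are invented to exercise the keyword/level comparison).
CPU_ONLY_PROVIDERS = [
    '"Microsoft-Windows-Immersive-Shell":0x1000000000000:0x4',
    '"Microsoft-Windows-NCSI":0x1000000000000:0x4',
    '"Microsoft-Windows-RPC":0xffffffffffffffff:0x4',
]
TRIAGE_PROVIDERS = [
    '"Microsoft-Windows-Immersive-Shell":0x1000000000001:0x4',   # constructed: extra bit 0x1
    '"Microsoft-Windows-NCSI":0x1000000000000:0x5',              # constructed: level 0x4 -> 0x5
    '"Microsoft-Windows-RPC":0xffffffffffffffff:0x4',
    '"Microsoft-Windows-COMRuntime":0x3:0xff',                   # from the post
    '9580d7dd-0379-4658-9870-d5be7d52d6de:0x200:0xff',           # from the post
]


def compare_profiles():
    """Full CPU Only vs First Level Triage comparison; returns a dict for inspection."""
    return {
        "kernel_flags": diff_flags(CPU_ONLY_FLAGS, TRIAGE_FLAGS),
        "stacks": diff_flags(CPU_ONLY_STACKS, TRIAGE_STACKS),
        "providers": diff_providers(CPU_ONLY_PROVIDERS, TRIAGE_PROVIDERS),
    }


if __name__ == "__main__":
    for section, result in compare_profiles().items():
        print(f"{section}: {result}")
```

Run it as-is to reproduce the post's two diffs; to compare real sessions, paste the provider lines from tracelog -q output into the two lists. The keyword comparison uses "bits in the second mask that are absent from the first" rather than plain inequality, so a provider whose mask was widened shows up with exactly the new bits.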
"Microsoft-Windows-UIAutomationCore":0x1000000000000:0x4
"Microsoft-Windows-ntshrui":0x1000000000000:0x4
"Microsoft-Windows-Kernel-PnP":0x1000000000000:0x4
"Microsoft-Windows-NlaSvc":0x1000000000000:0x4
"Microsoft-Windows-Diagnosis-MSDE":0x1000000000000:0x4
"Microsoft-Windows-Diagnosis-WDC":0x1000000000000:0x4
"Microsoft-Windows-AppHost":0x1000000000000:0x4
"Microsoft-Windows-PushNotifications-Platform":0x1000000000000:0x4
"Microsoft-Windows-ErrorReportingConsole":0x1000000000000:0x4
"Microsoft-Windows-IME-KRTIP":0x1000000000000:0x4
"Microsoft-Windows-RPCSS":0xffffffffffffffff:0x4
"Microsoft-Windows-Network-and-Sharing-Center":0x1000000000000:0x4
"Microsoft-Windows-WPDClassInstaller":0x1000000000000:0x4
e7ef96be-969f-414f-97d7-3ddb7b558ccc:0x2000:0xff
"Microsoft-PerfTrack-MSHTML":0x1000000000000:0x4
"Microsoft-Windows-DiagCpl":0x1000000000000:0x4
"Microsoft-Windows-stobject":0x1000000000000:0x4
"Microsoft-Windows-DeviceSetupManager":0x1000000000000:0x4
"Microsoft-Windows-Kernel-BootDiagnostics":0x1000000000000:0x4
"Microsoft-Windows-Diagnostics-Networking":0x1000000000000:0x4
"Microsoft-Windows-Immersive-Shell":0x1000000000000:0x4
"Microsoft-PerfTrack-IEFRAME":0x1000000000000:0x4
"Microsoft-Windows-WindowsUpdateClient":0x1000000000000:0x4
"Microsoft-Windows-VAN":0x1000000000000:0x4
"Microsoft-Windows-NetworkGCW":0x1000000000000:0x4
"Microsoft-Windows-Netshell":0x1000000000000:0x4
"Microsoft-Windows-ThemeUI":0x1000000000000:0x4
"Microsoft-Windows-DxgKrnl":0x1000000000000:0x4
"Microsoft-Windows-Diagnosis-AdvancedTaskManager":0x1000000000000:0x4
"Microsoft-Windows-User-ControlPanel":0x1000000000000:0x4
"Microsoft-Windows-Documents":0x1000000000000:0x4
"Microsoft-Windows-PDC":0x1000000000000:0x4
"Microsoft-Windows-Shell-AuthUI":0x1000000000000:0x4
36b6f488-aad7-48c2-afe3-d4ec2c8b46fa:0x10000:0xff
"Microsoft-Windows-Dwm-Core":0x1000000000000:0x4
"Microsoft-Windows-ProcessStateManager":0xffffffffffffffff:0xff
"Microsoft-Windows-DXP":0x1000000000000:0x4
"Microsoft-Windows-UserPnp":0x1000000000000:0x4
"Microsoft-Windows-AppXDeployment-Server":0x1000000000000:0x4
"Microsoft-Windows-MediaEngine":0x1000000000000:0x4
"Microsoft-Windows-HealthCenter":0x1000000000000:0x4
"Microsoft-Windows-Ncasvc":0x1000000000000:0x4
"Microsoft-Windows-Kernel-Power":0x1000000000000:0x4
"Microsoft-JScript":0x1:0xff
"Microsoft-Windows-VolumeControl":0x1000000000000:0x4
"Microsoft-Windows-PrimaryNetworkIcon":0x1000000000000:0x4
"Microsoft-Windows-IME-SCTIP":0x1000000000000:0x4
"Microsoft-Windows-NetworkProfile":0x1000000000000:0x4
".NET Common Language Runtime":0x98:0x5
"Microsoft-Windows-IME-TIP":0x1000000000000:0x4
"Microsoft-Windows-DxpTaskRingtone":0x1000000000000:0x4
"Microsoft-Windows-IME-TCTIP":0x1000000000000:0x4
"Microsoft-Windows-MediaFoundation-MFCaptureEngine":0x1000000000000:0x4
"Microsoft-Windows-DisplaySwitch":0x1000000000000:0x4
"Microsoft-Windows-LUA":0x1000000000000:0x4
"Microsoft-Windows-DateTimeControlPanel":0x1000000000000:0x4
"Microsoft-Windows-TabletPC-InputPanel":0x1000000000000:0x4
"Microsoft-Windows-TaskScheduler":0x1000000000000:0x4
"Microsoft-Windows-Help":0x1000000000000:0x4
"Microsoft-Windows-Audio":0x1000000000000:0x4
"Microsoft-Windows-MediaFoundation-Performance":0x1000000000000:0x4
"Microsoft-Windows-UserAccountControl":0x1000000000000:0x4
"Microsoft-Windows-IME-JPTIP":0x1000000000000:0x4
"Microsoft-Windows-WMP":0x1000000000000:0x4
"Microsoft-Windows-Graphics-Printing":0x1000000000000:0x4
"Microsoft-Windows-Dwm-Udwm":0x1000000000000:0x4
"Microsoft-Windows-ComDlg32":0x1000000000000:0x4
"Microsoft-Windows-Dhcp-Client":0x1000000000000:0x4
"Microsoft-Windows-Display":0x1000000000000:0x4
"Microsoft-Windows-UxTheme":0x1000000000000:0x4
"Microsoft-Windows-DxpTaskSyncProvider":0x1000000000000:0x4
"Microsoft-Windows-NCSI":0x1000000000000:0x4
"Microsoft-Windows-DeviceUx":0x1000000000000:0x4
"Microsoft-Windows-HealthCenterCPL":0x1000000000000:0x4
"Microsoft-Windows-User Profiles Service":0x1000000000000:0x4
"Microsoft-Windows-Networking-Correlation":0xffffffffffffffff:0xff
"Microsoft-Windows-Store-Client-UI":0x1000000000000:0x4
"Microsoft-Windows-Immersive-Shell-API":0x1000000000000:0x4
"Microsoft-Windows-WindowsUIImmersive":0x1000000000000:0x4
"Microsoft-Windows-Winlogon":0x1000000000000:0x4
"Microsoft-Windows-PrintDialogs":0x1000000000000:0x4
"Microsoft-Windows-All-User-Install-Agent":0x1000000000000:0x4
"Microsoft-Windows-PowerShell":0x1000000000000:0x4
"Microsoft-Windows-Services":0x1000000000000:0x4
"Microsoft-Windows-RPC":0xffffffffffffffff:0x4
"Microsoft-Windows-ThemeCPL":0x1000000000000:0x4
"Microsoft-Windows-AltTab":0x1000000000000:0x4
"Microsoft-Windows-Win32k":0x1000000402000:0xff
"Microsoft-Windows-Shell-Core":0x1000000000000:0x4
"Microsoft-Windows-BrokerInfrastructure":0x1000000000001:0xff
"Microsoft-Windows-Superfetch":0x1000000000000:0x4
"Microsoft-Windows-SystemSettings":0x1000000000000:0x4
"Microsoft-Windows-DriverFrameworks-UserMode":0x1000000000000:0x4
"Microsoft-Windows-DHCPv6-Client":0x1000000000000:0x4
-
Edited by
Cam Sinclair
Tuesday, December 09, 2014 10:21 AM
-
Proposed as answer by
Cam Sinclair
Tuesday, December 09, 2014 10:22 AM
December 9th, 2014 10:06am
I've had a bit of a look at this using the following commands which can reveal the details of currently active ETW sessions:
xperf -loggers
tracelog -q "WPR_initiated_WprApp_WPR System Collector"
tracelog -q "WPR_initiated_WprApp_WPR Event Collector"
The xperf one gives good details for all but secured sessions, for those tracelog -q tends to be more informative. Tracelog doesn't seem to give much useful info for the non-secured WPR session.
From these results, one can determine (I'm basing these results on WPRUI.exe - Windows Performance Recorder 6.3.9600.16384) that
First Level Triage is a superset of CPU Only. The only effect of enabling both as compared to only running Triage is that the maximum buffer counts of the sessions will be increased.
Specifically, CPU Only enables these kernel provider flags:
Process Thread ImageLoad CxtSwap Profile Power MemInfo Priority Dispatcher CpuConfig KernelQueue
and collects stacks for:
CSwitch ReadyThread KernelQueueEnqueue KernelQueueDequeue Profile
whereas FirstLevelTriage enables:
Process Thread ProcCounters ImageLoad DiskIo HardFaults CxtSwap Dpc Isr Profile Power MemInfo MemInfoWs Priority Dispatcher CpuConfig KernelQueue WdfDriverDpc WdfDriverInterrupt
with stacks on:
DiskRead DiskWrite DiskFlush ThreadDCEnd CSwitch ReadyThread KernelQueueEnqueue KernelQueueDequeue Profile
Doing a diff gives the additional flags enabled by Triage:
ProcCounters DiskIo HardFaults Dpc Isr MemInfoWs WdfDriverDpc WdfDriverInterrupt
and for stack collection:
DiskRead DiskWrite DiskFlush ThreadDCEnd
Edit: Forgot about the user mode providers, First Level Triage enables the following additional providers:
9580d7dd-0379-4658-9870-d5be7d52d6de:0x200:0xff
0a002690-3839-4e3a-b3b6-96d8df868d99:0xffffffffffffffff:0x5
"Microsoft-Windows-COMRuntime":0x3:0xff
49c2c27c-fe2d-40bf-8c4e-c3fb518037e7:0xffffffffffffffff:0xff
751ef305-6c6e-4fed-b847-02ef79d26aef:0xffffffffffffffff:0xff
cfeb0608-330e-4410-b00d-56d8da9986e6:0xffffffffffffffff:0xff
8e92deef-5e17-413b-b927-59b2f06a3cfc:0xffffffffffffffff:0xff
e4b70372-261f-4c54-8fa6-a5a7914d73da:0xffffffffffffffff:0xff
(no idea what they do, but you can do things like searching for .man files containing the GUIDs or querying running executables with
logman providers -pid to find what providers they expose, that might give hints as to their function)
Also, some extra flags are enabled on the Immersive-Shell, Kernel-Pore and NCSI providers.
The common subset of user providers between them is:
"Microsoft-Windows-PowerCpl":0x1000000000000:0x4
"Microsoft-Windows-WinINet":0x1000000000000:0x4
"Microsoft-Windows-UIAutomationCore":0x1000000000000:0x4
"Microsoft-Windows-ntshrui":0x1000000000000:0x4
"Microsoft-Windows-Kernel-PnP":0x1000000000000:0x4
"Microsoft-Windows-NlaSvc":0x1000000000000:0x4
"Microsoft-Windows-Diagnosis-MSDE":0x1000000000000:0x4
"Microsoft-Windows-Diagnosis-WDC":0x1000000000000:0x4
"Microsoft-Windows-AppHost":0x1000000000000:0x4
"Microsoft-Windows-PushNotifications-Platform":0x1000000000000:0x4
"Microsoft-Windows-ErrorReportingConsole":0x1000000000000:0x4
"Microsoft-Windows-IME-KRTIP":0x1000000000000:0x4
"Microsoft-Windows-RPCSS":0xffffffffffffffff:0x4
"Microsoft-Windows-Network-and-Sharing-Center":0x1000000000000:0x4
"Microsoft-Windows-WPDClassInstaller":0x1000000000000:0x4
e7ef96be-969f-414f-97d7-3ddb7b558ccc:0x2000:0xff
"Microsoft-PerfTrack-MSHTML":0x1000000000000:0x4
"Microsoft-Windows-DiagCpl":0x1000000000000:0x4
"Microsoft-Windows-stobject":0x1000000000000:0x4
"Microsoft-Windows-DeviceSetupManager":0x1000000000000:0x4
"Microsoft-Windows-Kernel-BootDiagnostics":0x1000000000000:0x4
"Microsoft-Windows-Diagnostics-Networking":0x1000000000000:0x4
"Microsoft-Windows-Immersive-Shell":0x1000000000000:0x4
"Microsoft-PerfTrack-IEFRAME":0x1000000000000:0x4
"Microsoft-Windows-WindowsUpdateClient":0x1000000000000:0x4
"Microsoft-Windows-VAN":0x1000000000000:0x4
"Microsoft-Windows-NetworkGCW":0x1000000000000:0x4
"Microsoft-Windows-Netshell":0x1000000000000:0x4
"Microsoft-Windows-ThemeUI":0x1000000000000:0x4
"Microsoft-Windows-DxgKrnl":0x1000000000000:0x4
"Microsoft-Windows-Diagnosis-AdvancedTaskManager":0x1000000000000:0x4
"Microsoft-Windows-User-ControlPanel":0x1000000000000:0x4
"Microsoft-Windows-Documents":0x1000000000000:0x4
"Microsoft-Windows-PDC":0x1000000000000:0x4
"Microsoft-Windows-Shell-AuthUI":0x1000000000000:0x4
36b6f488-aad7-48c2-afe3-d4ec2c8b46fa:0x10000:0xff
"Microsoft-Windows-Dwm-Core":0x1000000000000:0x4
"Microsoft-Windows-ProcessStateManager":0xffffffffffffffff:0xff
"Microsoft-Windows-DXP":0x1000000000000:0x4
"Microsoft-Windows-UserPnp":0x1000000000000:0x4
"Microsoft-Windows-AppXDeployment-Server":0x1000000000000:0x4
"Microsoft-Windows-MediaEngine":0x1000000000000:0x4
"Microsoft-Windows-HealthCenter":0x1000000000000:0x4
"Microsoft-Windows-Ncasvc":0x1000000000000:0x4
"Microsoft-Windows-Kernel-Power":0x1000000000000:0x4
"Microsoft-JScript":0x1:0xff
"Microsoft-Windows-VolumeControl":0x1000000000000:0x4
"Microsoft-Windows-PrimaryNetworkIcon":0x1000000000000:0x4
"Microsoft-Windows-IME-SCTIP":0x1000000000000:0x4
"Microsoft-Windows-NetworkProfile":0x1000000000000:0x4
".NET Common Language Runtime":0x98:0x5
"Microsoft-Windows-IME-TIP":0x1000000000000:0x4
"Microsoft-Windows-DxpTaskRingtone":0x1000000000000:0x4
"Microsoft-Windows-IME-TCTIP":0x1000000000000:0x4
"Microsoft-Windows-MediaFoundation-MFCaptureEngine":0x1000000000000:0x4
"Microsoft-Windows-DisplaySwitch":0x1000000000000:0x4
"Microsoft-Windows-LUA":0x1000000000000:0x4
"Microsoft-Windows-DateTimeControlPanel":0x1000000000000:0x4
"Microsoft-Windows-TabletPC-InputPanel":0x1000000000000:0x4
"Microsoft-Windows-TaskScheduler":0x1000000000000:0x4
"Microsoft-Windows-Help":0x1000000000000:0x4
"Microsoft-Windows-Audio":0x1000000000000:0x4
"Microsoft-Windows-MediaFoundation-Performance":0x1000000000000:0x4
"Microsoft-Windows-UserAccountControl":0x1000000000000:0x4
"Microsoft-Windows-IME-JPTIP":0x1000000000000:0x4
"Microsoft-Windows-WMP":0x1000000000000:0x4
"Microsoft-Windows-Graphics-Printing":0x1000000000000:0x4
"Microsoft-Windows-Dwm-Udwm":0x1000000000000:0x4
"Microsoft-Windows-ComDlg32":0x1000000000000:0x4
"Microsoft-Windows-Dhcp-Client":0x1000000000000:0x4
"Microsoft-Windows-Display":0x1000000000000:0x4
"Microsoft-Windows-UxTheme":0x1000000000000:0x4
"Microsoft-Windows-DxpTaskSyncProvider":0x1000000000000:0x4
"Microsoft-Windows-NCSI":0x1000000000000:0x4
"Microsoft-Windows-DeviceUx":0x1000000000000:0x4
"Microsoft-Windows-HealthCenterCPL":0x1000000000000:0x4
"Microsoft-Windows-User Profiles Service":0x1000000000000:0x4
"Microsoft-Windows-Networking-Correlation":0xffffffffffffffff:0xff
"Microsoft-Windows-Store-Client-UI":0x1000000000000:0x4
"Microsoft-Windows-Immersive-Shell-API":0x1000000000000:0x4
"Microsoft-Windows-WindowsUIImmersive":0x1000000000000:0x4
"Microsoft-Windows-Winlogon":0x1000000000000:0x4
"Microsoft-Windows-PrintDialogs":0x1000000000000:0x4
"Microsoft-Windows-All-User-Install-Agent":0x1000000000000:0x4
"Microsoft-Windows-PowerShell":0x1000000000000:0x4
"Microsoft-Windows-Services":0x1000000000000:0x4
"Microsoft-Windows-RPC":0xffffffffffffffff:0x4
"Microsoft-Windows-ThemeCPL":0x1000000000000:0x4
"Microsoft-Windows-AltTab":0x1000000000000:0x4
"Microsoft-Windows-Win32k":0x1000000402000:0xff
"Microsoft-Windows-Shell-Core":0x1000000000000:0x4
"Microsoft-Windows-BrokerInfrastructure":0x1000000000001:0xff
"Microsoft-Windows-Superfetch":0x1000000000000:0x4
"Microsoft-Windows-SystemSettings":0x1000000000000:0x4
"Microsoft-Windows-DriverFrameworks-UserMode":0x1000000000000:0x4
"Microsoft-Windows-DHCPv6-Client":0x1000000000000:0x4
-
Edited by
Cam Sinclair
Tuesday, December 09, 2014 10:21 AM
-
Proposed as answer by
Cam Sinclair
Tuesday, December 09, 2014 10:22 AM
December 9th, 2014 10:06am
I've had a bit of a look at this using the following commands which can reveal the details of currently active ETW sessions:
xperf -loggers
tracelog -q "WPR_initiated_WprApp_WPR System Collector"
tracelog -q "WPR_initiated_WprApp_WPR Event Collector"
The xperf one gives good details for all but secured sessions, for those tracelog -q tends to be more informative. Tracelog doesn't seem to give much useful info for the non-secured WPR session.
From these results, one can determine (I'm basing these results on WPRUI.exe - Windows Performance Recorder 6.3.9600.16384) that
First Level Triage is a superset of CPU Only. The only effect of enabling both as compared to only running Triage is that the maximum buffer counts of the sessions will be increased.
Specifically, CPU Only enables these kernel provider flags:
Process Thread ImageLoad CxtSwap Profile Power MemInfo Priority Dispatcher CpuConfig KernelQueue
and collects stacks for:
CSwitch ReadyThread KernelQueueEnqueue KernelQueueDequeue Profile
whereas FirstLevelTriage enables:
Process Thread ProcCounters ImageLoad DiskIo HardFaults CxtSwap Dpc Isr Profile Power MemInfo MemInfoWs Priority Dispatcher CpuConfig KernelQueue WdfDriverDpc WdfDriverInterrupt
with stacks on:
DiskRead DiskWrite DiskFlush ThreadDCEnd CSwitch ReadyThread KernelQueueEnqueue KernelQueueDequeue Profile
Doing a diff gives the additional flags enabled by Triage:
ProcCounters DiskIo HardFaults Dpc Isr MemInfoWs WdfDriverDpc WdfDriverInterrupt
and for stack collection:
DiskRead DiskWrite DiskFlush ThreadDCEnd
Edit: Forgot about the user mode providers, First Level Triage enables the following additional providers:
9580d7dd-0379-4658-9870-d5be7d52d6de:0x200:0xff
0a002690-3839-4e3a-b3b6-96d8df868d99:0xffffffffffffffff:0x5
"Microsoft-Windows-COMRuntime":0x3:0xff
49c2c27c-fe2d-40bf-8c4e-c3fb518037e7:0xffffffffffffffff:0xff
751ef305-6c6e-4fed-b847-02ef79d26aef:0xffffffffffffffff:0xff
cfeb0608-330e-4410-b00d-56d8da9986e6:0xffffffffffffffff:0xff
8e92deef-5e17-413b-b927-59b2f06a3cfc:0xffffffffffffffff:0xff
e4b70372-261f-4c54-8fa6-a5a7914d73da:0xffffffffffffffff:0xff
(no idea what they do, but you can do things like searching for .man files containing the GUIDs or querying running executables with
logman providers -pid to find what providers they expose, that might give hints as to their function)
Also, some extra flags are enabled on the Immersive-Shell, Kernel-Pore and NCSI providers.
The common subset of user providers between them is:
"Microsoft-Windows-PowerCpl":0x1000000000000:0x4
"Microsoft-Windows-WinINet":0x1000000000000:0x4
"Microsoft-Windows-UIAutomationCore":0x1000000000000:0x4
"Microsoft-Windows-ntshrui":0x1000000000000:0x4
"Microsoft-Windows-Kernel-PnP":0x1000000000000:0x4
"Microsoft-Windows-NlaSvc":0x1000000000000:0x4
"Microsoft-Windows-Diagnosis-MSDE":0x1000000000000:0x4
"Microsoft-Windows-Diagnosis-WDC":0x1000000000000:0x4
"Microsoft-Windows-AppHost":0x1000000000000:0x4
"Microsoft-Windows-PushNotifications-Platform":0x1000000000000:0x4
"Microsoft-Windows-ErrorReportingConsole":0x1000000000000:0x4
"Microsoft-Windows-IME-KRTIP":0x1000000000000:0x4
"Microsoft-Windows-RPCSS":0xffffffffffffffff:0x4
"Microsoft-Windows-Network-and-Sharing-Center":0x1000000000000:0x4
"Microsoft-Windows-WPDClassInstaller":0x1000000000000:0x4
e7ef96be-969f-414f-97d7-3ddb7b558ccc:0x2000:0xff
"Microsoft-PerfTrack-MSHTML":0x1000000000000:0x4
"Microsoft-Windows-DiagCpl":0x1000000000000:0x4
"Microsoft-Windows-stobject":0x1000000000000:0x4
"Microsoft-Windows-DeviceSetupManager":0x1000000000000:0x4
"Microsoft-Windows-Kernel-BootDiagnostics":0x1000000000000:0x4
"Microsoft-Windows-Diagnostics-Networking":0x1000000000000:0x4
"Microsoft-Windows-Immersive-Shell":0x1000000000000:0x4
"Microsoft-PerfTrack-IEFRAME":0x1000000000000:0x4
"Microsoft-Windows-WindowsUpdateClient":0x1000000000000:0x4
"Microsoft-Windows-VAN":0x1000000000000:0x4
"Microsoft-Windows-NetworkGCW":0x1000000000000:0x4
"Microsoft-Windows-Netshell":0x1000000000000:0x4
"Microsoft-Windows-ThemeUI":0x1000000000000:0x4
"Microsoft-Windows-DxgKrnl":0x1000000000000:0x4
"Microsoft-Windows-Diagnosis-AdvancedTaskManager":0x1000000000000:0x4
"Microsoft-Windows-User-ControlPanel":0x1000000000000:0x4
"Microsoft-Windows-Documents":0x1000000000000:0x4
"Microsoft-Windows-PDC":0x1000000000000:0x4
"Microsoft-Windows-Shell-AuthUI":0x1000000000000:0x4
36b6f488-aad7-48c2-afe3-d4ec2c8b46fa:0x10000:0xff
"Microsoft-Windows-Dwm-Core":0x1000000000000:0x4
"Microsoft-Windows-ProcessStateManager":0xffffffffffffffff:0xff
"Microsoft-Windows-DXP":0x1000000000000:0x4
"Microsoft-Windows-UserPnp":0x1000000000000:0x4
"Microsoft-Windows-AppXDeployment-Server":0x1000000000000:0x4
"Microsoft-Windows-MediaEngine":0x1000000000000:0x4
"Microsoft-Windows-HealthCenter":0x1000000000000:0x4
"Microsoft-Windows-Ncasvc":0x1000000000000:0x4
"Microsoft-Windows-Kernel-Power":0x1000000000000:0x4
"Microsoft-JScript":0x1:0xff
"Microsoft-Windows-VolumeControl":0x1000000000000:0x4
"Microsoft-Windows-PrimaryNetworkIcon":0x1000000000000:0x4
"Microsoft-Windows-IME-SCTIP":0x1000000000000:0x4
"Microsoft-Windows-NetworkProfile":0x1000000000000:0x4
".NET Common Language Runtime":0x98:0x5
"Microsoft-Windows-IME-TIP":0x1000000000000:0x4
"Microsoft-Windows-DxpTaskRingtone":0x1000000000000:0x4
"Microsoft-Windows-IME-TCTIP":0x1000000000000:0x4
"Microsoft-Windows-MediaFoundation-MFCaptureEngine":0x1000000000000:0x4
"Microsoft-Windows-DisplaySwitch":0x1000000000000:0x4
"Microsoft-Windows-LUA":0x1000000000000:0x4
"Microsoft-Windows-DateTimeControlPanel":0x1000000000000:0x4
"Microsoft-Windows-TabletPC-InputPanel":0x1000000000000:0x4
"Microsoft-Windows-TaskScheduler":0x1000000000000:0x4
"Microsoft-Windows-Help":0x1000000000000:0x4
"Microsoft-Windows-Audio":0x1000000000000:0x4
"Microsoft-Windows-MediaFoundation-Performance":0x1000000000000:0x4
"Microsoft-Windows-UserAccountControl":0x1000000000000:0x4
"Microsoft-Windows-IME-JPTIP":0x1000000000000:0x4
"Microsoft-Windows-WMP":0x1000000000000:0x4
"Microsoft-Windows-Graphics-Printing":0x1000000000000:0x4
"Microsoft-Windows-Dwm-Udwm":0x1000000000000:0x4
"Microsoft-Windows-ComDlg32":0x1000000000000:0x4
"Microsoft-Windows-Dhcp-Client":0x1000000000000:0x4
"Microsoft-Windows-Display":0x1000000000000:0x4
"Microsoft-Windows-UxTheme":0x1000000000000:0x4
"Microsoft-Windows-DxpTaskSyncProvider":0x1000000000000:0x4
"Microsoft-Windows-NCSI":0x1000000000000:0x4
"Microsoft-Windows-DeviceUx":0x1000000000000:0x4
"Microsoft-Windows-HealthCenterCPL":0x1000000000000:0x4
"Microsoft-Windows-User Profiles Service":0x1000000000000:0x4
"Microsoft-Windows-Networking-Correlation":0xffffffffffffffff:0xff
"Microsoft-Windows-Store-Client-UI":0x1000000000000:0x4
"Microsoft-Windows-Immersive-Shell-API":0x1000000000000:0x4
"Microsoft-Windows-WindowsUIImmersive":0x1000000000000:0x4
"Microsoft-Windows-Winlogon":0x1000000000000:0x4
"Microsoft-Windows-PrintDialogs":0x1000000000000:0x4
"Microsoft-Windows-All-User-Install-Agent":0x1000000000000:0x4
"Microsoft-Windows-PowerShell":0x1000000000000:0x4
"Microsoft-Windows-Services":0x1000000000000:0x4
"Microsoft-Windows-RPC":0xffffffffffffffff:0x4
"Microsoft-Windows-ThemeCPL":0x1000000000000:0x4
"Microsoft-Windows-AltTab":0x1000000000000:0x4
"Microsoft-Windows-Win32k":0x1000000402000:0xff
"Microsoft-Windows-Shell-Core":0x1000000000000:0x4
"Microsoft-Windows-BrokerInfrastructure":0x1000000000001:0xff
"Microsoft-Windows-Superfetch":0x1000000000000:0x4
"Microsoft-Windows-SystemSettings":0x1000000000000:0x4
"Microsoft-Windows-DriverFrameworks-UserMode":0x1000000000000:0x4
"Microsoft-Windows-DHCPv6-Client":0x1000000000000:0x4
-
Edited by
Cam Sinclair
Tuesday, December 09, 2014 10:21 AM
-
Proposed as answer by
Cam Sinclair
Tuesday, December 09, 2014 10:22 AM
December 9th, 2014 10:06am
I've had a bit of a look at this using the following commands which can reveal the details of currently active ETW sessions:
xperf -loggers
tracelog -q "WPR_initiated_WprApp_WPR System Collector"
tracelog -q "WPR_initiated_WprApp_WPR Event Collector"
The xperf one gives good details for all but secured sessions, for those tracelog -q tends to be more informative. Tracelog doesn't seem to give much useful info for the non-secured WPR session.
From these results, one can determine (I'm basing these results on WPRUI.exe - Windows Performance Recorder 6.3.9600.16384) that
First Level Triage is a superset of CPU Only. The only effect of enabling both as compared to only running Triage is that the maximum buffer counts of the sessions will be increased.
Specifically, CPU Only enables these kernel provider flags:
Process Thread ImageLoad CxtSwap Profile Power MemInfo Priority Dispatcher CpuConfig KernelQueue
and collects stacks for:
CSwitch ReadyThread KernelQueueEnqueue KernelQueueDequeue Profile
whereas FirstLevelTriage enables:
Process Thread ProcCounters ImageLoad DiskIo HardFaults CxtSwap Dpc Isr Profile Power MemInfo MemInfoWs Priority Dispatcher CpuConfig KernelQueue WdfDriverDpc WdfDriverInterrupt
with stacks on:
DiskRead DiskWrite DiskFlush ThreadDCEnd CSwitch ReadyThread KernelQueueEnqueue KernelQueueDequeue Profile
Doing a diff gives the additional flags enabled by Triage:
ProcCounters DiskIo HardFaults Dpc Isr MemInfoWs WdfDriverDpc WdfDriverInterrupt
and for stack collection:
DiskRead DiskWrite DiskFlush ThreadDCEnd
Edit: Forgot about the user mode providers, First Level Triage enables the following additional providers:
9580d7dd-0379-4658-9870-d5be7d52d6de:0x200:0xff
0a002690-3839-4e3a-b3b6-96d8df868d99:0xffffffffffffffff:0x5
"Microsoft-Windows-COMRuntime":0x3:0xff
49c2c27c-fe2d-40bf-8c4e-c3fb518037e7:0xffffffffffffffff:0xff
751ef305-6c6e-4fed-b847-02ef79d26aef:0xffffffffffffffff:0xff
cfeb0608-330e-4410-b00d-56d8da9986e6:0xffffffffffffffff:0xff
8e92deef-5e17-413b-b927-59b2f06a3cfc:0xffffffffffffffff:0xff
e4b70372-261f-4c54-8fa6-a5a7914d73da:0xffffffffffffffff:0xff
(no idea what they do, but you can do things like searching for .man files containing the GUIDs or querying running executables with
logman providers -pid to find what providers they expose, that might give hints as to their function)
Also, some extra flags are enabled on the Immersive-Shell, Kernel-Pore and NCSI providers.
The common subset of user providers between them is:
"Microsoft-Windows-PowerCpl":0x1000000000000:0x4
"Microsoft-Windows-WinINet":0x1000000000000:0x4
"Microsoft-Windows-UIAutomationCore":0x1000000000000:0x4
"Microsoft-Windows-ntshrui":0x1000000000000:0x4
"Microsoft-Windows-Kernel-PnP":0x1000000000000:0x4
"Microsoft-Windows-NlaSvc":0x1000000000000:0x4
"Microsoft-Windows-Diagnosis-MSDE":0x1000000000000:0x4
"Microsoft-Windows-Diagnosis-WDC":0x1000000000000:0x4
"Microsoft-Windows-AppHost":0x1000000000000:0x4
"Microsoft-Windows-PushNotifications-Platform":0x1000000000000:0x4
"Microsoft-Windows-ErrorReportingConsole":0x1000000000000:0x4
"Microsoft-Windows-IME-KRTIP":0x1000000000000:0x4
"Microsoft-Windows-RPCSS":0xffffffffffffffff:0x4
"Microsoft-Windows-Network-and-Sharing-Center":0x1000000000000:0x4
"Microsoft-Windows-WPDClassInstaller":0x1000000000000:0x4
e7ef96be-969f-414f-97d7-3ddb7b558ccc:0x2000:0xff
"Microsoft-PerfTrack-MSHTML":0x1000000000000:0x4
"Microsoft-Windows-DiagCpl":0x1000000000000:0x4
"Microsoft-Windows-stobject":0x1000000000000:0x4
"Microsoft-Windows-DeviceSetupManager":0x1000000000000:0x4
"Microsoft-Windows-Kernel-BootDiagnostics":0x1000000000000:0x4
"Microsoft-Windows-Diagnostics-Networking":0x1000000000000:0x4
"Microsoft-Windows-Immersive-Shell":0x1000000000000:0x4
"Microsoft-PerfTrack-IEFRAME":0x1000000000000:0x4
"Microsoft-Windows-WindowsUpdateClient":0x1000000000000:0x4
"Microsoft-Windows-VAN":0x1000000000000:0x4
"Microsoft-Windows-NetworkGCW":0x1000000000000:0x4
"Microsoft-Windows-Netshell":0x1000000000000:0x4
"Microsoft-Windows-ThemeUI":0x1000000000000:0x4
"Microsoft-Windows-DxgKrnl":0x1000000000000:0x4
"Microsoft-Windows-Diagnosis-AdvancedTaskManager":0x1000000000000:0x4
"Microsoft-Windows-User-ControlPanel":0x1000000000000:0x4
"Microsoft-Windows-Documents":0x1000000000000:0x4
"Microsoft-Windows-PDC":0x1000000000000:0x4
"Microsoft-Windows-Shell-AuthUI":0x1000000000000:0x4
36b6f488-aad7-48c2-afe3-d4ec2c8b46fa:0x10000:0xff
"Microsoft-Windows-Dwm-Core":0x1000000000000:0x4
"Microsoft-Windows-ProcessStateManager":0xffffffffffffffff:0xff
"Microsoft-Windows-DXP":0x1000000000000:0x4
"Microsoft-Windows-UserPnp":0x1000000000000:0x4
"Microsoft-Windows-AppXDeployment-Server":0x1000000000000:0x4
"Microsoft-Windows-MediaEngine":0x1000000000000:0x4
"Microsoft-Windows-HealthCenter":0x1000000000000:0x4
"Microsoft-Windows-Ncasvc":0x1000000000000:0x4
"Microsoft-Windows-Kernel-Power":0x1000000000000:0x4
"Microsoft-JScript":0x1:0xff
"Microsoft-Windows-VolumeControl":0x1000000000000:0x4
"Microsoft-Windows-PrimaryNetworkIcon":0x1000000000000:0x4
"Microsoft-Windows-IME-SCTIP":0x1000000000000:0x4
"Microsoft-Windows-NetworkProfile":0x1000000000000:0x4
".NET Common Language Runtime":0x98:0x5
"Microsoft-Windows-IME-TIP":0x1000000000000:0x4
"Microsoft-Windows-DxpTaskRingtone":0x1000000000000:0x4
"Microsoft-Windows-IME-TCTIP":0x1000000000000:0x4
"Microsoft-Windows-MediaFoundation-MFCaptureEngine":0x1000000000000:0x4
"Microsoft-Windows-DisplaySwitch":0x1000000000000:0x4
"Microsoft-Windows-LUA":0x1000000000000:0x4
"Microsoft-Windows-DateTimeControlPanel":0x1000000000000:0x4
"Microsoft-Windows-TabletPC-InputPanel":0x1000000000000:0x4
"Microsoft-Windows-TaskScheduler":0x1000000000000:0x4
"Microsoft-Windows-Help":0x1000000000000:0x4
"Microsoft-Windows-Audio":0x1000000000000:0x4
"Microsoft-Windows-MediaFoundation-Performance":0x1000000000000:0x4
"Microsoft-Windows-UserAccountControl":0x1000000000000:0x4
"Microsoft-Windows-IME-JPTIP":0x1000000000000:0x4
"Microsoft-Windows-WMP":0x1000000000000:0x4
"Microsoft-Windows-Graphics-Printing":0x1000000000000:0x4
"Microsoft-Windows-Dwm-Udwm":0x1000000000000:0x4
"Microsoft-Windows-ComDlg32":0x1000000000000:0x4
"Microsoft-Windows-Dhcp-Client":0x1000000000000:0x4
"Microsoft-Windows-Display":0x1000000000000:0x4
"Microsoft-Windows-UxTheme":0x1000000000000:0x4
"Microsoft-Windows-DxpTaskSyncProvider":0x1000000000000:0x4
"Microsoft-Windows-NCSI":0x1000000000000:0x4
"Microsoft-Windows-DeviceUx":0x1000000000000:0x4
"Microsoft-Windows-HealthCenterCPL":0x1000000000000:0x4
"Microsoft-Windows-User Profiles Service":0x1000000000000:0x4
"Microsoft-Windows-Networking-Correlation":0xffffffffffffffff:0xff
"Microsoft-Windows-Store-Client-UI":0x1000000000000:0x4
"Microsoft-Windows-Immersive-Shell-API":0x1000000000000:0x4
"Microsoft-Windows-WindowsUIImmersive":0x1000000000000:0x4
"Microsoft-Windows-Winlogon":0x1000000000000:0x4
"Microsoft-Windows-PrintDialogs":0x1000000000000:0x4
"Microsoft-Windows-All-User-Install-Agent":0x1000000000000:0x4
"Microsoft-Windows-PowerShell":0x1000000000000:0x4
"Microsoft-Windows-Services":0x1000000000000:0x4
"Microsoft-Windows-RPC":0xffffffffffffffff:0x4
"Microsoft-Windows-ThemeCPL":0x1000000000000:0x4
"Microsoft-Windows-AltTab":0x1000000000000:0x4
"Microsoft-Windows-Win32k":0x1000000402000:0xff
"Microsoft-Windows-Shell-Core":0x1000000000000:0x4
"Microsoft-Windows-BrokerInfrastructure":0x1000000000001:0xff
"Microsoft-Windows-Superfetch":0x1000000000000:0x4
"Microsoft-Windows-SystemSettings":0x1000000000000:0x4
"Microsoft-Windows-DriverFrameworks-UserMode":0x1000000000000:0x4
"Microsoft-Windows-DHCPv6-Client":0x1000000000000:0x4
-
Edited by
Cam Sinclair
Tuesday, December 09, 2014 10:21 AM
-
Proposed as answer by
Cam Sinclair
Tuesday, December 09, 2014 10:22 AM
December 9th, 2014 10:06am
"Microsoft-Windows-HealthCenter":0x1000000000000:0x4
"Microsoft-Windows-Ncasvc":0x1000000000000:0x4
"Microsoft-Windows-Kernel-Power":0x1000000000000:0x4
"Microsoft-JScript":0x1:0xff
"Microsoft-Windows-VolumeControl":0x1000000000000:0x4
"Microsoft-Windows-PrimaryNetworkIcon":0x1000000000000:0x4
"Microsoft-Windows-IME-SCTIP":0x1000000000000:0x4
"Microsoft-Windows-NetworkProfile":0x1000000000000:0x4
".NET Common Language Runtime":0x98:0x5
"Microsoft-Windows-IME-TIP":0x1000000000000:0x4
"Microsoft-Windows-DxpTaskRingtone":0x1000000000000:0x4
"Microsoft-Windows-IME-TCTIP":0x1000000000000:0x4
"Microsoft-Windows-MediaFoundation-MFCaptureEngine":0x1000000000000:0x4
"Microsoft-Windows-DisplaySwitch":0x1000000000000:0x4
"Microsoft-Windows-LUA":0x1000000000000:0x4
"Microsoft-Windows-DateTimeControlPanel":0x1000000000000:0x4
"Microsoft-Windows-TabletPC-InputPanel":0x1000000000000:0x4
"Microsoft-Windows-TaskScheduler":0x1000000000000:0x4
"Microsoft-Windows-Help":0x1000000000000:0x4
"Microsoft-Windows-Audio":0x1000000000000:0x4
"Microsoft-Windows-MediaFoundation-Performance":0x1000000000000:0x4
"Microsoft-Windows-UserAccountControl":0x1000000000000:0x4
"Microsoft-Windows-IME-JPTIP":0x1000000000000:0x4
"Microsoft-Windows-WMP":0x1000000000000:0x4
"Microsoft-Windows-Graphics-Printing":0x1000000000000:0x4
"Microsoft-Windows-Dwm-Udwm":0x1000000000000:0x4
"Microsoft-Windows-ComDlg32":0x1000000000000:0x4
"Microsoft-Windows-Dhcp-Client":0x1000000000000:0x4
"Microsoft-Windows-Display":0x1000000000000:0x4
"Microsoft-Windows-UxTheme":0x1000000000000:0x4
"Microsoft-Windows-DxpTaskSyncProvider":0x1000000000000:0x4
"Microsoft-Windows-NCSI":0x1000000000000:0x4
"Microsoft-Windows-DeviceUx":0x1000000000000:0x4
"Microsoft-Windows-HealthCenterCPL":0x1000000000000:0x4
"Microsoft-Windows-User Profiles Service":0x1000000000000:0x4
"Microsoft-Windows-Networking-Correlation":0xffffffffffffffff:0xff
"Microsoft-Windows-Store-Client-UI":0x1000000000000:0x4
"Microsoft-Windows-Immersive-Shell-API":0x1000000000000:0x4
"Microsoft-Windows-WindowsUIImmersive":0x1000000000000:0x4
"Microsoft-Windows-Winlogon":0x1000000000000:0x4
"Microsoft-Windows-PrintDialogs":0x1000000000000:0x4
"Microsoft-Windows-All-User-Install-Agent":0x1000000000000:0x4
"Microsoft-Windows-PowerShell":0x1000000000000:0x4
"Microsoft-Windows-Services":0x1000000000000:0x4
"Microsoft-Windows-RPC":0xffffffffffffffff:0x4
"Microsoft-Windows-ThemeCPL":0x1000000000000:0x4
"Microsoft-Windows-AltTab":0x1000000000000:0x4
"Microsoft-Windows-Win32k":0x1000000402000:0xff
"Microsoft-Windows-Shell-Core":0x1000000000000:0x4
"Microsoft-Windows-BrokerInfrastructure":0x1000000000001:0xff
"Microsoft-Windows-Superfetch":0x1000000000000:0x4
"Microsoft-Windows-SystemSettings":0x1000000000000:0x4
"Microsoft-Windows-DriverFrameworks-UserMode":0x1000000000000:0x4
"Microsoft-Windows-DHCPv6-Client":0x1000000000000:0x4
Edited by Cam Sinclair, Tuesday, December 09, 2014 10:21 AM
Proposed as answer by Cam Sinclair, Tuesday, December 09, 2014 10:22 AM
December 9th, 2014 10:06am
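The comparison the answer above does by hand can be automated over the captured text. The following is an added example, not code from the forum post or from Microsoft's tooling: the kernel flag and stack-walk lists are copied from the answer as constructed data, and a handful of user-mode provider lines are parsed in the `<name-or-GUID>:<MatchAnyKeyword>:<level>` form that `xperf -loggers` reports. The script checks the superset claim, produces both diffs, decodes keyword masks and trace levels, and emits the identification commands the answer suggests (using the real `logman query providers` syntax rather than the shortened form in the post; the `findstr` search over .man files is my addition). The one assumption beyond the page is that bit 48 (0x1000000000000) is the reserved manifest keyword win:ResponseTime, which is flagged as assumed in the code. Python is used because the analysis runs on the saved output, not on the live system.

```python
"""Diff WPR profile settings recovered from xperf -loggers / tracelog -q output.

Added example, not code from the forum post. The flag, stack and provider
lines are copied from the post; the keyword-bit name is an assumption noted inline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Kernel (NT) provider flags and stack-walk events, as listed in the post.
CPU_ONLY_FLAGS = ("Process Thread ImageLoad CxtSwap Profile Power MemInfo "
                  "Priority Dispatcher CpuConfig KernelQueue").split()
CPU_ONLY_STACKS = "CSwitch ReadyThread KernelQueueEnqueue KernelQueueDequeue Profile".split()
TRIAGE_FLAGS = ("Process Thread ProcCounters ImageLoad DiskIo HardFaults CxtSwap Dpc Isr "
                "Profile Power MemInfo MemInfoWs Priority Dispatcher CpuConfig KernelQueue "
                "WdfDriverDpc WdfDriverInterrupt").split()
TRIAGE_STACKS = ("DiskRead DiskWrite DiskFlush ThreadDCEnd CSwitch ReadyThread "
                 "KernelQueueEnqueue KernelQueueDequeue Profile").split()

# Constructed sample: a few user-mode provider lines in the
# <name-or-GUID>:<MatchAnyKeyword>:<level> form the post quotes.
SAMPLE_PROVIDER_LINES = """
9580d7dd-0379-4658-9870-d5be7d52d6de:0x200:0xff
"Microsoft-Windows-COMRuntime":0x3:0xff
"Microsoft-Windows-RPCSS":0xffffffffffffffff:0x4
"Microsoft-Windows-PowerCpl":0x1000000000000:0x4
"Microsoft-Windows-Win32k":0x1000000402000:0xff
"""

# ETW TRACE_LEVEL_* values; 0xff enables every level.
LEVEL_NAMES = {1: "Critical", 2: "Error", 3: "Warning", 4: "Information", 5: "Verbose", 0xFF: "All"}

# Assumption: bit 48 (0x1000000000000) is the reserved manifest keyword
# win:ResponseTime, which would explain why most shell/UI providers in the
# post are enabled with exactly that mask at level 4.
RESERVED_KEYWORD_BITS = {48: "win:ResponseTime (assumed)"}

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
LINE_RE = re.compile(r'^"?([^"]+?)"?:(0x[0-9a-f]+):(0x[0-9a-f]+)$', re.I)


@dataclass(frozen=True)
class Provider:
    ident: str      # provider name, or GUID string when no name is registered
    keywords: int   # 64-bit MatchAnyKeyword mask
    level: int      # maximum level enabled

    @property
    def is_guid(self) -> bool:
        return GUID_RE.match(self.ident) is not None

    def keyword_bits(self) -> list[int]:
        """Set bit positions of the keyword mask, lowest first."""
        return [b for b in range(64) if (self.keywords >> b) & 1]

    def describe(self) -> str:
        level = LEVEL_NAMES.get(self.level, hex(self.level))
        if self.keywords == 0xFFFFFFFFFFFFFFFF:
            kw = "all keywords"
        else:
            kw = ", ".join(f"bit {b} {RESERVED_KEYWORD_BITS.get(b, '')}".rstrip()
                           for b in self.keyword_bits())
        kind = "GUID" if self.is_guid else "name"
        return f"{self.ident} [{kind}] level={level} keywords={kw}"

    def lookup_hint(self) -> list[str]:
        """Commands to identify the provider on a live box (real logman syntax)."""
        if self.is_guid:
            return [f'findstr /m /i "{self.ident}" %SystemRoot%\\System32\\*.man',
                    "logman query providers -pid <pid>"]
        return [f'logman query providers "{self.ident}"']


def parse_provider(line: str) -> Provider:
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised provider line: {line!r}")
    ident, keywords, level = m.groups()
    return Provider(ident, int(keywords, 16), int(level, 16))


def parse_provider_list(text: str) -> list[Provider]:
    return [parse_provider(l) for l in text.splitlines() if l.strip()]


def diff_sets(a: Iterable[str], b: Iterable[str]) -> tuple[list[str], list[str]]:
    """Return (only_in_a, only_in_b), each sorted."""
    sa, sb = set(a), set(b)
    return sorted(sa - sb), sorted(sb - sa)


def is_superset(bigger: Iterable[str], smaller: Iterable[str]) -> bool:
    return set(smaller) <= set(bigger)


if __name__ == "__main__":
    print("Triage is a superset of CPU Only:",
          is_superset(TRIAGE_FLAGS, CPU_ONLY_FLAGS) and is_superset(TRIAGE_STACKS, CPU_ONLY_STACKS))
    extra_flags, _ = diff_sets(TRIAGE_FLAGS, CPU_ONLY_FLAGS)
    extra_stacks, _ = diff_sets(TRIAGE_STACKS, CPU_ONLY_STACKS)
    print("extra kernel flags:", " ".join(extra_flags))
    print("extra stack walks:", " ".join(extra_stacks))
    for p in parse_provider_list(SAMPLE_PROVIDER_LINES):
        print(p.describe())
        for cmd in p.lookup_hint():
            print("   ->", cmd)
```

Paste the full provider lists from the two profiles into two strings and run `diff_sets` over the parsed identifiers to reproduce the "common subset" and "additional providers" lists; `describe()` makes it obvious which providers are enabled wide open (all keywords, level 0xff) versus restricted to a single keyword bit, which is what determines how much a profile actually adds to the trace.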
"Microsoft-Windows-MediaFoundation-Performance":0x1000000000000:0x4
"Microsoft-Windows-UserAccountControl":0x1000000000000:0x4
"Microsoft-Windows-IME-JPTIP":0x1000000000000:0x4
"Microsoft-Windows-WMP":0x1000000000000:0x4
"Microsoft-Windows-Graphics-Printing":0x1000000000000:0x4
"Microsoft-Windows-Dwm-Udwm":0x1000000000000:0x4
"Microsoft-Windows-ComDlg32":0x1000000000000:0x4
"Microsoft-Windows-Dhcp-Client":0x1000000000000:0x4
"Microsoft-Windows-Display":0x1000000000000:0x4
"Microsoft-Windows-UxTheme":0x1000000000000:0x4
"Microsoft-Windows-DxpTaskSyncProvider":0x1000000000000:0x4
"Microsoft-Windows-NCSI":0x1000000000000:0x4
"Microsoft-Windows-DeviceUx":0x1000000000000:0x4
"Microsoft-Windows-HealthCenterCPL":0x1000000000000:0x4
"Microsoft-Windows-User Profiles Service":0x1000000000000:0x4
"Microsoft-Windows-Networking-Correlation":0xffffffffffffffff:0xff
"Microsoft-Windows-Store-Client-UI":0x1000000000000:0x4
"Microsoft-Windows-Immersive-Shell-API":0x1000000000000:0x4
"Microsoft-Windows-WindowsUIImmersive":0x1000000000000:0x4
"Microsoft-Windows-Winlogon":0x1000000000000:0x4
"Microsoft-Windows-PrintDialogs":0x1000000000000:0x4
"Microsoft-Windows-All-User-Install-Agent":0x1000000000000:0x4
"Microsoft-Windows-PowerShell":0x1000000000000:0x4
"Microsoft-Windows-Services":0x1000000000000:0x4
"Microsoft-Windows-RPC":0xffffffffffffffff:0x4
"Microsoft-Windows-ThemeCPL":0x1000000000000:0x4
"Microsoft-Windows-AltTab":0x1000000000000:0x4
"Microsoft-Windows-Win32k":0x1000000402000:0xff
"Microsoft-Windows-Shell-Core":0x1000000000000:0x4
"Microsoft-Windows-BrokerInfrastructure":0x1000000000001:0xff
"Microsoft-Windows-Superfetch":0x1000000000000:0x4
"Microsoft-Windows-SystemSettings":0x1000000000000:0x4
"Microsoft-Windows-DriverFrameworks-UserMode":0x1000000000000:0x4
"Microsoft-Windows-DHCPv6-Client":0x1000000000000:0x4
Edited by Cam Sinclair, Tuesday, December 09, 2014 10:21 AM
Proposed as answer by Cam Sinclair, Tuesday, December 09, 2014 10:22 AM
December 9th, 2014 10:06am
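As an added example (not code from this thread, from WPR or from any Microsoft tool), the following Python script parses the provider:keywords:level lines printed above and diffs two profiles' user-mode provider sets the same way the answer diffs the kernel flags by hand, also flagging providers whose keyword mask changed. It assumes that keyword bit 0x1000000000000 is the winmeta.xml ResponseTime keyword, and the extra Immersive-Shell and NCSI bits in its sample data are constructed, since the answer only says "some extra flags" without listing them.

```python
"""Parse 'provider:0xkeywords:0xlevel' lines (as shown by xperf -loggers /
tracelog -q for a WPR session) and diff two profiles' provider sets."""
import re
from dataclasses import dataclass

# ETW trace levels (TRACE_LEVEL_* from evntrace.h); 0xff means every level.
LEVEL_NAMES = {0x0: "Always", 0x1: "Critical", 0x2: "Error", 0x3: "Warning",
               0x4: "Informational", 0x5: "Verbose", 0xff: "All"}

# Microsoft-reserved keyword bit, assumed from winmeta.xml; only the one bit that
# appears on nearly every provider in the thread's lists is decoded here.
RESERVED_KEYWORDS = {0x0001000000000000: "ResponseTime"}
ALL_KEYWORDS = 0xFFFFFFFFFFFFFFFF

# Provider is either a quoted name or a bare GUID; keywords and level are hex.
LINE_RE = re.compile(
    r'^(?:"(?P<name>[^"]+)"|(?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}))'
    r':0x(?P<kw>[0-9a-fA-F]{1,16}):0x(?P<lvl>[0-9a-fA-F]{1,2})$')


@dataclass(frozen=True)
class ProviderSpec:
    provider: str   # quoted name, or lower-cased GUID for unnamed providers
    keywords: int   # 64-bit keyword match mask
    level: int      # maximum trace level


def parse_spec(line: str) -> ProviderSpec:
    """Parse one spec line; reject anything that is not provider:0xkw:0xlevel."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a provider spec: {line!r}")
    provider = m.group("name") or m.group("guid").lower()
    return ProviderSpec(provider, int(m.group("kw"), 16), int(m.group("lvl"), 16))


def parse_profile(text: str) -> dict:
    """Map provider -> ProviderSpec for a block of spec lines (blank lines skipped)."""
    return {s.provider: s for s in (parse_spec(l) for l in text.splitlines() if l.strip())}


def describe_keywords(mask: int) -> str:
    """Render a mask as reserved-keyword names plus any leftover provider-specific bits."""
    if mask == ALL_KEYWORDS:
        return "ALL"
    parts = []
    for bit, name in RESERVED_KEYWORDS.items():
        if mask & bit:
            parts.append(name)
            mask &= ~bit
    if mask:
        parts.append(f"0x{mask:x}")
    return "|".join(parts) if parts else "none"


def diff_profiles(base: dict, extended: dict) -> dict:
    """Providers only in `extended`, only in `base`, and providers in both whose
    keyword mask or level differ (reporting the keyword bits `extended` adds)."""
    added = sorted(set(extended) - set(base))
    removed = sorted(set(base) - set(extended))
    changed = {}
    for name in set(base) & set(extended):
        b, e = base[name], extended[name]
        if b.keywords != e.keywords or b.level != e.level:
            changed[name] = {"added_keywords": e.keywords & ~b.keywords,
                             "level": (b.level, e.level)}
    return {"added": added, "removed": removed, "changed": changed}


# Constructed sample: a few lines taken from the lists above as the "CPU Only"
# side, and the same plus the extras the answer names for "First Level Triage".
# The added Immersive-Shell (0x1) and NCSI (0x2) keyword bits are made up.
CPU_ONLY = '''
"Microsoft-Windows-PowerCpl":0x1000000000000:0x4
"Microsoft-Windows-Immersive-Shell":0x1000000000000:0x4
"Microsoft-Windows-NCSI":0x1000000000000:0x4
"Microsoft-Windows-Win32k":0x1000000402000:0xff
"Microsoft-Windows-RPC":0xffffffffffffffff:0x4
'''
FIRST_LEVEL_TRIAGE = '''
"Microsoft-Windows-PowerCpl":0x1000000000000:0x4
"Microsoft-Windows-Immersive-Shell":0x1000000000001:0x4
"Microsoft-Windows-NCSI":0x1000000000002:0x4
"Microsoft-Windows-Win32k":0x1000000402000:0xff
"Microsoft-Windows-RPC":0xffffffffffffffff:0x4
9580d7dd-0379-4658-9870-d5be7d52d6de:0x200:0xff
"Microsoft-Windows-COMRuntime":0x3:0xff
'''


def triage_minus_cpu_only() -> dict:
    """What First Level Triage enables beyond CPU Only, for the sample above."""
    return diff_profiles(parse_profile(CPU_ONLY), parse_profile(FIRST_LEVEL_TRIAGE))


if __name__ == "__main__":
    triage = parse_profile(FIRST_LEVEL_TRIAGE)
    d = triage_minus_cpu_only()
    for p in d["added"]:
        s = triage[p]
        print(f"+ {p}: keywords={describe_keywords(s.keywords)} "
              f"level={LEVEL_NAMES.get(s.level, hex(s.level))}")
    for p, c in d["changed"].items():
        print(f"~ {p}: added keywords={describe_keywords(c['added_keywords'])} "
              f"level {c['level'][0]:#x}->{c['level'][1]:#x}")
```

Paste the two provider lists from xperf -loggers output into CPU_ONLY and FIRST_LEVEL_TRIAGE to reproduce the comparison on your own traces.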
"Microsoft-Windows-WindowsUIImmersive":0x1000000000000:0x4
"Microsoft-Windows-Winlogon":0x1000000000000:0x4
"Microsoft-Windows-PrintDialogs":0x1000000000000:0x4
"Microsoft-Windows-All-User-Install-Agent":0x1000000000000:0x4
"Microsoft-Windows-PowerShell":0x1000000000000:0x4
"Microsoft-Windows-Services":0x1000000000000:0x4
"Microsoft-Windows-RPC":0xffffffffffffffff:0x4
"Microsoft-Windows-ThemeCPL":0x1000000000000:0x4
"Microsoft-Windows-AltTab":0x1000000000000:0x4
"Microsoft-Windows-Win32k":0x1000000402000:0xff
"Microsoft-Windows-Shell-Core":0x1000000000000:0x4
"Microsoft-Windows-BrokerInfrastructure":0x1000000000001:0xff
"Microsoft-Windows-Superfetch":0x1000000000000:0x4
"Microsoft-Windows-SystemSettings":0x1000000000000:0x4
"Microsoft-Windows-DriverFrameworks-UserMode":0x1000000000000:0x4
"Microsoft-Windows-DHCPv6-Client":0x1000000000000:0x4
Edited by Cam Sinclair, Tuesday, December 09, 2014 10:21 AM
Proposed as answer by Cam Sinclair, Tuesday, December 09, 2014 10:22 AM
December 9th, 2014 1:06pm
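The by-hand comparison in the answer above (which providers only Triage enables, the common subset, and common providers on which Triage turns on extra flags) can be automated. This is an added example, not code from the original post or from the WPR/xperf tooling: it parses the `"Name":keywords:level` lines that `tracelog -q` / `xperf -loggers` print for a session and diffs two such lists. The two sample lists are constructed for illustration; the extra keyword bit and level in the Triage-style sample are made up, not the real profile values.

```python
"""Diff two ETW sessions' user-mode provider lists as printed by tracelog -q /
xperf -loggers, e.g.  "Microsoft-Windows-Win32k":0x1000000402000:0xff"""
import re
from dataclasses import dataclass

# Quoted provider name or bare provider GUID, then ":keywords:level" in hex.
PROVIDER_RE = re.compile(
    r'^(?:"([^"]+)"|([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}))'
    r':(0x[0-9a-fA-F]+):(0x[0-9a-fA-F]+)$')

@dataclass(frozen=True)
class Provider:
    name: str      # manifest name, or lower-cased GUID for an unregistered provider
    keywords: int  # keyword mask the session enabled
    level: int     # maximum level the session enabled

def parse_providers(text: str) -> dict:
    """Parse provider lines into a dict keyed by provider name or GUID."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROVIDER_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised provider line: {line!r}")
        name = m.group(1) or m.group(2).lower()
        result[name] = Provider(name, int(m.group(3), 16), int(m.group(4), 16))
    return result

def diff_sessions(base: dict, extended: dict) -> dict:
    """Providers only `extended` enables, the common subset, and for common
    providers the extra keyword bits / level increase that only `extended` has."""
    only_extended = sorted(set(extended) - set(base))
    common = sorted(set(base) & set(extended))
    extra_flags = {}
    for name in common:
        b, e = base[name], extended[name]
        extra_bits = e.keywords & ~b.keywords        # bits set in extended only
        if extra_bits or e.level > b.level:
            extra_flags[name] = (extra_bits, max(0, e.level - b.level))
    return {"only_extended": only_extended, "common": common, "extra_flags": extra_flags}

# Constructed sample sessions (not real tracelog output): a CPU-Only-style list and a
# Triage-style list that adds two providers, one extra keyword bit and one level.
CPU_ONLY_SAMPLE = '''"Microsoft-Windows-Kernel-Power":0x1000000000000:0x4
"Microsoft-Windows-NCSI":0x1000000000000:0x4
"Microsoft-Windows-Immersive-Shell":0x1000000000000:0x4'''
TRIAGE_SAMPLE = '''"Microsoft-Windows-Kernel-Power":0x1000000000040:0x4
"Microsoft-Windows-NCSI":0x1000000000000:0x4
"Microsoft-Windows-Immersive-Shell":0x1000000000000:0x5
"Microsoft-Windows-COMRuntime":0x3:0xff
9580d7dd-0379-4658-9870-d5be7d52d6de:0x200:0xff'''

def triage_report() -> dict:
    """Diff the constructed samples with CPU Only as base and Triage as extended."""
    return diff_sessions(parse_providers(CPU_ONLY_SAMPLE), parse_providers(TRIAGE_SAMPLE))
```

To use it on real sessions, paste the provider block from each `tracelog -q` run into the two strings; the `extra_flags` entries are the ones a line-by-line diff of provider names alone would miss.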