What Is Bootckcl.etl and Why Does It Get Generated At Every Boot?


Summary:   Milad Aslaner , a Microsoft Premier Field Engineer based in Germany, walks us through a quick, easy, and built in way to explore boot time process and performance on your Windows machines. Enjoy!


Microsoft Windows LogoDid you know that at each boot your Windows 7 machine generates a boot trace?  No?  I’m not surprised.  Most of the time when I’m showing the Bootckcl.etl log file to my customers they are really surprised that Windows has a built-in boot trace.

Really important first of all:  yes, Bootckcl.etl is a boot trace, and yes, you can utilize XPerf from Windows Performance Analysis Toolkit (WPT) to analyze it, but its intent is to give you a high level overview of your boot performance.  It’s not a deep log file which contains a lot of providers.  For example, you won’t be able to do any stack walking or check the processing of group policy.

The Bootckcl.etl file is stored under C:\Windows\System32\WDI\LogFiles.  It’s a hidden folder and you require administrative privileges for it.  I recommend copying the log file, for example, on your desktop and then start it with XPerf.  You can get XPerf version 4 in the Windows SDK or version 5 in the Windows ADK.

If you are interested in just identifying the boot time, the most interesting graphs are Process Lifetimes and Generic Events. For example, just mark with your mouse in the Generic Events graph both red lines and the total time is the boot time of that machine.  You can also do it with Process Lifetime by marking the area where the system starts to the end of explorer.exe.

Process Lifetimes Graph

Generic Events Graph

If you want to drill a bit deeper what I usually do is open the Process Summary table by right clicking in the process lifetimes. Then I activate the columns Process ID and Parent Process ID, sort the summary table by start time, and then drill into the log.  For example, I check when gpscript.exe started, how long explorer.exe took, and check dependencies between the processes by reviewing the process and the parent process id.

Process Summary table with columns Process ID and Parent Process ID activated

This should help you to quickly get information about your boot process without investing too much time on a holistic overview of the boot performance.  If you want to deep dive and really understand what happens beyond that and drill into the nanoseconds then it’s time to install XPerf on that computer and collect a boot trace.


Written by Milad Aslaner; Posted by Frank Battiston, MSPFE Editor