Using XPERF to capture ETL traces for Slow Logons

Applies to:

Windows Server 2016 (Note: also applies to Remote Desktop Servers (RDS))

Windows 10

Windows Server 2012 R2 (Note: also applies to Remote Desktop Servers (RDS))

Windows 8.1

Windows Server 2012 (Note: also applies to Remote Desktop Servers (RDS))

Windows 8.0

A common question that I get is:

How do you take a slow boot and slow logon etl trace on a non-persistent VDI?

The answer is that you can't: on a non-persistent VDI the registry settings and the trace files are wiped at the end of the session, so you need to make the VDI persistent first.

Ok, how about if you just want a slow logon etl trace?

The answer is better here: you can, but WPRUI and WPR ship no pre-defined "Resource Analysis" or "Scenario Analysis" profile that covers the components (more specifically, the ETW providers) involved in the logon process.

One work-around is to create a custom WPR profile (.wprp) file.

In this post we use Xperf.exe instead, because it lets the trace run in circular (first-in, first-out, FIFO) mode until we stop it.

1. Log on as an administrator of the computer you want to trace (either a local admin account or a domain account that is a member of the local Administrators group will work).

2. Open an elevated command prompt and run this command from the WPT install directory (default: C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit):

xperf -on base+latency+dispatcher+NetworkTrace+Registry+FileIO -stackWalk CSwitch+ReadyThread+ThreadCreate+Profile+ProcessCreate -f C:\temp\kernel.etl -BufferSize 1024 -MinBuffers 256 -MaxBuffers 256 -MaxFile 4096 -FileMode Circular -start UserTrace -on "Microsoft-Windows-Shell-Core+Microsoft-Windows-Wininit+Microsoft-Windows-Folder Redirection+Microsoft-Windows-User Profiles Service+Microsoft-Windows-GroupPolicy+Microsoft-Windows-Winlogon+Microsoft-Windows-Security-Kerberos+Microsoft-Windows-User Profiles General+e5ba83f6-07d0-46b1-8bc7-7e669a1d31dc+63b530f8-29c9-4880-a5b4-b8179096e7b8+2f07e2ee-15db-40f1-90ef-9d7ba282188a" -f C:\temp\user.etl -BufferSize 1024 -MinBuffers 128 -MaxBuffers 128 -MaxFile 1024 -FileMode Circular

Note: the three GUIDs at the end of the user-provider list are the following providers:

Microsoft-Windows-Security-Netlogon (e5ba83f6-07d0-46b1-8bc7-7e669a1d31dc)

Microsoft-Windows-NlaSvc (63b530f8-29c9-4880-a5b4-b8179096e7b8)

Microsoft-Windows-TCPIP (2f07e2ee-15db-40f1-90ef-9d7ba282188a)

Note: stop the trace shortly after the slow logon of interest has completed to avoid losing data; in circular mode the oldest events are overwritten once the file size limit (-MaxFile) is reached.

3. Press CTRL+ALT+DEL and choose "Switch User".

4. Log on with the user account experiencing the slow logon (or slow logoff) to reproduce the issue.

5. Stop the trace.

While logged on as the slow user, open an elevated CMD prompt and run:

xperf -stop UserTrace -d c:\temp\merged.etl

Close the slow-logon user session and the administrator session used in steps 1 and 2 as required.
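The start and stop commands above, wrapped in two PowerShell functions with the pre-flight checks a practitioner usually wants (elevation, xperf.exe present, output folder exists, non-zero exit codes surfaced). This is an added example and not code from the original post; the function names are mine, and it assumes the default WPT install path from step 2 and C:\temp as the output folder.

```powershell
# Added example (not from the original post): wraps the step 2 and step 5 xperf
# commands in functions. Assumes the default WPT path and C:\temp as output folder.

$WptDir = 'C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit'
$OutDir = 'C:\temp'

# User-mode providers from step 2. The three GUIDs are the ones the post names
# (Netlogon, NlaSvc, TCPIP); the others are referenced by symbolic name.
$UserProviders = @(
    'Microsoft-Windows-Shell-Core',
    'Microsoft-Windows-Wininit',
    'Microsoft-Windows-Folder Redirection',
    'Microsoft-Windows-User Profiles Service',
    'Microsoft-Windows-GroupPolicy',
    'Microsoft-Windows-Winlogon',
    'Microsoft-Windows-Security-Kerberos',
    'Microsoft-Windows-User Profiles General',
    'e5ba83f6-07d0-46b1-8bc7-7e669a1d31dc',   # Microsoft-Windows-Security-Netlogon
    '63b530f8-29c9-4880-a5b4-b8179096e7b8',   # Microsoft-Windows-NlaSvc
    '2f07e2ee-15db-40f1-90ef-9d7ba282188a'    # Microsoft-Windows-TCPIP
)

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-XperfPath {
    $xperf = Join-Path $WptDir 'xperf.exe'
    if (-not (Test-Path $xperf)) {
        throw "xperf.exe not found in '$WptDir'; install the Windows Performance Toolkit or adjust `$WptDir."
    }
    $xperf
}

function Start-LogonTrace {
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell prompt (step 2).' }
    $xperf = Get-XperfPath
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # Same kernel flags, stack walks, buffer settings and circular file mode as step 2.
    # Passing an argument array lets PowerShell quote the provider names that contain spaces.
    $xperfArgs = @(
        '-on', 'base+latency+dispatcher+NetworkTrace+Registry+FileIO',
        '-stackWalk', 'CSwitch+ReadyThread+ThreadCreate+Profile+ProcessCreate',
        '-f', (Join-Path $OutDir 'kernel.etl'),
        '-BufferSize', '1024', '-MinBuffers', '256', '-MaxBuffers', '256',
        '-MaxFile', '4096', '-FileMode', 'Circular',
        '-start', 'UserTrace',
        '-on', ($UserProviders -join '+'),
        '-f', (Join-Path $OutDir 'user.etl'),
        '-BufferSize', '1024', '-MinBuffers', '128', '-MaxBuffers', '128',
        '-MaxFile', '1024', '-FileMode', 'Circular'
    )
    & $xperf @xperfArgs
    if ($LASTEXITCODE -ne 0) { throw "xperf start failed with exit code $LASTEXITCODE" }
    Write-Host 'Tracing started. Switch User, reproduce the slow logon (steps 3-4), then run Stop-LogonTrace promptly: circular mode overwrites the oldest events once -MaxFile is reached.'
}

function Stop-LogonTrace {
    if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell prompt (step 5).' }
    $xperf  = Get-XperfPath
    $merged = Join-Path $OutDir 'merged.etl'

    # Same command as step 5: stops the UserTrace session and the kernel logger and merges them.
    & $xperf -stop UserTrace -d $merged
    if ($LASTEXITCODE -ne 0) { throw "xperf stop failed with exit code $LASTEXITCODE" }

    $f = Get-Item $merged
    Write-Host ('Merged trace: {0} ({1:N0} MB)' -f $f.FullName, ($f.Length / 1MB))
    # The ETL holds registry, file I/O and logon-related events for every session on the box,
    # so hand it only to whoever does the analysis and remove local copies when finished.
    return $f
}
```

Dot-source the file in the admin session and call Start-LogonTrace, then dot-source it again in the slow user's elevated session (or switch back to the admin session) and call Stop-LogonTrace; both sessions run on the same machine, so the trace session started in one can be stopped from the other as long as the prompt is elevated.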



Comments (1)

  1. Mark Hastings says:

    First, I want to thank you for being one of the few (?) Microsoft bloggers that cover the WPT, XPerf, and other debugging tools like Debug Diag 2.

    As a Win32 + .NET desktop app developer, I rarely see useful tips and tricks to help me figure out customer performance issues that we cannot reproduce in-house. Fortunately, they don’t pop up too often, but when they do I am left scrambling to catch up on the latest tools from Microsoft so I can learn what my options are.

    Just a couple of questions / comments:

    1. I have found that the macOS Activity Monitor has a very handy feature for quick-and-dirty performance analysis via “spindumps”, which samples the selected app for 10 seconds and provides a simple call stack analysis highlighting the “hot spots” based on how many samples hit a particular entry point. This is less powerful than WPT and perhaps the other tools, but is way more accessible for our customers to run and send back to us when they hit an issue. It would be great if the Windows Task Manager added something like this instead of just the “Create Dump File” option, which often isn’t helpful for performance issues.

    2. I just stumbled upon your post about Debug Diagnostic Tool 2 Update 2, but that appears to be around 2 years old now. Is that tool abandoned? My impression (not having used it) is that it is more approachable than WPT, but I don’t want to learn it if it hasn’t kept up.

    3. Not having used WPT or XPerf extensively, I’m wondering if the Microsoft Virtual Academy videos from 2014 (or the Build conference talk from 2013) are still the best intros?

    4. Another concern is that what was once a straightforward MFC application has been migrated with additional WPF UI, and the introduction of the .NET runtime into a Win32 app might somehow impede or complicate the use of these tools. Generally my performance issues are not with the WPF layer, but rather the lower-level C++ code that makes up the bulk of the codebase, so I’d be fine if the .NET goo could just be ignored. Is this a valid mindset?
