2

I did read "Capture callstack and events in Xperf" and other sources, but the most straightforward thing I'd like to do is simply display the "Stack" column in WPA's "Generic events" graph.

WPA, Generic events graph

Why is it not there? Sure, because stack information is not available, but why? I do know "xperf -help stackwalk" but what's listed is not what I'm looking for. For example,

xperf -on networktrace -stackwalk networktrace

is not possible to get the callstack for network events. Why? I must be missing something. Thanks!

magicandre1981

1 Answer

3

Activating stacks for user mode events has this syntax: PROVIDER:KEYWORD:LEVEL:'stack'

You have to activate stacks this way:

"C:\Program Files (x86)\Windows Kits\8.1\Windows Performance Toolkit\xperf.exe" -start UserLogger -on Microsoft-Windows-Kernel-Network:::'stack'+Microsoft-Windows-Networking-Correlation:::'stack'+Microsoft-Windows-TCPIP:::'stack' -buffersize 2048 -f User.etl

magicandre1981
  • Thanks, but this doesn't add a Stack column to the Generic Events graph. I only get an additional, separate "Stacks" graph. It's ok, but not where I'd expect it, i.e. in the Generic Events window. My question was related to Generic Events in general, not only to user mode providers. Maybe other kernel flags do not have corresponding user mode provider (do they?), so it's not clear for me yet. In addition, if I do it this way, symbols are missing again. Do we have to add a minimum set of providers to get symbol support? –  Feb 02 '16 at 20:48
  • generic events = user mode events. Click on "Open View Editor" and activate the stack column here. symbols are missing, because NETWORKTRACE is not enough. Use NETWORK which captures PROC_THREAD+LOADER, both MUST be used all the time! – magicandre1981 Feb 03 '16 at 04:58
  • Sorry, but this is not right, because "networktrace" is a kernel flag, and the events are shown in the "generic events" graph. Anyway, I'll just have to accept (but not understand) that there's no Stack column in that graph. Regarding symbols, I found out meanwhile, too, thanks. –  Feb 03 '16 at 12:12
  • there are stacks if you activate them. I use this often. But for network, there is no stack option. Here you have to activate the usermode providers that I told you. – magicandre1981 Feb 03 '16 at 16:49
  • btw, use **xperf -help stackwalk** to see which stacks you can enable for kernel mode events – magicandre1981 Feb 05 '16 at 04:52
  • I know that option. The point of my question was that there is no relation between the providers output with **xperf -help stackwalk** and the kernel flags output at the end of **xperf -providers** Anyway, we have to take what's there, so it's ok. Thanks again. –  Feb 08 '16 at 14:36
  • here is an unofficial list to show which stackwalk option belongs to which kernel flag: https://github.com/google/UIforETW/blob/master/UIforETW/StackWalkFlags.txt – magicandre1981 Feb 08 '16 at 16:22
  • Contributions to UIforETW's StackWalkFlags.txt file would be greatly appreciated. And, @CryGuy, you need to understand that using the :::'stack' syntax tells ETW to *record* stacks. That is necessary, but not sufficient. You then need to tell WPA to *display* them. Just enable the stacks column and rearrange as needed. Understanding when and how to enable and rearrange columns is the Zen of ETW trace analysis. This may be helpful: https://randomascii.wordpress.com/2012/06/19/wpaxperf-trace-analysis-reimagined/ – Bruce Dawson Jul 13 '16 at 03:05
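
The capture described across the answer and its comments, as one session. This is an added example, not part of the original posts; it assumes an elevated command prompt with xperf.exe on PATH, and Kernel.etl and Merged.etl are file names chosen for the example.

```bat
@echo off
rem Added example: Kernel.etl and Merged.etl are names chosen here, not from the thread.

rem Kernel logger: PROC_THREAD+LOADER record the process and image-load data
rem WPA needs to resolve symbols; NETWORKTRACE adds the kernel network events.
xperf -start "NT Kernel Logger" -on PROC_THREAD+LOADER+NETWORKTRACE -f Kernel.etl

rem User-mode logger: the trailing :::'stack' records a call stack with each event.
xperf -start UserLogger -on Microsoft-Windows-Kernel-Network:::'stack'+Microsoft-Windows-Networking-Correlation:::'stack'+Microsoft-Windows-TCPIP:::'stack' -buffersize 2048 -f User.etl

echo Reproduce the network activity, then press a key to stop tracing.
pause >nul

rem Stop both loggers, then merge the two logs into a single trace for WPA.
xperf -stop UserLogger
xperf -stop "NT Kernel Logger"
xperf -merge Kernel.etl User.etl Merged.etl
```

Open Merged.etl in WPA and enable the Stack column through "Open View Editor" on the Generic Events table; recording the stacks does not display them by itself.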