Collecting Disk Access Traces on Windows with Tracelog

Here is some information on how I have been collecting disk access traces on Windows using Tracelog. Tracelog uses ETW (Event Tracing for Windows), which I believe is only supported by NT5-based kernels (Win2k, XP, some server versions). Please let me know if you find this information useful.

I use TRACELOG.EXE to collect traces and TRACEDMP.EXE to process the resulting log files. They can be found here:

There is a reasonable writeup by a UCSC student here:

My basic procedure looks like this:

1. > TRACELOG.EXE -start -noprocess -nothread -nonet
   (the -noprocess, -nothread and -nonet switches turn off the process, thread and network providers, so the log is mostly disk I/O)
2. Run some load on the disk
3. > TRACELOG.EXE -stop
4. > TRACEDMP.EXE C:\LogFile.Etl
5. The event summary is written to Summary.txt and the trace itself to DumpFile.csv

To interpret the CSV file, see the MOFDATA.GUID file in C:\Program Files\Resource Kit (the directory where TRACELOG and TRACEDMP reside). It lists the event types and the field layout of each provider's payload. I have reproduced the relevant portion of that file below:

3d6fa8d4-fe05-11d0-9dda-00c04fd7ba7c DiskIo
#type Read      10
#type Write     11
Disk Number, ItemULong
Irp Flags, ItemULongX
Transfer Size, ItemULong
QueueDepth, ItemULong
Byte Offset, ItemLongLong
File Object, ItemPtr
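To show how the MOFDATA.GUID layout above drives the interpretation of DumpFile.csv, here is an added Python example (my own code, not part of the Resource Kit or of the procedure above). It assumes a CSV whose header is "Event Name, Type, TID, Clock-Time, User Data" with the DiskIo payload following in the MOF field order; the header columns and the sample rows are constructed, and real TRACEDMP output may carry extra leading columns, so adjust the payload offset if yours differs.

```python
"""Summarise DiskIo events from a TRACEDMP-style DumpFile.csv.

Payload field order follows the MOFDATA.GUID excerpt for DiskIo:
Disk Number, Irp Flags, Transfer Size, QueueDepth, Byte Offset, File Object.
The header layout and the sample rows below are constructed assumptions.
"""
import csv
import io
from collections import defaultdict

DISKIO_GUID = "3d6fa8d4-fe05-11d0-9dda-00c04fd7ba7c"
TYPE_NAMES = {"10": "Read", "11": "Write"}   # the #type lines from MOFDATA.GUID
PAYLOAD = ("disk", "irp_flags", "size", "queue_depth", "offset", "file_object")
PAYLOAD_COL = 4                               # assumed: first User Data column

SAMPLE_CSV = """\
Event Name, Type, TID, Clock-Time, User Data
DiskIo, Read, 0x0000062c, 127894561230000000, 0, 0x00060043, 4096, 1, 1048576, 0x81234560
DiskIo, Write, 0x0000062c, 127894561230001000, 0, 0x00060a00, 65536, 2, 2097152, 0x81234560
DiskIo, 10, 0x00000770, 127894561230002000, 1, 0x00060043, 8192, 1, 512, 0x81234570
Process, Start, 0x0000062c, 127894561230003000, 1234, 5678
"""

def parse_diskio(text):
    """Yield one dict per DiskIo Read/Write row with the MOF payload decoded."""
    rows = csv.reader(io.StringIO(text), skipinitialspace=True)
    next(rows)                                # skip the header line
    for row in rows:
        if not row or row[0] != "DiskIo":
            continue                          # other providers use other payloads
        kind = TYPE_NAMES.get(row[1], row[1])  # type may be numeric or symbolic
        if kind not in ("Read", "Write"):
            continue
        vals = row[PAYLOAD_COL:PAYLOAD_COL + len(PAYLOAD)]
        rec = {name: int(v, 0) for name, v in zip(PAYLOAD, vals)}  # base 0: 0x.. ok
        rec["type"] = kind
        yield rec

def summarise(text):
    """Operation count, bytes moved and peak queue depth per (disk, type)."""
    totals = defaultdict(lambda: {"ops": 0, "bytes": 0, "max_queue": 0})
    for r in parse_diskio(text):
        s = totals[(r["disk"], r["type"])]
        s["ops"] += 1
        s["bytes"] += r["size"]
        s["max_queue"] = max(s["max_queue"], r["queue_depth"])
    return dict(totals)

if __name__ == "__main__":
    for key, stats in sorted(summarise(SAMPLE_CSV).items()):
        print(key, stats)
```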

If you wish to control this functionality programmatically (starting and stopping sessions from your own code rather than from TRACELOG.EXE), see the MSDN articles on Windows ETW:
