What is it?

ETWControler lets you troubleshoot performance problems in distributed systems by starting an ETW profiling session with user input tracing on one or two computers.

The main features are:

  • It is a veritable keyboard and mouse logger
    • To protect the innocent, most keyboard presses are encrypted by logging a SomeKey and not the actual key code.
    • You can uncheck the Encrypt keyboard keys checkbox, which is always on by default.
  • You can analyze local hangs and issues by logging the user input into an ETW session
    • To help you navigate the ETL file you can define two hotkeys (press the green key and then the keyboard or mouse hotkey).
    • When the system is slow you press the slow hotkey, and when it is fast again you press the fast hotkey, to mark specific regions in an ETL file.
  • The most advanced scenario is client and server issues. You can configure a remote computer under Configuration - Network and send the user input
    • When you check the Start sending checkbox, the local keyboard and mouse events are traced both locally and on the remote machine, which enables you to correlate the system reaction to user input on both machines.


Here is a screenshot of the new improved v1.1 UI:



A Little More Background

In a distributed world, performance troubleshooting has just got much harder. Now we have at least two computers and the Internet involved. Sane developers blame the network for all performance problems that involve a remote server, which can be true or not. It is nearly impossible to correlate user input on one computer (let's say a keyboard press) with the associated network traffic and the following actions on a remote server, since most of the time the network traffic is encrypted or too hard to follow because of the huge amount of data transferred.

This is where ETWControler comes into the game. The name ETWControler stems from Event Tracing for Windows. ETW is the most detailed and fastest profiling facility on Windows. If you do not know it, you have one more reason to learn how to make use of it. ETWControler, as the name suggests, controls profiling on two machines simultaneously. It can start and stop ETW tracing on the local and remote machine at the same time, making it an ideal buddy to capture data on one or more systems.


It allows you to simultaneously capture and correlate profiling information from the client, network and server. If the user presses a key or a mouse button, the event can be sent to the remote server over a dedicated port. ETWControler comes with a built-in keyboard and mouse logger which writes the captured keyboard and mouse events locally to ETW and sends them in plain text over a configurable port to the remote server, where another instance of ETWControler receives the user events and also logs them as ETW events.

Additionally, there is a "Slow" button which can be assigned to a mouse or keyboard hotkey and which logs a user-configurable message to the local computer, the network stream and the remote machine. With this hotkey you can create marker events where you experienced sluggish behavior or other interesting incidents. This makes it very easy to identify the exact point in time in the network stream where a slowdown happened: you can look directly at the plain text data with e.g. Wireshark and search for your user-defined message in a multi-GB network trace.

Sure, you can wade through GB network traces if you wish, but I want to get my hands out of the network trace analyzer as fast as possible. These marker events on a dedicated port make searching for and marking strategic events trivial. Every logged event gets a unique number, which allows you to search for specific mouse/keyboard events as well. The data flow is shown below:


Currently ETWControler does not start or stop Wireshark captures. You need to start network capturing on the network devices yourself. But with the help of the keyboard and the Slow/Fast marker events you can now correlate both ETW traces and the network trace without any trouble. That makes it much easier to find the point of interest in any captured ETW and/or network stream. You can e.g. watch your network load during an integration test and insert marker events at interesting spikes to check whether the network performance dropped due to network issues or whether the server or the client was busy doing something else (e.g. the virus scanner was active or your application performed a garbage collection).
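
The marker search described above, as an added example that is not part of ETWControler: it scans a classic pcap capture for TCP segments on the dedicated port whose plain text payload contains the user-defined marker and returns their timestamps. The port number, the marker text and the payload layout are assumptions, since the page does not specify the wire format; the sample capture is constructed.

```python
import struct

MARKER_PORT = 4297            # assumed value; the page only says the port is configurable
MARKER = b"SLOW: checkout"    # assumed user-defined marker message

def find_markers(pcap, port=MARKER_PORT, marker=MARKER):
    """Return (epoch_seconds, payload) for each TCP segment on `port` whose payload contains `marker`."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    hits, off = [], 24
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack(order + "IIII", pcap[off:off + 16])
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        # Skip anything that is not IPv4/TCP or is too short to hold both headers.
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        tcp = 14 + (frame[14] & 0x0F) * 4                 # start of the TCP header
        if len(frame) < tcp + 20:
            continue
        sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
        data = tcp + (frame[tcp + 12] >> 4) * 4           # start of the TCP payload
        end = 14 + struct.unpack("!H", frame[16:18])[0]   # IP total length trims Ethernet padding
        payload = frame[data:end]
        if port in (sport, dport) and marker in payload:
            hits.append((sec + usec / 1e6, payload))
    return hits

def _record(sec, usec, sport, dport, payload):
    """Build one pcap record holding a minimal Ethernet/IPv4/TCP frame (constructed test data)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

def sample_capture():
    """Constructed capture: a key event, unrelated traffic that repeats the text, and one marker."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join([
        _record(1448487238, 0, 50000, MARKER_PORT, b"17 KeyDown SomeKey"),
        _record(1448487239, 0, 50001, 8080, b"note: SLOW: checkout"),
        _record(1448487240, 500000, 50000, MARKER_PORT, b"18 SLOW: checkout"),
    ])

if __name__ == "__main__":
    print(*find_markers(sample_capture()), sep="\n")
```

The search matches within a single TCP segment and works on a capture held in memory; for a multi-GB trace the same record loop would read from the file one record at a time, and pcapng captures need converting to classic pcap first.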

Last edited Nov 25, 2015 at 9:34 PM by Alois, version 17