• Windows Performance Toolkit of Windows 8.1 (works also on Windows 7) Please download from the Windows 8.1 SDK.
    • Hint: You need only the Windows Performance Toolkit which is only a 40 MB download and not the full SDK!
    • On Windows 7 you need after the WPT installation to execute
      1. wpr -disablepagingexecutive
      2. And a reboot to enable full stack walking.


Local Recording

When you start it you can first configure the settings to connect to a remote instance. If you want to use it only locally  you do not need to configure anything extra.

The easiest use case is to enable mouse and keyboard capturing:



Then you want to start profiling:



Here you can configure the command line options to the executed WPR command. Now you can press the Start Button at the bottom and execute your use case while pressing some keys ….

After you are done you can stop the recording. When done you can open the collected trace data on your local machine with the Open Trace button which will open WPA with the saved etl file.

There you need to add Generic Events from the available graphs and filter for HookEvents which will show your keyboard and mouse input:


The first field is the number of the keyboard event to enable identification of a specific keyboard/mouse press in the traces locally or on the server. The next field is the actually recorded keyboard/mouse event.


Remote Recording

First you need to install and start ETWControler on both machines.

To record remote traces as you need to disable the firewall of the remote server to be able to pass data on port 8080 and 4295. You can reconfigure the ports and the name of the remove server in the Configuration -  Network menu.


To send data over the wire check the "Start Sending" check box.



To start connected tracing you need to check the Enable checkbox on Local and Server in the Trace Collection tab. When you press Start/Stop/Cancel the ETW recording session on both machines will be started/stopped or cancelled at the same time. Now it is time to execute your use case with a network sniffer attached to make sense of the collected data. If you detect some glitches in your app you can press either the Log Slow Event button to insert a custom message you can search later for or you can press the Slow button to define a hot key which writes the Slow message every time to the ETW and network stream when you press the hotkey.

After the trap is set you can search for interesting events in the network stream. Below is an example of a network issue I found this way. There was a packet lost in the tcp stream. We see the "[TCP Previous segment not capture]" ACK message followed by another ACK which is the basic error handling in TCP to force the server to retransmit the missing packet/s. This takes time nearly 300ms as you can see which resulted in noticeable hiccups in an application.


Now you only need to learn how to read network traces. It is now much easier to create a setup where the client/network and server is fully under observation and you only need one repro to have enough data to pinpoint the issue. Happy bug hunting. If you have other creative ideas how to use or expand this tool I would love to hear about it!

Last edited Jan 25, 2014 at 8:38 PM by Alois, version 1