Event Tracing for Windows (ETW) is the most important diagnostic tool Windows developers have at their disposal. In this talk, we will explore the rich and wonderful world of ETW events, which span numerous components including the kernel scheduler, the CLR garbage collector, the Windows UI subsystem (including XAML-specific events), request-processing frameworks such as ASP.NET and WCF, and many others. You’ll learn how to diagnose incredibly complex issues in production systems such as excessive garbage collection pauses, slow startup due to JIT and disk accesses, and even sluggishness during the Windows boot process. We will also explore some ways to automate ETW collection and analysis to build self-diagnosing applications that identify high CPU issues, resource leaks, and concurrency problems and produce alerts and reports. In the course of the talk we will use innovative performance tools that haven’t been applied to ETW before — flame graphs for visualising call stacks and a command-line interface for dynamic, scriptable ETW tracing. ETW is truly a window into everything happening on your system, and it doesn’t require expensive licenses, invasive tools, or modifying your code in any way. It is a critical, first-stop skill on your way to mastering application performance and diagnostics.

1. Velocity NYC 2017 #VelocityConf | @dinagozil
ETW - Monitor Anything,
Anytime, Anywhere
Dina Goldshtein,
1

2. Velocity NYC 2017 #VelocityConf | @dinagozil
Agenda
• Traditional performance tooling
• Introduction to ETW
• Usage scenarios
• ETW tools
2

3. Velocity NYC 2017 #VelocityConf | @dinagozil
Introduction
3

4. Velocity NYC 2017 #VelocityConf | @dinagozil
Challenges with Traditional Profilers
Invasive
•Recompilation
•Performance overhead
http://imgur.com/gallery/qV4hPqk
4

5. Velocity NYC 2017 #VelocityConf | @dinagozil
Challenges with Traditional Profilers
Live monitoring
•Restart the stock server?
•Restart the aerial radar?
https://commons.wikimedia.org/wiki/File:Ekg_bigeminus_bionerd.jpg
5

6. Velocity NYC 2017 #VelocityConf | @dinagozil
Challenges with Traditional Profilers
Licensing
•Redistribution
•Per-machine license
https://pics.onsizzle.com/california-driver-license-di-mreinsteinthecat-class-c-exp-06-29-2020-end-2949841.png
6

7. Velocity NYC 2017 #VelocityConf | @dinagozil
Event Tracing for Windows
• High-speed logging framework supporting more than 100K structured
messages per second
7

8. Velocity NYC 2017 #VelocityConf | @dinagozil
Event Tracing for Windows
• High-speed logging framework supporting more than 100K structured
messages per second
• Does not require recompilation
• Can be turned on on-demand while running
8

9. Velocity NYC 2017 #VelocityConf | @dinagozil
Event Tracing for Windows
• High-speed logging framework supporting more than 100K structured
messages per second
• Does not require recompilation
• Can be turned on on-demand while running
• Very small overhead
9

10. Velocity NYC 2017 #VelocityConf | @dinagozil
Event Tracing for Windows
• High-speed logging framework supporting more than 100K structured
messages per second
• Does not require recompilation
• Can be turned on on-demand while running
• Very small overhead
• User-mode and kernel-mode
• .NET, drivers, services, third party components
10

11. Velocity NYC 2017 #VelocityConf | @dinagozil
Architecture Overview
• Generate ETW eventsProviders
• Start and stop ETW collectionControllers
• Log, analyze, or process eventsConsumers
11

12. Velocity NYC 2017 #VelocityConf | @dinagozil
Controller
Producer Consumer
Event Session
Buffer Pool
Log files
Events
Events
Events in Real-Time
Logged Events
12

13. Velocity NYC 2017 #VelocityConf | @dinagozil
It’s Everywhere
13

14. Velocity NYC 2017 #VelocityConf | @dinagozil
Let the Monitoring Begin
14

15. Velocity NYC 2017 #VelocityConf | @dinagozil
PerfView – Your ETW Aid
• Completely free from Microsoft’s GitHub
• Allows fine-grained configuration of ETW collection
• Light-weight (but not very visually appealing…)
• Built-in analysis and statistical views
15

16. Velocity NYC 2017 #VelocityConf | @dinagozil
DEMO
Profile Visual Studio startup
16

17. Velocity NYC 2017 #VelocityConf | @dinagozil
Collect Data
17

18. Velocity NYC 2017 #VelocityConf | @dinagozil
CPU Hot Paths
18

19. Velocity NYC 2017 #VelocityConf | @dinagozil
Let’s Drill Down
19

20. Velocity NYC 2017 #VelocityConf | @dinagozil
JIT
20

21. Velocity NYC 2017 #VelocityConf | @dinagozil
DEMO
GC gone mad
21

22. Velocity NYC 2017 #VelocityConf | @dinagozil
No Leak but GC-ing Like Crazy
22

23. Velocity NYC 2017 #VelocityConf | @dinagozil
PerfView Is Your Friend
23

24. Velocity NYC 2017 #VelocityConf | @dinagozil
Evidence Start Piling Up
24

25. Velocity NYC 2017 #VelocityConf | @dinagozil
What is Allocated?
25

26. Velocity NYC 2017 #VelocityConf | @dinagozil
Where Is It Allocated?
26

27. Velocity NYC 2017 #VelocityConf | @dinagozil
(CPU) (Self-)Profiling
• Use a programmatic API to detect high-CPU and record a trace log
• Microsoft TraceEvent Library on NuGet
• Can be used from external process or from inside the process
• Can use with any limited resource, not only CPU
27

28. Velocity NYC 2017 #VelocityConf | @dinagozil
Collecting Data
28

29. Velocity NYC 2017 #VelocityConf | @dinagozil
Collecting Data
using (var s = new TraceEventSession(name, file)) {
using (var ks = new TraceEventSession("NT Kernel Logger", kFile)) {
}
}
A separate session for the
kernel data is required
29

30. Velocity NYC 2017 #VelocityConf | @dinagozil
Collecting Data
using (var s = new TraceEventSession(name, file)) {
using (var ks = new TraceEventSession("NT Kernel Logger", kFile)) {
ks.EnableKernelProvider(kernelKeywords,
KernelTraceEventParser.Keywords.Profile);
s.EnableProvider(ClrTraceEventParser.ProviderGuid,
TraceEventLevel.Verbose,
(ulong)(ClrTraceEventParser.Keywords.Default));
}
}
Specify the data we’re
interested in
30

31. Velocity NYC 2017 #VelocityConf | @dinagozil
Collecting Data
using (var s = new TraceEventSession(name, file)) {
using (var ks = new TraceEventSession("NT Kernel Logger", kFile)) {
ks.EnableKernelProvider(kernelKeywords,
KernelTraceEventParser.Keywords.Profile);
s.EnableProvider(ClrTraceEventParser.ProviderGuid,
TraceEventLevel.Verbose,
(ulong)(ClrTraceEventParser.Keywords.Default));
m_collectionToken.WaitHandle.WaitOne();
}
}
Session is closed on Dispose,
so wait for something to stop
tracing…
31

32. Velocity NYC 2017 #VelocityConf | @dinagozil
Collecting Data
using (var s = new TraceEventSession(name, file)) {
using (var ks = new TraceEventSession("NT Kernel Logger", kFile)) {
ks.EnableKernelProvider(kernelKeywords,
KernelTraceEventParser.Keywords.Profile);
s.EnableProvider(ClrTraceEventParser.ProviderGuid,
TraceEventLevel.Verbose,
(ulong)(ClrTraceEventParser.Keywords.Default));
m_collectionToken.WaitHandle.WaitOne();
generateJitRundownEvents(file, name);
}
}
Generate JIT info to be able
to analyze .NET stacks
32

33. Velocity NYC 2017 #VelocityConf | @dinagozil
Managed Stacks
private void generateJitRundownEvents(string file, string name) {
using (var session = new TraceEventSession(name + "Rundown", file)) {
session.EnableProvider(ClrRundownTraceEventParser.ProviderGuid,
TraceEventLevel.Verbose,
(ulong)(ClrRundownTraceEventParser.Keywords.Default));
}
}
The ClrRundown provider
holds all needed information
33

34. Velocity NYC 2017 #VelocityConf | @dinagozil
Managed Stacks
private void generateJitRundownEvents(string file, string name) {
using (var session = new TraceEventSession(name + "Rundown", file)) {
session.EnableProvider(ClrRundownTraceEventParser.ProviderGuid,
TraceEventLevel.Verbose,
(ulong)(ClrRundownTraceEventParser.Keywords.Default));
// Poll until 2 second goes by without growth.
for (var prevLength = new FileInfo(file).Length; ;) {
Thread.Sleep(TimeSpan.FromSeconds(2));
var newLength = new FileInfo(file).Length;
if (newLength == prevLength) break;
prevLength = newLength;
}
}
}
This means the file stopped
writing
34

35. Velocity NYC 2017 #VelocityConf | @dinagozil
DEMO
Self-profile high CPU
35

36. Velocity NYC 2017 #VelocityConf | @dinagozil
Self-Profiling Application
36

37. Velocity NYC 2017 #VelocityConf | @dinagozil
CPU Hot Paths
37

38. Velocity NYC 2017 #VelocityConf | @dinagozil
EventParsers
https://github.com/Microsoft/dotnetsamples/blob/master/Microsoft.Diagnostics.Tracing/TraceEvent/docs/TraceEvent.md
38

39. Velocity NYC 2017 #VelocityConf | @dinagozil
Real-Time Analysis with TraceEvent
https://github.com/Microsoft/dotnetsamples/blob/master/Microsoft.Diagnostics.Tracing/TraceEvent/docs/TraceEvent.md
39

40. Velocity NYC 2017 #VelocityConf | @dinagozil
Real-Time Analysis with TraceEvent
// create a real time user mode session
using (var session = new TraceEventSession("ObserveProcs")) {
// Set up Ctrl-C to stop the session
Console.CancelKeyPress += (s, args) => session.Stop();
}
https://github.com/Microsoft/dotnetsamples/blob/master/Microsoft.Diagnostics.Tracing/TraceEvent/docs/TraceEvent.md
Create our own session
Stop collecting on ^C
40

41. Velocity NYC 2017 #VelocityConf | @dinagozil
Real-Time Analysis with TraceEvent
// create a real time user mode session
using (var session = new TraceEventSession("ObserveProcs")) {
// Set up Ctrl-C to stop the session
Console.CancelKeyPress += (s, args) => session.Stop();
// Turn on the process events (includes starts and stops).
session.EnableKernelProvider(KernelTraceEventParser.Keywords.Process);
}
https://github.com/Microsoft/dotnetsamples/blob/master/Microsoft.Diagnostics.Tracing/TraceEvent/docs/TraceEvent.md
We’re interested in data
about processes
41

42. Velocity NYC 2017 #VelocityConf | @dinagozil
Real-Time Analysis with TraceEvent
// create a real time user mode session
using (var session = new TraceEventSession("ObserveProcs")) {
// Set up Ctrl-C to stop the session
Console.CancelKeyPress += (s, args) => session.Stop();
// Subscribe to a callback that prints the information we wish
session.Source.Kernel.ProcessStart += data => {
Console.WriteLine("Process {0} Command Line {1}",
data.ProcessName, data.CommandLine);
};
// Turn on the process events (includes starts and stops).
session.EnableKernelProvider(KernelTraceEventParser.Keywords.Process);
}
https://github.com/Microsoft/dotnetsamples/blob/master/Microsoft.Diagnostics.Tracing/TraceEvent/docs/TraceEvent.md
Register on the event and
analyze
42

43. Velocity NYC 2017 #VelocityConf | @dinagozil
Real-Time Analysis with TraceEvent
// create a real time user mode session
using (var session = new TraceEventSession("ObserveProcs")) {
// Set up Ctrl-C to stop the session
Console.CancelKeyPress += (s, args) => session.Stop();
// Subscribe to a callback that prints the information we wish
session.Source.Kernel.ProcessStart += data => {
Console.WriteLine("Process {0} Command Line {1}",
data.ProcessName, data.CommandLine);
};
// Turn on the process events (includes starts and stops).
session.EnableKernelProvider(KernelTraceEventParser.Keywords.Process);
session.Source.Process(); // Listen (forever) for events
}
https://github.com/Microsoft/dotnetsamples/blob/master/Microsoft.Diagnostics.Tracing/TraceEvent/docs/TraceEvent.md
Start and process forever,
until stopped
43

44. Velocity NYC 2017 #VelocityConf | @dinagozil
Monitoring a Production System
• TraceEvent allows us to write monitoring systems which can be used
ad-hoc without recompilation or rebooting
44

45. Velocity NYC 2017 #VelocityConf | @dinagozil
Monitoring a Production System
• TraceEvent allows us to write monitoring systems which can be used
ad-hoc without recompilation or rebooting
• Someone has already done the job for us
• etrace – a free command-line tool for ETW live tracing
• By my dear husband Sasha
45

46. Velocity NYC 2017 #VelocityConf | @dinagozil
DEMO
Boot performance with WPR and WPA
46

47. Velocity NYC 2017 #VelocityConf | @dinagozil
Windows Performance Recorder
47

48. Velocity NYC 2017 #VelocityConf | @dinagozil
Windows Performance Recorder
48

49. Velocity NYC 2017 #VelocityConf | @dinagozil
Windows Performance Recorder
49

50. Velocity NYC 2017 #VelocityConf | @dinagozil
Something Is Taking a Long Time
50

51. Velocity NYC 2017 #VelocityConf | @dinagozil
What’s Running During Boot?
51

52. Velocity NYC 2017 #VelocityConf | @dinagozil
Drill Down with Good Old PerfView
52

53. Velocity NYC 2017 #VelocityConf | @dinagozil
Drill Down with Good Old PerfView
53

54. Velocity NYC 2017 #VelocityConf | @dinagozil
Summary
Omnipresent Performant
Free
54

55. Velocity NYC 2017 #VelocityConf | @dinagozil
Thank You!
Dina Goldshtein,
@dinagozil
dinazil@gmail.com
55