Skip to content

Commit

Permalink
Add batch file to record process creation
Browse files Browse the repository at this point in the history 
For truly long-term monitoring of system activity it can be helpful to
just record process creation, with command lines. This allows tracing
for multiple hours without creating excessively large trace files.
  • Loading branch information
@randomascii
randomascii committed Dec 9, 2019
1 parent a4b358a commit 3d683e4
Showing 1 changed file with 67 additions and 0 deletions.
67 changes: 67 additions & 0 deletions bin/etw_processes_longterm.bat
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
@rem Copyright 2015 Google Inc. All Rights Reserved.
@rem
@rem Licensed under the Apache License, Version 2.0 (the "License");
@rem you may not use this file except in compliance with the License.
@rem You may obtain a copy of the License at
@rem
@rem http://www.apache.org/licenses/LICENSE-2.0
@rem
@rem Unless required by applicable law or agreed to in writing, software
@rem distributed under the License is distributed on an "AS IS" BASIS,
@rem WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@rem See the License for the specific language governing permissions and
@rem limitations under the License.

@setlocal

@set logger="Circular Kernel Context Logger"
@rem Can also use "NT Kernel Logger", but that conflicts with UIforETW
@rem Better to use a different kernel logger to let them run in parallel.

@rem Set the etwtracedir environment variable if it
@rem isn't set already.
@if not "%etwtracedir%" == "" goto TraceDirSet
@set etwtracedir=%homedrive%%homepath%\documents\etwtraces
:TraceDirSet

@rem Make sure %etwtracedir% exists
@if exist "%etwtracedir%" goto TraceDirExists
@mkdir "%etwtracedir%"
:TraceDirExists

@rem Generate a file name based on the current date and time and put it in
@rem etwtracedir. This is compatible with UIforETW which looks for traces there.
@rem Note: this probably fails in some locales. Sorry.
@for /F "tokens=2-4 delims=/- " %%A in ('date/T') do @set datevar=%%C-%%A-%%B
@for /F "tokens=1-3 delims=:-. " %%A in ('echo %time%') do @set timevar=%%A-%%B-%%C&set hour=%%A
@rem Make sure that morning hours such as 9:00 are handled as 09 rather than 9
@if %hour% LSS 10 set timevar=0%timevar%
@set tracefile=%etwtracedir%\%datevar%_%timevar%_process_creation.etl
@set textfile=%etwtracedir%\%datevar%_%timevar%_process_creation.txt

@set kernelfile=%temp%\kernel_trace.etl

@xperf.exe -start %logger% -on PROC_THREAD+LOADER -buffersize 1024 -minbuffers 60 -maxbuffers 60 -f "%kernelfile%"
@set starttime=%time%
@if not %errorlevel% equ 0 goto failure
@echo Low data-rate tracing started at %starttime%

@echo Run the test you want to profile here
@rem Can replace "pause" with "timeout 3600" so that tracing automatically stops
@rem after an hour. But this will require some process to wake up once a second
@rem to update the timeout status.
@pause
@xperf.exe -stop %logger%
@xperf.exe -merge "%kernelfile%" "%tracefile%" -compress
@del "%kernelfile%"
@echo Tracing ran from %starttime% to %time%
@echo Tracing ran from %starttime% to %time% > "%textfile%"

@echo Trace can be loaded using UIforETW or with:
@echo wpa "%tracefile%" -profile CPUUsageByProcess.wpaProfile
@exit /b

:failure
@echo Failure! Stopping tracing to clear state.
@xperf.exe -stop %logger%
@exit /b

0 comments on commit 3d683e4

Please sign in to comment.