Collect a Windows Performance Recorder Trace

Article ID: 286753

Products

  • Carbon Black App Control (formerly Cb Protection)
  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)
  • Carbon Black EDR (formerly Cb Response)
  • Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

Steps to capture a Windows Performance Recorder (WPR) trace for troubleshooting and diagnosis of an issue. The trace records CPU, disk, file, registry, network and minifilter activity so that Support can see what the sensor and the rest of the system were doing while the problem occurred.

Environment

  • All Products
  • Microsoft Windows: All Supported Versions

Resolution

Command Line:

The command line version of WPR (wpr.exe) is included by default on Windows 10 and above; on older versions it is installed with the Windows Performance Toolkit.

  1. Launch an administrative command prompt and issue the following commands (each profile is enabled with its own -start switch, all on one wpr command line):
    cd "C:\Windows\System32"
    wpr -start CPU -start diskio -start fileio -start registry -start network -start minifilter
  2. Reproduce the issue.
  3. Stop the recording and write the trace file (the target folder must already exist):
    wpr -stop "C:\Temp\WPRCapture.etl"
  4. Zip the resulting .etl file and provide it to Support.
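The command line steps above, wrapped in one PowerShell script so the start, the reproduction pause, the stop and the zip happen in order and a failed start is not silently ignored. This is an added example and not part of the original article or the Carbon Black product; it assumes wpr.exe is at its default Windows 10 location, and the output folder, file name and profile list are simply the values the article uses, exposed as parameters so they can be changed.

```powershell
# Added example: drives the article's wpr.exe steps from PowerShell.
# Assumptions: wpr.exe is in %SystemRoot%\System32 (Windows 10 and above);
# the output folder and trace name default to the article's C:\Temp\WPRCapture.etl.
#Requires -RunAsAdministrator
param(
    [string]$OutDir    = 'C:\Temp',
    [string]$TraceName = 'WPRCapture',
    [string[]]$Profiles = @('CPU', 'DiskIO', 'FileIO', 'Registry', 'Network', 'Minifilter')
)

$wpr = Join-Path $env:SystemRoot 'System32\wpr.exe'
if (-not (Test-Path $wpr)) {
    throw "wpr.exe not found at $wpr; install the Windows Performance Toolkit first."
}

# wpr -stop fails if the folder does not exist, so create it up front.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$etl = Join-Path $OutDir "$TraceName.etl"
$zip = Join-Path $OutDir "$TraceName.zip"

# Build one '-start <profile>' pair per profile, the same single command the article shows.
$startArgs = foreach ($p in $Profiles) { '-start'; $p }
& $wpr @startArgs
if ($LASTEXITCODE -ne 0) {
    throw "wpr -start failed (exit code $LASTEXITCODE). If a recording is already running, stop it with 'wpr -cancel' and retry."
}

# Show the active profiles so you can confirm all six are recording before reproducing.
& $wpr -status

Read-Host 'Reproduce the issue now, then press Enter to stop the recording'

& $wpr -stop $etl
if ($LASTEXITCODE -ne 0) {
    throw "wpr -stop failed (exit code $LASTEXITCODE); the recording may still be running, check with 'wpr -status'."
}

# ETL traces are large; compress before sending to Support and report both sizes.
Compress-Archive -Path $etl -DestinationPath $zip -Force
Get-Item -Path $etl, $zip |
    Select-Object Name, @{ Name = 'SizeMB'; Expression = { [math]::Round($_.Length / 1MB, 1) } }
```

Run it from an elevated PowerShell prompt as `.\Collect-WprTrace.ps1` (any file name works). If the script is interrupted between start and stop, the recording keeps running in the kernel and consuming memory; `wpr -cancel` discards it.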

Graphical User Interface:

  1. Install Windows Performance Recorder (part of the Windows Performance Toolkit in the Windows Assessment and Deployment Kit) if it is not already present.
  2. Launch Windows Performance Recorder and click More options. Configure it as follows:
    • First Level Triage: Enabled.
    • Resource Analysis: Enable the following...
      • CPU Usage
      • Disk I/O activity
      • File I/O activity
      • Networking I/O activity
    • Scenario Analysis: Enable the following...
      • Minifilter I/O activity
    • Performance scenario: General
    • Detail Level: Verbose
    • Logging Mode: File
  3. Click Start.
  4. Reproduce the issue, then click the Save button.
  5. Choose a location for the WPR capture.
  6. Zip the resulting .etl file and provide it to Support.

Additional Information

  • EDR Sensor version 7.2.0 and higher require Tamper Protection to be temporarily disabled during the capture so that WPR can read cb.exe and resolve its stack traces; re-enable it once the recording is saved.
  • By default the WPR capture is saved in
    C:\Users\<User>\Documents\WPR Files\
  • WPR may ask to modify the registry so that kernel memory is not paged to disk by the Paging Executive (the DisablePagingExecutive value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management). This lets WPR collect more complete stack information. If it does change the registry, a reboot is required before the setting takes effect, so the first recording after the prompt may still show incomplete stacks.
  • If the computer OS is Windows 7, reverse this registry modification manually after the recording from an administrative command prompt:
    wpr -disablepagingexecutive off
  • On Windows 8 and above the modification does not need to be reversed manually.
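A check for the Paging Executive note above: it reads the DisablePagingExecutive value, reports the OS version, and on Windows 7 only reverses the setting with the command the article gives. This is an added example, not part of the original article; it assumes wpr.exe is on the PATH (true for the in-box copy on Windows 10 and for a Windows Performance Toolkit install on Windows 7), and the function name is this example's own.

```powershell
# Added example: verify and, on Windows 7, revert WPR's DisablePagingExecutive change.
# Assumption: wpr.exe is reachable via PATH on the machine being checked.
#Requires -RunAsAdministrator
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$name = 'DisablePagingExecutive'

function Get-PagingExecutiveSetting {
    # 1 means kernel and driver code is kept resident (WPR's setting); 0 or $null means paging is allowed.
    (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
}

$before = Get-PagingExecutiveSetting
$os     = [Environment]::OSVersion.Version   # 6.1 on Windows 7 / Server 2008 R2
Write-Host "$name = $before (Windows $($os.Major).$($os.Minor), build $($os.Build))"

if ($before -eq 1 -and $os.Major -eq 6 -and $os.Minor -eq 1) {
    # Windows 7: WPR does not undo this itself, so reverse it as the article instructs.
    wpr -disablepagingexecutive off
    if ($LASTEXITCODE -ne 0) { throw "wpr -disablepagingexecutive off failed (exit code $LASTEXITCODE)" }
    $after = Get-PagingExecutiveSetting
    Write-Host "$name is now $after; reboot for the change to take effect."
}
elseif ($before -eq 1) {
    Write-Host 'Windows 8 or later: WPR manages this setting itself, no manual reversal needed.'
}
else {
    Write-Host 'Paging Executive is not disabled; nothing to revert.'
}
```

The OS version test is deliberately limited to 6.1: PowerShell may report 6.2 for Windows 8.1 and 10 without an application manifest, but that only affects versions where no manual reversal is required anyway.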