Steps to capture a Windows Performance Recorder (WPR) trace for troubleshooting & diagnosis of an issue.

• All Products
• Microsoft Windows: All Supported Versions

Command Line:

The command line version of WPR is included by default on Windows 10 and above.

1. Launch an administrative command prompt and issue the following commands:

   cd "C:\Windows\System32" wpr -start CPU -start diskio -start fileio -start registry -start network -start minifilter

2. Reproduce the issue.
3. Stop & capture the trace file:

   wpr -stop "C:\Temp\WPRCapture.etl"

4. Zip the resulting file and provide to Support.

Graphical User Interface:

1. Install the Windows Performance Recorder toolkit.
2. Launch Windows Performance Recorder and click More options. Configure as follows:
   • First Level Triage: Enabled.
   • Resource Analysis: Enable the following...
     • CPU Usage
     • Disk I/O activity
     • File I/O activity
     • Networking I/O activity
   • Scenario Analysis: Enable the following...
     • Minifilter I/O activity
   • Performance scenario: General
   • Detail Level: Verbose
   • Logging Mode: File
3. Click Start.
4. Reproduce the issue, then click on the Save button
5. Choose a location for the WPR capture.
6. Zip the resulting file and provide to Support.

• EDR Sensor version 7.2.0 and higher will need Tamper Protection temporarily disabled to allow access to cb.exe for stack trace information.
• By default the WPR capture is saved in

  C:\Users\<User>\Documents\WPR Files\

• WPR may ask to modify the registry in order to prevent kernel memory from being paged to disk by Paging Executive. This will allow the application to collect more-complete stack information. If it does change the registry, a reboot will be required for the setting to take effect.
• If the computer OS is Windows 7, use an administrative command prompt to reverse these registry modifications manually after the recording:

  wpr -disablepagingexecutive off

• Windows 8 and above does not need to have these modifications reversed manually.