Wtrace Versions

Command line tracing tool for Windows, based on ETW.

3.4

4 months ago

Changelog:

  • fixed missing events when the target process finishes very quickly
  • minor improvements and fixes

Hashes for the wtrace.exe binary:

MD5 = 1974CFB0F6829E9A66B0B2F8EEC22C41
SHA1 = E0442450120CAB90F392D0985C55A21B8B3FE732
SHA256 = E96252913EE897F4C5816682EEDDBC193CEF5E87A3AB2C40EE487CB490D11FF1
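The published digests are only useful if the downloaded binary is actually checked against them before it runs with the privileges an ETW tracer needs. The script below is an added example, not part of wtrace or its release notes: it hashes a file in chunks, compares all three digests with the 3.4 values listed above (case-insensitively), and exits non-zero on any mismatch. The file path is an assumption passed on the command line.

```python
# Added example (not wtrace's own code): verify a downloaded wtrace.exe against the
# MD5/SHA1/SHA256 values published in the release notes.
import hashlib
import sys

# Published hashes for the wtrace 3.4 binary, copied from the release notes above.
WTRACE_3_4_HASHES = {
    "md5": "1974CFB0F6829E9A66B0B2F8EEC22C41",
    "sha1": "E0442450120CAB90F392D0985C55A21B8B3FE732",
    "sha256": "E96252913EE897F4C5816682EEDDBC193CEF5E87A3AB2C40EE487CB490D11FF1",
}

ALGORITHMS = ("md5", "sha1", "sha256")


def digest_bytes(data, algorithms=ALGORITHMS):
    """Return {algorithm: upper-case hex digest} for an in-memory byte string."""
    return {name: hashlib.new(name, data).hexdigest().upper() for name in algorithms}


def digest_file(path, algorithms=ALGORITHMS):
    """Hash a file in 1 MiB chunks so large binaries never have to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest().upper() for name, h in hashers.items()}


def verify_hashes(actual, expected):
    """Compare computed digests with the published ones, ignoring hex case.

    Returns {algorithm: bool}. An algorithm that was published but not computed
    counts as a failure rather than being silently skipped.
    """
    return {
        name: (name in actual and actual[name].upper() == expected[name].upper())
        for name in expected
    }


def all_match(actual, expected):
    """True only when every published digest matches. SHA-256 is the one that
    carries the assurance; MD5 and SHA-1 are collision-prone and only confirm
    that the same artifact was published."""
    return all(verify_hashes(actual, expected).values())


if __name__ == "__main__":
    # Usage: python verify_wtrace.py C:\path\to\wtrace.exe   (path is an assumption)
    path = sys.argv[1] if len(sys.argv) > 1 else "wtrace.exe"
    results = verify_hashes(digest_file(path), WTRACE_3_4_HASHES)
    for name, ok in results.items():
        print(f"{name.upper():7} {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if all(results.values()) else 1)
```

Swap `WTRACE_3_4_HASHES` for the digests of whichever release you downloaded; the comparison is deliberately all-or-nothing so a partial match (for example only MD5 agreeing) is reported as a failure.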

3.3

1 year ago

Changelog:

  • the summary view now includes RPC procedure names (if wtrace was able to resolve them)
  • from now Process/Thread events are always enabled (they are required to make filters work)
  • minor improvements and fixes

You may find more details in the blog post describing the new release.

Hashes for the wtrace.exe binary:

MD5 = DF60B4BA8D6E9B07479E2FAD0520319B
SHA1 = 2C9C790B63DC9669AB2ED4AA936ACDAB94937B3D
SHA256 = 2CE3E6D447E32952388A5088C2A58DF836F87F605FD62F7DC605338F5F383271

3.2-fix_chocolatey

2 years ago

NEW features:

  • added support for load image events (#15)

Hashes for the wtrace.exe binary:

MD5 = 50D867653449A348D248C9BA83F95012
SHA1 = 06FB5EDD7F7EAFA4B35A7639E99AF51A68F74C7D
SHA256 = D4400B327EDDFC83B7182214CC894B3A2D41E836E5C65FE1EC9874456324CFE3

3.1

3 years ago

NEW features:

  • added support for UDP events (#14)

Hashes for the wtrace.exe binary:

MD5 = B1B05F925382FD98A7048BBFE2C1B429
SHA1 = C2BC4BB398D142A16B763DEF2E6BC76586DC45FB
SHA256 = CAD1A1A4448A8BEE58F99FFFEF824A014C300676B9BF1148FF5B54E2805391FE

3.0

3 years ago

The post describing the new release is at https://wtrace.net/2021/01/29/announcing-wtrace-3-0/.

NEW features:

  • system-wide tracing
  • extensive filtering options
  • a --handlers option to choose handlers for the trace session
  • a process tree in the statistics view

FIXES:

  • missing paths are much less common
  • wtrace can run in a Windows container (requires .NET Framework 4.7.2)

REMOVED features:

  • PowerShell events
  • ALPC events

Wtrace 3.0 runs on Windows 8.1+ and requires .NET Framework 4.7.2. If you need to trace an older system, please use wtrace 2.2.

2.2

6 years ago

Changes

  • PowerShell commands tracing added
  • Basic filtering for event names (-f switch)

Please have a look at the post on my blog to learn more.

2.1

6 years ago

Changes

  • You may trace only drivers, with no process specified (wtrace -s)
  • Trace all child processes started by the parent process (-c switch)

2.0

6 years ago

Changes

  • Summary events are again displayed at the end of the trace
  • Collecting statistics for driver execution during the trace session (-s option): DPC/ISR events, e.g.:
> wtrace -s notepad
...
--------------------------------
              ISR
--------------------------------
'C:\WINDOWS\System32\drivers\HDAudBus.sys', total: 4,047ms (338 event(s))
'C:\WINDOWS\system32\drivers\Wdf01000.sys', total: 1,831ms (372 event(s))
'C:\WINDOWS\System32\drivers\USBPORT.SYS', total: 0,599ms (66 event(s))

--------------------------------
              DPC
--------------------------------
'C:\WINDOWS\system32\drivers\Wdf01000.sys', total: 27,645ms (372 event(s))
'C:\WINDOWS\System32\drivers\dxgkrnl.sys', total: 11,721ms (665 event(s))
'C:\WINDOWS\system32\ntoskrnl.exe', total: 10,388ms (526 event(s))
'C:\WINDOWS\System32\drivers\USBPORT.SYS', total: 3,768ms (321 event(s))
'C:\WINDOWS\System32\drivers\HDAudBus.sys', total: 1,581ms (338 event(s))
'C:\WINDOWS\system32\drivers\ndis.sys', total: 1,162ms (99 event(s))
'C:\WINDOWS\System32\drivers\tcpip.sys', total: 0,637ms (30 event(s))
'C:\WINDOWS\system32\DRIVERS\igdkmd64.sys', total: 0,571ms (93 event(s))
'C:\WINDOWS\System32\drivers\storport.sys', total: 0,469ms (17 event(s))
'C:\WINDOWS\System32\drivers\vmswitch.sys', total: 0,311ms (35 event(s))
'C:\WINDOWS\System32\drivers\dxgmms2.sys', total: 0,174ms (27 event(s))
'C:\WINDOWS\System32\drivers\CLASSPNP.SYS', total: 0,046ms (1 event(s))
'C:\WINDOWS\System32\drivers\vmbusr.sys', total: 0,033ms (6 event(s))
'C:\WINDOWS\System32\drivers\bridge.sys', total: 0,019ms (4 event(s))
'C:\WINDOWS\system32\drivers\hvservice.sys', total: 0,009ms (3 event(s))
'C:\WINDOWS\System32\drivers\storahci.sys', total: 0,005ms (2 event(s))
'C:\WINDOWS\system32\Drivers\WdNisDrv.sys', total: 0,004ms (2 event(s))
...

1.3

7 years ago

Changes

  • PowerShell support
  • More consistent output to make filtering easier: the summary is printed as summary events

1.2

7 years ago

You may now trace RPC calls with wtrace!

Example trace:

4317.5999 (8424.15088) RpcClientCall/Stop  --- NamedPipes --> 6bffd098-a112-3610-9833-46c3f87e345a (\PIPE\wkssvc) 11
4317.7007 (8424.15088) RpcClientCall/Start --- LRPC --> 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL
4317.8605 (8424.15088) RpcServerCall/Start <-- LRPC --- 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL (96.5612)
4317.9506 (96.5612) RpcServerCall/Stop  <-- LRPC --- 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL (96.5612)
4317.9738 (8424.15088) RpcClientCall/Stop  --- LRPC --> 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL
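The RPC lines are the part of a wtrace session most worth post-processing: which interfaces a process talked to, over which transport, and how long each call took. The parser below is an added example, not wtrace's own code. The column meanings (timestamp, pid.tid, event, transport, interface UUID, endpoint, procedure number, remainder) are assumptions read off the sample above, and Start/Stop pairing is done on interface and procedure number only, because in the sample the server-side Start carries the caller's pid.tid while the matching Stop carries the server's. The five sample lines are embedded verbatim as constructed input.

```python
# Added example (not wtrace's own code): parse the RPC lines wtrace prints, pair
# Start/Stop events into call durations and summarise client calls per interface.
import re
from collections import Counter

# Assumed layout, derived from the sample output above:
# <ts> (<pid.tid>) <event> <---|<--> <transport> <-->|---> <uuid> (<endpoint>) <procnum> [rest]
RPC_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\((?P<pidtid>[\d.]+)\)\s+(?P<event>Rpc\w+/(?:Start|Stop))\s+"
    r"(?:---|<--)\s+(?P<proto>\w+)\s+(?:-->|---)\s+"
    r"(?P<uuid>[0-9a-fA-F-]{36})\s+\((?P<endpoint>[^)]*)\)\s+(?P<procnum>\d+)"
    r"(?:\s+(?P<rest>.*))?$"
)

# Constructed sample: the five lines from the 1.2 release note (backslashes doubled for Python).
SAMPLE_TRACE = (
    "4317.5999 (8424.15088) RpcClientCall/Stop  --- NamedPipes --> 6bffd098-a112-3610-9833-46c3f87e345a (\\PIPE\\wkssvc) 11\n"
    "4317.7007 (8424.15088) RpcClientCall/Start --- LRPC --> 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL\n"
    "4317.8605 (8424.15088) RpcServerCall/Start <-- LRPC --- 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL (96.5612)\n"
    "4317.9506 (96.5612) RpcServerCall/Stop  <-- LRPC --- 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL (96.5612)\n"
    "4317.9738 (8424.15088) RpcClientCall/Stop  --- LRPC --> 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL\n"
)


def parse_rpc_lines(text):
    """Parse RPC lines into dicts; non-empty lines that do not match are returned separately."""
    records, skipped = [], []
    for line in text.splitlines():
        m = RPC_LINE.match(line)
        if not m:
            if line.strip():
                skipped.append(line)
            continue
        rec = m.groupdict()
        rec["ts"] = float(rec["ts"])
        rec["procnum"] = int(rec["procnum"])
        records.append(rec)
    return records, skipped


def call_durations(records):
    """Pair each <kind>/Start with the next <kind>/Stop for the same interface and
    procedure number. Returns [(kind, endpoint, duration rounded to 4 places)].
    A Stop with no preceding Start (the first sample line) is simply not timed."""
    open_calls, durations = {}, []
    for rec in records:
        kind, phase = rec["event"].split("/")
        key = (kind, rec["uuid"], rec["procnum"])  # assumption: pid.tid is not part of the key
        if phase == "Start":
            open_calls[key] = rec["ts"]
        elif key in open_calls:
            durations.append((kind, rec["endpoint"], round(rec["ts"] - open_calls.pop(key), 4)))
    return durations


def calls_per_interface(records):
    """Count completed client calls per (interface UUID, endpoint, procedure number)."""
    return Counter(
        (r["uuid"], r["endpoint"], r["procnum"])
        for r in records
        if r["event"] == "RpcClientCall/Stop"
    )


if __name__ == "__main__":
    recs, bad = parse_rpc_lines(SAMPLE_TRACE)
    for kind, endpoint, dur in call_durations(recs):
        print(f"{kind:14} {endpoint:14} {dur:.4f}")
    for (uuid, endpoint, procnum), n in calls_per_interface(recs).most_common():
        print(f"{n:3}  {uuid}  {endpoint}  proc {procnum}")
```

On the sample this times the LSMApi call twice, once from the server side (0.0901) and once from the client side (0.2731), which makes the client-side figure the end-to-end latency including transport; the per-interface counter is the piece to feed into a baseline of which RPC interfaces a process normally touches.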

More information is available in the wiki.