How to Collect a WPR (Windows Performance Recorder) Trace

Environment

  • All Products
  • Microsoft Windows: All Supported Versions

Objective

Capture a WPR (Windows Performance Recorder) trace to assist the Support Team with troubleshooting and diagnosing an issue.


Resolution

  1. Install the Windows Performance Recorder toolkit (WPR is part of the Windows Performance Toolkit, shipped in the Windows ADK).
    Note: EDR Sensor version 7.2.0 and higher will need Tamper Protection temporarily disabled to allow access to cb.exe for stack trace information. Re-enable Tamper Protection once the capture is complete.
  2. Launch Windows Performance Recorder as an administrator (kernel tracing requires elevation) and click More options. Configure as follows:
    • First Level Triage: Enabled.
    • Resource Analysis: Enable the following...
      • CPU Usage
      • Disk I/O activity
      • File I/O activity
      • Networking I/O activity
    • Scenario Analysis: Enable the following...
      • Minifilter I/O activity
    • Performance scenario: General
    • Detail Level: Verbose
    • Logging Mode: File
  3. Click Start.
  4. Reproduce the issue, then click Save.
  5. Choose a location for the WPR capture and enter the Support Case Number in the description box.
  6. Click Save.
  7. Compress the resulting files and upload the archive to the Vault.
  8. Update the Support Case to note that the results have been uploaded to the Vault.

Additional Notes

  • By default the WPR capture is saved in
    C:\Users\<User>\Documents\WPR Files\
  • WPR may ask to modify the registry (the DisablePagingExecutive value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management) so that kernel-mode code and data are not paged to disk. This lets WPR collect more complete stack information. If WPR does change the registry, a reboot is required for the setting to take effect.
  • If the computer OS is Windows 7, use an administrative command prompt to reverse this registry modification manually after the recording:
    wpr -disablepagingexecutive off
  • Windows 8 and above do not need this modification reversed manually.
  • Windows 10 and above include the command-line version (wpr.exe), so the following commands can be used from an administrative command prompt instead of the GUI:
    cd "C:\Windows\System32"
    wpr -start CPU -start diskio -start fileio -start registry -start network -start minifilter
    (Reproduce the issue)
    wpr -stop "C:\Temp\WPRCapture.etl"
    The -stop switch accepts an optional problem description as a second argument; use it for the Support Case Number, just as the GUI description box is used. If a capture must be abandoned, wpr -cancel discards it without writing a file, and wpr -status reports whether a recording is currently in progress.
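The following PowerShell script is an added example, not part of the original article or the vendor's tooling. It wraps the command-line procedure above end to end for Windows 10 and later: it starts the same six profiles, waits while the issue is reproduced, stops the trace with the case number as the description, cancels the trace if the stop never completes so a verbose kernel trace is not left running, and compresses the output for upload. Only documented wpr.exe switches are used (-start, -stop, -cancel). The case number, output folder and file names are placeholders, and the companion .etl.NGENPDB folder is included only if WPR created one.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): scripted version of the
# manual wpr.exe commands for a Support Team capture. Placeholders below are
# assumptions; replace $CaseNumber with the real Support Case Number.
param(
    [string]$CaseNumber = "0000000",      # placeholder support case number
    [string]$OutDir     = "C:\Temp\WPR"   # assumed output folder
)

# Same profiles as the manual command: wpr -start CPU -start diskio ...
$profiles = 'CPU', 'DiskIO', 'FileIO', 'Registry', 'Network', 'Minifilter'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$etl   = Join-Path $OutDir "WPRCapture-$CaseNumber-$stamp.etl"
$zip   = [IO.Path]::ChangeExtension($etl, '.zip')

# Expand to "-start CPU -start DiskIO ..." and splat it onto wpr.exe.
$startArgs = $profiles | ForEach-Object { '-start', $_ }
& wpr.exe @startArgs
if ($LASTEXITCODE -ne 0) { throw "wpr -start failed with exit code $LASTEXITCODE" }

$recording = $true
try {
    Write-Host "Recording. Reproduce the issue now, then press Enter to stop."
    [void](Read-Host)

    # Second positional argument of -stop is the problem description that
    # the GUI's description box would otherwise carry.
    & wpr.exe -stop $etl "Support case $CaseNumber"
    if ($LASTEXITCODE -ne 0) { throw "wpr -stop failed with exit code $LASTEXITCODE" }
    $recording = $false
}
finally {
    # If -stop never succeeded (error or interrupted), discard the trace so
    # verbose kernel logging does not keep running on the host.
    if ($recording) { & wpr.exe -cancel | Out-Null }
}

# Collect the .etl and, if present, the matching .etl.NGENPDB symbol folder.
$baseName = [IO.Path]::GetFileNameWithoutExtension($etl)
$items = Get-ChildItem -Path $OutDir -Filter "$baseName*"
Compress-Archive -Path $items.FullName -DestinationPath $zip -Force

Write-Host "Upload $zip to the Vault and update support case $CaseNumber."
```

Run it from an elevated PowerShell prompt, for example `.\Capture-Wpr.ps1 -CaseNumber 1234567` (file and case number are illustrative). The explicit `$LASTEXITCODE` checks are deliberate: wpr.exe reports failures through its exit code, and a silent failure at `-start` would otherwise leave the operator waiting on a trace that was never recording. On sensors covered by the Tamper Protection note above, disable it before running the script and re-enable it afterwards.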

Article Information
Creation Date: 10-31-2016