How to Collect a WPR (Windows Performance Recorder) Trace


Microsoft Windows: All Supported Versions


Capture a WPR (Windows Performance Recorder) trace to assist the Technical Support team with troubleshooting and diagnosing an issue.


  1. Install Windows Performance Recorder (“WPTx64-x86_en-us.exe” or “WPTx86-x86_en-us.exe”)
  2. Open the Windows Performance Recorder Application
  3. Under the 'More Options' Dropdown - in the “Select additional profiles for performance recording:” pane, check the following options:

First level triage
– First level triage

Resource Analysis
– CPU Usage
– Disk I/O activity
– File I/O activity
– Networking I/O activity

Scenario Analysis
– Minifilter I/O activity

Other settings can stay as default.

  4. Reproduce the behavior in question (e.g. CPU Utilization spike), then click on the “Save” button
  5. Type a description (or case number) of the problem, and click “Save”
  6. By default, the resulting files will be saved in a location similar to “C:\Users\User1\Documents\WPR Files\.” There will be an .etl file and a directory full of other …pdb directories.
  7. Compress the files into a .zip file.
  8. Upload the .zip to https://community.carbonblack.com/groups/cb-vault
  9. Once the upload completes, please comment on your case that the data is available for review.

Additional Notes

  • WPR may ask to modify the registry in order to prevent kernel memory from being paged to disk by Paging Executive.  This will allow the application to collect more-complete stack information.  If it does change the registry, a reboot will be required for the setting to take effect.
  • If the computer OS is Windows 7, the registry modification made by the Windows Performance Recorder can be reversed by running this command in an Administrator-Level Command Prompt window:
    • wpr -disablepagingexecutive off
  • For systems that are running Windows 8 and above, performance recording can operate without setting disablepagingexecutive to On, so this command is not needed on those systems after the recording.
  • For systems that are running Windows 10, the command-line version should be pre-installed in c:\windows\system32, and the following commands can be run in place of the GUI option:
    • wpr -start CPU -start diskio -start fileio -start registry -start network -start minifilter
    • (Reproduce the Issue)
    • wpr -stop c:\temp\LogNameHere.etl (The log can be named as per your requirements and written to any location of your choosing that has write access)
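
The Windows 10 command-line steps above, combined with the compress step, as one script. This is an added example, not code from the original article or from the vendor; the `$CaseNumber` and `$OutDir` parameters, the timestamped file name and the SHA-256 step are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example: runs the wpr commands from this article as one script.
param(
    [string]$CaseNumber = 'CASE-PLACEHOLDER',  # assumed label used in file names
    [string]$OutDir     = 'C:\temp'            # any folder you can write to
)
$ErrorActionPreference = 'Stop'

$wpr = Join-Path $env:SystemRoot 'System32\wpr.exe'
if (-not (Test-Path -LiteralPath $wpr)) { throw "wpr.exe not found at $wpr" }

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$base = '{0}-{1:yyyyMMdd-HHmmss}' -f $CaseNumber, (Get-Date)
$etl  = Join-Path $OutDir "$base.etl"
$zip  = Join-Path $OutDir "$base.zip"

# Same profiles as the article's command line: -start CPU -start diskio ...
$profiles  = 'CPU', 'diskio', 'fileio', 'registry', 'network', 'minifilter'
$startArgs = foreach ($p in $profiles) { '-start'; $p }

& $wpr @startArgs
if ($LASTEXITCODE -ne 0) { throw "wpr -start failed (exit code $LASTEXITCODE)" }

try {
    Read-Host 'Recording. Reproduce the issue, then press Enter to stop' | Out-Null
    & $wpr -stop $etl
    if ($LASTEXITCODE -ne 0) { throw "wpr -stop failed (exit code $LASTEXITCODE)" }
}
catch {
    & $wpr -cancel   # do not leave a recording running if the stop failed
    throw
}

# Zip the .etl plus anything wpr wrote beside it under the same base name.
$items = Get-ChildItem -LiteralPath $OutDir -Filter "$base*"
Compress-Archive -LiteralPath $items.FullName -DestinationPath $zip

# SHA-256 of the archive, so the uploaded copy can be checked against it.
Get-FileHash -LiteralPath $zip -Algorithm SHA256 | Format-List Path, Hash
```

Compress-Archive in Windows PowerShell 5.1 has a 2 GB file size limit, so a very large trace needs a different archiver.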
