To select trace log providers and events
Using the Windows interface
Double-click Performance Logs and Alerts, and then click Trace Logs.
In the details pane, double-click the log.
For a list of the installed providers and their status (enabled or not), click Provider Status.
By default, the Nonsystem providers option is selected to keep trace-logging overhead to a minimum.
If you click Events logged by system provider, a default provider (the Windows kernel trace provider) is used to monitor processes, threads, and other activity. To define events for logging, click the check boxes as appropriate.
If you click Nonsystem providers, you can select the data providers you want, for example, providers that you have written yourself. Use the Add or Remove buttons as needed.
To open Performance, click Start, click Control Panel, click Performance and Maintenance, click Administrative Tools, and then double-click Performance.
Trace logging of file details and page faults can generate an extremely large amount of data. It is recommended that you limit trace logging using the file details and page fault options to a maximum of two hours.
You need special privileges to log data from the kernel or some providers. Use the Run as text box to specify an administrator account to do this.
Only one instance of each trace provider can be enabled at any given time.
Using a command line
Open Command Prompt.
Type the appropriate command below:
To view each installed provider and its status:
logman query providers
To specify that data collected by the system trace provider is logged:
logman update collection_name -P "Windows kernel trace" (process, thread, disk, net, page, file)
To specify that data collected by a provider other than the system trace provider is logged:
logman update collection_name -P provider
Queries the providers installed on the local system.
Updates the collection query named collection_name.
-P "Windows kernel trace" (process, thread, disk, net, page, file)
Specifies "Windows kernel trace" as the provider that collects data for the trace log. Process, thread, disk, net, pf, hf, registry, image, and file are optional events to include in the trace log.
Use process to include data on the creation and ending of processes.
Use thread to include data on the creation and ending of threads.
Use disk to include data on disk input/output operations.
Use net to include data on TCP/IP send or receive requests.
Use pf to enable soft page fault tracing.
Use hf to enable hard page fault tracing.
Use registry to include data on registry operations.
Use image to include data on the program name for the loaded process.
Use file to include file I/O data.
Specifies the nonsystem provider that collects data for the trace log.
For example, to specify that a provider named Nonsystem01 is used to collect data for a trace log named perf_log, type:
logman update perf_log -P Nonsystem01
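The command-line steps above combined into one batch file, as an added example that is not part of the original documentation. It assumes that a trace log named perf_log (the name used in the example above) already exists, that the provider list shows the kernel provider under the name given on this page, and that logman returns a nonzero exit code on failure.

```batch
@echo off
rem Added example, not part of the original documentation.
rem Assumption: the trace log perf_log already exists.
setlocal
set "LOG=perf_log"

rem Step 1: confirm the kernel provider is installed before changing the log.
rem /i makes the match case-insensitive; findstr sets ERRORLEVEL 1 on no match.
logman query providers | findstr /i /c:"Windows kernel trace" >nul
if errorlevel 1 goto :noprovider

rem Step 2: log process, thread, net and image events only.
rem file, pf and hf are left out because file details and page faults
rem can generate an extremely large amount of data.
rem Keep this line outside any parenthesized IF/FOR block: cmd would read
rem the ")" that closes the keyword list as the end of that block.
logman update %LOG% -P "Windows kernel trace" (process, thread, net, image)
if errorlevel 1 goto :failed

rem Step 3: display the log's settings to confirm the change.
logman query %LOG%
endlocal
exit /b 0

:noprovider
echo Kernel trace provider not listed by "logman query providers".
exit /b 1

:failed
echo logman update failed. Check that %LOG% exists and that you are
echo running under an administrator account.
exit /b 1
```

Run it from a command prompt started under an administrator account, because logging data from the kernel requires special privileges.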
To open command prompt, click Start, point to All Programs, point to Accessories, and then click Command Prompt.
To view the complete syntax for this command, at a command prompt, type: