How to create an event trace with logman.exe on W2K8

For various reasons, I'd like to get a trace of disk accesses on some Windows Server 2008 machines.

I can set up a user defined data collector set in the Reliability and Performance Monitor tool to create an event trace using the "Windows Kernel Trace" provider ("disk" suboption), and this works fine.

However, I really would like to automate this using the logman.exe command. The documentation on logman is, I'd say, sparse. (If there's some great documentation out there, I'd be very grateful for a pointer!) I've tried using both commands with the -ets option and without, and using both the logman create trace <name> <params>/logman start <name> and the -ets-only logman start <name> <params> -ets method.

Nothing I've tried seems to work:

C:\>mkdir \tracedata

C:\>logman create trace DiskTr1 -p "Windows Kernel Trace" disk -o "C:\tracedata\DiskTr1"
The command completed successfully.

C:\>logman start DiskTr1

Error:
The session name provided is invalid.

C:\>logman start DiskTr2 -p "Windows Kernel Trace" disk -o "C:\tracedata\DiskTr2" -ets

Error:
The session name provided is invalid.

C:\>logman create trace DiskTr3 -p "Windows Kernel Trace" disk -o "C:\tracedata\DiskTr3" -ets

Error:
The session name provided is invalid.

I've also tried variants using the GUID for the provider and a hex value for the disk suboption, and so far nothing seems to work.

Thanks!

Best Answer

The 'Windows Kernel Trace' provider is considered a special provider in ETW, and it will only log to a session called 'NT Kernel Logger'.

See http://www.daschmelzer.com/cmg2006/PDFs/096.pdf
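The point made in the answer, as an added example that is not part of the original answer: a batch script that runs the kernel disk trace under the one session name the provider accepts. The output folder, file names and 60-second duration are assumptions, and the script is assumed to run from an elevated prompt.

```batch
@echo off
rem Added example: capture kernel disk I/O events for a fixed interval.
rem Assumed values: output folder, file names, capture duration.
setlocal
set "SESSION=NT Kernel Logger"
set "OUTDIR=C:\tracedata"
set "ETL=%OUTDIR%\DiskTr.etl"
set "CSV=%OUTDIR%\DiskTr.csv"
set "DURATION=60"

if not exist "%OUTDIR%" mkdir "%OUTDIR%"

rem The kernel logger is a single shared session. If another tool is
rem already using it, leave it alone instead of stopping it.
logman query "%SESSION%" -ets >nul 2>&1
if not errorlevel 1 (
    echo Session "%SESSION%" is already running. Stop it or retry later.
    exit /b 1
)

rem "Windows Kernel Trace" only logs to the session named "NT Kernel Logger",
rem and that session is started directly with -ets (no "create trace" step).
logman start "%SESSION%" -p "Windows Kernel Trace" (disk) -o "%ETL%" -ets
if errorlevel 1 (
    echo Failed to start "%SESSION%". Check that the prompt is elevated.
    exit /b 1
)

rem Let the trace collect events for the chosen interval.
timeout /t %DURATION% /nobreak >nul

logman stop "%SESSION%" -ets
if errorlevel 1 exit /b 1

rem Convert the binary .etl file to CSV for review; -y overwrites old output.
tracerpt "%ETL%" -o "%CSV%" -of CSV -y
endlocal
```

Any session name other than "NT Kernel Logger" with this provider reproduces the "session name provided is invalid" error shown in the question.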