Releases: Siemens-Healthineers/ETWAnalyzer
2.5.13
2.5.12
-Dump Process
- Process tree output support added with -SortBy Tree.
  Parent filtering is also supported with -Parent. To e.g. find all child processes of cmd.exe use:
  ETWAnalyzer -dump Process -SortBy Tree -Parent cmd
- Added -SortBy StopTime to sort processes by stop time.
- Added session Id to extracted process data. SessionId is shown when -Details is added.
-Dump CPU
- Fix regression issue where column headers were not printed.
-LoadSymbol
- Fix for #67: we no longer abort processing when encountering just one invalid pdb format.
-Dump Tcp
- Added -MinMaxConnectionDurationS filter.
Changes From 2.5.11
- default.stacktags
  - Added Edge/WebView2 tags
  - Added more Chrome tags
  - Moved network related tags into a new Network node which contains tags for TLS/Socket/TCPIP drivers
- Trim CPU Name and Vendor. AMD seems to fill up the name with spaces.
- By default ETWAnalyzer should not calculate CPU totals because it makes no sense for method inclusive times.
-Dump Memory
- Added WorkingsetPrivateMemMiB in -Details mode
- Added -MinMaxWorkingsetPrivateMiB filter
-Dump Tcp
- Fix: Too many retransmission events were shown because for all sent packets with the same sequence number all retransmission events were printed. The fix also needs changes in the extraction logic, so old TCP data should be extracted again to get correct metrics. This is also the reason why sometimes more retransmission events than sent packets were shown, leading to retransmission counts > 100%.
2.5.10.0
Changes
- -Dump Version supports the -ProcessName filter and -TopN xxx to limit the amount of printed output.
- Added -smi (ShowModule information) to -dump File. In -PerProcess mode this prints the process version information.
- Summary added for -Dump TCP. -ShowTotal None to suppress summaries is supported by -Dump CPU/TCP/File/Memory.
- Dependencies updated: Microsoft.Windows.EventTracing.Processing.All 1.11.109 -> 1.12.9.
Fixes
- -csv mode of -Dump File was broken.
- Too many retransmission events were shown because for all sent packets with the same sequence number all retransmission events were printed. The fix also needs changes in the extraction logic, so old TCP data should be extracted again to get correct metrics. This is also the reason why sometimes we had more retransmission events than sent packets, leading to retransmission counts > 100%.
- Missing connection close times (#49) when TCP connection establishment did not succeed. The kernel then fires a TcpConnectTcbFailedRcvdRst event instead.
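The retransmission double counting described in this fix (and in the -Dump Tcp fix under Changes From 2.5.11 above) is illustrated by the following added example. It is not ETWAnalyzer's code: the packet and event records are constructed sample data, and the way the old and the corrected counting are modelled here (a join of sent packets with retransmit events on sequence number, versus attributing each event once to the latest preceding send of that sequence number) is an assumption made for illustration, not the project's actual extraction logic.

```python
# Added illustration of the retransmission double-counting described in the
# release notes. NOT ETWAnalyzer's code: the records below are constructed,
# and both counting models are assumptions used to show the effect.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SentPacket:
    time_s: float
    seq: int      # TCP sequence number of the segment
    size: int     # payload bytes


@dataclass(frozen=True)
class RetransmitEvent:
    time_s: float
    seq: int


# Constructed data for one connection: segment 1000 was sent three times
# (original + 2 retransmissions), so the kernel logged two retransmit events
# for it; segment 2460 went through once. Four sent packets in total.
SENT = [
    SentPacket(0.10, 1000, 1460),
    SentPacket(0.30, 1000, 1460),   # 1st retransmission of seq 1000
    SentPacket(0.70, 1000, 1460),   # 2nd retransmission of seq 1000
    SentPacket(0.80, 2460, 1460),
]
RETRANSMITS = [
    RetransmitEvent(0.30, 1000),
    RetransmitEvent(0.70, 1000),
]


def naive_retransmit_rows(sent, events):
    """Model of the old behaviour: every sent packet is joined with every
    retransmit event sharing its sequence number, so a segment sent N times
    with M events yields N*M rows instead of M."""
    by_seq = defaultdict(list)
    for ev in events:
        by_seq[ev.seq].append(ev)
    rows = []
    for pkt in sent:
        for ev in by_seq.get(pkt.seq, []):
            rows.append((pkt, ev))
    return rows


def fixed_retransmit_rows(sent, events):
    """Count each retransmit event exactly once by attributing it to the
    most recent send of that sequence number at or before the event time."""
    rows = []
    for ev in events:
        candidates = [p for p in sent if p.seq == ev.seq and p.time_s <= ev.time_s]
        if not candidates:
            continue  # no matching send: skip rather than invent a pairing
        rows.append((max(candidates, key=lambda p: p.time_s), ev))
    return rows


def retransmit_percent(rows, sent):
    """Retransmission rate as retransmit rows per sent packet, in percent.
    With the naive join this can exceed 100%, which is the symptom the
    release notes describe."""
    return 100.0 * len(rows) / len(sent)


if __name__ == "__main__":
    naive = naive_retransmit_rows(SENT, RETRANSMITS)
    fixed = fixed_retransmit_rows(SENT, RETRANSMITS)
    print(f"naive: {len(naive)} rows = {retransmit_percent(naive, SENT):.0f}%")
    print(f"fixed: {len(fixed)} rows = {retransmit_percent(fixed, SENT):.0f}%")
```

With the constructed data the naive join produces 6 rows for 4 sent packets (150%), while attributing each event once yields the 2 rows that actually occurred (50%). The same reasoning explains why data extracted before the fix has to be extracted again: the inflated pairings are produced at extraction time, not only when dumping.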
2.5.9.0
New Features
-Dump CPU
- Enable sorting in CPU total mode with -sortBy First/Last to sort by process start/end time.
  E.g. ETWAnalyzer -dump cpu -sortBy First -NewProcess 1
-Dump TCP
- Added -zerotime support
  - You can shift printed times (connect/disconnect/retransmit), e.g. relative to a process start event. This is useful to compare several ETL files.
- Added -ProcessFmt support
  - Enable printing process start/end times in -dump TCP output.
  - Added process start/end and duration to CSV output.
-Dump Memory
- Added -ProcessFmt support to also print process start/end/duration timings besides executable name.
Breaking
-Dump File
- Removed from -dump file -MinMax. The other options -MinMax[Read/Write/Total][Size/Time] and -MinMaxTotalCount are the now much better alternatives.
- Units of KB are like in -dump Disk SI units with 1000 bytes and not 1024 bytes. This was done to stay consistent with -Dump Disk.
Enhancements
-Dump File
- When -SortBy criteria is used a dynamic column is added which shows the values by which the sort is done.
- The same is true for totals which are also properly aggregated.
- When -FileOperation filter is used like Read then all other columns which are not dealing with read data are nulled out. That way you can filter by read count with
-FileOperation Read -MinMaxTotalCount 100 -SortBy Count
Fixes
- Add Nuget package Microsoft.Windows.EventTracing.Processing.Toolkit 1.11.0 to work around error 0x80070032 when loading ETLs with .NET 7.0 Rejit events.
- -Dump Disk total flush time unit was us and not s.
- -Dump Memory -smi would NullRef when no module data is present.
- -Dump Tcp Fixed output alignment when IP addresses were shorter than headline.
- Improved help for enum parsing when no enum value was present. Now all allowed values are printed in help.
2.5.8.0
New Features
- -Extract TCP: Detect client and server side retransmissions and extract per connection sent/received/retransmitted metrics.
- -Dump TCP
- Added -OnlyClientRetransmit to show only client retransmission events sent by remote host which are all received packets with > 1 byte payload and a duplicate sequence number
- Added -MinMaxRetransCount filter to filter connections by number of retransmission events.
- Include CSV output to support pivot sum columns when individual retransmission events are aggregated.
Enhancements
- -Dump DNS: Added -TopNDetails dd to limit the amount of output per DNS query when -details is present.
- Breaking: -Dump Disk removed -MinMax. This is simplified and replaced with
  - -MinMaxReadTime xx-yy
  - -MinMaxReadSize xx-yy
  - -MinMaxWriteTime xx-yy
  - -MinMaxWriteSize xx-yy
  - -MinMaxTotalTime xx-yy
  - -MinMaxTotalSize xx-yy
  The reported number units were labeled MB but were actually MiB. Now the correct units are used.
  It filters as expected and allows unit modifiers like -MinMaxReadSize 100MB-500GB, and the filters can be combined, giving even more flexibility.
- Breaking: -Dump Memory removed -Minworkingsetmb. Replaced with -MinMaxWorkingSetMiB which also allows size modifiers.
- -Dump Disk: Print totals per file by default.
- -Dump Process -Crash: Added NtStatus Application Hang and Internal .NET Runtime exception, so application crashes due to these exceptions are printed as well when we encounter these process exit return codes.
- Added to -Dump Memory
  - -MinMaxCommitMiB
  - -MinMaxSharedCommitMiB
- Added unit support: -Dump CPU -MinMaxCPU/Wait/ReadyMS now also allow unit modifiers like -MinMaxCPUms 15ms-2.5s.
- Print executable version in -dump cpu: Extended the -smi feature to -dump cpu in per method mode. Now the executable version is also printed besides the command line.
default.stacktags
- Added ReadDirectoryChanges/NtfsReportDirNotify stacktags which slow down file IO operations by a factor 2 when someone is watching for directory changes which causes NTFS to allocate large amounts of memory for the notification buffers.
Fixes
- Return the number of failed files during extraction as return code > 0. 0 means success; -1 or other codes mean failure. Currently only the ExtractCommand sets this return code, but other commands can now set different command return codes via the ICommandExecutor.ReturnCode property.
- ColorConsole would not correctly skip the linefeed when long lines are printed.
- GetDateTimeString now creates a spacer string when the input is null and width adjustment is enabled, so that empty rows are aligned as well.
- All dump commands which support -SortBy will print now only the allowed enum values if an invalid value is entered for all commands: Process,Exception,Disk,File,CPU,TCP,DNS and Memory
2.5.6.0
- default.stacktags: Fix spelling errors which produced warnings in output.
- Fix: Multithreaded extraction is done in a self-managed queue because it was observed that for long-running extractions we used just one worker thread, which looks like the data was not distributed evenly.
2.5.5.0
- Make -Extract CPU/Stacktag extraction multithreaded with the -Concurrency dd option.
  This improves extraction of a single file by up to 40% but gets in the way if multiple files are extracted concurrently.
  The default value of -Concurrency is 1, except if just one file is extracted. Then we use the defaults from -pthreads/-nthreads, which is 75% of all cores.
- -Extract now also supports additional file filtering flags and a dryrun mode which shows which files would be extracted.
- -Dump Exception now also supports -smi to show module information of processes which produce .NET Exceptions.
- -Dump Exception also supports a flat list sorted by time: -Dump Exception -SortBy Time instead of the default process/type/message/stack grouping.
- -ShowModuleInfo of CPU/Memory/Exception also supports a module filter to print only those modules/processes which match a part of the Version, ProductName, Description or Directory of the ModuleDefinition properties.
  Made process and module lookup cached to become much faster when the -smi switch is present.
- default.stacktags:
  - Made node naming consistent
    - Injected dll xxx are injected dlls into processes
    - Driver xxxx.sys are kernel drivers used by this AV solution
  - Added injected Defender dlls
  - Updated TrendMicro AV stacktags to show overhead per driver and injected dlls
  - Added Sophos AV stacktags
- Fix: -Extract Module would fail if the pdb name contained spaces.
- Fix: Make -dump cpu -methods .dll;.sys, -methods *.dll and -methods *.sys work again although we now store xx.dll+dddd addresses.
- Fix: Do not terminate due to missing Disk RundownData.
2.5.4.0
-LoadSymbol
ETWAnalyzer now stores during extraction for all methods which cannot be resolved the image RVA. This enables scenarios to extract data on network isolated machines. Only the small extracted Json files need to be transferred. On a different machine
ETWAnalyzer -LoadSymbol -fd xxx.json -symServer MS
will resolve the missing symbols the usual way and will update the Json file accordingly. You can do this several times to work around symbol server outages or other transient errors (e.g. path too long) during the initial extraction.
This uses TraceEvent library which shows higher CPU costs compared to what WPA resolves. WPA seems to be able to properly decode inlined methods which will not show up. In practice the differences are not big. The extracted stacktags will NOT be updated and are not reliable, except for all stacktags which do not need method names which is true for all Virus stacktags. The costs of AV can be judged also with no symbol resolution.
2.5.3.0
Features
- -Dump Process -Crash
  - Sort processes by End Time to group WerFault and the crashed process directly adjacent to each other.
- -Dump Dns
  - Made process display non-default. If you want to view the processes for each query you can add -ShowProcess to view them as before.
- -Dump Memory
  - ModuleInfo of the executable is printed when -smi is added. CSV output is also supported.
  - Print totals for committed, diff and number of processes per file.
- -Dump File
  - Show Total Time in summary, which is the sum of Read+Write+Open+Close times. This is also supported in per process summary and detail (-details) mode.
- IETWExtract
  - Add ComputerName to IETWExtract.ComputerName
  - Add Disk layout and partition (e.g. drive letter) information to IETWExtract.Disk.DiskInformation
- -Dump Stats
  - Add Machine and Disk to console output.
- -Extract Memory
  - Extract SystemCacheWs, PagedPoolWs, SystemPteWs as synthetic processes with pid 1. These are not real processes.
- default.stacktags
  - Added Trim Working Set stacktag to identify performance issues due to hard limits on the system file cache working set.
Fixes
- Exception in ETWProcess when ProcessName was null.
- Exception during extract: Some files are not using datetime versioning to extract module versions. Ignore these.
- -Dump Memory: Dump all processes even when the working set did not change.
- Extracted memory info is now rounded at x.5 to the next bigger number (MB), which reduces the rounding error.
- -Extract CPU: When CPU sampling without stacks was recorded we did not use CSwitch data for CPU consumption. This seems to be a setting which is widely used by MS support.
- All commands now support -help, e.g. -dump cpu -help will print just the CPU help. Before that you needed to add garbage to the command to get the help text.
2.5.0.0
ETWAnalyzer 2.5.0.0
- Update to released version 1.11.108 of TraceProcessing which is no longer beta.
- -dump Process: Added -MinMaxStart filter to filter processes by start time in ETW session time.
- -dump CPU now also supports -smi switch which will print for each executable the file version, description and directory from where it was started.
- -dump CPU with -sortby xx and -topn changed behavior. We use now the -TopN processes what is used by the -SortBy clause. Previously we sorted only by CPU. The old behavior has on the + side that the -TopN processes stay stable regardless of sort order. The new sort behavior is more consistent, although it might produce surprising output.
- When -ShowTotal is used the Json files and the processes inside each file are sorted by their totals.
  Improved total output formatting a lot to be more readable and also include ready times, which are now color coded red.
- Document that -Dump File can also sort by file operation count.
Fixes
- -dump Process would throw InvalidOperationException when there were no lines to print, because Max throws on an empty sequence.
- NullReferenceException in MachineDetailsExtractor when user SID was null.