How to force PerfView to collect ETW events coming only from one process

Question

I know there is a /Process:NameOrPID switch but it affects only /StopXXX commands. Collecting ETW events from all processes leads to big *.ETL file. I am trying to be able to catch ETW events only from one process in order to avoid polluting the output file with non relevant ETW events.

Answer 1

Updated 2019-04-14.

Now there is a way to do that. Please use /focusProcess=ProcessIDOrName option available in PerfView 2.0.32 (also available in UI starting from 2.0.39).

Answer 2

If you know the names of the ETW providers emitting events from your process you can filter the process when specifying providers in the Additional Providers text box, or in the -Providers or -OnlyProviders command line arguments to perfview.

From PerfView's docs:

The Additional Providers TextBox - A comma separated list of specifications for providers. This can be specified by using the (the ... button) or by the following textual specification. Each provider specification has the general form of provider:keywords:level:values. The keyword and levels specification parts are optional and can be omitted (For example provider:keywords:values or provider:values is legal).

Process filters occur in the values section. Relevant portions from the docs:

values - this is a list of semicolon-separated values KEY=VALUE, which are used to pass extra information to the provider or to the ETW system. KEY values that begin with an @ are commands to the ETW system. Everything else is passed on the the provider (EventSources have direct support for accepting this information in its OnEventCommand method). The special ETW keywords include

• @ProcessIDFilter - a space separated list of decimal process IDs to collect data from. Only events from these processes (or those named in the @ProcessNameFilter) will be collected. Since IDs only exist after a process is created, this only works on processes that are running at the time collection starts.
• @ProcessNameFilter - a space separated list of process names (a process name is the file name (no path) of the executable INCLUDING the .EXE extension). Only events from the names processes (or those named in the @ProcessIDFilter) will be collected. It does not matter if the process was running before collection or not.

So, if I have an ETW provider named my-provider running in a process named my.process.exe, I could run a perfview trace at the command line targeting the process like so:

perfview collect -OnlyProviders:"*my-provider:@ProcessNameFilter=my.process.exe"

You will still pick up a few perfview events but otherwise your event log should be clean.