XPerf Tool – Why Can’t You Live Without It?

Israel Burman (Israel is one of the ADPlus creators and the guy who taught me the XPerf tool) and Mario Hewardt told me I should blog about the XPerf tool.

Although I’m new to this tool I decided to follow their suggestions because I believe you’re going to wonder how you could live without using this tool after using it for the first time. J


So, when starting to write this article I decided to browse the internet to see how many articles from Microsoft I could find because I didn’t want to be redundant. As a matter of fact I found several great articles. (Am I late to the party? J) Some of these articles are very didactic and similar to what I had in mind.

That said, I’m not going to be redundant here, likewise I’m going to give you just an overview about the tool and mention those articles that details the configuration and usage of XPerf so you can get the necessary details from these articles without having to research the internet all over again.



-      XPerf is based on ETW (Event Tracing for Windows) which is a very efficient tracing infrastructure.

-      The overhead caused by XPerf is about ~2.5% CPU, in other words, very minimum.

-      The tracing can be dynamically enabled or disabled and it doesn’t require a reboot.

-      XPerf enables you to collect logs, create reports and see charts from the collected data.





-      When you need to isolate performance problems.

-      To get a better understanding of the Operating System.

-      Probably other scenarios where you can benefit for tracing the Windows components.





From here or here.





-      Collect logs from a few seconds to 5 minutes.

-      Start just before reproducing the symptom.

-      Don’t forget to setup the symbols.





After installing XPerf open a Command Prompt using RunAs Administrator.


Setup symbols:


set _NT_SYMBOL_PATH= srv*C:\symbols*http://msdl.microsoft.com/downloads/symbols



Start XPerf, collecting just general information:


XPerf -on DiagEasy


Reproduce the symptom.

After that use this command to stop the tracing, creating a log file:


XPerf -d trace.etl


To visualize the charts from the data you just collected use:


XPerf trace.etl


XPerf can collect different information for different scenarios.

To do that you need to change the provider. Providers are the Windows components that have the ability to log information.



XPerf –on <provider>


To get a list of all available providers use:


XPerf -providers k  


To get call stack information you need to specify the Kernel events that should log the call stack.

This is the way to do that:


Xperf -on <provider> -stackwalk <flags>


Example using provider = diageasy and stackwalk = profile:


XPerf -on diageasy -stackwalk profile


If you want to see other types of flags use:


XPerf -help stackwalk


To send the information to a CSV file use:


XPerf -i trace.etl > output.csv


You can create a PowerShell script which parses the output from the CSV file.

It’s possible to create a CSV file with filtered information. To do that use:


XPerf –i trace.etl –a <action_name> > output.csv




XPerf –i trace.etl –a registry > output.csv



XPerf –i trace.etl –o output.txt –a registry


Notice the –o parameter above to specify the output file.


In my machine XPerf is in the C:\ETL folder.

Considering that, here is one possible way to use the tool:


C:\ETL>set _NT_SYMBOL_PATH= srv*C:\symbols*http://msdl.microsoft.com/downloads/symbols


C:\ETL>XPerf -on DiagEasy


# Reproduce symptom here…


C:\ETL>XPerf -d trace.etl


# At this point you may want to create a CSV file. See instructions above.


C:\ETL>XPerf trace.etl



Ok, you’re probably wondering where the screenshots are. I decided to not use screenshots because some of the links below have all screenshots you need.








http://msdn.microsoft.com/en-us/performance/default.aspx (download)





XPerf rocks!


Comments (7)

  1. Helge Klein says:

    Hi Roberto,

    you should have mentioned that xperf, great as it may be, is very well hidden in the Windows SDK. In order to get to xperf, you need to download the SDK web installer, guess the correct component (I keep forgetting) and, when done, locate the xperf MSI which the SDK installer placed in some obscure place.

    I find it sad that on the one hand you guys keep writing about this nice tool, but on the other hand it is next to impossible to download and install. Don’t believe me? Ask any average admin guy to "install xperf".

    So you should really really at least have described in detail how to do that.


  2. André says:

    I’m also using xperf and xbootmgr very often and I posted some guides in german.

    @Helge You need to install the Win32 Development Tools to get the WPT MSI Installer. I also don’t like this. But it’s the same with the Debugging Tools. The standalone download was removed, now you have to get the whole WDK.

  3. no.compromise says:


    FWIW, the Microsoft Hardware Newsletter for March 10, 2010 (http://www.microsoft.com/whdc/resources/news/newsletters/MHN_031010.htm) states "… Also, a decision on where and how to release the Debugging Tools has not yet been made. For now, the current release of the Debugging Tools is available in the Windows Driver Kit (WDK) 7.1.0 release. …"

    So maybe we will be lucky with the DTW, and not have to go through a similar convoluted process as the WPT installer currently seems to be.

  4. Phil Thompson says:

    A tool you can’t live without but you’ll struggle to find and install – classic !

    Why can’t i go to Add/Remove programs,select xperf and have it arrive on a menu ? perhaps I’m thinking of a different OS.

  5. rafarah says:

    Phil, I understand your pain and the pain of all other users facing the same problem. Personally, I don’t have any explanation or justification for that but maybe the Performance Team knows better how to answer your question: http://blogs.technet.com/askperf/default.aspx



  6. Ian says:

    How does xperf compare with typeperf?

    as described in "Monitoring CPU Runaway Processes" at http://wp.me/poJiS-63

  7. rafarah says:

    Hi Ian,

    I don't know TypePerf so I can't answer your question. 🙁



Skip to main content