ProcExp and XPerf tracing


I was trying to run some XPerf traces to prepare for a training, when it all of a sudden stopped working. The error I got was this:

xperf: error: NT Kernel Logger: Cannot create a file when that file already exists. (0xb7).

Weird because I ran the same command successfully multiple times before. Trying to stop a potentially conflicting session by using:

Xperf –d blah.etl

Failed with this error:

xperf: error: Merge ETL: The specified path is invalid. (0xa1).

And the event log contained this:

Session “NT Kernel Logger” failed to start with the following error: 0xC0000035

What has changed was that I had started ProcMon.exe. That uses the NT Kernel Logger. Exiting that process cleared the way for my first command.


Comments (6)

  1. The PE14 uses ETW for Network IO display and this causes the issue. I also needed some time to figure this out. I already send Mark an email about it. That's why I'm back to version 12.04

  2. nc/m says:

    Ran into the same thing when I tried to run powercfg -energy – Process Explorer 14.01 was running and had the session open.

    =-=-=-=-=

    Enabling tracing for 60 seconds…

    Observing system behavior…

    Could not open the NT Kernel Logger.  The NT Kernel Logger is already in use.  Ensure that all other performance monitor

    ing utilities, including Reliability and Performance Monitor are not currently in use.

    =-=-=-=-=

    Exiting Process Explorer allowed powercfg to run…  (Same message when Procmon is capturing and one tries to run powercfg -energy, of course.)

  3. Bryan Price says:

    Thanks!  I've been having some weirdness, and xperf was suggested.  Couldn't figure out WHY the damn file already existed!  Better error message here Microsoft!

  4. sergmat says:

    If the NT Kernel Logger session is already in use, the StartTrace func returns ERROR_ALREADY_EXISTS twitter.com

  5. Nax says:

    C:Program FilesMicrosoft Windows Performance Toolkit>xperf.exe -on DiagEasy

    xperf: error: NT Kernel Logger: Cannot create a file when that file already exis

    ts. (0xb7).

    The problem is you cannot stop the NT Kernel Logger trace when the Trace Session->Stream mode is set to Real Time in the NT Kernel Logger Event Trace Sessions’ properties. Switch it to File and then you will be able to stop it. You can then utilize xperf to run kernel traces. Be sure to switch it back to the way it was when you are done!

  6. asd says:

    C:Program FilesMicrosoft Windows Performance Toolkit>xperf.exe -on DiagEasy

    xperf: error: NT Kernel Logger: Cannot create a file when that file already exis

    ts. (0xb7).

    The problem is you cannot stop the NT Kernel Logger trace when the Trace Session->Stream mode is set to Real Time in the NT Kernel Logger Event Trace Sessions’ properties. Switch it to File and then you will be able to stop it. You can then utilize xperf to run kernel traces. Be sure to switch it back to the way it was when you are done!