PerfView Version V1.7 released to the web.

It has been a 9 months since the last public version of PerfView, so today I have updated the PerfView Download location from version 1.6 to Version 1.7.  

Here are some of the new features that I think are noteworthy.  You can look at the Help -> Release Notes for more information on detailed changes. 

  • Much improved '(With Tasks) views handles async much better (will improve more in the future as well)
  • Added the 'Size' menu and the 'Directory Size' menu item for figuring out where disk space is going.
  • Enabled Goto Source for .NET Framework.   Will fetch the source code from Microsoft's server so you can see inside .NET framework code.
  • Can turn on Network Capture to capture every network packet (See collection dialog box).  Rudimentary parsing in the 'events' view
  • Net GC Allocations (as well as the original alot-ignore free) now possible for coarse sampling (the default)
  • Provider Browser in collection menu for exploring ETW events on the system (can look at manifset)
  • PerfView log from time of collection is storted in the file and is available from the 'TraceLog' view.
  • 'Set As Default Grouping Menu Item' lets you set your default stack viewer parameters.
  • In the events' view you can select events and issue the 'Highlight in Histogram' to see where they are visually in the histogram.


Comments (26)
  1. Mathias says:

    If PerfView can now capture network traffic, we can no longer use it. Our it department does not allow the use of tools that can capture network traffic. Please provide a version without network capturing support.

  2. Anon says:

    @Mathias: Best not let your IT department know about the browser you're using to read this, and its baked in developer tools… or that as a (presumed) developer you can always write your own network sniffing tools.

  3. For what it is worth, the network capture I am talking about is packets that are coming from or going to the machine on which you run the tool not all packets on the connected network (e.g. sniffing tool.   Also for what it is worth, the capability to capture these packets is not built into PerfView so much as into the operating system itself.   In fact, PerfView literally executes a  'netsh trace start' command to actually do the capture, so that frankly NO PROGRAMMING would be needed to accomplish the packet capture with ON THE BOX TOOLS (logman and netsh would be enough, as has already been blogged about (that is how I found out about it!)).    Finally, if the stream has been encrypted e.g. https://… , what you get the encrypted stream, which of dubious use for hacking purposes.  

  4. Mathias says:

    Ok, that makes it clearer what the feature does. Capturing only the traffic from my own machine is ok, only tools that capture all network traffic are forbidden by our IT.

  5. Kavya says:

    I had a very basic question and I'm hoping you would be able to help this amateur perfView user.

    when i try to collect data for a w3wp, and double click on cpu stack -> the time and interval is shown in some weird number. really long number. where as the images and tutorials have the unit milliseconds. How do i change this?

    please help

  6. I am not sure what you mean by 'wierd'.   The number is in milliseconds, which may make it bigger than you expect, and if you let the collection go for a very long time, it might be a very big number,   It you collected for only a modest time (say less than 5 min), then the number should be < 60 * 5 * 1000 == 300,000.    If this is not the case, I would be interested in seeing the trace, as it sounds like a bug.

  7. LarryC says:

    I just downloaded and work on the tutorial. But it seems to be somewhat outdated:

    – There is no automatic popup of a process selection box after collecting data using "run" (neither in dialog nor in batch mode)

    – it would be nice to mention the percentage of wall clock time spent by the CPU is reported in metric/msec (I had to figure out…)

    –  Alt-R to Zoom into a range of interest by: "Selecting two cells (typically the 'First' and 'Last') cells of a particular method of interest, right clicking and selecting 'SetTimeRange' " fails:  selection gets deselected after RMB click, ALT-R has no effect.

    Do I miss something?

  8. I have made a note to update the tutorial text.  

    On the last point, I can't reproduce your issue.   I assume you know how to select multiple cells by dragging or using the CTRL key.   You should make sure that mouse is still in one of the selected cells when you right click (typically this naturally happens, but maybe you are moving the mouse).    As long as you see two cells selected, and the stack window has focus I have never seen Alt-R fail.    Is there any error in the log?

  9. LarryC says:

    I get this experience when selecting 2 adjacent fields in one row (the First and the Last):

    The status bar at the bottom report: Cell contents: <some number> (number in hex)

    When the second field is selected (while the first one remains selected) it reports:

    Sum=<someSum>  Mean=<theMean> Min=<theMin> Max=<theMax> Count=1

    State is now: the 2 fields are selected, indicated by some (blue) background color.

    If I use my RMB on the selection:

    – the selection vanishes (background color reverts to normal)

    – the popup menu appears

    Then I continue selecting an entry from the popup: "Set Time Range (Alt-R)"

    The Popup disappears, the selection gets re-established by the background color AND

    – the status bar reports: Invalid number: <theLast>. Seems here is to look for the root cause.

    No entries in the eventlog.

    Same effect if I use ALT-R (no popup, of course) on the selection.

  10. Just exactly what is the text in the two selected boxes?   Also what is the exact text when PerfView reports 'Invalid Number: '.    Are you by any chance in a locale were you are using something besides a '.' for the decimal point?  

  11. LarryC says:

    Vance, thank you: the locale setting was responsible for the malfunction.

    If I set the Number Format in "Region and Language" to a language using the U.S. number format perfview works as desired.

    Is there a way to get perfview correctly running with a different locale (i.e. another number format)?

    Did I miss something in the documentation?


  12. What you discovered is certainly a bug in PerfView.  I will attempt to fix it in the next release.   It is just that I needed to reproduce and understand the bug.  If you find other locale bugs I will try to fix those as well.

  13. Erik says:

    Are you open to the idea of open-sourcing PerfView on GitHub and accepting PRs?

  14. PerfView and TraceEvent will probably be open-sourced sometime this calendar year.   It is work to make this transition, and that work has to compete against all the other work I might be doing.  

  15. av says:

    Is it possible with TraceEvent to get informed about changes to Windows Firewall?

    Also it would be nice to have a working sample project included with it. I got as far as adding the references, on running the sample code in the .docx I get "The kernel provider must be enabled first and only once in a session." on session.EnableKernelProvider(KernelTraceEventParser.Keywords.Process); line. This is the RX sample code (I got the latest rx and traceevent from nuget and project is console 4.5.1 project)

    I then tried to run it as administrator and same message. I have win7 sp1 64bit.

  16. av says:

    I just the dotnetsamples project on github with a bunch of ETW samples using TraveEvent … but I'm getting the feel that maybe the whole monitoring with etw idea doesn't work well with ETW if there's some sort of limitation. Did I understand correctly that some random app/service can start monitoring kernel stuff with ETW and then my app can't?

  17. av says:

    fix typos:

    I just the found dotnetsamples project on github with a bunch of ETW samples using TraveEvent.

    I'm getting the idea that maybe the monitoring low level things with ETW idea in real-time with Windows 7 doesn't work well with ETW if there's some sort of Windows 7-limitation.

    Did I understand correctly that some random app/service can start monitoring kernel stuff with ETW and then my app can't as that other app has the "session". Puzzling design.

  18. av says:

    What I'd really like to achieve is this:

    1) Alert my app if firewall configuration is changed

    2) If communication is attempted to new address with any protocol, allow me to decide whether to allow communication to that address or not. Optionally I can allow the communication and subscribe to listen to it passively

    And I'd like to do both in a C# console app in < 20 lines of code…

    I know that 2) is "impossible" without some low level traffic interception/filter (eg. WinDivert). It would be acceptable to just see the initial communication and then decide to block that address in firewall. This should be possible without having to install any drivers.

  19. I don't know whether the windows firewall has the ETW events you what, however do note that if you go to the 'advanced' section of PerfView's collection dialog box and click on the 'Provider Browsers' you can see all the providers that have 'Firewall in their name, and you can click the 'View Manifest' button to look at the manifest, which will show you what events are available.    Often just turning things on and seeing what gets produced is the fastest way to answer such questions.   Note that accessing these events does NOT require the kernel provider.  

    I do see that you found the TraceEvent samples (also on Nuget, see…/walk-through-getting-started-with-etw-traceevent-nuget-samples-package.aspx).  

    It is true that you must be administrator to start an ETW session.

    It is also true that on windows 7 there can be at most 1 kernel provider.

    However I don't know that there is an event, even in the kernel that will do what you want of finding any time a communication channel is initiated regardless of transport protocol.    It may exist, I simply don't know.  Again you can research the provides in the provider browser, but low level hooks like this often are done specially, and may not be there.   I am not very hopeful…

    Finally, note that even in real-time ETW providers there is a noticeable delay (e.g. 1 or more seconds), between the time something happens and the time you get the event (because of buffering).   ETW is NOT really designed as a hook in the OS, it is designed for TELEMETRY / LOGGING.  

  20. av says:

    Thanks for your input. I found a site that sells library & driver for the kind of things mentioned. I'll look at the ETW providers when I get on to Windows 10 preview, maybe things have changed there or in 8.

    I did get as far as reimplementing nestat -bno with hints from SO.

    It looks like the bottom line is that Windows just wasn't designed in a way that would allow for comprehensive reliable tracking of where communications are originating from or going to. You can get a small taste of that with netstat and perhaps bit more with ETW but if some app has enough rights they can just bypass all the APIs.

    I just wanted to know what are the possibilities, for my actual use I actually only want to automate some network stats rather than chase what process intruders are in.

  21. Alan M says:

    This is a wonderful tool. I'm having an issue using it, where the .NET application I'm profiling starts to throw exceptions when collecting is turned on. The exception is happening in what looks to be networking related classes in the BCL during web service calls to Dynamics CRM. I have spent a couple hours trying to narrow it down by setting up reference source debugging but still feel like I have a long way to go. Is there anything you can suggest for how to troubleshoot this or what to be looking for?

  22. Actually it should be very easy to determine what is causing the exception because PerfView turns on the .NET Exception event which includes a stack trace of exactly where the exception happened.     This is probably a bug in the framework, so we are definitely interested in getting it fixed.  If you place the .ETL.ZIP file you have on my one drive I can take look.  

    Note that this is probably caused by extra code turned on by a particular provider that PerfView turns on by default.  It is likely I can give you a work-around to turn off that provider and thus avoid the failure.  

  23. @Alan M:  If you wish to follow up more privately, let me know at

  24. Alan M says:

    Thank you, I've looked into this some more and will follow up by email.

  25. Peter Palotas says:

    The formatting of numbers are not consistent on a machine with non-US regional settings, which leads to some things not working correctly. For example, with Swedish regional settings, the decimal point is a comma (',') instead of a dot. So, the Start/End time range textboxes shows the numbers with correct formatting, however if I want to enter a number in one of these text-boxes I cannot enter them with local format. It seems to strip away everything after the decimal point. I can't enter them with US format either, then I just get a beep.

    In the events view, the "Time MSec" column shows numbers with US format. This means I also cannot for example select two items in the event view and select "Set Range Filter", this will enter the numbers in the textboxes but then just a beep, since they are not in the correct format.  So I need to change the region to US every time I need to do some work with PerfView to get it to work correctly, which is kind of annoying.

    It should either use regional formats for numbers everywhere, or invariant (US) formats everywhere. This mix of things apparently is not a good thing. 🙁

  26. The intent is these should be in the local culture however WPF does not make this easy (see…/wpf-tips-1-have-all-your-dates-times.html).   The code LOOKS like it should work, but your experience proves otherwise.   I have logged a work item, but I am not really set up to do multi-language localization tests, so it may be a while.

Comments are closed.

Skip to main content