Collecting WinRM Traces

This blog entry explains how to collect WinRM ETW and WPP traces:

WinRM ETW Traces:

You can use EventViewer to look at WinRM ETW events:

·         They are under Application and Services Logs → Microsoft → Windows → Windows Remote Management


The Operational channel is enabled by default. The Analytic channel needs to be enabled.

Use the following to show and enable the Analytic log:

·         Menu → View → Show Analytic and Debug Logs

·         Right-click on the Analytic log and select Enable Log


Alternatively, one can enable the Analytic log using:

·         Wevtutil.exe sl Microsoft-Windows-Winrm/Analytic /e:true /q


Here’s a way to collect an ETW log dump using logman.exe:

·         Start the provider: logman.exe start winrmtrace -p Microsoft-Windows-Winrm -o winrmtrace.etl -ets

·         Run the repro.

·         Stop the provider: logman.exe stop winrmtrace -ets


Here’s a way to convert the .etl log to various formats:

·         XML: tracerpt.exe winrmtrace.etl -of XML -o winrmtrace.xml

·         CSV: tracerpt.exe winrmtrace.etl -of CSV -o winrmtrace.csv

·         TXT: netsh trace convert winrmtrace.etl dump=TXT
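The logman and tracerpt steps above, combined into one PowerShell function as an added example (not part of the original post). The function name, its parameters, the timestamped file names and the Test-WSMan repro are assumptions; the session is stopped in a finally block so a failed repro does not leave the trace running.

```powershell
# Added example: wraps the page's logman start / repro / stop / convert steps.
# Invoke-WinRMTraceCapture and its parameters are hypothetical names.
function Invoke-WinRMTraceCapture {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [scriptblock] $Repro,  # action that reproduces the problem
        [string] $Session = 'winrmtrace',             # session name used on the page
        [string] $OutDir  = (Get-Location).Path
    )

    # Timestamped names (an assumption) so a rerun never collides with an old trace.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $etl   = Join-Path $OutDir "$Session-$stamp.etl"
    $xml   = Join-Path $OutDir "$Session-$stamp.xml"

    # Start the provider, as on the page.
    & logman.exe start $Session -p Microsoft-Windows-Winrm -o $etl -ets | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "logman start failed with exit code $LASTEXITCODE"
    }

    try {
        # Run the repro while the session is collecting.
        & $Repro | Out-Null
    }
    finally {
        # Always stop the session, even if the repro throws.
        & logman.exe stop $Session -ets | Out-Null
    }

    # Convert to XML, as on the page (-y suppresses overwrite prompts).
    & tracerpt.exe $etl -of XML -o $xml -y | Out-Null

    # Summarise the capture: event count per ID, with the first line of one message.
    # Get-WinEvent requires -Oldest when reading an .etl file.
    Get-WinEvent -Path $etl -Oldest -ErrorAction SilentlyContinue |
        Group-Object Id |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'EventId';      e = { $_.Name } },
            @{ n = 'FirstMessage'; e = { ($_.Group[0].Message -split "`r?`n")[0] } }
}

# Constructed repro: a local WinRM identify request.
Invoke-WinRMTraceCapture -Repro { Test-WSMan -ComputerName localhost }
```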



Note that these are just operational and analytic logs. If there is a low-level design/implementation problem that can't be figured out using these logs, WPP traces may be required. The following steps generate WinRM WPP traces.


WinRM WPP Traces:

Launch a PowerShell console with elevated admin credentials and run the following commands:

·         Import-Module psdiagnostics

·         Enable-WSManTrace

·         Now reproduce the problem by sending the subscription packets from the client. Continue with the next step after the problem stops.

·         Disable-WSManTrace

·         Send us the file %windir%\system32\wsmtraces.log

Comments (4)

  1. Marc Sherman says:


    What is the difference between "WinRM" and "WSMan" ?

    What is "WPP" ?



  2. Manoj Ampalam says:

    Hi Marc,

    WinRM and WSMan are synonyms and refer to Microsoft’s implementation of Web Services for Management. I’ll change the wordings to WinRM to make it less confusing.

    WPP (Windows software trace preprocessor) is a tracing technology that is provided by OS (Windows). It is generally used to log highly verbose dev/debug traces. Traces generated by WPP require special files to decode (these are called tmf files) that are not available to external customers. has more information on WPP tracing.

    ETW traces on the other hand can be viewed directly in Event Viewer and are good enough to diagnose a majority of customer issues.


  3. VJ says:

    How to retrieve WMI property qualifiers using WINRM?


    By using the below query we can get the disk read rate, so how can we get the countertype property qualifier of "DiskReadsPerSec"?

    "select DiskReadsPerSec from Win32_PerfRawData_PerfDisk_LogicalDisk"

    Thanks in Advance.


  4. Aamer says:

    How do you read wsmtraces.log?