Tracelog.exe: Trace Log


TraceLog is an event tracing command-line tool that starts, stops, or enables trace logging. The results of event logging can be viewed with either the TraceDmp or Reducer tools.

TraceLog acts like a Windows Management Instrumentation (WMI) controller in that it helps control the various parameters associated with the logging of event traces.

Using TraceLog you can:

TraceLog first creates a circular buffer and enables tracing. The WMI provider, such as the operating system or an application such as the directory service, starts tracing events. These traces are written to the buffer. When a buffer is filled, the data is written to a log file. If real-time mode is set, then the consumer, such as TraceDmp or another application, can take data directly from the buffer.

TraceLog display

Logger Name: Name of the logging instance. For the kernel, it is NT Kernel Logger; otherwise it defaults to the name you provided (see example 2).
Logger Id: ID of the logger.
Logger Thread Id: Thread ID of the logger.
Buffer Size: The size of the buffer allocated.
Maximum Buffers: The maximum number of buffers in the pool.
Minimum Buffers: The number of buffers to pre-allocate.
Number of Buffers: The number of buffers currently in use.
Free Buffers: The number of buffers in the free list.
Buffers Written: The number of buffers that have already been written to.
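The following Python model is an added example, not part of the original documentation or of TraceLog itself. It walks through the buffering sequence described above (providers fill a buffer, filled buffers are written to the log file and returned to the free list) and reports counters named after the display fields. The class and method names are hypothetical, at least one pre-allocated buffer and events no larger than one buffer are assumed, and the "Events Lost" counter is an assumption of the model that shows what happens when the pool is exhausted before the logger catches up.

```python
from collections import deque


class TraceSession:
    """Toy model of the buffering described above; not ETW's real implementation."""

    def __init__(self, buffer_size, min_buffers, max_buffers):
        self.buffer_size = buffer_size
        self.max_buffers = max_buffers
        self.free = deque(bytearray() for _ in range(min_buffers))  # pre-allocated pool
        self.allocated = min_buffers         # modelled as "Number of Buffers"
        self.current = self.free.popleft()   # buffer the providers write into
        self.full = deque()                  # filled buffers awaiting the logger thread
        self.log_file = []                   # stands in for the log file on disk
        self.buffers_written = 0
        self.events_lost = 0                 # assumption: dropped when no buffer is free

    def write(self, event: bytes) -> bool:
        """Provider side: append one event, switching buffers when the current one is full."""
        if len(self.current) + len(event) > self.buffer_size and not self._switch():
            self.events_lost += 1
            return False
        self.current += event
        return True

    def _switch(self) -> bool:
        if self.free:
            nxt = self.free.popleft()
        elif self.allocated < self.max_buffers:
            nxt, self.allocated = bytearray(), self.allocated + 1  # grow up to the maximum
        else:
            return False
        self.full.append(self.current)
        self.current = nxt
        return True

    def flush(self) -> int:
        """Logger side: write filled buffers to the log file, then recycle them."""
        n = len(self.full)
        while self.full:
            buf = self.full.popleft()
            self.log_file.append(bytes(buf))
            buf.clear()
            self.free.append(buf)
        self.buffers_written += n
        return n

    def status(self) -> dict:
        return {"Number of Buffers": self.allocated, "Free Buffers": len(self.free),
                "Buffers Written": self.buffers_written, "Events Lost": self.events_lost}
```

In this model, a session whose maximum is too small for the event rate starts losing events once every buffer is full and unflushed, which is the gap to watch for when trace data feeds monitoring or an investigation.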


Files Required