Defrag Tools: #46 - WPT - Driver Analysis

Download this episode

Download Video


In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen continue walking you through the Windows Performance Toolkit (WPT). Example xPerf scripts.

Defrag Tools: #23 - Windows 8 SDK
Defrag Tools: #29 - WinDbg - ETW Logging
Windows Performance Analysis Developer Center
Windows Performance Toolkit
Channel 9 Videos
NTDebugging Blog Article
PFE Blog Series

[00:32] - xperf -on PROC_THREAD+LOADER+PROFILE+DRIVERS -stackwalk ...
[01:27] - xPerfView - Driver Delays
[05:09] - WPA
[05:50] - Device Stack & IRPs
[09:14] - Advanced Settings (Filter)
[12:14] - Long Duration example
[13:30] - Zoom and then look at other graphs - e.g. CPU Usage (Sampled)
[15:22] - Summary

Example: "xperf - Collect Drivers.cmd"

@echo off
echo Press a key when ready to start...

echo .
echo ...Capturing...
echo .

xperf -on PROC_THREAD+LOADER+PROFILE+DRIVERS -stackwalk Profile -BufferSize 1024 -MinBuffers 256 -MaxBuffers 256 -MaxFile 256 -FileMode Circular

echo Press a key when you want to stop...
echo .
echo ...Stopping...
echo .

xperf -stop -d drivers.etl



Available formats for this video:

Actual format may change based on video formats available and browser capability.

    The Discussion

    • User profile image

      C:\Program Files\Windows Performance Toolkit>"xperf - Collect Drivers.cmd"
      Press a key when ready to start...
      Premere un tasto per continuare . . .
      xperf: warning: This system is not fully configured for x64 stack tracing.
      Please modify the registry under:

      HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management

      and set the value:

      DisablePagingExecutive (REG_DWORD) = 1

      Then reboot before retrying tracing.

      Note: Tracing has been enabled, this is just a warning.
      xperf: error: NT Kernel Logger: Flag non validi. (0x3ec).
      Press a key when you want to stop...
      Press a key to continue. . .
      xperf: error: NT Kernel Logger: Il nome di istanza inviato non Þ valido per il provider di dati WMI. (0x1069).


      Is this error (0x1069) related to DisablePagingExecutive not set at 1?

      I have Windows 7 64bit Home Premium

      I wish you could reply also to my question posted in #45 that I copy and paste here
      Not directly related to this video, but in general.
      Whenever I launch those cmd, xperf correctly warns me that "This system is not fully configured for x64 stack tracing" so that Disable Paging Executive must be set at 1, to have valid results.
      My question is: "Why isn't Disable Paging Executive set to 1 as default in Windows 7?"

      I have Windows 7 Home Premium 64bit with 16 GB RAM
      What do I risk if I leave it set at 1 as default?

      is there any (brief) technical reason why Microsoft didn't leave at 1 in W7, while I understand it is set at 1 in W8?

    • User profile image

      @loverboy: "Disable Paging Executive" keeps the PE Header of drivers in RAM - so that symbolic resolution can be guaranteed.  It isn't on by default as it would waste RAM (once the image is loaded, it isn't need).  In Windows 8, they did some magic (not sure what) to make it irrelevant.

      In my personal experience, I've always been able to do the analysis without it set - other may have a different experience.

    • User profile image

      OK thanks for your reply.

      But what about these errors (that I try to translate) when running the cmd file

      xperf: error: NT Kernel Logger: Not valid flags. (0x3ec).


      xperf: error: NT Kernel Logger: Sent instance name is not valid for WMI data provider. (0x1069).

      Any ideas?

    • User profile image

      @loverboy: The command provided is for Win8 but it should work on Win7 as well.  This might be a text formatting issue due caused by copy/paste of the web page.  Try downloading the script instead (

    • User profile image

      There is an "S" missing in the example above


      Thanks ;)

    • User profile image

      @loverboy: Sorry about that -- fixed.

    Comments closed

    Comments have been closed since this content was published more than 30 days ago, but if you'd like to continue the conversation, please create a new thread in our Forums, or Contact Us and let us know.