Tracedmp.exe: Trace Dump


TraceDmp is an event tracing command-line tool that produces a summary of event trace log items. TraceDmp either processes a trace log file generated by TraceLog or polls real-time trace buffer data, and converts that information to a .csv file.

TraceDmp behaves like a WMI consumer. It takes the output from a TraceLog file, generally a .etl file, and converts it into a user-friendly format. This output provides you with a view of event trace results.

TraceDmp gives you several ways to view event tracing data:

How TraceDmp Works

TraceDmp interprets the log file created by TraceLog. This log file is written in a specific format, with a header and some variable data. While the header is fixed, the variable data has to be interpreted separately for each event. For example, process start/end tracing and disk I/O tracing have their own variable structure. This variable portion is determined by TraceDmp through a lookup in the mofdata.guid file.

Currently, mofdata.guid only contains information for directory service and System tracing. To process data from other providers, you must either include the format for that provider in mofdata.guid, or get another pre-configured mofdata.guid file. The format is based on the WMI format, which uses the MOF structure. Details can be obtained by running WBEMTest.
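The header-plus-lookup decoding described above, as an added example that is not TraceDmp's code. The record layout, GUIDs, field names and the SCHEMAS table are constructed for illustration and are not the real .etl or mofdata.guid formats; the example assumes a record whose GUID has no entry is kept as raw bytes.

```python
import struct
import uuid

# Constructed record layout (NOT the real .etl format): fixed header of
# 16-byte provider GUID, uint8 event type, uint16 payload length.
HEADER = struct.Struct("<16sBH")

# Hypothetical stand-in for the GUID lookup file:
# GUID -> (event name, payload struct format, field names)
SCHEMAS = {
    uuid.UUID("11111111-2222-3333-4444-555555555555"): ("ProcessStart", "<II", ("pid", "parent_pid")),
    uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"): ("DiskRead", "<IQ", ("disk", "bytes")),
}

def parse(buf, schemas=SCHEMAS):
    """Decode every record in buf; payloads with no schema entry stay raw hex."""
    events, off = [], 0
    while off < len(buf):
        if len(buf) - off < HEADER.size:
            raise ValueError(f"truncated header at offset {off}")
        raw_guid, etype, plen = HEADER.unpack_from(buf, off)
        off += HEADER.size
        if len(buf) - off < plen:
            raise ValueError(f"payload overruns buffer at offset {off}")
        payload, off = buf[off:off + plen], off + plen
        guid = uuid.UUID(bytes_le=raw_guid)
        event = {"guid": str(guid), "type": etype}
        schema = schemas.get(guid)
        if schema is None:
            # Unknown provider: the fixed header is readable, the payload is not.
            event.update(event=None, raw=payload.hex())
        else:
            name, fmt, fields = schema
            if struct.calcsize(fmt) != plen:
                raise ValueError(f"{name}: payload length {plen} does not match schema")
            event.update(event=name, **dict(zip(fields, struct.unpack(fmt, payload))))
        events.append(event)
    return events

def record(guid, etype, payload):
    return HEADER.pack(uuid.UUID(guid).bytes_le, etype, len(payload)) + payload

# Constructed sample: two known providers and one with no schema entry.
SAMPLE = (
    record("11111111-2222-3333-4444-555555555555", 1, struct.pack("<II", 4321, 4))
    + record("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", 10, struct.pack("<IQ", 0, 65536))
    + record("99999999-0000-0000-0000-000000000001", 7, b"\x01\x02\x03")
)
```

Calling parse(SAMPLE) returns two decoded events and one entry with only its header fields and raw payload; a length field that runs past the end of the buffer raises ValueError instead of being read.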

TraceDmp Topics

Files Required

For More Information

See the Microsoft Platform SDK for more information about event tracing.