static void Main(string[] args)
        if (args.Length != 3)
            Console.Error.WriteLine("Usage: GetCpuSampleDuration.exe <trace.etl> <imageName> <functionName>");

        string tracePath    = args[0];
        string imageName    = args[1];
        string functionName = args[2];

        Dictionary <string, Duration> matchDurationByCommandLine = new Dictionary <string, Duration>();

        using (ITraceProcessor trace = TraceProcessor.Create(tracePath))
            IPendingResult <ISymbolDataSource>    pendingSymbolData      = trace.UseSymbols();
            IPendingResult <ICpuSampleDataSource> pendingCpuSamplingData = trace.UseCpuSamplingData();


            ISymbolDataSource    symbolData      = pendingSymbolData.Result;
            ICpuSampleDataSource cpuSamplingData = pendingCpuSamplingData.Result;

            symbolData.LoadSymbolsForConsoleAsync(SymCachePath.Automatic, SymbolPath.Automatic).GetAwaiter().GetResult();

            IThreadStackPattern pattern = AnalyzerThreadStackPattern.Parse($"{imageName}!{functionName}");

            foreach (ICpuSample sample in cpuSamplingData.Samples)
                if (sample.IsExecutingDeferredProcedureCall == true || sample.IsExecutingInterruptServicingRoutine == true)

                if (sample.Stack != null && sample.Stack.Matches(pattern))
                    string commandLine = sample.Process.CommandLine;

                    if (!matchDurationByCommandLine.ContainsKey(commandLine))
                        matchDurationByCommandLine.Add(commandLine, Duration.Zero);

                    matchDurationByCommandLine[commandLine] += sample.Weight;

        foreach (string commandLine in matchDurationByCommandLine.Keys)
            Console.WriteLine($"{commandLine}: {matchDurationByCommandLine[commandLine]}");
    public static int Main(string[] args)
        if (args.Length != 1)
            Console.Error.WriteLine("Usage: FindZombieProcess.exe <trace.etl>");

        string tracePath = args[0];

        TraceProcessorSettings settings = new TraceProcessorSettings {
            AllowLostEvents = true

        using (ITraceProcessor trace = TraceProcessor.Create(tracePath, settings))
            IPendingResult <IHandleDataSource> pendingHandleData = trace.UseHandles();
            IPendingResult <ISymbolDataSource> pendingSymbolData = trace.UseSymbols();


            IHandleDataSource handleData = pendingHandleData.Result;
            ISymbolDataSource symbolData = pendingSymbolData.Result;

            symbolData.LoadSymbolsForConsoleAsync(SymCachePath.Automatic, SymbolPath.Automatic).GetAwaiter().GetResult();

            foreach (IProcessHandle processHandle in handleData.ProcessHandles)
                // Zombie processes are processes which have exited but which still have a running process holding a handle to them
                if (processHandle.Process != null && !processHandle.CloseTime.HasValue &&
                    string owningProcessName = processHandle.Owner?.ImageName ?? "Unknown";
                    string targetProcessName = processHandle.Process?.ImageName ?? "Unknown";
                    Console.WriteLine($"Owning process: {owningProcessName} has handle to: {targetProcessName}");

Exemplo n.º 3
        static void RunWithOptions(Options opts)
            using (ITraceProcessor trace = TraceProcessor.Create(opts.etlFileName))
                IPendingResult <ICpuSampleDataSource> pendingCpuSampleData = trace.UseCpuSamplingData();
                IPendingResult <ISymbolDataSource>    pendingSymbolData    = trace.UseSymbols();


                ISymbolDataSource    symbolData    = pendingSymbolData.Result;
                ICpuSampleDataSource cpuSampleData = pendingCpuSampleData.Result;

                var symbolProgress = new Progress <SymbolLoadingProgress>(progress =>
                    Console.Write("\r{0:P} {1} of {2} symbols processed ({3} loaded)",
                                  (double)progress.ImagesProcessed / progress.ImagesTotal,
                    SymCachePath.Automatic, SymbolPath.Automatic, symbolProgress)

                var profileWriter = new ProfileWriter(opts.etlFileName,

                var timeStart = opts.timeStart ?? 0;
                var timeEnd   = opts.timeEnd ?? decimal.MaxValue;

                var exportAllProcesses = opts.processFilter == "*";
                var processFilterSet   = new HashSet <string>(
                    opts.processFilter.Trim().Split(",", StringSplitOptions.RemoveEmptyEntries));

                for (int i = 0; i < cpuSampleData.Samples.Count; i++)
                    if (i % 100 == 0)
                        Console.Write("\r{0:P} {1} of {2} samples processed",
                                      (double)i / cpuSampleData.Samples.Count, i, cpuSampleData.Samples.Count);

                    var cpuSample = cpuSampleData.Samples[i];

                    if ((cpuSample.IsExecutingDeferredProcedureCall ?? false) ||
                        (cpuSample.IsExecutingInterruptServicingRoutine ?? false))

                    if (!exportAllProcesses)
                        var processImage = cpuSample.Process.Images
                                           .FirstOrDefault(image => image.FileName == cpuSample.Process.ImageName);

                        string imagePath = processImage?.Path ?? cpuSample.Process.ImageName;

                        if (!processFilterSet.Any(filter => imagePath.Contains(filter.Replace("/", "\\"))))

                    var timestamp = cpuSample.Timestamp.RelativeTimestamp.TotalSeconds;
                    if (timestamp < timeStart || timestamp > timeEnd)


                long outputSize = profileWriter.Write(opts.outputFileName);
                Console.WriteLine("Wrote {0:N0} bytes to {1}", outputSize, opts.outputFileName);
Exemplo n.º 4
        // Process a trace and create a summary.
        static SnapshotSummary GetAllocSummary(ITraceProcessor trace)
            var pendingSnapshotData = trace.UseHeapSnapshots();
            var pendingSymbols      = trace.UseSymbols();


            var snapshotData = pendingSnapshotData.Result;
            var symbols      = pendingSymbols.Result;

            symbols.LoadSymbolsAsync(new SymCachePath(@"c:\symcache")).GetAwaiter().GetResult();

            if (snapshotData.Snapshots.Count != 1)
                Console.Error.WriteLine("Trace must contain exactly one heap snapshot - actually contained {0}.",
                return(new SnapshotSummary(null, 0));

            // Scan through all of the allocations and collect them by
            // SnapshotUniqueStackId (which corresponds to Stack Ref#),
            // accumulating the bytes allocated, allocation count, and the
            // stack.
            var allocsByStackId = new Dictionary <ulong, AllocDetails>();

            foreach (IHeapAllocation row in snapshotData.Snapshots[0].Allocations)
                allocsByStackId.TryGetValue(row.SnapshotUniqueStackId, out AllocDetails value);
                value.Stack  = row.Stack;
                value.Size  += row.Size;
                value.Count += 1;
                allocsByStackId[row.SnapshotUniqueStackId] = value;

            // Count how many allocations each stack frame is part of.
            // RtlThreadStart will presumably be near the top, along with
            // RtlpAllocateHeapInternal, but some clues may be found.
            var hotStackFrames = new Dictionary <string, long>();

            foreach (var data in allocsByStackId.Values)
                foreach (var entry in data.Stack)
                    var analyzerString = entry.GetAnalyzerString();
                    hotStackFrames.TryGetValue(analyzerString, out long count);
                    count += data.Count;
                    hotStackFrames[analyzerString] = count;

            var result = new SnapshotSummary(allocsByStackId, snapshotData.Snapshots[0].ProcessId);

            // Create a summary of the alloc counts and byte counts.
            var  totalAllocBytes = DataSize.Zero;
            long totalAllocCount = 0;

            foreach (var data in allocsByStackId.Values)
                totalAllocBytes += data.Size;
                totalAllocCount += data.Count;

            result.hotStackFrames_ = hotStackFrames;
            result.totalBytes_     = totalAllocBytes;
            result.allocCount_     = totalAllocCount;

Exemplo n.º 5
        static int Main(string[] args)
            if (args.Length != 1)
                Console.Error.WriteLine("Usage: PotentialDelayLoads.exe <trace.etl>");

            string tracePath = args[0];

            var settings = new TraceProcessorSettings
                AllowLostEvents = true,

            using (ITraceProcessor trace = TraceProcessor.Create(tracePath, settings))
                IPendingResult <IReferenceSetDataSource> pendingReferenceSet  = trace.UseReferenceSetData();
                IPendingResult <IProcessDataSource>      pendingProcesses     = trace.UseProcesses();
                IPendingResult <ISymbolDataSource>       pendingSymbols       = trace.UseSymbols();
                IPendingResult <IImageSectionDataSource> pendingImageSections = trace.UseImageSections();


                IProcessDataSource      processData      = pendingProcesses.Result;
                IReferenceSetDataSource referenceSetData = pendingReferenceSet.Result;
                ISymbolDataSource       symbolData       = pendingSymbols.Result;
                IImageSectionDataSource imageSectionData = pendingImageSections.Result;

                symbolData.LoadSymbolsForConsoleAsync(SymCachePath.Automatic, SymbolPath.Automatic).GetAwaiter().GetResult();

                // Create a mapping of all static images loaded into all processes during the course of the trace.
                // This is a mapping of images to a dictionary of [processes, IsPotentialDelayLoadTarget]
                Dictionary <string, Dictionary <string, bool> > potentialDelayLoads = new Dictionary <string, Dictionary <string, bool> >();

                // Keep track of the image data for all of the images we've seen loaded. We use this later to look up
                // section names for the offsets being accessed.
                Dictionary <string, IImage> imageData = new Dictionary <string, IImage>();

                foreach (var proc in processData.Processes)
                    foreach (var image in proc.Images)
                        string processName = GenerateProcessNameString(proc);
                        if (image.LoadTime != null)
                            Dictionary <string, bool> processDict;
                            if (!potentialDelayLoads.ContainsKey(image.Path))
                                processDict = new Dictionary <string, bool>();
                                potentialDelayLoads.Add(image.Path, processDict);
                                processDict = potentialDelayLoads[image.Path];

                            if (!processDict.ContainsKey(processName))
                                bool eligibleForDelayLoad = (image.LoadReason == ImageLoadReason.StaticDependency);
                                processDict.Add(processName, eligibleForDelayLoad);

                            // Save off whether or not this image is a potential delay load target. We only consider
                            // static dependencies for delay loads.
                            processDict[processName] = processDict[processName] && (image.LoadReason == ImageLoadReason.StaticDependency);

                            // Save off a pointer to the image data for this image so we can look up sections later
                            if (!imageData.ContainsKey(image.Path))
                                imageData.Add(image.Path, image);

                // Enumerate every page access. We're going to check each one to see if it was a 'code' page being accessed,
                // and if it was we conclude that code from this image was used during the trace by that process. Therefore,
                // it's not something that should be delay loaded.
                foreach (IReferenceSetInterval refSetInterval in referenceSetData.Intervals)
                    foreach (IReferenceSetAccessedPage pageAccess in refSetInterval.PageAccesses)
                        // Make sure the page was accessed from the usermode process.
                        if (pageAccess.ImpactedProcess == null)

                        // Ignore the memory compression process. This is a system service.
                        if (pageAccess.ImpactedProcess.ImageName.Equals("MemCompression"))

                        // Make sure we have a file path
                        if (pageAccess?.Page?.Path == null)
                        var fileBeingAccessed = pageAccess?.Page?.Path;

                        // Not all file paths are images (think MFT or data files). Make sure this is in our image
                        // dictionary.
                        if (!imageData.ContainsKey(pageAccess.Page.Path))

                        // Make sure that this image was listed in the image data
                        if (!potentialDelayLoads.ContainsKey(fileBeingAccessed))

                        // Grab the image data, and use this to get the info on the page that was being accessed.
                        var data        = imageData[pageAccess.Page.Path];
                        var sectionName = GetSectionNameFromPage(pageAccess, data, imageSectionData, pageAccess.ImpactedProcess);

                        // We really only want consider .text pages, as we want to find images where the 'code' is never
                        // used. We have to include "unknown" as well since this is what shows up for images that we
                        // can't find symbols for. This effectively means for images without symbols we consider all pages.
                        if (!(sectionName.Contains(".text") || sectionName.Contains("Unknown")))

                        // If the loader accessed the page, it's still a potential delay load candidiate.
                        if (IsLoaderAccessedPage(pageAccess))

                        // A .text page was accessed from somewhere other then the loader. This image isn't
                        // a delay load candidate for this process.
                        string processName = GenerateProcessNameString(pageAccess.ImpactedProcess);
                        if ((potentialDelayLoads[fileBeingAccessed]).ContainsKey(processName))
                            if ((potentialDelayLoads[fileBeingAccessed])[processName])
                                (potentialDelayLoads[fileBeingAccessed])[processName] = false;
                            potentialDelayLoads[fileBeingAccessed].Add(processName, false);

                // Print out all potential delays loads we found. We modify the output format to be in
                // process->image style for easier consumption from the console.
                List <Tuple <string, string> > delayLoads = new List <Tuple <string, string> >();
                foreach (var imagesLoaded in potentialDelayLoads)
                    foreach (var processesDict in imagesLoaded.Value)
                        if (processesDict.Value == true)
                            delayLoads.Add(new Tuple <string, string>(processesDict.Key, imagesLoaded.Key));
                foreach (var delayload in delayLoads)
                    Console.WriteLine("{0} can delay load {1}", delayload.Item1, delayload.Item2);
