Post by Andre.Ziegler Post by Marc
I've been using xperf to monitory registry activity and I get
everything (including good call stacks) but I don't see value data for
calls that read/write registry values. I see the value name but
nothing about the value data. Anyone know how I can get the value data
Why don't you use ProcessMonitor?
Initially tried procmon but this needs to run for a whole day.
Limiting procmon's history depth to 1 million events doesn't help much
here because it's running on a terminal server with a about 25 users.
It usually takes 20 minutes from the time a user notices a problem to
the time where the correct admin is notified. By that time the events
in question are gone. Customer is weary about increasing procmon's
history depth due to disk space.
We noticed that even though only registry monitoring was selected,
procmon was still receiving events for file I/O, network I/O, and
profiling events. These events were taking up space in the events
history so I needed a tool that had more fine grained control over the
ETW events to be consumed and even finer grained control over the call
stacks recorded. Xperf allows us to only consume registry events so we
don't waste space storing events we don't care about. Plus, within the
registry events, we can tell xperf to only record call stacks for the
reg calls in which we're interested (query and set value) so we don't
waste space storing call stacks for things like reg open operations.
But the great thing about procmon is that it shows the reg value data
whereas xperf does not (as far as I can tell). I thought since procmon
is using ETW then maybe there is something I'm overlooking in xperf.