
How to collect Winsock (AFD) logging for Windows

Starting in Windows Vista and Windows Server 2008, we added an Event Tracing for Windows (ETW) provider for Winsock (AFD).

ETW provider: Microsoft-Windows-Winsock-AFD

ETW provider GUID: E53C6823-7BB8-44BB-90DC-3F86090D48A6

Method 1: Enable AFD logging using the perfmon GUI

Note: The benefit is that it is built into the OS.

1. Open Perfmon

2. On the left under “Data Collector Sets”

3. Right-Click “Startup Event Trace Sessions”

4. Choose “New” -> “Data Collector Set”

5. Type “Winsock-AFD” and click Next

6. Click Add

7. Wait for the dialog to populate and choose “Microsoft-Windows-Winsock-AFD” and click ok

8. In the Properties Dialog select each item and click edit

9. Enable all check boxes and type 4 for the level

10. It will look something like the following.

[Screenshot: the provider Properties dialog with all keywords checked and level 4]

11. Click Next and specify the path to save the data

12. Click Finish

13. Right-Click Winsock-AFD and choose “Start as Event Trace Session”

14. <Reproduce the issue.>

15. On the left under “Data Collector Sets”

16. Click “Event Trace Sessions”

17. Right-Click Winsock-AFD and choose “Stop”

18. This will produce a Winsock-AFD.etl file

Method 2: Enable AFD logging using the perfmon command line (logman.exe)

Note: The benefit is that it is built into the OS.

1. Start, CMD (Run As Admin)

2. C:

3. MD c:\logfile

4. CD c:\logfile

5. Logman.exe start Winsock-AFD -p Microsoft-Windows-Winsock-AFD 0x800001000000007f win:Verbose -bs 64 -nb 256 256 -max 1024 -mode circular -o c:\logfile -ets

6. Note: -p <provider> [flags or keywords] [level]

7. <Reproduce the issue>

8. Logman.exe stop Winsock-AFD -ets (the session was started with -ets, so it must be stopped with -ets as well)
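The Method 2 procedure above wrapped into one script (an example added here, not from the original post): it checks that the prompt is elevated, refuses to start a second copy of the session, and decodes the resulting .etl with the built-in tracerpt.exe so the events can be read without a separate viewer. The session name, output paths and the .csv/summary file names are my own choices.

```batch
@echo off
REM Added example, not from the original post: automates Method 2 end to end
REM using the provider, keyword mask and level given above, then converts the
REM trace with tracerpt.exe (ships with Windows). Paths and names are assumptions.
setlocal
set SESSION=Winsock-AFD
set LOGDIR=C:\logfile
set PROVIDER=Microsoft-Windows-Winsock-AFD
set KEYWORDS=0x800001000000007f

REM Elevation check: "net session" fails unless the shell runs as Administrator.
net session >nul 2>&1
if errorlevel 1 (
    echo This script must be run from an elevated command prompt.
    exit /b 1
)

if not exist "%LOGDIR%" mkdir "%LOGDIR%"

REM Refuse to start if a session with this name is already active; otherwise
REM logman reports an error and the old trace keeps running unnoticed.
logman query "%SESSION%" -ets >nul 2>&1
if not errorlevel 1 (
    echo Session %SESSION% is already running. Stop it first: logman stop %SESSION% -ets
    exit /b 1
)

REM Same parameters as step 5: 64 KB buffers, 256 min/max buffers,
REM 1024 MB circular file, verbose level.
logman start "%SESSION%" -p "%PROVIDER%" %KEYWORDS% win:Verbose ^
    -bs 64 -nb 256 256 -max 1024 -mode circular ^
    -o "%LOGDIR%\%SESSION%_%COMPUTERNAME%.etl" -ets
if errorlevel 1 (
    echo Failed to start the trace session.
    exit /b 1
)

echo Trace is running. Reproduce the issue, then press a key to stop.
pause

REM Sessions started with -ets must also be stopped with -ets.
logman stop "%SESSION%" -ets

REM Decode the ETL into CSV and write a per-provider/per-event summary.
tracerpt "%LOGDIR%\%SESSION%_%COMPUTERNAME%.etl" ^
    -o "%LOGDIR%\%SESSION%_%COMPUTERNAME%.csv" -of CSV ^
    -summary "%LOGDIR%\%SESSION%_%COMPUTERNAME%_summary.txt" -y
echo Output written to %LOGDIR%
endlocal
```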

Method 3: Enable AFD logging using xperf.exe (a part of the Windows Performance Toolkit).

Note: The latest version available when this blog was posted could be downloaded here: WPT: Updated version of “Windows Performance Toolkit” from Windows 10 Technical Preview ADK or SDK

Note: The benefit is that if you also want a matching kernel trace, you can combine this command with the xperf kernel tracing command.

1. Start, CMD (Run As Admin)

2. C:

3. MD c:\logfile

4. CD c:\logfile

5. xperf -start Winsock-AFD -on Microsoft-Windows-Winsock-AFD:0x800001000000007f:0x5:'stack' -BufferSize 64 -MinBuffers 256 -MaxBuffers 256 -MaxFile 1024 -FileMode Circular -f c:\PreMerge_Winsock-AFD_%ComputerName%.etl

Note: -on <provider> [flags or keywords] [level]

6. <Reproduce the issue>

7. xperf -stop Winsock-AFD -d c:\logfile\Winsock-AFD_%ComputerName%.etl

Method 4: Enable AFD logging using Tracelog.exe (part of the Windows Driver Kit (WDK), formerly known as the Windows “Driver Development Kit” (DDK)).

Note: The benefit is that it has the most options.

1. Open an elevated command prompt.

2. Create a folder off the root of C: called “Logfile”

3. Run the command “tracelog -start Winsock-AFD -guid #E53C6823-7BB8-44BB-90DC-3F86090D48A6 -flags 0x800001000000007f -level 5 -b 64 -min 256 -max 256 -cir 1024 -f c:\logfile\Winsock-AFD_OutPutLogFile_%ComputerName%.log” and press enter.

4. Reproduce the issue.

5. Type “tracelog -stop” and press Enter

6. Grab the logfile from c:\logfile\Winsock-AFD_OutPutLogFile_%ComputerName%.log
