Filter out 75% of the Microsoft-Windows-Win32k events

Three critical section related events were causing 75% of the traffic
for the Microsoft-Windows-Win32k on Windows 7. This was causing the
buffers to wrap around extremely quickly, causing the user events
to cover a very short period of time, often not overlapping at all
with the kernel events.

This is probably also why the window-in-focus graph is frequently

The 0xFFFFFF was determined based on looking at trace statistics,
rather than the previous version which was experimental.
randomascii committed Sep 12, 2015
1 parent f1f73bc commit 9f1a9e7fc2fe6be11dbde92d064b3e58bef479bd
Showing with 15 additions and 10 deletions.
  1. +15 −10 UIforETW/UIforETWDlg.cpp
@@ -786,16 +786,21 @@ void CUIforETWDlg::OnBnClickedStarttracing()
std::wstring kernelArgs = L" -start " + GetKernelLogger() + L" -on" + kernelProviders + kernelStackWalk + kernelBuffers + kernelFile;

WindowsVersion winver = GetWindowsVersion();
// 0xFFFFFF is an experimentally determined mask value for the Microsoft-Windows-Win32k
// provider. Having no mask specified causes ReleaseUserCrit, ExclusiveUserCrit, and
// SharedUserCrit to generate 75% of the messages for this provider - 33,000/s in one
// test. This fills up the user buffers and pushes out other messages that are more
// useful such as the window-in-focus, UI Delays, and UIforETW messages!
// 0xFFFF contains the window-in-focus messages. 0xFF0000 contains the AppMessagePump
// messages which are presumed to generate the UI Delays graphs.
// Getting rid of the *Crit messages appears to be equivalent to quadrupling the size of
// the user buffers.
std::wstring userProviders = L"Microsoft-Windows-Win32k:0xFFFFFF";
// The ReleaseUserCrit, ExclusiveUserCrit, and SharedUserCrit events generate
// 75% of the events for this provider - 33,000/s in one test. They account for
// more than 75% of the space used, according to System Configuration-> Trace
// Statistics. That table also shows their Keyword (aka flags) which are
// 0x0200000010000000. By specifying a flag of ~0x0200000010000000 we can
// reduce the fill-rate of the user buffers by a factor of four, allowing much
// longer time periods to be captured with lower overhead.
// This avoids the problem where the user buffers wrap around so quickly that
// their timer period doesn't overlap that of the kernel buffers. Specifying
// this flag is equivalent to quadrupling the size of the user buffers!
// This should also make the UI Delays and window-in-focus graphs more
// reliable, by not having them lose messages so frequently, although it is not
// clear that it actually helps.
const uint64_t kCritFlags = 0x0200000010000000;
std::wstring userProviders = stringPrintf(L"Microsoft-Windows-Win32k:0x%llx", ~kCritFlags);
if (winver <= kWindowsVersionVista)
userProviders = L"Microsoft-Windows-LUA"; // Because Microsoft-Windows-Win32k doesn't work on Vista.
userProviders += L"+Multi-MAIN+Multi-FrameRate+Multi-Input+Multi-Worker";
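Review bot: At the `kCritFlags` declaration, `~kCritFlags` enables every keyword bit except 0x0200000000000000 and 0x0000000010000000, so any other Win32k event tagged with only one or both of those bits is filtered out along with ReleaseUserCrit, ExclusiveUserCrit and SharedUserCrit. The comment should say whether Trace Statistics showed any other events under those keywords, since the earlier comment relied on 0xFFFF and 0xFF0000 for the window-in-focus and AppMessagePump events and those need to stay enabled. Two smaller points: "their timer period" in the new comment reads like a typo for "time period", and `%llx` assumes `uint64_t` is `unsigned long long`, so a cast to `unsigned long long` at the `stringPrintf` call would make that explicit.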
