Sometimes in support you’ll be asked to collect a boot trace to help troubleshoot slow boot or slow logon scenarios. The symptoms are a long time passes from startup to the CTRL+ALT+DEL or  from CTRL+ALT+DEL to a usable desktop experience. This blog will walk you through the steps needed to do this.

While you can do boot tracing in Windows 10 using the built-in native WPR.exe, it’s a bit kludgy and doesn’t add all the providers it’s ancestor xbootmgr added in boot scenarios. Therefore if you do it that way, you are missing parts of the trace expected by the analyst.

The only alternative is to download the ADK for Windows 10, install the Windows Performance Toolkit (aka WPT), and do the trace using either WPRUI (with the boot scenario selected) or use xbootmgr if you prefer command line.

The Windows ADK for Windows 10 is sometimes updated when a new build is out. Usually, for Windows 10, you want to use the most recent ADK’s install of the WPT. At writing that is the ADK for Windows 10 version 2004. You can always get the link to the most current ADK at the page Download and install the Windows ADK. Installing the WPT requires you to run the ADK installer which pulls what you select in the checkboxes from the web (as shown below).

Or if you prefer, you can download and install the redistributable located in my OneDrive. Your call. I put the Build 2004 redist’s for x86 and x64 there.

Once the WPT is installed, the command line to grab a boot trace is:

xbootmgr -trace boot -traceflags dispatcher+latency -stackwalk readythread+threadcreate+profile+cswitch

This of course must be run as administrator. By default an Administrator command prompt puts you in System32, so it’s best to make a directory off C:\ and name it Trace or whatnot and change directory to there to run the command. The output of the trace will be written to the directory where the trace command is run by default.

Run the command, this will reboot the host and then boot up the kernel in tracing mode.

So to recap:

  1. Install WPT
  2. Open CMD Prompt as Administrator
  3. CD\
  4. mkdir Trace
  5. CD Trace
  6. xbootmgr -trace boot -traceflags dispatcher+latency -stackwalk readythread+threadcreate+profile+cswitch
  7. Wait for CTRL+ALT+DEL after the machine reboots and login
  8. The trace will count down for 2 minutes and then write to C:\trace.
  9. The interim trace files will be labeled KM and UM in the file name. Those are pre-merge files from kernel memory and user memory respectively. Once those are both paged to disk from RAM, xbootmgr will merge the two into a single file and delete the KM and UM working files.

Jeff “dude” Stokes

Leave a comment

Leave a Reply

Exit mobile version