I have been trying, without much success, to capture ETW events created by IIS or ASP.NET which include the request URL.
I am using Windows 8 (development) and Windows Server 2008 R2 (production), so IIS 8.0 and 7.5 respectively. I am aware that in IIS 8.5 there is better ETW support but that's not going to help at the moment unfortunately.
Using PerfView, collecting system-wide events and with the following Additional Providers I get some events in the Microsoft-Windows-IIS-Configuration namespace but nothing that includes individual request details.
Additional Providers
Microsoft-Windows-IIS-APPHOSTSVC:*:5,Microsoft-Windows-IIS-Configuration:*:5,Microsoft-Windows-IIS-FTP:*:5,Microsoft-Windows-IIS-IisMetabaseAudit:*:5,Microsoft-Windows-IIS-IISReset:*:5,Microsoft-Windows-IIS-W3SVC:*:5,Microsoft-Windows-IIS-W3SVC-PerfCounters:*:5 ,Microsoft-Windows-IIS-W3SVC-WP:*:5,Microsoft-Windows-IIS-WMSVC:*:5
If I run logman query providers I get the following, so I know these providers are available (on my Windows 8 machine).
Provider GUID
-------------------------------------------------------------------------------
Microsoft-Windows-IIS-APPHOSTSVC {CAC10856-9223-48FE-96BA-2A772274FB53}
Microsoft-Windows-IIS-Configuration {DC0B8E51-4863-407A-BC3C-1B479B2978AC}
Microsoft-Windows-IIS-FTP {AB29F35C-8531-42FF-810D-B8552D23BC92}
Microsoft-Windows-IIS-IisMetabaseAudit {BBB924B8-F415-4F57-AA45-1007F704C9B1}
Microsoft-Windows-IIS-IISReset {DA9A85BB-563D-40FB-A164-8E982EA6844B}
Microsoft-Windows-IIS-W3SVC {05448E22-93DE-4A7A-BBA5-92E27486A8BE}
Microsoft-Windows-IIS-W3SVC-PerfCounters {90303B54-419D-4081-A683-6DBCB532F261}
Microsoft-Windows-IIS-W3SVC-WP {670080D9-742A-4187-8D16-41143D1290BD}
Microsoft-Windows-IIS-WMSVC {23108B68-1B7E-43FA-94FB-EC3066805744}
I've also tried using logman to create an ETL file, but this doesn't seem to capture anything IIS related:
etw.ps1
logman start ASPTrace -pf providers.txt -ets
Start-Sleep -Seconds 30
logman stop ASPTrace -ets
providers.txt
"Microsoft-Windows-IIS-APPHOSTSVC" 0xFFFFFFFE 5
"Microsoft-Windows-IIS-Configuration" 0xFFFFFFFE 5
"Microsoft-Windows-IIS-FTP" 0xFFFFFFFE 5
"Microsoft-Windows-IIS-IisMetabaseAudit" 0xFFFFFFFE 5
"Microsoft-Windows-IIS-IISReset" 0xFFFFFFFE 5
"Microsoft-Windows-IIS-W3SVC" 0xFFFFFFFE 5
"Microsoft-Windows-IIS-W3SVC-PerfCounters" 0xFFFFFFFE 5
"Microsoft-Windows-IIS-W3SVC-WP" 0xFFFFFFFE 5
"Microsoft-Windows-IIS-WMSVC" 0xFFFFFFFE 5
I have tried the above with 0xFFFFFFFE and 0xFFFFFFFF.
Microsoft-Windows-HttpService {DD5EF90A-6398-47A4-AD34-4DCECDEF795F}
Look at the Deliver event. It has RequestUrl, and the app pool the request got forwarded to.
This is available in Windows Vista and higher.
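
The capture described in the answer above, as an added example that is not part of the original posts: it traces Microsoft-Windows-HttpService with logman, then lists the named fields of each Deliver event from the resulting ETL file. The session name, output path, 30-second window and the match on the opcode display name "Deliver" are assumptions; run it from an elevated prompt on PowerShell 3.0 or later.

```powershell
# Added example, not from the original posts. Requires an elevated prompt.
# Assumptions: session name, output path and capture window below.
$session = 'HttpServiceTrace'
$etl     = Join-Path $env:TEMP 'httpservice.etl'
$seconds = 30

# Remove any earlier capture so the new trace starts from an empty file.
if (Test-Path $etl) { Remove-Item $etl -Force }

# Start an event trace session on the HTTP.sys provider named in the answer,
# writing to $etl (keyword mask 0xFFFF, level 5 = verbose).
logman start $session -p Microsoft-Windows-HttpService 0xFFFF 5 -o $etl -ets | Out-Null
if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }

try {
    # Send requests to the site while the session is running.
    Start-Sleep -Seconds $seconds
}
finally {
    # Always stop the session, even if the wait is interrupted.
    logman stop $session -ets | Out-Null
}

# .etl files can only be read oldest-first, hence -Oldest.
# Assumption: the Deliver event is rendered with the opcode name "Deliver".
$deliver = Get-WinEvent -Path $etl -Oldest |
    Where-Object { $_.OpcodeDisplayName -eq 'Deliver' }

foreach ($e in $deliver) {
    $row = [ordered]@{ TimeCreated = $e.TimeCreated; ProcessId = $e.ProcessId }

    # Copy every named <Data> field from the event XML, so no field names are
    # hard-coded; the URL and request queue (app pool) appear among them.
    $xml = [xml]$e.ToXml()
    foreach ($d in $xml.SelectNodes("//*[local-name()='Data']")) {
        $name = $d.GetAttribute('Name')
        if ($name) { $row[$name] = $d.InnerText }
    }
    [pscustomobject]$row
}
```

Pipe the output to Format-List or Export-Csv to review which URL was delivered to which request queue during the capture window.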