Performance Log Utility
logman
- C:\Windows\system32\logman.exe /?
Output:
Microsoft r Logman.exe (10.0.19041.1741)
Usage:
C:\Windows\system32\logman.exe [create|query|start|stop|delete|update|import|export] [options]
Verbs:
create Create a new data collector.
query Query data collector properties. If no name
is given all data collectors are listed.
start Start an existing data collector and set the
begin time to manual.
stop Stop an existing data collector and set the
end time to manual.
delete Delete an existing data collector.
update Update an existing data collector's properties.
import Import a data collector set from an XML file.
export Export a data collector set to an XML file.
Adverbs:
counter Create a counter data collector.
trace Create a trace data collector.
alert Create an alert data collector.
cfg Create a configuration data collector.
providers Show registered providers.
Options (counter):
-c <path [path [...]]> Performance counters to collect.
-cf <filename> File listing performance counters to collect,
one per line.
-f <bin|bincirc|csv|tsv|sql> Specifies the log format for the data
collector. For SQL database format, you must
use the -o option in the command line with
the DNS!log option. The defaults is binary.
-sc <value> Maximum number of samples to collect with a
performance counter data collector.
-si <[[hh:]mm:]ss> Sample interval for performance counter data
collectors.
Options (trace):
-f <bin|bincirc|csv|tsv|sql> Specifies the log format for the data
collector. For SQL database format, you must
use the -o option in the command line with
the DNS!log option. The defaults is binary.
-mode <trace_mode> Event Trace Session logger mode. For more
information visit -
https://go.microsoft.com/fwlink/?LinkID=136464
-ct <perf|system|cycle> Specifies the clock resolution to use when
logging the time stamp for each event. You
can use query performance counter, system
time, or CPU cycle.
-ln <logger_name> Logger name for Event Trace Sessions.
-ft <[[hh:]mm:]ss> Event Trace Session flush timer.
-[-]p <provider [flags [level]]> A single Event Trace provider to enable.
The terms 'Flags' and 'Keywords' are
synonymous in this context.
-pf <filename> File listing multiple Event Trace providers
to enable.
-[-]rt Run the Event Trace Session in real-time mode.
-[-]ul Run the Event Trace Session in user mode.
-bs <value> Event Trace Session buffer size in kb.
-nb <min max> Number of Event Trace Session buffers.
Options (alert):
-[-]el Enable/Disable event log reporting.
-th <threshold [threshold [...]]> Specify counters and their threshold
values for and alert.
-[-]rdcs <name> Data collector set to start when alert fires.
-[-]tn <task> Task to run when alert fires.
-[-]targ <argument> Task arguments.
-si <[[hh:]mm:]ss> Sample interval for performance counter data
collectors.
Options (cfg):
-[-]ni Enable/Disable network interface query.
-reg <path [path [...]]> Registry values to collect.
-mgt <query [query [...]]> WMI objects to collect.
-ftc <path [path [...]]> Full path to the files to collect.
Options:
-? Displays context sensitive help.
-s <computer> Perform the command on specified remote system.
-config <filename> Settings file containing command options.
[-n] <name> Name of the target object.
-pid <pid> Process identifier.
-xml <filename> Name of the XML file to import or export.
-as Perform the requested operation asynchronously.
-[-]u <user [password]> User to Run As. Entering a * for the password
produces a prompt for the password. The
password is not displayed when you type it at
the password prompt.
-m <[start] [stop]> Change to manual start or stop instead of a
scheduled begin or end time.
-rf <[[hh:]mm:]ss> Run the data collector for the specified
period of time.
-b <M/d/yyyy h:mm:ss[AM|PM]> Begin the data collector at specified time.
-e <M/d/yyyy h:mm:ss[AM|PM]> End the data collector at specified time.
-o <path|dsn!log> Path of the output log file or the DSN and
log set name in a SQL database. The default
path is '%systemdrive%\PerfLogs\Admin'.
-[-]r Repeat the data collector daily at the
specified begin and end times.
-[-]a Append to an existing log file.
-[-]ow Overwrite an existing log file.
-[-]v <nnnnnn|mmddhhmm> Attach file versioning information to the end
of the log name.
-[-]rc <task> Run the command specified each time the log
is closed.
-[-]max <value> Maximum log file size in MB or number of
records for SQL logs.
-[-]cnf <[[hh:]mm:]ss> Create a new file when the specified time has
elapsed or when the max size is exceeded.
-y Answer yes to all questions without prompting.
-fd Flushes all the active buffers of an existing
Event Trace Session to disk.
-ets Send commands to Event Trace Sessions
directly without saving or scheduling.
Note:
Where [-] is listed, an extra - negates the option.
For example --u turns off the -u option.
More Information:
Microsoft TechNet - https://go.microsoft.com/fwlink/?LinkID=136332
Examples:
logman start perf_log
logman update perf_log -si 10 -f csv -v mmddhhmm
logman create counter perf_log -c "\Processor(_Total)\% Processor Time"
logman create counter perf_log -c "\Processor(_Total)\% Processor Time" -max 10 -rf 01:00
logman create trace trace_log -nb 16 256 -bs 64 -o c:\logfile
logman create alert new_alert -th "\Processor(_Total)\% Processor Time>50"
logman create cfg cfg_log -reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\\"
logman create cfg cfg_log -mgt "root\cimv2:SELECT * FROM Win32_OperatingSystem"
logman query providers
logman query providers Microsoft-Windows-Diagnostics-Networking
logman start process_trace -p Microsoft-Windows-Kernel-Process 0x10 win:Informational -ets
logman start usermode_trace -p "Service Control Manager Trace" -ul -ets
logman query usermode_trace -p "Service Control Manager Trace" -ul -ets
logman stop usermode_trace -p "Service Control Manager Trace" -ul -ets
logman start process_trace -p Microsoft-Windows-Kernel-Process -mode newfile -max 1 -o output%d.etl -ets
logman start "NT Kernel Logger" -o log.etl -ets
logman start "NT Kernel Logger" -p "Windows Kernel Trace" (process,thread) -ets
Return Code: 1
C:\Windows\system32\logman.exe
c:\>ver
Microsoft Windows [Version 10.0.19045.2075]
| File | Info |
|---|---|
| File Size | 120320bytes |
| Creation Time | 2022/07/08 08:48:55 |
| LastWrite Time | 2022/07/08 08:48:55 |
| ProductVersion | 10.0.19041.1 |
| FileVersion | 10.0.19041.1 (WinBuild.160101.0800) |
| Hash | Value |
|---|---|
| MD5 | 109dc942a24f990abbce7fac6806ac4f |
| SHA1 | ac4508d6aa5ee1b54c2a78b84e3c3668082edd46 |
| SHA224 | 73608543239d8d656d9b4d9ea3b3708c7c8018f4247273ec077400ed |
| SHA256 | 5aef6707df8992c4054166385cac3c92048d38ead3f3f08440d704a7b95a7e32 |
| SHA384 | 9e34156cf45cbd8693202689c50673750f3bad8778d4358801bf03cd089306145ea9b7e81cd53d02df06020b26fd1ed8 |
| SHA512 | c3b5783c4f2d450217af5c55c48e6c1168c1c5192b9a9869a67157f4e7eba202e2d0802c3feb9610e6243fe579e1e2efbc2063a9a6a1047af5644f27a30e82a7 |