Tools – ETL file references

Time:2020-1-17

An ETL file is a binary system file that cannot be opened directly: opening it in Notepad or a similar editor only shows garbled text.

Tracerpt command

1. Open a CMD prompt and cd to C:\Windows\System32.
2. This directory contains a tool called tracerpt.exe.
3. Run tracerpt.exe -? to see its usage and examples.

Examples (from the tracerpt help output):
tracerpt logfile1.etl logfile2.etl -o logdump.xml -of XML
tracerpt logfile.etl -o logdmp.xml -of XML -lr -summary logdmp.txt -report logrpt.xml
tracerpt logfile1.etl logfile2.etl -o -report
tracerpt logfile.etl counterfile.blg -report logrpt.xml -df schema.xml
tracerpt -rt "NT Kernel Logger" -o logfile.csv -of CSV

4. Run tracerpt.exe abcd.etl -o abcd.xml -of XML. This converts abcd.etl into XML format; afterwards a file called abcd.xml appears in the current directory, and its contents can be read.

WMI data services

http://www.kafan.cn/edu/4594241.html

WMI is a core Windows management technology. As a specification and infrastructure, WMI can access, configure, manage and monitor almost all Windows resources. For example, a user can start a process on a remote machine, schedule a process to run on a specific date and time, start a computer remotely, obtain the list of programs installed on a local or remote computer, query the Windows event logs of local or remote computers, and so on.
The following script can be used when the system has no WMI service, or when network adapter sharing reports a WMI error, and similar cases.
Usage: copy the script below and save it as wmi.bat.

@echo on
rem Run from an elevated (administrator) command prompt: stopping the service
rem and re-registering components fail otherwise.
cd /d c:\temp
if not exist %windir%\system32\wbem goto TryInstall
cd /d %windir%\system32\wbem
rem Stop the WMI service and terminate any leftover WMI process.
net stop winmgmt
winmgmt /kill
rem Keep one backup of the old repository (rename, don't delete) so it can be
rem restored; WMI rebuilds a fresh repository from the .mof/.mfl files compiled
rem below, so anything registered only in the old repository is gone afterwards.
if exist Rep_bak rd Rep_bak /s /q
rename Repository Rep_bak
rem Re-register every COM DLL, self-registering EXE and MOF file in the wbem folder.
for %%i in (*.dll) do RegSvr32 -s %%i
for %%i in (*.exe) do call :FixSrv %%i
for %%i in (*.mof,*.mfl) do Mofcomp %%i
net start winmgmt
goto End

:FixSrv
rem Subroutine: skip the tools that are not self-registering servers,
rem register everything else; "goto :eof" returns to the caller.
if /I (%1) == (wbemcntl.exe) goto :eof
if /I (%1) == (wbemtest.exe) goto :eof
if /I (%1) == (mofcomp.exe) goto :eof
%1 /RegServer
goto :eof

:TryInstall
rem No wbem folder: run the WMI core installer silently if it is present.
if not exist wmicore.exe goto End
wmicore /s
net start winmgmt
:End

The generated XML file is huge, several megabytes at least, so opening it in an editor easily hangs. One event from it looks like this:

<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
        <Provider Guid="{9e814aad-3204-11d2-9a82-006008a86939}" />
        <EventID>0</EventID>
        <Version>2</Version>
        <Level>0</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x0</Keywords>
        <TimeCreated SystemTime="2015-10-12T23:41:42.753165800Z" />
        <Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
        <Execution ProcessID="9040" ThreadID="2644" ProcessorID="0" KernelTime="30" UserTime="0" />
        <Channel />
        <Computer />
    </System>
    <EventData>
        <Data Name="BufferSize">   65536</Data>
        <Data Name="Version">83951878</Data>
        <Data Name="ProviderVersion">    7601</Data>
        <Data Name="NumberOfProcessors">       4</Data>
        <Data Name="EndTime">130891381795465582</Data>
        <Data Name="TimerResolution">  156001</Data>
        <Data Name="MaxFileSize">       0</Data>
        <Data Name="LogFileMode">0x10001</Data>
        <Data Name="BuffersWritten">      24</Data>
        <Data Name="StartBuffers">       1</Data>
        <Data Name="PointerSize">       8</Data>
        <Data Name="EventsLost">       0</Data>
        <Data Name="CPUSpeed">    2394</Data>
        <Data Name="LoggerName">0x0</Data>
        <Data Name="LogFileName">0x0</Data>
        <Data Name="BootTime">130891281581255994</Data>
        <Data Name="PerfFreq">2338369</Data>
        <Data Name="StartTime">130891381027531658</Data>
        <Data Name="ReservedFlags">0x1</Data>
        <Data Name="BuffersLost">       0</Data>
        <Data Name="SessionNameString">Relogger</Data>
        <Data Name="LogFileNameString">C:\kernel.etl</Data>
    </EventData>
    <RenderingInfo Culture="zh-CN">
        <Opcode>Header</Opcode>
        <Provider>MSNT_SystemTrace</Provider>
        <EventName xmlns="http://schemas.microsoft.com/win/2004/08/events/trace">EventTrace</EventName>
    </RenderingInfo>
    <ExtendedTracingInfo xmlns="http://schemas.microsoft.com/win/2004/08/events/trace">
        <EventGuid>{68fdd900-4a3e-11d1-84f4-0000f80464e3}</EventGuid>
    </ExtendedTracingInfo>
</Event>
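Because the dump is too large to open comfortably, a practical way to read it is to stream it. The following Python script is an added example, not code from the original post or from tracerpt: it parses the XML produced by tracerpt ... -of XML event by event with xml.etree.ElementTree.iterparse, so a multi-megabyte file never has to be loaded whole, and it totals the EventsLost counter from trace header events (a non-zero value means buffers overflowed and the trace has gaps). The embedded sample is a trimmed, constructed copy of the header event above; the function names and the flat record layout are my own choices.

```python
"""Stream-parse a tracerpt XML dump (tracerpt x.etl -o x.xml -of XML).

Added example: function names, record layout and the embedded sample are
assumptions of this example, not part of tracerpt or the original post.
"""
import io
import xml.etree.ElementTree as ET

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TRACE_NS = "{http://schemas.microsoft.com/win/2004/08/events/trace}"

# Constructed sample: a trimmed copy of the header event shown above, wrapped in
# the <Events> root element; a real dump holds thousands of <Event> elements.
SAMPLE_XML = b"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Guid="{9e814aad-3204-11d2-9a82-006008a86939}" />
    <EventID>0</EventID>
    <Level>0</Level>
    <TimeCreated SystemTime="2015-10-12T23:41:42.753165800Z" />
    <Execution ProcessID="9040" ThreadID="2644" ProcessorID="0" />
  </System>
  <EventData>
    <Data Name="BufferSize">   65536</Data>
    <Data Name="EventsLost">       0</Data>
    <Data Name="LogFileNameString">C:\\kernel.etl</Data>
  </EventData>
  <RenderingInfo Culture="zh-CN">
    <Opcode>Header</Opcode>
    <Provider>MSNT_SystemTrace</Provider>
    <EventName xmlns="http://schemas.microsoft.com/win/2004/08/events/trace">EventTrace</EventName>
  </RenderingInfo>
</Event>
</Events>
"""


def _attr_int(parent, tag, attr):
    """Integer attribute of a child element, or None when the child is absent."""
    child = parent.find(EVENT_NS + tag)
    return int(child.get(attr)) if child is not None else None


def iter_events(stream):
    """Yield one flat dict per <Event>, clearing each element once consumed so
    memory use stays bounded no matter how large the dump is."""
    for _, elem in ET.iterparse(stream, events=("end",)):
        if elem.tag != EVENT_NS + "Event":
            continue
        system = elem.find(EVENT_NS + "System")
        record = {
            "provider_guid": system.find(EVENT_NS + "Provider").get("Guid"),
            "event_id": int(system.findtext(EVENT_NS + "EventID")),
            "level": int(system.findtext(EVENT_NS + "Level", default="0")),
            "time": system.find(EVENT_NS + "TimeCreated").get("SystemTime"),
            "pid": _attr_int(system, "Execution", "ProcessID"),
            "tid": _attr_int(system, "Execution", "ThreadID"),
            # tracerpt pads numeric values with spaces; strip them.
            "data": {d.get("Name"): (d.text or "").strip()
                     for d in elem.iterfind(EVENT_NS + "EventData/" + EVENT_NS + "Data")},
        }
        rendering = elem.find(EVENT_NS + "RenderingInfo")
        if rendering is not None:
            record["provider_name"] = rendering.findtext(EVENT_NS + "Provider")
            record["opcode_name"] = rendering.findtext(EVENT_NS + "Opcode")
            # EventName lives in the separate "trace" namespace.
            record["event_name"] = rendering.findtext(TRACE_NS + "EventName")
        yield record
        elem.clear()  # release the subtree; the root keeps only an empty shell


def parse_events(data: bytes):
    """Convenience wrapper for in-memory data (tests and small dumps)."""
    return list(iter_events(io.BytesIO(data)))


def summarize(events):
    """Count events per provider and total the EventsLost reported by trace
    header events. A non-zero total means buffers overflowed and the dump is
    not a complete record of what happened."""
    counts = {}
    lost = 0
    for ev in events:
        key = ev.get("provider_name") or ev["provider_guid"]
        counts[key] = counts.get(key, 0) + 1
        if ev.get("opcode_name") == "Header":
            lost += int(ev["data"].get("EventsLost", "0"))
    return counts, lost


if __name__ == "__main__":
    # For a real dump: with open("abcd.xml", "rb") as f: summarize(iter_events(f))
    counts, lost = summarize(parse_events(SAMPLE_XML))
    print(counts, "events lost:", lost)
```

Pass an open file object to iter_events for a real dump; parse_events is only for data already in memory.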
