
IIS OOB module events not captured

Open mahamr opened this issue 1 year ago • 0 comments

There are several IIS out-of-band modules such as:

  • URL Rewrite
  • Application Request Routing (ARR)
  • AspNetCoreModule
  • CORS
  • iisnode

I know for sure that URL Rewrite, ARR, and ANCM events are not captured. I have not tested with CORS or iisnode, but they are set up the same way as the others as far as I know, so I suspect they also aren't captured.

Here's a comparison of the same requests (same activityID) from IIS Failed Request Tracing that just captures IIS ETW events and formats them: [image]

And the PerfView events for the same request: [image]

This also made me notice that the NOTIFY_MODULE_START and _END events are also missing from PerfView.

I could get these added to PerfView if I can get some guidance on how to properly do it.

EDIT: adding some extra info

For the ANCM events, here are two example events formatted as XML from IIS tracing:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
  <Provider Name="WWW Server" Guid="{3A2A4E84-4C21-4981-AE10-3FDA0D9B0F83}"/>
  <EventID>0</EventID>
  <Version>1</Version>
  <Level>4</Level>
  <Opcode>3</Opcode>
  <Keywords>0x10000</Keywords>
  <TimeCreated SystemTime="2023-03-30T17:37:16.430Z"/>
  <Correlation ActivityID="{40000048-0001-F400-B63F-84710C7967BB}"/>
  <Execution ProcessID="371052" ThreadID="395704"/>
  <Computer>[redacted]</Computer>
 </System>
 <EventData>
  <Data Name="ContextId">{40000048-0001-F400-B63F-84710C7967BB}</Data>
 </EventData>
 <RenderingInfo Culture="en-US">
  <Opcode>ANCM_REQUEST_FORWARD_START</Opcode>
  <Keywords>
   <Keyword>ANCM</Keyword>
  </Keywords>
 </RenderingInfo>
 <ExtendedTracingInfo xmlns="http://schemas.microsoft.com/win/2004/08/events/trace">
  <EventGuid>{82ADEAD7-12B2-4781-BDCA-5A4B6C757191}</EventGuid>
 </ExtendedTracingInfo>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System>
  <Provider Name="WWW Server" Guid="{3A2A4E84-4C21-4981-AE10-3FDA0D9B0F83}"/>
  <EventID>0</EventID>
  <Version>1</Version>
  <Level>4</Level>
  <Opcode>6</Opcode>
  <Keywords>0x10000</Keywords>
  <TimeCreated SystemTime="2023-03-30T17:37:16.446Z"/>
  <Correlation ActivityID="{40000048-0001-F400-B63F-84710C7967BB}"/>
  <Execution ProcessID="371052" ThreadID="395704"/>
  <Computer>[redacted]</Computer>
 </System>
 <EventData>
  <Data Name="ContextId">{40000048-0001-F400-B63F-84710C7967BB}</Data>
  <Data Name="InternetStatus">16</Data>
 </EventData>
 <RenderingInfo Culture="en-US">
  <Opcode>ANCM_WINHTTP_CALLBACK</Opcode>
  <Keywords>
   <Keyword>ANCM</Keyword>
  </Keywords>
 </RenderingInfo>
 <ExtendedTracingInfo xmlns="http://schemas.microsoft.com/win/2004/08/events/trace">
  <EventGuid>{82ADEAD7-12B2-4781-BDCA-5A4B6C757191}</EventGuid>
 </ExtendedTracingInfo>
</Event>

So it appears to just be another keyword (0x10000) added to the existing WWW Server provider which is essentially the main IIS provider already captured by PerfView.

It seems, when IIS events are selected in PerfView with the default capture parameters, that it captures verbose-level events with the 0xfffffffe keywords, so I would think it would capture them by default. Is the fact they aren't displayed in the PerfView events window due to them not being added to the IisTraceEventParser class here? https://github.com/microsoft/perfview/blob/main/src/TraceEvent/Parsers/IisTraceEventParser.cs

If so, would all it takes to get them added be adding the corresponding methods and such to that class?

TIA!

mahamr avatar Mar 29 '23 21:03 mahamr
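
The keyword reasoning in the post above, as an added example (not part of the original post and not PerfView code): it parses events exported in the XML form shown, checks each against the session level and keyword mask quoted in the post, and lists the EventGuid/Opcode pairs that pass, which are the pairs a parser would need templates for. It assumes the usual ETW rule (level at or below the session level, any keyword bit in the mask) applies to this provider; `passes_filter` and `triage` are hypothetical helper names, and the sample is the post's two events trimmed to the fields used.

```python
import xml.etree.ElementTree as ET

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TRC = "{http://schemas.microsoft.com/win/2004/08/events/trace}"

# Session settings as described in the post: verbose level (5 in ETW)
# and keyword mask 0xfffffffe.
SESSION_LEVEL = 5
SESSION_KEYWORDS = 0xFFFFFFFE

# Sample input: the two events from the post, trimmed to the fields used here.
SAMPLE = """
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Level>4</Level><Opcode>3</Opcode><Keywords>0x10000</Keywords></System>
 <RenderingInfo Culture="en-US"><Opcode>ANCM_REQUEST_FORWARD_START</Opcode></RenderingInfo>
 <ExtendedTracingInfo xmlns="http://schemas.microsoft.com/win/2004/08/events/trace">
  <EventGuid>{82ADEAD7-12B2-4781-BDCA-5A4B6C757191}</EventGuid>
 </ExtendedTracingInfo>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Level>4</Level><Opcode>6</Opcode><Keywords>0x10000</Keywords></System>
 <RenderingInfo Culture="en-US"><Opcode>ANCM_WINHTTP_CALLBACK</Opcode></RenderingInfo>
 <ExtendedTracingInfo xmlns="http://schemas.microsoft.com/win/2004/08/events/trace">
  <EventGuid>{82ADEAD7-12B2-4781-BDCA-5A4B6C757191}</EventGuid>
 </ExtendedTracingInfo>
</Event>
"""

def passes_filter(level, keywords, session_level=SESSION_LEVEL,
                  session_keywords=SESSION_KEYWORDS):
    # Assumed rule: level 0 and keyword 0 events always pass; otherwise the
    # level must not exceed the session level and one keyword bit must match.
    level_ok = level == 0 or level <= session_level
    keyword_ok = keywords == 0 or (keywords & session_keywords) != 0
    return level_ok and keyword_ok

def triage(xml_text):
    # The export is a run of sibling <Event> elements, so wrap it in a root.
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    rows = []
    for ev in root.iter(EVT + "Event"):
        system = ev.find(EVT + "System")
        level = int(system.findtext(EVT + "Level"))
        opcode = int(system.findtext(EVT + "Opcode"))
        keywords = int(system.findtext(EVT + "Keywords"), 16)
        name = ev.findtext(f"{EVT}RenderingInfo/{EVT}Opcode")
        guid = ev.findtext(f"{TRC}ExtendedTracingInfo/{TRC}EventGuid")
        rows.append((guid, opcode, name, passes_filter(level, keywords)))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Both sample events pass the filter, which is consistent with the post's reading that the events reach the session and are lost at the parsing stage.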