Here at Microsoft, we are always looking to engage with open source communities to produce better solutions for the community and our customers. One of the more useful debugging advances to arrive in the last decade is DTrace. DTrace of course needs no introduction: it’s a dynamic tracing framework that allows an admin or developer to get a real-time look into a system, in either user or kernel mode. DTrace has a C-style, high-level and powerful programming language that allows you to dynamically insert trace points. Using these dynamically inserted trace points, you can filter on conditions or errors, write code to analyze lock patterns, detect deadlocks, etc. ETW, while powerful, is static and does not provide the ability to programmatically insert trace points at runtime.


There are many websites and resources from the community for learning about DTrace. One of the most comprehensive is the Dynamic Tracing Guide HTML book available on the website. This ebook describes DTrace in detail and is the authoritative guide for DTrace. We also have Windows-specific examples below which provide more information.


Starting in 2016, the OpenDTrace effort began on GitHub with the aim of a portable implementation of DTrace for different operating systems. We decided to add support for DTrace on Windows using this OpenDTrace port.


We have created a Windows branch for “DTrace on Windows” under the OpenDTrace project on GitHub. All the changes we made to support DTrace on Windows are available there. Over the next few months, we plan to work with the OpenDTrace community to merge our changes. All our source code is also available at the third-party sources website maintained by Microsoft.


Without further ado, let’s get into how to setup and use DTrace on Windows.


Install and Run DTrace

Prerequisites for using the feature

  • Windows 10 insider build 18342 or higher
  • Only available on x64 Windows and captures tracing info only for 64-bit processes
  • Windows Insider Program is enabled and configured with valid Windows Insider Account
    • Visit Settings->Update & Security->Windows Insider Program for details


  1. BCD configuration set:
    1. bcdedit /set dtrace on
    2. Note: you need to set the bcdedit option again if you upgrade to a new Insider build.
  2. Download and install the DTrace package from the Download Center.
    1. This installs the user-mode components, drivers and the additional Feature on Demand (FOD) packages necessary for DTrace to be functional.
  3. Optional: Update the PATH environment variable to include C:\Program Files\DTrace
    1. set PATH=%PATH%;"C:\Program Files\DTrace"
  4. Set up the symbol path
    1. Create a new directory for caching symbols locally. Example: mkdir c:\symbols
    2. Set _NT_SYMBOL_PATH=srv*C:\symbols*
    3. DTrace automatically downloads the necessary symbols from the symbol server and caches them in the local path.
  5. Optional: Set up a kernel debugger connection to the target machine (MSDN link). This is only required if you want to trace kernel events using FBT or other providers.
    1. Note that you will need to disable Secure Boot and BitLocker on C: (if enabled) if you want to set up a kernel debugger.
  6. Reboot the target machine


Running DTrace

Launch CMD prompt in administrator mode


Get started with sample one-liners:


# Syscall summary by program for 5 seconds: 
dtrace -Fn "tick-5sec { exit(0);} syscall:::entry{ @num[pid,execname] = count();} "
# Summarize timer set/cancel program for 3 seconds: 
dtrace -Fn "tick-3sec { exit(0);} syscall::Nt*Timer*:entry { @[probefunc, execname, pid] = count();}"
# Dump System Process kernel structure: (requires symbol path to be set)
dtrace -n "BEGIN{print(*(struct nt`_EPROCESS *) nt`PsInitialSystemProcess);exit(0);}"
# Tracing paths through NTFS when running notepad.exe (requires KD attach): Run below command and launch notepad.exe
dtrace -Fn "fbt:ntfs::/execname==\"notepad.exe\"/{}"


The command dtrace -lvn syscall::: will list all the probes and their parameters available from the syscall provider.


The following are some of the providers available on Windows and what they instrument.

  • syscall – NTOS system calls
  • fbt (Function Boundary Tracing) – Kernel function entry and returns
  • pid – User-mode process tracing. Like kernel-mode FBT, but also allowing the instrumentation of arbitrary function offsets.
  • etw (Event Tracing for Windows) – Allows probes to be defined for ETW events. This provider helps to leverage existing operating system instrumentation in DTrace.
    • This is one addition we have made to DTrace to allow it to expose and gain all the information that Windows already provides in ETW.

We have more Windows sample scripts applicable for Windows scenarios in the samples directory of the source.
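As an added example (not from the post or the OpenDTrace samples), the following D script turns the syscall one-liners above into a small defender-side summary: the syscall provider, a predicate, an aggregation and a tick-driven exit are combined to report which processes call the syscalls commonly used to write into, or start a thread in, another process. The three syscall names are real NT system calls, but their presence in this build's syscall probe list is an assumption; confirm with dtrace -lvn syscall::: first.

```d
/*
 * Added example, not part of the original post or the OpenDTrace project.
 * Summarises cross-process syscalls by caller for 10 seconds.
 * Assumption: NtWriteVirtualMemory, NtCreateThreadEx and NtQueueApcThread
 * are present in the syscall provider's probe list (dtrace -lvn syscall:::).
 *
 * Run from an administrator prompt:  dtrace -s cross_process.d
 */
#pragma D option quiet

BEGIN
{
    printf("Summarising cross-process syscalls for 10 seconds...\n");
}

/* Three syscalls that write memory or start execution in another process.
 * The predicate keeps dtrace's own process out of the summary. */
syscall::NtWriteVirtualMemory:entry,
syscall::NtCreateThreadEx:entry,
syscall::NtQueueApcThread:entry
/execname != "dtrace.exe"/
{
    /* Key: caller image name, caller pid, syscall name; value: call count. */
    @calls[execname, pid, probefunc] = count();
}

/* Stop after 10 seconds; END then prints the aggregation. */
tick-10sec
{
    exit(0);
}

END
{
    printf("%-24s %8s %-24s %s\n", "EXECNAME", "PID", "SYSCALL", "COUNT");
    printa("%-24s %8d %-24s %@d\n", @calls);
}
```

Processes that legitimately use these calls (debuggers, some security products) will appear too; the value is in spotting callers you did not expect.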


How to file feedback?

DTrace on Windows is very different from our typical Windows features, and we are going to rely on our Insider community to guide us. If you hit any problems or bugs, please use Feedback Hub to let us know.


  1. Launch feedback hub by clicking this link
  2. Select Add new feedback.
  3. Please provide a detailed description of the issue or suggestion.
    1. Currently, we do not automatically collect any debug traces, so your verbatim feedback is crucial for understanding and reproducing the issue. Pass on any verbose logs.
    2. You can set DTRACE_DEBUG environment variable to 1 to collect verbose dtrace logs.
  4. Submit


DTrace Architecture

Let’s talk a little about the internals and architecture of how we support DTrace. As mentioned, DTrace on Windows is a port of OpenDTrace and reuses much of its user-mode components and architecture. Users interact with DTrace through the dtrace command, which is a generic front-end to the DTrace engine. D scripts are compiled to an intermediate format (DIF) in user space and sent to the DTrace kernel component for execution, sometimes called the DIF Virtual Machine; this runs in the dtrace.sys driver.


Traceext.sys (trace extension) is a new kernel extension driver we added, which lets Windows expose the functionality DTrace relies on to provide tracing. The Windows kernel provides callouts during stack walks or memory accesses, which are then implemented by the trace extension.


All APIs and functionality used by dtrace.sys are documented calls.



Security of Windows is key for our customers, and the security model of DTrace makes it ideally suited to Windows. The DTrace guide linked above discusses DTrace security and performance impact; anyone interested in this space should read that section. At a high level, DTrace uses an intermediate form which is validated for safety and runs in its own execution environment (think C# or Java). This execution environment also handles any run-time errors to avoid crashing the system. In addition, the cost of having a probe is minimal and should not visibly affect system performance unless you enable too many probes in performance-sensitive paths.


DTrace on Windows also leverages the Windows security model in useful ways to enhance its security for our customers.


  1. To connect to the DTrace trace engine, your account needs to be part of the admin or LocalSystem group
  2. Events originating from kernel mode (FBT, syscalls with ‘kernel’ previous mode, etc.), are only traceable if Kernel debugger is attached
  3. To read kernel-mode memory (probe parameters for kernel-mode originated events, kernel-mode global variables, etc.), the following must be true:
    1. DTrace session security context has either TCB or LoadDriver privilege enabled.
    2. Secure Boot is not active.
  4. To trace a user-mode process, the user needs to have:
    1. Debug privilege
    2. DEBUG access to the target process.


Script signing

In addition, we have also updated DTrace on Windows to support signing of D scripts. We follow the same model as PowerShell for script signing.


There is a system wide DTrace script signing policy knob which controls whether to check for signing or not for DTrace scripts. This policy knob is controlled by the Registry.


By default, we do NOT check for signature on DTrace scripts.


Use the following registry values (a REG_SZ named ExecutionPolicy under the listed key) to enforce the policy at machine or user level.

  • User Scope: HKCU\Software\OpenDTrace\Dtrace, ExecutionPolicy, REG_SZ
  • Machine Scope: HKLM\Software\OpenDTrace\Dtrace, ExecutionPolicy, REG_SZ


Policy Values:

DTrace policy take the following values.


  • "Bypass": do not perform signature checks. This is the default policy. Only set the registry value if you want to deviate from this policy.
  • "Unrestricted": do not perform checks on local files; unsigned remote files run only with the user's consent.
  • "RemoteSigned": do not perform checks on local files; require a valid and trusted signature for remote files.
  • "AllSigned": require a valid and trusted signature for all files.
  • "Restricted": the script file must be installed as a system component and have a signature from a trusted source.

You can also set policy by defining the environment variable DTRACE_EXECUTION_POLICY to the required value.



We are very excited to release the first version of DTrace on Windows. We look forward to feedback from the Windows Insider community.



DTrace Team (Andrey Shedel, Gopikrishna Kannan, & Hari Pulapaka)


Occasional Visitor

Are there plans to make an .msi of a build for Windows for ARM64 available?


hi @kobyk, thanks for your interest, it's definitely on our roadmap for the future.
Occasional Visitor

A nod to Sun Microsystems, the inventors of dTrace.

Senior Member

I'm not having any joy installing DTrace for Windows on my PC.

During install, I get the error:


DTrace: Failed to add capability
'Tools.DTrace.Platform~~~~': 0x800f0954

I first tried with Windows 10 build 18342 and then with build 18351 but still the same problem :-(



@nksmith Can you use "dism /online /get-capabilities" to find the status of the DTrace feature on your machine? If the state indicates DTrace is not installed, try reinstalling the package after ensuring your machine has network connectivity and is configured for the Insider program.
Senior Member

Hi Gopikrishna Kannan 

No joy with the command you suggested:

PS C:\WINDOWS\system32> dism /online /get-capabilites
Deployment Image Servicing and Management tool
Version: 10.0.18351.1

Image Version: 10.0.18351.7

Error: 87

The get-capabilites option is unknown.


I am configured for Insider builds, but on the 'slow' ring.  I'm not experiencing any network connectivity problems.

I also tried this:

PS C:\WINDOWS\system32> Get-WindowsCapability -Online | ? Name -like '*DTrace*'

Name : Tools.DTrace.Platform~~~~
State : NotPresent


PS C:\WINDOWS\system32> Get-WindowsCapability -Online -Name Tools.DTrace.Platform~~~~

Name : Tools.DTrace.Platform~~~~
State : NotPresent
DisplayName : DTrace/NT
Description : DTrace/NT enables the system support for DTrace.
DownloadSize : 51314
InstallSize : 135889


In the DISM.log file, at the time I was trying to install DTrace, and it was failing, I see the following lines:

2019-03-12 18:04:22, Warning DISM DISM Provider Store: PID=14740 TID=12060 Failed to load the provider: C:\Windows\System32\Dism\SiloedPackageProvider.dll. - CDISMProviderStore::Internal_GetProvider(hr:0x8007007e)
2019-03-12 18:04:22, Warning DISM DISM Provider Store: PID=14740 TID=12060 Failed to load the provider: C:\Windows\System32\Dism\MetaDeployProvider.dll. - CDISMProviderStore::Internal_GetProvider(hr:0x8007007e)
[14740] [0x8007007b] FIOReadFileIntoBuffer:(1381): The filename, directory name, or volume label syntax is incorrect.
[14740] [0xc142011c] UnmarshallImageHandleFromDirectory:(641)
[14740] [0xc142011c] WIMGetMountedImageHandle:(2897)
[14740] [0x8007007b] FIOReadFileIntoBuffer:(1381): The filename, directory name, or volume label syntax is incorrect.
[14740] [0xc142011c] UnmarshallImageHandleFromDirectory:(641)
[14740] [0xc142011c] WIMGetMountedImageHandle:(2897)
2019-03-12 18:04:22, Warning DISM DISM Provider Store: PID=5656 TID=6812 Failed to load the provider: C:\Users\NWS~1.HEX\AppData\Local\Temp\F77F284C-E59D-42F7-B17C-0B809136900A\PEProvider.dll. - CDISMProviderStore::Internal_GetProvider(hr:0x8007007e)
2019-03-12 18:04:45, Error DISM DISM Package Manager: PID=5656 TID=6812 Failed finalizing changes. - CDISMPackageManager::Internal_Finalize(hr:0x800f0954)
2019-03-12 18:04:45, Error DISM DISM Package Manager: PID=5656 TID=6812 Failed processing package changes with session options - CDISMPackageManager::ProcessChangesWithOptions(hr:0x800f0954)
2019-03-12 18:04:45, Error DISM API: PID=14740 TID=12060 Failed to install capability. - CAddCapabilityCommandObject::InternalExecute(hr:0x800f0954)
2019-03-12 18:04:45, Error DISM API: PID=14740 TID=12060 InternalExecute failed - CBaseCommandObject::Execute(hr:0x800f0954)
2019-03-12 18:04:45, Error DISM API: PID=14740 TID=10572 CAddCapabilityCommandObject internal execution failed - DismAddCapabilityInternal(hr:0x800f0954)



Senior Member

Hi Gopikrishna Kannan

Must have had a typo in the dism command; getting this, which just confirms it's not present:

PS C:\WINDOWS\system32> dism /online /Get-Capabilities | sls DTrace -Context 0,2

> Capability Identity : Tools.DTrace.Platform~~~~
State : Not Present


So what to do...?


Senior Member

Hello Gopikrishna Kannan

DISM seems to be looking for the following files:




..but I checked my 'C:\Windows\System32\Dism' folder, and these two files do not exist...



Can you share log files under C:\Windows\Logs\CBS? Also, it will be great if you can confirm your environment is configured for WSUS. 

WSUS doesn’t receive Insider builds. However, the policies as they are set up cause FOD installs to check WSUS, and it fails.

Configuring the repair source policy to go to WU for FOD \ Repair content will resolve this.

Senior Member

Hello Gopikrishna Kannan

I now have DTrace installed & tried some simple commands with success :-)

(I'm getting a lot of DEBUG output to the console, from libdtrace, when I run a dtrace command.)


PS C:\WINDOWS\system32> Get-WindowsCapability -Online -Name Tools.DTrace.Platform~~~~

Name : Tools.DTrace.Platform~~~~
State : Installed
DisplayName : DTrace/NT
Description : DTrace/NT enables the system support for DTrace.
DownloadSize : 51314
InstallSize : 135889


I'm not sure what I did that fixed it. I ran these commands:

PS C:\WINDOWS\system32> dism /online /cleanup-image /scanhealth
Deployment Image Servicing and Management tool
Version: 10.0.18351.1

Image Version: 10.0.18351.7

[==========================100.0%==========================] No component store corruption detected.
The operation completed successfully.

PS C:\WINDOWS\system32> sfc /scannow
Beginning system scan. This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection found corrupt files and successfully repaired them.


I checked C:\Windows\Logs\CBS\CBS.log and the repairs did not seem to be too important.

My CBS.log is rather large. If you email me your email, I will send it to you.


Then I also checked Windows Update again, and it found a further update:

Cumulative Update for Windows 10 Version Next (10.0.18351.7) (KB4492310) maybe that fixed it.

After the Cumulative Update and a reboot, the DTrace install worked fine and completed successfully :-)

I did not need to try your advice on "Configure a Windows Repair Source" as it had already fixed itself.


By the way, it's so great that Microsoft have brought Dtrace to Windows :-)

I remember the joy of using DTrace on OpenSolaris, over 10 years ago!

Thank you




@nksmith - Great to know you have DTrace working :) and thanks for trying the scripts. Hope you get a chance to try the advanced samples. Regarding logs, did you set DTRACE_DEBUG=1? This has the effect of turning ON logging.
We definitely want to understand and root cause the installation hiccup. Kindly share the CBS logs directly to my email address -
Thank you for your enthusiasm and support.


Senior Member
K:\DTrace for Windows\Samples>type counter.d
/* Probe clauses reconstructed from the output below; the pasted listing lost them. */
BEGIN { i = 0; }
tick-1sec { i = i + 1; trace(i); }
END { trace(i); }
K:\DTrace for Windows\Samples>dtrace -s counter.d  2>NUL
10 3696 :tick-1sec 1
0 3696 :tick-1sec 2
2 3696 :tick-1sec 3
4 3696 :tick-1sec 4
6 3696 :tick-1sec 5
10 3696 :tick-1sec 6
0 3696 :tick-1sec 7
2 3696 :tick-1sec 8
4 3696 :tick-1sec 9
4 3696 :tick-1sec 10

6 3696 :tick-1sec 11
2 2 :END 11
@nigel, great to hear. I suspect that you were on a build that didn't have the FOD package for dtrace, since you said you were on the slow ring. After you took the update to the latest slow release, you got the dtrace FOD package.
Frequent Visitor

Is it possible to download the whole installation for an offline install?

Would it work with Windows Server 2016?

Senior Member

My problems installing DTrace indicate I need to better understand how 'Features On Demand' (FOD) works in Windows 10.

It would be good if the installer for DTrace could check the status of the relevant FOD and provide better feedback & advice, if it detects a problem.

Presumably, as DTrace needs the latest kernel from the preview of Windows 10 Version 1903, this means that DTrace is not going to work on the current version of Windows Server 2019, which would be unfortunate. Maybe DTrace support could be back-ported eventually to older/existing kernels?

I wonder if Microsoft has a road-map of their planned work on DTrace for Windows, which they can make public?

It would be interesting to know if/what additional providers are planned...?

It would be useful to have further documentation & examples on how to use the ETW provider, particularly mapping the GUID listed by 'dtrace -l' to the ETW providers.

Also useful would be more details on the setup required for the fbt provider.

Thank you!


Occasional Visitor

Hey, what about ZFS? May the BSD community work together with Microsoft? I'm not expecting ZFS on Windows, but it would be amazing!

Senior Member

I get this error "Product: DTrace for Windows -- Error 1920. Service 'dtrace' (dtrace) failed to start. Verify that you have sufficient privileges to start system " 1) when I run the DTrace.amd64.msi in a cmd box with Administrator privileges, and I have run "bcdedit /set dtrace on" and I'm running Windows 10 build 18356.1. What could I be missing?



Log Name: Application
Source: MsiInstaller
Date: 3/14/2019 4:42:44 PM
Event ID: 11920
Task Category: None
Level: Error
Keywords: Classic
User: DESKTOP-M4I196O\pgram
Computer: DESKTOP-M4I196O
Product: DTrace for Windows -- Error 1920. Service 'dtrace' (dtrace) failed to start. Verify that you have sufficient privileges to start system services.
Event Xml:
<Event xmlns="">
<Provider Name="MsiInstaller" />
<EventID Qualifiers="0">11920</EventID>
<TimeCreated SystemTime="2019-03-14T15:42:44.556932600Z" />
<Security UserID="S-1-5-21-2576452605-3747203651-1590175832-1001" />
<Data>Product: DTrace for Windows -- Error 1920. Service 'dtrace' (dtrace) failed to start. Verify that you have sufficient privileges to start system services.</Data>

@nwsmith Thanks for sharing your feedback. It's in our backlog to make FoD install failures more friendly. Regarding the Server 2019 backport, we will consider your request and look into this possibility. Please do share more of your recommendations (like providers/capabilities to add) and we will look into the possibility of making it happen, working with the open source community.

@Nenad_Noveljic Thanks for your feedback. Unfortunately, we don't support offline setup (enterprise ISO install) at this moment. This requires OS changes. We have this in our backlog and will consider it for our next release.

@peter_gram We can help you get this fixed. Let's take this offline and follow up over email (Please email me at Thanks!

Occasional Visitor
@Hari Pulapaka Are we able to define our own custom probes in our applications to leverage this? Can we define our own custom dtrace providers?

@mofidulj We don't support custom providers for now. However, this is in our backlog and future consideration.

Occasional Visitor

Hi. Any ideas why FBT traces may not work? DTrace -l doesn't see any; this is the DTrace.exe -y C:\symbols -Fn "fbt:nt:: {}" output:

Debugger of course attached, am I doing something wrong?

Occasional Visitor

Hi. Does anyone know why my installation fails at starting the services, because of insufficient privileges, even though it is running as admin?

I recently joined this program only to use this feature.

@joaoalves_061785 we are working with another user regarding this problem and will post a response as soon as we root cause this problem. Can you email me at I will add you to the thread. The root cause could be different and it will help validate the same.

@Kozera2137 fbt:nt:: instruments all NT functions. This may stall smaller systems and make them unresponsive. Can you try instrumenting a specific set of functions instead - dtrace -n "fbt:nt:*lock*:"

Occasional Visitor
@Gopikrishna Kannan It doesn't work also.

@Kozera2137 Can you confirm if you attached the KD at the time of "boot"? I relooked into your logs and it appears that was not the case. The output shows symbol look up was fine and still FBT failed to match any probes (meaning FBT is not enabled). This typically happens if the KD was not attached at the time of the boot. Try these steps - 1. Attach KD to your machine 2. Reboot the machine 3. Try FBT command. 


Trace: invalid probe specifier fbt:nt:: {}: probe description fbt:nt:: does not match any probes

Occasional Visitor
@Gopikrishna Kannan Thanks, it works. I thought I tested that but I guess I didn't
Occasional Visitor

I am also getting dtrace: failed to match syscall:::: No probe matches description

When I run 

C:\WINDOWS\system32>dtrace -lvn syscall:::

I am on version 1903 build 18855.1000

dtrace: failed to match syscall:::: No probe matches description

Capability Identity : Tools.DTrace.Platform~~~~
State : Installed


What am I missing?

If it is a problem with KD, how do I check to see if KD is attached, and if it isn't how do I attach it?


@tomfenton can you check if you have DTrace enabled in BCDedit? Otherwise, run BCDedit /set dtrace on and reboot.

Occasional Visitor

I entered 

  1. bcdedit /set dtrace on

and rebooted the system but I am still getting the same message

Occasional Visitor

Sorry, I had a typo in my command; it is working now. Thank you!


Frequent Visitor

Any chance of getting ustack to work on 64bit? I'm getting "unknown fault in action" with:

dtrace -n "profile-1 {@[ustack()]=count();}"


Also, predicates don't seem to work with the profile probe, like e.g.:

/ pid == $target /


The current DTrace version does not support user mode stack trace. I tested Profile-1 on two machines.


It worked on a machine running build 18361 (see below).

C:\WINDOWS\system32>dtrace -n " profile-1 /$target == pid/ { @[pid, stack(), execname]=count();}" -c taskmgr.exe
dtrace: description ' profile-1 ' matched 1 probe

Taskmgr.exe 2



However, it did not work on a machine running an older build. It turned out that I was running with Secure Boot enabled, and that blocks access to the kernel. That is by design. In this case, I will need to attach KD to get the script working. I get the below error even without predicates. Can you confirm if you have Secure Boot turned ON?


dtrace -n " profile-1  { @[pid, stack(), execname]=count();}"
dtrace: description ' profile-1  ' matched 1 probe
dtrace: error on enabled probe ID 1 (ID 3633: profile:::profile-1): unknown fault in action #2 at DIF offset 0
dtrace: error on enabled probe ID 1 (ID 3633: profile:::profile-1): unknown fault in action #2 at DIF offset 0
dtrace: error on enabled probe ID 1 (ID 3633: profile:::profile-1): unknown fault in action #2 at DIF offset 0
dtrace: error on enabled probe ID 1 (ID 3633: profile:::profile-1): unknown fault in action #2 at DIF offset 0


Frequent Visitor

I have the insider build 18362.1 too.


In the meantime, we turned off secure boot. I'm not getting the error message with the profile-1 probe any more. But the observed process seems blocked. For example, taskmgr doesn't show up until I break the dtrace execution. In contrast, everything works fine after removing the predicate /$target == pid/.


Also, the ustack behaviour has changed since turning off secure boot. ustack probes don't throw errors anymore. However, the ustacks seem lost. I mean they are not printed at the end, I see just the number of samples.



New Contributor

Dang!!! -I never heard of this tech. Thanks for the POST.

Question: Do you folks have a Twitter account that I can follow (and subsequently I can get alerts on) ?