Capturing USB Debug Traces

Published Oct 12 2018 03:47 PM 5,480 Views
Occasional Visitor

First published on MSDN on Sep 02, 2014
By Philip Froese [MSFT]


[Update 04/25/2019] We strongly suggest you to use instructions from for collecting USB traces specially if you are root causing problems related to USB Type-C and HID. 

[Update 11/2016] The commands outlined in this post are now published in the USB and HID trace capture script available at .

Previous blog posts have described in detail how to capture and read USB ETW , and WPP traces.  This post is a supplement to those, and aggregates the trace capture commands into a condensed reference.  Please continue to refer back to the previous posts for more details on the two tracing mechanisms and parsing the respective traces.

The following commands will generate traces from the USB 3.0 and USB 2.0 driver stacks as well as other related components: WinUSB, USBCCGP, and PCI.  We recommend that you capture the complete set of traces, but if you are certain that a specific component is not relevant to the scenario you want to analyze, you may omit the commands that pertain to that component.

Capturing USB ETW and WPP event traces:

You can capture USB event traces without installing any additional software.

1) Open an elevated command prompt window.  One way is to right click on the Start button and select Command Prompt (Admin) .

2)     Disconnect the USB devices that you are not interested in.  Fewer devices result in smaller traces making it easier to read and analyze.

3)     Start a capture session by pasting this sequence of commands into the elevated command prompt:

logman create trace -n usbtrace -o %SystemRoot%\Tracing\usbtrace.etl -ct perf -nb 128 640 -bs 128


logman update trace -n usbtrace -p Microsoft-Windows-USB-USBXHCI (Default,PartialDataBusTrace,StateMachine)


logman update trace -n usbtrace -p Microsoft-Windows-USB-UCX (Default,PartialDataBusTrace,StateMachine)


logman update trace -n usbtrace -p Microsoft-Windows-USB-USBHUB3 (Default,PartialDataBusTrace,StateMachine)


logman update trace -n usbtrace -p Microsoft-Windows-USB-USBPORT


logman update trace -n usbtrace -p Microsoft-Windows-USB-USBHUB


logman update trace -n usbtrace -p Microsoft-Windows-Kernel-IoTrace 0 2


logman start -n usbtrace


logman start -ets usbhub3 -ct perf -p {6e6cc2c5-8110-490e-9905-9f2ed700e455} 0xffffffff 0xff  -o %SystemRoot%\Tracing\usbhub3.etl


logman start -ets ucx01000 -ct perf -p {6fb6e467-9ed4-4b73-8c22-70b97e22c7d9}  0xffffffff 0xff  -o %SystemRoot%\Tracing\ucx01000.etl


logman start -ets usbxhci -ct perf -p {9F7711DD-29AD-C1EE-1B1B-B52A0118A54C} 0xffffffff 0xff  -o %SystemRoot%\Tracing\usbxhci.etl


logman start -ets usbhub -ct perf -p {b10d03b8-e1f6-47f5-afc2-0fa0779b8188} 0xffffffff 0xff  -o %SystemRoot%\Tracing\usbhub.etl


logman start -ets usbport -ct perf -p {d75aedbe-cfcd-42b9-94ab-f47b224245dd} 0xffffffff 0xff  -o %SystemRoot%\Tracing\usbport.etl


logman start -ets usbccgp -ct perf -p {bc6c9364-fc67-42c5-acf7-abed3b12ecc6} 0xffffffff 0xff  -o %SystemRoot%\Tracing\usbccgp.etl


logman start -ets winusb -ct perf -p {ef201d1b-4e45-4199-9e9e-74591f447955} 0xffffffff 0xff  -o %SystemRoot%\Tracing\winusb.etl


logman start -ets pci -ct perf -p {47711976-08c7-44ef-8fa2-082da6a30a30} 0xffffffff 0xff  -o %SystemRoot%\Tracing\pci.etl

(Note: these provider-specific GUIDs correspond to those that can be obtained from the provider’s symbol file using Tracepdb.exe as described in the previous WPP blog post )

4)     Perform the action that you want to capture.  For example, plug in USB device that fails to enumerate properly.  The session captures device enumeration activities .  Keep the command prompt window open.

5)     Stop the capture session when you are finished by pasting this sequence of commands into the elevated command prompt:

logman stop -n usbtrace


logman delete -n usbtrace


logman stop -ets usbhub3


logman stop -ets ucx01000


logman stop -ets usbxhci


logman stop -ets usbhub


logman stop -ets usbport


logman stop -ets usbccgp


logman stop -ets winusb


logman stop -ets pci


move /Y %SystemRoot%\Tracing\usbtrace_000001.etl %SystemRoot%\Tracing\usbtrace.etl

The preceding capture session generates a set of etl files stored at %SystemRoot%\Tracing\ (for example, C:\Windows\Tracing).  Once complete, move these files to another location or rename them in order to avoid overwriting them when you capture another session.

As described in the blog post on WPP tracing linked above, symbol files are required to parse these traces properly.  When capturing a set of traces, it is necessary to record the Windows version on which they were taken so that the traces can be mapped to the correct symbols for analysis.  One way to do this is to run the following command from an elevated prompt and save the resulting BuildNumber.txt file along with the traces:

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v BuildLabEX > %SystemRoot%\Tracing\BuildNumber.txt

Version history
Last update:
‎Apr 25 2019 11:23 AM
Updated by: