NAME
Send-EtwTraceSession
SYNOPSIS
Copies ETW trace sessions to a folder.
SYNTAX
Send-EtwTraceSession [-Name] [-CimSession ] [-DeleteAfterSend] [-ThrottleLimit ] -DestinationFolder [ ]
Send-EtwTraceSession [-CimSession ] [-DeleteAfterSend] [-ThrottleLimit ] -DestinationFolder [ ]
DESCRIPTION
The Send-EtwTraceSession cmdlet copies Event Trace for Windows (ETW) trace sessions to a folder. After you send
the sessions to a specified destination folder, use an analysis tool, such as Microsoft Message Analyzer, to read them.
PARAMETERS
-CimSession
    Runs the cmdlet in a remote session or on a remote computer. Enter a computer name or a session object, such
    as the output of a New-CimSession or Get-CimSession cmdlet. The default is the current session on the local
    computer.

    Required?                    false
    Position?                    named
    Default value                none
    Accept pipeline input?       false
    Accept wildcard characters?  false

-DeleteAfterSend
    Indicates that this cmdlet deletes the local copy of the original trace file after this cmdlet successfully
    sends a snapshot to the specified location.

    Required?                    false
    Position?                    named
    Default value                none
    Accept pipeline input?       false
    Accept wildcard characters?  false

-DestinationFolder
    Specifies the location where this cmdlet stores ETW trace sessions.

    Required?                    true
    Position?                    named
    Default value                none
    Accept pipeline input?       false
    Accept wildcard characters?  false

-Name
    Specifies an array of names of sessions to send to the destination folder.

    Required?                    true
    Position?                    1
    Default value                none
    Accept pipeline input?       true (ByPropertyName)
    Accept wildcard characters?  false

-ThrottleLimit
    Specifies the maximum number of concurrent operations that can be established to run the cmdlet. If this
    parameter is omitted or a value of zero is entered, then Windows PowerShell® calculates an optimum throttle
    limit for the cmdlet based on the number of CIM cmdlets that are running on the computer. The throttle limit
    applies only to the current cmdlet, not to the session or to the computer.

    Required?                    false
    Position?                    named
    Default value                none
    Accept pipeline input?       false
    Accept wildcard characters?  false

This cmdlet supports the common parameters: Verbose, Debug, ErrorAction, ErrorVariable, WarningAction,
WarningVariable, OutBuffer, PipelineVariable, and OutVariable. For more information, see about_CommonParameters
(https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
NOTES
The return values consist of a Win32 error code and a value returned by the cmdlet. The codes have the following
meanings:
    0: Success. New file created. Existing file copied to the destination folder. Existing file deleted, if specified.
    1: CreateNewFileFailed. Operation halts at this point if a new file is not created.
    2: CopyFileFailed. New file created.
    3: DeleteOldFileFailed. New file created. Existing file copied to the destination folder.
Example 1: Send a trace session to a folder
PS C:\>Send-EtwTraceSession -Name "WFP-IPsec Trace" -DestinationFolder "\\server17\traces\" -DeleteAfterSend
This command sends an ETW trace session named WFP-IPsec Trace to the destination folder \\server17\traces\. The
command deletes the local copy of the original trace after it is successfully copied.
RELATED LINKS
Get-EtwTraceSession
Remove-EtwTraceSession
Set-EtwTraceSession
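
The following is an added example, not part of the cmdlet's own help: a wrapper that sends trace sessions for later analysis and records a SHA-256 manifest of the files that arrived, so a collected trace can be checked for tampering. The function name Send-EtwTraceWithManifest and the file name trace-manifest.csv are hypothetical, and the example assumes the copied trace appears as a new or modified file in the destination folder.

```powershell
# Added example (hypothetical wrapper, not part of the cmdlet's help).
function Send-EtwTraceWithManifest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Name,
        [Parameter(Mandatory)] [string]   $DestinationFolder,
        [switch] $DeleteAfterSend
    )

    # Fail early if the share or folder is unreachable, before touching the trace.
    if (-not (Test-Path -LiteralPath $DestinationFolder -PathType Container)) {
        throw "Destination folder not reachable: $DestinationFolder"
    }

    # Snapshot existing files (path -> last write time) so that only files
    # written by this send are hashed.
    $before = @{}
    Get-ChildItem -LiteralPath $DestinationFolder -File |
        ForEach-Object { $before[$_.FullName] = $_.LastWriteTimeUtc }

    $sendArgs = @{
        Name              = $Name
        DestinationFolder = $DestinationFolder
        ErrorAction       = 'Stop'   # turn a failed send into a terminating error
    }
    if ($DeleteAfterSend) { $sendArgs.DeleteAfterSend = $true }
    $sendOutput = Send-EtwTraceSession @sendArgs

    # Assumption: the copied trace shows up as a new or rewritten file here.
    $arrived = @(Get-ChildItem -LiteralPath $DestinationFolder -File | Where-Object {
        -not $before.ContainsKey($_.FullName) -or
        $before[$_.FullName] -ne $_.LastWriteTimeUtc
    })
    if ($arrived.Count -eq 0) {
        throw "No new trace file found in $DestinationFolder after send."
    }

    # Hash each arrived file and append the result to a manifest beside the traces.
    $collectedUtc = (Get-Date).ToUniversalTime().ToString('o')
    $manifest = $arrived | Get-FileHash -Algorithm SHA256 |
        Select-Object @{ n = 'CollectedUtc'; e = { $collectedUtc } }, Algorithm, Hash, Path
    $manifest | Export-Csv -LiteralPath (Join-Path $DestinationFolder 'trace-manifest.csv') `
        -NoTypeInformation -Append

    # Return the cmdlet's own output alongside the manifest rows.
    [pscustomobject]@{ SendOutput = $sendOutput; Manifest = $manifest }
}
```

Call it with the same values as Example 1, for instance Send-EtwTraceWithManifest -Name "WFP-IPsec Trace" -DestinationFolder "\\server17\traces\", and add -DeleteAfterSend only once the destination is known to be reliable.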