“Performance Analyzer doesn’t process traces while elevated”

For security reasons xperfview won’t load ETW (Event Tracing for Windows) trace files while running as administrator. I always launch xperfview as administrator, because it is convenient to have the batch file that records a trace also launch the viewer. When I do this I get the dialog below.

Blogging about bugs in software comes with a danger. It is possible that the bug might get fixed, and then your blog looks dated. Well, this bug has been fixed. Recent versions of xperfview, as of summer 2012, do not show the pointless dialog below.

The remainder of this post is left for archival purposes. If you are here because you keep hitting these problems, then you should upgrade to a newer version of xperfview, or use WPA for trace analysis.


If xperfview did parse traces as administrator then any bugs in the parsing that were exploitable (and almost all parsers have bugs) would be particularly dangerous since they could lead to arbitrary code execution as administrator. Since some uses of xperfview involve looking at traces from other people this could be a significant security risk. So, if you launch xperfview as administrator it relaunches as a standard user.

Ideally this would be unnoticeable, but the clumsy dialog above is a reminder that there may be consequences. I have noticed two.

The first consequence is with Microsoft’s Symbol Server. If you have this configured as part of your _NT_SYMBOL_PATH (and you absolutely should) then you will occasionally see this dialog, the EULA for the Microsoft Internet Symbol Store:


After ‘carefully’ reading the terms you will, of course, click yes. And then, a few days or weeks later it will pop up again! The cause of this problem is only visible if you use Process Monitor to see what happens when you click Yes. Hidden amongst the thousands of lines of data you will see one ACCESS_DENIED from xperfview.exe as it attempts to create the file “C:\Program Files\Microsoft Windows Performance Toolkit\symsrv.yes”. Since you’re running as a non-admin this fails. The only way to permanently banish this dialog is to use your administrator powers to create a file there. The contents don’t matter – the file merely needs to exist. This design is apparently a holdover from the Windows XP days when everything ran as administrator. Apparently Microsoft hasn’t upgraded the design of their symbol server code to be Vista compatible. Oops!

The second consequence is also related to _NT_SYMBOL_PATH. My batch files carefully set _NT_SYMBOL_PATH, but it is only set for the current command prompt process. When xperfview relaunches itself as standard user it gets the global environment variables, and any process-private settings made in the command prompt are lost. Oops. This was very confusing at first as it seemed like these settings were coming out of nowhere.

The solutions to these problems are simple. Create a symsrv.yes file in the xperf install directory, and make sure that you set up _NT_SYMBOL_PATH globally. With those two tasks done you can blissfully ignore xperfview’s nagging warning each time it loads a trace.

About brucedawson

I'm a programmer, working for Google, focusing on optimization and reliability. Nothing's more fun than making code run 10x as fast. Unless it's eliminating large numbers of bugs. I also unicycle. And play (ice) hockey. And sled hockey. And juggle. And worry about whether this blog should have been called randomutf-8. 2010s in review tells more: https://twitter.com/BruceDawson0xB/status/1212101533015298048
This entry was posted in xperf. Bookmark the permalink.

3 Responses to “Performance Analyzer doesn’t process traces while elevated”

  1. Pingback: Xperf Basics: Recording a Trace | Random ASCII

  2. Pingback: Xperf Analysis Basics | Random ASCII

  3. preshing says:

    I had a trace which made xperfview.exe crash after showing that EULA, twice. Your tip eliminated the EULA and the crash. Thanks.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.