How to use the performance tool in WPR and WPA to thoroughly analyze Windows

Thoroughly controlling Windows performance is no longer just for developersWith the Windows Performance Recorder (WPR) and Windows Performance Analyzer (WPA) tools, you can capture and dissect exactly what's happening on your computer when the CPU spikes, boot times are incredibly slow, or annoying micro-freezes occur.

While the classic Performance Monitor or perfmon It falls somewhat short for certain scenarios, WPR and WPA form a tandem designed for demanding profiles: administrators, systems engineers or advanced users who want accurate data, highly detailed ETL traces and a powerful analysis interface to get to the root of the problem without shooting in the dark.

What are WPR and WPA and what exactly are they used for?

• Windows Performance Toolkit (WPT) is the Microsoft package that combines WPR and WPA, two independent utilities but designed to work together and generate very fine profiles of the behavior of the operating system and applications.
• Windows Performance Recorder (WPR) is the component responsible for recording the traceIt relies on Event Tracing for Windows (ETW) to record events from CPU, memory, disk, network, power and other subsystems, generating ETL files that are then calmly analyzed.
• Windows Performance Analyzer (WPA) is the advanced viewer and analyzer of those ETL tracesIt offers an interface with interactive graphics, pivot tables, filters, full-text searches, and an Issues window that helps locate root causes in certain scenarios.
• Although Xperf (line of commands (inherited) still exists, its Xperfview viewer is no longer supportedNowadays, all visual analysis is done with WPA, which is much more flexible, modern, and powerful.
• In terms of requirements, the environment is quite reasonable.WPR and WPA are designed for Windows 8 or later, and WPA also requires .NET Framework 4.5 or later. The command-line version of WPR (WPR.exe) is included with Windows 8.1 and later, while the graphical interface for WPR and WPA is obtained by installing the Windows Assessment and Deployment Kit (WADK).

Installing and accessing WPR and WPA on Windows

To work with the full graphic potential of these tools, it is advisable to install the Windows Performance Toolkit from the ADK.During the Windows ADK installation, simply select the Windows Performance Toolkit component to obtain WPR (UI) and WPA.

Once installed, access WPR on Windows 10 or Windows 11 It is very simpleYou can type "Windows Performance Recorder" in the Start menu and launch the graphical application (WPRUI.exe), or use WPR.exe from a symbol of the system if you prefer scripts and automation.

In the WPR graphical interface you will see a simple panel with scenarios or profiles to choose from.such as CPU usage, power issues, overall system performance, or memory usage. Clicking "More options" displays advanced parameters to adjust what is logged, at what level of detail, and for how long.

At the bottom you can add or remove additional recording profiles If you need to combine several sets of events (for example, CPU + memory + disk), once you're clear on what you want to capture, start logging by clicking the "Start" button.

WPA, meanwhile, can be located by searching for "Windows Performance Analyzer" in the Start menu.You can also open WPA directly after completing a WPR recording, using the "Open in WPA" option that appears when you save the ETL file.

How to record performance data with WPR

The typical workflow always begins with a recording using WPR, either from the graphical interface or from the command line, depending on how formal or automated you want the process to be.

With the graphical interface (WPRUI.exe), the standard procedure is very straightforwardYou choose a predefined profile such as "First level triage" (basic priority assessment) or one specific to CPU, memory, power, modern standby, etc., and click Start to begin the capture.

If you need more control, the "More options" button lets you configure details: duration, level of detail (light, detailed), inclusion of call stack (stack walking), circular or continuous logging, and even custom profiles defined in XML for very specific scenarios.

During the recording you will see on WPR There elapsed time, buffer size, and number of logged eventsThis is very useful to ensure that you don't lose control of an excessively long tracking process that could generate giant files.

To stop and save the session, press "Save".At that point, WPR will ask you where to store the ETL file and usually displays a box to add a description of the problem (for example, "CPU spike when opening Excel" or "Very slow domain login"). You can then choose between opening it directly in WPA or closing it and analyzing it later.

Capture traces from the command line using WPR.exe

If you work in enterprise environments or want integration with scripts and automationsThe console version of WPR.exe is key, as it allows you to start and stop traces from scripts, GPOs, scheduled tasks, or orchestration tools (Modify services in Windows 11).

The basic usage pattern is very simpleYou run "wpr -start Profile" to start a trace, reproduce the problem you want to study, and then run "wpr -stop name.etl" to save the file.

A commonly used example is the analysis of energy problems or modern standby mode.In that case, WPT is installed, a command prompt with elevated privileges is opened, navigation is made to the installation folder, and a command such as the following is executed:

wpr -start Power To begin recording data related to power, CPU states, devices, and standby activity; in these analyses, it may be useful to review power settings such as activate high performance mode.

After leaving the system in modern standby mode for at least one hourThe team wakes up and launches wpr -stop TrackingPower.etl to close and store the trace, which will then be examined in WPA.

Open and explore ETL files in Windows Performance Analyzer

With the ETL file in hand, the next logical step is to open it in WPA To begin the visual analysis, you can do it in two ways: directly from the WPR save wizard (option "Open in WPA") or by starting WPA and using the File > Open menu, or the keyboard shortcut Ctrl + O.

The WPA interface is organized around a central work area with Analysis tabs, surrounded by several dockable windows that can be shown or hidden from the Window menu, such as the Graphics Explorer, Analysis Wizard, Problems, Details, or Diagnostic Console.

The Graph Explorer contains thumbnails of all available graphs for that trace.grouped by categories (CPU, memory, I/O, power, devices, etc.). Clicking on the small triangle next to a category displays the different related charts.

To analyze a chart in detail, simply drag it from the Chart Explorer to the Analysis tab or double-click on it. The full-size chart and an associated data table that behaves like an advanced pivot table will appear in the tab.

In each chart you can choose the design using the icons in the upper right corner: chart only, table only, or both at the same time. This is very useful when you need to see the visual trend and, at the same time, filter very specific data in the table.

Time management: selection, zoom, and highlighting in WPA

One of the key features of WPA is that all charts on the same Analysis tab share the same timescale.This makes it easier to correlate events between different subsystems (CPU, disk, network, power, etc.).

To select a specific interval of the trace, drag the mouse horizontally over an area of ​​the graph.That selection is reflected in the timeline located at the bottom of the tab.

If you want to zoom in on that section to see it in more detail, right-click on the selection and choose "Zoom to selected time range"You can repeat this operation several times, zooming in to very small intervals that allow you to see even micro-peaks of activity.

When you need to visually highlight a range in all charts at onceYou can use the highlight selection option: right-click on the range, select "Highlight selection". This selection will remain selected even if you later click on other points in the chart or change the view.

To clear that mark, right-click on the range again and select "Clear selection".It's a very convenient way to focus attention on a boot phase, a CPU peak, or a modern waiting period without losing reference when moving your gaze.

Advanced customization of data tables

WPA tables are true dynamic tables with much more power than they first appear to have.Each column can be dragged, sorted, converted into a key or data, and its structure is also reflected in the legend of the associated chart.

You can sort by any column by clicking on its header.If you click again, the order is reversed (ascending/descending). This is very useful for answering questions like "which process is using the most CPU?" or "which device has been active the longest during modern wait?"

Right-clicking on the table header opens the "Column Selector"where you choose which columns are displayed and can save or apply predefined sets of columns so you don't have to set up the table from scratch every time.

Inside the table you will find two vertical colored bars (gold and blue)The columns to the left of the gold bar are considered key (dimensions by which the information is grouped), while the columns between the gold and blue bars contain the actual numerical data. The elements displayed in the chart are typically placed to the right of the blue bar.

Dragging a column to the left of the gold bar turns it into a keyThe table is then regrouped, and the chart's legend adjusts accordingly. Similarly, some columns can be dragged to the chart elements area to be displayed visually.

Views, profiles, and window management in WPA

If you want to compare the same trace with different timescales or combinations of graphsYou can open multiple Analysis tabs. From the Window menu, select "New Analysis View" and drag the charts you want to isolate to that new tab.

You can also open or close the various auxiliary windows from the Window menu. (Graphs Explorer, Analysis Assistant, Problems, Details, Diagnostic Console). If you've closed something by mistake, it's as simple as re-selecting it in that menu.

Once you have built a layout of charts, tables, and windows that is comfortable for a particular type of analysis (for example, CPU performance or energy analysis), it is highly recommended to convert it into a "view profile".

In the Profiles menu you will find options such as Export, Apply and Save startup profileExport generates a file with the current layout of charts and columns; Apply loads a previously saved profile; Save startup profile makes that view automatically applied every time you open WPA, ideal if you often repeat the same type of diagnostic.

The Diagnostic Console is another useful window, as it collects exceptions and problems during the analysis., especially related to loading and decoding of SymbolsIf something goes wrong when interpreting call stacks, this console usually gives clear clues as to what is happening.

Searching, filtering, and working with legends

When the trace is large, intelligent filtering is vital to avoid getting lost among thousands of rows.WPA offers several filtering and search options both from the chart legend and from the data tables themselves.

In the chart legend, you can activate or deactivate specific elements by right-clicking. about them. This way you only leave visible the processes, devices or triggers that interest you, reducing visual noise.

In the table, if you select one or more rows and right-click, you have the option to "Filter to selection".This creates a view restricted to those elements, perfect if, for example, you want to focus only on a suspicious process or a problematic network device.

The text search function is also activated by right-clicking on the tableUsing "Find", "Find Next", or "Find Previous", it allows you to quickly locate processes by name, group tags, paths, etc.

Additionally, you can lock a subset of columns using gray locking bars.Right-click to display them, and then drag those bars to delimit which columns remain fixed while you scroll horizontally through the rest; very practical in wide tables.

Loading symbols and user preferences

For call stacks to be truly useful, WPA needs to load symbolsThis allows the translation of memory addresses into human-readable function names, both from the system itself and, optionally, from third-party binaries.

In the tracking or advanced settings menu, you can enable symbol loading and define symbol paths. (for example, Microsoft symbol servers, local folders, etc.). With this, when you open a trace, WPA will attempt to automatically resolve the symbols and display much richer information.

If something goes wrong or takes too long, the Diagnostic Console will display errors or symbol download warnings.Therefore, it is advisable to keep it in mind when working with complex stacks or non-standard versions of binaries.

These preferences are saved for future sessionsThis makes it easier to repeat analyses with the same symbol resolution conditions without having to reconfigure each time.

Real-world scenarios: CPU high load, memory leaks, and drivers

Beyond theory, WPR and WPA shine in very specific performance problem scenarioswhere other monitors do not reach the level of detail necessary to see the root cause.

To investigate high CPU usageIn WPR, the default first-level profile or the specific "CPU Usage" profile is usually used. Then, in WPA, the key graph is "CPU Usage (Sampled)" or "CPU Usage (Precise)" depending on the capture type.

In these diagrams, it is common to work with keys such as process stack, thread identifier, or process namesand sort by CPU sample count to find out which threads and functions are monopolizing the processor.

For losses of virtual memory (VirtualAlloc), the VirtualAlloc usage profile is used and the graph of "virtualAlloc Commit Lifetimes", examining columns such as Type, Process and Stack, and data such as count and total size affected in MB.

Kernel memory leaks (pools) are addressed using pool usage profiling.This is analyzed using "Pool Usage" graphs. The relevant keys are type (paginated/non-paginated), pool label, and stack, and it is sorted by count and size to detect which label is growing uncontrollably.

Regarding handle leaks, there is a specific handle usage profile which is associated with "Handle Usage" graphs. Columns of interest there include the creation process, handle type, and creation stack, looking at the object name, identifier, and number of handles.

Slow startup, GPO, and login problems

One of the most common headaches in domain environments is interminable startup times and very slow logins., often related to complex GPO processing, blocking drivers, network latencies, or applications that get stuck.

In these cases, the recommended strategy usually combines WPR/WPA with other specific tools. such as GPLogView, uberAgent-type solutions, SysTrack, Nexthink, or digital experience platforms, and, where appropriate, techniques for disable unnecessary services that slow down the start-up.

A practical workflow would be to launch a trace with WPR just before the problematic boot. (or configure it to start on boot), let the system complete the domain login and stop tracing once it is "stable" on the desktop.

Then, in WPA, CPU, disk, controller, and service graphs are analyzed in the time window corresponding to the boot period., looking for which processes or services are consuming CPU time or blocking the main thread for long intervals.

If you suspect GPO activity, you can correlate policy processing events with network and service activity.However, for a breakdown by CSE (Client Side Extension) it is usually useful to supplement with specific group policy records or specialized tools that directly measure the duration of each extension.

Modern standby mode and DRIPS graphics on WPA

Modern devices with connected standby mode have their own performance and battery consumption challengesHere, WPR with its power profile and WPA with its specific graphics are practically indispensable.

After capturing a long trace in modern standby mode, WPA provides graphs such as "Platform Idle State" and "DRIPS" to understand what is preventing the system from remaining in deep low-power states.

The "Platform Idle State" graph shows the platform's residence in different idle states over time.The most important state is the deepest, known as DRIPS, which represents the lowest level of SoC power consumption.

The higher the percentage of time spent in DRIPS, the better the standby time.A percentage above 90% is usually a sign of good performance; below 80% warrants further investigation. To view this, open the chart's table view and filter by status, examining the duration percentage column.

The DRIPS chart, on the other hand, lists active components (triggers, devices, processes) that keep the system awakeTriggers are software mechanisms authorized to execute tasks while waiting (such as notification services or synchronization agents).

In the table in that chart, the Reason Time Percentage column indicates which trigger or device has been active the longest.For example, you might see that an agent service (BI), WNS, NCSI, or a manager of downloads Images are taking up 40% or 50% of the time, blocking entry into DRIPS.

Devices, energy states and correlation with SleepStudy

In addition to software activity, physical devices also play a key role in whether or not a device enters DRIPS.WPA displays device power states (D0-D3) and allows you to locate those that remain at high power consumption.

The "Device Dstate" graph lists the Windows Power Framework (PoFx) devices that have been active. during the modern waiting session. Examining the reason time percentage column identifies the most problematic ones.

WPA also integrates very well with reports generated by SleepStudyMany of the concepts in SleepStudy (triggers, processors, Fx devices, PDC phases, networks, power requests) have a direct mapping to WPA graphs, such as PDC resistor activity, CPU idle states, Device Dstate, or Power Requests.

Thanks to that correlation, you can go from a high-level summary in SleepStudy to a low-level analysis in WPA, seeing exactly which sessions, processes or devices have turned on the system and for how long.

By combining WPR's capture power with WPA's visual analysis capabilities, it's possible to dissect almost any performance problem in Windows down to the millimeter.From seemingly random CPU spikes and elusive memory leaks to slow boot times caused by Group Policy Objects (GPOs) or excessive battery drain in modern standby mode, this tool can help identify and address a range of issues. While the learning curve is somewhat steeper than with other utilities, once you master the workflow—record ETL > open in WPA > select charts > filter and drill down—it becomes an invaluable tool for demanding home environments and, especially, for enterprise scenarios where data is needed to identify who or what is degrading the user experience.

Related article:

Complete Guide to Monitoring Performance in Windows Server: Advanced Tools, Techniques, and Tips

Isaac

Passionate writer about the world of bytes and technology in general. I love sharing my knowledge through writing, and that's what I'll do on this blog, show you all the most interesting things about gadgets, software, hardware, tech trends, and more. My goal is to help you navigate the digital world in a simple and entertaining way.