Windows Performance Recorder to detect hardware bottlenecks

Last update: 12/12/2025
Author Isaac
  • WPR records detailed ETW traces and WPA converts them into graphs and tables that allow you to locate real bottlenecks in CPU, disk, memory, network or GPU.
  • Organizing ETL, symbols, and WPA profiles in the same folder and supplementing the analysis with performance counters and stress tests greatly improves the quality of the diagnosis.
  • In corporate environments, integrating WPR/WPA with security tools, SIEM, and performance policies helps to separate configuration problems from actual hardware failures.

Windows Performance Recorder tool for analyzing bottlenecks

When a Windows PC becomes slow for no apparent reason, there's almost always a hidden hardware or software bottleneck behind it: a saturated CPU, a disk at 100% usage, memory at its limit, or a storm of drivers and security processes. In these cases, basic monitoring tools fall short, and it's time to bring out the heavy artillery: Windows Performance Recorder (WPR) and Windows Performance Analyzer (WPA), the core of the Windows Performance Toolkit.

The goal of this article is for you to learn how to use WPR and WPA as if they were a system oscilloscope: record ETW traces, open ETL files, view detailed graphs, and from there, detect real hardware bottlenecks, driver problems, CPU overload, disk, network, or GPU saturation, both on desktop PCs and in more advanced scenarios (HoloLens, corporate environments with many security solutions, etc.). You will also see how to fit these traces into a comprehensive methodology for diagnostics and performance testing.

Key concepts: ETW, ETL, WPR, WPA and the like

Before you start recording traces with Windows Performance Recorder, it is important to be clear about some terms that you will constantly see in the documentation and tools.

ETW (Event Tracing for Windows) is the tracing infrastructure integrated into the Windows kernel. It's the core technology that allows logging events related to the CPU, disk, network, memory, drivers, applications, and more. Many modern diagnostic tools are simply attractive interfaces built on top of ETW.

ETL (Event Trace Log) is the file format that stores those ETW events. Every time you launch a trace session with WPR, Device Portal, or PLA, you'll end up with one or more files with the .etl extension, which are the ones you will then open in Windows Performance Analyzer.

WPR (Windows Performance Recorder) is the tool responsible for starting and stopping recordings of ETW events according to a capture profile. That profile, stored in a .wprp file, defines which event providers are enabled (CPU sampling, disk, call stack, GPU, network, etc.) and at what level of detail. You can use it with a graphical interface or from the command line.

WPA (Windows Performance Analyzer) is a graphical analysis application that opens ETL files and translates them into time-based graphs, tables, call stacks, and statistics. From WPA, you can sort by CPU usage, by process, by thread, see which driver triggers interrupts, identify I/O spikes and memory leaks, and correlate all of this on a timeline.

Windows Performance Toolkit (WPT) includes WPR and WPA, along with related profiles and utilities. It installs as part of the Windows Assessment and Deployment Kit (Windows ADK), or, in more recent versions, you can also find WPA in the Microsoft Store as a standalone application.

Other pieces of the Windows performance ecosystem related to WPR/WPA are the classic performance counters, Performance Logs and Alerts (PLA), System Monitor (SYSMON), the AXE assessment execution engine, the Network Diagnostics Framework (NDF), the Process Status API (PSAPI), the Tool Help Library, and, at the reporting and telemetry level, Windows Error Reporting (WER) and the Windows Event infrastructure.

Installing Windows Performance Recorder and Windows Performance Analyzer

To conveniently analyze ETL traces in WPA, you need to have Windows Performance Analyzer installed at a minimum, and if you want to record the traces from the computer itself, you also need Windows Performance Recorder.

Option 1: Install WPA from the Microsoft Store. In many modern setups, simply open the Microsoft Store, search for "Windows Performance Analyzer," and install it. This is ideal if you only want to analyze ETL files generated on other computers (for example, on user machines or remote devices).

Option 2: Install Windows Performance Toolkit from the ADK. If you're looking for a more complete debugging and testing environment, download the Windows Assessment and Deployment Kit. During installation, select the “Windows Performance Toolkit” component to include WPR and WPA. This option is well-suited for support teams, labs, and technicians who perform daily diagnostics.

Don't forget the symbols: In order for WPA to display decent call stacks and associate code with real functions, it needs access to symbols (.pdb) of the system and, preferably, of your applications. You can use a corporate symbol server, download symbols from Microsoft, or place the PDB files in a local "Symbols" folder accessible from WPA.

Recording performance traces with WPR and Device Portal

The critical step in accurately detecting hardware bottlenecks is capturing a trace at the exact moment the problem occurs. If you record when "everything is fine," you'll only see a stable system. You must start recording just before, reproduce the slow situation, and stop the recording as soon as you notice the symptom.

On special devices like HoloLens, you can use the Windows Device Portal to generate the ETL file remotely. In the portal dashboard, you'll find a performance tracing section where you can choose profiles, start recording, and download the result.

Typical steps for tracking from Device Portal on HoloLens:

  1. Access the HoloLens Device Portal from a browser using the device's IP address and credentials.
  2. Navigate to the “Performance Tracing” section in the left panel.
  3. Select a capture profile (for example, CPU intensive, GPU, full system) or load a custom one via “Custom Profiles > Browse”.
  4. Press “Start Trace” and reproduce the problematic scenario on the device: the app that freezes, the 3D scene that triggers the fan, etc.
  5. Stop the trace once you've captured a few seconds of the slow behavior; you'll see the trace listed at the bottom.
  6. Download the ETL file using the disk icon that appears next to the trace entry. You can then open that ETL file in WPA on your PC.

On PCs and laptops with Windows 10/11, the most common way is to launch WPR directly on the computer itself, either with the graphical interface or from the console with predefined profiles (for example, wpr -start CPU -filemode, then wpr -stop trace.etl).

File architecture for good analysis with WPA

To ensure a smooth analysis with Windows Performance Analyzer, organize all trace-related components into a single folder. This allows WPA to easily locate symbols, profiles, and the ETL file.

A typical work structure could be something similar to:

Equipo_X_Rendimiento
├─ rastreo_equipoX.etl            # ETW trace file
├─ CPU_y_dispositivo.wpaProfile   # WPA profile with preconfigured views and graphs
└─ Symbols                        # Folder with unpacked symbols (PDB)
   ├─ app_cliente.pdb
   ├─ driver_gpu.pdb
   └─ ...

Basic steps in WPA once you have the folder ready:

  1. Start Windows Performance Analyzer from the Start menu or by running wpa.exe.
  2. Open the ETL file from “File > Open” and select your .etl.
  3. Load the symbols via “Trace > Load Symbols”, pointing to your local symbol folder or server.
  4. Apply a WPA profile (for example, one focused on CPU or on storage) using “Profiles > Apply > Browse” and selecting the .wpaProfile file.
  5. Explore the charts in the analysis tab, which opens automatically: you'll see tracks for CPU, disk, interrupts, processes, etc.

WPA profiles are view templates which save a lot of time, because they already come with filtered tables and relevant graphs for typical scenarios: CPU analysis, storage analysis, GPU diagnostics, etc.

How to use WPA to detect hardware bottlenecks

Once the trace is loaded, the real work begins in the WPA interface, where you must cross-reference several views to understand which physical component (or combination of them) is limiting the system's performance.

CPU bottleneck: first check the CPU Usage (Sampled) or CPU Usage (Precise) graphs. In WPA, you can sort by process, thread, or call stack. If you see a process stuck at 90-100% usage on one or more cores during the slowdown, the limitation is likely CPU-related. Expanding the call stack will show you if the load is due to the app's logic, a scripting engine, a graphics library, or a misbehaving driver. You can also optimize the system by adjusting core parking with ParkControl.

Disk or storage bottleneck: enable the Disk I/O, disk queue, and response time views. If the disk appears at 100% activity with very high read or write latencies during the lag, the problem lies with the drive (or how the software is using it). On systems with older HDDs, this is common when many applications start simultaneously or security tasks are triggered; in that case you might even consider using ReadyBoost to improve performance on slow drives.

Memory bottleneck: check the Memory views and the memory commit counters. If the system is nearing its RAM limit and page file usage spikes, you'll see bursts of memory-related I/O and significant disk waits. WPA allows you to identify which processes are accumulating reserved memory, leaking, or exhibiting unhealthy allocation patterns; also assess whether it's advisable to enable the XMP profile in the BIOS to take advantage of the available RAM.

Network bottleneck: in environments where slowness is perceived when accessing remote resources, add the Networking views and correlate them with NDF. You'll be able to detect bandwidth saturation, excessive retransmissions, or latency spikes, and see which process or service is generating the traffic bursts.

GPU bottleneck: in games or 3D applications, if the CPU usage isn't too high but graphics performance drops, enable the GPU views (when available) and analyze rendering, command queues, and calls to graphics APIs there. If you combine this with hardware performance counters or tools like MSI Afterburner, you'll have a pretty clear picture; also check hardware-accelerated GPU scheduling for further optimizations.

A very powerful aspect of WPA is temporal correlation. You can align CPU, disk, network, and application events on the time axis, making it easy to see, for example, how an antivirus task triggers massive reads just as the user notices everything freezing.

Integrating WPR/WPA into a comprehensive performance methodology in Windows 11

Windows Performance Recorder and Analyzer are "low-level" analysis tools, but they fit much better as part of a broader system optimization procedure, especially in Windows 11, where there are many layers of software on top.

Always start with the "basic hygiene" of the system. Update Windows from Settings > Windows Update, install any relevant optional patches (especially drivers and firmware), and review the power plan to ensure you're not in an aggressive power-saving mode that limits the CPU or GPU. For example, it's worth checking specific cases such as an NVIDIA hotfix that corrects performance drops after patches.


Clean up system startup using Task Manager and more advanced tools such as Autoruns. Remove from startup anything that isn't essential: secondary sync clients, game launchers, redundant manufacturer utilities, etc. The fewer things that load at startup, the less noise you'll have in your WPA traces.

Optimize temporary storage and cleanup with Storage Sense and official tools such as Microsoft PC Manager instead of systematically resorting to third-party cleaners. On a system full of temporary files and with disks almost at their limit, diagnosis is complicated because there is always background I/O activity.

To see which processes are consuming resources in real time, combine WPR with Process Explorer, RAMMap, and Task Manager itself. These give you a "live" view so you can decide when to launch a WPR trace: the instant you see the CPU or disk usage increase, start logging.

A good technical practice is to follow an almost scientific approach: formulate hypotheses ("I suspect the bottleneck is CPU due to the antivirus"), apply changes (temporarily disable some exclusions or change the scan schedule), run stress tests, and record WPR traces before and after to verify whether the metric you're interested in improves.

Pre-monitoring: Task Manager, performance counters, and SYSMON

Before diving headfirst into WPR/WPA, it makes sense to do a preliminary screening with lighter tools that give you an idea of what's going on.

Task Manager: in the "Performance" tab, you can see a real-time graph of CPU, memory, disk, and network usage. If, when you open the problematic application, you notice that, for example, the CPU usage jumps to 100% on one or two cores while the GPU remains idle, you have a clear suspect. If the disk usage jumps to 100%, the suspicion changes.

System Monitor (SYSMON) and traditional performance counters offer another valuable perspective. Through Perfmon, you can configure counters like % Processor Time, Average Disk Queue Length, Available MBytes, etc., record the information, and use it to trigger alerts (PLA) if thresholds are exceeded. It is useful for capturing slowdown episodes that occur in the early morning or randomly.

Performance Logs and Alerts (PLA) allow not only periodic counter sampling, but also automatic ETW session initiation or script launch when an anomalous value is detected. In enterprise environments, this can be integrated with the SIEM to correlate performance, security, and infrastructure events.

On the network side, you can combine this with Network Monitor or the Network Diagnostics Framework (NDF) to isolate connectivity problems, excessive latency, or route failures, especially when users report "internet is slow," but the bottleneck is actually in an intermediate component.

Stress tests to confirm the bottleneck

A WPR trace tells you what happens in a specific scenario. But it is often advisable to push the system to its limits in a controlled manner to see if the hardware can handle it or if it will fail.

CPU and RAM tests with Prime95: run the "Blend" test to simultaneously stress the processor and memory. While the test is running, monitor temperatures and stability. A WPR trace captured midway through this test will clearly show if there is thermal throttling, if the CPU is reaching its limit, or if the RAM is developing errors or causing abnormal wait times.

GPU test with FurMark: useful for ensuring that the GPU, drivers, and power supply are functioning correctly under maximum load. You can combine it with GPU counters, WPR, and monitoring tools to see if the system is being bottlenecked by temperature, power management, or drivers.

Network test with iperf3: by running iperf3 between two machines (server and client), you can measure the actual bandwidth, throughput stability, and variation over time. An ETL trace taken while iperf3 is running allows you to see if the NIC's CPU, network interrupts, or security filters are creating a bottleneck.

System tools such as Windows Memory Diagnostic, Resource Monitor, and TestLimit help simulate extreme memory and address space pressure scenarios to see if the system degrades gracefully or panics. Again, WPR is your "black box" for these tests.

Use of WPR/WPA in corporate environments with many security tools

In companies, it is very common for laptops and desktops to be loaded with security suites: corporate antivirus, EDR, DLP, disk encryption, inventory agents, VPN, etc. The user sees that the equipment "is getting worse and worse," but the hardware is relatively recent.

In these cases, Windows Performance Recorder is ideal for separating emotions from data. You can deploy a policy to initiate traces when the CPU or disk exceeds certain thresholds, or even schedule periodic captures during peak hours. Then, with WPA, you can analyze which specific processes are using the CPU, which drivers are generating interrupts, and which services are performing massive disk operations.
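
The threshold-triggered capture described above, as an added example that is not part of the original article: a PowerShell script that keeps WPR recording in its in-memory circular buffer, saves the trace once CPU stays above a threshold, and writes it into a per-incident folder laid out as in the file architecture section. The case root, thresholds, and manifest.json name are hypothetical; it assumes an elevated session, wpr.exe on PATH, and English counter names.

```powershell
# Added example, not from the original article. Assumes an elevated session,
# wpr.exe on PATH (Windows Performance Toolkit) and English counter names.
# $CaseRoot, the thresholds and manifest.json are hypothetical choices.
param(
    [string]$CaseRoot      = 'C:\PerfCases',
    [int]   $CpuThreshold  = 90,     # % Processor Time treated as saturated
    [int]   $SustainedSecs = 5,      # consecutive 1 s samples above threshold
    [int]   $TailSecs      = 10,     # keep recording this long after the trigger
    [int]   $MaxWaitSecs   = 3600    # cancel the session if nothing happens
)
$ErrorActionPreference = 'Stop'

$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$id
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'WPR needs an elevated PowerShell session.'
}

# One folder per incident: the ETL next to a Symbols folder.
$stamp   = Get-Date -Format 'yyyyMMdd_HHmmss'
$caseDir = Join-Path $CaseRoot "$($env:COMPUTERNAME)_$stamp"
New-Item -ItemType Directory -Path (Join-Path $caseDir 'Symbols') -Force | Out-Null
$etl = Join-Path $caseDir 'trace.etl'

# No -filemode: WPR logs to in-memory circular buffers, so the saved trace
# includes the seconds leading up to the spike, not only what follows it.
wpr.exe -start CPU -start DiskIO
if ($LASTEXITCODE -ne 0) { throw "wpr -start failed with exit code $LASTEXITCODE" }

$counter = '\Processor(_Total)\% Processor Time'
$above = 0; $elapsed = 0; $peak = 0
try {
    while ($above -lt $SustainedSecs) {
        if ($elapsed -ge $MaxWaitSecs) {
            wpr.exe -cancel
            Remove-Item $caseDir -Recurse -Force
            Write-Output 'No sustained CPU saturation seen; trace discarded.'
            return
        }
        $sample = Get-Counter -Counter $counter -SampleInterval 1 -MaxSamples 1
        $value  = $sample.CounterSamples[0].CookedValue
        if ($value -ge $CpuThreshold) { $above++; $peak = [math]::Max($peak, $value) }
        else { $above = 0 }
        $elapsed++
    }
    Start-Sleep -Seconds $TailSecs
    wpr.exe -stop $etl
    if ($LASTEXITCODE -ne 0) { throw "wpr -stop failed with exit code $LASTEXITCODE" }
}
catch {
    wpr.exe -cancel | Out-Null       # never leave an ETW session running
    throw
}

# Record what triggered the capture plus a hash of the ETL, so the file can be
# matched to the incident later (SIEM record, support ticket).
[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    StoppedAt = (Get-Date).ToString('o')
    Trigger   = "CPU >= $CpuThreshold% for $SustainedSecs s"
    PeakCpu   = [math]::Round($peak, 1)
    EtlSha256 = (Get-FileHash -Path $etl -Algorithm SHA256).Hash
} | ConvertTo-Json | Set-Content -Path (Join-Path $caseDir 'manifest.json') -Encoding UTF8
Write-Output "Trace saved to $etl"
```

Copy the relevant .wpaProfile and PDB files into the case folder before opening the trace in WPA. An ETL records process names, file paths, and call stacks from the whole machine, so keep the case root readable by administrators only.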

Once the security processes causing the spikes have been identified, you can negotiate reasonable configuration adjustments with the cybersecurity team: excluding certain directories from real-time scans, moving heavy tasks to nighttime windows, distributing scans so that not all computers do the same thing at the same time, etc.

This information can also be fed into the SIEM: ETL traces converted into metrics, counters dumped to logs, and PLA alerts integrated with the Event Viewer. This allows operations teams to see if a new version of a security agent has increased the overall load across the device fleet.


Comparison with bottleneck calculators and other online tools

In parallel with the professional approach with WPR and WPA, there are many bottleneck calculators on the web (PC Builds, CPU Agent, UserBenchmark, GPU Check, etc.) that attempt to predict whether a CPU and GPU will "match well" or if there will be a clearly limiting component.

These calculators are useful as a preliminary estimate before assembling equipment. You enter the processor model, graphics card, amount and speed of RAM, and game resolution, and they give you a rough idea of whether the GPU will be underutilized because of the CPU, whether the RAM might be a bottleneck, or what FPS you can expect.

But they have significant limitations. They don't know your specific software, your drivers, your actual operating system, or how you use your computer. They might tell you a combination is "balanced," but then, in practice, a poorly optimized game or a problematic driver could create unexpected bottlenecks. Or vice versa: they might label a combination as unfavorable, but in your case, it might work perfectly due to your workload.

The big difference with WPR and WPA is that these tools don't speculate: they measure what's actually happening on your machine under your real-world load. They don't work with theoretical averages or generic benchmarks, but with your work session, your gaming, your corporate software, your security spikes.

Even so, calculators can help you choose future hardware more wisely. You can use them as a first filter, then look for real experiences in user forums with the same combination of components, and finally validate with WPR/WPA that the new equipment performs as you expected in your critical scenarios.

Manual bottleneck check without external tools

If you cannot install anything additional on the computer (whether due to corporate policies or because you're doing a quick diagnostic), you can still perform a fairly useful check using the Task Manager itself.

The basic procedure is simple: you start Task Manager, close all applications except the one you want to analyze, and with the "Performance" tab in view, you launch the problematic load (game, heavy app, video export, etc.).

While the task is running, monitor CPU, memory, disk, and network. If any of these components remains stuck at 100% usage for the duration of the operation, that component is likely the one limiting performance. For example, a game that constantly pushes the CPU to 100% even though the GPU is at 40% indicates a processor bottleneck, even if you still have RAM available.

The important thing is to interpret this data carefully. Seeing RAM as "quite used" doesn't necessarily mean it's the bottleneck if the CPU is overloaded. In many games, for example, the CPU simply can't handle the game's logic and isn't able to utilize the available RAM or supply the GPU with enough draw calls.

This type of visual observation is a good first clue, but it doesn't replace detailed WPR/WPA traces, where you'll see the call stacks, drivers, interrupts, and exact timings.

Criteria for deciding if there is a serious hardware problem

Not all bottlenecks justify an RMA or a warranty claim. Often, the issues are due to configuration, poorly optimized software, or an unbalanced combination of components. However, there are clear symptoms that the hardware may be faulty.

Typical critical indicators include frequent blue screens (BSOD) with memory or CPU-related codes, sudden shutdowns when subjecting the system to stress tests, temperatures that spike above 90 °C under moderate loads, strange noises from fans or mechanical disks, and recurring read or write errors.

To properly document a potential hardware failure, you can use Windows Reliability Monitor, DxDiag to extract a hardware and driver configuration report, and tools like Process Monitor to capture what the system was doing just before it failed. All of that, along with one or two WPR traces showing clearly anomalous behavior, is invaluable for justifying a replacement to the manufacturer.

When you gather this information, always note the exact date and time of each incident, what you were doing, what software was running, and whether the problem is reproducible. The more precise you are, the easier it will be for technical support to understand and validate your case.

Using Windows Performance Recorder and Analyzer to hunt down hardware bottlenecks is essentially about learning to look "under the hood" of Windows with precision instruments. When you combine these with good configuration practices, well-designed stress tests, classic tools like performance counters, and rigorous documentation, you go from simply "the PC is slow" to having solid diagnoses, comparable data over time, and clear arguments for deciding whether to optimize software, adjust policies, redesign workloads, or simply invest in better-balanced hardware.
