Substantial refinements to Network Tracing / NetBlame Plug-in (#45)

* Fix link to (releases)

* Better find XPerf.exe, Handle 0x80071069, etc.

* Substantial refinements to NetBlame WPA Network add-in v1.6.0

---------

Co-authored-by: Raymond Fowkes <REFowkes@frontier.com>

Author: rayfo

src/BETA/GetSymbols.bat

@@ -6,6 +6,7 @@ REM Licensed under the MIT License.
 REM Download symbols based on those referenced in the given ETW log file (.etl).
 REM Optionally limit downloads to the given modules (faster).
 REM EnvVar OVerbose=1 : report commands executed
+REM EnvVar WPT_PATH : find XPerf here
 
 setlocal
 
@@ -37,6 +38,9 @@ call :SetSymDir
 if not defined _NT_SYMBOL_PATH set _NT_SYMBOL_PATH=%SYMPATH_DFT%
 if not defined _NT_SYMCACHE_PATH set _NT_SYMCACHE_PATH=%SYMCACHE_DFT%
 
+if defined WPT_PATH set path=%WPT_PATH:"=%;%path%
+if defined OVerbose echo XPERF: & where xperf & echo:
+
 REM Older versions of XPerf.exe copy PDB files to the current directory, which will be _SYMDIR.
 
 pushd "%_SYMDIR%"
@@ -50,7 +54,7 @@ echo:
 
 rem XPerf.exe is often adjacent to WPA.exe, or available in the ADK / Windows Performance Toolkit: https://aka.ms/adk
 
-set _filter=findstr /r "bytes.*SYMSRV.*RESULT..0x00000000"
+set _filter=findstr /r /c:"[0-9] bytes -"
 set _filter1=2^>^&1 ^| %_filter%
 set _filter2=2^^^>^^^&1 ^^^| %_filter%
 
@@ -230,4 +234,10 @@ echo Download all referenced modules, or (faster) the modules listed and depende
 echo See: https://github.com/microsoft/MSO-Scripts/wiki/Advanced-Symbols#deeper
 echo See: https://github.com/microsoft/MSO-Scripts/wiki/Symbol-Resolution#native
 echo See: https://learn.microsoft.com/en-us/previous-versions/windows/desktop/xperf/symbols
+echo:
+echo Optional Environment Variables:
+echo _NT_SYMBOL_PATH=cache*%SystemDrive%\Symbols;srv*https://msdl.microsoft.com/download/symbols
+echo _NT_SYMCACHE_PATH=%SystemDrive%\SymCache
+echo WPT_PATH=^<path containing XPerf.exe^> (no quotes)
+echo OVerbose=1 (diagnostic output)
 exit /b 1

src/BETA/TraceNetwork.ps1

@@ -377,6 +377,7 @@ Param ( # $ViewerParams 'parameter splat'
 		# Case 2: Do not proceed.
 
 		Write-Err "Found an older version of the Windows Performance Analyzer (WPA): $Version"
+		Write-Err "`"$WpaPath`""
 		Write-Err "The minimum version for this analysis is: $VersionMinForAddin"
 		WriteWPTInstallMessage "WPA.exe"
 		exit 1
@@ -390,9 +391,9 @@ Param ( # $ViewerParams 'parameter splat'
 	$ExtraParams = $Null
 	$Processors = $Null
 
-	if (!$Version -or ($Version -ge $VersionForProcessors) -or !$WpaPath.EndsWith('.exe'))
+	if (!$Version -or !(IsRealVersion $Version) -or ($Version -ge $VersionForProcessors))
 	{
-		# Required for WPA.bat or WPA.exe v11.8+ to bypass the New WPA Launcher
+		# Required for WPA.bat or WindowsApps\WPA.exe (stub) or WPA.exe v11.8+ to bypass the New WPA Launcher.
 		$Processors = GetPluginsList $Version
 		$ExtraParams += GetArgs -processors $Processors
 	}

src/INCLUDE.WPA.ps1

@@ -402,7 +402,7 @@ function LaunchAsStandardUser
 		$ArgList = $ArgList -replace '(?<!\\)"', "'"
 	}
 
-	Write-Status "Launching WPA as Standard User (non-Admin):`n" $ProcessCommand.FilePath $ArgList
+	Write-Status "Launching as Standard User (non-Admin):`n" $ProcessCommand.FilePath $ArgList
 
 	ResetError
 	$ErrorDefault = "Failed to run: $($Args[0])"
@@ -467,7 +467,7 @@ Param(
 	# If the viewer command is WPA.bat or something other than WPA.exe or "WPA.exe", don't maximize that window.
 	if ($Viewer.TrimEnd('"') -notlike '*.exe') { $ProcessCommand.WindowStyle = "Minimized" }
 
-	Write-Status "Launching WPA as Current User."
+	Write-Status "Launching as Current User."
 
 	ResetError
 	$Process = $Null
@@ -496,7 +496,7 @@ function BackgroundResolveSymbols
 Param (
 	[string]$ETL
 )
-	$XPerfPath = GetWptExePath 'XPerf.exe' -silent
+	$XPerfPath = GetWptExePath 'XPerf.exe' -TestRun -Shallow
 
 	if (!$XPerfPath)
 	{
@@ -524,7 +524,7 @@ Param (
 	$XPerfCmd = "`"$XPerfPath`" -tle -tti -i `"$ETL`" -symbols verbose -a symcache -build"
 	$XPerfCmdEnv = "$(ReplaceEnv $XPerfPath) -tle -tti -i $(ReplaceEnv $ETL) -symbols verbose -a symcache -build"
 
-	$OutFilter = <# $XPerfCmd #> '2>&1 | findstr /r "bytes.*SYMSRV.*RESULT..0x00000000"'
+	$OutFilter = <# $XPerfCmd #> '2>&1 | findstr /r /c:"[0-9] bytes -"'
 	$XPerfFiltered = "$XPerfCmd $OutFilter"
 	$XPerfFilterEnv = "$XPerfCmdEnv $OutFilter"
 

src/INCLUDE.ps1

@@ -728,7 +728,9 @@ function HandleChangeThreadMode
 {
 	Write-Err "Windows Performance Recorder (WPR): Internal COM Error"
 	Write-Warn "This issue usually resolves by restarting Windows."
-	Write-Warn "If this occurs frequently, make sure that you have a very recent version of WPR:`n"
+	Write-Warn "If this occurs frequently, make sure that you have a very recent version of WPR."
+	if (!$script:WPR_PreWin10) { Write-Warn "The current version is: $script:WPR_Win10Ver" }
+	Write-Warn 'https://devblogs.microsoft.com/performance-diagnostics/wpr-start-and-stop-commands/#:~:text=0x80010106'
 	WriteWPTInstallMessage "WPR.exe"
 }
 
@@ -872,6 +874,28 @@ Param (
 }
 
 
+<#
+	0x80071069: The instance name passed was not recognized as valid by a WMI data provider.
+#>
+function HandleAbortedTrace
+{
+Param (
+	$WprParams
+)
+	Write-Err (GetCmdVerbose $script:WPR_Path $WprParams)
+
+	Write-Err "`nWPR returned error 0x80071069: The instance name passed was not recognized as valid by a WMI data provider.`n"
+
+	Write-Warn "This sometimes means that there is not enough space on the disk for the .ETL log file."
+	Write-Warn "Intermediate trace files are stored here:"
+	Write-Warn "`"$env:TRACE_PATH`""
+	Write-Warn
+	Write-Warn "Try running 'cleanmgr' or clearing space on the disk."
+	Write-Warn "Or set the TRACE_PATH environment variable to a folder on another drive."
+	Write-Warn "Or simply try again to capture the trace using -Loop : TraceCPU Start -Loop ..."
+}
+
+
 <#
 	Use WMI (deprecated after PSv2) to return the SID of the logged-on user for the current Windows Session.
 	Return: $Null if failure; $False if it's unchanged from the current context; [string]SID if success.
@@ -1865,17 +1889,19 @@ Param (
 
 	if ($TestRun)
 	{
+		# Skip stray, obviously old installations.
+		$fileVer = GetFileVersion $ExePath
+		if ($fileVer -and ($fileVer.Major -lt [Environment]::OSVersion.Version.Major))
+		{
+			Write-Status "Found old v$fileVer at: $ExePath"
+			return $False
+		}
+
 		try
 		{
 			$Null = & $ExePath -? 2>$Null | Out-Null # silent mode for PSv2+
-			if ($?) { $TestRun = $False } # Success!
 		}
 		catch
-		{
-			# Do not flag success.
-		}
-
-		if ($TestRun)
 		{
 			Write-Status "Test run failed: $ExePath"
 			return $False
@@ -1906,23 +1932,26 @@ Param (
 	Get the full path of the given executable from the Windows Performance Toolkit: WPA.exe, WPR.exe, etc.
 	This path can be customized with the WPT_PATH environment variable. ($Env:WPT_PATH may get cleared if it is invalid.)
 	ISSUE Win10/11+: WPR.exe exists in: $Env:windir\system32\wpr.exe  Should this script search for another (newer?) version?
+	Consider Win10 installed with: WPR v10.0.19041  This is subject to: Error 0x80010106
+	https://devblogs.microsoft.com/performance-diagnostics/wpr-start-and-stop-commands/#:~:text=0x80010106
 #>
 function GetWptExePath
 {
 Param (
 	[string]$Exe,
 	[switch]$Silent,
+	[switch]$Shallow,
 	[switch]$AltPath,
 	[switch]$TestRun
 )
-	# Test the optional environment variable
+	# Test the optional environment variable. (Use the binary found on this path if at all possible.)
 	# This is set by the user. All others are set by the system or by an installer.
 
 	if ($env:WPT_PATH)
 	{
 		$WptPath = $env:WPT_PATH.Trim('"').TrimEnd('\')
 		$WptPath = "$WptPath\$Exe"
-		if (TestExePath $WptPath $TestRun ([ref]$AltPath)) { return $WptPath }
+		if (TestExePath $WptPath -TestRun:$False ([ref]$AltPath)) { return $WptPath }
 
 		# Sanity check: If $env:WPT_PATH does not exist then reset is to null for this script.
 		if (!(Test-Path -PathType container -Path $env:WPT_PATH -ErrorAction:SilentlyContinue)) { $env:WPT_PATH = $Null }
@@ -1931,9 +1960,9 @@ Param (
 	# Test Windows Apps (not executable stubs)
 
 	# $Exe should exist in the folder registered under WPA.exe
-	$PathReg = $Null
+	$WptPath = $PathReg = $Null
 	$WpaOpenPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\App Paths\wpa.exe"
-	$WptPath = GetRegistryValue $WpaOpenPath "Path"
+	if (!$Shallow) { $WptPath = GetRegistryValue $WpaOpenPath "Path" }
 	if ($WptPath)
 	{
 		$WptPath = $PathReg = "$WptPath\$Exe"
@@ -1970,10 +1999,14 @@ Param (
 
 	# App store paths require Admin privilege to walk, unless you land directly on the app folder.
 	# Look up the path of the app folder(s) via the registry.
+	# This may only work for WPA.
 
-	$WildPath = 'Registry::HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.WindowsPerformanceAnalyzer*'
-	[string[]] $RegPaths = Get-Item -Path $WildPath -ErrorAction:SilentlyContinue
-
+	[string[]]$RegPaths = $Null
+	if (!$Shallow)
+	{
+		$WildPath = 'Registry::HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Packages\Microsoft.WindowsPerformanceAnalyzer*'
+		$RegPaths = Get-Item -Path $WildPath -ErrorAction:SilentlyContinue
+	}
 	foreach ($RegPath in $RegPaths)
 	{
 		$Path = GetRegistryValue "Registry::$RegPath" 'PackageRootFolder'
@@ -1989,11 +2022,10 @@ Param (
 
 	# Test the system path, which may include WindowsApps (executable stubs, NO VERSION)
 
-	$PathApps= $Null
 	$WptCmd = Get-Command -TotalCount 1 -CommandType Application $Exe -ErrorAction:SilentlyContinue
-	if ($WptCmd)
+	foreach ($Cmd in $WptCmd)
 	{
-		$WptPath = $PathApps = $WptCmd.Path
+		$WptPath = $PathApps = $Cmd.Path
 		if (TestExePath $WptPath $TestRun ([ref]$AltPath)) { return $WptPath }
 	}
 
@@ -2002,7 +2034,7 @@ Param (
 	if ($Env:LOCALAPPDATA)
 	{
 		$WptPath = "$Env:LOCALAPPDATA\Microsoft\WindowsApps\$Exe"
-		if (($WptPath -ne $PathApps) -and (TestExePath $WptPath $TestRun ([ref]$AltPath))) { return $WptPath }
+		if (!($WptCmd -contains $WptPath) -and (TestExePath $WptPath $TestRun ([ref]$AltPath))) { return $WptPath }
 	}
 
 	# Try the Side-by-Side path for WPR
@@ -3211,6 +3243,18 @@ Param (
 			return [ResultValue]::Error
 		}
 
+		0x80071069 # The instance name passed was not recognized as valid by a WMI data provider.
+		{
+			HandleAbortedTrace $WprParams
+
+			Write-Msg "`nCanceling..."
+			$Null = InvokeWPR -Cancel -InstanceName $InstanceName
+
+			ListRunningProfiles
+
+			return [ResultValue]::Error
+		}
+
 		default
 		{
 			Write-Err $script:WPR_Path @WprParams