Are there any ETW events created by IIS or ASP.NET which include the request URL?

Question

I have been trying, without much success, to capture ETW events created by IIS or ASP.NET which include the request URL.

I am using Windows 8 (development) and Windows Server 2008 R2 (production), so IIS 8.0 and 7.5 respectively. I am aware that in IIS 8.5 there is better ETW support but that's not going to help at the moment unfortunately.

Using PerfView, collecting system-wide events and with the following Additional Providers I get some events in the Microsoft-Windows-IIS-Configuration namespace but nothing that includes individual request details.

Additional Providers

Microsoft-Windows-IIS-APPHOSTSVC:*:5,Microsoft-Windows-IIS-Configuration:*:5,Microsoft-Windows-IIS-FTP:*:5,Microsoft-Windows-IIS-IisMetabaseAudit:*:5,Microsoft-Windows-IIS-IISReset:*:5,Microsoft-Windows-IIS-W3SVC:*:5,Microsoft-Windows-IIS-W3SVC-PerfCounters:*:5 ,Microsoft-Windows-IIS-W3SVC-WP:*:5,Microsoft-Windows-IIS-WMSVC:*:5

If I run logman query providers I get the following, so I know these providers are available (on my Windows 8 machine).

Provider                                 GUID
-------------------------------------------------------------------------------

Microsoft-Windows-IIS-APPHOSTSVC         {CAC10856-9223-48FE-96BA-2A772274FB53}
Microsoft-Windows-IIS-Configuration      {DC0B8E51-4863-407A-BC3C-1B479B2978AC}
Microsoft-Windows-IIS-FTP                {AB29F35C-8531-42FF-810D-B8552D23BC92}
Microsoft-Windows-IIS-IisMetabaseAudit   {BBB924B8-F415-4F57-AA45-1007F704C9B1}
Microsoft-Windows-IIS-IISReset           {DA9A85BB-563D-40FB-A164-8E982EA6844B}
Microsoft-Windows-IIS-W3SVC              {05448E22-93DE-4A7A-BBA5-92E27486A8BE}
Microsoft-Windows-IIS-W3SVC-PerfCounters {90303B54-419D-4081-A683-6DBCB532F261}
Microsoft-Windows-IIS-W3SVC-WP           {670080D9-742A-4187-8D16-41143D1290BD}
Microsoft-Windows-IIS-WMSVC              {23108B68-1B7E-43FA-94FB-EC3066805744}

I've also tried using logman to create an ETL file, but this doesn't seem to capture anything IIS related:

etw.ps1

logman start ASPTrace -pf providers.txt -ets
Start-Sleep -Seconds 30
logman stop ASPTrace -ets

providers.txt

"Microsoft-Windows-IIS-APPHOSTSVC" 0xFFFFFFFE 5
"Microsoft-Windows-IIS-Configuration" 0xFFFFFFFE 5
"Microsoft-Windows-IIS-FTP" 0xFFFFFFFE 5
"Microsoft-Windows-IIS-IisMetabaseAudit" 0xFFFFFFFE 5
"Microsoft-Windows-IIS-IISReset" 0xFFFFFFFE 5
"Microsoft-Windows-IIS-W3SVC" 0xFFFFFFFE 5
"Microsoft-Windows-IIS-W3SVC-PerfCounters" 0xFFFFFFFE 5
"Microsoft-Windows-IIS-W3SVC-WP" 0xFFFFFFFE 5
"Microsoft-Windows-IIS-WMSVC" 0xFFFFFFFE 5

I have tried the above with 0xFFFFFFFE and 0xFFFFFFFF.

Answer 1

Microsoft-Windows-HttpService {DD5EF90A-6398-47A4-AD34-4DCECDEF795F}

Look at the Deliver event. It has RequestUrl, and the app pool the request got forwarded to.

This is available in Windows Vista and higher.

Answer 2

Create your own ETW provider class with System.Diagnostics.Tracing.EventSource and log here the request url in your project if you need it.

You can now also use WPT to capture the events.