Table of contents
TLS
TOC
Collapse the table of content
Expand the table of content

Save-EtwTraceSession

Brian Lich|Last Updated: 3/28/2017

SYNOPSIS

Saves the events collected by the ETW session to an .etl file.

SYNTAX

Save-EtwTraceSession [-Name] <String> [-OutputFile <FileInfo>] [-OutputFolder <DirectoryInfo>] [-Stop]
 [-Overwrite] [-CimSession <CimSession>] [-WhatIf] [-Confirm] [<CommonParameters>]

DESCRIPTION

The Save-EtwTraceSession cmdlet saves the events collected by the ETW session to an .etl file.

EXAMPLES

PARAMETERS

-CimSession

Runs the cmdlet in a remote session or on a remote computer. Enter a computer name or a session object, such as the output of a New-CimSession or Get-CimSession cmdlet. The default is the current session on the local computer.

Type: CimSession
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

-Name

Specifies the name of the ETW session.

Type: String
Parameter Sets: (All)
Aliases: 

Required: True
Position: 0
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-OutputFile

Specifies the file to save the .etl file to for the ETW session.

Type: FileInfo
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False

-OutputFolder

Specifies the folder to save the .etl file to for the ETW session.

When this parameter is set, the file name of the .etl will be selected automatically based on the session properties.

If the session is a buffering mode session, the file name will be the name of the session.

If the session is a file mode session, the file name will be the file name of the currently being written to.

To control the file name as well as the output folder, use the OutputFile parameter instead.

Type: DirectoryInfo
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: True (ByValue)
Accept wildcard characters: False

-Overwrite

Controls whether an existing file should be overwritten by saving this session.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Stop

Controls whether the session should be stopped after the save is complete.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: 

Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi

Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

System.IO.FileInfo, System.IO.DirectoryInfo

OUTPUTS

System.IO.FileInfo, CIM_DataFile

This cmdlet returns a System.IO.FileInfo object that represents a file on the local computer. The object is returned when the current session is saved successfully to a file on the local machine.

This cmdlet returns a CIM_DataFile object when the current session is saved successfully to a file over a CIM session.

NOTES

Get-EtwTraceSession

New-EtwTraceSession

Send-EtwTraceSession

Start-EtwTraceSession

Stop-EtwTraceSession

Update-EtwTraceSession

© 2017 Microsoft