WFetch

A simple HTTP request that is issued by typing a URL in the address bar of a browser might produce multiple
network requests to the target server running IIS. However, the user does not see all of the resulting response data
because the browser does not display it. WFetch allows you to fully customize an HTTP request and send it to a Web
server so that you can see the raw HTTP request and response data. WFetch is included in the Internet Information
Services (IIS) 6.0 Resource Kit.
For more information about using WFetch in a testing environment, see article 284285, How To: Use Wfetch.exe to
Troubleshoot HTTP Connections in the Microsoft Knowledge Base. To find this article, see the Microsoft
Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

File Monitor and Registry Monitor

When troubleshooting IIS 6.0, you can use File Monitor and Registry Monitor to obtain two specific types of
information:

Verification that a specific file (File Monitor) or registry key (Registry Monitor) is being accessed by
a given process.

Information about whether that access results in an Access Denied error.

Both File Monitor and Registry Monitor can be downloaded from the System Internals Web site.
To install File Monitor and Registry Monitor, unzip and copy each .exe file to a desired location. To use one of these
tools, double-click the appropriate executable file (FileMon.exe or RegMon.exe). Both utilities start in capture mode,
which means that they display all file system (File Monitor) or registry (Registry Monitor) activity from all processes
as it happens. Before you begin troubleshooting a problem, stop the capture and clear the entries that have been
written.

To stop or start a capture in FileMon.exe or RegMon.exe

On the Options menu, click Capture Events.

To clear the current capture in FileMon.exe or RegMon.exe

On the Edit menu, click Clear Display.

Tips for Using File Monitor and Registry Monitor for Troubleshooting
Use the following tips to streamline the troubleshooting process when using File Monitor and Registry Monitor:

Isolate your task as much as possible. The output from a capture comes very quickly and at a high
volume. The larger the capture, the harder it is to find the information that you want. When you are
ready, perform only the tasks that will produce the file or registry access that you are trying to verify.

Avoid unnecessary clicking or activity. Performing extraneous operations while File Monitor or
Registry Monitor is running will produce unrelated and unnecessary data in the output.

Start a capture as closely as possible to when you perform the task. Separate your utility window
from the workspace that contains the process that you are using to troubleshoot so that you can
easily switch between programs. If possible, press ALT+TAB to quickly switch programs.

Create a capture filter for the process name that you are working with. Registry Monitor and
File Monitor both have capture filter functionality, which you can use to remove extraneous activity
from the capture. You can filter on any string in an entry. For example, a common filter is the IIS 6.0
worker process name, W3wp.exe.

To set a capture filter for W3wp.exe

On the Edit menu of the appropriate tool, click Filter/Highlight.

In the Include box, type W3wp.exe and then click Apply.

When you have finished the task, stop the capture and scan the results for specific output. Usually, your objective
will be to verify whether the problem is being caused by or is related to an access denial. In either tool, you can see
whether this is the case by looking for the text ACCESS DENIED in the Result column.
If you need to compare the time that an event occurred with some other activity on your network, change the time
format of the capture from the elapsed time, which is the default, to the literal time of day.

IIS 6.0 Enterprise Tracing for Windows

Windows Server 2003 includes Enterprise Tracing for Windows (ETW), a new framework for implementing tracing
providers that can be used for debugging and capacity planning. IIS 6.0 implements a number of providers to trace
key transitions and the progress that an HTTP request makes as it moves through the IIS service framework. These
providers include the following:

HTTP Service Trace. This provider traces new connections, new HTTP requests from a given
connection, HTTP kernel cache hits, application pool routing, and HTTP request completion.

IIS: WWW Server. This provider traces the transition of a request from HTTP.sys to the worker
process, start and stop events surrounding Common Gateway Interface (CGI) requests, and the
transition of a request back to HTTP.sys from the worker process. This information reveals the type
of request that is being processed.

IIS: SSL Filter. This provider traces calls into and out of the SSL Filter, which is used for SSL
traffic.

IIS ISAPI Extension. This provider traces the transition of a request into and out of ISAPI
extension processing.

IIS ASP. Traces the start and completion of the execution of an ASP request.

These tracing providers allow you to follow a request through all of its phases. This information is very useful in the
problem isolation phase of troubleshooting. For example, ISAPI filters can often cause delays or hangs in HTTP
request processing. The tracing functionality can help to determine which ISAPI filter is causing the delay for a given
request.
Use the LogMan utility, which is included with Windows Server 2003, to configure and control ETW. All of the
tracing providers are enabled through their Globally Unique ID (GUID), which you can find by using LogMan. A
GUID is a 128-bit number that is generally represented by a 32 character string of hexadecimal numbers.
The following procedure demonstrates one way that ETW tracing can be used.

To capture an ETW tracing session

List the GUIDs of the providers by using the LogMan utility. At a command prompt, type the following:
logman.exe query providers

The output will look similar to the following:

D:\>logman.exequeryproviders
ProviderGUID

ACPIDriverTraceProvider{dab01d4d2d48477db1c3daad0ce6f06b}
ActiveDirectory:Kerberos{bba3add2c2294cdbae2b57eb6966b0c4}
IIS:SSLFilter{1fbecc45c0604e7c8a0e0dbd6116181b}
IIS:WWWServer{3a2a4e844c214981ae103fda0d9b0f83}
IIS:ActiveServerPages(ASP){06b94d9ab15e456ea4ef37c984a2cb4b}
LocalSecurityAuthority(LSA){cc85922fdb4111d29244006008269001}
WindowsKernelTrace{9e814aad320411d29a82006008a86939}
ASP.NETEvents{AFF081FE024742759C4E021F3DC1DA35}

NTLMSecurityProtocol{C92CF54491B34dc08E11C580339A0BF8}
IIS:WWWISAPIExtension{a1c2040e88404c31ba119871031a19ea}
HTTPServiceTrace{dd5ef90a639847a4ad344dcecdef795f}
ActiveDirectory:NetLogon{f33959b4dbec11d2895b00c04f79ab69}
SpoolerTraceControl{94a984eff5254bf1be3cef374056a592}
Thecommandcompletedsuccessfully.
D:\>

Copy the GUIDs of the providers that you want to use into a text file, specify flags and levels, and then
save the file using an appropriate name, such as iis_providers.guid. For information about setting
flags and levels, see Create and Configure Trace Logs in Help and Support Center for Windows
Server 2003.

The file should look similar to the following, where the # character
delimits comments:
#GUID#flags#level#provider
{1fbecc45c0604e7c8a0e0dbd6116181b}05#IIS:SSLFilter
{3a2a4e844c214981ae103fda0d9b0f83}05#IIS:WWWServer
{06b94d9ab15e456ea4ef37c984a2cb4b}05#IIS:ActiveServerPages(ASP)
{AFF081FE024742759C4E021F3DC1DA35}05#ASP.NETEvents
{a1c2040e88404c31ba119871031a19ea}05#IIS:WWWISAPIExtension
{dd5ef90a639847a4ad344dcecdef795f}05#HTTPServiceTrace

Start the tracing session. At the command prompt, type the following:

logman.exe start iis_trace -pf iis_providers.guid -ct perf -o

iis_output.etl -bs 64 -nb 200 400 -ets
The output should look similar to the following:
D:\>logmanstartiis_tracepfiis_providers.guidctperfoiis_output.etlbs
64nb200400ets
Name:iis_trace
AgeLimit:15
BufferSize:64
BuffersWritten:1
ClockType:Perf
EventsLost:0
FlushTimer:0
BuffersFree:159
BuffersLost:0
FileMode:Sequential
FileName:D:\iis_output.etl
LoggerId:3
LoggerThreadId:3732
MaximumBuffers:160
MaximumFileSize:0
MinimumBuffers:160
Numberofbuffers:160
RealTimeBuffersLost:0
ProviderFlagsLevel

*"HTTPServiceTrace"0x000000000x05

{DD5EF90A639847A4AD344DCECDEF795F}0x000000000x05
*"IIS:SSLFilter"0x000000000x05
{1FBECC45C0604E7C8A0E0DBD6116181B}0x000000000x05
*"IIS:WWWServer"0x000000000x05
{3A2A4E844C214981AE103FDA0D9B0F83}0x000000000x05
*"IIS:WWWISAPIExtension"0x000000000x05
{A1C2040E88404C31BA119871031A19EA}0x000000000x05
*"IIS:ActiveServerPages(ASP)"0x000000000x05
{06B94D9AB15E456EA4EF37C984A2CB4B}0x000000000x05

Thecommandcompletedsuccessfully.
D:\>

Attempt to reproduce the problem that you are troubleshooting.

After you have reproduced the problem, stop the tracing session. At a command prompt, type the
following:

logman.exe stop iis_trace ets