In this episode of Defrag Tools, Andrew Richards, Chad Beeder and Larry Larsen continue looking at the Debugging Tools for Windows (in particular WinDbg). WinDbg is a debugger that supports user mode debugging of a process, or kernel mode debugging of a computer. This installment goes over the Event Tracing for Windows (ETW) buffers in a kernel mode dump or live session. The ETW buffers can be extracted from the dump and viewed using the Windows Performance Toolkit (WPT). The buffers give you insight in to what has beem happening recently on the computer. We use these commands: !wmitrace.strdump !wmitrace.logsave 0xNN c:example.etl !wmitrace.eventlogdump 0xNN !wmitrace.help Make sure you watch Defrag Tools Episode #1 and Defrag Tools Episode #23 for instructions on how to get the Debugging Tools for Windows and how to set the required environment variables for symbol and source code resolution. This episode shows how install the Windows Performance Toolkit.