cheat sheet

logman

Create, start, stop, and manage Data Collector Sets for performance counters, event traces, and configuration data — the command-line interface to Windows Performance Monitor for scripted monitoring and automated log collection.

logman — Performance Monitor CLI

What it is

logman is the built-in Windows command-line interface to the Performance Logs and Alerts subsystem and Windows Performance Monitor (perfmon.exe). It manages Data Collector Sets (DCS) — named groups of performance counter logs, event trace logs (ETL), and configuration snapshots. Use logman to automate performance baseline capture, gather counter data during a load test, start/stop ETL traces without opening a GUI, and query or export existing DCS configurations. The PowerShell equivalent is cmdlets in the Microsoft.PowerShell.Diagnostics module (Get-Counter, New-PSDrive), though logman is often simpler for one-off tasks.

Availability

logman ships as C:\Windows\System32\logman.exe on Windows XP and later. Creating or modifying collectors typically requires Administrator privileges.

cmd
logman /?

Output:

text
Microsoft ® Logman.exe (10.0.19041.1)
...
Usage:
logman [create|query|start|stop|delete|update|import|export] [options]

Syntax

cmd
logman <verb> [name] [options]

Output: (varies by verb)

Essential verbs

Verb             Meaning
query            List all DCS or show details of one
query providers  List available ETW providers
create counter   Create a performance-counter collector
create trace     Create an event trace (ETL) collector
start <name>     Begin data collection
stop <name>      End data collection
delete <name>    Remove a DCS
update <name>    Modify settings of an existing DCS
export <name>    Export DCS configuration to XML
import           Import DCS from an XML file

Listing Data Collector Sets

logman query with no additional argument lists every DCS registered on the machine, including user-defined and system DCS. Add a name to see details of one specific set.

cmd
logman query

Output:

text
Data Collector Set                      Type                          Status
-------------------------------------------------------------------------------
\System\Active Directory Diagnostics   System Data Collector Set     Stopped
\System\Performance Diagnostic         System Data Collector Set     Stopped
\User Defined\MyPerfLog                Counter                       Running

The command completed successfully.

cmd
logman query "MyPerfLog"

Output:

text
Name:                 MyPerfLog
Status:               Running
Root Path:            C:\PerfLogs\MyPerfLog
Segment:              Off
Schedules:            None
Segment Max Size:     100 MB

Name:                 MyPerfLog\MyPerfLog
Type:                 Counter
Append:               Off
Circular:             Off
Overwrite:            Off
Sample interval:      15 sec
Log file (max. 100 MB): C:\PerfLogs\MyPerfLog\MyPerfLog.blg
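
A fleet check built on the listing format above, added here as an example and not part of the original cheat sheet: it parses captured `logman query` output and reports expected collectors that are missing or not running. The sample listing is constructed, `EndpointHealth` is a hypothetical expected collector, and the English status word "Running" is assumed.

```python
import re

# Constructed sample of `logman query` output in the listing format shown above.
SAMPLE = r"""
Data Collector Set                      Type                          Status
-------------------------------------------------------------------------------
\System\Active Directory Diagnostics   System Data Collector Set     Stopped
\System\Performance Diagnostic         System Data Collector Set     Stopped
\User Defined\MyPerfLog                Counter                       Running

The command completed successfully.
"""


def parse_listing(text):
    """Return ({leaf name: (type, status)}, [unparsed lines])."""
    rows, unparsed, in_table = {}, [], False
    for line in text.splitlines():
        stripped = line.strip()
        if re.fullmatch(r"-{10,}", stripped):
            in_table = True              # data rows follow the dashed rule
            continue
        if not in_table:
            continue
        if not stripped:
            break                        # a blank line ends the table
        # Names and types contain single spaces; columns are padded with 2+.
        parts = re.split(r"\s{2,}", stripped)
        if len(parts) != 3:
            unparsed.append(stripped)    # e.g. a name long enough to touch Type
            continue
        name, dcs_type, status = parts
        # Key on the leaf name, without the "\User Defined\" or "\System\" folder.
        rows[name.rsplit("\\", 1)[-1].lower()] = (dcs_type, status)
    return rows, unparsed


def check_collectors(text, expected):
    """List expected collectors that are absent or not in the Running state."""
    rows, unparsed = parse_listing(text)
    findings = []
    for name in expected:
        entry = rows.get(name.lower())
        if entry is None:
            findings.append((name, "missing"))
        elif entry[1] != "Running":
            findings.append((name, "not running: " + entry[1]))
    return findings, unparsed


if __name__ == "__main__":
    # EndpointHealth is a hypothetical collector that policy expects to exist.
    findings, unparsed = check_collectors(
        SAMPLE, ["MyPerfLog", "EndpointHealth", "Performance Diagnostic"])
    for name, problem in findings:
        print(f"{name}: {problem}")
    for line in unparsed:
        print("could not parse:", line)
```

Rows that cannot be split into three columns are returned rather than dropped, so a collector with an unusually long name is reported instead of silently counted as missing.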

Creating a performance counter collector

logman create counter defines a new DCS that samples specific performance counters at a set interval and writes results to a binary log (.blg) or CSV file. The -c option lists the counter paths; -si sets the sample interval.

cmd
logman create counter CPUMemLog ^
    -c "\Processor(_Total)\% Processor Time" "\Memory\Available MBytes" ^
    -si 15 ^
    -o C:\PerfLogs\CPUMemLog.blg ^
    -f bincirc ^
    -max 100

Output:

text
The command completed successfully.

Starting and stopping a collector

logman start begins data collection; logman stop ends it and flushes the file. These are the key verbs for test-automation scripts — start before the load test, stop after.

cmd
logman start CPUMemLog

Output:

text
The command completed successfully.

cmd
logman stop CPUMemLog

Output:

text
The command completed successfully.

Deleting a Data Collector Set

logman delete removes the DCS configuration. It does not delete the collected log files — those remain in the output folder.

cmd
logman delete CPUMemLog

Output:

text
The command completed successfully.

Creating an event trace (ETL) collector

logman create trace captures ETW (Event Tracing for Windows) events from specified providers into an .etl file for analysis with tools like tracerpt, WPA (Windows Performance Analyzer), or netsh trace.

cmd
logman create trace NetworkTrace ^
    -p "Microsoft-Windows-TCPIP" ^
    -o C:\Traces\NetworkTrace.etl ^
    -f bincirc ^
    -max 256

Output:

text
The command completed successfully.

cmd
logman start NetworkTrace

Output:

text
The command completed successfully.

cmd
logman stop NetworkTrace

Output:

text
The command completed successfully.

Listing available ETW providers

logman query providers enumerates all registered ETW providers on the system — the source of trace events. Filter with findstr to find providers for a specific subsystem.

cmd
rem findstr has no \| alternation; space-separated words are matched as alternatives
logman query providers | findstr /I "tcp http network"

Output:

text
Microsoft-Windows-TCPIP                {2F07E2EE-15DB-40F1-90EF-9D7BA282188A}
Microsoft-Windows-HttpService          {DD5EF90A-6398-47A4-AD34-4DCECDEF795F}
Microsoft-Windows-Networking-Correlation {83ED54F0-4D48-4E45-B16E-726FFD1FA4AF}

Exporting and importing DCS configurations

logman export serializes a DCS to an XML file. logman import re-creates the DCS from that file — useful for replicating a monitoring configuration across multiple servers.

cmd
logman export CPUMemLog -xml C:\Config\CPUMemLog.xml

Output:

text
The command completed successfully.

cmd
logman import -name CPUMemLog -xml C:\Config\CPUMemLog.xml

Output:

text
The command completed successfully.

DCS types — counter, trace, alert, configuration, api

logman create supports five distinct collector types. Each writes a different binary format and answers a different question. Choosing the wrong type is the most common cause of "the data I want isn't in the log" — pick by the output you need, not by the source.

Type     Output                                 What it captures                             When to use
counter  .blg (or CSV/TSV)                      Periodic performance counter samples         Baselining, capacity planning, load tests
trace    .etl                                   ETW events from registered providers         Network/kernel/process traces, deep diagnostics
alert    Event log entries or program launches  Threshold breaches on a counter              Real-time triggers, low-disk alerts
cfg      .txt                                   Snapshot of registry keys, files, WMI state  Config drift audits
api      .etl (API trace)                       Win32 API call traces                        Developer diagnostics

cmd
logman create counter <name>  -c <counters>  -si <interval> -o <path>
logman create trace   <name>  -p <provider>                 -o <path>
logman create alert   <name>  -th <threshold>  [-el] [-tn <task>]
logman create cfg     <name>  -reg <keys>  -mgt <wmi>       -o <path>
logman create api     <name>  -exe <image>                  -o <path>

Output: (none — syntax reference, not executable as-is)

Counter collectors in depth

A counter collector is essentially perfmon automation: it polls one or more counter paths on a fixed interval and writes the values to a binary log. Counter paths have the form \<Object>(<Instance>)\<Counter>, for example \Processor(_Total)\% Processor Time and \Memory\Available MBytes.

Counter path discovery with typeperf -qx

typeperf -qx enumerates every available counter path on the machine. Pipe to findstr to find the exact spelling for the local locale.

cmd
typeperf -qx | findstr /I "LogicalDisk"

Output:

text
\LogicalDisk(_Total)\Current Disk Queue Length
\LogicalDisk(_Total)\% Disk Time
\LogicalDisk(_Total)\Avg. Disk Queue Length
\LogicalDisk(_Total)\% Disk Read Time
\LogicalDisk(_Total)\Avg. Disk Read Queue Length
\LogicalDisk(_Total)\% Disk Write Time
\LogicalDisk(_Total)\Avg. Disk Write Queue Length
...

Counter file formats (-f)

The -f switch chooses the binary or text output format. Use bin for forensic captures (no overwrite), bincirc for ring-buffer monitoring, csv when downstream tooling expects CSV.

Format   Extension  Notes
bin      .blg       Binary, non-circular — grows until -cnf <duration> or manual stop
bincirc  .blg       Binary, circular — capped at -max <MB>
csv      .csv       Comma-separated, human-readable
tsv      .tsv       Tab-separated
sql      (DSN)      Writes to a SQL database

cmd
rem CSV output for direct ingest into Excel or Power BI
logman create counter DiskCsv ^
    -c "\PhysicalDisk(_Total)\Avg. Disk sec/Read" "\PhysicalDisk(_Total)\Avg. Disk sec/Write" ^
    -si 10 ^
    -o C:\PerfLogs\DiskCsv.csv ^
    -f csv
logman start DiskCsv
timeout /t 30 /nobreak >NUL
logman stop DiskCsv
type C:\PerfLogs\DiskCsv_000001.csv | more

Output:

text
"(PDH-CSV 4.0) (Coordinated Universal Time)(0)","\\MYHOST\PhysicalDisk(_Total)\Avg. Disk sec/Read","\\MYHOST\PhysicalDisk(_Total)\Avg. Disk sec/Write"
"05/25/2026 10:14:22.000","0.000123","0.000201"
"05/25/2026 10:14:32.000","0.000118","0.000198"
...
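
A parser for the PDH-CSV layout shown above, added here as an example and not part of the original cheat sheet: it splits each column header into host, object, instance and counter, and summarises the samples per counter. The sample data is constructed; the blank first value models the empty cell a rate counter can produce before it has two raw samples.

```python
import csv
import io
import re
from datetime import datetime
from statistics import mean

# Constructed sample in the PDH-CSV 4.0 layout shown above. The first row of a
# rate counter can be blank (" ") because a rate needs two raw samples.
SAMPLE = r'''"(PDH-CSV 4.0) (Coordinated Universal Time)(0)","\\MYHOST\PhysicalDisk(_Total)\Avg. Disk sec/Read","\\MYHOST\Memory\Available MBytes"
"05/25/2026 10:14:12.000"," ","8120"
"05/25/2026 10:14:22.000","0.000123","8118"
"05/25/2026 10:14:32.000","0.000118","8101"
'''

HEADER_RE = re.compile(
    r"^\(PDH-CSV (?P<version>[\d.]+)\) \((?P<timezone>.+)\)\((?P<bias>-?\d+)\)$")
# \\host\Object(Instance)\Counter, where the (Instance) part is optional.
PATH_RE = re.compile(
    r"^\\\\(?P<host>[^\\]+)\\(?P<object>[^\\(]+)"
    r"(?:\((?P<instance>.*)\))?\\(?P<counter>.+)$")


def parse_pdh_csv(text):
    """Parse PDH-CSV text into (meta, counters); blanks are counted, not zeroed."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    header = HEADER_RE.match(rows[0][0]) if rows else None
    if header is None:
        raise ValueError("first column is not a PDH-CSV header")
    counters = []
    for path in rows[0][1:]:
        m = PATH_RE.match(path)
        if m is None:
            raise ValueError("unrecognised counter path: " + path)
        counters.append({**m.groupdict(), "values": [], "blank": 0})
    stamps = []
    for row in rows[1:]:
        stamps.append(datetime.strptime(row[0], "%m/%d/%Y %H:%M:%S.%f"))
        for col, cell in zip(counters, row[1:]):
            if cell.strip():
                col["values"].append(float(cell))
            else:
                col["blank"] += 1      # no sample yet; do not treat it as 0
    meta = {**header.groupdict(), "rows": len(stamps),
            "first": stamps[0] if stamps else None,
            "last": stamps[-1] if stamps else None}
    return meta, counters


def summarize(text):
    """Return {(object, instance, counter): (min, avg, max, blank_count)}."""
    _, counters = parse_pdh_csv(text)
    out = {}
    for c in counters:
        v = c["values"]
        stats = (min(v), mean(v), max(v)) if v else (None, None, None)
        out[(c["object"], c["instance"], c["counter"])] = stats + (c["blank"],)
    return out


if __name__ == "__main__":
    for key, stats in summarize(SAMPLE).items():
        print(key, stats)
```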

Scheduled counter collection

-b (begin) and -e (end) define a single capture window; -rf <duration> runs the collector for a fixed duration each time it starts; -cnf <duration> rolls to a new file at the interval.

cmd
rem One 09:00-17:00 capture window on 2026-05-25, new file every hour
logman create counter Workday ^
    -c "\Processor(_Total)\% Processor Time" "\Memory\Available MBytes" ^
    -si 30 ^
    -o C:\PerfLogs\Workday.blg ^
    -f bin ^
    -b 2026-05-25 09:00:00 ^
    -e 2026-05-25 17:00:00 ^
    -cnf 01:00:00

Output: The command completed successfully.

Reading .blg files with relog

relog converts .blg to CSV/TSV, sub-samples to a coarser interval, or filters to specific counters — a sister tool worth knowing about.

cmd
rem Convert to CSV
relog C:\PerfLogs\Workday.blg -f csv -o C:\PerfLogs\Workday.csv

Output:

text
Input
----------------
File(s):
     C:\PerfLogs\Workday.blg (Binary)

Begin:    5/25/2026 9:00:00
End:      5/25/2026 17:00:00
Samples:  5760

Output
----------------
File:    C:\PerfLogs\Workday.csv

The command completed successfully.

cmd
rem Workday.blg is sampled every 30 s, so -t 2 keeps one row per minute; keep only CPU
relog C:\PerfLogs\Workday.blg ^
    -t 2 ^
    -c "\Processor(_Total)\% Processor Time" ^
    -o C:\PerfLogs\cpu-minute.blg

Output:

text
Input
----------------
File(s):
     C:\PerfLogs\Workday.blg (Binary)

Begin:    5/25/2026 9:00:00
End:      5/25/2026 17:00:00
Samples:  960

Output
----------------
File:    C:\PerfLogs\cpu-minute.blg

The command completed successfully.

Trace collectors in depth

A trace collector subscribes to one or more ETW (Event Tracing for Windows) providers and records every event they emit to an .etl file. ETW is the same plumbing Windows uses internally — every kernel subsystem, framework, and many user-mode apps expose a provider.

Finding providers

cmd
rem All providers (long — pipe to file)
logman query providers > C:\Logs\all-providers.txt

Output: (none — output redirected to all-providers.txt)

cmd
rem Provider details — keywords, levels
logman query providers Microsoft-Windows-TCPIP

Output:

text
Provider                                 GUID
-------------------------------------------------------------------------------
Microsoft-Windows-TCPIP                  {2F07E2EE-15DB-40F1-90EF-9D7BA282188A}

Value             Keyword              Description
-------------------------------------------------------------------------------
0x0000000000000001 ut:Default          Default
0x0000000000000004 ut:PathState        Path state events
0x0000000000000008 ut:Send             Send events
0x0000000000000010 ut:Receive          Receive events
...

Value             Level                Description
-------------------------------------------------------------------------------
0x01              win:Critical         Critical
0x02              win:Error            Error
0x03              win:Warning          Warning
0x04              win:Informational    Informational
0x05              win:Verbose          Verbose

Filtering by keyword and level

-p <provider> [0xkeyword] [level] restricts which events from the provider get captured — important for high-volume providers like Microsoft-Windows-Kernel-Network.

cmd
rem Only TCP send/receive events (keywords 0x18), Informational+ (level 4)
logman create trace TcpSendRcv ^
    -p "Microsoft-Windows-TCPIP" 0x18 4 ^
    -o C:\Traces\TcpSendRcv.etl ^
    -f bincirc -max 256

Output: The command completed successfully.
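
A helper for working out the keyword mask and level that follow -p, added here as an example and not part of the original cheat sheet: it parses `logman query providers <name>` output, builds a mask from keyword names, and decodes an existing mask back to names. The sample output is constructed from the rows listed above, and the function names are hypothetical.

```python
import re

# Constructed sample: abridged `logman query providers Microsoft-Windows-TCPIP`
# output, using the keyword and level rows listed above.
SAMPLE = """
Provider                                 GUID
-------------------------------------------------------------------------------
Microsoft-Windows-TCPIP                  {2F07E2EE-15DB-40F1-90EF-9D7BA282188A}

Value             Keyword              Description
-------------------------------------------------------------------------------
0x0000000000000001 ut:Default          Default
0x0000000000000004 ut:PathState        Path state events
0x0000000000000008 ut:Send             Send events
0x0000000000000010 ut:Receive          Receive events

Value             Level                Description
-------------------------------------------------------------------------------
0x01              win:Critical         Critical
0x02              win:Error            Error
0x03              win:Warning          Warning
0x04              win:Informational    Informational
0x05              win:Verbose          Verbose
"""

ROW_RE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(\S+)")


def parse_provider(text):
    """Return {'keywords': {name: bit}, 'levels': {name: value}}."""
    tables = {"keywords": {}, "levels": {}}
    current = None
    for line in text.splitlines():
        head = line.split()
        if head[:1] == ["Value"] and len(head) > 1:
            # The second header word names the table that follows.
            current = {"Keyword": "keywords", "Level": "levels"}.get(head[1])
            continue
        m = ROW_RE.match(line)
        if m and current:
            tables[current][m.group(2)] = int(m.group(1), 16)
    return tables


def build_filter(provider, keywords, level):
    """Turn keyword and level names into the (mask, level) pair that follows -p."""
    unknown = [k for k in keywords if k not in provider["keywords"]]
    if unknown or level not in provider["levels"]:
        raise KeyError(f"not defined by this provider: {unknown or level}")
    mask = 0
    for k in keywords:
        mask |= provider["keywords"][k]
    return hex(mask), provider["levels"][level]


def decode_mask(provider, mask):
    """Name the keywords set in a mask; also return bits the provider lacks."""
    names = [n for n, bit in provider["keywords"].items() if mask & bit]
    known = 0
    for bit in provider["keywords"].values():
        known |= bit
    return names, mask & ~known


if __name__ == "__main__":
    tcpip = parse_provider(SAMPLE)
    print(build_filter(tcpip, ["ut:Send", "ut:Receive"], "win:Informational"))
    print(decode_mask(tcpip, 0x1C))
```

A non-zero second value from `decode_mask` means the mask sets bits this provider does not define, which usually points to a mask copied from a different provider.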

NT Kernel Logger (a special trace)

The NT Kernel Logger is a built-in trace with kernel-only providers — process create/exit, thread, image load, network, disk, registry. Only one kernel logger can run at a time. Choose what it records with keyword flags on the "Windows Kernel Trace" provider, given either as a hex mask or as a parenthesised list of keyword names.

cmd
rem Kernel trace: process, thread, image, network
logman create trace "NT Kernel Logger" -ets ^
    -p "Windows Kernel Trace" 0x10007 ^
    -o C:\Traces\kernel.etl -f bin -max 512

Output:

text
The command completed successfully.

cmd
rem Keyword-name form (process, thread, network, disk)
logman start "NT Kernel Logger" -ets ^
    -p "Windows Kernel Trace" (process,thread,net,disk) ^
    -o C:\Traces\kernel.etl

Output:

text
The command completed successfully.

Converting .etl files

The native viewer is Windows Performance Analyzer (WPA, part of the Windows ADK). For ad-hoc text inspection, tracerpt converts .etl to XML, CSV, or EVTX.

cmd
rem Generate an XML dump of the events (-of accepts CSV, EVTX or XML)
tracerpt C:\Traces\NetworkTrace.etl -o C:\Traces\NetworkReport.xml -of xml

rem CSV for grep / Excel
tracerpt C:\Traces\NetworkTrace.etl -o C:\Traces\NetworkTrace.csv -of csv

Output:

text
Input
----------------
File(s):
    C:\Traces\NetworkTrace.etl

Output
----------------
Text (Normal):  C:\Traces\NetworkReport.txt
Summary:        C:\Traces\summary.txt
DumpFile:       C:\Traces\dumpfile.xml

The command completed successfully.

Alert collectors

An alert DCS watches one or more counters against thresholds and fires an action (event log entry, scheduled task, or another DCS start) when breached. This is the lightweight alternative to a full monitoring agent.

cmd
rem Trigger when free disk on C: drops below 10%
rem -th sets the threshold; -el writes an event log entry when it trips
logman create alert LowDiskAlert ^
    -th "\LogicalDisk(C:)\% Free Space<10" ^
    -si 60 ^
    -el
logman start LowDiskAlert

Output: The command completed successfully.

When the threshold trips, an event is written to the Application log with source SysmonLog.

Configuration collectors

A configuration (cfg) DCS snapshots registry keys, files, and WMI state at start time — useful for before vs after drift audits across maintenance windows.

cmd
logman create cfg ConfigSnap ^
    -reg "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" ^
         "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" ^
    -mgt "ROOT\CIMV2:Win32_OperatingSystem.Caption" ^
    -ftc "C:\Windows\System32\drivers\etc\hosts" ^
    -o C:\Snapshots\ConfigSnap.txt
logman start ConfigSnap
logman stop ConfigSnap

Output: (text file with all queried values written to -o path)

update — modifying an existing DCS

logman update changes properties on a running or stopped DCS — add counters, change interval, swap output path. The DCS must be stopped before some changes (path, format).

cmd
rem Add a counter
logman update CPUMemLog ^
    -c "\Network Interface(*)\Bytes Total/sec"

Output:

text
The command completed successfully.

cmd
rem Change sample interval to 5 seconds
logman update CPUMemLog -si 5

Output:

text
The command completed successfully.

cmd
rem Set an end time
logman update CPUMemLog -e 2026-05-25 23:59:59

Output: The command completed successfully.

Get-Counter — PowerShell equivalent

Get-Counter is the PowerShell cmdlet equivalent of logman create counter plus typeperf. It samples counters interactively and returns objects, and -Continuous mimics a live logman collector.

powershell
# One-shot sample of CPU and memory
Get-Counter '\Processor(_Total)\% Processor Time',
            '\Memory\Available MBytes'

Output:

text
Timestamp                 CounterSamples
---------                 --------------
5/25/2026 10:14:22 AM     \\myhost\processor(_total)\% processor time : 12.34
                          \\myhost\memory\available mbytes            : 8120

powershell
# Continuous capture, every 5 seconds for 1 minute, write to .blg
Get-Counter '\Processor(_Total)\% Processor Time',
            '\Memory\Available MBytes' `
    -SampleInterval 5 -MaxSamples 12 |
    Export-Counter -Path C:\PerfLogs\quick.blg -FileFormat blg

powershell
# List counter sets
Get-Counter -ListSet * | Sort-Object CounterSetName | Select-Object -First 10

powershell
# Counters within a set
(Get-Counter -ListSet 'PhysicalDisk').Counter

Output:

text
\PhysicalDisk(*)\Current Disk Queue Length
\PhysicalDisk(*)\% Disk Time
\PhysicalDisk(*)\Avg. Disk Queue Length
...

powershell
# Continuous live view (Ctrl+C to stop)
Get-Counter '\Processor(_Total)\% Processor Time' `
    -SampleInterval 1 -Continuous |
    ForEach-Object {
        '{0:HH:mm:ss}  {1,6:F2}%' -f $_.Timestamp, $_.CounterSamples[0].CookedValue
    }

Output:

text
10:14:22   12.34%
10:14:23   14.10%
10:14:24   18.55%
...

Remote collection with -s

Every verb accepts -s <server> to operate against a remote machine. The Performance Logs Users group on the target controls who can create collectors; Remote Registry and File and Printer Sharing must be allowed through the firewall.

cmd
rem List DCS on a remote server
logman query -s server01

Output:

text
Data Collector Set                        Type                          Status
-------------------------------------------------------------------------------
RemoteCPU                                 Counter                       Running
System\System Diagnostics                 Configuration                 Stopped
System\System Performance                 Trace                         Stopped

The command completed successfully.

cmd
rem Create and start a remote counter collector
logman create counter RemoteCPU -s server01 ^
    -c "\Processor(_Total)\% Processor Time" ^
    -si 15 ^
    -o "\\server01\PerfLogs$\RemoteCPU.blg" ^
    -f bin
logman start RemoteCPU -s server01

Output: The command completed successfully.

Common pitfalls

  1. Log path must exist — logman create does not create the output directory; create it with mkdir first or the start command fails.
  2. Counter paths are case-sensitive on non-English systems — use logman query providers or typeperf -qx to get exact counter path strings for the local system locale.
  3. -f bincirc limits file size — circular binary logging caps the file at -max <MB> and wraps; for forensic collection use -f bin (non-circular) so no data is overwritten.
  4. ETL files require WPA or tracerpt to read — .etl files are binary; convert them with tracerpt C:\Traces\file.etl -o report.csv -of csv before reading with a text editor.
  5. Remote collection requires -s <server> — add -s server01 to create, start, stop, and query to target another machine; requires admin rights on the remote host.
  6. Only one NT Kernel Logger at a time — starting a second kernel trace returns The instance name passed was not recognized as valid by a WMI data provider. logman query -ets lists currently running ETW sessions.
  7. -ets bypasses the DCS — events-to-session traces (-ets) run as ad-hoc sessions without a persistent DCS definition. They survive logoff but not reboot. Use a regular DCS for persistence.
  8. Counter * wildcard expansion happens at start time — \Processor(*)\% Processor Time expands once; if a new core comes online later it isn't captured. Re-create the DCS to pick up new instances.
  9. -max is in MB, not bytes — confusingly, wevtutil sl /ms: is bytes but logman -max is megabytes. Common copy-paste bug.
  10. logman stop flushes asynchronously — the file may not be fully written when the command returns. Add timeout /t 2 before accessing the output for forensics.

Real-world recipes

Capture a 60-second CPU/memory baseline

cmd
@echo off
mkdir C:\PerfLogs\Baseline 2>NUL
rem Percent signs in counter paths are doubled because this runs as a batch file
logman create counter Baseline60 ^
    -c "\Processor(_Total)\%% Processor Time" "\Memory\Available MBytes" "\PhysicalDisk(_Total)\Disk Reads/sec" "\PhysicalDisk(_Total)\Disk Writes/sec" ^
    -si 5 ^
    -o C:\PerfLogs\Baseline\Baseline60.blg ^
    -f bin
logman start Baseline60
timeout /t 60 /nobreak >NUL
logman stop Baseline60
logman delete Baseline60
echo Baseline collected to C:\PerfLogs\Baseline\Baseline60.blg

Output:

text
The command completed successfully.

Waiting for 60 seconds, press CTRL+C to quit ...

The command completed successfully.
The command completed successfully.
Baseline collected to C:\PerfLogs\Baseline\Baseline60.blg

Deploy the same DCS to multiple servers

cmd
@echo off
logman export MasterDCS -xml C:\Config\MasterDCS.xml
for %%S in (server01 server02 server03) do (
    logman import -name MasterDCS -xml C:\Config\MasterDCS.xml -s %%S
    logman start MasterDCS -s %%S
    echo Started on %%S
)

Output:

text
The command completed successfully.
Started on server01
The command completed successfully.
Started on server02
The command completed successfully.
Started on server03

Run a load-test baseline with start/stop hooks

The classic pattern: spin up the collector, exercise the system under test, stop the collector, archive the BLG.

cmd
@echo off
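rem Assumes DATE is formatted dd/MM/yyyy; adjust the offsets for other locales
set RUN=%DATE:~-4,4%%DATE:~-7,2%%DATE:~-10,2%_%TIME:~0,2%%TIME:~3,2%
rem TIME pads hours before 10 with a space; turn it into a zero
set RUN=%RUN: =0%
mkdir C:\PerfLogs\%RUN%

rem Percent signs in counter paths are doubled because this runs as a batch file
logman create counter LoadTest_%RUN% ^
    -c "\Processor(*)\%% Processor Time" ^
       "\Memory\Available MBytes" "\Memory\Pages/sec" ^
       "\PhysicalDisk(*)\Avg. Disk sec/Read" "\PhysicalDisk(*)\Avg. Disk sec/Write" ^
       "\Network Interface(*)\Bytes Total/sec" ^
       "\Process(myapp)\%% Processor Time" ^
       "\Process(myapp)\Working Set" ^
    -si 5 ^
    -o C:\PerfLogs\%RUN%\loadtest.blg -f bin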

logman start LoadTest_%RUN%
echo Running load test...
call C:\Tests\run-load.cmd
logman stop LoadTest_%RUN%
logman delete LoadTest_%RUN%

echo Baseline saved to C:\PerfLogs\%RUN%\

Output:

text
The command completed successfully.
The command completed successfully.
Running load test...
The command completed successfully.
The command completed successfully.
Baseline saved to C:\PerfLogs\20260525_0914\

Network slowdown capture

Combine TCP/IP, HTTP, and DNS providers for a 5-minute trace, then convert for analysis.

cmd
@echo off
mkdir C:\Traces\NetSlow 2>NUL

logman create trace NetSlow ^
    -p "Microsoft-Windows-TCPIP"            0xffffffffffffffff 5 ^
    -p "Microsoft-Windows-HttpService"      0xffffffffffffffff 5 ^
    -p "Microsoft-Windows-DNS-Client"       0xffffffffffffffff 5 ^
    -o C:\Traces\NetSlow\netslow.etl ^
    -f bincirc -max 1024 ^
    -nb 256 1024 -bs 1024

logman start NetSlow
echo Reproduce the issue now... press any key to stop.
pause >NUL
logman stop NetSlow
logman delete NetSlow

tracerpt C:\Traces\NetSlow\netslow.etl -o C:\Traces\NetSlow\netslow.csv -of csv
echo Trace exported to CSV

Output:

text
The command completed successfully.
The command completed successfully.
Reproduce the issue now... press any key to stop.
The command completed successfully.
The command completed successfully.
Trace exported to CSV

Battery and storage baseline for endpoint health

A lightweight always-on collector that captures battery, disk queue, and memory pressure — 1-minute intervals, 7-day rolling window.

cmd
@echo off
mkdir D:\PerfLogs\Endpoint 2>NUL
logman create counter EndpointHealth ^
    -c "\Battery Status(*)\Charge Rate" ^
       "\Battery Status(*)\Remaining Capacity" ^
       "\Memory\Available MBytes" "\Memory\Committed Bytes" ^
       "\PhysicalDisk(_Total)\Avg. Disk Queue Length" ^
    -si 60 ^
    -o D:\PerfLogs\Endpoint\Endpoint.blg ^
    -f bincirc -max 100 ^
    -cnf 24:00:00
logman start EndpointHealth

Output:

text
The command completed successfully.
The command completed successfully.

Schedule with schtasks for boot-time collection

Performance issues that happen during boot need a collector that starts automatically.

cmd
schtasks /create /tn "BootBaseline" /ru SYSTEM /sc onstart ^
    /tr "logman start BootBaseline" /f
schtasks /create /tn "BootBaselineStop" /ru SYSTEM /sc onstart /delay 0010:00 ^
    /tr "logman stop BootBaseline" /f

Output:

text
SUCCESS: The scheduled task "BootBaseline" has successfully been created.
SUCCESS: The scheduled task "BootBaselineStop" has successfully been created.

Replicate a config across a fleet in PowerShell

powershell
$servers = 'srv01','srv02','srv03'
logman export MasterDCS -xml C:\Config\MasterDCS.xml

foreach ($s in $servers) {
    logman import -name MasterDCS -xml C:\Config\MasterDCS.xml -s $s
    logman start  MasterDCS -s $s
    Write-Host "$s — started"
}

Output:

text
The command completed successfully.
srv01 — started
The command completed successfully.
srv02 — started
The command completed successfully.
srv03 — started

Daily counter rollup into a Power BI-friendly CSV

cmd
@echo off
set Y=%DATE:~-4,4%
set M=%DATE:~-7,2%
set D=%DATE:~-10,2%
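rem Workday.blg is sampled every 30 s, so -t 2 keeps one row per minute
rem Percent signs in counter paths are doubled because this runs as a batch file
relog C:\PerfLogs\Workday.blg ^
    -t 2 ^
    -c "\Processor(_Total)\%% Processor Time" "\Memory\Available MBytes" ^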
    -o C:\Reports\rollup_%Y%-%M%-%D%.csv -f csv

Output: (CSV with one row per minute written to the dated path)

Sources

References consulted while writing this article.

  • Microsoft Learn — logman command reference — Authoritative flag list and parameter semantics used to build the Essential options table.
  • SS64 — logman — Cross-version comparison and historical syntax notes.
  • wevtutil — query/manage Event Log channels (the event side of monitoring).
  • typeperf — quick one-shot counter sampling, no DCS required.
  • relog — convert and re-sample .blg files.
  • tracerpt — convert .etl traces to text/CSV/EVTX.
  • Get-Counter — PowerShell counter cmdlet.
  • powercfg — /energy and /sleepstudy use ETL under the hood.
  • systeminfo — pair perf data with build/hotfix context.