Tool

What it does

PerfView equivalent

load_trace

Opens / caches a .etl. Returns trace metadata, the Capabilities keyword presence map, and per-trace symbol-server recommendations. First call 30 s – 3 min while .etlx builds; subsequent are instant.

Open a trace file (no Capabilities equivalent)

list_processes

Lists processes (sortable by cpu / wall / wait_ratio). WaitRatio = WallUs / CpuUs surfaces "high wall, low CPU" processes (blocked on minifilter / IPC / etc.). PID 0 (Idle) and PID 4 (System) hidden by default.

Processes view

process_create_timing

Per-fork timing for a parent PID. FirstImageLoadOffsetUs = the kernel-side window between ProcessStart and the first DLL load — exactly where AV / EDR process-create callbacks burn time invisibly. Median / p95 / max aggregates across all children.

(no equivalent — composite, see docs/CASE_STUDIES.md)

thread_lifetime

Per-PID chronological thread lifecycle: every ThreadStart / ThreadStop with StartTimeUs, EndTimeUs, LifetimeUs, and PeakConcurrentThreads. Catches thread-pool thrash and fork-bomb patterns. TraceResidentStart/End flags threads bounded by trace capture rather than real spawn / exit.

(no equivalent — events filter on Thread/Start + Thread/Stop manually)

Tool

What it does

PerfView equivalent

cpu_top_functions

Top-N hot functions by exclusive CPU samples in a window / for a PID. Optional excludeEtwSelfOverhead folds EtwpLogKernelEvent etc. into a single [ETW Overhead] bucket.

CPU Stacks → ByName

cpu_top_functions_batch

Same as above for multiple PIDs in a single trace load. Each PID gets an independent CallTree (its inclusive-% column normalises to that PID's samples).

(no equivalent — saves N round-trips)

cpu_caller_callee

Drill into a focus frame: callers (frames calling INTO it) and callees (frames it calls OUT to), each ranked by inclusive CPU samples. Recursion-safe.

CPU Stacks → Callers / Callees tabs

Tool

What it does

PerfView equivalent

wait_analysis

Per-thread blocked time + dominant wait reasons. The canonical answer to "why was this slow?" when CPU is low. Reasons like WrFilterContext (blocked in a Filter Manager minifilter callback) directly identify the kernel state.

Thread Time → blocked-time per thread

wait_top_stacks

Top-N call stacks ranked by blocked μs, built from the resume-point stack walk on each ThreadCSwitch event. Answers "where in the code is the wait happening" (vs wait_analysis which answers "which thread / which reason").

Thread Time / Wait Time → BlockedTime metric (ThreadTimeStackComputer)

wait_caller_callee

Drill into a focus frame; metric is blocked μs.

Thread Time → Callers / Callees tabs

Tool

What it does

PerfView equivalent

image_load_timing

Per-process chronological list of every ImageLoad event with offset from ProcessStart. Spot late-loading DLLs or per-load minifilter / sig-scan delays between loads.

(no direct equivalent — events list filtered manually)

image_load_top_gaps

Top-N largest gaps between consecutive image loads. Pairs with the chronological view; same data, ranked by gap. Response also carries FirstLoadOffsetUs (kernel-side fork tax before any DLL loads).

(no equivalent — custom view)

image_load_top_stacks

Top-N call stacks ranked by ImageLoad event count. Distinguishes eager loads (LoadLibraryEx in a main initialiser) from lazy / cascading loads (CoCreateInstance, AmsiOpenSession, EDR-injected providers).

Image Load Stacks

image_load_caller_callee

Drill into a focus frame; metric is image-load count.

Image Load Stacks → Callers / Callees tabs

Tool

What it does

PerfView equivalent

file_io_top_files

Top-N files by total read + write bytes.

File I/O view → ByFile

file_io_top_stacks

Top-N stacks by file-IO bytes. Captures all syscalls including cache-served reads — diff with disk_io_top_stacks to find cache hits. Requires the FileIO keyword (default CPU.light omits it).

File I/O Stacks

file_io_caller_callee

Drill on a focus frame; metric is file-IO bytes.

File I/O Stacks → Callers / Callees tabs

disk_io_top_stacks

Top-N stacks by physical disk-IO bytes — only events that hit physical media (no cache). Requires the DiskIO keyword.

Disk I/O Stacks

disk_io_caller_callee

Drill on a focus frame; metric is physical disk bytes.

Disk I/O Stacks → Callers / Callees tabs

hard_fault_by_file

Top-N files by hard page-in bytes. Most hard faults are mmap'd files being touched for the first time (DLLs, data files, network-share content); some also come from paged-out heap/stack pages and the page file. Identifies which file caused the page-in load. Requires the HardFaults keyword (NOT in default WPR profiles — see docs/WPR_PROFILE.md).

Memory Hard Fault → ByFile

hard_fault_top_stacks

Top-N stacks by hard-fault page-in bytes. Distinguishes eager loader-driven page-in from lazy / scanner-induced page-in.

Memory Hard Fault Stacks

hard_fault_caller_callee

Drill on a focus frame; metric is page-in bytes.

Memory Hard Fault Stacks → Callers / Callees tabs

Tool

What it does

PerfView equivalent

virtual_alloc_top_stacks

Top-N stacks by VirtualMemAlloc + VirtualMemFree bytes. Distinct from physical residence (hard_fault_*) — answers "who's reserving 4 GB of address space" / "who's leaking VirtualAllocs". Each row carries both Bytes and OpCount. Requires the VirtualAlloc kernel keyword (NOT in default WPR CPU profiles).

VirtualAlloc Stacks

virtual_alloc_caller_callee

Drill on a focus frame; metric is virtual-memory bytes.

VirtualAlloc Stacks → Callers / Callees tabs

heap_alloc_top_stacks

Top-N stacks by NT-heap allocation bytes (RtlAllocateHeap / HeapAlloc / malloc / new — anything that lands in the user-mode heap). Native-leak finder. Distinct from VirtualAlloc: VirtualAlloc reserves page-granular address space, the heap allocator sub-allocates from it. Splits AllocBytes / ReallocBytes. Free events carry no size on the wire and are not counted. Requires the Heap provider enabled per-process (default WPR profiles do NOT enable it; use PerfView's /HeapTrace flag or a custom .wprp <Heap> element).

HeapAllocStacks

heap_alloc_caller_callee

Drill on a focus frame; metric is NT-heap bytes.

HeapAllocStacks → Callers / Callees tabs

Tool

What it does

PerfView equivalent

net_top_stacks

Top-N stacks by network bytes — TCP + UDP, IPv4 + IPv6 send/recv merged. Splits TcpBytes / UdpBytes in the response. Pairs well with wait_analysis for "high wall, low CPU" cases where the wait is on a network round-trip. Connect / Accept / Disconnect events have no byte metric — use find_marker for those. Requires the NetworkTrace keyword (NOT in default CPU profiles).

TCP/IP Stacks + UDP/IP Stacks (merged)

net_caller_callee

Drill on a focus frame; metric is network bytes.

TCP/IP Stacks → Callers / Callees tabs

net_connections

Per-connection lifecycle list — Connect/Accept paired with Disconnect/Reconnect by connid to give "connection X opened at T1, closed at T2, lasted T2−T1". Useful for "connect-to-disconnect latency outliers" / "is RPC slow because of connection setup". IPv4 + IPv6 merged with an IsIPv6 flag. Connections still open at trace end have TraceResidentEnd=true.

(no direct equivalent — Events view manual pairing)

Tool

What it does

PerfView equivalent

registry_top_stacks

Top-N stacks by registry-operation count (Query / Open / Create / SetValue / EnumerateKey / etc.). Useful for "who's pounding the registry on every hot-path call". Metric is op count (no natural byte cost for registry). Requires the Registry keyword (NOT in default CPU profiles).

Registry Stacks

registry_caller_callee

Drill on a focus frame; metric is registry op count.

Registry Stacks → Callers / Callees tabs

Tool

What it does

PerfView equivalent

ready_thread_top_stacks

Top-N readier stacks (the code that did the SetEvent / lock release / IOCP completion that woke a blocked thread). Pair with wait_analysis: that one says "thread X blocked on Y for Z μs" — this one closes the loop with "and here's who finally unblocked it". Filter awakenedPid to focus on "who readied threads in this PID". Requires CSwitch / ReadyThread keywords (in default kernel profiles).

ReadyThread Stacks

ready_thread_caller_callee

Drill on a focus frame; metric is ready-event count.

ReadyThread Stacks → Callers / Callees tabs

Tool

What it does

PerfView equivalent

interrupt_top_stacks

Top-N stacks by kernel interrupt time (DPC + ISR microseconds). Surfaces hot driver routines burning CPU at high IRQL — frequent offenders are consumer-grade GPU drivers, network drivers under load, AV mini-filter callbacks. On a healthy system this should show <5% of trace CPU. Splits DpcUs / IsrUs. Requires Interrupt + DPC keywords (default CPU profiles enable both).

DPC/ISR Stacks

interrupt_caller_callee

Drill on a focus frame; metric is interrupt μs.

DPC/ISR Stacks → Callers / Callees tabs

Tool

What it does

PerfView equivalent

alpc_top_stacks

Top-N stacks by ALPC message count (Send + Receive). ALPC is the kernel IPC primitive used by RPC, COM, AppContainer broker calls, lsass, the SCM, and most of the Windows service surface — useful for "is this slow because of an LPC round-trip" / "which call chain is doing all the cross-process IPC". Requires the ALPC keyword (NOT in default CPU profiles).

ALPC Stacks

alpc_caller_callee

Drill on a focus frame; metric is ALPC message count.

ALPC Stacks → Callers / Callees tabs

Tool

What it does

PerfView equivalent

clr_gc_analysis

Per-GC list with wall duration AND stop-the-world pause time. GCStart→GCStop brackets the wall interval; GCSuspendEEStart→GCRestartEEStop is the actual mutator pause (matters for background / concurrent GC, where the wall covers far more than the pause). Reports per-row Generation / Reason / PauseUs plus aggregate TotalGcCount / Gen0Count / Gen1Count / Gen2Count / TotalPauseUs.

GCStats

clr_jit_analysis

Top-N methods by JIT compilation duration. Matches MethodJittingStarted→MethodLoadVerbose on (PID, MethodID). R2R / NGen / pre-jitted methods don't fire JittingStarted, so they're invisible — which is correct for "what's the JIT cost in this trace".

JIT Stats

clr_alloc_top_stacks

Top-N stacks by managed-heap allocation bytes, driven by GCAllocationTick events (one per ~100 KB allocated per (heap, generation, type) — sampled, low-overhead, on every CLR ≥ 4.0). Response includes TopTypes (top type names by total bytes). The canonical "who's allocating all the strings on the request hot path" tool. Requires the GC keyword.

GC Heap Alloc Stacks

clr_alloc_caller_callee

Drill on a focus frame; metric is allocation bytes.

GC Heap Alloc Stacks → Callers / Callees tabs

clr_exception_top_stacks

Top-N stacks by .NET exception throw count (ExceptionStart events). Useful for "is this code path throwing 1000 exceptions per second" / "where is FormatException being swallowed in a retry loop". Response includes TopTypes (top exception type names by count). Requires the Exception keyword.

Exceptions Stacks

clr_exception_caller_callee

Drill on a focus frame; metric is exception count.

Exceptions Stacks → Callers / Callees tabs

clr_contention_top_stacks

Top-N stacks by managed-monitor blocked μs — lock / Monitor.Enter waits. Matches ContentionStart→ContentionStop by ThreadID. Filters to ContentionFlags.Managed (native lock contention from the same provider is excluded). The canonical lock-hotspot tool for managed code. Requires the Contention keyword.

Monitor Contention Stacks

clr_contention_caller_callee

Drill on a focus frame; metric is blocked μs.

Monitor Contention Stacks → Callers / Callees tabs

clr_gc_heap_stats

Managed-heap snapshot timeline — one row per GCHeapStats event (CLR fires it at the end of each GC) with TotalHeapBytes, Gen0/1/2/LOH/POH sizes, PinnedObjectCount, GcHandleCount. Use to answer "is the heap leaking" / "are pinned objects climbing" without orchestrating multiple calls. Pairs with clr_gc_analysis.

GCStats per-GC snapshot table

clr_finalizer_analysis

Top types finalized + finalizer-thread pause batches. Aggregates GCFinalizeObject events by TypeName for the TopTypes table and pairs GCFinalizersStart→GCFinalizersStop for the per-batch list (each carries the count of finalizers run). Useful for "why are GCs slow" (finalizer queue can hold up the next GC) and "what's allocating finalizable objects".

(no equivalent — composite of GCStats fields + Events view filtering)

Tool

What it does

PerfView equivalent

find_marker

Search all ETW events whose name or task contains a substring. Default mode count_by_event returns a histogram (avoids token blow-up); also count_by_process and rows (full event detail). Useful for surfacing first-party Defender / EDR provider telemetry — e.g., the Microsoft-Antimalware-AMFilter provider's AMFilter_FileScan rows directly show what the scanner is doing.

Events view

generic_event_top_stacks

Top-N stacks by event count for any user-mode ETW provider — AspNetCore, Kestrel, EFCore, Antimalware-AMFilter, Sense (Defender for Endpoint), Microsoft-Windows-DxgKrnl (GPU), Microsoft-Windows-Kernel-Power (CPU frequency / C-state), or any custom EventSource. Use find_marker first to identify which providers are in the trace, then plug the exact ProviderName here. Optional eventNameSubstring narrows to a specific event class. Stack quality depends on whether stack-walks were enabled for the provider in the .wprp.

Any Stacks (single-provider)

generic_event_caller_callee

Drill on a focus frame; metric is event count.

Any Stacks → Callers / Callees tabs

Tool

What it does

PerfView equivalent

diagnose_slow_startup

Picks slowest-by-wait-ratio processes (or matches nameSubstring), then runs wait_analysis + image_load_timing + cpu_top_functions for each in the startup window — one call instead of orchestrating four.

(no equivalent — composite)

Tool

What it does

PerfView equivalent

set_symbol_path

Sets _NT_SYMBOL_PATH for the running server (replaces or appends).

File → Set Symbol Path…

add_symbol_server

Appends a symbol server URL with optional local cache (defaults to %LocalAppData%\WprMcp\Symbols).

File → Set Symbol Path… (single entry)

diagnose_symbols

Reports per-module symbol status for a loaded trace and suggests fixes (which servers to add) for unresolved modules.

(no equivalent — programmatic)