ETW Trace Processing Fails with Error Code 0x80070032

Jayson Maxson


New values in an existing ETW event aren’t supported, and a new version of the Windows Performance Toolkit (WPT) or the Microsoft.Windows.EventTracing.Processing.Toolkit NuGet library is needed to process traces with these events.

About this failure

We began to receive reports of WPA failing to process traces with this error code in late 2022.

Debugging revealed the error code was due to previously unseen values in an existing CLR event describing a ReJIT operation. This event is used by WPA, XPerf, and EventTracing libraries to map address references from .NET binaries to source file and line information.

A comment in our code revealed that, at the time the code was written, every existing trace had a value of zero in the ReJITID field of this event. Because no testing could be done with other values, the code was written to return ERROR_NOT_SUPPORTED rather than return potentially incorrect data.

A quick search revealed this bug which was opened in mid-2022, indicating that the CLR wasn’t correctly setting this field’s value. The bug was fixed for .NET 7 and events with the non-zero field values began appearing in traces, particularly when PowerShell updated to the latest .NET SDK.

The workaround and fix

For the short-term, we’ve removed the error case to unblock customers. This will result in the same behavior as before the CLR bug was fixed. In this case, it’s possible that the source file and line information will be incorrect for some .NET symbols. Function names and other symbol information are not impacted.

Long-term we will update our code to respect ReJIT operations to guarantee correct source file and line information after a ReJIT has been identified.

Updated release locations

EventTracing requires Microsoft.Windows.EventTracing.Processing.Toolkit v1.11.0 or later:

Windows 11 ADK Preview:

Windows 11 SDK Preview: