Using Windows registry hooks to invoke Intel® VTune™ Amplifier XE to profile Windows services

Conventional wisdom for using Intel® VTune™ Amplifier XE to profile Windows* services is to start the service and then attach VTune Amplifier XE to the running process. Often however, there may be additional constraints that prevent the use of simple attachment, such as the use of __itt APIs, or integrated JIT code that requires the application to be launched from the profiler. In these cases, hooks buried in the Windows Registry may make it possible to use VTune Amplifier XE to launch the application, even when it is invoked as a service. This article shares the details of this technique.

If the service binary path is just replaced with the path to amplxe-cl, the VTune Amplifier XE command line tool, the service start time may increase significantly. Once the service is started it needs to register with the Windows Security Control Manager (SCM). SCM has a timeout for this registration time that is not adjustable. Increased service launch time under profiling may result in a situation where the profiled service may not start in time to register in the SCM. That is where the trick we’re about to describe may prove useful.

On Windows there is a useful registry feature that specifies for some executable file another command that should be launched instead.  Originally it was created to launch a debugger instead, see, but it has many other applications such the one described here.  The important things about this feature are:

  • You can specify a "debugger" registry attribute under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable name>" but use any command.  It will be launched instead of the application itself. This registry path should be used for 64-bit processes.
  • The command that is specified cannot blindly launch the application itself again: unexpected recursion will result.  Instead, you can use a batch file which copies the executable and launches it so that there is no recursive handling of the debugger property.
  • If the process that launches the executable is 32-bit, then a separate registry branch under Wow6432Node should be used.  The rest of this example uses the 32-bit alternative to the registry path listed above: "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\ Windows NT\CurrentVersion\Image File Execution Options\<executable name>".

Steps to use the workaround (for analyzing 32-bit process):

1. At the Start-> Run prompt, type "regedit"

2. Navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

3. Under the Image File Execution Options folder, locate the name of the profiled service process (e.g. YourAnalyzedSrv.exe). If you cannot find the application you want to profile:

a. Right-click the Image File Execution Options folder and choose New Key from the shortcut menu.

b. Right-click the new key and choose Rename from the shortcut menu.

c. Edit the key name to the name of your application, e.g. YourAnalyzedSrv.exe.

4. Right-click the YourAnalyzedSrv.exe folder and choose New String Value from the shortcut menu.

5. Right-click the new string value and choose Rename from the shortcut menu.

6. Change the name to "debugger".

7. Right-click the new string value and choose Modify from the shortcut menu. The Edit String dialog box appears.

8. In the Value data box, type "cmd.exe /c C:\\temp\\profile.bat".  Click OK.

9. Create C:\temp\profile.bat file with the following content:

set AMPLXE_HOME=C:\Program Files (x86)\Intel\VTune Amplifier XE 2011\
set AMPLXE_RESULT_DIR=C:\temp\my_amplxe_results

if x%1 == x (
    echo usage: profile.bat {exe path} >&2
    exit /b 1

set CURNAME=%1
set NEWNAME=%~dpn1.copied%~x1
copy /Y %CURNAME% "%NEWNAME%" || exit /b 1 "%AMPLXE_HOME%\bin32\amplxe-cl.exe" -user-data-dir "%AMPLXE_RESULT_DIR%" -c lightweight-hotspots -- "%NEWNAME%"

Essentially it copies the executable passed in the first argument (the system passes full path to the analyzed process here) and then profiles it using Lightweight Hotspots analysis type.

10. Run the service to be analyzed. It will implicitly invoke profiling the analyzed service with VTune Amplifier XE. Results will appear in the folder specified (C:\temp\my_amplxe_results in this example).

11. You may stop your analyzed service or stop collection explicitly:

amplxe-cl -C stop -r C:\temp\my_amplxe_results\r000lh

12. When profiling is finished, delete "debugger" string value from registry and restart the profiled service.

And that's all there is to it: using a debug hook provided by Microsoft, we can actually launch services under the control of our profiling tools and gain the advantages that that technique provides.

For more complete information about compiler optimizations, see our Optimization Notice.