Trace Office Apps

Microsoft Office applications are able to provide extra logging which, along with an ETW trace, can help to troubleshoot issues.

The Short Story

Various types of logging can be enabled in Microsoft Office applications (Word, Excel, PowerPoint, OneNote, Classic Outlook).

• All of the trace scripts capture certain Office-specific event pairs to facilitate performance analysis.

• The TraceOffice script enables application-generated logs and ETW-generated traces for Word, Excel, PowerPoint and OneNote, which are automatically gathered and zipped into one, for later analysis.

• The TraceOutlook script additionally enables, gathers, and zips the logs and traces for Classic Outlook.

Quick Start

Trace and Log: Word, Excel, PowerPoint, OneNote

• Download and unzip MSO-Scripts.
  
• MSO-Scripts\TraceOffice Start [-All]
  Launch and exercise one or more Office apps. Then quit the apps.
• MSO-Scripts\TraceOffice Stop
• MSO-Scripts\TraceOffice View

List all options:

• MSO-Scripts\TraceOffice -?

Trace and Log: Classic Outlook

• Download and unzip MSO-Scripts.
  
• MSO-Scripts\TraceOutlook Start [-All]
  Launch and exercise Outlook. Then quit Outlook.
• MSO-Scripts\TraceOutlook Stop
• MSO-Scripts\TraceOutlook View

List all options:

• MSO-Scripts\TraceOutlook -?

Important

If the PowerShell script does not run, you can instead run the Batch script: MSO-Scripts\TraceOffice.BAT ...
See: What if I can't run PowerShell scripts in my environment?

The Long Story

Office-specific ETW Logging

All MSO-Scripts traces capture several classes of Office events which are mostly organized as Start/Stop pairs:

• High Value Activities:† App Launch, Load, Save, etc.
  These appear in the top chart/table of the 'Office Events' tab in WPA.
  
• Code Markers: A set of named event pairs showing elapsed time for various (sometimes cryptic) activities within MS Office apps.
  These appear in the second chart/table of the 'Office Events' tab in WPA.
• Generic Events: ProcessStart/Stop, Office Session Information, etc.
  These appear in the third chart/table of the 'Office Events' tab in WPA.

Note

† The High Value Activity events are logged only when Optional Diagnostic Data is enabled within the MS Office apps:
Options > Trust Center Settings > Privacy Settings > Enable: Send additional diagnostic data and usage to Microsoft

Caution

The High Value Activity and Code Marker events are organized using Regions of Interest and based on internal logging mechanisms, which are subject to change.

Unified Logging Service (ULS)

• In older versions of MS Office, ULS Logging was enabled via cryptic registry values located here:
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentEcs\<AppName>\Overrides
  The resulting diagnostic log files are created here: %TEMP%\Diagnostics\<ProcessName>\*.log
• In more recent versions of MS Office, ULS logs are created by default.
• Microsoft provides a script for controlling the diagnostic log files.
• Similarly, the TraceOffice and TraceOutlook scripts control the diagnostic log files (via registry) for:
  <AppName> = Word, Excel, PowerPoint, OneNote; Outlook
  They gather the logs from:
  %TEMP%\Diagnostics\<ProcessName> = WinWord, Excel, PowerPnt, OneNote; Outlook

Tip

There is a registry key to control the default state for all of MS Office ULS Logging.
To disable ULS logging in Office by default:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentEcs\ALL\Overrides!ofzh3kkunwubxh0 = "false" [REG_SZ]

Classic Outlook

Outlook can generate further Global Logging, which the TraceOutlook script also enables.

Capturing All Logs and ETW Providers

Additional logging is enabled with the -All switch: TraceOffice/Outlook Start -All

• Network tracing is enabled, to be viewed with: TraceNetwork View -Path <path>\MSO-TraceOffice/Outlook.etl
• For Outlook, Advanced Logging is enabled.
• Customized, Extra Logging is enabled.

Customized, Extra Logging

The TraceOffice.ps1 and TraceOutlook.ps1 scripts can be modified and customized to gather even more log types.
See $ExtraLogs, therein.

Standard User vs. Administrator

A common scenario? Apps run in a Standard User environment, but ETW traces require Administrator privilege.

• When not run as Administrator, the TraceOffice and TraceOutlook scripts will enable and gather only the application-generated log files.
• When run as Administrator, the scripts may see a CURRENT_USER registry root and a LOCALAPPDATA filesystem root different from what the applications see. In that case the scripts set registry values and gather logging files using both sets of roots.

Verbose

• TraceOffice/Outlook Start [-All] -Verbose : Reveal the WPR command and its recording profiles.
• TraceOffice/Outlook Status [-All] -Verbose : Reveal the registry logging values set and the ETW providers enabled.
• TraceOffice/Outlook Stop [-All] -Verbose : Reveal the ETW providers enabled, and the log files and ETW trace file collected.

Additional Documentation

• Diagnostic Logs for MS Office Apps
• How to Enable MS Office Logging
• How to Enable Global and Advanced Logging for MS Outlook
• What is the Enable Logging (Troubleshooting) Option in MS Outlook?
• Diagnostic Log Collection in Support and Recovery Assistant
• Scan Outlook using MS Support and Recovery Assistant
• Log Files for Office Updates
• Troubleshoot Setup Problems in MS Office
• Overview of Diagnostic Log Files for MS Office
• Diagnostic Data in Microsoft 365
• Using the Diagnostic Data Viewer with MS Office
• Change MS Office Diagnostics Settings
• Enable Trust Center Logging TCDiag