How can I add Windows Networking events to my custom wprp file?


I'm trying to capture an etl trace on the HoloLens with my own events, and some generic networking events. Using WPR on my PC, I can choose Networking I/O activity, which will show events like Microsoft-Windows-TCPIP when I analyze in WPA. I can't figure out how to see these events on a HoloLens, or successfully put them in my wprp file. I've tried the following with no success, even on Windows. My own events work fine.

    <EventProvider Id="Microsoft.Windows.TCPIP" Name="2F07E2EE-15DB-40F1-90EF-9D7BA282188A"/>
...
    <EventProviderId Value="Microsoft.Windows.TCPIP"/>


Here is a WPRP file that captures "Microsoft-Windows-TCPIP" and "Microsoft-Windows-Kernel-Network" events.

<?xml version="1.0" encoding="utf-8"?>
<!--
  WPR recording profile for network tracing. It records kernel events through
  the "NT Kernel Logger" session and three providers through a second session:
  Microsoft-Windows-Networking-Correlation, Microsoft-Windows-Kernel-Network
  and Microsoft-Windows-TCPIP.

  The kernel keywords below (ProcessThread, Loader, NetworkTrace) mean the ETL
  describes process, image-load and network activity for the whole machine.
  Treat the resulting file as sensitive and review it before sharing.
-->
<WindowsPerformanceRecorder
    Version="1.0"
    Author="MagicAndre1981"
    Copyright="MagicAndre1981"
    Company="MagicAndre1981">
  <Profiles>

    <!-- Kernel session. NOTE(review): BufferSize is presumably in KB, so
         512 buffers of 1024 KB is up to 512 MB for this collector; confirm
         that this fits on a memory-constrained target device. -->
    <SystemCollector Id="SystemCollector" Name="NT Kernel Logger">
      <BufferSize Value="1024" />
      <Buffers Value="512" />
    </SystemCollector>

    <!-- Session for the three EventProvider entries; same buffer settings. -->
    <EventCollector
        Id="EventCollector_UserModeEvents_Session"
        Name="UserModeEvents_Session">
      <BufferSize Value="1024" />
      <Buffers Value="512" />
    </EventCollector>

    <!-- Kernel event groups to enable, and the subset that also records a
         call stack with each event. -->
    <SystemProvider Id="SystemProvider">
      <Keywords>
        <Keyword Value="ProcessThread" />
        <Keyword Value="Loader" />
        <Keyword Value="SampledProfile" />
        <Keyword Value="Interrupt" />
        <Keyword Value="DPC" />
        <Keyword Value="ReadyThread" />
        <Keyword Value="CSwitch" />
        <Keyword Value="NetworkTrace" />
      </Keywords>
      <Stacks>
        <Stack Value="SampledProfile" />
        <Stack Value="CSwitch" />
        <Stack Value="ReadyThread" />
        <Stack Value="ImageLoad" />
        <Stack Value="ImageUnload" />
      </Stacks>
    </SystemProvider>

    <!-- Providers are referenced by Name (the registered provider name) and
         given a short Id that the Profile section uses. Level="5" is the ETW
         verbose level; Stack="true" requests a stack per event.
         NOTE(review): the keyword masks are reproduced as given; the meaning
         of the individual bits is not shown here. Check them against the
         provider manifest, e.g. with
         "logman query providers Microsoft-Windows-TCPIP". -->
    <EventProvider
        Id="NetworkingCorrelation"
        Name="Microsoft-Windows-Networking-Correlation"
        Level="5"
        Stack="true">
      <Keywords>
        <Keyword Value="0x7FFF0000000F" />
      </Keywords>
    </EventProvider>

    <!-- No Keywords element: no keyword mask is given for this provider. -->
    <EventProvider
        Id="KernelNetwork"
        Name="Microsoft-Windows-Kernel-Network"
        Level="5"
        Stack="true"
        NonPagedMemory="true" />

    <EventProvider
        Id="TCP"
        Name="Microsoft-Windows-TCPIP"
        Level="5"
        Stack="true"
        NonPagedMemory="true">
      <Keywords>
        <Keyword Value="0x0000000400000000" />
      </Keywords>
    </EventProvider>

    <!-- File-mode profile: binds each collector to its providers by Id. -->
    <Profile
        Id="NetworkProfile.Verbose.File"
        Name="NetworkProfile"
        Description="Network Profile"
        LoggingMode="File"
        DetailLevel="Verbose">
      <Collectors>
        <SystemCollectorId Value="SystemCollector">
          <SystemProviderId Value="SystemProvider" />
        </SystemCollectorId>
        <EventCollectorId Value="EventCollector_UserModeEvents_Session">
          <EventProviders>
            <EventProviderId Value="NetworkingCorrelation" />
            <EventProviderId Value="KernelNetwork" />
            <EventProviderId Value="TCP" />
          </EventProviders>
        </EventCollectorId>
      </Collectors>
    </Profile>

    <!-- Memory-mode variant; everything else is inherited through Base. -->
    <Profile
        Id="NetworkProfile.Verbose.Memory"
        Name="NetworkProfile"
        Description="Network Profile"
        Base="NetworkProfile.Verbose.File"
        LoggingMode="Memory"
        DetailLevel="Verbose" />

  </Profiles>

  <!-- Merge settings: compress the output and list the custom events to add.
       No Profile in this file references this Id. -->
  <TraceMergeProperties>
    <TraceMergeProperty
        Id="BaseVerboseTraceMergeProperties"
        Name="BaseTraceMergeProperties"
        Base="">
      <FileCompression Value="true" />
      <CustomEvents>
        <CustomEvent Value="ImageId" />
        <CustomEvent Value="BuildInfo" />
        <CustomEvent Value="VolumeMapping" />
        <CustomEvent Value="EventMetadata" />
        <CustomEvent Value="PerfTrackMetadata" />
        <CustomEvent Value="NetworkInterface" />
      </CustomEvents>
    </TraceMergeProperty>
  </TraceMergeProperties>
</WindowsPerformanceRecorder>

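Save the file as network.wprp and start the recording from an elevated command prompt with `"C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\wpr.exe" -start network.wprp`. When you have reproduced the activity, stop the recording and write the trace with `"C:\Program Files (x86)\Windows Kits\10\Windows Performance Toolkit\wpr.exe" -stop NetworkData.etl`.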