Relog.exe - Windows Performance Counter Relogging Tool

Category: System-EXE-Files | Date: 2025-02-25



Overview

relog.exe is a command-line utility included with Windows. Its primary function is to read performance counter logs (such as .blg, .csv, or .tsv files) and write their contents in a different format, optionally thinning the samples (keeping every Nth record), restricting the output to selected counters, or limiting it to a time window. It does not create the original performance logs; tools like Performance Monitor (perfmon.exe), logman.exe, or typeperf.exe do that. Think of relog.exe as a post-processing tool for performance data.

Origin and Purpose

relog.exe is a native Windows component developed by Microsoft. It's part of the broader performance monitoring infrastructure provided by the operating system. Its main purpose is to provide flexibility in how performance data is analyzed and presented. Common use cases include:

  • Format Conversion: Converting between binary performance logs (.blg), comma-separated values (.csv), tab-separated values (.tsv), and a SQL Server database reached through an ODBC data source. This allows performance data to be imported into spreadsheet software, databases, or other analysis tools.
  • Sample Thinning: Keeping every Nth record of the source log. For example, a log collected every second can be reduced to one record per minute by keeping every 60th sample. relog counts records, not seconds, and it does not average or interpolate between the samples it drops.
  • Counter Filtering: Selecting a subset of counters from the original log file. A performance log might contain hundreds of counters, but you might only be interested in a handful related to CPU, memory, or disk I/O. relog.exe allows you to create a new log file containing only the counters you specify.
  • Timestamp Filtering: Selecting only the records that fall within a specified time range of the source log.
  • Combining Logs: relog accepts several input files on one command line and writes them to a single output log, which is the usual way to merge logs collected in separate sessions.

Is it a Virus? / Security Concerns

relog.exe itself is not a virus. It is a legitimate, Microsoft-signed Windows system file that ships in C:\Windows\System32 (64-bit Windows also carries a 32-bit copy in C:\Windows\SysWOW64). As with any signed system binary, the realistic risks are a malicious file that borrows the name and drops itself somewhere else, or an attacker who already holds administrative rights replacing the genuine file; neither is specific to relog.exe. One property worth knowing: with -f SQL the tool opens a database connection through an ODBC data source, so an unexpected relog.exe process that talks to the network is not necessarily benign just because the binary is genuine.

Key Security Considerations:

  • File Location: The legitimate copies live in C:\Windows\System32 and, on 64-bit Windows, C:\Windows\SysWOW64. A relog.exe anywhere else (a user profile, a temp folder, a download directory) should be treated with suspicion: verify its digital signature and compare its hash with the System32 copy.
  • Digital Signature: Right-click relog.exe, select "Properties," and open the "Digital Signatures" tab, or run Get-AuthenticodeSignature on the file from PowerShell. It should be signed by Microsoft. Many System32 binaries are signed through a Windows catalog file rather than with an embedded signature; Get-AuthenticodeSignature checks the catalog as well, whereas the Properties dialog may then show no "Digital Signatures" tab at all, which is not by itself a sign of tampering.
  • Context of Use: relog.exe is a command-line tool and does not start on its own. If it appears in Task Manager or in process telemetry without you (or a scheduled script) having run it, check the parent process and the full command line: the input path, the -o target and any SQL:<DSN>!<log> destination tell you what it was reading and where the data went.
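The checks above, scripted. This is an added example, not code from the original page: it verifies the signature and hash of a relog.exe, flags a copy outside the two expected system directories, and then looks for stray copies in the places a dropped binary usually lands. The search locations are an assumption; extend them to suit your environment.

```powershell
# Added example: verify a relog.exe on disk and look for copies outside System32/SysWOW64.
# Run in an elevated PowerShell if you want to scan every user profile.
$ErrorActionPreference = 'Stop'

# The only two locations where a genuine relog.exe is expected.
$expectedPaths = @(
    (Join-Path $env:SystemRoot 'System32\relog.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\relog.exe')
)

function Test-RelogBinary {
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\relog.exe'))

    $item = Get-Item -LiteralPath $Path
    # Get-AuthenticodeSignature validates embedded and catalog signatures alike.
    $sig  = Get-AuthenticodeSignature -FilePath $item.FullName
    $hash = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash

    [pscustomobject]@{
        Path            = $item.FullName
        ExpectedPath    = ($expectedPaths -icontains $item.FullName)
        SignatureStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer          = $sig.SignerCertificate.Subject
        MicrosoftSigned = ($sig.Status -eq 'Valid' -and
                           $sig.SignerCertificate.Subject -like '*Microsoft*')
        SHA256          = $hash
        FileVersion     = $item.VersionInfo.FileVersion
    }
}

# 1. The reference copy. SignatureStatus must be Valid and the signer Microsoft.
$reference = Test-RelogBinary
$reference | Format-List

# 2. Stray copies: same file name, anywhere writable by an ordinary user (assumed search roots).
$searchRoots = @("$env:SystemDrive\Users", $env:ProgramData, "$env:SystemRoot\Temp")
Get-ChildItem -Path $searchRoots -Filter 'relog.exe' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $r = Test-RelogBinary -Path $_.FullName
        # A byte-identical copy of the system binary is odd but not malicious in itself;
        # a different hash or a missing/invalid Microsoft signature is what matters.
        $r | Add-Member -NotePropertyName SameAsSystem32 -NotePropertyValue ($r.SHA256 -eq $reference.SHA256) -PassThru
    } | Format-Table Path, SignatureStatus, MicrosoftSigned, SameAsSystem32 -AutoSize
```

Any hit with ExpectedPath false, MicrosoftSigned false, or a hash that differs from the System32 copy deserves a closer look; a renamed legitimate tool is a common way to pass a quick "is it signed?" check, which is why the script compares hashes as well as the signer.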

In summary, relog.exe is safe under normal circumstances. Malware could masquerade as relog.exe, but standard security practices (keeping your system updated, running antivirus software, being cautious about downloaded files) will mitigate this risk.

Usage Instructions

relog.exe is used from the command line (Command Prompt or PowerShell). The general syntax is:

relog <input_log_file(s)> [-a] [-c <counter [counter ...]>] [-cf <file>] [-f <BIN|CSV|TSV|SQL>] [-t <value>] [-o <output_file | SQL:<DSN>!<counter_log>>] [-b <begin_time>] [-e <end_time>] [-config <file>] [-q] [-y]

Common Parameters:

  • <input_log_file(s)>: (Required) The path to the performance log file(s) you want to process. You can specify multiple files, which relog merges into one output. Wildcards (*) are supported.
  • -c <counter [counter ...]>: Specifies the performance counters to include in the output. List multiple counter paths separated by spaces, and quote each one because counter paths contain spaces and parentheses. Example: -c "\Processor(_Total)\% Processor Time" "\Memory\Available MBytes"
  • -cf <file>: Specifies a text file containing a list of counter paths, one per line. This is useful when you have a large number of counters to include.
  • -f <format>: Specifies the output file format. Valid values are:
    • BIN (binary log, the default; written to a .blg file. The format name is BIN, not BLG: .blg is just the conventional extension)
    • CSV (Comma-Separated Values)
    • TSV (Tab-Separated Values)
    • SQL (SQL Server database via an ODBC DSN; see the SQL section below)
  • -t <value>: Keeps every Nth record of the input (-t 60 writes one record for every 60 read); by default every record is written. This is a record count, not a number of seconds: on a log sampled every second, -t 60 yields one-minute spacing, but on a log sampled every 15 seconds the same option yields 15-minute spacing.
  • -o <output_file>: The path of the output log, or SQL:<DSN>!<counter_log> for SQL output. Required for every conversion; only -q works without it, printing the counter list to the console.
  • -a: Appends the output to an existing file instead of overwriting it.
  • -b <begin_time>: Earliest timestamp to include. Format: M/D/YYYY HH:MM:SS (24-hour clock, or add AM/PM). Quote the value because it contains a space. Example: -b "1/1/2023 10:00:00"
  • -e <end_time>: Latest timestamp to include, in the same format as -b.
  • -config <file>: Reads the command-line options from a settings file.
  • -q: Lists the counters contained in the input log. Combine with -o to write the list to a file.
  • -y: Answers "yes" to all prompts, including the prompt to overwrite an existing output file. Use with caution interactively; in scripts it is what you want, since relog otherwise waits on the prompt.

Examples:

  1. Convert a .blg file to a .csv file:

    relog input.blg -f CSV -o output.csv

  2. Extract specific counters and keep only every 60th sample (one record per minute if the source was sampled every second):

    relog input.blg -c "\Processor(_Total)\% Processor Time" "\Memory\Available MBytes" -t 60 -o output.blg

  3. Use a counter file and specify a time range:

    relog input.blg -cf counters.txt -b "02/07/2025 09:00:00" -e "02/07/2025 17:00:00" -o output.blg

    Where counters.txt contains one counter path per line:

    \Processor(_Total)\% Processor Time
    \Memory\Available MBytes
    \PhysicalDisk(_Total)\Disk Read Bytes/sec
    \PhysicalDisk(_Total)\Disk Write Bytes/sec

  4. List the counters in a log file:

    relog input.blg -q -o counters_list.txt

    This writes every counter path found in input.blg to the text file counters_list.txt. Leave off -o to print the list to the console instead.

  5. Relog to a SQL database:

    relog "input.blg" -f SQL -o SQL:MyDatabase!MyLog

    • SQL: Indicates that the output format is SQL.
    • MyDatabase: The ODBC data source name (DSN). You must create this DSN beforehand using the ODBC Data Source Administrator tool in Windows; it holds the connection details (server, database name, authentication method).
    • MyLog: The name of the counter log (data set) under which this run is recorded in the database. It is not a table name: relog stores every log in the same set of tables and uses this string to tell runs apart.
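A complete run of the file-based workflow, as an added example that is not part of the original page. Because relog cannot create logs, the script first records a short sample log with typeperf (ten one-second samples of two counters), then lists the counters with -q, extracts one counter with -t 2 to CSV, and finally parses relog's CSV layout, where the first column is the timestamp and every other column is a full counter path that includes the machine name. The working directory under %TEMP% and the choice of counters are assumptions; everything else is standard tool behaviour.

```powershell
# Added example: create a sample log, relog it to CSV, and summarise the result.
$ErrorActionPreference = 'Stop'
$work = Join-Path $env:TEMP 'relog-demo'   # assumed scratch location
New-Item -ItemType Directory -Path $work -Force | Out-Null
$blg = Join-Path $work 'sample.blg'
$csv = Join-Path $work 'filtered.csv'

# 1. Build a small binary log: 10 samples, one second apart. typeperf creates logs; relog does not.
typeperf '\Processor(_Total)\% Processor Time' '\Memory\Available MBytes' `
    -f BIN -o $blg -si 1 -sc 10 -y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "typeperf failed with exit code $LASTEXITCODE" }

# 2. See what the log contains before deciding what to keep (-q without -o prints to the console).
relog $blg -q

# 3. Keep one counter and every 2nd record, written as CSV. -y avoids the overwrite prompt.
relog $blg -c '\Memory\Available MBytes' -t 2 -f CSV -o $csv -y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "relog failed with exit code $LASTEXITCODE" }

# 4. Parse relog's CSV. Header of column 1 reads "(PDH-CSV 4.0) (<time zone>)(<offset>)";
#    the remaining headers are counter paths such as "\\HOST\Memory\Available MBytes".
$rows     = Import-Csv -Path $csv
$timeCol  = ($rows[0].PSObject.Properties | Select-Object -First 1).Name
$counters = $rows[0].PSObject.Properties.Name | Where-Object { $_ -ne $timeCol }

foreach ($counter in $counters) {
    # relog writes a blank field for a sample it could not read; skip those instead of counting them as 0.
    # Values are formatted with a '.' decimal point regardless of the user's locale, so parse invariantly.
    $values = foreach ($r in $rows) {
        $v = 0.0
        if ([double]::TryParse($r.$counter,
                               [System.Globalization.NumberStyles]::Float,
                               [cultureinfo]::InvariantCulture, [ref]$v)) { $v }
    }
    $stats = $values | Measure-Object -Average -Maximum -Minimum
    [pscustomobject]@{
        Counter = $counter
        Samples = $stats.Count          # 5 here: 10 records thinned by -t 2
        Average = [math]::Round($stats.Average, 2)
        Max     = $stats.Maximum
        Min     = $stats.Minimum
        First   = $rows[0].$timeCol
        Last    = $rows[-1].$timeCol
    }
}
```

The same parsing loop works on any relog CSV, whatever counters it holds, which is the point of reading the column names from the header rather than hard-coding them. The one thing to watch when you script this is step 3: without -y a second run stops at the "overwrite?" prompt and a scheduled task will hang there.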

SQL Database Output (Important Considerations):

Relogging to a SQL database is more involved than the file formats. Here's a breakdown:

  1. ODBC Data Source Name (DSN): Before using the SQL format, create a System DSN using the "ODBC Data Source Administrator" tool (search for "ODBC" in the Windows Start menu). This DSN defines the connection to your SQL Server database. You'll need to specify:

    • The database server (e.g., localhost, a server name, or an IP address).
    • The authentication method. Prefer Windows Authentication: there is no SQL login password to manage, and the connection runs as the account that invokes relog.
    • The target database name.

    Create the DSN with the same bitness as the relog.exe you run: the System32 copy is 64-bit and only sees 64-bit DSNs.
  2. relog command: The -o parameter for SQL output follows the format SQL:<DSN>!<log_name>.

    • <DSN> is the name of the System DSN you created.
    • <log_name> is a user-defined name that relog uses to identify this data set within the database. Reusing a name appends to that data set.
  3. Table Creation: On first use relog creates three tables if they don't exist: CounterDetails (one row per counter path), CounterData (one row per sample) and DisplayToID (one row per <log_name>, with its start and stop times and record count). Every later run writes into the same three tables; nothing is created per log.
  4. Permissions: The account behind the DSN (with Windows Authentication, the user running relog) needs, at a minimum:

    • CONNECT to the database.
    • CREATE TABLE in the database and ALTER on the target schema, needed only for the first run that creates the tables.
    • SELECT, INSERT and UPDATE on those tables for every run (existing counter IDs are looked up, samples inserted, and the log's stop time and record count updated when it closes).

    Do not run relog as sa or as a database owner just to make a permission error go away; grant these rights to a dedicated account and revoke the CREATE TABLE and ALTER rights once the tables exist.
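The three steps above carried through end to end, as an added example that is not part of the original page. It creates a least-privilege login, registers a System DSN with Add-OdbcDsn instead of clicking through the ODBC dialog, relogs into it, and reads back the data set relog registered. Assumptions: SQL Server is reachable at $server with an existing database $db, sqlcmd.exe and the named ODBC driver are installed, the session is elevated (a System DSN is machine-wide), and the account CONTOSO\perfcollector, the DSN name, the input path and the DisplayToID column names (from the standard performance-counter SQL schema) are placeholders for your own.

```powershell
# Added example: least-privilege SQL target + System DSN + relog -f SQL, scripted.
$ErrorActionPreference = 'Stop'
$server  = 'localhost'                      # assumed SQL Server instance
$db      = 'PerfLogs'                       # assumed, must already exist
$dsn     = 'PerfLogsDsn'                    # assumed DSN name
$account = 'CONTOSO\perfcollector'          # assumed Windows account that will run relog
$blg     = 'C:\PerfLogs\input.blg'          # assumed input log

# 1. Login and database user with only what relog needs. ALTER on the schema is required by
#    CREATE TABLE; revoke CREATE TABLE and ALTER after the first run has created the tables.
$grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$account')
    CREATE LOGIN [$account] FROM WINDOWS;
GO
USE [$db];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$account')
    CREATE USER [$account] FOR LOGIN [$account];
GRANT CONNECT TO [$account];
GRANT CREATE TABLE TO [$account];
GRANT ALTER, SELECT, INSERT, UPDATE ON SCHEMA::dbo TO [$account];
GO
"@
$sqlFile = Join-Path $env:TEMP 'relog-grant.sql'
Set-Content -Path $sqlFile -Value $grant -Encoding UTF8
sqlcmd -S $server -E -b -i $sqlFile          # -E: Windows auth, -b: non-zero exit on error
if ($LASTEXITCODE -ne 0) { throw "sqlcmd failed with exit code $LASTEXITCODE" }
Remove-Item $sqlFile

# 2. System DSN, 64-bit to match the System32 relog.exe. Trusted_Connection keeps passwords out
#    of the DSN; the driver name must match one listed by Get-OdbcDriver.
if (-not (Get-OdbcDsn -Name $dsn -DsnType System -Platform '64-bit' -ErrorAction SilentlyContinue)) {
    Add-OdbcDsn -Name $dsn -DriverName 'ODBC Driver 17 for SQL Server' -DsnType System -Platform '64-bit' `
        -SetPropertyValue @("Server=$server", "Database=$db", "Trusted_Connection=Yes")
}

# 3. Relog into the database. Run this step as $account: the trusted connection uses the
#    caller's identity. The text after '!' names the data set, not a table.
$logName = 'ServerA_{0:yyyyMMdd}' -f (Get-Date)
relog $blg -f SQL -o "SQL:$dsn!$logName" -y
if ($LASTEXITCODE -ne 0) { throw "relog failed with exit code $LASTEXITCODE" }

# 4. Confirm what relog registered: one DisplayToID row per data set, plus the sample tables.
sqlcmd -S $server -E -d $db -Q "SELECT DisplayString, LogStartTime, LogStopTime, NumberOfRecords FROM dbo.DisplayToID"
sqlcmd -S $server -E -d $db -Q "SELECT name FROM sys.tables WHERE name IN ('CounterDetails','CounterData','DisplayToID')"
```

If the relog step fails with a connection error, test the DSN on its own first (the "Test Data Source" button in the ODBC administrator, or any ODBC client) so that you know whether the problem is the DSN, the login, or relog's permissions; the three produce similar messages from relog's side.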

Troubleshooting

  • "Error: Unable to open input file(s)": Check that the input file path is correct and that you have read permissions to the file.
  • "Error: Invalid counter path": Verify that the counter paths you've specified are valid. Use perfmon.exe or typeperf -qx to get a list of available counters.
  • "Error: Unable to create output file": Check that you have write permissions to the output directory and that the filename is valid.
  • "Error: Unable to connect to SQL Server": Make sure your DSN is configured correctly, the SQL Server instance is running, and the credentials are valid. Also, check firewall settings.
  • "The data is not valid": This error can occur if the input log file is corrupted or was written by a machine whose counter definitions are broken. relog cannot repair the log. From an elevated prompt, run lodctr /r to rebuild the performance counter registry settings on the collecting machine, then capture a fresh log.

By understanding these parameters and examples, you can effectively use relog.exe to manipulate performance counter logs to meet your specific analysis needs.