How to Monitor Windows RPC Activity

Capture live RPC calls and narrow them to the ones that matter.

When a service interaction fails with a vague error or hangs on another component, the call almost always crosses an RPC boundary you cannot see from a normal debugger. RpcViewer captures that traffic live and lets you reduce it to the handful of calls you care about. This guide covers the full loop: capture, reproduce, filter, inspect.

Start a Capture

Run RpcViewer elevated, since capturing RPC events requires administrator privileges. Start the capture and events begin streaming into the list as calls are made on the system. Stop the capture when you have collected the window you need; you can clear the list and start again at any time.

If you already have an ETL trace from another machine, open it instead of capturing live. The same columns, filtering, and inspection apply to saved traces.

A live RPC capture in progress, filtered to a single service.

Reproduce the Behavior

With the capture running, trigger the operation you are investigating: restart the service, run the failing command, open the tool that hangs. The RPC calls behind it are recorded as they happen, including the client and server phases of each call.

Filter Out the Noise

A busy Windows system generates a lot of RPC traffic, so filtering is where most of the work happens:

  • Type in the quick filter to narrow by any field instantly, such as a process name or interface.
  • Build a compound filter to combine conditions, for example one process AND a non-success status.
  • Add highlight rules to color-code rows that match an interface, endpoint, or status code.
  • Use Find with regex or whole-word options to jump to specific calls forward or backward.

Inspect the Call

Select an event to see its details and a structured property view. Check the status code to confirm a failure, the protocol and endpoint to see how the call was routed, and the duration to spot slow paths. When stack information is available for an event, the stack pane shows the call site. To make procedure names readable instead of raw GUIDs, build the RPC interface database.
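The same triage can be scripted over events once they are in record form. The following is an added example, not RpcViewer's code or output: it applies the compound filter described above (one process AND a non-success status) to constructed rows, then pairs each failing client call with its server phase. The record layout, field names, and the shared `activity` id used to pair phases are assumptions.

```python
from dataclasses import dataclass

RPC_S_OK = 0  # success; 5 = ERROR_ACCESS_DENIED, 1722 = RPC_S_SERVER_UNAVAILABLE

@dataclass(frozen=True)
class RpcEvent:            # hypothetical record: one row of the event list
    activity: str          # assumed id shared by both phases of one call
    phase: str             # "client" or "server"
    process: str
    interface: str
    endpoint: str
    status: int
    duration_ms: float

# Constructed sample rows, not taken from a real capture.
EVENTS = [
    RpcEvent("a1", "client", "svcmgr.exe", "if-A", "\\pipe\\alpha", 0, 2.1),
    RpcEvent("a1", "server", "alpha.exe", "if-A", "\\pipe\\alpha", 0, 1.7),
    RpcEvent("a2", "client", "svcmgr.exe", "if-B", "\\pipe\\beta", 5, 0.9),
    RpcEvent("a2", "server", "beta.exe", "if-B", "\\pipe\\beta", 5, 0.4),
    RpcEvent("a3", "client", "svcmgr.exe", "if-C", "49700", 1722, 21000.0),
    RpcEvent("a4", "client", "other.exe", "if-B", "\\pipe\\beta", 5, 1.0),
    RpcEvent("a4", "server", "beta.exe", "if-B", "\\pipe\\beta", 5, 0.5),
]

def field(name, value):    # condition: one column equals a value
    return lambda e: getattr(e, name) == value

def failed(e):             # condition: non-success status
    return e.status != RPC_S_OK

def all_of(*conds):        # compound filter: AND of conditions
    return lambda e: all(c(e) for c in conds)

def triage(events, process):
    """Failed client calls made by `process`, with where the failure surfaced."""
    server = {e.activity: e for e in events if e.phase == "server"}
    wanted = all_of(field("phase", "client"), field("process", process), failed)
    rows = []
    for e in filter(wanted, events):
        peer = server.get(e.activity)
        where = f"returned by {peer.process}" if peer else "no server phase captured"
        rows.append((e.interface, e.endpoint, e.status, where))
    return rows

def slow_calls(events, threshold_ms):
    """Activity ids of calls at or above a duration threshold."""
    return sorted({e.activity for e in events if e.duration_ms >= threshold_ms})
```

A failing client call with no server phase in the same capture points at routing or availability rather than the server's handler; the server may also simply be on another machine.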

Frequently Asked Questions

Do I need administrator rights to capture RPC events?
Yes. RpcViewer captures RPC events from the system, which requires running elevated. Without administrator privileges the capture cannot be started.

Can I analyze RPC activity captured on another machine?
Yes. RpcViewer can open a saved ETL trace file, so you can collect RPC activity on one machine and analyze it offline on another. This is useful for customer repros and CI failures you cannot reproduce locally.

How do I cut down the volume of RPC events?
RPC is high volume. Use the quick filter to narrow by any field as you type, compound filters to combine conditions with AND/OR logic, and highlight rules to color-code rows that match a process, interface, or status code so they stand out.

How do I tell which call failed?
Each event has a Status column showing the RPC call status code, and a duration column. Filter or highlight on non-success status values to surface failing calls, then open the event to read its full details and properties.
