Event Tracing of ACPI.SYS in Windows 7

Hello all,

I am a bit stuck in trying to apply ETW on ACPI in Windows 7.

I am new to the ETW topic and it is a bit confusing which tools to use, where to find appropriate files, which direction to go, etc.

I want to explore what’s going on regarding acpi.sys on Windows 7 but I am obviously missing the ACPI .MOF or .TMF files (don’t know which).

I managed to get fairly readable event trace files (dumpfile.csv and summary.txt) on Windows XP using the tracelog.exe and tracerpt.exe utilities.

The summary file presents the GUIDs for Event and Event Header…

+---------------------------------------------------------------------------+
|Event Count  Event Name  Event Type  Guid                                  |
+---------------------------------------------------------------------------+
|          1  EventTrace  Header      {68fdd900-4a3e-11d1-84f4-0000f80464e3}|
|         17  AMLIEvent   Start       {f2e0e060-bf32-4b88-b8e4-5cad15af6ae9}|
|         17  AMLIEvent   End         {f2e0e060-bf32-4b88-b8e4-5cad15af6ae9}|
+---------------------------------------------------------------------------+

…and the dumpfile shows reasonable content (Start and End of AMLIEvents that occurred during the trace session along with the ACPI objects addressed, etc.).

Example:
AMLIEvent, Start, 0x0000, 129628869904062500, 5548035, 0, “Object = _GPE._L08”, 0, 0

When I move to Windows 7 and use the same tools (same means: tracelog is identical since it comes from the WDK, tracerpt is different because it is included in the Windows distribution) I get the following which is much the same as with XP:

+--------------------------------------------------------------------------------------+
|Event Count  Event Name  Task  Opcode  Version  Guid                                  |
+--------------------------------------------------------------------------------------+
|          1  EventTrace     0  Header        2  {68fdd900-4a3e-11d1-84f4-0000f80464e3}|
|         18  AMLIEvent      0  End           0  {f2e0e060-bf32-4b88-b8e4-5cad15af6ae9}|
|         18  AMLIEvent      0  Start         0  {f2e0e060-bf32-4b88-b8e4-5cad15af6ae9}|
+--------------------------------------------------------------------------------------+

However, I am obviously missing trace format information for the AMLIEvents since the AMLIEvents are not decoded:

AMLIEvent, Start, 0, 0, 0, 1, 1, 0, 0x0000000000000000, 0x00000000, 0x00000000, 1, , , {00000000-0000-0000-0000-000000000000}, , 129628945003125000, 308325, 0, DataSize=20


I think that I must provide something like an acpi.tmf file or an adequate MOF.
Trying to get out more information using the traceview.exe GUI utility didn’t help either.

Any help appreciated.

Thanks,
Gernot

Right. You need the TMF in order to make sense of the logs.

Microsoft only provides certain, few, TMFs to the outside world. For example, the NDIS team (YAY!!) has made their TMF files available (KUDOS!):

http://blogs.msdn.com/b/ndis/archive/2011/04/06/tmf-download-page.aspx

But TMF files for drivers and such are not typically available. Mr. Roddy – a regular here on NTDEV – a while back called Windows use of ETW “the trace facility that nobody can use” (http://www.osronline.com/showthread.cfm?link=204173).

This is a big problem. Many of us, me included, have lobbied long and hard for making more TMF files – such as those that relate to the core set of drivers – available to the driver development community. So far, nobody within MSFT has had the time and energy to get this done.

I seriously miss DbgPrint…

Peter
OSR
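
The following is an added example, not part of the original posts: a Python sketch that reads tracerpt CSV rows in the layout quoted in the question, converts the clock-time column from FILETIME to UTC, pairs AMLIEvent Start/End records per ACPI object, and sets aside rows that came out undecoded for lack of a TMF. The column positions (event type in field 2, clock-time in field 4 of a decoded row), the End row in the sample and all function names are assumptions.

```python
import csv
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample: row 1 follows the decoded XP line quoted in the question,
# row 2 is an invented matching End record, row 3 follows the undecoded
# Windows 7 line (no TMF available, so only DataSize is reported).
SAMPLE = """\
AMLIEvent, Start, 0x0000, 129628869904062500, 5548035, 0, "Object = _GPE._L08", 0, 0
AMLIEvent, End, 0x0000, 129628869904218750, 5548035, 0, "Object = _GPE._L08", 0, 0
AMLIEvent, Start, 0, 0, 0, 1, 1, 0, 0x0000000000000000, 0x00000000, 0x00000000, 1, , , {00000000-0000-0000-0000-000000000000}, , 129628945003125000, 308325, 0, DataSize=20
"""

def filetime_to_utc(ticks):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_dump(text):
    """Split AMLIEvent rows into decoded events and raw undecoded rows."""
    decoded, undecoded = [], []
    for row in csv.reader(text.splitlines(), skipinitialspace=True):
        row = [field.strip() for field in row]
        if len(row) < 2 or row[0] != "AMLIEvent":
            continue
        obj = next((f for f in row if f.startswith("Object =")), None)
        if obj is None:
            # Payload was not formatted: the decoder had no TMF/MOF for it.
            undecoded.append(row)
            continue
        decoded.append({"type": row[1],
                        "ticks": int(row[3]),  # assumed clock-time column
                        "object": obj.split("=", 1)[1].strip()})
    return decoded, undecoded

def pair_durations(events):
    """Match each End with the latest open Start for the same object.
    Returns (object, start time in UTC, duration in microseconds)."""
    open_starts, durations = {}, []
    for ev in events:
        if ev["type"] == "Start":
            open_starts.setdefault(ev["object"], []).append(ev["ticks"])
        elif ev["type"] == "End" and open_starts.get(ev["object"]):
            start = open_starts[ev["object"]].pop()
            durations.append((ev["object"], filetime_to_utc(start),
                              (ev["ticks"] - start) // 10))
    return durations

if __name__ == "__main__":
    events, raw = parse_dump(SAMPLE)
    for name, started, usec in pair_durations(events):
        print(f"{started.isoformat()}  {name}  {usec} us")
    print(f"{len(raw)} row(s) undecoded (TMF needed)")
```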