wpp ? wmitrace ? DebugTrace?

Well, I wrote

BTW, if you had #defined DBG then you can get the traces too in a
thread, and I thought it must be simple, like choosing the checked build
to build the driver :)

But it seems it isn't that simple.

Basically I built the CDO sample in the WDK again with the checked build and
reloaded it, but I didn't see any messages in WinDbg.

***** buildchk_win7_x86.log
1> /DDEVL=1
1> /DDBG=1
1> /D__BUILDMACHINE__=WinDDK
***** BUILDFRE_WIN7_X86.LOG
1> /DDEVL=1
1> /D__BUILDMACHINE__=WinDDK
*****

Loading the CDO as a dump file and disassembling it, I can see the strings
compiled into the driver when I built it as checked:

0:000> !grep -e "string" -c "uf cdo!CdoUnload"
291 0001502d 68b06a0100 push offset cdo!`?? ::NNGAKEGL::`string' (00016ab0)
296 0001504a 68906a0100 push offset cdo!`?? ::NNGAKEGL::`string' (00016a90)
309 0001507e 68406a0100 push offset cdo!`?? ::NNGAKEGL::`string' (00016a40)
0:000> da 00016ab0
00016ab0 "EX: Pageable code called at IRQL"
00016ad0 " %d."
0:000> da 00016a90
00016a90 "[Cdo]: Unloading driver."
0:000> da 00016a40
00016a40 "[Cdo]: Fail unloading driver sin"
00016a60 "ce the unload is optional and th"
00016a80 "e CDO is open."

But DbgPrint doesn't happen because some DWORD at
cdo!Globals+0x48 isn't set properly.

How can I set it?

cdo!CdoUnload+0x2f
[c:\winddk\7600.16385.1\src\filesys\minifilter\cdo\cdoinit.c @ 296]:
296 0001503f 8b15c8400100 mov edx,dword ptr [cdo!Globals+0x48 (000140c8)]
296 00015045 83e202 and edx,2
296 00015048 740d je cdo!CdoUnload+0x47 (00015057)

So I started looking around, and I see people calling it moron.
Is it so?

http://www.osronline.com/showThread.cfm?link=57594

I tried fltkd!traceflags and WinDbg says it can't find the global:
Could not GetExpression for "FltMgr!WPP_Global_Control"

I can see the other fltkd! args, though:

lkd> !grep -e FLT_F -c !filters
FLT_FILTER: 86b73788 "aswFsBlk" "388400"
FLT_FILTER: 86bcc5c0 "aswSnx" "137600"
lkd> !filter 86b73788

FLT_FILTER: 86b73788 "aswFsBlk" "388400"
FLT_OBJECT: 86b73788 [02000000] Filter
RundownRef : 0x0000000e (7)
PointerCount : 0x00000002
PrimaryLink : [86bcc5cc-8640005c]

Isn't this working for XP? (Docs seem to say WPP is available from Windows 2000.)

Can someone enumerate the simple steps to make this work?

I tried tracepdb and fed it the PDB, but it says it can't find some magic in it.

I opened up TraceView and set up a new logging session

(it doesn't even find the PDB which I select in the file selection box;
it says the file cannot be found :))

So I just tried to log all the kernel logs using system.tmf
and filtered messages that had cdo in them to be colored brown.
I see some cdo messages in registry operations,
but no load/unload messages.

How can I get to see the
DebugTrace( DEBUG_TRACE_LOAD_UNLOAD,
("[Cdo]: Driver being loaded\n") );

or this message in WinDbg, if at all:

DebugTrace( DEBUG_TRACE_LOAD_UNLOAD,
("[Cdo]: Unloading driver\n") );

in the CDO sample?

If you look at CdoStruct.h you will see DebugTrace resolves to DbgPrint,
also if you look at CdoInit you will see that it expects a registry variable
to be set to see the information. Finally, you need to be aware of the data
in this article http://www.osronline.com/article.cfm?article=295

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

WINDBG is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Yes Don, I saw the CdoStruct.h:

if ((Level) & Globals.DebugLevel) { \

The disassembly I posted in the earlier post was for that line only:

296 f8d9d03f 8b15c8c0d9f8 mov edx,dword ptr [cdo!Globals+0x48 (f8d9c0c8)]
296 f8d9d045 83e202 and edx,2

#define DEBUG_TRACE_LOAD_UNLOAD 0x00000002
// Loading/unloading of the filter

So who sets it in XP? (I am aware of Hector's memo, but it doesn't
apply to XP, does it? Anyway, XP doesn't have that Kd_DEFAULT global.)

kd> x *!*DE*MASK*
806b3940 nt!PsEmbeddedNTMask =
805535c4 nt!Kd_VIDEO_Mask =
80553644 nt!Kd_IDEP_Mask =
805535cc nt!Kd_VIDEOPRT_Mask =
804e6708 nt!MiDetermineUserGlobalPteMask =
80553614 nt!Kd_UNIMODEM_Mask =
80553698 nt!Kd_IHVVIDEO_Mask =
80553648 nt!Kd_PCIIDE_Mask =
8068e994 nt!PiLoggedErrorEventsMask =
fc1cfce4 ndiswan!glDebugMask =
fc4771dc ACPI!ACPIGpeBuildEventMasks =
kd> g

This DebugLevel var must probably be somewhere in the INF file, I think.
Let me run through it.


OK, I think I got a grip.

Like I posted, it is in the AddReg section of the INF file.

So I queried the registry and changed it, and got the spew:
C:\WINDOWS\system32>reg query hklm\system\currentcontrolset\services\cdo /v DebugLevel

and then changed the INF accordingly.

Now I can install it several times and I can get the spew.

Changed this:

[MiniFilter.AddRegistry]
HKR,"DebugLevel",0x00010001,0x00000001
HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%

to

[MiniFilter.AddRegistry]
HKR,"DebugLevel",0x00010001,0xFFFFFFFF

#define DEBUG_TRACE_ALL 0xFFFFFFFF // All flags

HKR,"Instances","DefaultInstance",0x00000000,%DefaultInstance%

kd> g
[Cdo]: Unloading driver
[Cdo]: Deleting CDO ...
[Cdo]: Deleting CDO successful
[Cdo]: Driver being loaded
[Cdo]: Creating CDO ...
[Cdo]: Creating CDO successful

Can't I attach this to C:?

C:\cdotest>fltmc attach cdo c:

Attach failed with error: 0x801f000f
Do not attach the filter to the volume at this time.

C:\cdotest>

kd> !fltkd.frames

Frame List: fc3e98e0
FLTP_FRAME: ffa60000 “Frame 0” “0 to 370080”
FLT_FILTER: ffb9e3a8 “CDO” “370080”
kd> !fltkd.filter ffb9e3a8

FLT_FILTER: ffb9e3a8 “CDO” “370080”
FLT_OBJECT: ffb9e3a8 [02000000] Filter
RundownRef : 0x00000002 (1)
PointerCount : 0x00000001
PrimaryLink : [ffa6005c-ffa6005c]
Frame : ffa60000 “Frame 0”
Flags : [00000002] FilteringInitiated
DriverObject : 81208e20
FilterLink : [ffa6005c-ffa6005c]
PreVolumeMount : 00000000 (null)
PostVolumeMount : 00000000 (null)
FilterUnload : f8baa010 cdo!CdoUnload
InstanceSetup : f8ba6120 cdo!CdoInstanceSetup
InstanceQueryTeardown : 00000000 (null)
InstanceTeardownStart : 00000000 (null)
InstanceTeardownComplete : 00000000 (null)
ActiveOpens : (ffb9e46c) mCount=0
Client Port List : (ffb9e498) mCount=0
VerifierExtension : 00000000
Operations : 00000000
OldDriverUnload : 00000000 (null)
SupportedContexts : (ffb9e438)
VolumeContexts : (ffb9e438)
InstanceContexts : (ffb9e43c)
FileContexts : (ffb9e440)
StreamContexts : (ffb9e444)
StreamHandleContexts : (ffb9e448)
TransactionContext : (ffb9e44c)
InstanceList : (ffb9e3d8)

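As an added example (not code from this thread, and not the WDK CDO sample's own code), here is a small user-mode C program that parses the AddReg line quoted in the thread and applies the same bit-mask gate the sample's DebugTrace macro uses (`if ((Level) & Globals.DebugLevel)`). It shows why the INF default of 0x00000001 silences the DEBUG_TRACE_LOAD_UNLOAD (0x00000002) messages while 0xFFFFFFFF enables them. DEBUG_TRACE_LOAD_UNLOAD and DEBUG_TRACE_ALL are taken from the thread; DEBUG_TRACE_ERROR = 0x1 is assumed to be the category the default enables; FLG_ADDREG_TYPE_DWORD is the standard INF flag value 0x00010001; the function names and the sample INF lines are my own constructions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Trace categories from the CDO sample's CdoStruct.h, as quoted in the thread. */
#define DEBUG_TRACE_LOAD_UNLOAD 0x00000002u /* Loading/unloading of the filter */
#define DEBUG_TRACE_ALL         0xFFFFFFFFu /* All flags */
/* Assumption: the sample's error category, matching the INF default of 0x00000001. */
#define DEBUG_TRACE_ERROR       0x00000001u

/* INF AddReg flags value meaning "this value is a REG_DWORD" (FLG_ADDREG_TYPE_DWORD). */
#define FLG_ADDREG_TYPE_DWORD   0x00010001u

/* The gate the sample's DebugTrace macro applies before calling DbgPrint:
 *     if ((Level) & Globals.DebugLevel) { DbgPrint(...); }
 * A category prints only if at least one of its bits is set in DebugLevel. */
static int trace_enabled(uint32_t debug_level, uint32_t level)
{
    return (level & debug_level) != 0;
}

/* Split a line on commas in place, producing at most max fields; the last
 * field keeps any remaining commas. Returns the number of fields produced. */
static int split_fields(char *buf, char **fields, int max)
{
    int n = 0;
    char *p = buf;
    while (n < max) {
        char *comma;
        fields[n++] = p;
        comma = strchr(p, ',');
        if (comma == NULL) break;
        *comma = '\0';
        p = comma + 1;
    }
    return n;
}

/* Parse a 32-bit number as the INF writes it (0x-prefixed hex or decimal).
 * Returns 1 on success, 0 if the field has junk or does not fit in 32 bits. */
static int parse_u32(const char *field, uint32_t *out)
{
    char *end;
    unsigned long v;
    if (*field == '\0') return 0;
    v = strtoul(field, &end, 0);
    if (*end != '\0' || v > 0xFFFFFFFFul) return 0;
    *out = (uint32_t)v;
    return 1;
}

/* Parse one AddReg line of the form
 *     HKR,"DebugLevel",0x00010001,0xFFFFFFFF
 * Returns 1 and stores the DWORD in *out when the line is a REG_DWORD
 * DebugLevel value under the driver's key (HKR); 0 for any other line. */
static int parse_debuglevel_line(const char *line, uint32_t *out)
{
    char buf[256];
    char *fields[4];
    uint32_t flags;
    size_t len = strlen(line);

    if (len >= sizeof buf) return 0;
    memcpy(buf, line, len + 1);
    while (len > 0 && (buf[len - 1] == '\n' || buf[len - 1] == '\r' || buf[len - 1] == ' '))
        buf[--len] = '\0';

    if (split_fields(buf, fields, 4) != 4) return 0;
    if (strcmp(fields[0], "HKR") != 0) return 0;            /* the driver's own service key */
    if (strcmp(fields[1], "\"DebugLevel\"") != 0) return 0; /* the value CdoInit reads */
    if (!parse_u32(fields[2], &flags) || flags != FLG_ADDREG_TYPE_DWORD) return 0;
    return parse_u32(fields[3], out);
}

/* DebugLevel that an INF line installs, or 0 (nothing enabled) if it is not one. */
static uint32_t debuglevel_from_inf(const char *line)
{
    uint32_t level;
    return parse_debuglevel_line(line, &level) ? level : 0;
}

/* 1 if DebugTrace(DEBUG_TRACE_LOAD_UNLOAD, ...) would print after installing
 * this line, 0 if it stays silent (the situation the thread started with). */
static int load_unload_trace_from_inf(const char *line)
{
    return trace_enabled(debuglevel_from_inf(line), DEBUG_TRACE_LOAD_UNLOAD);
}

/* Constructed sample lines, copied from the INF fragments in the thread. */
static const char *const INF_DEFAULT = "HKR,\"DebugLevel\",0x00010001,0x00000001";
static const char *const INF_CHANGED = "HKR,\"DebugLevel\",0x00010001,0xFFFFFFFF";
static const char *const INF_OTHER   =
    "HKR,\"Instances\",\"DefaultInstance\",0x00000000,%DefaultInstance%";

int main(void)
{
    const char *const lines[] = { INF_DEFAULT, INF_CHANGED, INF_OTHER };
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        printf("%-68s DebugLevel=0x%08x  load/unload trace: %s\n", lines[i],
               debuglevel_from_inf(lines[i]),
               load_unload_trace_from_inf(lines[i]) ? "prints" : "silent");
    }
    return 0;
}
```

The gate is a bitwise AND, so the mask must contain the category's own bit; a value of 1 only enables the 0x1 category, which is why the load/unload messages were missing until the INF was changed. On a live machine the equivalent check is the `reg query ... /v DebugLevel` command from the thread, read before the driver is (re)installed, since CdoInit reads the value at load time.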