Hi All,
I have tried various options but unable to succeed. Please help me if i am
doing some silly thing.
My objective - I have a kernel mode driver which runs in Kernel process and
is loaded at system boot time. I have implemented WPP trace
logging in my driver and is working fine i.e. i am able to generate .etl
file from my driver after system gets started and my driver gets
loaded . I implemented Trace logging via DoTraceMessage calls. I created a
session via TraceView or Tracefmt.
Now when i put my DoTraceMessage fn calls inside my DriverEntry fn (After
WPP_INIT_TRACING) or functions that are called by DriverEntry,
these trace messages are not logged in .etl file. Reason is that since i
started a session (via TraceView or Tracelog) after driver gets
loaded so no logs are obtained that are present in DriverEntry fn.
So my first question is Is it Possible to do Tracing during Driver loading
(i.e. in DriverEntry fn) via DoTraceMessage calls???
If No then what are the other options?
I have gone through “AutoLogger” and “Global Logger” sessions which do Boot
time logging and i have tried following things
- For Global Logger Session
a. I have created following registry keys at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\GlobalLogger
- EnableKernelFlags
- FileName
- FlushTimer
- Start
b. Created subkey at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\GlobalLogger with
value - "Control Guid used by Kernel mode
Driver". See WPP_DEFINE_CONTROL_GUID Macro
C. Reboot the system
Based on Value of EnableKernelFlags logs are generated at path define by
FileName key above. But these logs does not contain my Driver logs.
The values that can use for EnableKernelFlags are taken from the values of
the EnableFlags member of the EVENT_TRACE_PROPERTIES structure. I
have tried various options from EnableFlags member but i could not obtained
trace logs from my kernel mode driver (i.e. which is using
DoTraceMessage). The etl files generated is decoded via system.tmf file.
If I did not use EnableKernelFlags then no logs would be generated.
- For AutoLogger Session
a. I have created following registry entries at
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\AutoLogger
- Created subkey with name MyDriverName
- Define keys like Start, FileName, Guid, BufferSize, FlushTimer(1 sec) in
subkey created above.
b. reboot the system
Now etl file is generated at path define by FileName key above with size
equal to BufferSize but no trace logs are found inside this file
i.e this is empty file. So again no trace logs are generated.
It looks i have given up as i don’t know which option should i try.
Note: I have kernel mode driver.
Please tell if someone from OSR implements this type of logging.
On Thu, Jul 4, 2013 at 7:26 PM, Umesh Bansal wrote:
> I have gone through AutoLogger session and create necessary registry
> entries at
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger. After
> system reboot etl file is created at %SystemRoot%\System32\LogFiles\WMI
> path but it does not contain My driver trace messages. In fact etl file of
> size 4KB is created.
>
> As already told that i can generate trace message after my driver has
> loaded in system but trace message from DriverEntry could not be logged. I
> am using DoTraceMessage fn to trace messages.
> Is there anything else i need to do.
> I have used WPP_INIT_TRACING call in my DriverEntry function too. It seems
> DoTraceMessages calls in DriverEntry is not directed to etl file via
> AutoLogger session. I have created following register entries at
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger
>
> Autologger
> SessionName
> Guid that is defined in Trace.h
>
> In SessionName key i have defined Start and Guid key. And in Guid sub key
> i defined the key Enabled with Value 1.
>
> Here is my Trace.h file.
>
> #define WPP_CONTROL_GUIDS <br>>
> WPP_DEFINE_CONTROL_GUID(ServiceSampleDriverCtlGuid,(f0cc34b3,a482,4dc0,b978,b5cf42aec4fd),
> <br>> WPP_DEFINE_BIT(TRACE_FLAG_ALL)
> <br>> WPP_DEFINE_BIT(TRACE_FLAG_WARNING)
> <br>> WPP_DEFINE_BIT(TRACE_FLAG_ERROR)
> <br>> WPP_DEFINE_BIT(TRACE_FLAG_CRITICAL)
> <br>> WPP_DEFINE_BIT(TRACE_FLAG_INFORMATION)
> <br>> WPP_DEFINE_BIT(FuncTrace)
> <br>> WPP_DEFINE_BIT(WSM_ERROR)
> <br>> )
>
> //
> // DoTraceLevelMessage is a custom macro that adds support for levels to
> the
> // default DoTraceMessage, which supports only flags. In this version, both
> // flags and level are conditions for generating the trace message.
> // The preprocessor is told to recognize the function by using the -func
> argument
> // in the RUN_WPP line on the source file. In the source file you will find
> // -func:DoTraceLevelMessage(LEVEL,FLAGS,MSG,…). The conditions for
> triggering
> // this event in the macro are the Levels defined in evntrace.h and the
> flags
> // defined above and are evaluated by the macro WPP_LEVEL_FLAGS_ENABLED
> below.
> //
> #define WPP_LEVEL_FLAGS_LOGGER(level,flags) WPP_LEVEL_LOGGER(flags)
> #define WPP_LEVEL_FLAGS_ENABLED(level, flags) (WPP_LEVEL_ENABLED(flags) &&
> WPP_CONTROL(WPP_BIT_ ## flags).Level >= level)
> .
> .
> .
> .
> #define WPP_FLAG_EXP_ENABLED(FLAGS, HR) WPP_FLAG_ENABLED(FLAGS)
> #define WPP_FLAG_EXP_LOGGER(FLAGS, HR) WPP_FLAG_LOGGER(FLAGS)
>
> #define WPP_AUTOLOGGER L"MyDriverName"
>
>
>
> Please tell me if i am missing some thing or i have to do something else.
> Also Is DoTraceMessage fn works with AutoLogger or GlobalLogger sessions?
>
>
> On Thu, Jul 4, 2013 at 11:08 AM, Speer, Kenny wrote:
>
>> And it might be obvious, but make sure you’re WPP_INIT_TRACING call is
>> executed before any of your actual trace statements 
>>
>> -----Original Message-----
>> From: xxxxx@lists.osr.com [mailto:
>> xxxxx@lists.osr.com] On Behalf Of Pavel A.
>> Sent: Wednesday, July 3, 2013 3:50 PM
>> To: Windows System Software Devs Interest List
>> Subject: Re:[ntdev] ETL logging - how to generate trace logs in
>> DriverEntry function.
>>
>> On 03-Jul-2013 10:58, xxxxx@gmail.com wrote:
>> > Hi,
>> > I have a kernel mode driver and i how want to implement WPP based trace
>> logging. I am able to generate trace logs in my kernel mode driver (i.e.
>> etl files) but logs are not generated for messages that are in my
>> DriverEnrty function. Reason for this is that my driver gets loaded during
>> system boot and during sysyem boot DriverEntry was called. So when i
>> created a session via Tracelog DriverEntry has already been called. So only
>> those function generated logs that called via IOCTL calls.
>> >
>> > So how can i generate trace messages that are in DriverEntry function?
>> Since Tracelog is user mode app and it started only when driver gets
>> loaded, so is there any way that i can log messages in DriverEntry function?
>> >
>> >
>>
>> Read this:
>>
>> http://msdn.microsoft.com/en-us/library/windows/desktop/aa363687(v=vs.85).aspx
>>
>> – pa
>>
>> —
>> NTDEV is sponsored by OSR
>>
>> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>>
>> OSR is HIRING!! See http://www.osr.com/careers
>>
>> For our schedule of WDF, WDM, debugging and other seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>>
>> —
>> NTDEV is sponsored by OSR
>>
>> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>>
>> OSR is HIRING!! See http://www.osr.com/careers
>>
>> For our schedule of WDF, WDM, debugging and other seminars visit:
>> http://www.osr.com/seminars
>>
>> To unsubscribe, visit the List Server section of OSR Online at
>> http://www.osronline.com/page.cfm?name=ListServer
>>
>
>
>
> –
> Regards,
> Umesh Bansal
>
–
Regards,
Umesh Bansal