How do you install a manifest in a "universal inf?"

Kerry_Gruber Member Posts: 37
We currently install manifest items in the INF using AddReg directives, such as shown below:

HKLM,%EventLogProviderKey%,,%FLG_ADDREG_TYPE_SZ%,"DPTF"
HKLM,%EventLogProviderKey%,"ResourceFileName",%REG_EXPAND_SZ%,"%%SystemRoot%%\system32\xyz.dll"
HKLM,%EventLogProviderKey%,"MessageFileName",%REG_EXPAND_SZ%,"%%SystemRoot%%\system32\xyz.dll"
HKLM,%EventLogProviderKey%,"Enabled",%FLG_ADDREG_TYPE_DWORD%,1
HKLM,%EventLogProviderKey%"\ChannelReferences","Count",%FLG_ADDREG_TYPE_DWORD%,1
HKLM,%EventLogProviderKey%"\ChannelReferences\0\",,%FLG_ADDREG_TYPE_SZ%,"Application"
HKLM,%EventLogProviderKey%"\ChannelReferences\0\","Flags",%FLG_ADDREG_TYPE_DWORD%,1
HKLM,%EventLogProviderKey%"\ChannelReferences\0\","Id",%FLG_ADDREG_TYPE_DWORD%,9
HKLM,%EventLogChannelKey%,"Enabled",%FLG_ADDREG_TYPE_DWORD%,1
HKLM,%EventLogChannelKey%,"EnableLevel",%FLG_ADDREG_TYPE_DWORD%,0
HKLM,%EventLogChannelKey%,"EnableProperty",%FLG_ADDREG_TYPE_DWORD%,1
HKLM,%EventLogChannelKey%,"LoggerName",%REG_EXPAND_SZ%,"EventLog-Application"
HKLM,%EventLogChannelKey%,"MatchAnyKeyword",%FLG_ADDREG_TYPE_QWORD%,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80
HKLM,%EventLogChannelKey%,"MatchAllKeyword",%FLG_ADDREG_TYPE_QWORD%,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00

But in "universal" INFs, it says we can only use HKR relative paths in the registry. We cannot use wevtutil.exe within an INF, and they also don't want co-installers.

So, how exactly are we supposed to install manifests for ETW-based event logging or just ETW events as a standard provider? I see no documentation on this at all.

Comments

  • OSR_Community_User Member Posts: 110,217
    Because there's currently no better way to do it, Universal INFs currently allow you to write out keys under both HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels and HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers. You can verify this via InfVerif with the /universal switch.

    As a side note, the idea behind universal INFs is that they should only be the steps necessary to get the device up and functional. Things like coinstallers and exe's shouldn't ever be required to do that, and hence they're not supported.
  • Kerry_Gruber Member Posts: 37
    The keys we use also include the autologger key (SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\). Are the keys under the autologger also allowed in a universal INF?

    (I should have shown the path instead of the replacement token...)
  • OSR_Community_User Member Posts: 110,217
    Yes, this is also supported. I should note that you're only allowed to AddReg any of these keys.
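
The rule the replies above describe (HKR anywhere, HKLM only via AddReg and only under the WINEVT Channels, WINEVT Publishers and EventLog-Application autologger keys) can be pre-checked in a build step before running InfVerif with /universal. The following is an added example, not code from the thread or from InfVerif, and it only approximates the rule as stated here. The function names, section names, GUID and Contoso key are hypothetical, and comment stripping is simplified (a ';' inside a quoted value is not handled).

```python
import re

# HKLM keys this thread says a universal INF may AddReg into (lowercased).
ALLOWED_HKLM = (r"software\microsoft\windows\currentversion\winevt\channels",
                r"software\microsoft\windows\currentversion\winevt\publishers",
                r"system\currentcontrolset\control\wmi\autologger\eventlog-application")

# Constructed sample INF fragment: section names, GUID and Contoso key are made up.
SAMPLE_INF = r'''
[Device_Install.NT]
AddReg = Etw_AddReg
DelReg = Etw_DelReg
[Etw_AddReg]
HKLM,%ProviderKey%"\ChannelReferences","Count",0x00010001,1
HKLM,%LoggerKey%,"EnableLevel",0x00010001,0
HKLM,"SOFTWARE\Contoso\Settings","Mode",0x00010001,1
[Etw_DelReg]
HKLM,%ProviderKey%,"Enabled"
[Strings]
ProviderKey = "SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{00000000-0000-0000-0000-000000000000}"
LoggerKey = "SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\{00000000-0000-0000-0000-000000000000}"
'''

def sections_of(text):
    """Map lowercased section name -> its lines, with ';' comments stripped."""
    out, name = {}, None
    for line in (raw.split(";", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].strip().lower()
        elif line and name:
            out.setdefault(name, []).append(line)
    return out

def check_universal_registry(text):
    """Return (directive, root, key) for each entry outside the thread's rule."""
    secs = sections_of(text)
    strings = {k.strip().lower(): v.strip().strip('"')
               for k, _, v in (l.partition("=") for l in secs.get("strings", []))}
    # %name% is looked up in [Strings]; "%%" is a literal percent sign.
    expand = lambda s: re.sub(r"%([^%]*)%", lambda m: strings.get(m[1].lower(), m[0]) if m[1] else "%", s)
    findings = []
    for directive, targets in re.findall(r"(?im)^\s*(AddReg|DelReg)\s*=\s*([^;\n]+)", text):
        for entry in (e for t in targets.split(",") for e in secs.get(t.strip().lower(), [])):
            root, key = (entry.split(",") + [""])[:2]
            root, key = root.strip().upper(), expand(key).replace('"', "").strip("\\ ")
            allowed = (key.lower() + "\\").startswith(tuple(p + "\\" for p in ALLOWED_HKLM))
            if root != "HKR" and not (root == "HKLM" and allowed and directive.lower() == "addreg"):
                findings.append((directive, root, key))
    return findings
```

On the constructed sample, check_universal_registry(SAMPLE_INF) reports the Contoso AddReg entry and the DelReg entry on the publisher key, and accepts the publisher and autologger AddReg entries.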