
Driver Event Logging

Hi All,

I wanted to log messages from my driver based on NTSTATUS. I was following the way explained in Art Baker's Win2000 Device Driver book, but it looks a little hard to implement. Is there an easier way with the latest VS 2017? I tried the available APIs IoAllocateErrorLogEntry and IoWriteErrorLogEntry and was able to create an event, but with no information.

Any help is appreciated; thanks in advance.
(intermediate developer)

Comments

  • Do you need more information than what's available on MSDN:

    <https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/writing-to-the-system-event-log>

    Toss the Baker book. The best thing I can say about it is that it's out of date. Some of it, like the section on Power Management, was out of date when it was written, but I digress.

    You should almost certainly be writing whatever code you're writing in WDF, not in WDM.

    ANYhow... yeah.

    Peter
    OSR
    @OSRDrivers

  • Thank you Peter for the info.

    I have followed the same, as below.

    This is the function for logging to the event log:

    VOID XXXXLogEvent(PVOID ioObject, NTSTATUS status, const CHAR * Msg)
    {
        PIO_ERROR_LOG_PACKET pErrLogDetails = NULL;
        UNREFERENCED_PARAMETER(Msg);    // the message text never reaches the packet

        // Allocate a bare packet: no dump data and no insertion strings.
        pErrLogDetails = IoAllocateErrorLogEntry(ioObject, sizeof(IO_ERROR_LOG_PACKET));
        if (NULL != pErrLogDetails) {
            RtlSecureZeroMemory(pErrLogDetails, sizeof(IO_ERROR_LOG_PACKET));

            // The NTSTATUS is stored in ErrorCode (see the discussion further down).
            pErrLogDetails->ErrorCode = status;

            // Write the entry only when the allocation succeeded;
            // IoWriteErrorLogEntry must not be handed a NULL packet.
            IoWriteErrorLogEntry(pErrLogDetails);
        }
        return;
    }


    From the driver (for the demo I removed the rest of the code):
    ...
    status = ZwEnumerateValueKey(hRegKey, 0, KeyValuePartialInformation, pKeyValuelInfo, 256, &retSize);
    XXXXLogEvent(pDrvObj, status, "This is test");   // parameter is const CHAR *, so a narrow string
    ...

    MC file:
    MessageIdTypedef = NTSTATUS

    SeverityNames = (
    Success = 0x0:STATUS_SEVERITY_SUCCESS
    Informational = 0x1:STATUS_SEVERITY_INFORMATIONAL
    Warning = 0x2:STATUS_SEVERITY_WARNING
    Error = 0x3:STATUS_SEVERITY_ERROR
    )

    FacilityNames = (
    System = 0x0
    RpcRuntime = 0x2:FACILITY_RPC_RUNTIME
    RpcStubs = 0x3:FACILITY_RPC_STUBS
    Io = 0x4:FACILITY_IO_ERROR_CODE
    Driver = 0x7:FACILITY_DRIVER_ERROR_CODE
    )


    MessageId=0x0001
    Facility=Driver
    Severity=Informational
    SymbolicName=MSG_LOGGING_ENABLED
    Language=English
    Event logging enabled for XXXXXX Driver.
    .

    MessageId=+1
    Facility=Driver
    Severity=Informational
    SymbolicName=MSG_DRIVER_STARTING
    Language=English
    XXXX Driver has successfully initialized.
    .

    MessageId=+1
    Facility=Driver
    Severity=Informational
    SymbolicName=MSG_DRIVER_STOPPING
    Language=English
    XXXXXX Driver has unloaded.
    .

    I was able to log an event in Event Viewer, but it is not what I wanted:
    ===========================================
    The description for Event ID 0 from source xxxxx cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:


    the message resource is present but the message is not found in the string/message table
    =============================
  • <quote>
    I have followed the same like below..
    </quote>

    OK. But that's not what I asked you.

    I asked you if you need more information that is available on the MSDN pages to which I referred you.

    Specifically, I'll ask again: Did you follow all those steps? Did you REGISTER your driver (by creating the appropriate values in the Registry) as an error message source?

    Peter
    OSR
    @OSRDrivers

  • Yes Peter, I did; I followed https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/registering-as-a-source-of-error-messages

    \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\XXXXX

    with the entries EventMessageFile (with the path) and TypesSupported.
  • OK.

    Hmmmm... well, from your code, it looks like you're writing an error log packet that is completely empty?

    <quote>
    VOID XXXXLogEvent(PVOID ioObject, NTSTATUS status, const CHAR * Msg)
    {
    PIO_ERROR_LOG_PACKET pErrLogDetails = NULL;
    UNREFERENCED_PARAMETER(status);
    UNREFERENCED_PARAMETER(Msg);

    pErrLogDetails = IoAllocateErrorLogEntry(ioObject,
    sizeof(IO_ERROR_LOG_PACKET));
    if (NULL != pErrLogDetails) {
    RtlSecureZeroMemory(pErrLogDetails, sizeof(IO_ERROR_LOG_PACKET));

    pErrLogDetails->ErrorCode = status;
    }

    IoWriteErrorLogEntry(pErrLogDetails);
    return;
    }
    </quote>

    The ErrorCode field should correspond with one of the message IDs that you created. So, MSG_LOGGING_ENABLED or MSG_DRIVER_STOPPING or whatever.

    You appear to be passing an NTSTATUS in this field, and from the message you provided, I'd bet that status is STATUS_SUCCESS??

    Peter
    OSR
    @OSRDrivers
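An added example (not the poster's or OSR's code) making the point above concrete: it derives the MSG_* values mc.exe generates from the .mc file earlier in the thread, shows why ErrorCode = STATUS_SUCCESS surfaces as "Event ID 0", and sizes a packet that carries the NTSTATUS plus an insertion string without overrunning the allocation. It builds user-mode with stand-in typedefs that mirror the ntddk.h layout (an assumption to check against your WDK); in the driver, replace them with ntddk.h and pass ERROR_LOG_MAXIMUM_SIZE as the cap.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <uchar.h>
/* User-mode stand-ins so this compiles outside a driver; in the driver delete them and
 * #include <ntddk.h>. Assumption: field-for-field copy of the ntddk.h IO_ERROR_LOG_PACKET
 * layout, with char16_t standing in for WCHAR. */
typedef int32_t NTSTATUS; typedef uint8_t UCHAR; typedef uint16_t USHORT; typedef uint32_t ULONG;
typedef struct _IO_ERROR_LOG_PACKET {
    UCHAR MajorFunctionCode;  UCHAR RetryCount;       USHORT DumpDataSize;
    USHORT NumberOfStrings;   USHORT StringOffset;    USHORT EventCategory;
    NTSTATUS ErrorCode;       ULONG UniqueErrorValue; NTSTATUS FinalStatus;
    ULONG SequenceNumber;     ULONG IoControlCode;    int64_t DeviceOffset;
    ULONG DumpData[1];
} IO_ERROR_LOG_PACKET;
/* What mc.exe emits for an entry of the .mc file above (MessageIdTypedef=NTSTATUS):
 * Severity (bits 31-30) | Facility (bits 27-16) | MessageId (bits 15-0). */
static NTSTATUS MakeMessageId(unsigned severity, unsigned facility, unsigned code)
{
    return (NTSTATUS)(((ULONG)severity << 30) | ((ULONG)facility << 16) | (code & 0xFFFFu));
}
/* Event Viewer shows the low 16 bits of ErrorCode as the Event ID: ErrorCode =
 * STATUS_SUCCESS (0) is exactly the "Event ID 0" quoted above. */
static unsigned EventIdOf(NTSTATUS errorCode) { return (ULONG)errorCode & 0xFFFFu; }
/* ErrorCode carries the MSG_* id the message table is keyed by; the NTSTATUS rides along
 * in FinalStatus and as dump data; one NUL-terminated insertion string follows the dump
 * data. Returns the size to request from IoAllocateErrorLogEntry, or 0 if it exceeds cap. */
static size_t BuildPacket(IO_ERROR_LOG_PACKET *p, size_t cap, NTSTATUS msgId,
                          NTSTATUS status, const char16_t *msg)
{
    size_t chars = 0; while (msg[chars] != 0) chars++;
    size_t msgBytes = (chars + 1) * sizeof(char16_t);
    size_t strOff = offsetof(IO_ERROR_LOG_PACKET, DumpData) + sizeof(ULONG);
    size_t total = strOff + msgBytes > sizeof(*p) ? strOff + msgBytes : sizeof(*p);
    if (total > cap || total > 0xFFFFu) return 0;   /* StringOffset is a USHORT */
    memset(p, 0, total);
    p->ErrorCode = msgId;             p->FinalStatus = status;
    p->DumpDataSize = sizeof(ULONG);  p->DumpData[0] = (ULONG)status;
    p->NumberOfStrings = 1;           p->StringOffset = (USHORT)strOff;
    memcpy((unsigned char *)p + strOff, msg, msgBytes);
    return total;
}
/* Constructed sample: the thread's "This is test" string under MSG_DRIVER_STARTING. */
static size_t DemoPacket(size_t cap)
{
    static uint64_t buf[32];                        /* 256 bytes, 8-byte aligned */
    if (cap > sizeof buf) cap = sizeof buf;
    return BuildPacket((IO_ERROR_LOG_PACKET *)buf, cap, MakeMessageId(1, 7, 2), 0, u"This is test");
}
```

The .mc text for that entry would then use %2 as the insertion string if you want the text to appear in Event Viewer, and the NTSTATUS is visible in the record's dump data.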

  • Thank you Peter, perfect guru :)

    I will code the same into KMDF; it was just a pilot for one of our requirements.