Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results


Instructions on tracelogging with kernel drivers

craniumrat Member Posts: 1

Hello everyone,

I have declared and defined a TraceLogProvider in my kernel driver along with a bunch of TraceLogging messages. The instructions for viewing those TraceLogging events in WinDbg during a live debug session are not clear. I have tried to follow instructions based on these two pages from MSDN.

https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/how-do-i-send-trace-messages-to-a-kernel-debugger-

which says I have to use logman start TraceSession -ets -mode KernelFilter -bs 3

and
https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/capture-and-view-tracelogging-data

which I have to use to create a WPRP file to register my Trace Provider.

Right now, with my driver installed and working, logman query providers does not list my driver as a trace provider. I am also not seeing any TraceLogging events in WinDbg.

Also, if I have to register my TraceProvider using wevtutil, how do I do that during driver installation?

Please help!

Regards,
Mridul.

(Cross-posted on WDK forum on MSDN).

Comments

  • Vadim_Sirotnikov Member Posts: 4

    I have never viewed TraceLogging traces in WinDbg. I usually use KdPrint or WPP to view in WinDbg, and use TraceLogging for recording detailed scenarios.

    However, I think you should be seeing your provider, either by name, or by GUID, once your driver is running.

    Make sure you called TraceLoggingRegister(g_hMyProvider); in DriverEntry (and TraceLoggingUnregister appropriately)
    see https://docs.microsoft.com/en-us/windows/desktop/tracelogging/tracelogging-native-quick-start

    If you've done this, the provider self-registers, and the first message sent has the manifest encoded, so you don't need wevtutil.

  • Mark_Roddy Member - All Emails Posts: 4,277
    via Email
    If it takes more than 5 minutes to enable logging then there is something distinctly lacking in the logging facility.

    Mark Roddy
  • Bill_Wandel Member - All Emails Posts: 214
    via Email
    I could not get the WPR recorder to work following the directions. I ended up using logman to start/stop the trace and then the WPA analyzer to view the results.

    Bill Wandel
  • Vadim_Sirotnikov Member Posts: 4

    Try this WPRP file. Just replace with your GUID

    <?xml version="1.0" encoding="utf-8"?>
    <WindowsPerformanceRecorder Version="1.0" Author="Microsoft Corporation"
        Copyright="Microsoft Corporation" Company="Microsoft Corporation">
      <Profiles>
        <!-- The ETW session (collector) the provider is attached to. -->
        <EventCollector Id="EventCollector_DummyCollector" Name="DummyCollector">
          <BufferSize Value="1024" />
          <Buffers Value="256" />
        </EventCollector>

        <!-- Name is the provider GUID. NonPagedMemory="true" keeps the session
             buffers in non-paged pool, which a kernel-mode provider needs. -->
        <EventProvider Id="EventProvider_DummyMyProvider" Name="GUID_GOES_HERE" NonPagedMemory="true">
        </EventProvider>

        <Profile Id="Dummy.Verbose.File" Name="Dummy" Description="Dummy" LoggingMode="File" DetailLevel="Verbose">
          <Collectors>
            <!-- The Value attributes must match the Id attributes declared above,
                 otherwise WPR rejects the profile. -->
            <EventCollectorId Value="EventCollector_DummyCollector">
              <EventProviders>
                <EventProviderId Value="EventProvider_DummyMyProvider">
                </EventProviderId>
              </EventProviders>
            </EventCollectorId>
          </Collectors>
        </Profile>

        <!-- The remaining profiles inherit the collector and provider from the
             Verbose/File profile; wpr picks one by Name plus the -filemode flag. -->
        <Profile Id="Dummy.Light.File" Name="Dummy" Description="Dummy" Base="Dummy.Verbose.File" LoggingMode="File" DetailLevel="Light" />
        <Profile Id="Dummy.Verbose.Memory" Name="Dummy" Description="Dummy" Base="Dummy.Verbose.File" LoggingMode="Memory" DetailLevel="Verbose" />
        <Profile Id="Dummy.Light.Memory" Name="Dummy" Description="Dummy" Base="Dummy.Verbose.File" LoggingMode="Memory" DetailLevel="Light" />
      </Profiles>
    </WindowsPerformanceRecorder>
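
Putting Bill's logman approach and Vadim's WPRP together, here is an added PowerShell example (it is not code from the original thread) that starts a trace session for a kernel-mode TraceLogging provider, stops it after a fixed interval, and decodes the resulting ETL file with Get-WinEvent. The provider GUID, session name, file paths and the "Dummy" profile name are placeholders/assumptions; run it from an elevated prompt on the target machine. One caveat worth knowing: logman query providers enumerates providers that registered a manifest or MOF class, so a self-describing TraceLogging provider need not show up there even while the driver is running; the session is enabled by GUID instead.

```powershell
# Added example, not from the original thread. Assumed placeholders: the provider
# GUID, the session name, the ETL path and the "Dummy" profile name in the WPRP.
# Run from an elevated PowerShell prompt on the machine running the driver.
param(
    [Parameter(Mandatory)][string]$ProviderGuid,   # with braces, e.g. "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}"
    [string]$SessionName = "MyDriverTrace",
    [string]$EtlPath     = "$env:TEMP\MyDriverTrace.etl",
    [string]$WprpPath,                             # optional: path to the WPRP above; omit to use logman
    [int]$Seconds        = 30
)

if ($WprpPath) {
    # WPR route. The token after '!' is the Profile Name attribute in the WPRP
    # ("Dummy"); -filemode selects the File logging mode instead of the
    # circular in-memory buffer, so every event lands in the ETL.
    & wpr.exe -start "$WprpPath!Dummy" -filemode
    if ($LASTEXITCODE -ne 0) { throw "wpr -start failed with exit code $LASTEXITCODE" }
    try {
        Write-Host "Capturing for $Seconds s; exercise the driver now."
        Start-Sleep -Seconds $Seconds
    }
    finally {
        & wpr.exe -stop $EtlPath | Out-Null
    }
}
else {
    # logman route. -ets creates the session immediately rather than a data
    # collector set. -p <guid> <keywords> <level> enables every keyword at
    # level 5 (Verbose). -bs is the buffer size in KB, -nb the min/max buffer
    # count; raise them if the session reports lost events.
    & logman.exe start $SessionName -p $ProviderGuid 0xFFFFFFFFFFFFFFFF 0x5 `
        -o $EtlPath -bs 1024 -nb 64 256 -ets
    if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }
    try {
        Write-Host "Capturing for $Seconds s; exercise the driver now."
        Start-Sleep -Seconds $Seconds
    }
    finally {
        & logman.exe stop $SessionName -ets | Out-Null
    }
}

# TraceLogging events carry their own field schema, so no manifest or wevtutil
# registration is needed to decode them. -Oldest is mandatory for .etl input.
Get-WinEvent -Path $EtlPath -Oldest |
    Where-Object { $_.ProviderId -eq [guid]$ProviderGuid } |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Fields'; Expression = { ($_.Properties | ForEach-Object { $_.Value }) -join ', ' } } |
    Format-Table -AutoSize -Wrap
```

Invoke it as `.\Capture-DriverTrace.ps1 -ProviderGuid "{...}"` for the logman path, or add `-WprpPath .\Dummy.wprp` to drive the WPRP instead. If the Fields column is empty for your events, run `tracerpt $EtlPath -o trace.xml -of XML` or open the ETL in WPA, both of which decode self-describing TraceLogging payloads.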
    
  • Bill_Wandel Member - All Emails Posts: 214
    via Email
    The file you included is not here.

    Thanks,
    Bill Wandel
  • Vadim_Sirotnikov Member Posts: 4

    @Bill_Wandel said:
    The file you included is not here.

    Thanks,
    Bill Wandel

    I included the code inline

  • Bill_Wandel Member - All Emails Posts: 214
    via Email
    Only the first line made it through.

    Thanks,
    Bill
  • Vadim_Sirotnikov Member Posts: 4
    via Email
    Try opening the webpage directly
  • Bill_Wandel Member - All Emails Posts: 214
    via Email
    I got it. I will try this later this week.
    Thanks,
    Bill
