Instructions on tracelogging with kernel drivers

craniumrat Member Posts: 4

Hello everyone,

I have declared and defined a TraceLogProvider in my kernel driver along with a bunch of TraceLogging messages. The instructions for viewing those TraceLogging events in WinDbg during a live debug session are not clear. I have tried to follow instructions based on these 2 pages from MSDN.

which says I have to use logman start TraceSession -ets -mode KernelFilter -bs 3


which I have to use to create a WPRP file to register my Trace Provider.

Right now, with my driver installed and working, logman query providers does not list my driver as a trace provider. I am also not seeing any TraceLogging events in WinDbg.

Also, if I have to register my TraceProvider using wevtutil, how do I do that during driver installation?

Please help!


  • Vadim_Sirotnikov Member Posts: 17

    I have never viewed TraceLogging traces in WinDbg. I usually use KdPrint or WPP to view in Windbg, and use TraceLogging for recording detailed scenarios.

    However, I think you should be seeing your provider, either by name, or by GUID, once your driver is running.

    Make sure you called TraceLoggingRegister(g_hMyProvider); in DriverEntry (and TraceLoggingUnregister appropriately).

    If you've done this, the provider self-registers, and the first message sent has the manifest encoded, so you don't need wevtutil.

  • Mark_Roddy Member - All Emails Posts: 4,305
    If it takes more than 5 minutes to enable logging then there is something distinctly lacking in the logging facility.

    Mark Roddy
  • Bill_Wandel Member - All Emails Posts: 228
    I could not get the WPR recorder to work following the directions. I ended up using logman to start/stop the trace and then the WPA analyzer to view the results.

    Bill Wandel
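    The logman-based workflow Bill describes, written out as an added example (not code from the thread). It assumes an elevated PowerShell prompt and a placeholder provider GUID that you replace with your own; the session name and output path are arbitrary. Note that logman query providers only enumerates providers that have a registered manifest, so a self-describing TraceLogging provider is not expected to appear there and is simply enabled by GUID.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
$ProviderGuid = '{00000000-0000-0000-0000-000000000000}'   # placeholder: your provider GUID
$Session      = 'MyDriverTrace'                            # arbitrary session name
$EtlPath      = Join-Path $env:TEMP 'mydriver.etl'

# TraceLogging providers carry their own event metadata and are not registered
# with the system, so this lookup is expected to come back empty for them.
$registered = logman query providers | Select-String -SimpleMatch $ProviderGuid
if (-not $registered) {
    Write-Host "Provider not listed by logman (normal for TraceLogging); enabling by GUID."
}

# Create and start an ETW session directly (-ets), enabling the provider with
# all keywords (0xFFFFFFFFFFFFFFFF) at the most verbose level (0xFF).
logman start $Session -p $ProviderGuid 0xFFFFFFFFFFFFFFFF 0xFF -o $EtlPath -ets
if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }

try {
    # Exercise the driver here (load it, send requests, etc.) while the session runs.
    Start-Sleep -Seconds 10
}
finally {
    # Always stop the session, otherwise it keeps buffering in the kernel.
    logman stop $Session -ets | Out-Null
}

Write-Host "Trace written to $EtlPath; open it in WPA (wpa.exe $EtlPath) to view the events."
```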
  • Vadim_Sirotnikov Member Posts: 17

    Try this WPRP file. Just replace with your GUID

    <?xml version="1.0" encoding="utf-8"?>
    <WindowsPerformanceRecorder Version="1.0" Author="Microsoft Corporation"
        Copyright="Microsoft Corporation" Company="Microsoft Corporation">
      <Profiles>
        <EventCollector Id="EventCollector_DummyCollector" Name="DummyCollector">
          <BufferSize Value="1024" />
          <Buffers Value="256" />
        </EventCollector>
        <!-- Name is the provider GUID (WPR also accepts *ProviderName for a TraceLogging provider). -->
        <EventProvider Id="EventProvider_DummyMyProvider" Name="GUID_GOES_HERE" NonPagedMemory="true" />
        <!-- Profile Ids must follow the Name.DetailLevel.LoggingMode pattern. -->
        <Profile Id="Dummy.Verbose.File" Name="Dummy" Description="Dummy" LoggingMode="File" DetailLevel="Verbose">
          <Collectors>
            <EventCollectorId Value="EventCollector_DummyCollector">
              <EventProviders>
                <EventProviderId Value="EventProvider_DummyMyProvider" />
              </EventProviders>
            </EventCollectorId>
          </Collectors>
        </Profile>
        <Profile Id="Dummy.Light.File" Name="Dummy" Description="Dummy" Base="Dummy.Verbose.File" LoggingMode="File" DetailLevel="Light" />
        <Profile Id="Dummy.Verbose.Memory" Name="Dummy" Description="Dummy" Base="Dummy.Verbose.File" LoggingMode="Memory" DetailLevel="Verbose" />
        <Profile Id="Dummy.Light.Memory" Name="Dummy" Description="Dummy" Base="Dummy.Verbose.File" LoggingMode="Memory" DetailLevel="Light" />
      </Profiles>
    </WindowsPerformanceRecorder>
  • Bill_Wandel Member - All Emails Posts: 228
    The file you included is not here.

    Bill Wandel
  • Vadim_Sirotnikov Member Posts: 17

    @Bill_Wandel said:
    The file you included is not here.

    Bill Wandel

    I included the code inline.

  • Bill_Wandel Member - All Emails Posts: 228
    Only the first line made it through.

  • Vadim_Sirotnikov Member Posts: 17
    Try opening the webpage directly.
  • Bill_Wandel Member - All Emails Posts: 228
    I got it. I will try this later this week.
