Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging

The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.

Check out The OSR Learning Library at:

Clarification on ETW decoding requirements

massoud_navabmassoud_navab Member Posts: 265

I use netsh trace start/convert on a provider and get some results. But most of the lines in the converted file indicate that they cannot be decoded.

Is it because MS leaves some TMF info in public symbol files but full set is only available in private PDBs.
Are ETWs closely gaurded or MS wants to give developers access.


  • Jeffrey_Tippet_[MSFT]Jeffrey_Tippet_[MSFT] Member - All Emails Posts: 573

    An ETL file can contain multiple flavors of traces:

    • ETW
    • WPP
    • TraceLogging

    Each has their own requirements to "decode" the trace.

    ETW events are decoded through a manifest that's usually shipped with the OS. Most ETW events aren't "secret". If you get errors decoding an ETW event, the most likely cause is that you're trying to decode the events on a different OS than they were captured on.

    We generally try to maintain backwards compatibility with ETW events, so if you're running OS version N+1, you can usually decode events from OS version N. But mistakes happen, so this isn't always 100% perfect. Also, sometimes the manifests can be removed by the featureset of the OS. E.g., if you are collecting Hyper-V traces, you might need to install Hyper-V on your OS in order to decode its traces.

    WPP events are decoded through a TMF, which is typically bundled into a PDB. WPP traces have historically been considered "secret", so by default our toolchain strips them out of PDBs before we publish the PDBs. A small handful of platform components (like NDIS) do the extra work to re-enable WPP traces in the public PDBs. A few other components ship the raw TMF files. But in general, you can't decode most WPP traces. You'll get messages like Unknown( ##): GUID=### (No Format Information found). when this happens.

    TraceLogging events don't really need a decode phase; they're just JSON. You can extract the event payload as text and run it through your favorite JSON reader. Although some tools can do a nicer job of formatting, e.g., timestamps and other standard metadata.

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 15 Jun 2020 LIVE ONLINE
Writing WDF Drivers 22 June 2020 LIVE ONLINE
Internals & Software Drivers 28 Sept 2020 Dulles, VA