Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
More Info on Driver Writing and Debugging
The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.problem with Event register
i want to Generate Log into Event viewer
when i install manifest file everything is good and i see my provider create in event viewer
but when i go to register event in filterDriver i get failed
this is manifest file content i used:
?xml version='1.0' encoding='utf-8' standalone='yes'?
instrumentationManifest
xmlns="http://schemas.microsoft.com/win/2004/08/events"
xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://schemas.microsoft.com/win/2004/08/events eventman.xsd"
#
#instrumentation#
#events#
#provider
guid="{XXXXXXXXXXXXX}"
messageFileName="%SystemDrive%\Sample\Driver.sys"
name="ProcessMonitor"
resourceFileName="%SystemDrive%\Sample\Driver.sys"
symbol="Process_Monitor"#
#channels#
#channel name="ProcessMonitor" chid="c1" symbol="Process_Monitor_Channel" type="Operational" enabled="true"##/channel#
#/channels#
#templates#
#template tid="load_Unload"#
#data
inType="win:UnicodeString"
name="Devname"
outType="xs:string"/#
#data
inType="win:UnicodeString"
name="Message"
outType="xs:string"/#
#data
inType="win:UInt32"
name="Status"
outType="xs:unsignedInt"/#
#/template#
#template tid="Event_Process"#
#data
inType="win:UInt32"
name="Processid"
outType="xs:unsignedInt"/#
#data
inType="win:UnicodeString"
name="ProcessName"
outType="xs:string"/#
#data
inType="win:UnicodeString"
name="ProcessArg"
outType="xs:string"/#
.........
.........
.........
#/template#
#/templates#
#events#
#event
channel="c1"
level="win:Informational"
message="$(string.EvtLoad.EventMessage)"
opcode="win:Start"
symbol="EvtLoad"
template="load_Unload"
value="1"/#
#event
channel="c1"
level="win:Informational"
message="$(string.EvtProcessLog.EventMessage)"
opcode="win:Info"
symbol="EvtProcessLog"
template="Event_Process"
value="2"/#
#event
channel="c1"
level="win:Informational"
message="$(string.EvtUnload.EventMessage)"
opcode="win:Stop"
symbol="EvtUnload"
template="load_Unload"
value="3"/#
#/events#
#/provider#
#/events#
#/instrumentation#
#localization xmlns="http://schemas.microsoft.com/win/2004/08/events"#
#resources culture="en-US"#
#stringTable#
#string
id="EvtLoad.EventMessage"
value="Driver Loaded"/#
#string
id="EvtProcessLog.EventMessage"
value="Process Created"/#
#string
id="EvtUnload.EventMessage"
value="Driver Unloaded"/#
#/stringTable#
#/resources#
#/localization#
/instrumentationManifest
i get error in this function:
if (*RegHandle != 0)
{
Error = 0; // ERROR_SUCCESS
}
else
{
Error = MCGEN_EVENTREGISTER(ProviderId, EnableCallback, CallbackContext, RegHandle); // i got this
}
return Error;
thank you
Howdy, Stranger!
| Upcoming OSR Seminars | ||
|---|---|---|
| OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead! | ||
| Developing Minifilters | 24 May 2021 | Live, Online |
| Writing WDF Drivers | 14 June 2021 | Live, Online |
| Internals & Software Drivers | 27 September 2021 | Live, Online |
| Kernel Debugging | 15 November 2021 | Live, Online |