Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.More Info on Driver Writing and Debugging
The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
problem with Event register
i want to Generate Log into Event viewer
when i install manifest file everything is good and i see my provider create in event viewer
but when i go to register event in filterDriver i get failed
this is manifest file content i used:
?xml version='1.0' encoding='utf-8' standalone='yes'?
instrumentationManifest
xmlns="http://schemas.microsoft.com/win/2004/08/events"
xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://schemas.microsoft.com/win/2004/08/events eventman.xsd"
#
#instrumentation#
#events#
#provider
guid="{XXXXXXXXXXXXX}"
messageFileName="%SystemDrive%\Sample\Driver.sys"
name="ProcessMonitor"
resourceFileName="%SystemDrive%\Sample\Driver.sys"
symbol="Process_Monitor"#
#channels#
#channel name="ProcessMonitor" chid="c1" symbol="Process_Monitor_Channel" type="Operational" enabled="true"##/channel#
#/channels#
#templates#
#template tid="load_Unload"#
#data
inType="win:UnicodeString"
name="Devname"
outType="xs:string"/#
#data
inType="win:UnicodeString"
name="Message"
outType="xs:string"/#
#data
inType="win:UInt32"
name="Status"
outType="xs:unsignedInt"/#
#/template#
#template tid="Event_Process"#
#data
inType="win:UInt32"
name="Processid"
outType="xs:unsignedInt"/#
#data
inType="win:UnicodeString"
name="ProcessName"
outType="xs:string"/#
#data
inType="win:UnicodeString"
name="ProcessArg"
outType="xs:string"/#
.........
.........
.........
#/template#
#/templates#
#events#
#event
channel="c1"
level="win:Informational"
message="$(string.EvtLoad.EventMessage)"
opcode="win:Start"
symbol="EvtLoad"
template="load_Unload"
value="1"/#
#event
channel="c1"
level="win:Informational"
message="$(string.EvtProcessLog.EventMessage)"
opcode="win:Info"
symbol="EvtProcessLog"
template="Event_Process"
value="2"/#
#event
channel="c1"
level="win:Informational"
message="$(string.EvtUnload.EventMessage)"
opcode="win:Stop"
symbol="EvtUnload"
template="load_Unload"
value="3"/#
#/events#
#/provider#
#/events#
#/instrumentation#
#localization xmlns="http://schemas.microsoft.com/win/2004/08/events"#
#resources culture="en-US"#
#stringTable#
#string
id="EvtLoad.EventMessage"
value="Driver Loaded"/#
#string
id="EvtProcessLog.EventMessage"
value="Process Created"/#
#string
id="EvtUnload.EventMessage"
value="Driver Unloaded"/#
#/stringTable#
#/resources#
#/localization#
/instrumentationManifest
i get error in this function:
if (*RegHandle != 0)
{
Error = 0; // ERROR_SUCCESS
}
else
{
Error = MCGEN_EVENTREGISTER(ProviderId, EnableCallback, CallbackContext, RegHandle); // i got this
}
return Error;
thank you
Howdy, Stranger!
| Upcoming OSR Seminars | ||
|---|---|---|
| OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead! | ||
| Internals & Software Drivers | 7 February 2022 | Live, Online |
| Kernel Debugging | 21 March 2022 | Live, Online |
| Developing Minifilters | 23 May 2022 | Live, Online |
| Writing WDF Drivers | 12 September 2022 | Live, Online |