I love IFR, but I loathe ETW.

IFR does exactly what I want: provide an always-on logging ring buffer available from a debugger both live and in a dump. So just for shirts and jiggles I have been playing around with putting IFR support in non-WDF drivers, like for example the MSFT NDIS LWF sample here: https://github.com/microsoft/Windows-driver-samples/tree/f28183b782d1f113492f6eea424172f2addaf565/network/ndis/filter

As always, replacing a legacy debug print macro with ETW is painful to get right, especially as level-based logging does not fit well with ETW’s native flag-based logging, and the docs and examples for how to do that are confusing due to an extremely unfortunate misnaming 20 years or so ago that is now cast in concrete. Anyway, that is not why I am posting this; I assumed that pain would exist as always.

After getting everything working my log was oddly wrong. Newlines were being eaten on some messages. Not only newlines, entire portions of the format message text could also be missing. After much trial and error, a goat sacrifice, but alas no rending of hair as there is no hair left to rend, I actually discovered the problem.

The code for the sample logs function entrance/exit using the following style:

DEBUGP(DL_TRACE, "===>DriverEntry...\n");
DEBUGP(DL_TRACE, "<===DriverEntry, Status = %8x\n", Status);

In every message with a ‘<’ character in the format string, ETW breaks the format text at the ‘<’ character. Nothing gets logged starting with that character.
Seems pretty wrong to me.

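A source check for the behaviour reported in the post, as an added example that is not part of the original post or of the Microsoft sample: it scans C source for `DEBUGP` calls whose format string contains `<` and shows the text that would remain if logging stops at that character, as the post describes. The function name `find_truncated_formats` and the `SAMPLE` input are constructed for illustration.

```python
import re

# One C string literal, allowing escaped characters such as \" and \n.
LIT = r'"(?:[^"\\\n]|\\.)*"'

def find_truncated_formats(source, macro="DEBUGP"):
    """Return (line, format, surviving_prefix) for each macro(level, "fmt", ...)
    call whose format string contains '<'. Adjacent literals are joined, as the
    C compiler would join them. Calls inside comments are not filtered out."""
    call_re = re.compile(
        r'\b' + re.escape(macro) + r'\s*\(\s*\w+\s*,\s*((?:' + LIT + r'\s*)+)')
    hits = []
    for m in call_re.finditer(source):
        # Strip the quotes from each literal and concatenate the pieces.
        fmt = "".join(piece[1:-1] for piece in re.findall(LIT, m.group(1)))
        cut = fmt.find("<")
        if cut != -1:
            line = source.count("\n", 0, m.start()) + 1
            hits.append((line, fmt, fmt[:cut]))
    return hits

# Constructed sample in the style of the calls quoted in the post.
SAMPLE = r'''
NTSTATUS DriverEntry(void)
{
    DEBUGP(DL_TRACE, "===>DriverEntry...\n");
    DEBUGP(DL_WARN, "value \"quoted\" ok\n");
    DEBUGP(DL_TRACE,
           "<===DriverEntry, "
           "Status = %8x\n", Status);
    DEBUGP(DL_INFO, "size < limit (%u)\n", size);
}
'''

if __name__ == "__main__":
    for line, fmt, kept in find_truncated_formats(SAMPLE):
        print(f"line {line}: format {fmt!r} would log only {kept!r}")
```
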