Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTDEV

Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


WinDbg !wmitrace.start failing due to missing symbols?

dbarriedbarrie Member Posts: 10
in NTDEV

I'm trying to set up a good workflow for getting trace logs displayed nicely in WinDbg for my kernel-mode driver that doesn't involve having to remember to copy files and muck about first on the target machine every time I start a new debug session. I am currently able to use traceview to load the driver's PDB file and get traces displayed in WinDbg, but it seems like the !wmitrace group of commands should allow me to do exactly the same operation from within the debugger, entirely on the host machine. Save the commands off as a script I can run easily, whatever.

However, attempting to start a new trace reports a bunch of missing symbols:

2: kd> !wmitrace.start myloggerid -kd
sym lookup 'nt!EtwpHostSiloState' failure
sym lookup 'nt!EtwpHostSiloState' failure
sym lookup 'nt!EtwpHostSiloState' failure
sym lookup 'nt!EtwpHostSiloState' failure
sym lookup 'nt!EtwpSiloState' failure
sym lookup 'nt!EtwpSiloState' failure
------------------------------------------------------
|                                                    |
|            NT symbols are not available            |
|   Kernel hints available (reduced functionality)   |
|                                                    |
------------------------------------------------------

sym lookup 'nt!EtwpHostSiloState' failure
sym lookup 'nt!EtwpHostSiloState' failure
sym lookup 'nt!EtwpSiloState' failure
sym lookup 'nt!EtwpSiloState' failure
sym lookup 'nt!EtwWmitraceWork' failure
sym lookup 'nt!EtwWmitraceWork' failure
sym lookup 'nt!ExpDebuggerWork' failure
sym lookup 'nt!ExpDebuggerWork' failure
Symbols are wrong or this version of the operating system does not support this command.

Obviously the command fails, and no myloggerid is created.

I'm pulling symbols down from MS' symbol store

2: kd> .sympath
Symbol search path is: srv*
Expanded Symbol search path is: cache*;SRV*https://msdl.microsoft.com/download/symbols

and other nt symbols show up just fine in the callstack. Running .symfix does not change the behavior. Symbols for the driver I'm debugging are also available, and I can step through code just fine. Everything else seems to be working, is what I'm getting at.

Both host and target machines are using the same version of Windows 10.

What gives?

· Share on Facebook
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Sign In Register
Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 16-20 October 2023 Live, Online
Developing Minifilters 13-17 November 2023 Live, Online
Internals & Software Drivers 4-8 Dec 2023 Live, Online
Writing WDF Drivers 10-14 July 2023 Live, Online

Categories