Driver Event Logging

Hi All,

I wanted to log messages from my driver based on NTSTATUS. I was following the way explained in Art Baker's Win2000 Device Driver book, but it looks a little hard to implement. Is there any easier way with the latest VS 2017? I tried the available APIs IoAllocateErrorLogEntry and IoWriteErrorLogEntry and was able to create an event, but with no information.

Any help is appreciated; thanks in advance.
(intermediate developer)

Do you need more information than what’s available on MSDN:


Toss the Baker book. The best thing I can say about it is that it’s out of date. Some of it, like the section on Power Management, was out of date when it was written, but I digress.

You should almost certainly be writing whatever code you’re writing in WDF, not in WDM.

ANYhow… yeah.

Peter
OSR
@OSRDrivers

Thank you Peter for the info,

I have followed the same, as below.

This is the function for logging to the event log:

VOID XXXXLogEvent(PVOID ioObject, NTSTATUS status, const CHAR * Msg)
{
    PIO_ERROR_LOG_PACKET pErrLogDetails = NULL;
    UNREFERENCED_PARAMETER(Msg);

    pErrLogDetails = IoAllocateErrorLogEntry(ioObject, sizeof(IO_ERROR_LOG_PACKET));
    if (NULL != pErrLogDetails) {
        RtlSecureZeroMemory(pErrLogDetails, sizeof(IO_ERROR_LOG_PACKET));

        pErrLogDetails->ErrorCode = status;

        /* write the entry only when the allocation succeeded */
        IoWriteErrorLogEntry(pErrLogDetails);
    }
    return;
}

From the driver (for the demo I removed the rest of the code):
…
…
.
    status = ZwEnumerateValueKey(hRegKey, 0, KeyValuePartialInformation, pKeyValuelInfo, 256, &retSize);
    XXXXLogEvent(pDrvObj, status, "This is test");
.
.

MC file:
MessageIdTypedef = NTSTATUS

SeverityNames = (
Success = 0x0:STATUS_SEVERITY_SUCCESS
Informational = 0x1:STATUS_SEVERITY_INFORMATIONAL
Warning = 0x2:STATUS_SEVERITY_WARNING
Error = 0x3:STATUS_SEVERITY_ERROR
)

FacilityNames = (
System = 0x0
RpcRuntime = 0x2:FACILITY_RPC_RUNTIME
RpcStubs = 0x3:FACILITY_RPC_STUBS
Io = 0x4:FACILITY_IO_ERROR_CODE
Driver = 0x7:FACILITY_DRIVER_ERROR_CODE
)

MessageId=0x0001
Facility=Driver
Severity=Informational
SymbolicName=MSG_LOGGING_ENABLED
Language=English
Event logging enabled for XXXXXX Driver.
.

MessageId=+1
Facility=Driver
Severity=Informational
SymbolicName=MSG_DRIVER_STARTING
Language=English
XXXX Driver has successfully initialized.
.

MessageId=+1
Facility=Driver
Severity=Informational
SymbolicName=MSG_DRIVER_STOPPING
Language=English
XXXXXX Driver has unloaded.
.

I was able to log an event in Event Viewer, but it is not what I wanted:

The description for Event ID 0 from source xxxxx cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

the message resource is present but the message is not found in the string/message table

OK. But that’s not what I asked you.

I asked you if you need more information than is available on the MSDN pages to which I referred you.

Specifically, I’ll ask again: Did you follow all those steps? Did you REGISTER your driver (by creating the appropriate values in the Registry) as an error message source?

Peter
OSR
@OSRDrivers

Yes Peter, I did; I followed https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/registering-as-a-source-of-error-messages

\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\XXXXX

with the entries EventMessageFile (with the path) and TypesSupported.

OK.

Hmmmm… well, from your code, it looks like you’re writing an error log packet that is completely empty?

The ErrorCode field should correspond with one of the message IDs that you created. So, MSG_LOGGING_ENABLED or MSG_DRIVER_STOPPING or whatever.

You appear to be passing an NTSTATUS in this field, and from the message you provided, I’d bet that status is STATUS_SUCCESS??

Peter
OSR
@OSRDrivers
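As an added illustration of Peter's point (this is not code from the thread or from OSR): a user-mode model of a correctly filled error-log packet. The struct below mirrors IO_ERROR_LOG_PACKET and ERROR_LOG_MAXIMUM_SIZE from wdm.h, calloc() stands in for IoAllocateErrorLogEntry(), and the MSG_* values are derived from the .mc file posted above (severity in bits 30-31, facility in bits 16-29, message ID in bits 0-15); the dump values and strings are constructed. It puts the mc.exe message ID in ErrorCode and the operation's NTSTATUS in FinalStatus, sizes the entry for an insertion string, and shows why ErrorCode = STATUS_SUCCESS turns up in Event Viewer as "Event ID 0".

```c
/* Added example: user-mode model of a WDM error-log packet. The struct mirrors
 * IO_ERROR_LOG_PACKET from wdm.h and ERROR_LOG_MAXIMUM_SIZE is the value wdm.h
 * defines; calloc() stands in for IoAllocateErrorLogEntry(), which likewise
 * returns NULL when it cannot provide the entry. Message IDs follow the .mc
 * file in the thread: severity<<30 | facility<<16 | message id. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int32_t  NTSTATUS;
typedef uint8_t  UCHAR;
typedef uint16_t USHORT;
typedef uint32_t ULONG;
typedef uint16_t WCHAR;                 /* UTF-16 code unit, as in the kernel */

#define ERROR_LOG_MAXIMUM_SIZE 0xF0     /* largest entry IoAllocateErrorLogEntry accepts */
#define STATUS_SUCCESS ((NTSTATUS)0)

/* Values from the poster's .mc file; mc.exe emits the MSG_* IDs into the generated header. */
#define STATUS_SEVERITY_INFORMATIONAL 0x1
#define FACILITY_DRIVER_ERROR_CODE    0x7
#define DRIVER_MSG(sev, fac, id) \
    ((NTSTATUS)(((ULONG)(sev) << 30) | ((ULONG)(fac) << 16) | (ULONG)(id)))
#define MSG_LOGGING_ENABLED DRIVER_MSG(STATUS_SEVERITY_INFORMATIONAL, FACILITY_DRIVER_ERROR_CODE, 0x0001)
#define MSG_DRIVER_STARTING DRIVER_MSG(STATUS_SEVERITY_INFORMATIONAL, FACILITY_DRIVER_ERROR_CODE, 0x0002)
#define MSG_DRIVER_STOPPING DRIVER_MSG(STATUS_SEVERITY_INFORMATIONAL, FACILITY_DRIVER_ERROR_CODE, 0x0003)

typedef struct _IO_ERROR_LOG_PACKET {   /* same field order and types as wdm.h */
    UCHAR    MajorFunctionCode;
    UCHAR    RetryCount;
    USHORT   DumpDataSize;              /* bytes of DumpData that follow the header */
    USHORT   NumberOfStrings;           /* insertion strings for %1, %2 ... in the .mc text */
    USHORT   StringOffset;              /* byte offset of the first string from packet start */
    USHORT   EventCategory;
    NTSTATUS ErrorCode;                 /* the mc.exe message ID, NOT the operation's NTSTATUS */
    ULONG    UniqueErrorValue;
    NTSTATUS FinalStatus;               /* this is where the operation's NTSTATUS belongs */
    ULONG    SequenceNumber;
    ULONG    IoControlValue;
    int64_t  DeviceOffset;              /* LARGE_INTEGER */
    ULONG    DumpData[1];
} IO_ERROR_LOG_PACKET, *PIO_ERROR_LOG_PACKET;

/* Event Viewer shows the low 16 bits of ErrorCode as "Event ID"; with
 * ErrorCode = STATUS_SUCCESS that is the "Event ID 0" seen in the thread. */
USHORT event_id_of(const IO_ERROR_LOG_PACKET *p) { return (USHORT)(p->ErrorCode & 0xFFFF); }

/* Length in UTF-16 units of a NUL-terminated WCHAR string (wcslen would assume 32-bit wchar_t on Linux). */
static size_t wlen(const WCHAR *s) { size_t n = 0; while (s && s[n]) n++; return n; }

/* Sizes and fills a packet the way a driver must before IoWriteErrorLogEntry:
 * header, then DumpData, then the NUL-terminated insertion string, with the
 * whole entry bounded by ERROR_LOG_MAXIMUM_SIZE (EntrySize is a UCHAR). */
PIO_ERROR_LOG_PACKET build_error_log_packet(NTSTATUS messageId, NTSTATUS finalStatus,
                                            const ULONG *dump, USHORT dumpCount,
                                            const WCHAR *insertion, size_t *outSize)
{
    size_t dumpBytes = (size_t)dumpCount * sizeof(ULONG);
    size_t strBytes  = insertion ? (wlen(insertion) + 1) * sizeof(WCHAR) : 0;
    size_t strOff    = offsetof(IO_ERROR_LOG_PACKET, DumpData) + dumpBytes;
    size_t total     = strOff + strBytes;
    if (total < sizeof(IO_ERROR_LOG_PACKET)) total = sizeof(IO_ERROR_LOG_PACKET);
    if (total > ERROR_LOG_MAXIMUM_SIZE) return NULL;   /* would not fit: shorten the string or dump */

    PIO_ERROR_LOG_PACKET p = calloc(1, total);         /* stand-in for IoAllocateErrorLogEntry */
    if (!p) return NULL;
    p->ErrorCode       = messageId;
    p->FinalStatus     = finalStatus;
    p->DumpDataSize    = (USHORT)dumpBytes;
    p->NumberOfStrings = insertion ? 1 : 0;
    p->StringOffset    = (USHORT)strOff;
    if (dumpBytes) memcpy(p->DumpData, dump, dumpBytes);
    if (strBytes)  memcpy((UCHAR *)p + strOff, insertion, strBytes);
    if (outSize) *outSize = total;
    return p;
}

/* Reads the insertion string back through StringOffset, as the event log service does. */
const WCHAR *packet_insertion_string(const IO_ERROR_LOG_PACKET *p)
{
    if (p->NumberOfStrings == 0) return NULL;
    return (const WCHAR *)((const UCHAR *)p + p->StringOffset);
}

int main(void)
{
    const WCHAR text[] = { 'T','h','i','s',' ','i','s',' ','t','e','s','t', 0 };  /* constructed */
    ULONG dump[2] = { 256, 0 };      /* constructed: e.g. buffer size and index of the failed call */
    size_t size = 0;
    PIO_ERROR_LOG_PACKET p = build_error_log_packet(MSG_DRIVER_STARTING, STATUS_SUCCESS,
                                                    dump, 2, text, &size);
    if (!p) return 1;
    printf("entry size %zu bytes, ErrorCode 0x%08X -> Event ID %u, string at offset %u\n",
           size, (unsigned)p->ErrorCode, event_id_of(p), p->StringOffset);
    free(p);
    return 0;
}
```

In the real driver the calloc() becomes IoAllocateErrorLogEntry(DriverObject, (UCHAR)total) and the filled packet goes to IoWriteErrorLogEntry(), which frees it; the size check belongs in the driver before that allocation, since entries larger than ERROR_LOG_MAXIMUM_SIZE are refused. The insertion string must be UTF-16 and NUL-terminated, and the message text in the .mc file needs a %1 placeholder for it to appear in the description.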

Thank you Peter, perfect guru :)

I will code the same into KMDF; it was just a pilot for one of our requirements.