No resource for ETW

Hello! I am learning how to use ETW. I was able to create a manifest file and use the generated macros (EventWrite…). However, I can’t successfully install the manifest:

C:\Users\adm\Desktop>wevtutil im iomon_etw.man
**** Warning: The resource file for publisher Iomon was not found or could not be opened. resourceFileName: %Systemroot%\System32\drivers\iomon.sys
**** Warning: Publisher Iomon resources could not be found or are not accessible to the Local Service account.

As I understand it, that means that some resources aren’t compiled into the sys file (maybe I’m wrong). I am doing everything step by step according to the tutorial https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/adding-event-tracing-to-kernel-mode-drivers . What should I do to fix this?

In your .man file you’ve specified two binaries:

  1. resourceFileName - contains the main compiled manifest resource
  2. messageFileName - contains localized string resource(s)
    see: https://docs.microsoft.com/en-us/windows/desktop/WES/identifying-the-provider

When you compile the .man, MC creates the binary resources (.bin files) and a .rc (resource compiler) file:
https://docs.microsoft.com/en-us/windows/desktop/WES/message-compiler--mc-exe-
The .rc and .bin resources need to be compiled and linked to some PE file that can contain resources.
It can be the .sys file itself, or a separate resource-only DLL.
This is probably the step you’re missing.

Finally, run wevtutil to get all bits together. So simple and intuitive :wink:

– pa

Thank you!
I’ll try that


I have the same issue. I tried adding the resource file to the Visual Studio project, but I get a linking error. The reason is that I have another .rc file in the driver. So how can I add both the existing .mc along with this new .man?

CVTRES : fatal error CVT1100: duplicate resource. type:MESSAGETABLE, name:1, language:0x0409
LINK : fatal error LNK1123: failure during conversion to COFF: file invalid or corrupt

1.rc - this is from manifest
LANGUAGE 0x9,0x1
1 11 "rev_etw_evts_MSG00001.bin"
1 WEVT_TEMPLATE "rev_etw_evtsTEMP.BIN"

2.rc - existing for wpp logs.
LANGUAGE 0x9,0x1
1 11 "drvlog_MSG00001.bin"

Please help here.