I would like to register one custom ETW provider for tracing through a command line tool like netsh and logman. How can I do that?
-Mrutyunjaya
On Jul 31, 2018, at 5:15 AM, xxxxx@hotmail.com wrote:
>
> I would like to register one custom ETW provider for tracing through a command line tool like netsh and logman. How can I do that?
Again, I need to assure you that Google is much faster than this list, and provides more complete solutions.
—
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Could you please point me to any MSDN URL? I am not getting the exact document for this.
-Mrutyunjaya
TraceLogging is super easy, like about 7 lines of code, and my preferred tracing API at the moment.
#include <traceloggingprovider.h>
TRACELOGGING_DECLARE_PROVIDER(logger);
TRACELOGGING_DEFINE_PROVIDER(logger, "MyTraceLoggingProviderKM",
    (0xb3864c38, 0x4273, 0x58c5, 0x54, 0x5b, 0x8b, 0x36, 0x08, 0x34, 0x34, 0x71));
TraceLoggingRegister(logger); // in DriverEntry
TraceLoggingWrite(logger, "MyCodeRan", TraceLoggingHexUInt32(value, "theValue"));
TraceLoggingUnregister(logger); // in DriverUnload
The value logging function (macros really) TraceLoggingHexUInt32 comes in many flavors to match your value type. You can also have a bunch of ways to filter events, like keywords, levels, channels.
Traces generated using TraceLogging have the formatting embedded, so you don’t need matching pdb (like WPP) or etw manifests to decode them. The downside of this self-describing format is it uses more space. There are a variety of tools to capture and view the traces. For viewing I like the filter expressions in Message Analyzer, but for simple use you can use TraceView or PerfView. Unlike pure printf style logs, ETW and as a result TraceLogging makes structured data, which you can programmatically manipulate in interesting ways. With two simple commands, you can also get TraceLogging events to show up in windbg.
Jan
-----Original Message-----
From: xxxxx@lists.osr.com On Behalf Of xxxxx@hotmail.com
Sent: Tuesday, July 31, 2018 5:16 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Adding ETW provider for tracing
I would like to register one custom ETW provider for tracing through a command line tool like netsh and logman. How can I do that?
-Mrutyunjaya
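Added example, not part of the original thread or written by any of its posters: one way to capture events from the provider GUID in the TraceLogging snippet above with logman, the tool named in the question. The session name and output path are assumptions; the script must run from an elevated PowerShell prompt.

```powershell
# Added example: capture events from the TraceLogging provider in the thread.
# Session name and .etl path below are hypothetical; adjust them as needed.

# GUID from TRACELOGGING_DEFINE_PROVIDER rewritten in registry format:
# (0xb3864c38, 0x4273, 0x58c5, 0x54, 0x5b, 0x8b, 0x36, ...) -> 8-4-4-4-12 digits.
$Provider = '{b3864c38-4273-58c5-545b-8b3608343471}'
$Session  = 'MyDriverTrace'                 # hypothetical session name
$EtlPath  = 'C:\Traces\MyDriverTrace.etl'   # hypothetical output file

function Invoke-Native {
    # Run an external command and fail loudly on a non-zero exit code.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE" }
}

New-Item -ItemType Directory -Force -Path (Split-Path $EtlPath) | Out-Null

# -ets sends the command straight to the event trace session.
# 0xffffffffffffffff enables every keyword, 0xff enables every level.
Invoke-Native logman @('start', $Session, '-p', $Provider,
                       '0xffffffffffffffff', '0xff', '-o', $EtlPath, '-ets')
try {
    # Confirm the provider GUID is attached to the running session.
    Invoke-Native logman @('query', $Session, '-ets')

    # Load the driver or exercise the code path that calls TraceLoggingWrite.
    Read-Host 'Reproduce the activity, then press Enter to stop the trace'
}
finally {
    # Always stop the session so it does not keep running and growing the file.
    Invoke-Native logman @('stop', $Session, '-ets')
}

# netsh alternative for the same provider (use instead of the logman calls):
#   netsh trace start provider=$Provider level=5 capture=no tracefile=$EtlPath
#   netsh trace stop
Write-Host "Trace written to $EtlPath"
```

The resulting .etl file can be opened in the viewers mentioned in the thread (TraceView, PerfView or Message Analyzer).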