Displaying logs generated from IoWMIWriteEvent

Hi,

I’ve been adding WMI support into a virtual bus driver this week and have a
few holes in my understanding.

I can fire events using IoWMIWriteEvent, and can get those saved in a trace
log using tracelog.exe. I have not figured out what program could read the
log file and interface with the WMI schema to interpret the binary data.
LogParser (which, if you’ve never played with it, you should) seems to be willing
to input the log file, but doesn’t seem to know where to look for the schema
data that goes with the event GUIDs.

I also see the MMC plugin called Performance Logs and Alerts seems to have a
facility to write trace logs, but could not figure out how to get it to log
MY events.

I’m looking for logging support for both development (high performance
logging) and for customer site support (something built into the OS). WPP
seemed only appropriate for development use, so I am figuring out how to do
“real” WMI. I’m also NOT using wmilib, as it says it can’t handle dynamic
instance names, and I will have instances of data coming and going over
time.

One more question: any guidelines about what should be reported via WMI and
what should go into the system event log? The event log is easy, but gives a lot
less rich data than WMI. LogParser basically allows me to do SQL queries on
the data in a log, and output it in formats ranging from pie charts to XML.

A documentation hint to Microsoft: making some pictures of the data layouts
for the WMI minor IRP codes would help a lot. The word description is a
little unclear: it says to have an offset to a counted string, but
nowhere does it say what a counted string actually is. It’s NOT a
UNICODE_STRING header followed by the Unicode string; it’s a Unicode string
with the first 16 bits being the length, with the offset pointing at the
length. Other places in the DDK docs seem to use the term “counted string”
interchangeably with UNICODE_STRING.

  • Jan
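The counted-string layout described in the last paragraph, as an added worked example that is not part of the original post: a small C program that lays out a WMI counted string (16-bit length first, characters immediately after, no UNICODE_STRING header) next to a UNICODE_STRING-style header, converts between the two, and decodes a counted string from an offset while rejecting a count that would run past the end of the buffer. It assumes, as the DDK's WMI conventions do, that the 16-bit count is a byte length (the post does not say bytes versus characters); the `unicode_string_t` stand-in, the function names, and the "Bus0" instance name are constructed for the example and are not part of wmilib or the DDK.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 16-bit code unit standing in for WCHAR so the example builds on any host. */
typedef uint16_t wchar16_t;

/* User-mode stand-in for the DDK's UNICODE_STRING: a header carrying byte
 * lengths and a pointer. The characters live elsewhere; this header is never
 * what a WMI buffer contains. */
typedef struct {
    uint16_t   Length;        /* bytes in use, terminator not counted */
    uint16_t   MaximumLength; /* bytes available at Buffer */
    wchar16_t *Buffer;
} unicode_string_t;

/* Encode a WMI counted string in place: a USHORT byte count (assumed, per the
 * DDK WMI conventions) immediately followed by the UTF-16 code units, with no
 * NUL terminator. Returns total bytes written, or 0 when the string would not
 * fit in the 16-bit count or in the output buffer. */
size_t wmi_counted_string_encode(const wchar16_t *chars, size_t nchars,
                                 uint8_t *out, size_t out_size)
{
    size_t byte_len = nchars * sizeof(wchar16_t);
    uint16_t count;

    if (byte_len > UINT16_MAX)                   /* count is only 16 bits */
        return 0;
    if (out_size < sizeof count + byte_len)      /* would overrun out */
        return 0;
    count = (uint16_t)byte_len;
    memcpy(out, &count, sizeof count);           /* the 16-bit length first */
    memcpy(out + sizeof count, chars, byte_len); /* then the characters */
    return sizeof count + byte_len;
}

/* Convert a UNICODE_STRING-style header into the inline counted form a WMI
 * instance-name list expects: the header is never copied, only its
 * characters, behind a 16-bit count. */
size_t unicode_string_to_wmi_counted(const unicode_string_t *us,
                                     uint8_t *out, size_t out_size)
{
    return wmi_counted_string_encode(us->Buffer, us->Length / sizeof(wchar16_t),
                                     out, out_size);
}

/* Decode the counted string that `offset` points at. The offset is the value
 * a WMI block would carry, pointing at the count, not at the characters.
 * Copies up to out_max code units and stores the real length in *nchars.
 * Returns 0 on success, -1 on malformed input: offset outside the buffer,
 * odd byte count, or a count that runs past buf_size. */
int wmi_counted_string_decode(const uint8_t *buf, size_t buf_size, size_t offset,
                              wchar16_t *out, size_t out_max, size_t *nchars)
{
    uint16_t count;

    if (offset > buf_size || buf_size - offset < sizeof count)
        return -1;                               /* no room for the count */
    memcpy(&count, buf + offset, sizeof count);
    if (count % sizeof(wchar16_t) != 0)
        return -1;                               /* not whole code units */
    if (buf_size - offset - sizeof count < count)
        return -1;                               /* count overruns the buffer */
    *nchars = count / sizeof(wchar16_t);
    if (*nchars > out_max)
        return -1;                               /* caller's array too small */
    memcpy(out, buf + offset + sizeof count, count);
    return 0;
}

/* Constructed sample: instance name "Bus0" held behind a UNICODE_STRING header. */
static wchar16_t sample_chars[] = { 'B', 'u', 's', '0' };

/* Round-trips the sample: header -> counted string -> characters. Returns the
 * encoded size (2-byte count + 8 bytes of characters = 10) or 0 on mismatch. */
size_t demo_roundtrip(void)
{
    unicode_string_t us = { sizeof sample_chars, sizeof sample_chars, sample_chars };
    uint8_t block[32] = { 0 };
    wchar16_t back[8];
    uint16_t count;
    size_t n = 0, size = unicode_string_to_wmi_counted(&us, block, sizeof block);

    memcpy(&count, block, sizeof count);         /* the length lives at offset 0 */
    if (size == 0 || count != 8)
        return 0;
    if (wmi_counted_string_decode(block, size, 0, back, 8, &n) != 0)
        return 0;
    if (n != 4 || memcmp(back, sample_chars, sizeof sample_chars) != 0)
        return 0;
    return size;
}

/* A count larger than the remaining buffer must be refused, not read past
 * the end. Returns 1 if the decoder rejects the constructed bad block. */
int demo_overrun_rejected(void)
{
    uint8_t bad[4];                              /* count says 16 bytes, 2 follow */
    uint16_t count = 16;
    wchar16_t out[8];
    size_t n;

    memcpy(bad, &count, sizeof count);
    bad[2] = 'B';
    bad[3] = 0;
    return wmi_counted_string_decode(bad, sizeof bad, 0, out, 8, &n) == -1;
}

int main(void)
{
    printf("encoded size: %zu bytes\n", demo_roundtrip());
    printf("overrun rejected: %d\n", demo_overrun_rejected());
    return 0;
}
```

The decoder checks the count against the buffer before touching the characters; that is the check a driver should make on any instance name or data block handed to it in a WMI IRP, since the 16-bit count is attacker-influenced data, not a trusted header.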