Driver event logging, and FacilityNames

I have some questions about writing to the event log from a driver. I’ve been looking at some MSDN resources about logging errors, here:

https://msdn.microsoft.com/en-us/library/windows/hardware/ff554312(v=vs.85).aspx

I’m unclear about what facility names are and how I should define them in my .mc file. I did find a userspace-oriented reference with a concrete example:

https://msdn.microsoft.com/en-us/library/windows/desktop/aa363680(v=vs.85).aspx

It seems to suggest that I should define four facility names:

FacilityNames=(System=0x0:FACILITY_SYSTEM
Runtime=0x2:FACILITY_RUNTIME
Stubs=0x3:FACILITY_STUBS
Io=0x4:FACILITY_IO_ERROR_CODE
)

I also found C:\WinDDK\7600.16385.1\src\serial\serial\serlog.mc, which defines them slightly differently (note the references to “RPC”):

FacilityNames=(System=0x0
RpcRuntime=0x2:FACILITY_RPC_RUNTIME
RpcStubs=0x3:FACILITY_RPC_STUBS
Io=0x4:FACILITY_IO_ERROR_CODE
Serial=0x6:FACILITY_SERIAL_ERROR_CODE
)

Comparing these two, it seems as if the serial example has defined its own unique facility name, which is consistent with my (probably inaccurate) understanding that the facility name is meant to distinguish messages from one driver versus another. So, what facility name should I define for my driver, and how do I ensure that the number I assign to it does not collide with anybody else’s driver?

Am I overthinking this? Should I just move forward copying the first example I cited above for FacilityNames and simply specify System as the facility for each of the messages I define? Or should I define an 0x6 of my own and call it whatever I want, and move on from there? Are there other resources I should be looking at? Am I going about driver event logging all wrong?

Based on the information available to me, I did concoct a .mc file that I was able to feed through mc.exe, then rc.exe, then link.exe, resulting in a DLL. It looks similar to this (note that I used Runtime for my facility, though on further consideration, I suspect that System makes more sense, or better yet, a facility name of my own [but with what number assigned to it?]):

MessageIdTypedef=NTSTATUS

SeverityNames = (
Success = 0x0:STATUS_SEVERITY_SUCCESS
Informational = 0x1:STATUS_SEVERITY_INFORMATIONAL
Warning = 0x2:STATUS_SEVERITY_WARNING
Error = 0x3:STATUS_SEVERITY_ERROR
)

FacilityNames=(System=0x0:FACILITY_SYSTEM
Runtime=0x2:FACILITY_RUNTIME
Stubs=0x3:FACILITY_STUBS
Io=0x4:FACILITY_IO_ERROR_CODE
)

LanguageNames=(English=0x409:MSG00409)

MessageId=0x1
Severity=Error
Facility=Runtime
SymbolicName=MSG_TEST
Language=English
Test message: %1
Insertion string percent two: %2
.

What is the correct way to proceed?

Thanks,
Mike

Yeah, the docs are old and kinda crufty. You should define your own facility name. I don’t recall how you choose the facility name value… which is really your question… but this IS defined somewhere (sorry).

For example, this is exactly what I used for a recent project (obviously, the project name wasn’t “Fred” but…)

MessageIdTypedef=NTSTATUS

SeverityNames=(Success=0x0:STATUS_SEVERITY_SUCCESS
Informational=0x1:STATUS_SEVERITY_INFORMATIONAL
Warning=0x2:STATUS_SEVERITY_WARNING
Error=0x3:STATUS_SEVERITY_ERROR
)

FacilityNames=(System=0x0
RpcRuntime=0x2:FACILITY_RPC_RUNTIME
RpcStubs=0x3:FACILITY_RPC_STUBS
Io=0x4:FACILITY_IO_ERROR_CODE
Fred=0x142:FACILITY_Fred_ERROR_CODE
)

MessageId=0x1 Facility=Fred Severity=Informational SymbolicName=Fred_READY
Language=English
%1: The Fred Device is initialized and ready
.
MessageId=0x2 Facility=Fred Severity=Informational SymbolicName=Fred_MSG_CARD_FAILURE
Language=English
%1: The Fred Device has failed
.

Peter
OSR
@OSRDrivers

Thanks for the example, I feel a little better about my little event log
experiment, then. I also reason that, since the registration for a message
catalog is unique to the driver’s name, choosing a facility *value* that
has already been chosen by another driver present on the system shouldn’t
cause any confusion looking up the correct message for the events my driver
might create. The only danger seems to be choosing a driver name that
collides with some other driver already present on the system. Let me know
if you think this is wrong, otherwise, I think I’m good to go!

On Sun, Apr 26, 2015 at 10:41 AM, wrote:

> Yeah, the docs are old and kinda crufty. You should define your own
> facility name. I don’t recall how you choose the facility name value…
> which is really your question… but this IS defined somewhere (sorry).
>
> For example, this is exactly what I used for a recent project (obviously,
> the project name wasn’t “Fred” but…)
>
> MessageIdTypedef=NTSTATUS
>
> SeverityNames=(Success=0x0:STATUS_SEVERITY_SUCCESS
> Informational=0x1:STATUS_SEVERITY_INFORMATIONAL
> Warning=0x2:STATUS_SEVERITY_WARNING
> Error=0x3:STATUS_SEVERITY_ERROR
> )
>
> FacilityNames=(System=0x0
> RpcRuntime=0x2:FACILITY_RPC_RUNTIME
> RpcStubs=0x3:FACILITY_RPC_STUBS
> Io=0x4:FACILITY_IO_ERROR_CODE
> Fred=0x142:FACILITY_Fred_ERROR_CODE
> )
>
> MessageId=0x1 Facility=Fred Severity=Informational SymbolicName=Fred_READY
> Language=English
> %1: The Fred Device is initialized and ready
> .
> MessageId=0x2 Facility=Fred Severity=Informational
> SymbolicName=Fred_MSG_CARD_FAILURE
> Language=English
> %1: The Fred Device has failed
> .
>
>
> Peter
> OSR
> @OSRDrivers