Enabling logging through an Exe

Hi All,

I am working on a file system filter driver. In this driver, I am tracing
the operations by means of an EXE which enables the tracing on the filter
driver (WPP software tracing mechanism).

Now considering it as a general case where the Filter driver is loaded at
the boot time and there is an executable which is enabling tracing on it
later, when at the earliest can I start this Exe, so that I do not miss any
logs?
The approach I was thinking of was to keep that Exe as a service, but services are
loaded much later than a filter driver.

So what can I do about it?

Regards,
Shreshth

> when at the earliest i can start this Exe, so that i do not miss any logs

The following worked for me: I queued all log messages inside the driver in memory and emptied the queue when an exe reported to the driver “I am ready to accept your messages” (through an IOCTL).

The drawbacks of such internal queueing: (a) if system crashes before an exe is ready, you miss the logs, and (b) if queued log size is not kept at bay, you take your chances with memory (so you’d better leave all formatting and the like to the exe and make queued messages as small as possible, numbers only).

----- Original Message -----
From: Shreshth Luthra
To: Windows File Systems Devs Interest List
Sent: Wednesday, April 19, 2006 5:56 AM
Subject: [ntfsd] Enabling logging through an Exe

Hi All,

I am working on a file system filter driver. In this driver, I am tracing the operations by means of an EXE which enables the tracing on the filter driver (WPP software tracing mechanism).

Now considering it as a general case where the Filter driver is loaded at the boot time and there is an executable which is enabling tracing on it later, when at the earliest can I start this Exe, so that I do not miss any logs?
The approach I was thinking of was to keep that Exe as a service, but services are loaded much later than a filter driver.

So what can I do about it?

Regards,
Shreshth
— Questions? First check the IFS FAQ at https://www.osronline.com/article.cfm?id=17 You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’ To unsubscribe send a blank email to xxxxx@lists.osr.com
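
The in-driver queueing described in the reply above, as an added example that is not code from any poster in this thread: a fixed-size ring of numeric-only records that overwrites the oldest entry when full, counts what it lost, and is drained into a caller buffer whose capacity is always checked. It is a user-mode model; the names (`LogQueue`, `logq_push`, `logq_drain`) and the capacity are hypothetical, and a real driver would take a spin lock around push and drain.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define LOGQ_CAPACITY 4u   /* constructed value, tiny so overflow is visible */

/* Numbers only: the exe maps event_id to text, nothing is formatted here. */
typedef struct { uint32_t seq; uint16_t event_id; uint32_t arg; } LogRecord;

typedef struct {
    LogRecord slots[LOGQ_CAPACITY];
    uint32_t head, count;  /* index of oldest record, records held */
    uint32_t next_seq;     /* sequence number for the next record */
    uint32_t dropped;      /* records overwritten since the last drain */
} LogQueue;

void logq_init(LogQueue *q) { q->head = q->count = q->next_seq = q->dropped = 0; }

/* Logging path: memory use is fixed; when full, the oldest record is
 * overwritten and the loss is counted instead of growing the queue. */
void logq_push(LogQueue *q, uint16_t event_id, uint32_t arg)
{
    uint32_t tail = (q->head + q->count) % LOGQ_CAPACITY;
    if (q->count == LOGQ_CAPACITY) {
        q->head = (q->head + 1) % LOGQ_CAPACITY;
        q->dropped++;
    } else {
        q->count++;
    }
    q->slots[tail].seq = q->next_seq++;
    q->slots[tail].event_id = event_id;
    q->slots[tail].arg = arg;
}

/* Models the handler for the exe's "I am ready" IOCTL: copies at most
 * `max` records (the caller's buffer capacity) and reports the loss count. */
size_t logq_drain(LogQueue *q, LogRecord *out, size_t max, uint32_t *dropped)
{
    size_t n = 0;
    while (n < max && q->count > 0) {
        out[n++] = q->slots[q->head];
        q->head = (q->head + 1) % LOGQ_CAPACITY;
        q->count--;
    }
    *dropped = q->dropped;
    q->dropped = 0;
    return n;
}

int main(void)
{
    LogQueue q; LogRecord out[3]; uint32_t lost; size_t n;
    logq_init(&q);
    for (uint32_t i = 0; i < 6; i++) logq_push(&q, (uint16_t)(100 + i), i);
    n = logq_drain(&q, out, 3, &lost);
    printf("drained=%zu lost=%u first_seq=%u\n", n, lost, out[0].seq);
    return 0;
}
```

A gap between the first drained `seq` and zero, together with the `dropped` count, tells the exe exactly how many early records it missed.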

> The drawbacks of such internal queueing: (a) if system crashes before an
> exe is ready, you miss the logs, and (b) if queued log size is not kept at
> bay, you take your chances with memory (so you’d better leave all
> formatting and the like to the exe and make queued messages as small as
> possible, numbers only).

Thanks for your reply. But this is what I was trying to avoid. I know I can
use my own exe and do IOCTL for this. But due to the drawbacks as mentioned
by you, I wanted to use the WPP mechanism that IFS kit is providing.
So, in such a case, I am having the EXE named TraceLog (source code not
available) and it will simply enable the logging. Rest of the mechanism
(queuing messages and putting them in a file) is taken care of by TraceLog
itself.

If such is the case, is it possible by any means that I get my EXE started
as soon as the Filter Driver loads (as closely as possible), so that I do
not miss any logs generated by my filter driver?

Regards,
Shreshth


Actually, if you did not realize it, the sources of TraceLog are available in
the platform SDK. As far as using the logging, you do have the problem of
you cannot for present OS’es get the log before you can issue the Win32
calls that Tracelog does. So if you have a filter at boot time, you are out
of luck. There is some boot time capability for WPP tracing with Vista, but
I have not explored this.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply


Actually, there is boot-time logging available from at LEAST XP onwards using a “global logger.” As Don mentioned, this facility is augmented by additional Vista logging features.

I found info on tracing during boot in the (draft) WDK, which for the moment at least is at this URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/DevTest_g/hh/DevTest_g/traceboot_8f532a14-1b0e-440d-a412-7dbeead60c09.xml.asp

HTH,

Peter
OSR

> you cannot for present OS’es get the log before you can issue the Win32
> calls that Tracelog does. So if you have a filter at boot time, you are out
> of luck.

Exactly my point.

> is it possible by any means that i get my EXE started as soon as the
> Filter Driver loads (as closely as possible),

Files and are also available only pretty much later, natives also do not
start early enough.

I would not ever do that myself, but what about registry as a temp storage
(very bad idea, but if you insist…)? Never tried to write into them, but
my very own [sub]keys in hklm\ccs\services\mydriver\mylogstuff are
accessible at mydriver’s DriverEntry.

They are surely available for reading, as you know.

An alternative might be a completely crazy thing of stealing a COM port
from OS and manually feeding info into it. I would certainly absolutely
positively love it in production though.

Maybe, queueing is not that bad for your purposes? Maybe some on-disk
flag that lets you know that you did not miss a beat (that’s what I used)?

----- Original Message -----
From: Shreshth Luthra
To: Windows File Systems Devs Interest List
Sent: Wednesday, April 19, 2006 8:21 AM
Subject: Re: [ntfsd] Enabling logging through an Exe

> The drawbacks of such internal queueing: (a) if system crashes before an exe is ready, you miss the logs, and (b) if queued log size is not kept at bay, you take your chances with memory (so you’d better leave all formatting and the like to the exe and make queued messages as small as possible, numbers only).

Thanks for your reply. But this is what I was trying to avoid. I know I can use my own exe and do IOCTL for this. But due to the drawbacks as mentioned by you, I wanted to use the WPP mechanism that IFS kit is providing.
So, in such a case, I am having the EXE named TraceLog (source code not available) and it will simply enable the logging. Rest of the mechanism (queuing messages and putting them in a file) is taken care of by TraceLog itself.

If such is the case, is it possible by any means that I get my EXE started as soon as the Filter Driver loads (as closely as possible), so that I do not miss any logs generated by my filter driver?

Regards,
Shreshth
