I will briefly explain my situation and then post my questions at the end. I have implemented ETW in a driver for my company and it works great. Currently, I have some events that are written to the System channel and therefore show up in the System event log in Event Viewer. However, no events are being written out to the System event log on a Server03 machine (even though it works fine on Vista and Win7). When compiling my manifest using mc.exe, I include the “-MOF” option, which generates an MOF file and creates a header file that is compatible with Win XP (or Server03). One theory I have for why events aren’t showing in the log on an XP machine is that my provider is not being properly registered with the system (I run mofcomp.exe to install the appropriate classes in WMI). However, when I run something like “logman query providers”, my provider shows up in the list, so maybe that theory is out the window. Also, the header file that is generated when I compile my manifest maps a macro that should register my provider depending on which operating system the machine is running (e.g. it calls PfnEtwRegister for Vista or newer and IoWMIRegistrationControl for XP). Something else I have come across in my research is the idea that “channels” in a manifest-based provider are new to Vista. Because it is the channel that partly determines where an event is written, maybe this is my problem. So here are my questions:
- Is there an appropriate way to have a manifest-based event provider write to the System event log on a Server03/XP machine? Is using “channels” incorrect (assuming that they are new to Vista), and if they are incorrect, is there a right way to do it?
- Is the EventRegister macro in the generated header file adequate to register my provider on any Windows OS? I know it works for Vista because I have thoroughly tested it, but do I need to take more steps for an XP machine (e.g. should I be calling something like StartTrace / EnableTrace, or is this taken care of for me)?
I hope this makes sense. I am quite new to driver-level coding (I graduated from college in December), so I apologize if this is a newbie question. I have spent a couple of days researching and testing theories and seem to be stuck. There are obviously many details I have left out, as ETW is fairly complex, but I am happy to provide more detail as needed. Thanks in advance for any guidance/suggestions.