EVENT_TRACE_KD_FILTER_MODE in Windows Server 2003

There was a post a couple of years ago:
http://www.osronline.com/showThread.CFM?link=137290

I am experiencing the same problem. How should WPP’s kd logging be used properly in Windows Server 2003?

So do you define the WPP_DEBUG macro to send output to the kernel debugger, like this?

#define WPP_DEBUG(args) DbgPrint args

Then, do you also define WPP_CHECK_FOR_NULL_STRING to protect against referencing 0 pointers?
Any custom complex types?

– pa

I do not define the WPP_DEBUG macro.
I do not define NO_CHECK_FOR_NULL_STRING, so WPP_CHECK_FOR_NULL_STRING is defined as 1.
No complex types.
I use the EVENT_TRACE_KD_FILTER_MODE flag to send traces to the kernel debugger.
Here is the code I am using in Vista+ to start the tracing session:

// Headers: <windows.h>, <tchar.h>, <wmistr.h>, <evntrace.h>
TRACEHANDLE handle;
// EVENT_TRACE_PROPERTIES followed by the name buffers that its offsets point to
struct EVENT_TRACE_PROPERTIES2 : EVENT_TRACE_PROPERTIES
{
    TCHAR LoggerName [1024];
    TCHAR LogFileName[1024];
} trace;
ZeroMemory(&trace, sizeof(trace));
_tcscpy_s(trace.LogFileName, _T("LogFile.etl"));
trace.Wnode.BufferSize = sizeof(trace); // total size, name buffers included
trace.Wnode.Flags = WNODE_FLAG_TRACED_GUID;
trace.FlushTimer = 1; // seconds
trace.LoggerNameOffset = FIELD_OFFSET(EVENT_TRACE_PROPERTIES2, LoggerName);
trace.LogFileNameOffset = FIELD_OFFSET(EVENT_TRACE_PROPERTIES2, LogFileName);
trace.LogFileMode = EVENT_TRACE_KD_FILTER_MODE | EVENT_TRACE_REAL_TIME_MODE | EVENT_TRACE_FILE_MODE_SEQUENTIAL;
// Build 3790 is Windows Server 2003: drop the KD flag there
if (HIWORD(GetVersion()) == 3790) trace.LogFileMode &= ~EVENT_TRACE_KD_FILTER_MODE; // WS2003 hack
if (StartTrace(&handle, _T("SessionName"), &trace) == ERROR_SUCCESS)
{
    // Enable both WPP providers with all flags at the maximum level
    EnableTrace(TRUE, 0xFFFFFFFF, 0xFF, &WppDriverGuid, handle);
    EnableTrace(TRUE, 0xFFFFFFFF, 0xFF, &WppRpcLibGuid, handle);
}

It crashes only in Windows Server 2003.

KD_FILTER_MODE has a 3K maximum trace buffer size restriction. If I remember correctly, the validation was not done properly prior to Vista. Also, prior to Vista, enabling KD_FILTER_MODE but not having a debugger attached also had problems.
Thanks,
Alex

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@Gmail.com
Sent: Wednesday, March 16, 2011 9:15 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] EVENT_TRACE_KD_FILTER_MODE in Windows Server 2003
