Let me start with: WPP is for software tracing, not really intended for diagnostics.
The library that decodes the events, Traceprt, is not public.
In Vista, Traceprt is a static lib, and we have solved several decoding problems and made improvements; down-level it is a DLL.
Some further details.
It may be hard to do this work without calling the lib, because the lib APIs decode the header, then find the TMF information that matches the message GUID in the event, and finally decode the event, providing you a string.
EVENT_HEADER is public, and the header has the EVENT_HEADER_FLAG_TRACE_MESSAGE flag indicating that this event was logged with WPP (WPP uses TraceMessage/WmiTraceMessage on W2K and above).
So in the callback you only have access to the message GUID and the message number. The message ID is used to find the file that contains the decoding info, and the message number finds the description of the event in the file. Still this may not be enough for you because you need the payload to make a decision.
What you can do is to actually define the events that you will be interested in, write the MOF file, and log these events. I am sure that there are not many of them.
You will have to define a provider GUID for this type of events and register with ETW.
You can then enable just the provider with the appropriate flags.
Then in the callback you know if this is your fatal event and take appropriate action.
If you are running on Vista, you will be able to decode the events. Vista provides Trace Data Helper (TDH) APIs which are able to decode the WPP events. Take a look in MSDN.
In the ProcessTrace callback you can call TDH to crack the message and you can take a look at the decoded event. But the payload is provided to the user as the formatted string specified in the TMF file.
Hope this helps.
Thanks,
Jose Sua
Microsoft Corporation
This posting is provided “AS IS” with no warranties and confers no rights.
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Thursday, January 25, 2007 1:37 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Help Regarding Some WPP Questions
Peter thanks once again for your reply.
Regarding your questions/suggestions, yes, the systems were built with the guidelines that the Fatal event would be sent to the IT department personnel. And since we are already paying, performance-wise, for a global logger, adding this capability would not have greater impact.
By the way, I haven’t mentioned it before because I don’t think it is relevant, but the systems are Win32 Services.
Apparently a mistake was made when evaluating WPP and its ease of interpreting the event data; unfortunately, only now is it being implemented.
I would ask for your help once again, if you could answer my following questions so I can clearly evaluate the situation and how to solve it.
- Is the WPP interpretation shared by Microsoft in any way (General Public, Microsoft Partners, …)?
- Is the traceprt.dll usage/documentation, the DLL I’m guessing does the WPP interpretation, shared by Microsoft in any way (General Public, Microsoft Partners, …)?
Thanks In Advance
Cláudio Albuquerque