Help Regarding Some WPP Questions

Hi All,

I’ve been trying to find some information about WPP / ETW and that’s proven to be quite difficult until Matt Pietrek was kind enough to indicate this forum.
I already reviewed most of the posts regarding WPP; hopefully I didn’t miss the one that answers these questions:

I need to get some information on processing the ETL files in conjunction with TMF files; I searched on this subject but didn’t find any information on how to implement this. I use Tracefmt and Traceview, but I need to implement something that fires an event (email, …) when a Fatal event is logged. I would need to detect this type of event (Flag) and then get the textual information regarding the event.

Additionally, is there any way to register my trace provider so that it shows up in the Nonsystem Providers of the Trace Logs Management Console (under Performance Logs and Alerts)?

I also did a sample app to stress the WPP/ETW system; it was something like:
….
for (DWORD dw1 = 0; dw1 < 100000; dw1++) {
    Sleep(0);                                  // yield, then log one WPP message per iteration
    DoTraceMessage(Debug, L"Test = %d", dw1);
}
……
And I could not log all the events doing a simple StartTrace() / StopTrace(); a lot of events were lost. Is there something specific I should configure in the EVENT_TRACE_PROPERTIES?

I would be grateful if you could dispense any help on these subjects.

Thanks
Cláudio Albuquerque

You should use WPP for diagnostic tracing. If you want to trigger an event (sending an email) then you should use the event log instead.

-p

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Wednesday, January 24, 2007 11:51 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Help Regarding Some WPP Questions

Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Beforehand thanks for the reply Peter.

Your suggestion makes perfect sense; it only has one big problem for me: it implies the duplication of information in the code (event log + WPP statements), and we already walked down that path once (using LogEvent but not WPP) and it proved to be quite difficult to maintain a cohesive set of information.

The actual system now has a global aggregator of the WPP/ETW events generated; in the sum of it all it’s globally a low event rate. The system performance paid is well worth it, having the knowledge of what went wrong.

So to this aggregator we would like to add a little more intelligence and interpret the event and do whatever with it. So, is this interpretation possible?

Do you have any other info/advice regarding my other questions?

Regards
Cláudio Albuquerque

Switch entirely over to ETW events?

I understand what you’re saying about not wanting to duplicate data. But unless you’ve really been diligent about it, trace entries are usually things that are interesting to the developer, not things that are interesting to a software agent, and they’re usually formatted in a way that’s only usable by the developer.

If you want to drive the agent through events from your driver then you should go through and actually design your events - look at what the agents need to do, then figure out the right things to report in your driver and report them. You’re creating an actual interface for your driver and should be certain you’ve really thought it through.

-p

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Thursday, January 25, 2007 2:53 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Help Regarding Some WPP Questions


Peter thanks once again for your reply.

Regarding your questions/suggestions, yes, the systems were built with the guideline that the Fatal event would be sent to the IT department personnel. And since we are already paying, performance wise, for a global logger, adding this capability would not have a greater impact.
By the way, I haven’t mentioned it before because I don’t think it is relevant, but the systems are Win32 Services.

Apparently a mistake was made when evaluating WPP and its ease of interpreting the event data; unfortunately only now is it being implemented.

I would ask for your help once again: if you could answer my following questions, I can clearly evaluate the situation and how to solve it.

  • Is the WPP interpretation shared by Microsoft in any way (General Public, Microsoft Partners, …)?
  • Is the traceprt.dll usage/documentation (the DLL I’m guessing does the WPP interpretation) shared by Microsoft in any way (General Public, Microsoft Partners, …)?

Thanks In Advance
Cláudio Albuquerque

Let me start with: WPP is for software tracing, not really intended for diagnostics.

The library that decodes the events, Traceprt, is not public.

In Vista, Traceprt is a static lib and we have solved several decoding problems and made improvements; down-level it is a DLL.

Some further details.
It may be hard to do this work without calling the LIB, because the Lib APIs decode the header, then find the TMF information that matches the message GUID in the event, and finally decode the event, providing you a string.
EVENT_HEADER is public, and the header has the EVENT_HEADER_FLAG_TRACE_MESSAGE flag indicating that this event was logged with WPP (WPP uses TraceMessage/WmiTraceMessage on W2K and above).

So in the callback you only have access to the message GUID and the message number. The message ID is used to find the file that contains the decoding info, and the message number finds the description of the event in the file. Still, this may not be enough for you because you need the payload to make a decision.

What you can do is to actually define the events that you will be interested in, write the MOF file, and log these events. I am sure that there are not many of them.
You will have to define a provider GUID for this type of events and register with ETW.
You can then enable just the provider with the appropriate flags.
Then in the callback you know if this is your fatal event and can take appropriate action.

If you are running on Vista, you will be able to decode the events. Vista provides Trace Data Helper (TDH) APIs which are able to decode the WPP events. Take a look on MSDN.

In the ProcessTrace callback you can call TDH to crack the message and take a look at the decoded event. But the payload is provided to the user as the formatted string specified in the TMF file.

Hope this helps.

Thanks,
Jose Sua
Microsoft Corporation
This posting is provided “AS IS” with no warranties and confers no rights.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Thursday, January 25, 2007 1:37 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Help Regarding Some WPP Questions

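The lookup Jose describes (message GUID plus message number selecting the TMF entry, then a flag check in the callback) and the original question of alerting on Fatal-flagged messages, as an added example that is not code from this thread or from Microsoft. It assumes a TMF laid out the way tracepdb emits it (the sample below is constructed), takes the message arguments as already-decoded values since, as the thread says, decoding the raw payload needs Traceprt or TDH, and uses the EVENT_HEADER_FLAG_TRACE_MESSAGE value from evntcons.h.

```python
import re
from dataclasses import dataclass

# evntcons.h: set in EVENT_HEADER.Flags for events logged via TraceMessage (WPP).
EVENT_HEADER_FLAG_TRACE_MESSAGE = 0x0008

# Constructed sample TMF (not real tracepdb output), in the tracepdb layout:
# a GUID line, then one "#typev" entry per message with number, format and flags.
SAMPLE_TMF = """\
a1b2c3d4-e5f6-4a7b-8c9d-0123456789ab svc_c // SRC=svc.c MJ= MN=
#typev svc_c10 10 "%0Test = %10!d!" //   LEVEL=Debug FLAGS=Debug FUNC=wmain
{
dw1, ItemLong -- 10
}
#typev svc_c42 11 "%0DB unreachable after %10!d! retries: %11!s!" //   LEVEL=Error FLAGS=Fatal FUNC=Connect
{
retries, ItemLong -- 10
reason, ItemString -- 11
}
"""

GUID_LINE = re.compile(r"^([0-9a-f-]{36})\s+\S+\s*//", re.I)
TYPEV_LINE = re.compile(r'^#typev\s+\S+\s+(\d+)\s+"(.*)"\s*//\s*(.*)$')
ARG_REF = re.compile(r"%(\d+)!\w+!")          # e.g. %10!d! -> first argument

@dataclass(frozen=True)
class MessageDesc:
    fmt: str
    level: str
    flags: str

def parse_tmf(text):
    """Index one TMF file as {(message GUID, message number): MessageDesc}."""
    table, guid = {}, None
    for line in text.splitlines():
        if m := GUID_LINE.match(line):
            guid = m.group(1).lower()
        elif guid and (m := TYPEV_LINE.match(line)):
            kv = dict(t.split("=", 1) for t in m.group(3).split() if "=" in t)
            table[(guid, int(m.group(1)))] = MessageDesc(m.group(2), kv.get("LEVEL", ""), kv.get("FLAGS", ""))
    return table

def render(desc, args):
    """Expand %N!type! references (WPP numbers them from 10); %0 is the trace prefix and is dropped."""
    return ARG_REF.sub(lambda m: str(args[int(m.group(1)) - 10]), desc.fmt.replace("%0", ""))

def on_event(header_flags, guid, message_number, args, table):
    """Mirror of the ProcessTrace callback decision: WPP event? known TMF entry? flagged Fatal?
    `args` are the already-decoded message arguments (assumption, see lead-in).
    Returns (is_fatal, text), or None for events that are not known WPP messages."""
    if not header_flags & EVENT_HEADER_FLAG_TRACE_MESSAGE:
        return None
    desc = table.get((guid.lower(), message_number))
    return None if desc is None else (desc.flags == "Fatal", render(desc, args))
```

A real agent would build the table from every TMF in the directory tracepdb produced and hand the (is_fatal, text) pair to the notification path.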

Hi Jose,

Thanks a lot for your detailed explanation, it was really helpful.

All systems run on server machines so Vista is out of the question, and I don’t think the upgrade will be immediate once Longhorn Server comes out.
This leads to a couple of maybe naive questions, and hopefully I won’t get flamed a lot on these ones.

  • Making the TDH.dll work on 2003 and XP is out of the question and Microsoft isn’t planning on it, right?
  • A downgrade of the Traceprt static lib is not in Microsoft’s plans and it would be difficult for me to try, correct?

Thanks once again
Cláudio Albuquerque

  • TDH will not work down-level.

  • We provide TDH only.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Friday, January 26, 2007 12:24 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Help Regarding Some WPP Questions


Hi Jose,

Thanks for all your replies. Still regarding the details of your previous question, which was most helpful: so, in conclusion, the structure of the payload is not publicly available. So I hope you can answer my final question: will the payload be pointed to by the MofData pointer?

Kind Regards and Thanks for all your help
Cláudio Albuquerque

> Some further details.
> It may be hard to do this work without calling the LIB, because the Lib APIs decode the header, and then find the TMF information that matches the message GUID in the Event, and finally decodes the event, providing you a string.
> EVENT_HEADER is public, and the header has the EVENT_HEADER_FLAG_TRACE_MESSAGE flag indicating that this event was logged with WPP (WPP uses TraceMessage/WmiTraceMessage W2K and above).
>
> So in the callback you only have access to the message GUID and the message number. The message ID is used to find the file that contains the decoding info, and the message number finds the description of the event in the file. Still this may not be enough for you because you need the payload to make a decision.