Integrating cloud-backed driver debug logs for WDF/KMDF projects

Hello everyone,

I’m working on a Windows KMDF driver that is part of a larger system where logs from the kernel side are uploaded in real time to one of the major cloud service providers for later analysis. The driver uses WdfRequest queues and IoCompletion routines, and I would like to integrate a mechanism where, upon certain error conditions, I capture a mini-dump or kernel trace and push it to a cloud backend (via REST) so I can correlate device-driver faults with higher-level system events.
My questions:

  1. Are there recommended practices in kernel-mode (or WDF) for minimal-impact logging that still supports an upload to cloud infrastructure without killing performance?

  2. For remote upload from kernel space, is it better to hand off logging to a user-mode service (which then interfaces with the cloud service) rather than attempt to implement HTTP(S) inside driver code?

  3. Has anyone combined WinDbg live kernel debugging (or dump-analysis workflows) with data captured via cloud service providers and then used that enriched data to enhance root-cause analysis of device drivers?

Thanks in advance for your help and time.

Implementing an HTTP client in KM could be done, but the ever-changing standards around security make this a difficult proposition from a maintenance point of view, if nothing else. A UM service written in C# can do the same job with a handful of lines of code and is much easier to upgrade when the next security patch is needed.

The de facto tracing technology is ETW. It can be annoying to set up, but there is lots of data readily available on an out-of-the-box system without you needing to code anything. Again, this is available directly from UM with no need for driver support, except that your driver(s) need to define the counters and traces that they will produce.

When you say ‘real time’, how close to real time are you thinking? How serious is it if some data is lost? If you want to upload a dump of the system, you won’t do that while the system is crashing, but maybe after the next boot.

Windows Error Reporting does that now. It just uploads to Microsoft, and you have to sign up (somehow) to find out about crashes that relate to your UM or KM components. Since the crashes that I am interested in happen on servers that are on premises for us, I just collect local dumps and have never worried about this part.
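A minimal user-mode collector along the lines of the reply above (driver emits ETW, a UM service consumes it and does the REST upload), as an added example that is not code from either poster. It assumes the Microsoft.Diagnostics.Tracing.TraceEvent NuGet package, .NET 6 or later, administrator rights (needed to start an ETW session), and placeholder values for the driver's provider GUID and the upload endpoint; the bounded queue addresses the "how serious is it if some data is lost" question by dropping under backpressure rather than stalling the ETW callback, and counting the drops.

```csharp
// Added example (not from the thread): user-mode ETW consumer that batches driver events to a REST
// endpoint. Assumes the Microsoft.Diagnostics.Tracing.TraceEvent NuGet package, admin rights
// (required to start an ETW session) and the placeholder provider GUID / endpoint URL below.
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Net.Http;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Diagnostics.Tracing;
using Microsoft.Diagnostics.Tracing.Session;

class DriverTraceUploader {
    static readonly Guid ProviderGuid = new Guid("00000000-0000-0000-0000-000000000000"); // placeholder
    const string Endpoint = "https://example.invalid/api/driver-events";                 // placeholder
    // Bounded queue: a slow backend drops events instead of stalling the ETW callback thread.
    static readonly BlockingCollection<string> Queue = new BlockingCollection<string>(10_000);
    static long dropped;

    static void Main() {
        var uploader = Task.Run(UploadLoop);
        using (var session = new TraceEventSession("DriverCloudLogSession")) {
            // Warning and above keeps steady-state overhead low; lower the level only while debugging.
            session.EnableProvider(ProviderGuid, TraceEventLevel.Warning);
            session.Source.Dynamic.All += (TraceEvent e) => {
                var rec = new Dictionary<string, object> { ["ts"] = e.TimeStamp.ToUniversalTime(),
                    ["event"] = e.EventName, ["level"] = e.Level.ToString(), ["pid"] = e.ProcessID };
                for (int i = 0; i < e.PayloadNames.Length; i++) rec[e.PayloadNames[i]] = e.PayloadValue(i)?.ToString();
                // TryAdd returns false immediately when the queue is full: never block the ETW callback.
                if (!Queue.TryAdd(JsonSerializer.Serialize(rec))) Interlocked.Increment(ref dropped);
            };
            Console.CancelKeyPress += (s, a) => { a.Cancel = true; session.Stop(); }; // stop the kernel session cleanly
            session.Source.Process(); // blocks until the session is stopped
        }
        Queue.CompleteAdding(); uploader.Wait();
        Console.Error.WriteLine($"events dropped under backpressure: {Interlocked.Read(ref dropped)}");
    }

    static async Task UploadLoop() {
        using var http = new HttpClient();
        var batch = new List<string>();
        foreach (var json in Queue.GetConsumingEnumerable()) {
            batch.Add(json);
            if (batch.Count < 100 && Queue.Count > 0) continue; // keep filling the batch while events are flowing
            var body = new StringContent("[" + string.Join(",", batch) + "]", Encoding.UTF8, "application/json");
            try { (await http.PostAsync(Endpoint, body)).EnsureSuccessStatusCode(); }
            catch (HttpRequestException ex) { Console.Error.WriteLine($"upload failed: {ex.Message}"); }
            batch.Clear();
        }
    }
}
```

A real deployment would add authentication to the POST (a bearer token or client certificate) and persist failed batches to disk so an outage of the backend does not lose the events that matter most.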