Hello! I am learning how to use ETW. I was able to create a manifest file and use the generated macros (EventWrite…). However I can't successfully install the manifest:

C:\Users\adm\Desktop>wevtutil im iomon_etw.man
**** Warning: The resource file for publisher Iomon was not found or could not be opened. resourceFileName: %Systemroot%\System32\drivers\iomon.sys
**** Warning: Publisher Iomon resources could not be found or are not accessible to the Local Service account.

As I understand, that means that some resources aren't compiled into the .sys file (maybe I'm wrong). I am doing everything step by step according to the tutorial https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/adding-event-tracing-to-kernel-mode-drivers . What should I do to fix this?
In your .man file you’ve specified two binaries:
- resourceFileName - contains the main compiled manifest resource
- messageFileName - contains localized string resource(s)
see: https://docs.microsoft.com/en-us/windows/desktop/WES/identifying-the-provider
When you compile the .man, MC creates the binary resources (.bin files) and a .rc (resource compiler) file:
https://docs.microsoft.com/en-us/windows/desktop/WES/message-compiler--mc-exe-
The .rc and .bin resources need to be compiled and linked to some PE file that can contain resources.
It can be the .sys file itself, or a separate resource-only DLL.
This is probably the step you’re missing.
Finally, run wevtutil to get all bits together. So simple and intuitive
– pa
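The full sequence described above, written out as an added example (not pa's or the original poster's own commands). It assumes the manifest is iomon_etw.man, the provider is named Iomon and the driver is iomon.sys; the output paths and the resource-only DLL name are made up for the example.

```bat
@echo off
rem Added example, not from the original thread. Assumes iomon_etw.man,
rem provider "Iomon" and driver iomon.sys; the output directory "res" and the
rem DLL name are assumptions. Run from a Visual Studio / WDK command prompt.
setlocal

rem 1. Compile the manifest. -km emits the kernel-mode EventWrite* macros into
rem    iomon_etw.h; -r puts iomon_etw.rc plus the .bin files into .\res.
mc.exe -km -h . -r res -z iomon_etw iomon_etw.man
if errorlevel 1 goto :fail

rem 2. Compile the generated .rc into a binary .res. The .rc names the
rem    MSG00001.bin (MESSAGETABLE) and TEMP.BIN (WEVT_TEMPLATE) files by
rem    relative path, so run rc from the directory that holds them.
pushd res
rc.exe /fo iomon_etw.res iomon_etw.rc
if errorlevel 1 (popd & goto :fail)
popd

rem 3a. Resources inside the driver: add res\iomon_etw.res to the driver's
rem     link line (adding iomon_etw.rc to the Visual Studio project does the
rem     same). The manifest then points resourceFileName and messageFileName
rem     at %SystemRoot%\System32\drivers\iomon.sys.
rem 3b. Resources in a separate resource-only DLL, which pa also mentions.
rem     The manifest must then name this DLL in both attributes instead.
link.exe /DLL /NOENTRY /MACHINE:X64 /OUT:iomon_etw_res.dll res\iomon_etw.res
if errorlevel 1 goto :fail

rem 4. Before installing, confirm the PE actually carries a resource section;
rem    the "resource file ... not found" warning means the file named in the
rem    manifest has none, or is not readable by the Local Service account.
dumpbin.exe /headers iomon_etw_res.dll | findstr /C:".rsrc"

rem 5. Register the manifest and read the publisher back to verify.
wevtutil.exe im iomon_etw.man
if errorlevel 1 goto :fail
wevtutil.exe gp Iomon
rem To unregister again: wevtutil.exe um iomon_etw.man
exit /b 0

:fail
echo build step failed, errorlevel %errorlevel%
exit /b 1
```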
Thank you!
I’ll try that
I have the same issue. I tried adding the resource file to the Visual Studio project, but I get a linking error, as I have another .rc file in the driver, which is the reason. So how can I add both the existing .mc along with this new .man?
CVTRES : fatal error CVT1100: duplicate resource. type:MESSAGETABLE, name:1, language:0x0409
LINK : fatal error LNK1123: failure during conversion to COFF: file invalid or corrupt
1.rc - this is from the manifest:
LANGUAGE 0x9,0x1
1 11 "rev_etw_evts_MSG00001.bin"
1 WEVT_TEMPLATE "rev_etw_evtsTEMP.BIN"
2.rc - existing one for WPP logs:
LANGUAGE 0x9,0x1
1 11 "drvlog_MSG00001.bin"
Please help here.