RegisterTraceGuids parameter's doubts

Hi All,

I’ve been using WPP / ETW for a while now, and I do enjoy its conjunct
capabilities. Though I think that the biggest problem of WPP is the lack of
documentation (please point me in the right direction if I’m wrong) and this
remark somewhat applies to ETW.

So for some time I “discovered” that for WPP I can #define
WPP_MOF_RESOURCENAME with a value that will end up on the MofResourceName
parameter of RegisterTraceGuids.

Though after reading the documentation regarding the MofResourceName
parameter of RegisterTraceGuids I’m still not quite sure of what it’s
expecting as a parameter and what’s the effect if I pass in the correct
parameter.

Can anyone clear these issues up for me?

Regards
Cláudio Albuquerque

In user mode internally WPP calls RegisterTraceGuids which takes MofImagePath and MofResourceName.

It is documented as not supported starting from Server 2003. On Vista we actually stopped supporting it. The reason is that RegisterTraceGuids was bypassing the security check for registering MOF, which was a vulnerability.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Cláudio Albuquerque
Sent: Tuesday, May 29, 2007 12:29 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] RegisterTraceGuids parameter’s doubts

Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Hi Jose, thanks for your reply.

We have chosen to migrate from our tracing implementation to WPP due to its
merits. But with the advent of the new tracing APIs in Vista some questions
arise. Since you are the one person that keeps answering questions regarding
WPP/ETW could you, if possible, answer some or all of the following
questions regarding the future of WPP/ETW:

  • With the new ETW APIs, where does the future of WPP stand?
  • I had to hack my way around TPL files to get WPP working with a C++
    user-mode application so we can standardize usage of tracing technologies.
    Is WPP eventually going to evolve into a “complete” technology (have
    documentation on MSDN,…) or will it continue to be a “marginal”
    technology?
  • In the Vista SDK there is a tracewpp.exe application but the TPL files and
    INI files are missing, why?

PS: By the way, is there another newsgroup that you know of that could help
me with my battle against sysmonlog (Computer Management->Trace Logs) and it
not capturing my event logs?

Thanks for your time
Cláudio Albuquerque

Hi Claudio, sure I keep answering because I take care of WPP. It’s great that you are moving to WPP/ETW.

There is plenty of documentation for WPP in MSDN and in this archive. It supports user mode and kernel mode for drivers.

I will try to answer this as best as I can.

1. WPP is for software tracing, normally to figure out what is happening in your application, and the logs are targeted to the developer, not to users. WPP uses the legacy API, and we will continue to support, maintain and improve WPP.

Now for customer-facing events, events that will be processed by tools, and so on, you should use the new ETW API because of all the features it includes.

In the future you should expect a tool that, given a manifest, will generate the required code for logging the events; this is part of our efforts to simplify usage. Currently there is a tool that generates the manifest, mangen.exe; this is the first version and we are working on improving it to simplify and make it easier for devs to define the events.

2. So what did you have to change on the templates?
You should install the WDK and use the Vista templates for WPP. Also take a look at the driver sample distributed with the WDK; it shows new features, which you can use in user mode.

3. I was not aware of templates not shipping with the SDK. Can you tell me what version you installed, to follow up on that? But you can always install the WDK and use the templates from there.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Cláudio Albuquerque
Sent: Wednesday, May 30, 2007 1:27 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] RegisterTraceGuids parameter’s doubts

Hi Jose, that’s great to finally know who to direct my question regarding
WPP :-), do you have a technical blog?

  1. Thanks for the insight.

  2. Well we did 3 “major” changes that I will list in order of importance:

  • One of the alterations was regarding the difficulty compiling WPP with
    our user mode framework that makes use of heavy template classes. Since they
    are all .h files and it being very important to instrument since it’s
    reused in all of our C++ projects, I was getting redefinitions with the
    “WPP_INLINE void WPP_SF_i.Name…” functions. So I just put all of the
    definitions into a namespace.
  • Additionally we added support to “log ETW events through WPP”. So now we
    use the trace session created by WPP to log our own ETW events.
  • Finally, to force everyone to use the same trace definitions we just
    removed all of the control.tpl code and put it in a #include of our framework
    where you only state the GUID.

  3. The directory of the SDK is …\Microsoft SDKs\Windows\v6.0. I’ve looked
    at the release notes and did not see anything regarding the SDK version.
    Thanks, I was already thinking of getting the latest version of the WDK, but
    if you mentioned that WPP has new features and since we are starting with
    WPP, now I will surely get it.

Thanks, Kind Regards
Cláudio Albuquerque

Yes please install and use the Vista WDK templates.

You can have tracing in the header files, no problem. -ext and -preserveext are your options; make sure they are the first parameter to WPP.
Also take a look at the PRE/POST macros for defining your events.
Pre- and post-logging macros define WPP_LEVEL_PRE(level) and WPP_LEVEL_POST(level) macros, which are user code that becomes part of the tracing function’s expansion. Customers can use this for any on-the-fly setup or cleanup around trace points.
The WDK driver sample shows a sample of this.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Cláudio Albuquerque
Sent: Friday, June 01, 2007 5:26 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] RegisterTraceGuids parameter’s doubts
