Search available logs in a kernel crash dump

Say, if I’m working with a full kernel memory dump in WinDbg, and then want to see which logging options were included in the dump by running:


It spits out a long list of logger IDs and their short names, which are not very user-friendly.

Is there a way to search through all of the included logs for containing a certain string?

PS. Sometimes all I have is a logging string that I take from an Assembly code, but I may not be sure which logger was used there.

Short answer: No, you’d have to manually run !wmitrace.logdump on each logger ID and search the output.

Long answer: Those are all ETW and WPP loggers, so the metadata describing the event (including strings) isn't actually logged. You need to match them up with the corresponding manifest file (ETW) or TMF (WPP) to interpret the events. !wmitrace.logdump will automatically do this for you for providers it knows about (e.g. EventLog-System). For custom providers you need to provide the manifest or TMF yourself and use !wmitrace.searchpath and/or !wmitrace.manpath to see the logs.
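The "run !wmitrace.logdump on each logger ID and search the output" loop from the answer above is easy to script. The following is an added example, not code from the question or answer: it drives cdb.exe (the console WinDbg) from Python, parses the logger list out of !wmitrace.strdump, emits one delimited !wmitrace.logdump per logger in a single debugger session, and then searches the combined output for a string. It assumes cdb.exe is on PATH, that strdump prints each logger as `Logger Id 0x.. @ 0x.. Named '...'` (the regex is the assumption to adjust if your build prints differently), and that events logdump cannot decode carry the text "No Format Information found" (also an assumption, used only as a hint that the TMF or manifest for that provider was not on the search path). The sample outputs embedded below are constructed for the offline demo.

```python
"""Search every ETW/WPP logger in a kernel dump for a string by driving cdb.exe.
Added example; output formats below are assumptions, not documented guarantees."""
import re
import subprocess
import sys

# Assumed shape of one !wmitrace.strdump line: Logger Id 0x05 @ 0x... Named 'EventLog-System'
STRDUMP_RE = re.compile(
    r"Logger Id\s+(0x[0-9A-Fa-f]+)\s+@\s+0x[0-9A-Fa-f]+\s+Named\s+'([^']*)'"
)
MARKER = "===LOGGER {}==="  # printed with .echo so the combined output splits per logger
MARKER_RE = re.compile(r"===LOGGER (0x[0-9A-Fa-f]+)===")
NO_FORMAT = "No Format Information found"  # assumed text for events with no TMF/manifest match

# Constructed sample outputs so the script can be exercised without a dump.
SAMPLE_STRDUMP = """(WMI) LoggerContext Array @ 0xfffff80012345000 [64 Elements]
Logger Id 0x02 @ 0xffffd0001a2b3000 Named 'Circular Kernel Context Logger'
Logger Id 0x05 @ 0xffffd0001a2b8000 Named 'EventLog-System'
Logger Id 0x07 @ 0xffffd0001a2c1000 Named 'Contoso-Driver-Trace'
"""
SAMPLE_LOGDUMP = """===LOGGER 0x02===
[0]0004.0008::01/01/2020-00:00:01.000 [Circular Kernel Context Logger] event 1
===LOGGER 0x05===
[0]0004.0008::01/01/2020-00:00:02.000 [EventLog-System] Driver init failed: status 0xC000000D
===LOGGER 0x07===
Unknown( 10): GUID=11111111-2222-3333-4444-555555555555 (No Format Information found).
Unknown( 11): GUID=11111111-2222-3333-4444-555555555555 (No Format Information found).
"""


def parse_strdump(text):
    """Return {logger_id_hex: name} from !wmitrace.strdump output."""
    return {m.group(1).lower(): m.group(2) for m in STRDUMP_RE.finditer(text)}


def build_logdump_script(logger_ids, searchpath=None):
    """One cdb -c string: optional TMF/manifest search path, then a marker and a
    !wmitrace.logdump for every logger, then q to quit the debugger."""
    cmds = [f"!wmitrace.searchpath {searchpath}"] if searchpath else []
    for lid in logger_ids:
        cmds.append(f".echo {MARKER.format(lid)}")
        cmds.append(f"!wmitrace.logdump {lid}")
    cmds.append("q")
    return "; ".join(cmds)


def split_by_logger(text):
    """Split combined logdump output into {logger_id: [lines]} using the .echo markers."""
    sections, current = {}, None
    for line in text.splitlines():
        m = MARKER_RE.fullmatch(line.strip())
        if m:
            current = m.group(1).lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def search_logs(text, needle):
    """[(logger_id, line)] for every decoded line containing needle, case-insensitively."""
    needle = needle.lower()
    return [(lid, ln) for lid, lines in split_by_logger(text).items()
            for ln in lines if needle in ln.lower()]


def unformatted_counts(text):
    """Per logger, how many events logdump could not decode; a non-zero count means
    the TMF/manifest for that provider was probably not found on the search path."""
    return {lid: sum(NO_FORMAT in ln for ln in lines)
            for lid, lines in split_by_logger(text).items()}


def run_cdb(dump, command, cdb="cdb.exe", sympath=None):
    """Open the dump with -z, run command via -c, return the debugger's stdout."""
    args = [cdb, "-z", dump] + (["-y", sympath] if sympath else []) + ["-c", command]
    return subprocess.run(args, capture_output=True, text=True, check=False).stdout


def demo():
    """Offline run over the constructed samples; returns the results for checking."""
    loggers = parse_strdump(SAMPLE_STRDUMP)
    return loggers, search_logs(SAMPLE_LOGDUMP, "driver init"), unformatted_counts(SAMPLE_LOGDUMP)


def main(argv):
    if len(argv) < 3:  # no dump given: show what the parsing does on the samples
        print(f"usage: {argv[0]} <dump.dmp> <string> [tmf-or-manifest-dir]; running demo")
        print(demo())
        return 0
    dump, needle = argv[1], argv[2]
    searchpath = argv[3] if len(argv) > 3 else None
    loggers = parse_strdump(run_cdb(dump, "!wmitrace.strdump; q"))
    out = run_cdb(dump, build_logdump_script(loggers, searchpath))
    for lid, n in unformatted_counts(out).items():
        if n:
            print(f"[!] logger {lid} ({loggers.get(lid)}): {n} events without format info")
    for lid, line in search_logs(out, needle):
        print(f"{lid} ({loggers.get(lid)}): {line}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it as `python wmisearch.py MEMORY.DMP "init failed" C:\tmf` reopens the dump twice (once to list loggers, once to dump them all), which is still far cheaper than reopening per logger. The per-logger "events without format info" line is the practical check for the answer's point: if the string you lifted from the disassembly never shows up but one logger reports many undecoded events, that logger's TMF or manifest is missing from the search path rather than the event being absent from the dump.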