The DiskIO Class

Bedanto · November 30, 2012, 7:58am

All,

is there a way of getting the output of ETW based tracing features in the
kernel as well?

http://msdn.microsoft.com/en-us/library/aa363705(v=VS.85).aspx
http://msdn.microsoft.com/en-us/library/aa363703(v=VS.85).aspx

Thanks

B

Peter_Viscarola_OSR · November 30, 2012, 10:05am

Your question is all of one sentence long, which forces us all to guess at what you’re asking SPECIFICALLY. But, I’ll take a shot:

TraceView lets you collect/display this information. The TMF for (many) system tracing features has historically shipped in the \tools\tracing\ directory of the WDK.

Peter
OSR

Bedanto · November 30, 2012, 10:46am

sorry my bad,

i want to get the traces from the DiskIO event class in the kernel in my
own driver instead of the user land.
are the traces from DiskIO reliable? or is there a chance that some IO
ops could be missed?
assuming that some one takes a snap shot of a volume on the disk we are
tracing, some IO will be made on the snapshot volume by the VSS writers,
would those IOs also we tracked by ETW?
Assuming that #1 is not feasible, then is it possible that the traces
from DiskIO class in user land be continued across reboots *continously*
that is I need the continous logging even in the case of a system reboot,
that is IO while sgtdown and boot up is also captured.

On Fri, Nov 30, 2012 at 8:36 PM, wrote:

> Your question is all of one sentence long, which forces us all to guess at
> what you’re asking SPECIFICALLY. But, I’ll take a shot:
>
> TraceView lets you collect/display this information. The TMF for (many)
> system tracing features has historically shipped in the \tools\tracing<br>> directory of the WDK.
>
> Peter
> OSR
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Don_Burn · November 30, 2012, 10:50am

You can’t collect trace events in kernel space. You need to look at a
different approach, write your own disk filter for this.

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“Bedanto” wrote in message news:xxxxx@ntdev:

> sorry my bad,
>
> 1. i want to get the traces from the DiskIO event class in the kernel in my
> own driver instead of the user land.
>
> 2. are the traces from DiskIO reliable? or is there a chance that some IO
> ops could be missed?
>
> 3. assuming that some one takes a snap shot of a volume on the disk we are
> tracing, some IO will be made on the snapshot volume by the VSS writers,
> would those IOs also we tracked by ETW?
>
> 4. Assuming that #1 is not feasible, then is it possible that the traces
> from DiskIO class in user land be continued across reboots continously
> that is I need the continous logging even in the case of a system reboot,
> that is IO while sgtdown and boot up is also captured.
>
>
>
> On Fri, Nov 30, 2012 at 8:36 PM, wrote:
>
> > Your question is all of one sentence long, which forces us all to guess at
> > what you’re asking SPECIFICALLY. But, I’ll take a shot:
> >
> > TraceView lets you collect/display this information. The TMF for (many)
> > system tracing features has historically shipped in the \tools\tracing<br>> > directory of the WDK.
> >
> > Peter
> > OSR
> >
> >
> > —
> > NTDEV is sponsored by OSR
> >
> > For our schedule of WDF, WDM, debugging and other seminars visit:
> > http://www.osr.com/seminars
> >
> > To unsubscribe, visit the List Server section of OSR Online at
> > http://www.osronline.com/page.cfm?name=ListServer
> >

Peter_Viscarola_OSR · November 30, 2012, 10:54am

I know of no way to do that.
Yes. In my experience, they are very reliable. Would I stake my life on this? Not without a lot of testing, no.
The last time I looked, the trace points for disk I/O were in the Partition Manager. So, assuming that’s still the case and that I understand your questions, yes.
Well… no. Well… “IO while… but up is also captured”? You realize that some of that I/O is done in the PreBoot environment, via either BIOS calls our via UEFI. Windows really isn’t “there” yet so this I/O most certainly will not be logged by… anything other than a drive analyzer.

Now for my standard question: Perhaps we’d be able to help you more if you told us the overall goal you were trying to accomplish, rather than asking us about the feasibility of a solution that you’ve chosen to accomplish this overall goal. It is very possible that the solution you’ve chosen is not the best one. Thus, if you explain your overall goal, we will perhaps be able to suggest a better solution.

Peter
OSR

Bedanto · November 30, 2012, 11:28am

don, peter,

thanks for the answers. yes i realize that there is always some IO beyond
windows scxope, but that is okay, for all practical purposes i am only
interested in IO that windows vlumes see.

now to answer your qn, i am trying to figure out a way of tracking writes
on a volume/disk in an unconventional way, if there is any at all. we all
know of volume and disk filters who do this, we also know of etw traces in
user land that can do it, but i need to see if ETW can be used in the
kernel space. why? well, apparantly the logging will only start when a user
land service registers and starts the traces, but as i said i need IO when
the system goes down (or volume is unmounted) and at boot time when the
volume is mounted.

i am open to other solutuions as well id there are any other/better ones.

On Fri, Nov 30, 2012 at 9:24 PM, wrote:

> 1. I know of no way to do that.
>
> 2. Yes. In my experience, they are very reliable. Would I stake my life
> on this? Not without a lot of testing, no.
>
> 3. The last time I looked, the trace points for disk I/O were in the
> Partition Manager. So, assuming that’s still the case and that I
> understand your questions, yes.
>
> 4. Well… no. Well… “IO while… but up is also captured”? You
> realize that some of that I/O is done in the PreBoot environment, via
> either BIOS calls our via UEFI. Windows really isn’t “there” yet so this
> I/O most certainly will not be logged by… anything other than a drive
> analyzer.
>
> Now for my standard question: Perhaps we’d be able to help you more if
> you told us the overall goal you were trying to accomplish, rather than
> asking us about the feasibility of a solution that you’ve chosen to
> accomplish this overall goal. It is very possible that the solution you’ve
> chosen is not the best one. Thus, if you explain your overall goal, we
> will perhaps be able to suggest a better solution.
>
> Peter
> OSR
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Don_Burn · November 30, 2012, 11:43am

Why do you want an unconventional solution? There are a ton of
challenges in the OS (and Windows) world that don’t have a good
solution, this one does so why reinvent it?

Don Burn
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“Bedanto” wrote in message news:xxxxx@ntdev:

> don, peter,
>
> thanks for the answers. yes i realize that there is always some IO beyond
> windows scxope, but that is okay, for all practical purposes i am only
> interested in IO that windows vlumes see.
>
> now to answer your qn, i am trying to figure out a way of tracking writes
> on a volume/disk in an unconventional way, if there is any at all. we all
> know of volume and disk filters who do this, we also know of etw traces in
> user land that can do it, but i need to see if ETW can be used in the
> kernel space. why? well, apparantly the logging will only start when a user
> land service registers and starts the traces, but as i said i need IO when
> the system goes down (or volume is unmounted) and at boot time when the
> volume is mounted.
>
> i am open to other solutuions as well id there are any other/better ones.
>
> On Fri, Nov 30, 2012 at 9:24 PM, wrote:
>
> > 1. I know of no way to do that.
> >
> > 2. Yes. In my experience, they are very reliable. Would I stake my life
> > on this? Not without a lot of testing, no.
> >
> > 3. The last time I looked, the trace points for disk I/O were in the
> > Partition Manager. So, assuming that’s still the case and that I
> > understand your questions, yes.
> >
> > 4. Well… no. Well… “IO while… but up is also captured”? You
> > realize that some of that I/O is done in the PreBoot environment, via
> > either BIOS calls our via UEFI. Windows really isn’t “there” yet so this
> > I/O most certainly will not be logged by… anything other than a drive
> > analyzer.
> >
> > Now for my standard question: Perhaps we’d be able to help you more if
> > you told us the overall goal you were trying to accomplish, rather than
> > asking us about the feasibility of a solution that you’ve chosen to
> > accomplish this overall goal. It is very possible that the solution you’ve
> > chosen is not the best one. Thus, if you explain your overall goal, we
> > will perhaps be able to suggest a better solution.
> >
> > Peter
> > OSR
> >
> >
> > —
> > NTDEV is sponsored by OSR
> >
> > For our schedule of WDF, WDM, debugging and other seminars visit:
> > http://www.osr.com/seminars
> >
> > To unsubscribe, visit the List Server section of OSR Online at
> > http://www.osronline.com/page.cfm?name=ListServer
> >

Peter_Viscarola_OSR · November 30, 2012, 12:39pm

I don’t understand what you want to accomplish, so there’s no further help I can offer.

BTW, the “shift” key on your keyboard appears to be broken. You might want to swap keyboards… in my experience, a broken shift key makes it hard to make use of input parameters to a function.

Peter
OSR