To get logs in kernel driver, is file writing is the good choice?

Hi,
I am developing display driver. I wanted to add logs in driver so that it
will get to know if any thing went wrong in release mode of driver. I am
planning for file writing. Is there any better way than this? If yes, please
let me know.

As file writing is the only option that I know, I am planning to use
ZwCreateFile(),ZwWriteFile()… APIs but I am confused between
CreateFile() and ZwCreateFile(), because I want to log function calls in the
.DLL not in .SYS.

May be my doubt is very basic but please help me to get it cleared.

/sarbojit

Are you saying that you want to do the logging in user mode?

mm

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Sarbojit Sarkar
Sent: Thursday, August 19, 2010 6:25 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] To get logs in kernel driver, is file writing is the good
choice?

Hi,

I am developing display driver. I wanted to add logs in driver so that it
will get to know if any thing went wrong in release mode of driver. I am
planning for file writing. Is there any better way than this? If yes, please
let me know.

As file writing is the only option that I know, I am planning to use
ZwCreateFile(),ZwWriteFile()… APIs but I am confused between
CreateFile() and ZwCreateFile(), because I want to log function calls in the
.DLL not in .SYS.

May be my doubt is very basic but please help me to get it cleared.

/sarbojit

— NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and
other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the
List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

DbgPrint(Ex)/KdPrint(Ex)

No, my kernel mode driver is having two parts one .sys and another .dll. I
wanted to have logs for all function available in .dll library.

On Thu, Aug 19, 2010 at 5:33 PM, M. M. O’Brien <
xxxxx@gmail.com> wrote:

Are you saying that you want to do the logging in user mode?

mm


@changpei1982,

DbgPrint(Ex)/KdPrint(Ex) to get print in debugger, will it write into file
as well? I am looking for logging options into a file in case of free
version of driver. So that if any problem occur I will get to know with the
log only.

/sarbojit

On Thu, Aug 19, 2010 at 5:45 PM, Sarbojit Sarkar wrote:

> No, my kernel mode driver is having two parts one .sys and another .dll. I
> wanted to have logs for all function available in .dll library.

On 19/08/2010 11:24, Sarbojit Sarkar wrote:

Hi,
I am developing display driver. I wanted to add logs in driver so
that it will get to know if any thing went wrong in release mode of
driver. I am planning for file writing. Is there any better way than
this? If yes, please let me know.

  • System debugging: DbgPrint.
  • Performance debug: ETW Event tracing.
  • Hardware error monitoring / customer failure reporting: Write to
    Windows Event Log.

MH.

They can’t write logs to files with them. Return to ZwCreateFile/ZwWriteFile.
But you can add some special prefix to log string when using DbgPrint/KdPrint(Ex), and then use filter function to list only these logs (in such as dbgview, and then save them as a file).


OK. Then I’m confused why you’re confused between CreateFile() and
ZwCreateFile() - one’s user mode and the other’s kernel mode.

mm


No, they won’t.

mm

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Sarbojit Sarkar
Sent: Thursday, August 19, 2010 8:34 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] To get logs in kernel driver, is file writing is the
good choice?

@changpei1982,

DbgPrint(Ex)/KdPrint(Ex) to get print in debugger, will it write into file
as well? I am looking for logging options into a file in case of free
version of driver. So that if any problem occur I will get to know with the
log only.

/sarbojit


@M.M.
I was confused because both are not working for me. It seems I might have
missed something.

Anyways thanks for response.

On Thu, Aug 19, 2010 at 6:10 PM, M. M. O’Brien <
xxxxx@gmail.com> wrote:

No, they won’t.

mm


Sarbojit Sarkar wrote:

Hi,
I am developing display driver. I wanted to add logs in driver so
that it will get to know if any thing went wrong in release mode of
driver. I am planning for file writing. Is there any better way than
this? If yes, please let me know.

As file writing is the only option that I know, I am planning to use
ZwCreateFile(),ZwWriteFile()… APIs but I am confused between
CreateFile() and ZwCreateFile(), because I want to log function calls
in the .DLL not in .SYS.

Are you writing an XPDM driver or a WDDM driver?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Have you considered writing to the event log?

Gary G. Little

H (952) 223-1349

C (952) 454-4629

xxxxx@comcast.net

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Sarbojit Sarkar
Sent: Thursday, August 19, 2010 7:58 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] To get logs in kernel driver, is file writing is the
good choice?

@M.M.

I was confused because both are not working for me. It seems I might have
missed something.

Anyways thanks for response.


First, what do you plan to write? For example, if you want to write
information about why your driver has failed to do something, and it is not
something that will write tons of data, the event log is probably the place
to put it. If you need to enable debug output, you need to look into WPP
reporting. The first method deals with trying to help tech support for some
serious error that happens infrequently. If there is lots of output,
overloading the event log is considered antisocial, and WPP is a better
solution. Otherwise, you can “roll your own” using ZwCreateFile and
friends, but the problem there is that you can only call these from a
passive thread (you can do event logging from DPC level) so you have to use
a driver thread or the worker thread pool to get a thread that can actually
write to files. The last I looked, reliable logging required the sequence
open-file, append-log-entry, close-file, otherwise after a BSOD you don’t
know what is in the file (you still can’t be sure you haven’t lost the last
log entry or six, but your uncertainty is lower if you use the
open/append/close sequence, which can be very inefficient). If you use the
event log, it is useful to learn how to use the message compiler (mc) to
create your log messages.
joe



WPP/ETW

or

Windows System log


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com


>is lots of output, overloading the event log is considered antisocial,

With Vista+ - not so bad.

a) OS itself writes a lot there
b) there is good filtering


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

For event logging in a production driver, I’d recommend ETW tracing. One
major advantage of ETW tracing is you can enable a variety of different ETW
event providers and get unified timing across all the providers. It helps
debugging in end user environments to see selectable other trace data along
with the data from your driver. Your text log file will only have events for
your driver.

ETW event writes can also happen at higher IRQL levels. You will have to
write to memory buffers and then have a worker thread that flushes them out
to a disk file if you do this yourself. Look at the IRQL limitations on the
file write APIs.

ETW data is also structured, which when you generate large logs becomes
important for analysis. Looking at a gigabyte text log is not much fun, but
loading the ETW events into a database, and filtering them based on event
patterns or time is doable.

People doing OS support also know how to create ETW logs, and will not
instantly know how to deal with your custom logs.

ETW logs also store the raw data, so don’t have the performance overhead of
printf style formatting generally used for text logs. This can make a big
difference if you’re debugging performance issues.

There is a tool in the Windows SDK for making ETW manifest files. I believe
there are samples of ETW driver tracing in the WDK. Making ETW tracing takes
a little extra time upfront, like a day of development fiddling, but then
gives benefits afterwards. It would be nice if the WDK just came with
precreated ETW tracing files that allowed you to output text strings, so the
initial time to use it would be almost nothing to get a “hello world” trace
event.

There are a number of viewers for ETW trace files, I’ve been using Microsoft
Network Monitor 3.4 recently, because I’ve been debugging networks and it’s
very handy to have trace events interleaved with network packets, which are
decoded by Network Monitor. Anybody know where I can find the ETW Ethernet
packet record definitions, so I can make my device spit out ETW packet
events that Network Monitor will decode? I actually LOVE to be able to spit
out ETW packet events with extra meta data (like the packet OOB data).

I suppose a downside of ETW tracing is I think it’s not (or is poorly)
supported in pre Vista OS’s.

Jan
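
The buffering pattern from the two replies above (joe's open/append/close sequence and Jan's memory buffer drained by a worker thread), modelled in portable user-mode C as an added example that is not part of the thread. The function names, ring size and file name are assumptions; a driver would replace the stdio calls with ZwCreateFile/ZwWriteFile/ZwClose issued at PASSIVE_LEVEL.

```c
/* User-mode model of buffered driver logging; added example, not kernel code.
 * In a driver, log_put() is the part that may run at raised IRQL, and
 * log_flush() is the PASSIVE_LEVEL worker that would call ZwCreateFile (append
 * access), ZwWriteFile and ZwClose instead of stdio. All names are hypothetical. */
#include <stdio.h>

#define LOG_SLOTS 8u     /* ring capacity (constructed); power of two so wrap is safe */
#define LOG_MSG   64     /* bytes per record, including the terminating NUL */

struct log_ring {
    char     slot[LOG_SLOTS][LOG_MSG];
    unsigned head;       /* total records queued by producers */
    unsigned tail;       /* total records written out by the worker */
    unsigned dropped;    /* records lost because the ring was full */
};

/* Producer side: bounded copy only; no file I/O, no allocation, no waiting.
 * A real driver would protect head/tail with a spin lock or interlocked ops.
 * Returns 1 if the record was queued, 0 if it was dropped. */
int log_put(struct log_ring *r, const char *msg)
{
    if (r->head - r->tail == LOG_SLOTS) {   /* full: count the loss, never block */
        r->dropped++;
        return 0;
    }
    snprintf(r->slot[r->head % LOG_SLOTS], LOG_MSG, "%s", msg);  /* truncates */
    r->head++;
    return 1;
}

/* Worker side: one open / append / close cycle per pass, so the file is closed
 * between passes and a crash can only lose what is still in memory.
 * Returns the number of records written, or -1 if the open or the close
 * failed (on open failure the records stay queued for the next pass). */
int log_flush(struct log_ring *r, const char *path)
{
    int written = 0;
    FILE *f;
    if (r->head == r->tail && r->dropped == 0)
        return 0;                           /* nothing to do: do not touch the file */
    f = fopen(path, "a");
    if (f == NULL)
        return -1;
    while (r->tail != r->head) {
        fprintf(f, "%s\n", r->slot[r->tail % LOG_SLOTS]);
        r->tail++;
        written++;
    }
    if (r->dropped != 0) {                  /* make gaps visible to whoever reads the log */
        fprintf(f, "[logger] %u record(s) dropped\n", r->dropped);
        r->dropped = 0;
    }
    return fclose(f) == 0 ? written : -1;
}

/* Helper for the demo: number of lines in the log file, -1 if unreadable. */
int log_count_lines(const char *path)
{
    FILE *f = fopen(path, "r");
    int c, lines = 0;
    if (f == NULL) return -1;
    while ((c = fgetc(f)) != EOF)
        if (c == '\n') lines++;
    fclose(f);
    return lines;
}

int main(void)
{
    static struct log_ring ring;            /* static storage: zero-initialised */
    const char *path = "model_driver.log";  /* constructed file name */
    char msg[LOG_MSG];
    int i, flushed;
    remove(path);
    for (i = 0; i < 10; i++) {              /* 10 events into 8 slots: 2 are dropped */
        snprintf(msg, sizeof msg, "event %d", i);
        log_put(&ring, msg);
    }
    flushed = log_flush(&ring, path);
    printf("flushed %d records, file has %d lines\n", flushed, log_count_lines(path));
    return 0;
}
```

The dropped-record marker matters for anyone relying on the file after a failure: without it, a full ring looks the same as a quiet driver.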
