Trouble writing to Windows' System Log

Hello,

I’m adding code to my driver to allow writing to the system log. I’ve been able to get a custom error code defined in a ‘mc’ file to display more-or-less correctly. I’m seeing two issues however.
The first is that each log entry has 28 bytes of data dump attached to it, even though I’m setting the DataDumpSize value in IO_ERROR_LOG_PACKET to zero.
The other problem is that I can’t get standard NTSTATUS errors to log correctly. The log entry description says “The description for Event ID (x) in Source (x) cannot be found.” I’ve added IoLogMsg.dll to the EventMessageFile registry setting. I don’t know what else I need to do.
Any suggestions regarding either of these issues would be welcome. If more details are needed just ask.

Thanks in advance!

Josh

Post your code and inf which writes the reg values

d

Sent from my phone with no t9, all spilling mistakes are not intentional.

-----Original Message-----
From: xxxxx@rtd.com
Sent: Monday, April 06, 2009 10:31 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Trouble writing to Windows’ System Log

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Thanks Doron,

Here’s the inf section used to register the driver:

[RTDGPD_Event_Log_Inst]
AddReg = RTDGPD_Event_Log_AddReg

[RTDGPD_Event_Log_AddReg]
HKR,EventMessageFile,0x00020000,"%%SystemRoot%%\System32\IoLogMsg.dll;%%SystemRoot%%\System32\drivers\RTDGPD.sys"
HKR,TypesSupported,0x00010001,7

Here is the function I’m using to log the message. Note: I’ve removed error checking for brevity and the error log packet is filled with static values for testing purposes.

VOID RTDGPD_Log_ToSystemLog(RTDGPD_Device_Extension* DevExt,
                            RTDGPD_Log_Type Type,
                            PCHAR Filename,
                            ULONG Line,
                            PCHAR Function,
                            PCHAR Message)
{
    IO_ERROR_LOG_PACKET* packet;
    PVOID device_obj;

    // Get the device object needed to create the log entry
    device_obj = (PVOID)WdfDeviceWdmGetDeviceObject(DevExt->wdf_device);

    // Allocate space for the log entry structure
    // (returns NULL on failure; that check is among those removed for brevity)
    packet = (IO_ERROR_LOG_PACKET*)IoAllocateErrorLogEntry(
        device_obj,
        sizeof(IO_ERROR_LOG_PACKET));

    // Zero the packet so the fields not set below (UniqueErrorValue,
    // FinalStatus, SequenceNumber, IoControlCode, DeviceOffset) have defined values
    RtlZeroMemory(packet, sizeof(IO_ERROR_LOG_PACKET));

    // Fill in the log entry structure
    packet->MajorFunctionCode = 0;
    packet->RetryCount = 0;
    packet->DumpDataSize = 0;
    packet->NumberOfStrings = 0;
    packet->StringOffset = 0;
    packet->EventCategory = 0;
    packet->ErrorCode = STATUS_CRC_ERROR;

    // Write the log entry, which also frees the allocated entry structure
    IoWriteErrorLogEntry((PVOID)packet);
}

Thanks again,

Josh

wrote in message news:xxxxx@ntdev…
> Hello,
>
> I’m adding code to my driver to allow writing to the system log. I’ve
> been able to get a custom error code defined in a ‘mc’ file to display
> more-or-less correctly. I’m seeing two issues however.
> The first is that each log entry has 28 bytes of data dump attached to
> it, even though I’m setting the DataDumpSize value in IO_ERROR_LOG_PACKET
> to zero.

This may be the packet header, not a dump (does the error code appear
there?)

> The other problem is that I can’t get standard NTSTATUS errors to log
> correctly. The log entry description says “The description for Event ID
> (x) in Source (x) cannot be found.” I’ve added IoLogMsg.dll to the
> EventMessageFile registry setting. I don’t know what else I need to do.

Not every NTSTATUS value is defined in the iologmsg.dll
(STATUS_CRC_ERROR should be)

Regards,
–pa

Pavel,

I think you’re right about the dump data. It looks like it is the error log packet. Is the packet header always displayed? Can I turn it off somehow?

Also, I checked iologmsg.dll using the strings utility from sysinternals. I haven’t been able to find any strings in it which correspond to error messages in ntstatus.h. Any ideas there?

Thanks,

Josh

> Also, I checked iologmsg.dll using the strings utility from sysinternals. I haven’t been able to find any strings in it which correspond to error messages in ntstatus.h.

Open it with Visual Studio and see its resources.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

On vista and later there will be no localized resources in the binary itself, it will have a MUI file which will contain them

d

Sent from my phone with no t9, all spilling mistakes are not intentional.

-----Original Message-----
From: Maxim S. Shatskih
Sent: Tuesday, April 07, 2009 7:21 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Trouble writing to Windows’ System Log


I’m testing this under xp sp3, so that’s not an issue. BTW, I’m using WDK6000 and building the driver as 2K/free.

Also, I opened iologmsg.dll, as suggested by Maxim, and saw the same messages.

Josh

xxxxx@rtd.com wrote:

> Pavel,
>
> I think you’re right about the dump data. It looks like it is the error log packet. Is the packet header always displayed? Can I turn it off somehow?

I couldn’t find how to turn it off for kernel side API
(IoWriteErrorLogEntry), but haven’t tried too hard.

regards,

--pa

Regarding the dump data that is always shown, I’ve found a post from Maxim (http://www.tech-archive.net/Archive/Development/microsoft.public.development.device.drivers/2004-09/0867.html) saying that this can’t be turned off. Maxim, any comment?

Josh

> I couldn’t find how to turn it off for kernel side API (IoWriteErrorLogEntry), but haven’t tried too hard.

I never ever managed to turn it off, probably this is impossible.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

>saying that this can’t be turned off. Maxim, any comment?

I can only repeat this - I never managed to turn these 24 extra bytes (before your payload) off.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

> On vista and later there will be no localized resources in the binary itself, it will have a MUI file which will contain them

Yes, but English ones are in the binary.

Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
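
Added example, not part of the thread or any poster's code: inspecting a message DLL's resources, as suggested above, comes down to reading its RT_MESSAGETABLE resource, and the "description ... cannot be found" text is what the viewer shows when the ID lookup fails. This user-mode C program performs that lookup with bounds checks over a constructed table; the sample IDs and texts are made up, and 0xC000003F is the value of STATUS_CRC_ERROR.

```c
#include <stdint.h>
#include <stdio.h>

/* Bounds-checked little-endian read of w bytes; returns 0 on overrun. */
static int rd(const uint8_t *b, size_t n, size_t off, unsigned w, uint32_t *v) {
    if (off > n || n - off < w) return 0;
    for (*v = 0; w-- > 0;) *v = *v << 8 | b[off + w];
    return 1;
}

/* Look up message `id` in an RT_MESSAGETABLE resource: a DWORD block count,
 * then {LowId, HighId, OffsetToEntries} blocks, then one {Length, Flags, Text}
 * entry per ID in each block's range. Returns the entry text (Flags bit 0
 * set means UTF-16, else ANSI), or NULL if no block covers `id` or the
 * data is malformed. */
const uint8_t *find_message(const uint8_t *b, size_t n, uint32_t id, uint32_t *flags) {
    uint32_t nblocks, lo, hi, off, len;
    if (!rd(b, n, 0, 4, &nblocks)) return NULL;
    for (uint32_t i = 0; i < nblocks; i++) {
        size_t blk = 4 + (size_t)i * 12;
        if (!rd(b, n, blk, 4, &lo) || !rd(b, n, blk + 4, 4, &hi) ||
            !rd(b, n, blk + 8, 4, &off)) return NULL;
        if (id < lo || id > hi) continue;           /* not in this block */
        size_t pos = off;
        for (uint32_t cur = lo;; cur++) {           /* walk entries up to id */
            if (!rd(b, n, pos, 2, &len) || !rd(b, n, pos + 2, 2, flags)) return NULL;
            if (len < 4 || len > n - pos) return NULL;   /* malformed entry */
            if (cur == id) return b + pos + 4;
            pos += len;
        }
    }
    return NULL;  /* the "description ... cannot be found" case */
}

/* Constructed sample table (not from any real DLL), IDs 0xC0040001..2, ANSI. */
static const uint8_t SAMPLE[] = {
    1,0,0,0,  0x01,0x00,0x04,0xC0,  0x02,0x00,0x04,0xC0,  16,0,0,0,
    12,0, 0,0, 'R','e','s','e','t','\r','\n',0,
    16,0, 0,0, 'F','I','F','O',' ','f','u','l','l','\r','\n',0,
};

int main(void) {
    uint32_t flags;
    const uint8_t *hit = find_message(SAMPLE, sizeof SAMPLE, 0xC0040002u, &flags);
    const uint8_t *miss = find_message(SAMPLE, sizeof SAMPLE, 0xC000003Fu, &flags);
    printf("0xC0040002 -> %s", hit ? (const char *)hit : "(not found)\n");
    printf("0xC000003F -> %s", miss ? (const char *)miss : "(not found)\n");
    return 0;
}
```

The lookup uses the full 32-bit ID, so an ID whose value falls outside every block's LowId..HighId range has no description in that file.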