USB trace information

Hi there,

I’m trying to hunt down a USB problem on Win7 which I suspect is either in the USB stack or in the USB device itself.

In order to see what’s going on at usb stack level, I saw with logman that there are 2 trace providers available for USB:
Microsoft-Windows-USB-USBHUB and Microsoft-Windows-USB-USBPORT.

So I set up a trace session with these 2 providers and managed to reproduce the problem. Now I have a 20MB etl file but I’m unable to decode it with TraceView since I’m lacking the tmf files to symbolize them. I tried to extract the tmf files from the usbport.sys and usbhub.sys pdb files as well, but they don’t contain trace information (says tracepdb)

What am I missing here ?

Thanks,

Filip-

You are missing the parts of ETW that render it usable, as are many
people. A trace facility tied to secret decoder rings is not a great
idea. The issue of missing tmf files and the consequent fragility of
ETW has been raised at every winhec and ddc since its introduction as
the recommended tracing mechanism for kernel components.

Mark Roddy

On Fri, Jul 17, 2009 at 4:47 AM, wrote:
> Hi there,
>
> I’m trying to hunt down a USB problem on Win7 which I suspect is either in the USB stack or in the USB device itself.
>
> In order to see what’s going on at usb stack level, I saw with logman that there are 2 trace providers available for USB:
> Microsoft-Windows-USB-USBHUB and Microsoft-Windows-USB-USBPORT.
>
> So I set up a trace session with these 2 providers and managed to reproduce the problem. Now I have a 20MB etl file but I’m unable to decode it with TraceView since I’m lacking the tmf files to symbolize them. I tried to extract the tmf files from the usbport.sys and usbhub.sys pdb files as well, but they don’t contain trace information (says tracepdb)
>
> What am I missing here ?
>
> Thanks,
>
> Filip-
>

That is very unfortunate. Is there any way at all to get hold of them ?

“any way AT ALL” (emphasis mine)?

Certainly. If you work for Microsoft, or otherwise have either a Windows source code enlistment or full set of build outputs handy, you either build them yourself or grab them out of the appropriate directory.

For us community members… not really.

Peter
OSR

As Mark and Peter said, it is a feature, not a bug. An absurd feature, of
course. If only they at least didn't strip this info from PDBs when they
invented something so complicated…

Well, if you’re sure the problem is in the USB stack, open a PSS case. Then
you can send traces to MS support and they should be able to decode
them.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@option.com
Sent: Friday, July 17, 2009 10:48 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] USB trace information

Hi there,

I’m trying to hunt down a USB problem on Win7 which I suspect
is either in the USB stack or in the USB device itself.

In order to see what’s going on at usb stack level, I saw
with logman that there are 2 trace providers available for USB:
Microsoft-Windows-USB-USBHUB and Microsoft-Windows-USB-USBPORT.

So I set up a trace session with these 2 providers and
managed to reproduce the problem. Now I have a 20MB etl file
but I’m unable to decode it with TraceView since I’m lacking
the tmf files to symbolize them. I tried to extract the tmf
files from the usbport.sys and usbhub.sys pdb files as well,
but they don’t contain trace information (says tracepdb)

What am I missing here ?

Thanks,

Filip-



You don’t need tmf files to view the USB ETW traces and you don’t use TraceView. The ETW event manifests are compiled into the USBPORT.SYS and USBHUB.SYS binaries and the manifests can be extracted and used by xperf to decode the traces.

You can use “xperf -i usb.etl -o usb.txt” to decode the trace into a text file, or use “xperf usb.etl” to view the trace using the GUI.

The USB ETW event descriptions are not public yet. It is not that they are “undocumented”, it is just that the documents are not completed for publication yet.

-Glen

Here’s an example of a couple of Windows 7 USB ETW events as decoded by xperf.

Each event is designed to be fairly self-contained and as a result each event contains a large number of data fields.

The two events below show when USBPORT receives a URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER and then subsequently completes it.

Each event has the standard timestamp, event provider, task, and opcode. The USBPORT specific data for these example events includes identifying information on the host controller (VEN_1002&DEV_4397), which device (VID_0693&PID_003) and where the device is attached (root hub port 3), which endpoint (Bulk IN 0x81), and the contents of the URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER URB. Also the completion event contains up to the first 0x20 bytes of the IN transfer buffer.

6.796381927, Microsoft-Windows-USB-USBPORT, URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER , Dispatch ,
{0xfffffa80081d3050; 0x00000000; 0x0012; 0x0000; 0x1002; 0x4397},
{0xfffffa80088dea00; 0x0693; 0x0003; 1; [3 : 0 : 0 : 0 : 0 : 0]; 1; 1},
{0xfffffa8007667d20; 0xfffffa80088de848; 0xfffffa80088dea00},
{0x07; 0x05; 0x81; 0x02; 0x0040; 0x00}, 0xfffffa80076a4c60, 0xfffffa800766aaf8,
{0x0080; 0x0009; 0x00000000; 0xfffffa80088dea00; 0x0000000000000022; 0xfffffa80088de848; 0x00000001; 0x0000000d; 0xfffffa800766ab98; 0xfffffa800a21fa70; 0x0000000000000000; [0xfffffa800a2f1410 : 0xdeadf00ddeadf00d : 0x0000000000000000 : 0x0000000000000000 : 0x0000000000000000 : 0x0000000000000000 : 0x0000000000000000 : 0x0000000000000000]},

6.797356534, Microsoft-Windows-USB-USBPORT, URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER , Complete with Data ,
{0xfffffa80081d3050; 0x00000000; 0x0012; 0x0000; 0x1002; 0x4397},
{0xfffffa80088dea00; 0x0693; 0x0003; 1; [3 : 0 : 0 : 0 : 0 : 0]; 1; 1},
{0xfffffa8007667d20; 0xfffffa80088de848; 0xfffffa80088dea00},
{0x07; 0x05; 0x81; 0x02; 0x0040; 0x00}, 0xfffffa80076a4c60, 0xfffffa800766aaf8,
{0x0080; 0x0009; 0x00000000; 0xfffffa80088dea00; 0x0000000000000022; 0xfffffa80088de848; 0x00000001; 0x0000000d; 0xfffffa800766ab98; 0xfffffa800a21fa70; 0x0000000000000000; [0xfffffa800a2f1410 : 0xdeadf00ddeadf00d : 0x0000000000000000 : 0x0000000000000000 : 0x0000000000000000 : 0x0000000000000000 : 0x0000000000000000 : 0x0000000000000000]},
0x000d, [0x55 : 0x53 : 0x42 : 0x53 : 0x60 : 0x4c : 0x6a : 0x07 : 0x00 : 0x00 : 0x00 : 0x00 : 0x00]
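
One way to pull those fields out of xperf's text output programmatically, as an added example that is not part of the original post. The position of each field inside the brace groups is inferred from the description and values above, and reading the 13-byte payload (which begins with "USBS") as a mass-storage Bulk-Only Transport Command Status Wrapper is likewise an assumption; the URB group in the sample is shortened.

```python
import re
import struct

# Constructed sample: the "Complete with Data" event quoted above, joined onto
# one line, with the long URB group shortened to its first three fields.
SAMPLE = (
    "6.797356534, Microsoft-Windows-USB-USBPORT, "
    "URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER , Complete with Data , "
    "{0xfffffa80081d3050; 0x00000000; 0x0012; 0x0000; 0x1002; 0x4397}, "
    "{0xfffffa80088dea00; 0x0693; 0x0003; 1; [3 : 0 : 0 : 0 : 0 : 0]; 1; 1}, "
    "{0xfffffa8007667d20; 0xfffffa80088de848; 0xfffffa80088dea00}, "
    "{0x07; 0x05; 0x81; 0x02; 0x0040; 0x00}, 0xfffffa80076a4c60, 0xfffffa800766aaf8, "
    "{0x0080; 0x0009; 0x00000000}, "
    "0x000d, [0x55 : 0x53 : 0x42 : 0x53 : 0x60 : 0x4c : 0x6a : 0x07 : "
    "0x00 : 0x00 : 0x00 : 0x00 : 0x00]"
)
XFER = ("control", "isochronous", "bulk", "interrupt")  # bmAttributes bits 1..0

def parse_event(text):
    """Split one decoded USBPORT event into named fields (positions assumed)."""
    head = [f.strip() for f in text.split("{", 1)[0].split(",")]
    ts, provider, task, opcode = head[:4]
    groups = [[f.strip() for f in g.split(";")]
              for g in re.findall(r"\{([^{}]*)\}", text)]
    hc, dev, ep = groups[0], groups[1], groups[3]  # group 3 = endpoint descriptor
    addr, attrs = int(ep[2], 16), int(ep[3], 16)
    event = {
        "time": float(ts), "provider": provider, "task": task, "opcode": opcode,
        "host_controller": "VEN_%04X&DEV_%04X" % (int(hc[4], 16), int(hc[5], 16)),
        "device": "VID_%04X&PID_%04X" % (int(dev[1], 16), int(dev[2], 16)),
        "port_path": [int(p) for p in re.findall(r"\d+", dev[4])],
        "endpoint": "%s %s 0x%02x" % (XFER[attrs & 3],
                                      "IN" if addr & 0x80 else "OUT", addr),
        "max_packet": int(ep[4], 16),
        "data": None,  # only completion events carry a transfer buffer
    }
    tail = re.search(r"(0x[0-9a-fA-F]+)\s*,\s*\[([^\]]*)\]\s*$", text)
    if tail:
        event["data"] = bytes(int(b, 16) for b in tail.group(2).split(":"))
    return event

def decode_csw(data):
    """Decode a 13-byte Bulk-Only Transport CSW; None if it is not one."""
    if data is None or len(data) != 13 or data[:4] != b"USBS":
        return None
    _, tag, residue, status = struct.unpack("<4sIIB", data)
    return {"tag": tag, "residue": residue, "status": status}

if __name__ == "__main__":
    ev = parse_event(SAMPLE)
    print(ev["device"], ev["endpoint"], decode_csw(ev["data"]))
```
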

> You don’t need tmf files to view the USB ETW traces and you
> don’t use TraceView. The ETW event manifests are compiled
> into the USBPORT.SYS and USBHUB.SYS binaries and the manifests
> can be extracted and used by xperf to decode the traces.

Are there docs on how we can compile ETW event manifests into our drivers? I
like ETW tracing a lot but the extra step of installing the xml manifest is
a little annoying. If the OS could just pull the data from the .sys, like it
does for WMI definitions, that would be super.

Jan

There are two separate steps:
(1) compiling the ETW event manifests into a driver
(2) installing the manifest

These steps are addressed in this article:
http://msdn.microsoft.com/en-us/library/aa468726.aspx

If you are asking specifically about (2) installing the manifest, I’m not aware of any way around the need to use wevtutil.exe to install the manifest.

-Glen