WPP, Win2K and Minifilters (was: WPP on Win2K?)

BTW, where do you get the DeviceObject for WPP_INIT_TRACING in your
minifilter?

For my minifilter, DriverObject->DeviceObject is NULL in DriverEntry (which
seems like the logical place to invoke WPP_INIT_TRACING).

There are other things that look like WPP hasn’t really been wrung out on
Win2K. For instance, on line 438 of km-init.tpl:

WppDebug(0,("IoWMIRegistrationControl status = %08X\n"));

Note the lack of a value for the format (caused BSOD on my system).
Similarly on line 88:

WppDebug(0,("WPP Create of Registry name failed 0x%X"));

The bottom line is that if I disable WPP completely in W2K, my driver works.
If I enable it, I haven’t been able to get beyond a BSOD. I finally gave up
and just disabled WPP on Win2K.

Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ted Hess
Sent: Thursday, March 10, 2005 11:34 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] WPP on Win2K?

One more thing…

You need to call WPP_INIT_TRACING() with a DeviceObject and not a
DriverObject on W2K.

/ted

-----Original Message-----
From: Ken Cross [mailto:xxxxx@comcast.net]
Sent: Thursday, March 10, 2005 10:28 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] WPP on Win2K?

The -dll didn’t seem to improve anything and added another error:

error C2496: ‘WPP_GLOBAL_Control’ : ‘selectany’ can only be applied to data
items with external linkage

Anyhow, it looks like this handles the bulk of the problems I’ve seen. This
is in the common header I use:

#include <fltkernel.h>

// Suppress invocation of ntddk.h
#define _NTDDK_

#ifndef UNICODE_STRING_MAX_BYTES
#define UNICODE_STRING_MAX_BYTES ((USHORT) 65534)
#endif

#ifndef RTL_NUMBER_OF
#define RTL_NUMBER_OF(x) (sizeof(x)/sizeof(x[0]))
#endif

#ifndef RtlInitEmptyUnicodeString
#define RtlInitEmptyUnicodeString(_ucStr,_buf,_bufSize) \
    ((_ucStr)->Buffer = (_buf), \
    (_ucStr)->Length = 0, \
    (_ucStr)->MaximumLength = (USHORT)(_bufSize))
#endif

For some reason, the last 3 macros aren’t defined in the W2K version of
ntifs.h (there may be more that I’m not using, too).

HTH,
Ken

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ted Hess
Sent: Thursday, March 10, 2005 9:30 AM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] WPP on Win2K?

Ken -

Your WPP command line should look something like this for W2K (notice the
undocumented -dll option!)

RUN_WPP=$(SOURCES) -km -dll -gen:{km-w2k.tpl}*.tmh

If you ever figure out a way to build a single Filter Manager based driver
image for W2K/XP/WS03 with WPP tracing enabled, let me know. I gave up on
that one.

/ted

-----Original Message-----
From: Ken Cross [mailto:xxxxx@comcast.net]
Sent: Thursday, March 10, 2005 8:35 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] WPP on Win2K?

NTFSD Folk:

I’m having problems getting WPP working on Win2K. Everything builds and
executes fine on XP/2003. (It’s a minifilter, but I don’t think that’s a
factor.)

Per the documentation, I’ve added this line in sources:

RUN_WPP=$(SOURCES) -km -gen:{km-w2k.tpl}*.tmh

But it still gets roughly a zillion compile errors (mostly macro and struct
redefinitions). I can’t seem to find a combination of #includes that work.

I’m using IFS build 1414. Any clues?

Thanks,
Ken


Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@livevault.com To unsubscribe
send a blank email to xxxxx@lists.osr.com
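
The missing format value pointed out in the two km-init.tpl WppDebug lines at the top of this thread is a defect that can be caught mechanically. The following is an added example, not code from the thread or from the WPP templates: a small lint that treats WppDebug as printf-style (as the message does) and compares the arguments a format string consumes with the arguments actually passed. The function names and the last two sample lines are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define LINT_NO_LITERAL (-1000)

/* Constructed sample input: the first two lines are the km-init.tpl calls
 * quoted in the thread; the last two are made up here for contrast
 * ("status", "pct", "width" and "name" are hypothetical variables). */
static const char *const SAMPLE_LINES[] = {
    "WppDebug(0,(\"IoWMIRegistrationControl status = %08X\\n\"));",
    "WppDebug(0,(\"WPP Create of Registry name failed 0x%X\"));",
    "WppDebug(0,(\"IoWMIRegistrationControl status = %08X\\n\", status));",
    "WppDebug(0,(\"%d%% of %*s\", pct, width, name));",
};

/* Count the arguments a printf-style format consumes. "%%" consumes none;
 * a '*' width or precision consumes one extra argument. */
static int format_args_needed(const char *fmt, size_t len)
{
    int need = 0;
    size_t i = 0;

    while (i < len) {
        if (fmt[i++] != '%')
            continue;
        if (i < len && fmt[i] == '%') {          /* literal percent sign */
            i++;
            continue;
        }
        /* skip flags, width, precision and length modifiers */
        while (i < len && fmt[i] != '\0' &&
               strchr("-+ #0123456789.*hlLqjztwI", fmt[i]) != NULL) {
            if (fmt[i] == '*')
                need++;
            i++;
        }
        if (i < len) {                           /* the conversion character */
            need++;
            i++;
        }
    }
    return need;
}

/* For the first string literal on a source line, return (arguments the
 * format needs) minus (arguments passed after it). A positive result means
 * the call would read values that were never supplied. Arguments that
 * themselves contain string literals are not handled. */
int missing_format_args(const char *line)
{
    const char *open = strchr(line, '"');
    const char *close = NULL;
    const char *p;
    int have = 0, depth = 0;

    if (open == NULL)
        return LINT_NO_LITERAL;
    for (p = open + 1; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0') {        /* skip escaped character */
            p++;
            continue;
        }
        if (*p == '"') {
            close = p;
            break;
        }
    }
    if (close == NULL)
        return LINT_NO_LITERAL;

    /* count top-level commas up to the parenthesis closing the call */
    for (p = close + 1; *p != '\0'; p++) {
        if (*p == '(') {
            depth++;
        } else if (*p == ')') {
            if (depth == 0)
                break;
            depth--;
        } else if (*p == ',' && depth == 0) {
            have++;
        }
    }
    return format_args_needed(open + 1, (size_t)(close - open - 1)) - have;
}

int main(void)
{
    size_t i;

    for (i = 0; i < sizeof(SAMPLE_LINES) / sizeof(SAMPLE_LINES[0]); i++)
        printf("%+d  %s\n", missing_format_args(SAMPLE_LINES[i]), SAMPLE_LINES[i]);
    return 0;
}
```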



More frustrations, but some success…

Using WPP (also affectionately known as Event Tracing for Windows) in
Minifilters on Win2K is a royal pain. I eventually got it to work, but
here’s what I had to do and I’m not sure if it’s all legal:

1. Add “-gen:{km-w2k.tpl}*.tmh” to RUN_WPP in SOURCES (this is actually
documented).

2. Add “#define _NTDDK_” after “#include <fltkernel.h>” but before
“#include module.tmh”. This suppresses ntddk.h which conflicts with
ntifs.h.

3. Get a DEVICE_OBJECT that WPP can use (WPP_INIT_TRACING requires this for
Win2K). This was the biggest hurdle, and the part I’m not sure is legal.
Since minifilters don’t seem to have device objects
(DriverObject->DeviceObject is NULL), I added code in InstanceSetup to grab
the first DeviceObject I could find and invoke WPP_INIT_TRACING there.
(BTW, use FltGetDeviceObject(), not FltGetDiskDeviceObject()).

4. Add a pre-IRP_MJ_SYSTEM_CONTROL callback to handle the WMI calls. The
contents of this was hacked from some of the WPP headers. This is in lieu
of WPP_SYSTEMCONTROL(), which is undocumented but required for Win2K to
handle WMI calls. It doesn’t work for minifilters, though.

After all this (and many, many other unsuccessful attempts), I finally have
it working. I hope this helps others trying to do the same thing.

It just doesn’t seem like it should be this hard…

Ken


My minifilter has a CDO created with IoCreateDevice() in DriverEntry. I
don’t think I use it for anything anymore other than WPP_INIT_TRACING() on W2K.

And, yes – I gave up on tracing in release builds altogether so I can have
1 driver for all platforms. Sigh…

/ted


Ted:

That’s a good thought about using the CDO DeviceObject. Of course, I
finally got rid of all the CDO stuff from my driver when I switched to the
communications port.

I don’t mind having multiple drivers if they come from one set of sources.
Both the build and installation procedures can handle that. And it’s really
nice to be able to turn on tracing if you need it on some system whose
behavior defies all logic… :wink:

Ken


An update:

The ugliest part (using another driver’s DEVICE_OBJECT) of this has been
resolved by creating a CDO just for the purpose of tracing. Seems a bit
much, but…

I then use the standard WPP_SYSTEMCONTROL() macro on the CDO DeviceObject.
This replaces the Filter Driver’s entry for the IRP_MJ_SYSTEM_CONTROL
function for the minifilter’s DriverObject. I hope this doesn’t break
something in the future.

Ken
