
ETW tracing via WinDbg


clackmannan

Sep 25, 2009, 10:47:12 AM
Does anyone have any experience with doing ETW tracing through a
kernel-mode session?

I have Windbg installed and running just fine with correct symbols via
a serial cable at 115200 baud.

I have ETW tracing working locally on a test machine using Traceview
2.1.1

What I need to do now is get the ETW trace output from the target to
the host, so I enabled the 'Windbg' option in TraceView thinking that
would be all I need to do (documentation on this is a little sparse,
so maybe I'm missing something here?)

Since I'm specifically tracing a keyboard filter driver, pressing a
key on the keyboard of the target machine generates me ETW trace data
in TraceView, but all I get in WinDbg on the host is the line "invalid
paramater passed to c runtime function"

TIA,
Paul

Ivan Brugiolo [MSFT]

Sep 25, 2009, 12:45:19 PM

I have never used TraceView myself, so,
I cannot help with the tool, but, using built-in tools:
Assuming you have a tracing session on an event publisher
whose guid is 8c9dd1ad-e6e5-4b07-b455-684a9d879900

Start the trace session on the machine:
c:\>logman.exe -start DwmTrace -p 8c9dd1ad-e6e5-4b07-b455-684a9d879900 0xFFFFFFFF 0x6 -ets -o %temp%\DwmTrace.etl

You can inspect the state of the trace session from KD.

0: kd> !wmitrace.logger DwmTrace
(WmiTrace)LogDump for Logger Id 0x15
Logger Id 0x15 @ 0x8A763D80 Named 'DwmTrace'
CollectionOn = 1
LoggerMode = 0x00000001 ( seq )
BufferSize = 64 KB
BuffersAvailable = 62
MinimumBuffers = 64
NumberOfBuffers = 64
MaximumBuffers = 320
EventsLost = 0
LogBuffersLost = 0
RealTimeBuffersLost = 0
LastFlushedBuffer = 16
MaximumFileSize = 0
FlushTimer = 0 sec
LoggerThread = 0x89fbd030
PoolType = NonPaged
SequenceNumber = 79
ClockType = PerfCounter
EventsLogged = 9097
LogFileName = 'E:\Users\admin\AppData\Local\Temp\DwmTrace.etl'

Save the in-memory-portion of the session for further processing

0: kd> !wmitrace.logsave DwmTrace f:\temp\DwmTrace.etl
WMI Trace Save: Debugger Extension. LoggerId = 21, Save File = 'f:\temp\DwmTrace.etl'

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm


"clackmannan" <clack...@hotmail.com> wrote in message
news:459bb63b-a79f-4095...@o35g2000vbi.googlegroups.com...
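As an added example (not part of the thread, and not Microsoft's or the WinDbg extension's own code): a small Python parser for the `!wmitrace.logger` listing shown above, plus the checks one would run on a session before trusting it or calling `!wmitrace.logsave`: is collection on, were any events or buffers lost, and how much buffer headroom is left. The sample text is copied from Ivan's listing; the "fewer than a quarter of buffers free" threshold and the function names are my own assumptions.

```python
"""Parse WinDbg `!wmitrace.logger <name>` output and report session health.

Hypothetical helper, not part of the WinDbg or wmitrace extension."""
import re

# Constructed sample: copied from the `!wmitrace.logger DwmTrace` listing in
# the post above, not captured from a live debugger.  Raw string so the
# backslashes in LogFileName survive untouched.
SAMPLE_LOGGER_OUTPUT = r"""
(WmiTrace)LogDump for Logger Id 0x15
Logger Id 0x15 @ 0x8A763D80 Named 'DwmTrace'
CollectionOn = 1
LoggerMode = 0x00000001 ( seq )
BufferSize = 64 KB
BuffersAvailable = 62
MinimumBuffers = 64
NumberOfBuffers = 64
MaximumBuffers = 320
EventsLost = 0
LogBuffersLost = 0
RealTimeBuffersLost = 0
LastFlushedBuffer = 16
MaximumFileSize = 0
FlushTimer = 0 sec
LoggerThread = 0x89fbd030
PoolType = NonPaged
SequenceNumber = 79
ClockType = PerfCounter
EventsLogged = 9097
LogFileName = 'E:\Users\admin\AppData\Local\Temp\DwmTrace.etl'
"""

HEADER = re.compile(r"^Logger Id (0x[0-9A-Fa-f]+) @ (0x[0-9A-Fa-f]+) Named '([^']*)'")
KEY_VALUE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$")


def _coerce(raw):
    """Turn '64 KB', '0x00000001 ( seq )', "'path'" or 'NonPaged' into a value."""
    token = raw.split()[0]
    if token.startswith("'") and raw.endswith("'"):
        return raw[1:-1]            # quoted file name
    try:
        return int(token, 0)        # decimal or 0x-prefixed, units dropped
    except ValueError:
        return raw                  # symbolic value such as NonPaged/PerfCounter


def parse_logger_dump(text):
    """Return a dict of the fields in a `!wmitrace.logger` listing."""
    info = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            info["LoggerId"] = int(m.group(1), 16)
            info["LoggerAddress"] = int(m.group(2), 16)
            info["Name"] = m.group(3)
            continue
        m = KEY_VALUE.match(line)
        if m:
            key, raw = m.groups()
            info[key] = _coerce(raw)
    return info


def check_session(info):
    """Findings a practitioner would act on before saving or trusting the trace."""
    findings = []
    if info.get("CollectionOn") != 1:
        findings.append("collection is off: events are not being recorded")
    for key in ("EventsLost", "LogBuffersLost", "RealTimeBuffersLost"):
        if info.get(key, 0) > 0:
            findings.append(f"{key}={info[key]}: increase buffer count/size "
                            "or reduce the provider level/flags")
    avail = info.get("BuffersAvailable", 0)
    total = info.get("NumberOfBuffers", 0)
    if total and avail * 4 < total:   # assumed threshold: under a quarter free
        findings.append(f"only {avail}/{total} buffers free: logger thread "
                        "is not keeping up with the providers")
    return findings


if __name__ == "__main__":
    session = parse_logger_dump(SAMPLE_LOGGER_OUTPUT)
    print(f"{session['Name']} (id {session['LoggerId']}): "
          f"{session['EventsLogged']} events, file {session['LogFileName']}")
    for finding in check_session(session) or ["session looks healthy"]:
        print(" -", finding)
```

Note that the parsed `LoggerId` (0x15) is the same value the `!wmitrace.logsave` line reports in decimal (LoggerId = 21), which is a handy sanity check that you are saving the session you inspected. If `EventsLost` is non-zero the saved .etl is already incomplete, so fix the buffer configuration and re-run before drawing conclusions from the trace.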

clackmannan

Sep 25, 2009, 1:16:32 PM
On Sep 25, 12:45 pm, "Ivan Brugiolo [MSFT]"

<ivanb...@online.microsoft.com> wrote:
> I have never used TraceView myself, so,
> I cannot help with the tool, but, using built-in tools:
> Assuming you have a tracing session on an event publisher
> whose guid is 8c9dd1ad-e6e5-4b07-b455-684a9d879900
>
<snip>

Thanks Ivan, I'll give that a go.
I've been using TraceView and TraceLog until now; I'd never heard of
Logman before.
But now I have an example to work from :)

Paul
