I have a Driver configured with WPP tracing.

I'm interested in seeing my driver's WPP tracing messages appearing in the WPA timeline, alongside the rest of the system events.

I tried adding the driver's WPP provider GUID as an EventProvider to a custom profile, but it didn't work.

There's no documentation on how to add WPP (classic) providers to the profile, and it's also unclear whether I should initiate the session myself or whether WPR will do it for me.

David Gardiner
Sirotnikov
  • I always use xperf to start logging. Try if this works: **xperf.exe -start UserLogger -on GUID -BufferSize 1024 -f User.etl** – magicandre1981 Aug 12 '14 at 19:44
  • Wouldn't that only log my driver? I want to see it together with all kernel events, DPC/ISR, stacks etc. – Sirotnikov Aug 13 '14 at 02:45
  • To log kernel events, run for example this: **xperf.exe -on PROC_THREAD+LOADER+PROFILE+INTERRUPT+DPC+DISPATCHER+CSwitch+POWER -stackwalk Profile+CSwitch+ReadyThread+ImageLoad+ImageUnload -BufferSize 1024 -MinBuffers 256 -MaxBuffers 512 -MaxFile 1518 -FileMode Circular -f Kernel.etl** Now run **xperf.exe -stop** and **xperf.exe -stop UserLogger** and merge both files: **xperf.exe -merge User.etl kernel.etl Result.etl**. But I never tried this with WPP providers, only new ETW providers. – magicandre1981 Aug 13 '14 at 08:00
  • Ah, so there's a "merge" function. Handy. Will test and report. – Sirotnikov Aug 13 '14 at 16:52

1 Answer

I had a similar problem adding WPP providers to WPR. It seems WPP uses an inverted logic for the keyword bitmask (1 is off, 0 is on), so you need to override the default for these providers with the following in the profile's file.

```xml
<EventProvider Name="0ec9af87-f800-477d-9eec-f69fd9056506" Id="MyWppProvider">
    <Keywords>
        <Keyword Value="0x0"/>
    </Keywords>
</EventProvider>
```

Thales Carvalho
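
An added example, not part of the original answer: a complete `.wprp` profile that places the answer's `EventProvider` override next to a kernel `SystemProvider`, so that the driver's WPP messages and the kernel events are recorded together. The provider GUID and the `0x0` keyword come from the answer; the profile name `DriverTrace`, the collector Ids, the buffer sizes and the choice of kernel keywords are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="utf-8"?>
<WindowsPerformanceRecorder Version="1.0">
  <Profiles>
    <!-- Kernel session: CPU sampling, context switches, DPC/ISR (sizes are assumed) -->
    <SystemCollector Id="SystemCollector" Name="NT Kernel Logger">
      <BufferSize Value="1024"/>
      <Buffers Value="256"/>
    </SystemCollector>
    <!-- Separate session for the driver's WPP provider (Id and Name are assumed) -->
    <EventCollector Id="DriverCollector" Name="Driver WPP Collector">
      <BufferSize Value="1024"/>
      <Buffers Value="64"/>
    </EventCollector>
    <SystemProvider Id="SystemProvider">
      <Keywords>
        <Keyword Value="ProcessThread"/>
        <Keyword Value="Loader"/>
        <Keyword Value="SampledProfile"/>
        <Keyword Value="Interrupt"/>
        <Keyword Value="DPC"/>
        <Keyword Value="CSwitch"/>
      </Keywords>
      <Stacks>
        <Stack Value="SampledProfile"/>
        <Stack Value="CSwitch"/>
      </Stacks>
    </SystemProvider>
    <!-- WPP provider with the keyword override described in the answer above -->
    <EventProvider Id="MyWppProvider" Name="0ec9af87-f800-477d-9eec-f69fd9056506">
      <Keywords>
        <Keyword Value="0x0"/>
      </Keywords>
    </EventProvider>
    <!-- Profile Id has the form Name.DetailLevel.LoggingMode -->
    <Profile Id="DriverTrace.Verbose.File" Name="DriverTrace" Description="Kernel events plus driver WPP messages" LoggingMode="File" DetailLevel="Verbose">
      <Collectors>
        <SystemCollectorId Value="SystemCollector">
          <SystemProviderId Value="SystemProvider"/>
        </SystemCollectorId>
        <EventCollectorId Value="DriverCollector">
          <EventProviders>
            <EventProviderId Value="MyWppProvider"/>
          </EventProviders>
        </EventCollectorId>
      </Collectors>
    </Profile>
  </Profiles>
</WindowsPerformanceRecorder>
```

Saved as `DriverTrace.wprp` (an assumed file name), the profile is started with `wpr -start DriverTrace.wprp -filemode` and stopped with `wpr -stop Result.etl`. WPR creates both sessions from the profile and writes them to a single merged trace.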