0

Like in topic I would like to know how to "turn on" ETW or WPP for particular windows driver. Lets for an example take a vdrvroot.sys. When we disassemble this driver we see at the beginning of DriverEntry couple function calls:

McGenEventRegister();
WppLoadTracingSupport()
WppInitKm()

which turns on tracing functionality. For ETW in McGenEventRegister I see the following provider registration:

result = EtwRegister(
   &VDRVROOT_PROVIDER_ID,
   McGenControlCallbackV2,
   &VDRVROOT_PROVIDER_ID_Context,
   &Microsoft_Windows_VDRVROOTHandle);

where VDRVROOT_PROVIDER_ID equals 900448e4-b685-dd11-ad8b-0800200c9a66. I tried to log eventual logs doing:

tracelog.exe -start MyTrace -guid #900448e4-b685-dd11-ad8b-0800200c9a66
(...) //some actions here
tracelog.exe -start MyTrace

and view the log file via TraceView. Nothing caught but in this driver EtwWrite is called only in one place which I probably did not trigger with my actions. Question is whether I can turn on mentioned tracing mechanisms without reversing driver ;) ?

user3305379
  • 35
  • 1
  • 7

1 Answers1

0

I'm not sure what you'll get for the GUID you show. I see E4480490-85B6-11DD-AD8B-0800200C9A66 as the GUID for VDRVROOT_PROVIDER_ID. I'm not sure what the 900448E4 GUID is for. Note also that TraceView will only show WPP events (written via TraceMessage or TraceMessageVa), not manifest-based ETW events. Also note that WPP events require access to a PDB or TMF file -- otherwise TraceView won't be able to decode them. (You will be able to decode manifest-based events automatically as long as the correct manifest has been registered on your system.)

You might try decoding the ETL file using tracerpt, as it supports more types of ETW event encodings.

In general, ETW doesn't provide a really good way to say "how to get events from a particular driver". You can use tracelog to list all of the active GUIDs from all active providers in the system, and you can use tracelog to list all of the registered manifests, but there isn't a way to say "what providers have been activated by this particular DLL". One DLL might activate more than one provider GUID (maybe one for manifest-based events and another for WPP-based events), or perhaps many DLLs all share the same manifest so they all use the same provider GUID. And even if you do have the correct GUID for a driver, if the driver is just using WPP (which is common), you can't decode the events without access to the TMF or PDB file.

Doug Cook - MSFT
  • 121
  • 6