I'm working on Windows user space app development. At the same time I'm developing a Windows kernel mode driver. The driver has WPP traces enabled on a particular GUID. Let's call it DRIVER_PROVIDER_GUID. For now I was using a tool like TraceView to collect logs (by attaching the *.pdb file and then putting it into *.etl or *.txt). I found a nice API provided by MSFT which can collect ETW (and also WPP) traces in real time and parse them using some methods. I tried to implement that but I can't even catch one event from my driver (I'm sure that a lot of traces should appear when I'm trying to get them).

My snippet:

```c
#include <windows.h>
#include <evntrace.h>
#include <evntcons.h>
#include <tdh.h>
#include <strsafe.h>
#include <stdio.h>
#include <stdlib.h>

// Globals the snippet uses but did not declare; the values are placeholders.
static WCHAR SessionName[] = L"DriverWppSession";
static GUID SessionGuid = { 0 };         // <-- any GUID here?
static GUID ProviderGuid = { 0 };        // DRIVER_PROVIDER_GUID, the driver's WPP control GUID
static WCHAR pdbPath[] = L"C:\\path\\to\\driver.pdb";
static EVENT_TRACE_PROPERTIES* pSessionProperties = NULL;
static ULONG bufferSize = 0;
static ULONG status = ERROR_SUCCESS;
static TRACEHANDLE SessionHandle = 0;
static TRACEHANDLE hTrace = INVALID_PROCESSTRACE_HANDLE;
static int context = 0;                  // placeholder for whatever the callback needs

VOID WINAPI EventRecordCallback(EVENT_RECORD* pEventRecord);

void StartETWSession()
{
    ENABLE_TRACE_PARAMETERS traceParameters;   // prepared, but EnableTraceEx2 below is passed NULL
    ZeroMemory(&traceParameters, sizeof(traceParameters));
    traceParameters.Version = ENABLE_TRACE_PARAMETERS_VERSION_2;
    traceParameters.EnableFilterDesc = NULL;
    traceParameters.FilterDescCount = 0;

    // Session properties plus room for the logger name that follows the struct.
    bufferSize = sizeof(EVENT_TRACE_PROPERTIES) + sizeof(SessionName);
    pSessionProperties = (EVENT_TRACE_PROPERTIES*)malloc(bufferSize);
    if (pSessionProperties == NULL)
        return;

    ZeroMemory(pSessionProperties, bufferSize);
    pSessionProperties->Wnode.BufferSize = bufferSize;
    pSessionProperties->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
    pSessionProperties->Wnode.ClientContext = 1;      // QPC timestamps
    pSessionProperties->Wnode.Guid = SessionGuid;     // <-- any GUID here?
    // System logger mode together with CSWITCH enable flags makes this a kernel (system) logger as well.
    pSessionProperties->EnableFlags = EVENT_TRACE_FLAG_CSWITCH;
    pSessionProperties->LogFileMode = EVENT_TRACE_REAL_TIME_MODE | EVENT_TRACE_SYSTEM_LOGGER_MODE;
    pSessionProperties->MaximumFileSize = 100;
    pSessionProperties->FlushTimer = 1;
    pSessionProperties->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
    StringCbCopy((LPWSTR)((char*)pSessionProperties + pSessionProperties->LoggerNameOffset),
                 sizeof(SessionName), SessionName);

    status = StartTrace(&SessionHandle, SessionName, pSessionProperties);
    if (status != ERROR_SUCCESS)
    {
        wprintf(L"StartTrace() failed with status: %lu\n", status);
        goto cleanup;
    }

    status = TdhLoadManifest(pdbPath);   // <-- PDB or TMF files here?
    wprintf(L"TdhLoadManifest() returned: %lu\n", status);

    status = EnableTraceEx2(
        SessionHandle,
        &ProviderGuid,   // <-- Here provider which I used to enable WPP traces in my driver?
        EVENT_CONTROL_CODE_ENABLE_PROVIDER,
        TRACE_LEVEL_VERBOSE,
        0,    // Match any keyword
        0,    // Match any keyword
        0,    // No timeout
        NULL
    );
    wprintf(L"EnableTraceEx2() returned: %lu\n", status);

    EVENT_TRACE_LOGFILE logFile;
    ZeroMemory(&logFile, sizeof(EVENT_TRACE_LOGFILE));
    logFile.LoggerName = SessionName;
    logFile.ProcessTraceMode = PROCESS_TRACE_MODE_REAL_TIME | PROCESS_TRACE_MODE_EVENT_RECORD | PROCESS_TRACE_MODE_RAW_TIMESTAMP;
    logFile.EventRecordCallback = EventRecordCallback;
    logFile.Context = &context;

    hTrace = OpenTrace(&logFile);
    if (INVALID_PROCESSTRACE_HANDLE == hTrace)
    {
        wprintf(L"OpenTrace() failed with status: %lu\n", GetLastError());
        goto cleanup;
    }

    // Blocks and delivers events to EventRecordCallback until the session stops.
    status = ProcessTrace(&hTrace, 1, NULL, NULL);

cleanup:
    if (hTrace != INVALID_PROCESSTRACE_HANDLE)
        CloseTrace(hTrace);
    if (SessionHandle != 0)
        ControlTrace(SessionHandle, SessionName, pSessionProperties, EVENT_TRACE_CONTROL_STOP);
    free(pSessionProperties);
    pSessionProperties = NULL;
}

VOID WINAPI EventRecordCallback(EVENT_RECORD* pEventRecord)   // <-- Some events are caught here
{
    if (IsEqualGUID(pEventRecord->EventHeader.ProviderId, ProviderGuid))
    {
        // <-- BREAKPOINT HERE --> But no events here.
    }
}
```

I can catch events whose provider is 68FDD900-4A3E-11D1-84F4-0000F80464E3, which is the EventTraceEvent class.

Is it possible to collect WPP traces in realtime? What can be wrong on my side?

I tried a few combinations of providers and session GUIDs like kernelSession (but I understand that this is for sessions provided by Windows). I also checked, and I can collect ETW traces, but my goal is to collect WPP traces. I'd expect to get to know what is wrong in my code and why I can't collect WPP traces (or if it is not possible).

  • I've done this before and know that it works. Can you post `complete` reproducible code, including both user-mode and kernel-mode code? – Luke Jun 21 '23 at 12:21
  • I cannot share complete code for the kernel driver. But logging is based on https://learn.microsoft.com/en-gb/windows-hardware/drivers/devtest/adding-wpp-software-tracing-to-a-windows-driver. The code which I shared above is from the user space app. All functions which are called before ProcessTrace are copied here. It doesn't work and I cannot see WPP events in EventRecordCallback. – TheKwiatek666 Jun 27 '23 at 13:47
  • I mean just a minimal "hello world" driver.c and app.c that can be compiled to see what exactly you're doing. In any event, I'm guessing that the issue is with how you set up WPP in the driver. You're looking for events with a specific ProviderId, but by default WPP generates a random ProviderId (in the context of the event callback). If you want WPP to use your ProviderId then you need to #define WPP_USER_MSG_GUID using the same GUID as in your WPP_CONTROL_GUIDS macro. Additionally, for WPP you need to use TdhGetWppProperty() to get the data. – Luke Jun 28 '23 at 09:30
  • On DriverEntry I'm calling WPP_INIT_TRACING(_pDriverObject, _pRegistryPath); https://learn.microsoft.com/en-us/previous-versions/windows/hardware/kernel/ff556193(v=vs.85) In one file I have defined the provider GUID: #define INTC_CONTROL_GUID (XXXXXXX) I have defined a log function: void LOG(const LogLevel _Level, const char* _Message, ...); And two defines below: #define WPP_FLAGS_LEVEL_ENABLED(FLAGS, LVL) (WPP_LEVEL_ENABLED(FLAGS) && WPP_CONTROL(WPP_BIT_ ## FLAGS).Level >= LVL) #define WPP_FLAGS_LEVEL_LOGGER(FLAGS, LVL) WPP_LEVEL_LOGGER(FLAGS) – TheKwiatek666 Jul 25 '23 at 12:47
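Before chasing the consumer code, it helps to confirm outside the app that the driver really emits WPP events under DRIVER_PROVIDER_GUID and that they decode with TMF files generated from the PDB, which is the same TMF data TraceView pulls from the PDB. This is an added example, not code from the question or the comments; it assumes the WDK tools tracepdb.exe, tracelog.exe and tracefmt.exe are on PATH in an elevated PowerShell, and the GUID, PDB path and TMF directory below are placeholders:

```powershell
# Added diagnostic, not part of the question. Placeholders: replace with the
# driver's WPP control GUID (WPP_CONTROL_GUIDS), its PDB and a TMF output folder.
$ControlGuid = '00000000-0000-0000-0000-000000000000'   # DRIVER_PROVIDER_GUID
$DriverPdb   = 'C:\build\driver.pdb'
$TmfDir      = 'C:\tmf'
$Session     = 'WppRtCheck'

# 1. Generate TMF files from the PDB; tracefmt needs them to format WPP messages.
New-Item -ItemType Directory -Force -Path $TmfDir | Out-Null
tracepdb.exe -f $DriverPdb -p $TmfDir
if ($LASTEXITCODE -ne 0) { throw "tracepdb failed with exit code $LASTEXITCODE" }

# 2. Start a real-time session and enable the control GUID with all flags at verbose level.
tracelog.exe -start $Session -rt -guid "#$ControlGuid" -flag 0xFFFF -level 5
if ($LASTEXITCODE -ne 0) { throw "tracelog -start failed with exit code $LASTEXITCODE" }

try {
    # 3. Show the session state (enabled providers, buffers) to confirm the enable took effect.
    tracelog.exe -q $Session

    # 4. Decode and print events as they arrive; exercise the driver, Ctrl+C to stop.
    tracefmt.exe -rt $Session -p $TmfDir -display
}
finally {
    # 5. Always stop the session, otherwise it keeps running after the script exits.
    tracelog.exe -stop $Session | Out-Null
}
```

If tracefmt prints the driver's messages while the C consumer above sees nothing, the problem is on the consumer side (for instance which ProviderId the callback filters on); if tracefmt shows nothing either, the driver-side WPP setup is where to look.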