USB ETW/Logman/Netmon/WinUSB: How to see USB data transferred?

  • Question

  • Capturing USB ETW with logman and netmon in order to watch data transferred in WinUSB.

    However, opening the USBTrace or WinUSB trace, I don't see any of the actual payload data that I can see when using a Beagle USB hardware capture device.   That is to say, I can't see the commands that my application is sending or receiving in the ETW trace.

    Using:

    set ETW_KEYWORDS=Default,FullDataBusTrace,StateMachine

    logman create trace -n usbtrace -o %SystemRoot%\Tracing\usbtrace.etl -ct perf -nb 128 640 -bs 128
    logman update trace -n usbtrace -u Vision Vision -p Microsoft-Windows-USB-USBXHCI (%ETW_KEYWORDS%)
    logman update trace -n usbtrace -u Vision Vision -p Microsoft-Windows-USB-UCX (%ETW_KEYWORDS%)
    logman update trace -n usbtrace -u Vision Vision -p Microsoft-Windows-USB-USBHUB3 (%ETW_KEYWORDS%)
    logman update trace -n usbtrace -u Vision Vision -p Microsoft-Windows-USB-USBPORT
    logman update trace -n usbtrace -u Vision Vision -p Microsoft-Windows-USB-USBHUB
    logman update trace -n usbtrace -u Vision Vision -p Microsoft-Windows-Kernel-IoTrace 0 2

    logman start -n usbtrace
    logman start -ets usbhub3 -ct perf -p {6e6cc2c5-8110-490e-9905-9f2ed700e455} 0xffffffff 0xff  -o %SystemRoot%\Tracing\usbhub3.etl
    logman start -ets ucx01000 -ct perf -p {6fb6e467-9ed4-4b73-8c22-70b97e22c7d9}  0xffffffff 0xff  -o %SystemRoot%\Tracing\ucx01000.etl
    logman start -ets usbxhci -ct perf -p {9F7711DD-29AD-C1EE-1B1B-B52A0118A54C} 0xffffffff 0xff  -o %SystemRoot%\Tracing\usbxhci.etl
    logman start -ets usbhub -ct perf -p {b10d03b8-e1f6-47f5-afc2-0fa0779b8188} 0xffffffff 0xff  -o %SystemRoot%\Tracing\usbhub.etl
    logman start -ets usbport -ct perf -p {d75aedbe-cfcd-42b9-94ab-f47b224245dd} 0xffffffff 0xff  -o %SystemRoot%\Tracing\usbport.etl
    logman start -ets usbccgp -ct perf -p {bc6c9364-fc67-42c5-acf7-abed3b12ecc6} 0xffffffff 0xff  -o %SystemRoot%\Tracing\usbccgp.etl
    logman start -ets winusb -ct perf -p {ef201d1b-4e45-4199-9e9e-74591f447955} 0xffffffff 0xff  -o %SystemRoot%\Tracing\winusb.etl
    logman start -ets pci -ct perf -p {47711976-08c7-44ef-8fa2-082da6a30a30} 0xffffffff 0xff  -o %SystemRoot%\Tracing\pci.etl

    and to close:

    logman stop -n usbtrace
    logman delete -n usbtrace

    logman stop -ets usbhub3
    logman stop -ets ucx01000
    logman stop -ets usbxhci
    logman stop -ets usbhub
    logman stop -ets usbport
    logman stop -ets usbccgp
    logman stop -ets winusb
    logman stop -ets pci

    I open Netmon with WinUSB.etl, have the USB parsers loaded (from NplAutoProfile.ps1 and set to AutoProfile).

    I can find my device using the VID.   In any events I open, I see a "userdata" field, but I don't recognize any of the data in it.    My application sends essentially text-based commands ("XYZ nn"), so I should see something like what I see in the HW capture.

    Is this userdata field encoded somehow, or where else should I look for the data?

    BTW, this is Win10 IoT Ent 1809.

    Wednesday, February 12, 2020 5:14 PM
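One way to check whether a "userdata"/"Payload" field actually carries the ASCII command bytes, as an added example that is not part of the original post: export the .etl to XML with tracerpt (`tracerpt winusb.etl -o winusb.xml -of XML`) and scan every hex-encoded Data field for printable ASCII runs. The XML below is a constructed stand-in for such an export; the field names (`fid_Payload`, `fid_USBPORT_Device`) and the exact tracerpt layout are assumptions, so adjust the parsing if your export names them differently.

```python
"""Added example (not from the thread): scan a tracerpt XML export of a USB
ETW trace for printable ASCII runs inside hex-encoded event data fields.

Assumed workflow (not verified on the page):
    tracerpt %SystemRoot%\\Tracing\\winusb.etl -o winusb.xml -of XML
The sample below is constructed; field names are assumptions.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample: one event whose payload is "XYZ 12\r\n" and one whose
# payload is a binary GET_DESCRIPTOR setup packet (no readable text).
SAMPLE_XML = """<Events>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-USB-USBPORT"/>
      <EventID>42</EventID>
    </System>
    <EventData>
      <Data Name="fid_USBPORT_Device">0x1234</Data>
      <Data Name="fid_Payload">58595A2031320D0A</Data>
    </EventData>
  </Event>
  <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
      <Provider Name="Microsoft-Windows-USB-USBPORT"/>
      <EventID>43</EventID>
    </System>
    <EventData>
      <Data Name="fid_Payload">80 06 00 01 00 00 40 00</Data>
      <Data Name="fid_Pipe">Pipe 0x81</Data>
    </EventData>
  </Event>
</Events>"""

# Optional 0x prefix followed by one or more hex byte pairs.
HEX_RE = re.compile(r"^(?:0x)?([0-9A-Fa-f]{2})+$")


def hex_to_bytes(text):
    """Return the bytes encoded by a hex string, or None if it is not hex."""
    if text is None:
        return None
    cleaned = "".join(text.split())  # tracerpt may space-separate bytes
    if not HEX_RE.match(cleaned):
        return None
    if cleaned[:2].lower() == "0x":
        cleaned = cleaned[2:]
    return bytes.fromhex(cleaned)


def printable_runs(data, min_len=4):
    """Return runs of at least min_len printable ASCII bytes as strings."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def scan_events(xml_text, min_len=4):
    """Return a list of {provider, event_id, field, runs} for every hex Data
    field that contains a printable ASCII run."""
    root = ET.fromstring(xml_text)
    hits = []
    for event in root.iter():
        if _local(event.tag) != "Event":
            continue
        provider, event_id, fields = "", "", []
        for el in event.iter():
            name = _local(el.tag)
            if name == "Provider":
                provider = el.get("Name", "")
            elif name == "EventID":
                event_id = (el.text or "").strip()
            elif name == "Data":
                fields.append((el.get("Name", "?"), el.text))
        for field, text in fields:
            raw = hex_to_bytes(text)
            if raw is None:
                continue
            runs = printable_runs(raw, min_len)
            if runs:
                hits.append({"provider": provider, "event_id": event_id,
                             "field": field, "runs": runs})
    return hits


if __name__ == "__main__":
    # Pass a tracerpt XML file as the first argument, or run on the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    for hit in scan_events(text):
        print(f"{hit['provider']} event {hit['event_id']} {hit['field']}: {hit['runs']}")
```

If the scan finds nothing even though the device traffic contains ASCII commands, the provider is not logging the transfer payload at the keyword level you enabled, and the hardware capture remains the only place to see it.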

All replies

  • Does USB ETW not include the payload (bytes of data transmitted over USB) at all ?

    If so, is the data readable in NetMon?

    Wednesday, February 19, 2020 1:56 PM
  • By "netmon", do you mean Message Analyzer?

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Thursday, February 20, 2020 12:23 AM
    Moderator
  • Thank you for replying.

    I am using this script in Boot Capture mode: 

       https://github.com/microsoft/busiotools/blob/master/usb/tracing/usbtrace.cmd

    This script creates an .ETL capture file, which I can open in Message Analyzer (which is now removed from Microsoft web sites).  

    I can filter on the VID/PID of my USB device.   I do see a field named "Payload". 

    However, I still don't see the data which my program is sending via WinUSB, which should be very short, simple ASCII text strings.

    Can you tell me where to look, or how to modify the script above to perform this capture?

    Thursday, February 20, 2020 3:06 PM