Consuming WPP output through netsh trace

  • Question

  • Hi!

    I've added WPP support into my NWIFI miniport driver. I can consume/capture the output through logman just fine, but I can't do this through netsh trace start provider= <my driver's GUID>. I'm guessing that I may need to register my driver as an ETW/WPP provider, but I'm not sure how that can be done.

    Can someone tell me how I can consume WPP output through netsh trace that is provided by my driver?

    Also, one of the reasons I want to use netsh trace is to take advantage of the persist (persist = yes) setting. That way, any produced output prior to a system reboot can be consumed when the system comes back up. As an alternative, if I enable autologger for WPP output, will it cache output produced before a reboot so that I can consume it through logman when the system comes up? If so, is there a way to immediately force a flush of the cached output on each line of output? I want to be able to capture as much output as possible to avoid loss due to a kernel crash.

    Thanks!

    Monday, December 8, 2014 1:48 AM

Answers

  • Netsh tracing is for manifest-based eventing, which is why you don't get anything (try "netsh trace show providers" to see what providers can be specified; all of which have a manifest registered). For WPP, you'll need to use LogMan. To meet your requirement of persistence, create an AutoLogger. The docs are here

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Tuesday, December 9, 2014 4:28 AM
    Moderator
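    The AutoLogger the answer recommends is configured entirely through the registry, so here is an added example (not from this thread or from Azius) that registers one for a WPP control GUID with the same flag mask and level the question passed to logman; the session name and the log path are assumptions, and the provider GUID is a placeholder for the value from your WPP_CONTROL_GUIDS. On the flush question: ETW has no per-event flush, and FlushTimer (in seconds, minimum 1) is the closest control, so events still in memory at the moment of a crash can only be recovered from the kernel dump (WinDbg's !wmitrace extension).

    ```powershell
    # Added example: create an AutoLogger session for a WPP provider.
    # Run from an elevated PowerShell prompt; takes effect at next boot.
    $SessionName  = 'MyNwifiWpp'                                 # assumption
    $ProviderGuid = '{00000000-0000-0000-0000-000000000000}'     # PLACEHOLDER: your WPP control GUID
    $LogFile      = 'C:\Windows\Temp\MyNwifiWpp.etl'             # assumption

    function Set-RegDword([string]$Path, [string]$Name, [uint32]$Value) {
        # Set-ItemProperty -Type DWord accepts an Int32, so reinterpret the
        # bits; this lets 0xFFFFFFFF be written without an overflow error.
        $signed = [BitConverter]::ToInt32([BitConverter]::GetBytes($Value), 0)
        Set-ItemProperty -Path $Path -Name $Name -Type DWord -Value $signed
    }

    $base = "HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\$SessionName"
    New-Item -Path $base -Force | Out-Null

    # Session settings (HKLM\...\Autologger\<SessionName>)
    Set-RegDword $base 'Start' 1                                     # start at boot
    Set-ItemProperty -Path $base -Name 'Guid' -Type String `
        -Value ([guid]::NewGuid().ToString('B'))                     # session GUID, NOT the provider GUID
    Set-ItemProperty -Path $base -Name 'FileName' -Type String -Value $LogFile
    Set-RegDword $base 'LogFileMode'    0x1                          # EVENT_TRACE_FILE_MODE_SEQUENTIAL
    Set-RegDword $base 'BufferSize'     8                            # KB per buffer, as in the question
    Set-RegDword $base 'MinimumBuffers' 4
    Set-RegDword $base 'MaximumBuffers' 16
    Set-RegDword $base 'FlushTimer'     1                            # seconds; 1 is the minimum

    # Provider settings (HKLM\...\Autologger\<SessionName>\<ProviderGuid>)
    $prov = Join-Path $base $ProviderGuid
    New-Item -Path $prov -Force | Out-Null
    Set-RegDword $prov 'Enabled'     1
    Set-RegDword $prov 'EnableLevel' 0xFF                            # level 255, as passed to logman
    Set-RegDword $prov 'EnableFlags' 0xFFFFFFFF                      # WPP flag mask, as passed to logman
    Set-ItemProperty -Path $prov -Name 'MatchAnyKeyword' -Type QWord -Value 0xFFFFFFFF
    ```

    After the reboot, `logman query $SessionName -ets` shows whether the session is running, and `logman stop $SessionName -ets` closes the .etl so it can be decoded with your driver's TMF/PDB files; delete the registry key to stop it from starting at boot.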

All replies

  • Why do you think netsh trace would be able to consume ETW events? Netsh is an ETW controller, not a consumer. You need to learn more about ETW. Start here

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Tuesday, December 9, 2014 2:48 AM
    Moderator
  • OK, wrong terms:

    Can someone tell me how I can capture WPP output through netsh trace that is provided by my driver? Again, my driver supports WPP, which AFAIK is built on top of ETW. But netsh trace start provider= <my driver's GUID> does not capture output through the WPP interface provided by my driver?

    Do I need to register my driver as a provider through an XML manifest, similar to that described here?

    Tuesday, December 9, 2014 3:53 AM
  • Yes, WPP sits on top of ETW, as does manifest-based logging. The differences are that manifest-based logging is automatically surfaced by the event logging system, you need to register your manifest file, and each event must be described in the manifest. Both WPP and manifest-based tracing are available simultaneously. WPP should be used primarily for debugging and deep diagnostics, while manifest-based tracing should be used for operational messages and end-user diagnostics.

    Is the GUID that you're specifying your WPP GUID? What is the full command? How big is the .ETL file?

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Tuesday, December 9, 2014 4:02 AM
    Moderator
  • Yes, I use the GUID that is specified by my driver through WPP_CONTROL_GUIDS. The full command I use for netsh is netsh trace start wireless_dbg provider={<My GUID>} 0xffffffff globallevel=0xff. The full command I use for logman is logman start test -p {<My GUID>} 0xFFFFFFFF 255 -o testlogs.etl -ets. The buffer size for the log is 8K.

    Tuesday, December 9, 2014 4:19 AM