Information regarding Autologger

  • Question

  • Hi all,

I am currently developing a driver for an EC, and for debugging I have included logs in my code.

    Since writing these logs to a file affects CPU performance, I have decided to opt for Autologging.

    I have these challenges:

    The first issue I am facing is that the files are only generated once the system is rebooted.

    Is there a way to avoid this?

    Secondly, I tried using this mechanism by specifying the maximum file size to see whether the logs generated are routed to a new .etl file.

    This does not happen either; on every reboot I see only one new file being generated.

    Even if new files are created, the logs get written to only a single file, leaving all the other files empty.

    Is there a way to avoid this?


    The third issue is: I have an .etl file generated and the logs are also being routed to that file, and I use LogFileMode set to 0x00000002 (EVENT_TRACE_FILE_MODE_CIRCULAR). Even after this, I still see from the timestamps that the latest logs have not been written over the old logs.

The registry format which I used is (as a .reg file, importable with regedit):

    Windows Registry Editor Version 5.00

    ; AutoLogger session "Trial"; the key is read by ETW at boot
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Trial]
    "FileName"="C:\\LogFiles_VC80\\lol.etl"
    "Guid"="{a811c45b-113d-4858-ae4f-0c9aec910634}"
    "Start"=dword:00000001
    "FileMax"=dword:00000005
    "Status"=dword:00000000
    ; MaxFileSize is in MB
    "MaxFileSize"=dword:00000001
    "FileCounter"=dword:00000002
    ; 0x2 = EVENT_TRACE_FILE_MODE_CIRCULAR
    "LogFileMode"=dword:00000002

    ; Provider subkey, named after the provider's control GUID
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\Trial\{4d32ef87-0cbf-4b13-b3d2-2508fe954933}]
    "EnableProperty"=dword:00000000
    "Enabled"=dword:00000001
    ; 4 = TRACE_LEVEL_INFORMATION
    "EnableLevel"=dword:00000004
    ; REG_QWORD keyword masks, little-endian
    "MatchAnyKeyword"=hex(b):0f,00,00,00,00,00,00,00
    "MatchAllKeyword"=hex(b):00,00,00,00,00,00,00,00
    "Status"=dword:00000000


Can anyone please help me through this?

    Thanks.

    Monday, February 2, 2015 2:37 PM

Answers

  • The AutoLogger is designed to start logging for drivers early in the boot sequence, and as such, the relevant registry keys are only examined during boot, so that is when the logging starts. If you want to log messages after boot, you can start a listener using TraceLog or LogMan (in the WDK). You can also use those tools to flush and close existing logs, so you can examine them.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Monday, February 2, 2015 10:59 PM
    Moderator
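As an added example (not part of the original thread, and not code from either poster), the post-boot workflow Brian describes can be done with logman.exe, which ships with Windows, from an elevated PowerShell prompt. The session name, output directory, provider GUID, keyword mask and level are taken from the question's registry settings; everything else (file name, the 10-second wait, the Invoke-Logman wrapper) is an assumption made for the example. Unlike the AutoLogger key, this session starts immediately and can be flushed and closed on demand.

```powershell
# Added example (not from the original thread): start, flush and stop an ETW
# trace session after boot with the in-box logman.exe instead of waiting for
# the AutoLogger registry key to be read at the next reboot.
# Requires an elevated prompt. Names/paths below mirror the question; the
# Invoke-Logman wrapper and the 10-second wait are assumptions for this example.
$ErrorActionPreference = 'Stop'

$Session  = 'Trial'
$LogDir   = 'C:\LogFiles_VC80'
$LogFile  = Join-Path $LogDir 'Trial.etl'
$Provider = '{4d32ef87-0cbf-4b13-b3d2-2508fe954933}'   # provider control GUID from the question
$Keywords = '0xF'   # same mask as MatchAnyKeyword in the registry example
$Level    = 4       # TRACE_LEVEL_INFORMATION, same as EnableLevel

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# logman reports failures through its exit code; surface them as exceptions
function Invoke-Logman {
    param([string[]]$Arguments)
    & logman.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "logman $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Create and start a live session (-ets) writing a circular binary file
# (-f bincirc) capped at 1 MB (-max 1), and enable the provider with the
# keyword mask and level in the same command.
Invoke-Logman @('create', 'trace', $Session, '-ets',
                '-o', $LogFile, '-f', 'bincirc', '-max', '1',
                '-p', $Provider, $Keywords, $Level)

# ... exercise the driver here; a fixed wait stands in for that ...
Start-Sleep -Seconds 10

# Flush the session's in-memory buffers to disk so the .etl holds the latest
# events; the session keeps running after this.
Invoke-Logman @('update', 'trace', $Session, '-fd', '-ets')

# Stop the session, which finalizes the file so it can be opened for analysis
Invoke-Logman @('stop', $Session, '-ets')

# Confirm the session is gone and look at the resulting file
logman query -ets | Select-String -Pattern $Session
Get-Item -Path $LogFile | Select-Object Name, Length, LastWriteTime
```

The session can be left running and flushed with the `update ... -fd -ets` step as often as needed; only `stop` closes the file. Once stopped, the .etl can be decoded with the WDK's tracefmt (given the driver's TMF/PDB files) or converted with the in-box tracerpt.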

All replies

  • Thanks Brian.

As you mentioned, I used TraceLog, and I just wanted to know whether there is any limit on the number of files created when tracelog.exe is used with the -newfile flag.

    I tried logging and observed that more than 30 files were created. Is there any way to fix the number of files?

    Thanks.


    Wednesday, February 4, 2015 10:18 AM