ETW and Traceview

  • Question

  • Hi All, 

    I am trying to get ETW events on Traceview.exe from the Windows sample driver Eventdrv. I am not able to see any events in the real time display. I can start and stop the trace session using tracelog and display the events using tracerpt. 

    Is it not possible to view ETW events live on Traceview.exe?

    Thanks,

    Jay

    Tuesday, November 26, 2019 3:42 AM

Answers

  • Start traceview -> Create new Log Session -> "Sample Driver" 

    Then enable trace provider, (admin prompt):

    tracelog -enable "Sample Driver" -rt -guid #b5a0bda9-50fe-4d0e-a83d-bae3f58c94d6

    With kind regards

    • Marked as answer by skri Wednesday, November 27, 2019 5:03 PM
    Tuesday, November 26, 2019 5:55 PM
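    An added end-to-end sequence (not from the thread) showing the full controller side with the same tracelog.exe options the answers rely on: start a real-time session, enable the provider with all three parameters Brian lists (GUID, flag bitmask, level), verify it is live, then tear it down. It assumes an elevated prompt with the WDK's tracelog.exe on PATH; the session name TestETW and the flag/level values are chosen here for illustration.

```batch
@echo off
rem Added example, not code from the thread: drive a real-time ETW session
rem for the Eventdrv sample provider with tracelog.exe from an elevated prompt.
rem Assumptions: tracelog.exe (WDK) is on PATH; TestETW and the flag/level
rem values are illustrative choices, not prescribed by the sample driver.
set SESSION=TestETW
set PROVIDER=#b5a0bda9-50fe-4d0e-a83d-bae3f58c94d6

rem 1. Start a real-time (-rt) session; -f also spools to an ETL file so
rem    tracerpt can be used afterwards as well.
tracelog -start %SESSION% -rt -f %SESSION%.etl || goto :fail

rem 2. Enable the provider on that session. GUID, flag bitmask and level
rem    must match what the driver checks before it emits an event.
tracelog -enable %SESSION% -guid %PROVIDER% -flag 0xff -level 5 || goto :fail

rem 3. Query the session so you know it is live before looking for events
rem    in TraceView's real-time display.
tracelog -q %SESSION%

echo Session %SESSION% is running; exercise the driver, then press a key.
pause >nul

rem 4. Tear down: disable the provider first, then stop the session.
tracelog -disable %SESSION% -guid %PROVIDER%
tracelog -stop %SESSION%
exit /b 0

:fail
echo tracelog failed: is this an elevated prompt, and is tracelog.exe on PATH?
exit /b 1
```

    This session is not remembered across reboots; for that, an AutoLogger is needed, as noted in the replies.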

All replies

  • I haven't used TraceView in a long time; instead, I have found TraceView Plus to work much better. Are you creating an AutoLogger? If so, then you'll have to reboot the system before you see events. There are three critical parameters: ETW GUID, bitmask, and logging level. Are you certain that you've set them properly when you enabled your logger?

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Tuesday, November 26, 2019 3:46 AM
  • I have used the Eventdrv sample driver available here as it is: https://github.com/microsoft/Windows-driver-samples/tree/master/general/tracing/evntdrv
    Tuesday, November 26, 2019 3:51 AM
  • You still have to enable a listener. You can do this with TraceLog.exe or PowerShell (e.g. New-AutologgerConfig and Add-EtwTraceProvider). Here is an example command for enabling a simple session logger (non-AutoLogger) using TraceLog:

    tracelog -kd -rt -level 0xffffffff -flag 0xff -ft 1 -noprocess -nothread -nodisk  -start HijackRAM -f HijackRAM.etl -guid #6CB4BFC5-B99F-ADDC-9B48-BFD5C85F0004

    Replace HijackRAM with your logger name, e.g. TestETW, and the GUID with the GUID your provider registered. Note, this logger will not be remembered across reboots.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Tuesday, November 26, 2019 4:00 AM
  • This is the setting in Traceview.
    Tuesday, November 26, 2019 4:00 AM
  • I understand tracelog can be used to log the events in ETL file, which can be later consumed by tracerpt.exe or traceview.exe. 

    My confusion is why I can't use traceview.log to consume the events in real time, instead of using tracelog.exe to collect the events in an ETL file.

    Tuesday, November 26, 2019 4:10 AM
  • You can, as long as you create a session. You really should review the ETW docs that explain providers, controllers, and consumers, which you can find here. Did you create a new session in TraceView first? If not, that is why you aren't seeing the events. You can either create the session in TraceView or use the command I gave you for TraceLog.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Tuesday, November 26, 2019 4:15 AM
  • Yes, I created a session. You can see it in my previous post with the attached screenshot. I created a new log session and added "Sample driver" as the ETW provider. "Sample driver" is the name of the Eventdrv provider as given in the manifest file.
    Tuesday, November 26, 2019 4:27 AM
  • Can anyone point out what I am missing?
    Tuesday, November 26, 2019 4:59 PM
  • Thank you so much.
    Wednesday, November 27, 2019 5:03 PM