Device Drivers: How to get trace logs for testing of Windows drivers (on Windows IoT Core device)?

  • Question

  • We are developing a Windows driver for a Windows IoT Core device. For testing purposes we have to use trace logs; unfortunately, we are unable to get trace logs. Do we have to enable any option to get trace logs, or do we have to follow any prescribed procedure? Could anybody please help us to resolve this?

    Thank you




    Tuesday, February 4, 2020 6:24 PM

Answers

  • No, .NET assemblies are not supported in kernel mode. From a driver, you have two choices, WPP and TraceLogging. WPP is used primarily as a replacement for DebugPrint, while TraceLogging is used more for event notification. For WPP, there is an example in the WDK samples: WDK10-Samples\general\tracing\tracedriver\tracedrv. For TraceLogging, you can see how it is used in WDK10-Samples\network\wlan\WDI\PLATFORM\NDIS6\SDIO\N6Sdio_main.c 

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Wednesday, February 12, 2020 6:57 PM
    Moderator

All replies

  • Yes, you have to enable tracing for the provider using its GUID. Search the archive of this forum for more information.

     -Brian



    Tuesday, February 4, 2020 7:01 PM
    Moderator
  • Hi Brian,

    We followed the steps given in this link:

    https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/tutorial--write-your-first-usb-client-driver--kmdf-

    We were able to install a sample driver onto the Windows IoT Core device, but we were not able to get trace logs. A "log.etl" file was also created, but it was empty.

    > Is it possible to enable ETW tracing through the Windows Device Portal? If it is possible, how should I register a provider? Please let me know the process.

    Thank you


    Thursday, February 6, 2020 11:16 AM
  • I haven't tried that tutorial, but I use WPP/ETW every day, and it works fine. The Device Portal has nothing to do with tracing. Your driver is a provider - assuming that you make the right calls. Ensure that the GUID that you register in your driver is the same GUID that you're enabling with TraceLog.

     -Brian



    Thursday, February 6, 2020 6:38 PM
    Moderator

  • Could you please elaborate? I didn't get you.

    Can you please explain in detail which procedure you follow to get trace logs? It should help us to get trace logs.

    Note: We were able to get trace logs on a Windows 10 PC (target PC), but we are not getting trace logs with the Windows IoT Core device.

    > We are getting a few events from the Windows Device Portal by adding the GUID as a custom provider, but those are not in a readable format. Here I have included the image. Please review it and suggest a better way to get trace logs.





    Thank you


    Friday, February 7, 2020 6:17 AM
  • Sorry, I was wrong; I was thinking about the driver portal, not the device portal. Most logs - except for those created by the new TraceLogging APIs - require PDB (symbol) files to decode the messages. Have you tried decoding the .ETL files with TraceView?

     -Brian



    Friday, February 7, 2020 6:58 PM
    Moderator
  • Yes, I tried it, but logs were not recorded.

    I followed these steps:

    > I provided the TMF file information along with the ETL file to generate readable messages in the TraceView tool.

    > TMF files can be generated using the Tracepdb.exe tool by passing the PDB file.

    > The PDB file is generated by Visual Studio; it is available in the Debug folder on a successful build.

    NOTE: With the target PC (Windows 10) everything works fine, but with the Windows IoT Core device I could not get relevant output.

    On the Windows IoT Core device, if I use LOGMAN for ETW tracing it shows "The term 'logman' is not recognized as the name of a cmdlet".

    How can we enable logman or xperf etc. on the device side (Windows IoT Core) to get trace logs?

    

    Monday, February 10, 2020 1:00 PM
  • You should be able to get TraceLog.exe from the WDK for whatever CPU architecture you're running on your target system. TraceLog is functionally equivalent to LogMan, but does have a different command line interface, e.g.

    tracelog -start SecureUSB -f C:\Temp\SecureUSB.etl -guid #69365857-4862-41AE-8881-A539AEE6B57C -kd -rt -level 0xffffffff -flag 0xff -ft 1 -b 1024 -max 64 -noprocess -nothread -nodisk

    The exact path to the binaries will vary, depending on which WDK version is installed:

    C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\arm\tracelog.exe
    C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\arm64\tracelog.exe
    C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64\tracelog.exe
    C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x86\tracelog.exe

     -Brian



    Monday, February 10, 2020 6:29 PM
    Moderator
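
Added example (not part of the thread): a small pre-flight check for the advice above that the GUID registered in the driver must be the one enabled with TraceLog, since a mismatch leaves the session with nothing to record. The `Trace.h` content and the provider name `SecureUSBTraceGuid` are constructed for illustration, the function names are hypothetical, and only the `-guid #<GUID>` form shown in the post is handled.

```python
import re

# One hex field of a WPP control GUID tuple, e.g. (69365857,4862,41AE,8881,A539AEE6B57C)
_H = r"\s*([0-9A-Fa-f]{%d})\s*"
_WPP_RE = re.compile(
    r"WPP_DEFINE_CONTROL_GUID\s*\(\s*(\w+)\s*,\s*\("
    + ",".join(_H % n for n in (8, 4, 4, 4, 12)) + r"\)")
_GUID_ARG_RE = re.compile(
    r"-guid\s+#([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})", re.I)

def control_guids_in_header(header_text):
    """Return {provider_name: guid} for every WPP control GUID in a header."""
    joined = re.sub(r"\\\r?\n", " ", header_text)  # fold macro line continuations
    return {m.group(1): "-".join(m.groups()[1:]).lower()
            for m in _WPP_RE.finditer(joined)}

def guid_in_tracelog_command(cmd):
    """Return the GUID passed as '-guid #...' in a tracelog command, or None."""
    m = _GUID_ARG_RE.search(cmd)
    return m.group(1).lower() if m else None

def check(header_text, cmd):
    """Return (ok, message): does the enabled GUID match a registered provider?"""
    enabled = guid_in_tracelog_command(cmd)
    if enabled is None:
        return False, "no '-guid #<GUID>' argument found in the command"
    providers = control_guids_in_header(header_text)
    for name, guid in providers.items():
        if guid == enabled:
            return True, f"{enabled} matches provider {name}"
    return False, f"{enabled} is not registered; header has {sorted(providers.values())}"

# Constructed sample header, using the GUID from the command in the post.
SAMPLE_TRACE_H = r"""
#define WPP_CONTROL_GUIDS                                       \
    WPP_DEFINE_CONTROL_GUID(                                    \
        SecureUSBTraceGuid,                                     \
        (69365857,4862,41AE,8881,A539AEE6B57C),                 \
        WPP_DEFINE_BIT(TRACE_DRIVER)                            \
        )
"""
# Command as given in the post (trailing options trimmed).
PAGE_CMD = (r"tracelog -start SecureUSB -f C:\Temp\SecureUSB.etl "
            r"-guid #69365857-4862-41AE-8881-A539AEE6B57C -level 0xffffffff -flag 0xff")
# Constructed mismatch: a GUID that the sample header does not register.
BAD_CMD = "tracelog -start SecureUSB -guid #00000000-0000-0000-0000-000000000001"

if __name__ == "__main__":
    for cmd in (PAGE_CMD, BAD_CMD):
        print(check(SAMPLE_TRACE_H, cmd))
```
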
  • We already tried this command for tracing. It was working with the target PC (Windows 10 machine), but when I use this command on the device (Windows IoT Core), we got a blank file.

    Here I have included a screenshot of the ".etl file".

    When we try to open TraceView "Create new session --> Manually entered control GUID or hashed name" on the device (Windows IoT Core), we are getting this:

    regards,

    hemanth kumar velooru.

    Tuesday, February 11, 2020 6:09 AM
  • Have you seen this tutorial?

     -Brian



    Tuesday, February 11, 2020 7:17 PM
    Moderator
  • When I tried to install Microsoft.Diagnostics.Tracing.EventSource, I got this error.

    Here I used a "KMDF driver template" which is readily available in Visual Studio 2017.

    Does Microsoft.Diagnostics.Tracing.EventSource support driver components?


    Wednesday, February 12, 2020 9:39 AM
  • No, .NET assemblies are not supported in kernel mode. From a driver, you have two choices, WPP and TraceLogging. WPP is used primarily as a replacement for DebugPrint, while TraceLogging is used more for event notification. For WPP, there is an example in the WDK samples: WDK10-Samples\general\tracing\tracedriver\tracedrv. For TraceLogging, you can see how it is used in WDK10-Samples\network\wlan\WDI\PLATFORM\NDIS6\SDIO\N6Sdio_main.c 

     -Brian



    Wednesday, February 12, 2020 6:57 PM
    Moderator
  • Thanks Brian, now we are getting trace logs.

    Thank you very much.


    Thursday, February 13, 2020 1:08 PM