How to make log file that collects data from the kernel buffer RRS feed

  • Question

  • Hi experts..
    My aim is to create a log file that collects data from the kernel buffer and to save a log file in windows.

    In linux reference code they created misc drive to handle the log sequence and copying the content to the user space by accessing the driver
    so how can i achieve this in windows driver ie i need to save the content that is filling in the created kernel buffer as a file.
    I Google it and misc drivers its acts more like a char driver so they use snprintf and copy_to_user to log it 
    Friday, November 6, 2015 9:39 AM


  • In Windows, kernel drivers just can open a file and write the data, without help of any usermode code.

    Also, in Windows we have Event tracing (ETW) API and other possibilities.

    Of course you can also create a "char driver" like in Linux, but it's not worth it only to get stuff from the kernel and write it to a file.

    -- pa

    Friday, November 6, 2015 10:54 AM

All replies

  • As was stated above, there are lots of Windows approaches.  The first thing to do is recognize that the Windows driver model is different enough from the Linux model, that you should not be looking for a Linux like solution, but instead the best solution for the actual needs.

    Now having said that, if you do need to get the data back to user space to be processed or written, consider creating either a control device or a separate driver, that a user space application can call to retrieve buffers.  In Windows this would be have the user space application send a number of read requests (or IOCTL's that do something similar) to the logging device then pend for data.

    Don Burn Windows Driver Consulting Website:

    Friday, November 6, 2015 11:59 AM
  • That's not true. Drivers running < IRQL 2 can read and write files using the Zw file APIs; however, it isn't the best way of getting data from drivers. Using ETW is probably the best


    Azius Developer Training Windows device driver, internals, security, & forensics training and consulting. Blog at

    Friday, November 6, 2015 6:15 PM