Trying to get NT kernel call trace

  • Question

  • Hi,

    My objective is to log/trace NT kernel APIs while calling any Win32 API from my Win32 console application.

    I am using VS2015.

    I am trying to compile the following code I got from one of Microsoft's websites:

    https://msdn.microsoft.com/en-us/library/windows/desktop/aa363691(v=vs.85).aspx

    I am getting this error during linking:

    "Error LNK2001 unresolved external symbol _SystemTraceControlGuid"

    Kindly help me in fixing this linking issue.

    Thanks in advance.


    Thanks & Regards, Mayank Agarwal

    Thursday, October 13, 2016 6:18 AM

Answers

  • Or if I just copy the necessary definitions at the beginning, it also compiles for me:

    #ifndef GUID_DEFINED
    #define GUID_DEFINED
    #if defined(__midl)
    typedef struct {
    	unsigned long  Data1;
    	unsigned short Data2;
    	unsigned short Data3;
    	byte           Data4[8];
    } GUID;
    #else
    typedef struct _GUID {
    	unsigned long  Data1;
    	unsigned short Data2;
    	unsigned short Data3;
    	unsigned char  Data4[8];
    } GUID;
    #endif
    #endif
    
    #ifndef FAR
    #ifdef _WIN32
    #define FAR
    #else
    #define FAR _far
    #endif
    #endif
    
    #ifdef DEFINE_GUID
    #undef DEFINE_GUID
    #endif
    
    #ifdef INITGUID
    #define DEFINE_GUID(name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) \
    	EXTERN_C const GUID DECLSPEC_SELECTANY name \
    	= { l, w1, w2, { b1, b2, b3, b4, b5, b6, b7, b8 } }
    #else
    #define DEFINE_GUID(name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) \
    	const GUID FAR name
    #endif // INITGUID
    
    DEFINE_GUID( /* 9e814aad-3204-11d2-9a82-006008a86939 */
    	SystemTraceControlGuid,
    	0x9e814aad,
    	0x3204,
    	0x11d2,
    	0x9a, 0x82, 0x00, 0x60, 0x08, 0xa8, 0x69, 0x39
    	);

    • Marked as answer by MayankAg Monday, October 24, 2016 11:26 AM
    Monday, October 24, 2016 10:37 AM

All replies

  • Hi MayankAg,

    Thanks for posting here.

    The code works fine on my vs2015 update3. Sorry that I can't reproduce your problem.

    I suggest you check whether you have installed the Windows Driver Kit for Win 10 and whether you have configured the event tracing session correctly.

    For details on starting an event tracing session, see Configuring and Starting an Event Tracing Session.

    For details on starting a private logger session, see Configuring and Starting a Private Logger Session.

    For details on starting a Global Logger session, see Configuring and Starting the Global Logger Session.

    For details on starting an AutoLogger session, see Configuring and Starting an AutoLogger Session.

    Hope this could be of help to you.

    Best Regards,
    Sera Yu



    Thursday, October 13, 2016 7:48 AM
  • Thanks Sera Yu,

    Yeah, I didn't have the Windows Driver Kit for Win10.

    I downloaded it from https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit

    It automatically installed the Windows Kit in my C:\Program Files (x86)\Windows Kits\

    After installing the WDK I tried to compile the same program, but the same linking error is still coming.

    I am working on Windows 7 and VS2015 Express edition.

    Does this linking issue have any relation to my Visual Studio Express? My Visual Studio does not have the SDK either.

    Or after installing WDK do I have to do any project settings change?

    Kindly guide.

    Thanks in advance. 


    Thanks & Regards, Mayank Agarwal

    Thursday, October 13, 2016 9:19 AM
  • Have you set

    #define INITGUID

    as noted?

    It compiles fine for me on Windows 7 with Windows 7 SDK.

    If I remove this define, I will get the same error.

    You can also use:

    #include <initguid.h>


    Thursday, October 13, 2016 12:25 PM
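    The INITGUID mechanism that this reply and the marked answer rely on, as an added example that is not code from the thread or the Windows SDK: it reproduces DEFINE_GUID portably so the declaration-versus-definition behaviour behind LNK2001 is visible, and adds the GUID parsing and comparison helpers an ETW consumer needs to match event class GUIDs (guid_from_string and guid_matches_string are my names, not SDK functions).

```c
/* Added example, not from the thread or the Windows SDK: the guiddef.h
 * DEFINE_GUID mechanism behind LNK2001, reproduced portably, plus helpers. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-width fields keep the 16-byte layout the SDK struct has on Windows,
 * where unsigned long is 32 bits; on LP64 systems unsigned long would not. */
typedef struct _GUID {
    uint32_t Data1;
    uint16_t Data2;
    uint16_t Data3;
    uint8_t  Data4[8];
} GUID;

/* Exactly one translation unit defines INITGUID before the header that
 * carries DEFINE_GUID; every other unit gets only the extern declaration.
 * Define it nowhere and the linker has no SystemTraceControlGuid to resolve. */
#define INITGUID
#ifdef INITGUID
#define DEFINE_GUID(name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) \
    const GUID name = { l, w1, w2, { b1, b2, b3, b4, b5, b6, b7, b8 } }
#else
#define DEFINE_GUID(name, l, w1, w2, b1, b2, b3, b4, b5, b6, b7, b8) \
    extern const GUID name
#endif

/* Same value as in the marked answer: 9e814aad-3204-11d2-9a82-006008a86939 */
DEFINE_GUID(SystemTraceControlGuid, 0x9e814aad, 0x3204, 0x11d2,
            0x9a, 0x82, 0x00, 0x60, 0x08, 0xa8, 0x69, 0x39);

/* Parses registry form: 1 on success, 0 on wrong length or non-hex text. */
int guid_from_string(const char *s, GUID *g)
{
    unsigned d1, d2, d3, b[8]; int n = 0;
    if (sscanf(s, "%8x-%4x-%4x-%2x%2x-%2x%2x%2x%2x%2x%2x%n", &d1, &d2, &d3,
               &b[0], &b[1], &b[2], &b[3], &b[4], &b[5], &b[6], &b[7], &n) != 11
        || n != 36 || s[36] != '\0')
        return 0;
    g->Data1 = d1; g->Data2 = (uint16_t)d2; g->Data3 = (uint16_t)d3;
    for (int i = 0; i < 8; i++) g->Data4[i] = (uint8_t)b[i];
    return 1;
}

/* Consumer-side check: does GUID g equal the GUID written as text s? */
int guid_matches_string(const GUID *g, const char *s)
{
    GUID parsed;
    return guid_from_string(s, &parsed) && memcmp(g, &parsed, sizeof parsed) == 0;
}
```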

    Please find the screenshot attached. I included the header file too, and I am still getting the same linking error during compilation.

    Please guide how can I further troubleshoot this problem.

    Thanks in Advance.


    Thanks & Regards, Mayank Agarwal


    • Edited by MayankAg Monday, October 24, 2016 11:38 AM
    Monday, October 17, 2016 5:40 AM
  • Hi MayankAg,

    The NT Kernel Logger session is the only session that can accept events from kernel event providers. The NT Kernel Logger session does not accept events from other providers. If you want to capture kernel events and events from other providers, you must use two separate sessions and the consumer would need to merge the events from the log files to provide end-to-end results.

    ETW uses the DEFINE_GUID macro to define GUIDs. The following values define the possible class GUIDs for kernel events that an NT Kernel Logger session can trace. You can pass the class GUIDs to the SetTraceCallback function to set up special processing for each event class.

    https://msdn.microsoft.com/en-us/library/windows/desktop/aa364085(v=vs.85).aspx

    Hope this could be of help to you.

    Best Regards,

    Sera Yu



    Wednesday, October 19, 2016 8:53 AM
  • Maybe the link error is because the Express VS version does not pick the libraries from SDK or WDK. Try to find which library contains the missing function(s), then add its path to linker input paths in the project properties.

    -- pa


    Wednesday, October 19, 2016 4:09 PM
  • Hmmm... no success till now.

    Still trying to figure out which library it is looking for. Please let me know the name, so that I can search and add its path in the project setting.

    Actually, I would like to tell you my main purpose for using/executing this sample code.

    I am trying to get all the NT (Native) APIs along with kernel APIs (system calls) behind a particular Win32 API call.

    For example, CreateFile().

    When I make a call to the CreateFile() API from my MFC/Win32 application, which internal (NT & kernel) APIs get called? Do I have to write a device driver for this, or is there any API/method which can give the desired results?

    Any help will be of great help to me.

    Please guide me in achieving my target.


    Thanks & Regards, Mayank Agarwal

    Monday, October 24, 2016 9:23 AM
  • Thanks Castorix31, this solution really worked.

    Also thanks to Sera Yu, Pavel A for help.

    I am now able to execute the program.

    Did anyone execute this same program?

    I opened this file (FULLPATHTOTHELOGFILE.etl) with Event Viewer, and I found no relevant data.


    Thanks & Regards, Mayank Agarwal

    Monday, October 24, 2016 11:37 AM
  • I am trying to get all the NT (Native) APIs along with kernel APIs (system calls) behind a particular Win32 API call.

    For example, CreateFile().

    When I make a call to the CreateFile() API from my MFC/Win32 application, which internal (NT & kernel) APIs get called? Do I have to write a device driver for this, or is there any API/method which can give the desired results?

    Any help will be of great help to me.

    Please guide me in achieving my target.

    If you want to trace Win32 API calls, you must use API hooks, but it is complicated (I use MS Detours for simple interceptions).

    But there are some advanced tools that already do that.

    One of the best ones I use is API Monitor.


    • Edited by Castorix31 Monday, October 24, 2016 12:41 PM
    Monday, October 24, 2016 12:39 PM