I'm working on Windows user space app development. Also, at the same time, I'm developing a Windows kernel mode driver. The driver has WPP traces enabled on a particular GUID. Let's call it DRIVER_PROVIDER_GUID. Until now I was using a tool like TraceView to collect logs (by attaching the *.pdb file and then writing the output into *.etl or *.txt). I found a nice API provided by MSFT which can collect ETW (and also WPP) traces in real time and parse them using some methods. I tried to implement that, but I can't catch even one event from my driver (I'm sure that a lot of traces should appear when I'm trying to get them).
My snippet:
```cpp
#include <windows.h>
#include <evntrace.h>
#include <evntcons.h>
#include <tdh.h>
#include <strsafe.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "tdh.lib")

// Globals used by the snippet (their definitions were not shown)
static WCHAR SessionName[] = L"MyWppSession";
static GUID SessionGuid = { 0 };                 // <-- any GUID here?
static GUID ProviderGuid = { 0 };                // DRIVER_PROVIDER_GUID
static WCHAR pdbPath[] = L"C:\\path\\to\\driver.pdb";
static TRACEHANDLE SessionHandle = 0;
static TRACEHANDLE hTrace = INVALID_PROCESSTRACE_HANDLE;
static ULONG status = ERROR_SUCCESS;
static PVOID context = NULL;

VOID WINAPI EventRecordCallback(EVENT_RECORD* pEventRecord);

void StartETWSession()
{
    ENABLE_TRACE_PARAMETERS traceParameters;
    ZeroMemory(&traceParameters, sizeof(traceParameters));
    traceParameters.Version = ENABLE_TRACE_PARAMETERS_VERSION_2;
    traceParameters.EnableFilterDesc = NULL;
    traceParameters.FilterDescCount = 0;

    // Session properties; the logger name is stored right after the structure
    ULONG bufferSize = sizeof(EVENT_TRACE_PROPERTIES) + sizeof(SessionName);
    EVENT_TRACE_PROPERTIES* pSessionProperties = (EVENT_TRACE_PROPERTIES*)malloc(bufferSize);
    ZeroMemory(pSessionProperties, bufferSize);
    pSessionProperties->Wnode.BufferSize = bufferSize;
    pSessionProperties->Wnode.Flags = WNODE_FLAG_TRACED_GUID;
    pSessionProperties->Wnode.ClientContext = 1;
    pSessionProperties->Wnode.Guid = SessionGuid;   // <-- any GUID here?
    pSessionProperties->EnableFlags = EVENT_TRACE_FLAG_CSWITCH;
    pSessionProperties->LogFileMode = EVENT_TRACE_REAL_TIME_MODE | EVENT_TRACE_SYSTEM_LOGGER_MODE;
    pSessionProperties->MaximumFileSize = 100;
    pSessionProperties->FlushTimer = 1;
    pSessionProperties->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);
    StringCbCopy((LPWSTR)((char*)pSessionProperties + pSessionProperties->LoggerNameOffset), sizeof(SessionName), SessionName);

    status = StartTrace((PTRACEHANDLE)&SessionHandle, SessionName, pSessionProperties);

    status = TdhLoadManifest(pdbPath);   // <-- PDB or TMF files here?

    status = EnableTraceEx2(
        SessionHandle,
        &ProviderGuid,   // <-- Here the provider which I used to enable WPP traces in my driver?
        EVENT_CONTROL_CODE_ENABLE_PROVIDER,
        TRACE_LEVEL_VERBOSE,
        0, // Match any keyword
        0, // Match all keyword
        0, // No timeout
        NULL
    );

    // Open the real-time session as a consumer and pump events to the callback
    EVENT_TRACE_LOGFILE logFile;
    ZeroMemory(&logFile, sizeof(EVENT_TRACE_LOGFILE));
    logFile.LoggerName = SessionName;
    logFile.ProcessTraceMode = PROCESS_TRACE_MODE_REAL_TIME | PROCESS_TRACE_MODE_EVENT_RECORD | PROCESS_TRACE_MODE_RAW_TIMESTAMP;
    logFile.EventRecordCallback = EventRecordCallback;
    logFile.Context = &context;
    hTrace = OpenTrace(&logFile);
    if (INVALID_PROCESSTRACE_HANDLE == hTrace)
    {
        wprintf(L"OpenTrace() failed with status: %lu\n", GetLastError());
        goto cleanup;
    }
    status = ProcessTrace(&hTrace, 1, NULL, NULL);   // blocks until the session is stopped

cleanup:
    free(pSessionProperties);
}

VOID WINAPI EventRecordCallback(EVENT_RECORD* pEventRecord)   // <-- Some events are caught here
{
    if (IsEqualGUID(pEventRecord->EventHeader.ProviderId, ProviderGuid))
    {
        // <-- BREAKPOINT HERE --> But no events here.
    }
}
```
I can catch events whose provider is 68FDD900-4A3E-11D1-84F4-0000F80464E3, which is the EventTraceEvent class.
Is it possible to collect WPP traces in real time? What can be wrong on my side?
I tried a few combinations of provider and session GUIDs, like the kernel session (but I understand that this is for sessions provided by Windows). I also checked, and I can collect ETW traces, but my goal is to collect WPP traces. I'd expect to find out what is wrong in my code and why I can't collect WPP traces (or whether it is not possible).
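A sanity check a practitioner would run before debugging the consumer above, added here and not part of the original question: use the WDK command-line tools to confirm that the driver's WPP provider actually emits events into a real-time session. The provider GUID, .pdb path and session name are placeholders, and it assumes tracepdb, tracelog and tracefmt from the WDK are on PATH.

```powershell
# Placeholders (assumed): substitute the real DRIVER_PROVIDER_GUID and the driver's .pdb
$ProviderGuid = '00000000-0000-0000-0000-000000000000'
$PdbPath      = 'C:\path\to\driver.pdb'
$TmfDir       = Join-Path $env:TEMP 'DriverTmf'
$Session      = 'WppRealtimeCheck'

# 1. WPP format strings live in the PDB, not in a manifest: turn them into TMF files
tracepdb -f $PdbPath -p $TmfDir

# 2. Start a real-time session (-rt) and enable the WPP provider on it.
#    For WPP the -flag mask selects the trace flags compiled into the driver
#    (it is the value a consumer passes as MatchAnyKeyword); -level 5 is TRACE_LEVEL_VERBOSE.
tracelog -start $Session -guid "#$ProviderGuid" -flag 0xFFFFFFFF -level 5 -rt

# 3. Decode the real-time stream on screen using the TMF directory (runs until Ctrl+C)
tracefmt -rt $Session -p $TmfDir -displayonly

# 4. Stop the session when finished
tracelog -stop $Session
```

If messages show up here but not in the custom consumer, the driver side is fine and the difference lies in how the session is started or the provider is enabled in the code.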