...

Adding ETW support to the driver

Defined above in the Architecture section

Defining events

These are defined in the XML schema file. A number of events can be defined with different levels and parameters. You need to add an instrumentation manifest to every application that calls EventWrite* to output events to ETW or a log channel. The manifest defines all event types and providers. Compile the manifest with the Message Compiler (Message Compiler (MC.exe) - Win32 apps | Microsoft Learn).

The documentation says that the Windows SDK includes ECManGen.exe, a GUI that facilitates writing manifests; however, this link (Windows 10 SDK Preview Build 16267 and Mobile Emulator Build 15240 Released - Windows Developer Blog) shows that the tool was removed.

Sample manifest

```xml
<instrumentationManifest
    xmlns="http://schemas.microsoft.com/win/2004/08/events"
    xmlns:win="http://manifests.microsoft.com/win/2004/08/windows/events"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    >

    <instrumentation>
        <events>
            <provider ...>
                <channels>
                    <importChannel .../>
                    <channel .../>
                </channels>
                <levels>
                    <level .../>
                </levels>
                <tasks>
                    <task .../>
                </tasks>
                <opcodes>
                    <opcode .../>
                </opcodes>
                <keywords>
                    <keyword .../>
                </keywords>
                <filters>
                    <filter .../>
                </filters>
                <maps>
                    <valueMap ...>
                        <map .../>
                    </valueMap>
                    <bitMap ...>
                        <map .../>
                    </bitMap>
                </maps>
                <templates>
                    <template ...>
                        <data .../>
                        <UserData>
                            <!-- valid XML fragment -->
                        </UserData>
                    </template>
                </templates>
                <events>
                    <event .../>
                </events>
            </provider>
        </events>
    </instrumentation>

    <localization>
        <resources ...>
            <stringTable>
                <string id="" value=""/>
            </stringTable>
        </resources>
    </localization>

</instrumentationManifest>
```

Some of these entries are optional; e.g. tasks and opcodes exist only for organizational purposes.

Defining events

DRAFT

“If administrators will be consuming your events using a tool like Windows Event Viewer, then you must set the channel attribute.”

Events that carry more than a single message seem to need a message template. You can define an event template like so:

```xml
<template tid="t4">
    <data name="FilesCount" inType="win:UInt16" />
    <data name="Files" inType="win:UnicodeString" count="FilesCount"/>
    <data name="Path" inType="win:UnicodeString" />
</template>
```

And the event that uses it like so:

```xml
<event value="3"
    level="NotValid"
    keywords="Local Write"
    task="Validate"
    opcode="Cleanup"
    template="t4"
    channel="c2"
    symbol="TEMPFILE_CLEANUP_EVENT"
    message="$(string.Event.TempFilesNotDeleted)"/>
```
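As an added example (not code from the original page or its driver), a small pre-build check in Python that parses a constructed manifest containing the template and event above and reports dangling references, the class of error MC.exe rejects: every level, task, opcode, channel, template and keyword an event names must be declared in the provider, and a count attribute must point at an earlier integer field. The provider name, GUID and the channel/level/task/opcode/keyword definitions are assumptions; names prefixed win: are skipped as Windows-defined.

```python
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events"}
# Constructed sample (not the page's file): template t4 and event 3 from the page plus assumed definitions.
MANIFEST = """<instrumentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events">
<instrumentation><events>
<provider name="Example-Driver" guid="{00000000-0000-0000-0000-000000000001}" symbol="EXAMPLE_DRIVER">
  <channels><channel chid="c2" name="Example-Driver/Operational" type="Operational"/></channels>
  <levels><level name="NotValid" value="16"/></levels>
  <tasks><task name="Validate" value="1"/></tasks>
  <opcodes><opcode name="Cleanup" value="10"/></opcodes>
  <keywords><keyword name="Local" mask="0x1"/><keyword name="Write" mask="0x2"/></keywords>
  <templates><template tid="t4">
    <data name="FilesCount" inType="win:UInt16"/>
    <data name="Files" inType="win:UnicodeString" count="FilesCount"/>
    <data name="Path" inType="win:UnicodeString"/>
  </template></templates>
  <events><event value="3" level="NotValid" keywords="Local Write" task="Validate"
    opcode="Cleanup" template="t4" channel="c2" symbol="TEMPFILE_CLEANUP_EVENT"/></events>
</provider>
</events></instrumentation></instrumentationManifest>"""

def check_manifest(xml_text):
    # Returns a list of problems; an empty list means every reference resolves.
    prov = ET.fromstring(xml_text).find(".//e:provider", NS)
    names = lambda path, attr: {el.get(attr) for el in prov.findall(path, NS)}
    defined = {  # event attribute -> identifiers declared in this provider
        "channel": names("e:channels/e:channel", "chid") | names("e:channels/e:importChannel", "chid"),
        "level": names("e:levels/e:level", "name"),
        "task": names("e:tasks/e:task", "name"),
        "opcode": names("e:opcodes/e:opcode", "name"),
        "template": names("e:templates/e:template", "tid"),
    }
    keywords = names("e:keywords/e:keyword", "name")
    problems = []
    for ev in prov.findall("e:events/e:event", NS):
        where = "event " + ev.get("value", "?")
        for attr, known in defined.items():  # "win:" names are Windows-defined, skipped
            ref = ev.get(attr)
            if ref and not ref.startswith("win:") and ref not in known:
                problems.append("%s: undefined %s '%s'" % (where, attr, ref))
        for kw in ev.get("keywords", "").split():  # space-separated keyword list
            if not kw.startswith("win:") and kw not in keywords:
                problems.append("%s: undefined keyword '%s'" % (where, kw))
    for tpl in prov.findall("e:templates/e:template", NS):
        seen = {}  # count= must name an earlier integer field of the same template
        for d in tpl.findall("e:data", NS):
            cnt = d.get("count")
            if cnt and not seen.get(cnt, "").endswith(("Int8", "Int16", "Int32")):
                problems.append("template %s: count '%s' is not a preceding integer field" % (tpl.get("tid"), cnt))
            seen[d.get("name")] = d.get("inType", "")
    return problems
```

Run it over the real manifest before invoking MC.exe; a non-empty list names the attribute that MC.exe will reject.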

Custom .wprpand how to plug the driver

...