Event
...
Event tracing in its simplest form uses the system Event Log. (Computer Management, Event Viewer).
A more complex use is WPA/WPR Windows Performance Recorder and Analyser, available on the Windows Performance Toolkit
https://learn.microsoft.com/en-us/windows-hardware/test/wpt/
You can download the Windows Performance Toolkit through https://learn.microsoft.com/en-gb/windows-hardware/get-started/adk-install
Architecture
A driver which produces such logs is registered with the system with an xml file, which identifies the source of the logs, and the form they take (data types), names, and other details.
The xml file is added to the project and will end up in the Resource Files folder.
The xml is processed by the Message Compiler by adding this to the project file in each ItemDeffinitionGroup ItemDefinitionGroup (ie, Debug|ARM64 and Release|ARM64)
| Code Block |
|---|
<MessageCompile> <HeaderFilePath>.\\</HeaderFilePath> <RCFilePath>.\\</RCFilePath> <GenerateKernelModeLoggingMacros>true</GenerateKernelModeLoggingMacros> <UseBaseNameOfInput>true</UseBaseNameOfInput> </MessageCompile> |
...
You will be presented with logs like this
WPR / WPA
...
Windows Performance Recorder / Windows Performance Analyzer
Windows Performance Recorder is a tool to enable/disable the recording of trace acquisition. You can configure it either via a GUI or CLI wpr.
...
You can either use default profiles for recording or create your own custom profiles which use the .wprp extension but are just normal xml files.
After selecting the set of profiles just click Start and it will start tracing.
...
After the workload runs you can click Save which will create a .etl file that you can open on WPA. It will somewhat look like this
...
Adding ETW support to the driver
…
Defining events
…
Custom .wprpand how to plug the driver
…
Running traces for PMU counters
…