Skip to end of banner
Go to start of banner

Event Tracing for Windows

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

Event tracing in its simplest form uses the system Event Log. (Computer Management, Event Viewer).

A more complex use is WPA/WPR Windows Performance Recorder and Analyser, available on the Windows Performance Toolkit https://learn.microsoft.com/en-us/windows-hardware/test/wpt/

You can download the Windows Performance Toolkit through https://learn.microsoft.com/en-gb/windows-hardware/get-started/adk-install

Architecture


A driver which produces such logs is registered with the system with an xml file, which identifies the source of the logs, and the form they take (data types), names, and other details.

The xml file is added to the project and will end up in the Resource Files folder.

The xml is processed by the Message Compiler by adding this to the project file in each ItemDefinitionGroup (ie, Debug|ARM64 and Release|ARM64)

<MessageCompile>
  <HeaderFilePath>.\\</HeaderFilePath>
  <RCFilePath>.\\</RCFilePath>
  <GenerateKernelModeLoggingMacros>true</GenerateKernelModeLoggingMacros>
  <UseBaseNameOfInput>true</UseBaseNameOfInput>
</MessageCompile>


The generated header file is then included in the source code, and the generated binary file is added to the end of the resources file like this:

LANGUAGE 0x9,0x1
1 11 "Wperf_DriverETW_schema_MSG00001.bin"
1 WEVT_TEMPLATE "Wperf_driverETW_schemaTEMP.BIN"

Registering


This xml file is copied with the driver to the system32\drivers directory, and needs to be registered with the system on install with wevtutil.exe im Wperf_DriverETW_schema.xml from the drivers directory.

To unregister call wevtutil.exe um Wperf_DriverETW_schema.xml.

Viewing logs

Open Event Viewer. Right click Custom View and select Create Custom View.


Click OK, give it a useful name, and OK again.

You will be presented with logs like this


Windows Performance Recorder / Windows Performance Analyzer

Windows Performance Recorder is a tool to enable/disable the recording of trace acquisition. You can configure it either via a GUI or CLI wpr.

image-20240124-192024.png

You can either use default profiles for recording or create your own custom profiles which use the .wprp extension but are just normal xml files.

After selecting the set of profiles just click Start and it will start tracing.

image-20240124-192553.png

After the workload runs you can click Save which will create a .etl file that you can open on WPA. It will somewhat look like this

image-20240124-192748.png

Adding ETW support to the driver

Defining events

Custom .wprpand how to plug the driver

Running traces for PMU counters

References

  1. Recording Hardware Performance (PMU) Events | Microsoft Learn

  2. Recording with Custom Profiles | Microsoft Learn

  3. Record a Heap Snapshot | Microsoft Learn

  4. Recording Profiles | Microsoft Learn

  5. Using the Windows Performance Toolkit (WPT) with WDF - Windows drivers | Microsoft Learn

  6. Writing an Instrumentation Manifest - Win32 apps | Microsoft Learn

  • No labels