I am developing a UMDF driver, and I am able to use its PDB file to confirm events/function calls during its lifetime. However, I am also able to capture events prior to its DriverEntry function. These events have become a concern for me, because I suspect that they alter some values initialized by the driver, thereby causing issues. I would like to know more about these events, but information on TraceView shows them as 'Unknown', as shown below:

[screenshot: TraceView listing the events as 'Unknown']

Is there a way to capture these trace logs better? It seems like the driver pdb does not contain information for these logs to show up correctly.

EDIT: I extracted TMF files from my PDB file using tracepdb, and it seems like I do not have a TMF file that corresponds to the message GUIDs that are marked "No format information found". Could it be that these trace messages are from external entities, and not coming from the driver?

Jer Yango
  • How is the session configured in TraceView? Do you have system events enabled in addition to your driver events? – Luke Jan 26 '21 at 14:06
  • The session is configured such that a `PDB` file is added as provider, the Level is `verbose` and all flags are checked, meaning all my `TMH` files are selected, including a `"MYDRIVE_ALL_INFO"` flag. I don't seem to find any setting for enabling system events on TraceView. – Jer Yango Jan 26 '21 at 16:37
  • Ah, the key is that you're using the UMDF framework which seems to do its own tracing: https://learn.microsoft.com/en-us/windows-hardware/drivers/wdf/using-wpp-software-tracing-in-umdf-drivers – Luke Jan 27 '21 at 11:20
  • I was able to locate the `WDF` trace files, but it seems like there are no matches found on the unknown GUIDs. I suppose these files are meant to be used by the `WUDFTrace.etl` file, but in my case this ETL file is outdated, implying it did not even record anything from the driver with the issue. – Jer Yango Jan 28 '21 at 06:47
  • Well, if you get messages in TraceView then clearly something is actively logging to the session. Maybe the provided tmh files are outdated. I would try debugging the driver and then going up the stack to see what higher level code is logging messages and see if you can figure it out from there. – Luke Jan 29 '21 at 21:43
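The EDIT above describes the manual check that was done: extract TMF files from the PDB with `tracepdb`, then look for a TMF whose GUID matches each message GUID that TraceView reports as "No format information found". The script below automates that comparison. It is an added example and is not part of the original question or of any Microsoft tool; it assumes the `tracepdb` output layout, where each file is named `{GUID}.tmf` and its first line repeats the GUID followed by the provider name, and the TMF contents and GUIDs in the fixture are constructed placeholders, not real driver data.

```python
import re
import tempfile
from pathlib import Path

# Matches the GUID that tracepdb writes at the start of a TMF file's first line
# (assumption about the tracepdb output layout).
GUID_RE = re.compile(
    r"^\s*([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\b"
)


def load_tmf_guids(tmf_dir):
    """Return {guid: provider_name} for every .tmf file under tmf_dir.

    The GUID is taken from the first line when present and otherwise from
    the file name ({GUID}.tmf); the provider name is the text between the
    GUID and the '//' comment marker.
    """
    found = {}
    for path in Path(tmf_dir).glob("*.tmf"):
        with open(path, encoding="utf-8", errors="replace") as fh:
            first = fh.readline()
        m = GUID_RE.match(first)
        guid = (m.group(1) if m else path.stem).lower()
        name = first[m.end():].split("//")[0].strip() if m else ""
        found[guid] = name
    return found


def classify_guids(seen_guids, tmf_dir):
    """Split message GUIDs observed in a trace into (covered, missing).

    covered maps each GUID that has a TMF to its provider name; missing is
    the sorted list of GUIDs for which no TMF exists, i.e. the events that
    TraceView would show as 'Unknown' / 'No format information found'.
    """
    known = load_tmf_guids(tmf_dir)
    covered = {g.lower(): known[g.lower()]
               for g in seen_guids if g.lower() in known}
    missing = sorted(g.lower() for g in seen_guids if g.lower() not in known)
    return covered, missing


def demo():
    """Run the comparison on a constructed fixture that stands in for the
    tracepdb output directory; all GUIDs here are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "11111111-2222-3333-4444-555555555555.tmf").write_text(
            "11111111-2222-3333-4444-555555555555 mydriver "
            "// SRC=device.cpp MJ= MN=\n"
            "#typev device_cpp42 10 \"%0 Device created\" "
            "// LEVEL=TRACE_LEVEL_INFORMATION FLAGS=MYDRIVE_ALL_INFO\n"
            "{\n}\n"
        )
        (d / "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee.tmf").write_text(
            "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee mydriver "
            "// SRC=queue.cpp MJ= MN=\n"
        )
        # GUIDs as TraceView would list them; the last one has no TMF, so it
        # is the kind of message the question is asking about.
        seen = [
            "11111111-2222-3333-4444-555555555555",
            "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE",
            "99999999-0000-1111-2222-333333333333",
        ]
        return classify_guids(seen, d)


if __name__ == "__main__":
    covered, missing = demo()
    for guid, name in covered.items():
        print(f"covered  {guid}  provider={name}")
    for guid in missing:
        print(f"missing  {guid}  (no TMF from this PDB; likely another provider)")
```

Point `classify_guids` at the real directory produced by `tracepdb -f <driver>.pdb -p <outdir>` and at the GUIDs copied from TraceView's message list. A GUID in `missing` has no format information in that PDB, which is the situation the EDIT describes: the message is from a provider (for example the UMDF framework itself) whose TMFs would have to come from a different PDB.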

1 Answer

Fortunately, we have the complete list of PDB files that have been released. We found a matching trace file after looking at each one of these files, and therefore got the information we wanted.

Jer Yango