Need help: Event Viewer, Event Logs and Trace Logs


Post by GeodeL » Sat, 14 Feb 2009 03:36:14


I'm working on a Windows XP device driver which contains WPP event
tracing calls. NOTE: I can move it to Windows Server 2003 if it would
make any difference.

In addition to source code, I also have:
Driver binary (driver.sys)
Driver debug symbols (driver.pdb)
Driver Trace Message Format file (driver.tmf)
The appropriate DDK (WINDDK 6001.18001) installed on my
development system.

I also have a System Event Log file (*.evt) suitable for viewing in
Event Viewer, and this file is supposed to contain events from my
driver.

I'm trying to view the event log so I can see what went wrong with the
driver. Unfortunately, Event Viewer doesn't have details for the
events I'm most interested in. When I view one of those events, the
Description of the event reads:

"The description for Event ID ( XX ) in Source ( YYYY ) cannot be
found. The local computer may not have the necessary registry
information or message DLL files to display messages from a remote
computer. You may be able to use the /AUXSOURCE= flag to retrieve this
description; see Help and Support for details. The following
information is part of the event: \Device\ZZZZZZZZ."

Does anyone know how I can turn those Event Viewer entries into
readable text? My reading shows that I should be using tracelog (and
tracefmt, tracepdb, TraceView, etc.), but those appear to work only
with Trace Log (*.etl) files. I'm not tied to using Event Viewer; I'd
be content to find any way to view these events in human-readable
form.

Again, I have *.tmf and *.mof files; I have no *.mc file. If I did, I
could build a resource DLL and have Event Viewer decode the entries
for me.

Does anyone have a suggestion/solution for this? Anything at all?

Thanks for any help you can provide!
-- Steve G.
 
 
 


Post by Doron Hola » Sat, 14 Feb 2009 04:06:44

Unless wpp is doing something I am not aware of, you are mixing and matching
two different things.
1 you need to use an MC file to create the descriptions
2 you need to compile the mc file as a resource in your driver
3 you need to add the right registry keys/values so that the event viewer
knows where to find your actual sys file so it can extract the compiled MC
resource in it and then find the right message string

the simplest wdk sample is probably mouser, src\input\mouser
a) sermlog.mc is included in the sources file, so is mouser.rc
b) mouser.rc includes sermlog.rc (which is autogenerated in $(O) when you
build and contains the compiled MC resource)
c) %windir%\inf\msmouse.inf contains the directives to add the values to the
registry

[Ser_Inst.Services]
AddService = sermouse, 0x00000002, sermouse_Service_Inst, sermouse_EventLog_Inst ; Port Driver
;                                                         ^^^^^^^^^^^^^^^^^^^^^^

[sermouse_EventLog_Inst]
AddReg = sermouse_EventLog_AddReg

[sermouse_EventLog_AddReg]
HKR,,EventMessageFile,0x00020000,"%%SystemRoot%%\System32\IoLogMsg.dll;%%SystemRoot%%\System32\drivers\sermouse.sys"
; <-- you would put your driver name here
HKR,,TypesSupported,0x00010001,7


d

--

This posting is provided "AS IS" with no warranties, and confers no rights.




 
 
 


Post by GeodeL » Sat, 14 Feb 2009 05:27:47

The driver in question was built based on the tracedrv example:
WINDDK\6001.18001\src\general\tracedrv

But those events appear to end up in the Event Log (the tester did not
record any Trace Log). I agree with you, it would be nice if I had an
MC file. Life would be easier.

Unfortunately, I don't, and it isn't. :-(

So back to the question: Does anyone know how I can turn those Event
Viewer entries into readable text?

Thanks,
-- Steve G.



 
 
 


Post by Maxim S. S » Wed, 18 Feb 2009 11:17:09

>Again, I have *.tmf and *.mof files; I have no *.mc file.

It is a must for Event Viewer, it has nothing to do with ETW.


No need, embed the .mc file to the .rc of the .sys itself.

Then:

...\CurrentControlSet\Services\EventLog\System\YourDriverServiceKeyName
EventMessageFile expand_sz PathToYourDriverSysFile
TypesSupported dword 7

--
Maxim S. Shatskih
Windows DDK MVP
XXXX@XXXXX.COM
http://www.yqcomputer.com/
 
 
 


Post by GeodeL » Fri, 20 Feb 2009 05:55:48

Thanks for all the replies. It turns out that the Trace Log data was
not included in the Event Log (I was led to believe all the debug info
was in the Event Log, but the driver in question puts out only Trace
Log data). I had placed the driver in question in the registry
under ...\EventLog\System\MyDriver (EventMessageFile, TypesSupported),
but the messages would not appear in the Event Viewer. In the end I
wrote my own Event Log Parser (in C# -- it was a good learning
project). I can now decode and display the messages, and so I've
determined that the logs don't hold anything I need.

<sigh>

Ah well, it looks like I get to go for some on-site work! :-)

-- Steve G.
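
What reading a legacy *.evt record without a message DLL looks like, as an added example that is not part of the thread and is not the C# parser mentioned above. It assumes the EVENTLOGRECORD layout documented in the Windows SDK and a log that has not wrapped around; the sample record is constructed, with the source name MyDriver and the insertion string taken from the posts and TESTPC made up for illustration.

```python
import struct

SIGNATURE = 0x654C664C              # "LfLe" marker in every .evt record
FIXED = struct.Struct("<6I4H6I")    # fixed 56-byte head of EVENTLOGRECORD

def _wstr(buf, off):
    """Read a NUL-terminated UTF-16LE string; return (text, next offset)."""
    end = off
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le"), end + 2

def parse_record(rec):
    """Decode one record: source, event ID parts and insertion strings."""
    (length, sig, number, _gen, _wr, event_id, etype, nstrings, _cat, _fl,
     _closing, str_off, _sidlen, _sidoff, _dlen, _doff) = FIXED.unpack_from(rec)
    if (sig != SIGNATURE or not FIXED.size + 4 <= length <= len(rec)
            or struct.unpack_from("<I", rec, length - 4)[0] != length):
        raise ValueError("not a well-formed EVENTLOGRECORD")
    rec = rec[:length - 4]          # keep string reads inside this record
    source, off = _wstr(rec, FIXED.size)
    computer, _ = _wstr(rec, off)
    strings, off = [], str_off
    for _ in range(nstrings):
        text, off = _wstr(rec, off)
        strings.append(text)
    return {"record": number, "source": source, "computer": computer,
            "severity": event_id >> 30, "facility": (event_id >> 16) & 0xFFF,
            "code": event_id & 0xFFFF, "type": etype, "strings": strings}

def iter_records(data, off=0x30):
    """Walk records after the 48-byte file header (assumes no wrap-around)."""
    while off + FIXED.size <= len(data):
        length, sig = struct.unpack_from("<2I", data, off)
        if sig != SIGNATURE or length < FIXED.size + 4:
            break                   # EOF record or slack space reached
        yield parse_record(data[off:off + length])
        off += length

def build_sample():
    """Constructed record: source MyDriver, one insertion string."""
    names = "MyDriver\0TESTPC\0".encode("utf-16-le")
    text = "\\Device\\ZZZZZZZZ\0".encode("utf-16-le")
    str_off = FIXED.size + len(names)
    body = names + text + b"\0" * (-(str_off + len(text)) % 4)
    length = FIXED.size + len(body) + 4
    head = FIXED.pack(length, SIGNATURE, 1, 0, 0, 0xC0040005, 1, 1, 0, 0,
                      0, str_off, 0, str_off, 0, str_off + len(text))
    return head + body + struct.pack("<I", length)
```

The `code` field is the low 16 bits of the event ID, which is the number Event Viewer displays; the insertion strings are the only per-event text stored in the record itself, which is why the description cannot be rendered without the message resource.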