Need help: Event Viewer, Event Logs and Trace Logs

I’m working on a Windows XP device driver which contains WPP event
tracing calls. NOTE: I can move it to Windows Server 2003 if it would
make any difference.

In addition to source code, I also have:
Driver binary (driver.sys)
Driver debug symbols (driver.pdb)
Driver Trace Message Format file (driver.tmf)
The appropriate DDK (WINDDK 6001.18001) installed on my
development system.

I also have a System Event Log file (*.evt) suitable for viewing in
Event Viewer, and this file is supposed to contain events from my
driver.

I’m trying to view the event log so I can see what went wrong with the
driver. Unfortunately, Event Viewer doesn’t have details for the
events I’m most interested in. When I view one of those events, the
Description of the event reads:

"The description for Event ID ( XX ) in Source ( YYYY ) cannot be
found. The local computer may not have the necessary registry
information or message DLL files to display messages from a remote
computer. You may be able to use the /AUXSOURCE= flag to retrieve this
description; see Help and Support for details. The following
information is part of the event: \Device\ZZZZZZZZ."

Does anyone know how I can turn those Event Viewer entries into
readable text? My reading shows that I should be using tracelog (and
tracefmt, tracepdb, TraceView, etc.), but those appear to work only
with Trace Log (*.etl) files. I’m not tied to using Event Viewer; I’d
be content to find any way to view these events in human-readable
form.

Again, I have *.tmf and *.mof files; I nave no *.mc file. If I did, I
could build a resource DLL and have Event Viewer decode the entries
for me.

Does anyone have a suggestion/solution for this? Anything at all?

Thanks for any help you can provide!
-- Steve G.

unless wpp is doing something I am not aware of, you are mixing and matching
two different things.
1 you need to use an MC file to create the desriptions
2 you need to compile the mc file as a resource in your driver
3 you need to add the right registry keys/values so that the event viewer
knows where to find your actual sys file so it can extract the compiled MC
resource in it and then find the right message string

the simplest wdk sample is probably mouser, src\input\mouser
a) sermlog.mc is included in the sources file, so is mouser.rc
b) mouser.rc includes sermlog.rc (which is autogenerated in $(O) when you
build and contains the compiled MC resource)
c) %windir%\inf\msmouse.inf contains the directives to add the values to the
registry

[Ser_Inst.Services]
AddService = sermouse, 0x00000002, sermouse_Service_Inst,
sermouse_EventLog_Inst ; Port Driver

^^^^^^

[sermouse_EventLog_Inst]
AddReg = sermouse_EventLog_AddReg

[sermouse_EventLog_AddReg]
HKR,,EventMessageFile,0x00020000,"%%SystemRoot%%\S ystem32\IoLogMsg.dll;%%SystemRoot%%\System32\drive rs\sermouse.sys"
<-- you would put your driver name here
HKR,,TypesSupported,0x00010001,7


d

--

This posting is provided "AS IS" with no warranties, and confers no rights.


"GeodeLX" <> wrote in message
news:56aab722-8894-4c3b-b8be-...
> I’m working on a Windows XP device driver which contains WPP event
> tracing calls. NOTE: I can move it to Windows Server 2003 if it would
> make any difference.
>
> In addition to source code, I also have:
> Driver binary (driver.sys)
> Driver debug symbols (driver.pdb)
> Driver Trace Message Format file (driver.tmf)
> The appropriate DDK (WINDDK 6001.18001) installed on my
> development system.
>
> I also have a System Event Log file (*.evt) suitable for viewing in
> Event Viewer, and this file is supposed to contain events from my
> driver.
>
> I’m trying to view the event log so I can see what went wrong with the
> driver. Unfortunately, Event Viewer doesn’t have details for the
> events I’m most interested in. When I view one of those events, the
> Description of the event reads:
>
> "The description for Event ID ( XX ) in Source ( YYYY ) cannot be
> found. The local computer may not have the necessary registry
> information or message DLL files to display messages from a remote
> computer. You may be able to use the /AUXSOURCE= flag to retrieve this
> description; see Help and Support for details. The following
> information is part of the event: \Device\ZZZZZZZZ."
>
> Does anyone know how I can turn those Event Viewer entries into
> readable text? My reading shows that I should be using tracelog (and
> tracefmt, tracepdb, TraceView, etc.), but those appear to work only
> with Trace Log (*.etl) files. I’m not tied to using Event Viewer; I’d
> be content to find any way to view these events in human-readable
> form.
>
> Again, I have *.tmf and *.mof files; I nave no *.mc file. If I did, I
> could build a resource DLL and have Event Viewer decode the entries
> for me.
>
> Does anyone have a suggestion/solution for this? Anything at all?
>
> Thanks for any help you can provide!
> -- Steve G.

>Again, I have *.tmf and *.mof files; I nave no *.mc file.

It is a must for Event Viewer, it has nothing to do with ETW.

>If I did, I could build a resource DLL

No need, embed the .mc file to the .rc of the .sys itself.

Then:

...\CurrentControlSet\Services\EventLog\System\You rDriverServiceKeyName
EventMessageFile expand_sz PathToYourDriverSysFile
TypesSupported dword 7

--
Maxim S. Shatskih
Windows DDK MVP

http://www.storagecraft.com

Thanks for all the replies. It turns out that the Trace Log data was
not included in the Event Log (I was led to believe all the debug info
was in the Event Log, but the driver in question puts out only Trace
Log data). I had placed the driver in question in the registry
under ...\EventLog\System\MyDriver (EventMessageFIle, TypesSupported),
but the messages would not appear in the Event Viewer. In the end I
wrote my own Event Log Parser (in C# -- it was a good learning
project). I can now decode and display the messages, and so I've
determined that the logs don't hold anything I need.

<sigh>

Ah well, it looks like I get to go for some on-site work! :-)

-- Steve G.