Need help: Event Viewer, Event Logs and Trace Logs

Discussion in 'Windows Vista Drivers' started by GeodeLX, Feb 12, 2009.

  1. GeodeLX

    GeodeLX Guest

    I’m working on a Windows XP device driver which contains WPP event
    tracing calls. NOTE: I can move it to Windows Server 2003 if it would
    make any difference.

    In addition to source code, I also have:
    Driver binary (driver.sys)
    Driver debug symbols (driver.pdb)
    Driver Trace Message Format file (driver.tmf)
    The appropriate DDK (WINDDK 6001.18001) installed on my
    development system.

    I also have a System Event Log file (*.evt) suitable for viewing in
    Event Viewer, and this file is supposed to contain events from my
    driver.

    I’m trying to view the event log so I can see what went wrong with the
    driver. Unfortunately, Event Viewer doesn’t have details for the
    events I’m most interested in. When I view one of those events, the
    Description of the event reads:

    "The description for Event ID ( XX ) in Source ( YYYY ) cannot be
    found. The local computer may not have the necessary registry
    information or message DLL files to display messages from a remote
    computer. You may be able to use the /AUXSOURCE= flag to retrieve this
    description; see Help and Support for details. The following
    information is part of the event: \Device\ZZZZZZZZ."

    Does anyone know how I can turn those Event Viewer entries into
    readable text? My reading shows that I should be using tracelog (and
    tracefmt, tracepdb, TraceView, etc.), but those appear to work only
    with Trace Log (*.etl) files. I’m not tied to using Event Viewer; I’d
    be content to find any way to view these events in human-readable
    form.

    Again, I have *.tmf and *.mof files; I have no *.mc file. If I did, I
    could build a resource DLL and have Event Viewer decode the entries
    for me.

    Does anyone have a suggestion/solution for this? Anything at all?

    Thanks for any help you can provide!
    -- Steve G.
     
    GeodeLX, Feb 12, 2009
    #1

  2. unless wpp is doing something I am not aware of, you are mixing and matching
    two different things.
    1 you need to use an MC file to create the descriptions
    2 you need to compile the mc file as a resource in your driver
    3 you need to add the right registry keys/values so that the event viewer
    knows where to find your actual sys file so it can extract the compiled MC
    resource in it and then find the right message string

    the simplest wdk sample is probably mouser, src\input\mouser
    a) sermlog.mc is included in the sources file, so is mouser.rc
    b) mouser.rc includes sermlog.rc (which is autogenerated in $(O) when you
    build and contains the compiled MC resource)
    c) %windir%\inf\msmouse.inf contains the directives to add the values to the
    registry

    [Ser_Inst.Services]
    AddService = sermouse, 0x00000002, sermouse_Service_Inst, sermouse_EventLog_Inst ; Port Driver
                                                              ^^^^^^

    [sermouse_EventLog_Inst]
    AddReg = sermouse_EventLog_AddReg

    [sermouse_EventLog_AddReg]
    HKR,,EventMessageFile,0x00020000,"%%SystemRoot%%\System32\IoLogMsg.dll;%%SystemRoot%%\System32\drivers\sermouse.sys" ; <-- you would put your driver name here
    HKR,,TypesSupported,0x00010001,7


    d
     
    Doron Holan [MSFT], Feb 12, 2009
    #2

  3. > Again, I have *.tmf and *.mof files; I have no *.mc file.

    It is a must for Event Viewer, it has nothing to do with ETW.
    No need, embed the .mc file to the .rc of the .sys itself.

    Then:

    ...\CurrentControlSet\Services\EventLog\System\YourDriverServiceKeyName
    EventMessageFile expand_sz PathToYourDriverSysFile
    TypesSupported dword 7
     
    Maxim S. Shatskih, Feb 17, 2009
    #3
  4. GeodeLX

    GeodeLX Guest

    Thanks for all the replies. It turns out that the Trace Log data was
    not included in the Event Log (I was led to believe all the debug info
    was in the Event Log, but the driver in question puts out only Trace
    Log data). I had placed the driver in question in the registry
    under ...\EventLog\System\MyDriver (EventMessageFile, TypesSupported),
    but the messages would not appear in the Event Viewer. In the end I
    wrote my own Event Log Parser (in C# -- it was a good learning
    project). I can now decode and display the messages, and so I've
    determined that the logs don't hold anything I need.

    <sigh>

    Ah well, it looks like I get to go for some on-site work! :)

    -- Steve G.
     
    GeodeLX, Feb 18, 2009
    #4
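
Added example (not part of the thread, and not GeodeLX's C# parser): a Python sketch of decoding one legacy .evt record, using the documented EVENTLOGRECORD layout, to show what the log itself stores (source, full event ID, insertion strings such as the \Device\... name) and what has to come from the message file registered under EventMessageFile. The `templates` dictionary is a hypothetical stand-in for that compiled .mc resource, and the record, driver name and event ID are constructed.

```python
import re
import struct

# Fixed 56-byte EVENTLOGRECORD header of the legacy .evt format (little-endian).
HEADER = struct.Struct("<6I4H6I")
SIGNATURE = 0x654C664C  # the bytes "LfLe"

def _wstrings(raw, count):
    """Split a run of NUL-terminated UTF-16LE strings; return the first `count`."""
    return raw.decode("utf-16-le", "replace").split("\0")[:count]

def parse_record(buf, offset=0):
    """Decode one record: what the log holds before any message lookup."""
    (length, sig, number, _gen, _written, event_id, _etype, n_strings, _cat,
     _flags, _closing, str_off, _sid_len, _sid_off, data_len,
     data_off) = HEADER.unpack_from(buf, offset)
    rec = buf[offset:offset + length]
    if (sig != SIGNATURE or len(rec) != length or length < HEADER.size + 4
            or rec[-4:] != rec[:4]):  # the length is repeated at the record's end
        raise ValueError("not a valid EVENTLOGRECORD")
    source, computer = _wstrings(rec[HEADER.size:str_off], 2)
    return {"record": number, "source": source, "computer": computer,
            "event_id": event_id, "display_id": event_id & 0xFFFF,
            "severity": event_id >> 30, "data": rec[data_off:data_off + data_len],
            "strings": _wstrings(rec[str_off:data_off], n_strings)}

def describe(rec, templates):
    """Expand %1, %2, ... the way a message file would (simplified)."""
    def insert(m):
        i = int(m.group(1)) - 1
        return rec["strings"][i] if 0 <= i < len(rec["strings"]) else m.group(0)
    template = templates.get((rec["source"], rec["event_id"]))
    if template is None:  # the case in the question: no message file registered
        return "no description for Event ID ( %d ) in Source ( %s ): %s" % (
            rec["display_id"], rec["source"], "; ".join(rec["strings"]))
    return re.sub(r"%(\d+)", insert, template)

def build_sample(source, computer, event_id, strings, data=b""):
    """Build a constructed record for the demo (not taken from a real log)."""
    names = (source + "\0" + computer + "\0").encode("utf-16-le")
    text = "".join(s + "\0" for s in strings).encode("utf-16-le")
    str_off, data_off = HEADER.size + len(names), HEADER.size + len(names + text)
    body = names + text + data
    body += b"\0" * (-len(body) % 4)  # pad so the record is DWORD-aligned
    length = HEADER.size + len(body) + 4
    head = HEADER.pack(length, SIGNATURE, 1, 0, 0, event_id, 1, len(strings),
                       0, 0, 0, str_off, 0, str_off, len(data), data_off)
    return head + body + struct.pack("<I", length)
```

A real .evt file also carries a file header and an end-of-file record around the event records; this sketch decodes a single record only.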