Tools for Software Tracing
The Microsoft Windows Driver Kit (WDK) includes a set of applications and command-line tools for software tracing. These tools are designed to support Event Tracing for Windows (ETW) and to supplement the tracing tools that are included in Windows.
The tools include trace controllers that configure, start, update, and stop trace sessions, and trace consumers that receive trace messages generated during the sessions and convert the binary data into human-readable format for files or display. It also includes tools that combine both functions and tools that support the procedures.
The tools support a variety of trace providers, including user-mode applications and kernel-mode drivers, which are instrumented for software tracing by using WPP software tracing or (Event Tracing for Windows (ETW). The tools also can access reserved trace sessions that are built into Windows, such as the Global Logger trace session and the NT Kernel Logger trace session.
Some of these tools are located in the tools\<Platform> subdirectory of the Windows Driver Kit (WDK), where <Platform> is either x86 or x64. Other tools are either included with Windows or are located in the bin\<Platform> subdirectory of the WDK.
This section begins with a survey of software tracing tools, discusses the concepts underlying the tools, and then includes documentation of the software tracing tools in the WDK.
This section includes:
For conceptual information About Event Tracing, see the Microsoft Windows SDK documentation.
Use the kernel-mode Event Tracing for Windows (ETW) API if you want to publish events that can be consumed by applications interested in administrative, operational and analytical events, in addition to the detailed tracing you might require during development. Use WPP Software Tracing if you are interested in primarily collecting trace data for development and debugging purposes and your driver needs to support this capability in Windows 2000 and later.
|WPP software tracing||ETW kernel-mode API|
|Supported on Windows 2000 and later.||Supported on Windows Vista and later.|
|Tracing events for development and debugging. Mostly internal developer focused.||Tracing events for administrative, operational, analytical and debugging purposes.|
|Does not require a manifest to describe events||Needs a manifest to describe events.|
|Not easy to discover. Need TMF files to decode the events.||Easy to discover and can be programmatically decoded. The metadata to decode the events is contained in the binary.|
|Can be only one active session per trace provider.||
Strings can be localized.
Provider can be secured to protect sensitive data.
Multiplexing of events to multiple consumers.
Activity Id support for correlating events.
For information about using Windows software trace preprocessor (WPP) macros to add software tracing to a driver or application, see WPP Software Tracing.
For information about the using the kernel-mode ETW API for drivers, see Event Tracing for Windows (ETW).
For information about using the Windows Management Instrumentation (WMI) extensions to the Windows Driver Model (WDM) to add software tracing to any driver, see WMI Event Tracing.
For the most current information about software tracing for drivers, see the Windows Hardware Developer Central Event Tracing website.
Note ETW and WPP support most types of kernel-mode drivers and user-mode applications. However, ETW and WPP use types that are not available for certain types of drivers, such as miniport drivers. To determine whether a particular driver type is supported, add basic WPP macros to the driver, such as WPP_INIT_TRACING and WPP_CLEANUP. If the code does not compile because the types that are used are not defined, then ETW and WPP cannot support the driver type.
Build date: 2/13/2014