Creating an NT Kernel Logger Trace Session

You can use TraceView to create an NT Kernel Logger trace session, a trace session built into Windows that records events that are generated by the Windows kernel.

When you create an NT Kernel Logger trace session, you can select a category of system events, such as "Process". TraceView configures the trace session to record all system events in that category; that is, it sets the EnableFlags parameter for the trace to, for example, ENABLE_TRACE_FLAG_PROCESS (0x7FFFFFFF). For more information, see the Microsoft Windows SDK documentation.

To create an NT Kernel Logger Trace Session

  1. Start TraceView.

  2. On the File menu, click Create New Log Session.

  3. Click Add Provider.

  4. Click Kernel Logger, select one or more of the check boxes that identify NT Kernel Logger session event types, and click OK.

  5. In the Open dialog box, locate System.tmf, the trace message format (TMF) file for system events. System.tmf is included in the WDK in the tools\tracing subdirectory.

  6. To add additional providers of any type, click Add Provider. This step is optional.

  7. Click Next.

  8. Set basic trace session options, if desired.

  9. Set advanced trace session options, if desired.

  10. Click Finish.

Comments

The NT Kernel Logger trace session appears in the list of the Named Provider Selection dialog box as "Windows Kernel Trace." You can use either the Named Provider Selection dialog box or the Kernel Logger option on the Provider Control GUID Setup dialog box to create an NT Kernel Logger trace session. However, only the Provider Control GUID Setup dialog box lets you select the kernel components that are traced. For more information about using the Named Provider Selection dialog box, see Creating a trace session for a registered provider.

 

 

Send comments about this topic to Microsoft

Show:
© 2014 Microsoft