Go Back   OSR Online Lists > ntdev
  Message 1 of 7  
22 May 18 07:48
Parihar Naresh Singh
xxxxxx@gmail.com
Join Date: 23 Apr 2015
Posts To This List: 10
Driver Event Logging

Hi All, I wanted to log a message from my driver based on NTSTATUS. I was following the way explained in Art Baker's Win2000DeviceDriver; it looks a little hard to implement. Is there any easy way with the latest VS 2017? I tried the available APIs IoAllocateErrorLogEntry and IoWriteErrorLogEntry and was able to create an event, but with no information. Any help? Thanks in advance. (intermediate developer)
  Message 2 of 7  
23 May 18 12:27
Peter Viscarola
xxxxxx@osr.com
Join Date:
Posts To This List: 6183
List Moderator
Driver Event Logging

Do you need more information than what's available on MSDN:
<https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/writing-to-the-system-event-log>

Toss the Baker book. The best thing I can say about it is that it's out of date. Some of it, like the section on Power Management, was out of date when it was written, but I digress.

You should almost certainly be writing whatever code you're writing in WDF, not in WDM.

ANYhow... yeah.

Peter
OSR
@OSRDrivers
  Message 3 of 7  
24 May 18 10:09
Parihar Naresh Singh
xxxxxx@gmail.com
Join Date: 23 Apr 2015
Posts To This List: 10
Driver Event Logging

Thank you Peter for the info. I have followed the same like below. This is the function for logging to the event log:

    VOID XXXXLogEvent(PVOID ioObject, NTSTATUS status, const CHAR * Msg)
    {
        PIO_ERROR_LOG_PACKET pErrLogDetails = NULL;

        UNREFERENCED_PARAMETER(status);
        UNREFERENCED_PARAMETER(Msg);

        pErrLogDetails = IoAllocateErrorLogEntry(ioObject, sizeof(IO_ERROR_LOG_PACKET));
        if (NULL != pErrLogDetails)
        {
            RtlSecureZeroMemory(pErrLogDetails, sizeof(IO_ERROR_LOG_PACKET));
            pErrLogDetails->ErrorCode = status;
            /* Only write the entry if the allocation succeeded */
            IoWriteErrorLogEntry(pErrLogDetails);
        }
        return;
    }

From the driver (for the demo I removed the rest of the code):

    ...
    status = ZwEnumerateValueKey(hRegKey, 0, KeyValuePartialInformation, pKeyValuelInfo, 256, &retSize);
    SmartAVLogEvent(pDrvObj, status, "This is test");
    ...

MC file:

    MessageIdTypedef = NTSTATUS

    SeverityNames = (
        Success       = 0x0:STATUS_SEVERITY_SUCCESS
        Informational = 0x1:STATUS_SEVERITY_INFORMATIONAL
        Warning       = 0x2:STATUS_SEVERITY_WARNING
        Error         = 0x3:STATUS_SEVERITY_ERROR
    )

    FacilityNames = (
        System     = 0x0
        RpcRuntime = 0x2:FACILITY_RPC_RUNTIME
        RpcStubs   = 0x3:FACILITY_RPC_STUBS
        Io         = 0x4:FACILITY_IO_ERROR_CODE
        Driver     = 0x7:FACILITY_DRIVER_ERROR_CODE
    )

    MessageId=0x0001
    Facility=Driver
    Severity=Informational
    SymbolicName=MSG_LOGGING_ENABLED
    Language=English
    Event logging enabled for XXXXXX Driver.
    .

    MessageId=+1
    Facility=Driver
    Severity=Informational
    SymbolicName=MSG_DRIVER_STARTING
    Language=English
    XXXX Driver has successfully initialized.
    .

    MessageId=+1
    Facility=Driver
    Severity=Informational
    SymbolicName=MSG_DRIVER_STOPPING
    Language=English
    XXXXXX Driver has unloaded.
    .

I was able to log an event in Event Viewer, which is not what I wanted:

===========================================
The description for Event ID 0 from source xxxxx cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
the message resource is present but the message is not found in the string/message table
=============================
  Message 4 of 7  
24 May 18 10:47
Peter Viscarola
xxxxxx@osr.com
Join Date:
Posts To This List: 6183
List Moderator
Driver Event Logging

<quote>
I have followed the same like below..
</quote>

OK. But that's not what I asked you. I asked you if you need more information than is available on the MSDN pages to which I referred you.

Specifically, I'll ask again: Did you follow all those steps? Did you REGISTER your driver (by creating the appropriate values in the Registry) as an error message source?

Peter
OSR
@OSRDrivers
  Message 5 of 7  
24 May 18 11:20
Parihar Naresh Singh
xxxxxx@gmail.com
Join Date: 23 Apr 2015
Posts To This List: 10
Driver Event Logging

Yes Peter, I did. I followed
https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/registering-as-a-source-of-error-messages

\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\XXXXX
with entries EventMessageFile (with path) and TypesSupported
  Message 6 of 7  
24 May 18 15:56
Peter Viscarola
xxxxxx@osr.com
Join Date:
Posts To This List: 6183
List Moderator
Driver Event Logging

OK. Hmmmm... well, from your code, it looks like you're writing an error log packet that is completely empty?

<quote>
    VOID XXXXLogEvent(PVOID ioObject, NTSTATUS status, const CHAR * Msg)
    {
        PIO_ERROR_LOG_PACKET pErrLogDetails = NULL;

        UNREFERENCED_PARAMETER(status);
        UNREFERENCED_PARAMETER(Msg);

        pErrLogDetails = IoAllocateErrorLogEntry(ioObject, sizeof(IO_ERROR_LOG_PACKET));
        if (NULL != pErrLogDetails)
        {
            RtlSecureZeroMemory(pErrLogDetails, sizeof(IO_ERROR_LOG_PACKET));
            pErrLogDetails->ErrorCode = status;
            /* Only write the entry if the allocation succeeded */
            IoWriteErrorLogEntry(pErrLogDetails);
        }
        return;
    }
</quote>

The ErrorCode field should correspond with one of the message IDs that you created. So, MSG_LOGGING_ENABLED or MSG_DRIVER_STOPPING or whatever.

You appear to be passing an NTSTATUS in this field, and from the message you provided, I'd bet that status is STATUS_SUCCESS??

Peter
OSR
@OSRDrivers
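
Added example, not part of the thread or of any poster's code: a user-mode C model of the point made in the reply above. ErrorCode has to be one of the message IDs generated from the MC file, so an NTSTATUS of 0 resolves to no message and shows as Event ID 0, while the NTSTATUS itself is carried in FinalStatus and DumpData. MODEL_LOG_PACKET, lookup_message, event_id and fill_packet are hypothetical names, the message table is constructed from the MC file posted earlier, and the customer bit of the message ID is assumed clear.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Message ID layout used by the message compiler: severity in bits 31-30,
   facility in bits 27-16, code in bits 15-0 (customer bit assumed clear). */
#define MAKE_MSG_ID(sev, fac, code) \
    (((uint32_t)(sev) << 30) | ((uint32_t)(fac) << 16) | (uint32_t)(code))
#define SEV_INFORMATIONAL 0x1u   /* Informational = 0x1 in the MC file */
#define FAC_DRIVER        0x7u   /* Driver = 0x7 in the MC file */
#define MSG_LOGGING_ENABLED MAKE_MSG_ID(SEV_INFORMATIONAL, FAC_DRIVER, 1)
#define MSG_DRIVER_STARTING MAKE_MSG_ID(SEV_INFORMATIONAL, FAC_DRIVER, 2)
#define MSG_DRIVER_STOPPING MAKE_MSG_ID(SEV_INFORMATIONAL, FAC_DRIVER, 3)

/* Constructed stand-in for the message table compiled from the MC file. */
static const struct { uint32_t id; const char *text; } message_table[] = {
    { MSG_LOGGING_ENABLED, "Event logging enabled for XXXXXX Driver." },
    { MSG_DRIVER_STARTING, "XXXX Driver has successfully initialized." },
    { MSG_DRIVER_STOPPING, "XXXXXX Driver has unloaded." },
};

/* Hypothetical user-mode model of the IO_ERROR_LOG_PACKET fields used here. */
typedef struct {
    uint16_t DumpDataSize;  /* bytes of DumpData in use */
    uint32_t ErrorCode;     /* message ID resolved against the message file */
    uint32_t FinalStatus;   /* NTSTATUS being reported */
    uint32_t DumpData[1];   /* driver-specific binary data */
} MODEL_LOG_PACKET;

/* Resolve an ErrorCode against the message table: exact match or nothing. */
const char *lookup_message(uint32_t error_code) {
    for (size_t i = 0; i < sizeof message_table / sizeof message_table[0]; i++)
        if (message_table[i].id == error_code)
            return message_table[i].text;
    return NULL;
}

/* The displayed event ID is the low 16 bits of ErrorCode. */
uint16_t event_id(uint32_t error_code) { return (uint16_t)(error_code & 0xFFFFu); }

/* Message ID goes in ErrorCode; the NTSTATUS travels in FinalStatus/DumpData. */
void fill_packet(MODEL_LOG_PACKET *p, uint32_t msg_id, uint32_t status) {
    memset(p, 0, sizeof *p);
    p->ErrorCode = msg_id;
    p->FinalStatus = status;
    p->DumpData[0] = status;
    p->DumpDataSize = (uint16_t)sizeof p->DumpData[0];
}
```
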
  Message 7 of 7  
25 May 18 03:20
Parihar Naresh Singh
xxxxxx@gmail.com
Join Date: 23 Apr 2015
Posts To This List: 10
Driver Event Logging

Thank you Peter, perfect Guru :) I will code the same in KMDF; it was just a pilot for one of our requirements.
All times are GMT -5.

