Ray Of Hope

ETW dumped – WPP came to rescue

The requirement grew, and so did ETW's restrictions and scope. The requirement was to log message IDs to a log file that is generated at the end user's end. The log file can then be brought to a developer, who can combine it with the actual strings, the result being a log file with all the message strings. This will provide security, as the end user will not be able to see the actual strings.
I was very confident that ETW, being such an extensive framework, would provide this basic functionality. But I was wrong. ETW is basically for event logging and poor on tracing. With this disappointment came a shimmer of hope with the finding of the -import flag in the tracelog utility, which was introduced in Windows 7. (Meaning Microsoft also realised its mistake of providing such basic functionality, which it tried to rectify in Windows 7.)
But as usual, as has always been the case, Microsoft disappointed its most loyal fan (as Vista has done to all). I thought of backporting tracelog so that the "-import" flag would also go along with it, which would help me achieve the desired functionality. But it turned out to be a bad assumption. Tracelog is dependent on ntdll.dll and thus can't be backported.
The release date was coming near and I was left nowhere. All hopes were shattered. But as people say, being a Windows kernel developer you should never lose hope; you will find something.
So I continued with my R&D and found WPP, which is built over ETW, is specialized in tracing and provides the required functionality.
With the help of Microsoft's mailing list and support staff, I implemented it and presented the working sample (both at application and kernel layer) in 2 days, and the proposal got accepted. Alex Bendetov was really generous in answering my queries. Thanks to him.
It was a face saver for me.

Anshul Makkar

Posted On: 2010-03-27 10:15:40
