To start tracing file, registry, image, and module load on Vista use the following script:
@echo off
echo Load Filetrace filter...
fltmc load filetrace
echo Enable OpSet1...
tracelog -start vistatrace -rt -b 10000 -min 10 -ft 1 -f c:\vistatrace.etl -guid #D75D8303-6C21-4bde-9C98-ECC6320F9291 -flags 0xE
echo Enable OpSet2...
tracelog -enable vistatrace -guid #058DD951-7604-414d-A5D6-A56D35367A46 -flags 0xFFFFFFF
echo Enable Optional...
tracelog -enable vistatrace -guid #7DA1385C-F8F5-41cc-B9D0-02FCA090F1EC -flags 0xFFFFFFF
echo Enable Volumes...
tracelog -enable vistatrace -guid #127D46AF-4AD3-489f-9165-F00BA64D5467 -flags 0x04000000
echo Enable Kernel Registry, Image and Process Tracing...
tracelog -start -nodisk -nonet -img -cm -f c:\vistakernel.etl
To stop tracing, use:
@echo off
echo Stop file tracing...
tracelog -stop vistatrace
echo Stop kernel tracing...
tracelog -stop
Note:
Details on tracelog can be found here. Alternatively, the Vista tool LogMan.exe can be used; details can be found here. The Registry, File, and Image tracers are part of the Windows Kernel Logger; details can be found here.
The remainder of the document describes the filetrace tracer for collecting file information on Vista. The ETW event layout for the file trace events is described here.
The file trace driver is a mini-filter that leverages both the Filter Manager and ETW infrastructures. It supports the following features and each is discussed in subsequent sections.
1. Control through Filter Manager
2. Control through ETW
3. Optional Operation Logging
4. Optional Property Logging
5. Attaching to Volumes
6. Multi session support
7. Schematized data via WMI
8. Boot Tracing
Before the filter can trace any volume activity, it must be loaded. This can be achieved by utilizing the fltmc.exe command line or the FilterLoad API (or automatically by the system when boot logging is enabled). The filter explicitly rejects requests to attach to a specific volume via the “attach” option of fltmc or the FilterAttach API. The filter only creates instances (one instance per volume) in response to ETW requests. The filter may be loaded and unloaded at any time, even when there are active ETW sessions utilizing the filter. When a filter is unloaded while a session is active, the session will stop receiving data. When the filter is subsequently loaded, ETW will notify the filter of the active session and the filter will resume logging to that session.
ISSUE: At the time of this writing, ETW does not provide adequate multi-session support. If two or more sessions are running at the time of an unload request, then only the session that was created last will resume logging when the filter is reloaded, because ETW only informs the filter of the most recently created session. All other sessions will still appear active when queried via ETW, but only the most recent session will show any logging activity, as evidenced by its increasing count of buffers written.
The mini-filter is controlled via ETW. The client can use ETW to specify which volumes to monitor, which operations to monitor, and which properties to retrieve from a set of optional properties. To specify which operations, volumes, and properties to log, the client uses ETW’s mechanism for passing 32-bit flags to a provider. To support all of the possible combinations of operations, volumes, and optional properties, the mini-filter exposes 4 distinct ETW control GUIDs, as shown below.
The filter uses ETW in a non-standard way. Typically, a provider is a producer of events: a user enables a provider and then receives and consumes the events it produces. This model suffers from the restriction that a provider has only 32 bits of information controlling its production behavior. To bypass this restriction, the file trace mini-filter combines 4 providers into a single “logical” provider. To fully express which events to generate, the client should view the 4 providers as a single provider and set the flags on each appropriately. At a minimum, the client must configure at least 1 operation provider and 1 volume provider in order to log events.
The details of what properties, volumes, and operations are supported and how they map to a bit in the flags are provided in subsequent sections.
D75D8303-6C21-4bde-9C98-ECC6320F9291 – Operation Set 1
058DD951-7604-414d-A5D6-A56D35367A46 – Operation Set 2
7DA1385C-F8F5-41cc-B9D0-02FCA090F1EC – Optional Properties
127D46AF-4AD3-489f-9165-F00BA64D5467 – Volumes
Using the control GUIDs shown above, a client can start a logging session and enable and disable logging of operations, properties, or volumes using the standard tools provided by ETW as shown below:
After installing the filter using its associated inf file, the client must load the filter using either the filter manager API or fltmc.exe:
fltmc load filetrace
After the filter is loaded, ETW tools may be used to create a tracing session. The example below illustrates creating a session named f2 that enables tracing of all operations, all properties, and all volumes. The client creates the session with the start command and then enables the remaining trace GUIDs. Any control GUID can be used to create the session. In general, it is best to enable the volume GUID last, so that all of the operation and optional-property options are enabled before logging begins; once the volume GUID is enabled, logging commences.
tracelog -start f2 -rt -ft 1 -f %SystemDrive%\filetrace\f2.trc -guid #D75D8303-6C21-4bde-9C98-ECC6320F9291 -flags 0xFFFFFFF
tracelog -enable f2 -guid #058DD951-7604-414D-A5D6-A56D35367A46 -flags 0xFFFFFFF
tracelog -enable f2 -guid #7DA1385C-F8F5-41CC-B9D0-02FCA090F1EC -flags 0x0
tracelog -enable f2 -guid #127D46AF-4AD3-489F-9165-F00BA64D5467 -flags 0x4000000
Once the session is created, clients can use the following command to query the state of the session:
tracelog -q f2
OR
tracelog -l (to enumerate the state of all sessions)
See the documentation for tracelog for the meaning of the options utilized above. Clients may also use ETW APIs or the logman tool to achieve the same effects as above.
As mentioned previously, the mini-filter supports logging all of the known file system operations. The complete set is shown below:
| Operation | Control Bit |
| --- | --- |
| Set 1 - GUID D75D8303-6C21-4bde-9C98-ECC6320F9291 | |
| IRP_MJ_CREATE | 0 |
| IRP_MJ_CREATE_NAMED_PIPE | 1 |
| IRP_MJ_CLOSE | 2 |
| IRP_MJ_READ | 3 |
| IRP_MJ_WRITE | 4 |
| IRP_MJ_QUERY_INFORMATION | 5 |
| IRP_MJ_SET_INFORMATION | 6 |
| IRP_MJ_QUERY_EA | 7 |
| IRP_MJ_SET_EA | 8 |
| IRP_MJ_FLUSH_BUFFERS | 9 |
| IRP_MJ_QUERY_VOLUME_INFORMATION | 10 |
| IRP_MJ_SET_VOLUME_INFORMATION | 11 |
| IRP_MJ_DIRECTORY_CONTROL | 12 |
| IRP_MJ_FILE_SYSTEM_CONTROL | 13 |
| IRP_MJ_DEVICE_CONTROL | 14 |
| IRP_MJ_INTERNAL_DEVICE_CONTROL | 15 |
| IRP_MJ_SHUTDOWN | 16 |
| IRP_MJ_LOCK_CONTROL | 17 |
| IRP_MJ_CLEANUP | 18 |
| IRP_MJ_CREATE_MAILSLOT | 19 |
| IRP_MJ_QUERY_SECURITY | 20 |
| IRP_MJ_SET_SECURITY | 21 |
| IRP_MJ_POWER | 22 |
| IRP_MJ_SYSTEM_CONTROL | 23 |
| IRP_MJ_DEVICE_CHANGE | 24 |
| IRP_MJ_QUERY_QUOTA | 25 |
| IRP_MJ_SET_QUOTA | 26 |
| IRP_MJ_PNP | 27 |
| Set 2 - GUID 058DD951-7604-414d-A5D6-A56D35367A46 | |
| IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION | 1 |
| IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION | 2 |
| IRP_MJ_ACQUIRE_FOR_MOD_WRITE | 3 |
| IRP_MJ_RELEASE_FOR_MOD_WRITE | 4 |
| IRP_MJ_ACQUIRE_FOR_CC_FLUSH | 5 |
| IRP_MJ_RELEASE_FOR_CC_FLUSH | 6 |
| IRP_MJ_NOTIFY_STREAM_FILE_OBJECT | 7 |
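As an added example that is not part of this document or of the filetrace driver, the following Python helper applies the bit assignments from the table above and the 4-GUID flag scheme described earlier: it encodes a list of operation names into the per-GUID -flags values and decodes a flags value back into the operation names it enables. It assumes the Set 2 entries are exactly those reproduced in the table; the function and variable names are my own.

```python
# Added example (not from the original document): convert between IRP_MJ
# operation names and the 32-bit ETW -flags values for the two filetrace
# operation-set control GUIDs. Bit positions are taken from the table above;
# Set 2 is assumed to contain only the entries reproduced in that table.
OPSET1_GUID = "D75D8303-6C21-4bde-9C98-ECC6320F9291"
OPSET2_GUID = "058DD951-7604-414d-A5D6-A56D35367A46"

# Set 1: bit index equals list position (IRP_MJ_CREATE = bit 0 ... IRP_MJ_PNP = bit 27).
OPSET1 = [
    "IRP_MJ_CREATE", "IRP_MJ_CREATE_NAMED_PIPE", "IRP_MJ_CLOSE", "IRP_MJ_READ",
    "IRP_MJ_WRITE", "IRP_MJ_QUERY_INFORMATION", "IRP_MJ_SET_INFORMATION",
    "IRP_MJ_QUERY_EA", "IRP_MJ_SET_EA", "IRP_MJ_FLUSH_BUFFERS",
    "IRP_MJ_QUERY_VOLUME_INFORMATION", "IRP_MJ_SET_VOLUME_INFORMATION",
    "IRP_MJ_DIRECTORY_CONTROL", "IRP_MJ_FILE_SYSTEM_CONTROL", "IRP_MJ_DEVICE_CONTROL",
    "IRP_MJ_INTERNAL_DEVICE_CONTROL", "IRP_MJ_SHUTDOWN", "IRP_MJ_LOCK_CONTROL",
    "IRP_MJ_CLEANUP", "IRP_MJ_CREATE_MAILSLOT", "IRP_MJ_QUERY_SECURITY",
    "IRP_MJ_SET_SECURITY", "IRP_MJ_POWER", "IRP_MJ_SYSTEM_CONTROL",
    "IRP_MJ_DEVICE_CHANGE", "IRP_MJ_QUERY_QUOTA", "IRP_MJ_SET_QUOTA", "IRP_MJ_PNP",
]
# Set 2: the table numbers these from bit 1, so the position is offset by one.
OPSET2 = [
    "IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION",
    "IRP_MJ_RELEASE_FOR_SECTION_SYNCHRONIZATION",
    "IRP_MJ_ACQUIRE_FOR_MOD_WRITE", "IRP_MJ_RELEASE_FOR_MOD_WRITE",
    "IRP_MJ_ACQUIRE_FOR_CC_FLUSH", "IRP_MJ_RELEASE_FOR_CC_FLUSH",
    "IRP_MJ_NOTIFY_STREAM_FILE_OBJECT",
]
BITS = {name: (OPSET1_GUID, i) for i, name in enumerate(OPSET1)}
BITS.update({name: (OPSET2_GUID, i + 1) for i, name in enumerate(OPSET2)})

def encode_flags(operations):
    """Return {guid: flags} with one bit set per requested operation name."""
    flags = {OPSET1_GUID: 0, OPSET2_GUID: 0}
    for op in operations:
        guid, bit = BITS[op]  # KeyError: operation is not in the table
        flags[guid] |= 1 << bit
    return flags

def decode_flags(guid, flags):
    """Return the operation names a 32-bit flags value enables on one GUID."""
    return [name for name, (g, bit) in BITS.items()
            if g == guid and flags & (1 << bit)]

def tracelog_commands(session, operations):
    """Build the tracelog -enable lines for an existing session, one per GUID in use."""
    return [f"tracelog -enable {session} -guid #{g} -flags 0x{f:X}"
            for g, f in encode_flags(operations).items() if f]
```

Decoding 0xFFFFFFF against Set 1 returns all 28 operations, which is why the session examples earlier in this document use that value to enable every operation in the set.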