6:[["$","$Le",null,{}],["$","div",null,{"className":"min-h-screen bg-gray-100 p-6","children":[["$","$Lf",null,{}],["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"{\"@context\":\"https://schema.org\",\"@type\":\"QAPage\",\"mainEntity\":{\"@type\":\"Question\",\"name\":\"Call Tracing Windows Driver\",\"text\":\"

I wish to be able to record, in real time, the activity of a kernel mode driver (I have the full symbols for it). It's a HID miniclass driver. I wish to record the execution of calls in this driver (stacktraces every time an IRP enters and leaves the driver).

\\n\\n

Is this possible (maybe with EWT and/or WPT)?

\\n\",\"author\":{\"@type\":\"Person\",\"name\":\"Aram Hăvărneanu\"},\"upvoteCount\":1,\"answerCount\":2,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"

How about ETW tracing? MS uses it all over inside windows. It will give you call-stacks also.

\\n\\n

Here is the link

\\n\",\"author\":{\"@type\":\"Person\",\"name\":\"Naveen\"},\"upvoteCount\":2}}}"}}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mb-6 relative","children":[["$","div",null,{"className":"absolute top-4 right-4 flex flex-wrap space-x-2","children":[["$","span","c",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/c/1","children":"c"}]}],["$","span","kernel",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/kernel/1","children":"kernel"}]}],["$","span","driver",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/driver/1","children":"driver"}]}],["$","span","trace",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/trace/1","children":"trace"}]}],["$","span","stack-trace",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/stack-trace/1","children":"stack-trace"}]}]]}],["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/a9f751ca58c94bacecb837700da5ef1d?s=256&d=identicon&r=PG","alt":"Aram Hăvărneanu","className":"w-16 h-16 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/184992/aram-h%c4%83v%c4%83rneanu","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"Aram Hăvărneanu"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",784]}]]}]]}],["$","h1",null,{"className":"text-2xl font-bold text-gray-800 mb-4","children":"Call Tracing Windows Driver"}],["$","p",null,{"className":"text-gray-700 mt-4","dangerouslySetInnerHTML":{"__html":"

\n\n

Is this possible (maybe with EWT and/or WPT)?

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm mt-4","children":[["$","p",null,{"children":["Upvotes: ",1]}],["$","p",null,{"children":["Views: ",835]}]]}]]}],["$","div",null,{"className":"container mx-auto","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-6","children":["Answers (",2,")"]}],[["$","div","2585175",{"className":"bg-white shadow-md rounded-lg p-6 mb-6","children":[["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/e7a5fd849317529c9eac6eea84c50f03?s=256&d=identicon&r=PG","alt":"Naveen","className":"w-12 h-12 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/19407/naveen","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"Naveen"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",4120]}]]}]]}],["$","p",null,{"className":"text-gray-700 mb-4","dangerouslySetInnerHTML":{"__html":"

How about ETW tracing? MS uses it all over inside windows. It will give you call-stacks also.

\n\n

Here is the link

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm","children":["$","p",null,{"children":["Upvotes: ",2]}]}]]}],["$","div","1838249",{"className":"bg-white shadow-md rounded-lg p-6 mb-6","children":[["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/689d383717f92bc02f16fbb8ce47683f?s=256&d=identicon&r=PG","alt":"Sergey Podobry","className":"w-12 h-12 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/122951/sergey-podobry","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"Sergey Podobry"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",7189]}]]}]]}],["$","p",null,{"className":"text-gray-700 mb-4","dangerouslySetInnerHTML":{"__html":"

If you need to monitor only IRPs you can use Irp Tracker utility.

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm","children":["$","p",null,{"children":["Upvotes: ",1]}]}]]}]]]}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mt-6","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-4","children":"Related Questions"}],["$","ul",null,{"className":"list-disc list-inside","children":[["$","li","60710292",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/60710292","className":"text-blue-600 hover:underline","children":"Linux kernel function call flow"}]}],["$","li","105659",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/105659","className":"text-blue-600 hover:underline","children":"How can one grab a stack trace in C?"}]}],["$","li","54787115",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/54787115","className":"text-blue-600 hover:underline","children":"How to debug a Windows kernel driver properly?"}]}],["$","li","53011107",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/53011107","className":"text-blue-600 hover:underline","children":"TRACE32 debugging --Tracing Function Call"}]}],["$","li","8859300",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/8859300","className":"text-blue-600 hover:underline","children":"xperf callstack tracing, specific to dlls"}]}],["$","li","4734335",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/4734335","className":"text-blue-600 hover:underline","children":"Kernel trace Windows 7 WinDbg"}]}],["$","li","7631908",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/7631908","className":"text-blue-600 hover:underline","children":"Library for logging Call Stack at runtime (Windows/Linux)"}]}],["$","li","11809804",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/11809804","className":"text-blue-600 hover:underline","children":"DebugTrace in Microsoft driver examples"}]}],["$","li","19209116",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/19209116","className":"text-blue-600 hover:underline","children":"DriverEntry caller"}]}],["$","li","9712096",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/9712096","className":"text-blue-600 hover:underline","children":"Consuming Windows NT Kernel System Call Trace Session Dumps"}]}]]}]]}]]}],["$","$L11",null,{}],["$","$L12",null,{}],["$","$L13",null,{}],["$","$L14",null,{}],["$","$L15",null,{}]]

Call Tracing Windows Driver

Answers (2)

Related Questions