@lowleveldesign lowleveldesign released this Oct 25, 2017 · 3 commits to master since this release

Changes

  • PowerShell commands tracing added
  • Basic filtering for event names (-f switch)

Please have a look at the post on my blog to learn more.

2.1

@lowleveldesign lowleveldesign released this Sep 12, 2017 · 7 commits to master since this release

Changes

  • You may trace only drivers, with no process specified (wtrace -s)
  • Trace all child processes started by the parent process (-c switch)

2.0

@lowleveldesign lowleveldesign released this Aug 13, 2017 · 14 commits to master since this release

Changes

  • Summary events are again displayed at the end of the trace
  • Statistics on driver execution (DPC/ISR events) are collected during the trace session (-s option), e.g.:
> wtrace -s notepad
...
--------------------------------
              ISR
--------------------------------
'C:\WINDOWS\System32\drivers\HDAudBus.sys', total: 4,047ms (338 event(s))
'C:\WINDOWS\system32\drivers\Wdf01000.sys', total: 1,831ms (372 event(s))
'C:\WINDOWS\System32\drivers\USBPORT.SYS', total: 0,599ms (66 event(s))

--------------------------------
              DPC
--------------------------------
'C:\WINDOWS\system32\drivers\Wdf01000.sys', total: 27,645ms (372 event(s))
'C:\WINDOWS\System32\drivers\dxgkrnl.sys', total: 11,721ms (665 event(s))
'C:\WINDOWS\system32\ntoskrnl.exe', total: 10,388ms (526 event(s))
'C:\WINDOWS\System32\drivers\USBPORT.SYS', total: 3,768ms (321 event(s))
'C:\WINDOWS\System32\drivers\HDAudBus.sys', total: 1,581ms (338 event(s))
'C:\WINDOWS\system32\drivers\ndis.sys', total: 1,162ms (99 event(s))
'C:\WINDOWS\System32\drivers\tcpip.sys', total: 0,637ms (30 event(s))
'C:\WINDOWS\system32\DRIVERS\igdkmd64.sys', total: 0,571ms (93 event(s))
'C:\WINDOWS\System32\drivers\storport.sys', total: 0,469ms (17 event(s))
'C:\WINDOWS\System32\drivers\vmswitch.sys', total: 0,311ms (35 event(s))
'C:\WINDOWS\System32\drivers\dxgmms2.sys', total: 0,174ms (27 event(s))
'C:\WINDOWS\System32\drivers\CLASSPNP.SYS', total: 0,046ms (1 event(s))
'C:\WINDOWS\System32\drivers\vmbusr.sys', total: 0,033ms (6 event(s))
'C:\WINDOWS\System32\drivers\bridge.sys', total: 0,019ms (4 event(s))
'C:\WINDOWS\system32\drivers\hvservice.sys', total: 0,009ms (3 event(s))
'C:\WINDOWS\System32\drivers\storahci.sys', total: 0,005ms (2 event(s))
'C:\WINDOWS\system32\Drivers\WdNisDrv.sys', total: 0,004ms (2 event(s))
...

1.3

@lowleveldesign lowleveldesign released this Mar 12, 2017 · 31 commits to master since this release

Changes

  • PowerShell support
  • More consistent output to make filtering easier: the summary is printed as summary events

1.2

@lowleveldesign lowleveldesign released this Jan 8, 2017 · 46 commits to master since this release

You may now trace RPC calls with wtrace!

Example trace:

4317.5999 (8424.15088) RpcClientCall/Stop  --- NamedPipes --> 6bffd098-a112-3610-9833-46c3f87e345a (\PIPE\wkssvc) 11
4317.7007 (8424.15088) RpcClientCall/Start --- LRPC --> 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL
4317.8605 (8424.15088) RpcServerCall/Start <-- LRPC --- 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL (96.5612)
4317.9506 (96.5612) RpcServerCall/Stop  <-- LRPC --- 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL (96.5612)
4317.9738 (8424.15088) RpcClientCall/Stop  --- LRPC --> 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL

More information is available in the wiki.
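
The RPC trace above is line-oriented text, so pairing each Start with its Stop per interface and procedure number gives per-call latencies that are easy to filter and compare across a session. The script below is an added example, not part of wtrace or of these release notes; the field names it uses (pid.tid, interface UUID, procedure number) are assumptions about the layout seen in the sample, and the sample lines are the ones shown above.

```python
import re
from collections import defaultdict

# Sample input copied from the RPC trace in the 1.2 notes; the first Stop has no Start in view.
SAMPLE_TRACE = """\
4317.5999 (8424.15088) RpcClientCall/Stop  --- NamedPipes --> 6bffd098-a112-3610-9833-46c3f87e345a (\\PIPE\\wkssvc) 11
4317.7007 (8424.15088) RpcClientCall/Start --- LRPC --> 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL
4317.8605 (8424.15088) RpcServerCall/Start <-- LRPC --- 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL (96.5612)
4317.9506 (96.5612) RpcServerCall/Stop  <-- LRPC --- 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL (96.5612)
4317.9738 (8424.15088) RpcClientCall/Stop  --- LRPC --> 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL
"""

# Field names are assumptions about the layout visible in the sample:
# <timestamp> (<pid.tid>) <event>/<phase> <arrow> <transport> <arrow> <interface uuid> (<endpoint>) <procnum> ...
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) \((?P<thread>[\d.]+)\) (?P<event>Rpc(?:Client|Server)Call)/(?P<phase>Start|Stop)\s+"
    r"(?:---|<--) (?P<transport>\w+) (?:-->|---) (?P<uuid>[0-9a-fA-F-]{36}) \((?P<endpoint>[^)]*)\) (?P<procnum>\d+)"
)

def parse_line(line):
    """Return the fields of one RPC trace line as a dict, or None if it is not an RPC event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"], rec["procnum"] = float(rec["ts"]), int(rec["procnum"])
    return rec

def pair_rpc_calls(text):
    """Pair Start/Stop events; return (completed_calls, unmatched_stops)."""
    # The key leaves out pid.tid: in the sample the server-side Start carries the caller's
    # thread while its Stop carries the server's, so keying on it would never pair them.
    pending = defaultdict(list)  # key -> queue of Start records, oldest first
    calls, unmatched = [], 0
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        key = (rec["event"], rec["uuid"], rec["procnum"])
        if rec["phase"] == "Start":
            pending[key].append(rec)
        elif pending[key]:
            start = pending[key].pop(0)
            calls.append({"event": rec["event"], "transport": rec["transport"],
                          "endpoint": rec["endpoint"], "procnum": rec["procnum"],
                          "duration": round(rec["ts"] - start["ts"], 4)})
        else:
            unmatched += 1  # Stop without a Start: the call began before the trace window
    return calls, unmatched
```

Durations are in the same units as the trace timestamps; a Stop whose Start fell outside the captured window is counted rather than silently dropped.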

1.1

@lowleveldesign lowleveldesign released this Dec 17, 2016 · 50 commits to master since this release

ALPC support added:

...
21888.9656 (7124) ALPC/WaitForReply (0x1A10)
21888.9919 ALPC 08cli (228) ---(0x1A10)--> 08comsrv (6060)
21889.0919 ALPC 08cli (228) <--(0x1A10)--- 08comsrv (6060)
21889.1401 (7124) ALPC/WaitForReply (0x1A10)
21889.1602 ALPC 08cli (228) ---(0x1A10)--> 08comsrv (6060)
21889.5194 ALPC 08cli (228) <--(0x1A10)--- 08comsrv (6060)
21890.0651 (7124) ALPC/WaitForReply (0x1A10)
21890.0910 ALPC 08cli (228) ---(0x1A10)--> svchost (516)
21890.3824 ALPC 08cli (228) <--(0x1A10)--- svchost (516)
21890.5377 (7124) ALPC/WaitForReply (0x1A10)
21890.5600 ALPC 08cli (228) ---(0x1A10)--> svchost (516)
21890.6640 ALPC 08cli (228) <--(0x1A10)--- svchost (516)
31189.9461 ALPC 08cli (228) ---(0x1960)--> csrss (9020)
31189.9622 ALPC 08cli (228) ---(0x19C4)--> csrss (9020)
...

======= ALPC =======
Filtered process connected through ALPC with:
- csrss (9020)
- svchost (516)
- lsass (836)
- 08comsrv (6060)

1.0

@lowleveldesign lowleveldesign released this Oct 21, 2016 · 53 commits to master since this release

Initial release