Releases: lowleveldesign/wtrace

3.3

14 Sep 07:27

Changelog:

  • the summary view now includes RPC procedure names (if wtrace was able to resolve them)
  • from now on, Process/Thread events are always enabled (they are required for filters to work)
  • minor improvements and fixes

You may find more details in the blog post describing the new release.

Hashes for the wtrace.exe binary:

MD5 = DF60B4BA8D6E9B07479E2FAD0520319B
SHA1 = 2C9C790B63DC9669AB2ED4AA936ACDAB94937B3D
SHA256 = 2CE3E6D447E32952388A5088C2A58DF836F87F605FD62F7DC605338F5F383271
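Before running a downloaded wtrace.exe, compare its digests with the ones published above; the Python below is an added example (not part of the wtrace project) that parses the `ALGO = HEX` lines exactly as this page prints them and checks a file against them in a single streaming pass. The download path `wtrace.exe` and the bytes used in the self-check are assumptions, and only a matching SHA256 is treated as a pass, since MD5 and SHA1 are collision-prone and kept for reference only.

```python
"""Verify a downloaded wtrace.exe against the digests published on the releases page.

Added example, not part of the wtrace project. The path handed to verify_file() is an
assumption; the bytes used in the self-check are constructed, not taken from any release.
"""
from __future__ import annotations

import hashlib
import re
from pathlib import Path

# Hash lines exactly as published above for wtrace 3.3.
WTRACE_3_3_HASH_LINES = """
MD5 = DF60B4BA8D6E9B07479E2FAD0520319B
SHA1 = 2C9C790B63DC9669AB2ED4AA936ACDAB94937B3D
SHA256 = 2CE3E6D447E32952388A5088C2A58DF836F87F605FD62F7DC605338F5F383271
"""

# One "ALGO = HEX" line. The page prints upper-case hex while hexdigest() returns
# lower-case, so both sides are normalised to lower-case before comparing.
_HASH_LINE = re.compile(r"^\s*(MD5|SHA1|SHA256)\s*=\s*([0-9A-Fa-f]+)\s*$", re.IGNORECASE)


def parse_hash_lines(text: str) -> dict[str, str]:
    """Return {'md5': ..., 'sha1': ..., 'sha256': ...} from lines in the page's format."""
    expected: dict[str, str] = {}
    for line in text.splitlines():
        m = _HASH_LINE.match(line)
        if m:
            expected[m.group(1).lower()] = m.group(2).lower()
    return expected


def digest_chunks(chunks) -> dict[str, str]:
    """Feed an iterable of byte chunks through all three hashes in one pass."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for chunk in chunks:
        for h in hashes.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def _compare(actual: dict[str, str], expected: dict[str, str]) -> dict[str, bool]:
    """Per-algorithm match result; expected keys and hex are case-insensitive."""
    return {algo.lower(): actual[algo.lower()] == hexdigest.lower()
            for algo, hexdigest in expected.items()}


def verify_bytes(data: bytes, expected: dict[str, str]) -> dict[str, bool]:
    """Check in-memory data (used by the self-test below)."""
    return _compare(digest_chunks([data]), expected)


def verify_file(path: str | Path, expected: dict[str, str],
                chunk_size: int = 1 << 20) -> dict[str, bool]:
    """Hash a file in 1 MiB chunks so a large binary is never loaded whole."""
    with open(path, "rb") as f:
        actual = digest_chunks(iter(lambda: f.read(chunk_size), b""))
    return _compare(actual, expected)


def is_trusted(results: dict[str, bool]) -> bool:
    """Only a matching SHA256 counts; MD5 and SHA1 are collision-prone and informational."""
    return results.get("sha256") is True


if __name__ == "__main__":
    # Assumed download location; adjust to wherever wtrace.exe was saved.
    target = Path("wtrace.exe")
    results = verify_file(target, parse_hash_lines(WTRACE_3_3_HASH_LINES))
    for algo, ok in results.items():
        print(f"{algo.upper():6} {'OK' if ok else 'MISMATCH'}")
    print("trusted" if is_trusted(results) else "do not run: SHA256 mismatch")
```

The same `parse_hash_lines()` works for the 3.2 and 3.1 hash blocks further down the page; paste the three lines of the release you downloaded in place of `WTRACE_3_3_HASH_LINES`.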

3.2

28 Jun 06:43

NEW features:

  • added support for load image events (#15)

Hashes for the wtrace.exe binary:

MD5 = 50D867653449A348D248C9BA83F95012
SHA1 = 06FB5EDD7F7EAFA4B35A7639E99AF51A68F74C7D
SHA256 = D4400B327EDDFC83B7182214CC894B3A2D41E836E5C65FE1EC9874456324CFE3

3.1

02 Mar 18:57

NEW features:

  • added support for UDP events (#14)

Hashes for the wtrace.exe binary:

MD5 = B1B05F925382FD98A7048BBFE2C1B429
SHA1 = C2BC4BB398D142A16B763DEF2E6BC76586DC45FB
SHA256 = CAD1A1A4448A8BEE58F99FFFEF824A014C300676B9BF1148FF5B54E2805391FE

3.0

29 Jan 16:14

The post describing the new release is at https://wtrace.net/2021/01/29/announcing-wtrace-3-0/.

NEW features:

  • system-wide tracing
  • extensive filtering options
  • a --handlers option to choose handlers for the trace session
  • a process tree in the statistics view

FIXES:

  • missing paths are much less common
  • wtrace can run in a Windows container (requires .NET Framework 4.7.2)

REMOVED features:

  • PowerShell events
  • ALPC events

Wtrace 3.0 runs on Windows 8.1+ and requires .NET Framework 4.7.2. If you need to trace an older system, please use wtrace 2.2.

2.2

25 Oct 19:15

Changes

  • PowerShell commands tracing added
  • Basic filtering for event names (-f switch)

Please have a look at the post on my blog to learn more.

2.1

12 Sep 05:52

Changes

  • You may trace only drivers, with no process specified (wtrace -s)
  • Trace all child processes started by the parent process (-c switch)

2.0

13 Aug 15:12

Changes

  • Summary events are again displayed at the end of the trace
  • Statistics for driver execution (DPC/ISR events) are collected during the trace session (-s option), e.g.:
> wtrace -s notepad
...
--------------------------------
              ISR
--------------------------------
'C:\WINDOWS\System32\drivers\HDAudBus.sys', total: 4,047ms (338 event(s))
'C:\WINDOWS\system32\drivers\Wdf01000.sys', total: 1,831ms (372 event(s))
'C:\WINDOWS\System32\drivers\USBPORT.SYS', total: 0,599ms (66 event(s))

--------------------------------
              DPC
--------------------------------
'C:\WINDOWS\system32\drivers\Wdf01000.sys', total: 27,645ms (372 event(s))
'C:\WINDOWS\System32\drivers\dxgkrnl.sys', total: 11,721ms (665 event(s))
'C:\WINDOWS\system32\ntoskrnl.exe', total: 10,388ms (526 event(s))
'C:\WINDOWS\System32\drivers\USBPORT.SYS', total: 3,768ms (321 event(s))
'C:\WINDOWS\System32\drivers\HDAudBus.sys', total: 1,581ms (338 event(s))
'C:\WINDOWS\system32\drivers\ndis.sys', total: 1,162ms (99 event(s))
'C:\WINDOWS\System32\drivers\tcpip.sys', total: 0,637ms (30 event(s))
'C:\WINDOWS\system32\DRIVERS\igdkmd64.sys', total: 0,571ms (93 event(s))
'C:\WINDOWS\System32\drivers\storport.sys', total: 0,469ms (17 event(s))
'C:\WINDOWS\System32\drivers\vmswitch.sys', total: 0,311ms (35 event(s))
'C:\WINDOWS\System32\drivers\dxgmms2.sys', total: 0,174ms (27 event(s))
'C:\WINDOWS\System32\drivers\CLASSPNP.SYS', total: 0,046ms (1 event(s))
'C:\WINDOWS\System32\drivers\vmbusr.sys', total: 0,033ms (6 event(s))
'C:\WINDOWS\System32\drivers\bridge.sys', total: 0,019ms (4 event(s))
'C:\WINDOWS\system32\drivers\hvservice.sys', total: 0,009ms (3 event(s))
'C:\WINDOWS\System32\drivers\storahci.sys', total: 0,005ms (2 event(s))
'C:\WINDOWS\system32\Drivers\WdNisDrv.sys', total: 0,004ms (2 event(s))
...
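The DPC/ISR summary above is plain text, so comparing a machine's driver time against a known-good baseline means parsing it first. The Python below is an added example, not part of wtrace: it reads the section headers and rows in the format shown above, treats the comma in `4,047ms` as a decimal separator (the sample was printed with a locale that uses one; handling of the separator is an assumption about the format, not documented wtrace behaviour), and aggregates time per driver across both sections so that a driver with unusually high DPC/ISR time stands out. The sample rows are copied from the output above.

```python
"""Parse the DPC/ISR driver summary that `wtrace -s` prints, for baselining driver time.

Added example, not part of wtrace. It assumes the row format shown on the releases page
and that the comma in '4,047ms' is a decimal separator (locale-dependent output).
"""
from __future__ import annotations

import re

# Excerpt of the summary printed above: section headers plus a few rows.
SAMPLE_SUMMARY = r"""
--------------------------------
              ISR
--------------------------------
'C:\WINDOWS\System32\drivers\HDAudBus.sys', total: 4,047ms (338 event(s))
'C:\WINDOWS\system32\drivers\Wdf01000.sys', total: 1,831ms (372 event(s))

--------------------------------
              DPC
--------------------------------
'C:\WINDOWS\system32\drivers\Wdf01000.sys', total: 27,645ms (372 event(s))
'C:\WINDOWS\System32\drivers\dxgkrnl.sys', total: 11,721ms (665 event(s))
'C:\WINDOWS\System32\drivers\HDAudBus.sys', total: 1,581ms (338 event(s))
"""

# One driver row: 'path', total: <ms>ms (<n> event(s))
_ROW = re.compile(
    r"^'(?P<path>[^']+)', total: (?P<ms>[0-9.,]+)ms \((?P<events>\d+) event\(s\)\)\s*$")
# A section header is a bare word (ISR, DPC) between the dashed lines.
_SECTION = re.compile(r"^[A-Za-z]+$")


def parse_ms(text: str) -> float:
    """'4,047' -> 4.047, '1.234,5' -> 1234.5, '1,234.5' -> 1234.5.

    Whichever separator appears last is taken as the decimal point; any other
    separator is treated as a thousands grouping character. Assumption: wtrace
    formats the number with the current locale and no other punctuation.
    """
    last_comma, last_dot = text.rfind(","), text.rfind(".")
    if last_comma > last_dot:
        text = text.replace(".", "").replace(",", ".")
    else:
        text = text.replace(",", "")
    return float(text)


def parse_driver_summary(text: str) -> dict[str, list[dict]]:
    """Return {'ISR': [row, ...], 'DPC': [row, ...]} in the order printed."""
    summary: dict[str, list[dict]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue                      # blank or dashed separator line
        if _SECTION.match(line):
            section = line
            summary.setdefault(section, [])
            continue
        m = _ROW.match(line)
        if m and section:
            events = int(m["events"])
            total_ms = parse_ms(m["ms"])
            summary[section].append({
                # Paths differ only in case between rows (System32 vs system32),
                # so the basename is lower-cased for grouping.
                "driver": m["path"].rsplit("\\", 1)[-1].lower(),
                "path": m["path"],
                "total_ms": total_ms,
                "events": events,
                "us_per_event": total_ms * 1000.0 / events if events else 0.0,
            })
    return summary


def top_drivers(summary: dict[str, list[dict]], section: str, n: int = 3) -> list[dict]:
    """Rows of one section sorted by total time, highest first."""
    return sorted(summary.get(section, []), key=lambda r: r["total_ms"], reverse=True)[:n]


def per_driver_totals(summary: dict[str, list[dict]]) -> dict[str, float]:
    """Total DPC+ISR milliseconds per driver basename, for comparison with a baseline."""
    totals: dict[str, float] = {}
    for rows in summary.values():
        for r in rows:
            totals[r["driver"]] = totals.get(r["driver"], 0.0) + r["total_ms"]
    return totals


if __name__ == "__main__":
    parsed = parse_driver_summary(SAMPLE_SUMMARY)
    for section in parsed:
        for row in top_drivers(parsed, section):
            print(f"{section:3} {row['driver']:<16} {row['total_ms']:8.3f} ms "
                  f"{row['events']:5d} events {row['us_per_event']:7.2f} us/event")
    for driver, ms in sorted(per_driver_totals(parsed).items(), key=lambda kv: -kv[1]):
        print(f"total {driver:<16} {ms:8.3f} ms")
```

Feed the captured `wtrace -s` output to `parse_driver_summary()` in place of the sample and keep the `per_driver_totals()` result from a known-good machine; a driver that later appears with a much larger total, or one that is not in the baseline at all, is the thing to look at.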

1.3

12 Mar 07:24

Changes

  • PowerShell support
  • More consistent output to make filtering easier: the summary is printed as summary events

1.2

08 Jan 06:06

You may now trace RPC calls with wtrace!

Example trace:

4317.5999 (8424.15088) RpcClientCall/Stop  --- NamedPipes --> 6bffd098-a112-3610-9833-46c3f87e345a (\PIPE\wkssvc) 11
4317.7007 (8424.15088) RpcClientCall/Start --- LRPC --> 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL
4317.8605 (8424.15088) RpcServerCall/Start <-- LRPC --- 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL (96.5612)
4317.9506 (96.5612) RpcServerCall/Stop  <-- LRPC --- 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL (96.5612)
4317.9738 (8424.15088) RpcClientCall/Stop  --- LRPC --> 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL

More information is available in the wiki.

1.1

17 Dec 13:03

ALPC support added:

...
21888.9656 (7124) ALPC/WaitForReply (0x1A10)
21888.9919 ALPC 08cli (228) ---(0x1A10)--> 08comsrv (6060)
21889.0919 ALPC 08cli (228) <--(0x1A10)--- 08comsrv (6060)
21889.1401 (7124) ALPC/WaitForReply (0x1A10)
21889.1602 ALPC 08cli (228) ---(0x1A10)--> 08comsrv (6060)
21889.5194 ALPC 08cli (228) <--(0x1A10)--- 08comsrv (6060)
21890.0651 (7124) ALPC/WaitForReply (0x1A10)
21890.0910 ALPC 08cli (228) ---(0x1A10)--> svchost (516)
21890.3824 ALPC 08cli (228) <--(0x1A10)--- svchost (516)
21890.5377 (7124) ALPC/WaitForReply (0x1A10)
21890.5600 ALPC 08cli (228) ---(0x1A10)--> svchost (516)
21890.6640 ALPC 08cli (228) <--(0x1A10)--- svchost (516)
31189.9461 ALPC 08cli (228) ---(0x1960)--> csrss (9020)
31189.9622 ALPC 08cli (228) ---(0x19C4)--> csrss (9020)
...

======= ALPC =======
Filtered process connected through ALPC with:
- csrss (9020)
- svchost (516)
- lsass (836)
- 08comsrv (6060)