Question Looking DPC records

Toggle sidebar Toggle sidebar
M

mynameiss

Jul 7, 2024
6
0
10
I want to dump the WMI trace logs from the kernel dump and then the DPC trace logs in a format that WPA can read. What steps should I take to do this?

Sorry for my English.
 
Last edited:
@mynameiss

What have you tried thus far?

What ideas and/or steps have you actually attempted or considered?

Any coding etc. thus far?

Showing what you have done - your steps - thus far is important.

And if the attempted process is failing then show those steps including error codes, pop-ups, etc. (if any) that appear.
 
  • Like
Reactions: mynameiss
I'm trying to convert XML with tracerpt via Powershell, but every time I get The file or directory is corrupted and unreadable error. The file location is correct, and when I try to select the folder where the file is located instead of selecting the DMP file directly, I get Prompt Access Denied to Administrator? I don't understand.
 
Not at all something I have worked with (full disclosure).

First:

Do you have any way to test your code on an applicable file that you know you have admin access and that the file is not corrupted in some manner?

Noted that "x.etl" - the "x" seems unsual. Should it be a wildcard "*"?

What about the path to the required to the file? Is the full path included elsewhere in your code?



Second:

Are the following links relevant?

https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity

https://www.techwalla.com/articles/how-can-i-read-a-dmp-file

= = = =

Could not view the memory dump. Re: "problem with the preview".

Just some interim first thoughts from afar.
 
Ralston18 said:
Not at all something I have worked with (full disclosure).
Click to expand...
I don't know much about Windbg either. So I've been doing some research but I haven't gotten anything...

Ralston18 said:
First:

Do you have any way to test your code on an applicable file that you know you have admin access and that the file is not corrupted in some manner?
Click to expand...
I wrote a code in C# for administrator access and adapted it for powershell, but nothing changed. Probably I needed to set additional permissions for the folder when selecting it from the folder, but even if I did that, the corrupted warning would not change. I adapted a different dump but it kept giving the corrupted warning. I don't think there is a corruption.

Ralston18 said:
Noted that "x.etl" - the "x" seems unsual. Should it be a wildcard "*"?

What about the path to the required to the file? Is the full path included elsewhere in your code?
Click to expand...
I also tried a command for the file location and the result failed again. For the !wmitrace.logsave command I did exactly what microsoft wrote. When I put different names instead of "X", the same error persisted. I can't understand it unfortunately.

Ralston18 said:
Could not view the memory dump. Re: "problem with the preview".
Click to expand...
It probably can't preview because the file size is too big (Not too much)

Ralston18 said:
https://learn.microsoft.com/en-us/windows/win32/wmisdk/tracing-wmi-activity
Click to expand...
I saw it while doing research, but it contains definitions. I think.
 
One thing to look at is "For the !wmitrace.logsave command I did exactly what microsoft wrote."

Not unusual for documentation to have errors.

Did some more looking. Found this:

!wmitrace.logsave {LoggerID|LoggerName} Filename

Source:

https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/-wmitrace-logsave

Unless your code provides LoggerID|LoggerName in some other manner then those missing parameters may be some part of problem(s).

From the last paragraph of the link:

"To find the logger ID of a trace session, use the !wmitrace.strdump extension. Alternatively, you can use the Tracelog command tracelog -l to list the trace sessions and their basic properties, including the logger ID."

[My italics.]

Does your code include any such commands, etc.?

= = = =

Not at all a C# person so I cannot address what was done (or not done) with respect to the required administrative access.
 
  • Like
Reactions: mynameiss
mynameiss said:
WMI Trace Save: Debugger Extension. LoggerId = -1, Save File = 'LogData.etl' Failed to Find Logger
Click to expand...
You need to provide the name of the logging source or Id for which you're trying to export.

Code: 
!wmitrace.logsave 2 C:\Users\<user name>\Desktop\Trace.etl
 
  • Like
Reactions: mynameiss
Yes, guys, I love you. I'm having trouble here, there are no dpc records in the .etl files I saved. It's frustrating that I keep getting different problems...
 
Going back a bit then.....

What process or steps are you using to create and save the empty (no dpc reccords) .etl files?

What records (if any) are being found? Could be problem in the search criteria. Works but looking for records that do not exist and thus the file is empty.

For the most part try to accomplish each required action just as a standalone effort.

One technique is to add some extra lines of code that simply display given values, variables, filenames.

For example: display the files in the target folder where the .etl files are to be saved.

Then after the files is reportly saved by whatever code you are using - redisplay the folder again.

Is the file really there? Filename, date, size etc. as expected?

Then when each action (process) is working then combine and run in order per your requirements.

Premise being that if you know that each individual action works then any new problems are likely in the order off things or the code being used to tie it all together.
 
  • Like
Reactions: mynameiss
I mean, I worked on it for a few more hours. It was a code problem, like you said. Thank's for everything! Love you guys :)
 
You must log in or register to reply here.

TRENDING THREADS

Latest posts

Moderators online

Share this page

COMPANY
RESOURCES
FOLLOW
Top Bottom