Viewing WDF Logs In Windbg

One feature that is really helpful in debugging WDF drivers is the log file that is created by the frameworks themselves. In the log files you can see many warnings and errors that are created by the framework (i.e. they come for free and the driver does not have to do anything). Did you ever have a problem trying to understand why a call to a WDF function fails or what the framework is doing under the hood? Then continue reading.

In this post I’ll explain how to look at the framework log files while you’re debugging a driver using windbg. I assume that you have already installed the WDK in the directory %winddk%.

So, let’s start with UMDF:

  1. You need to debug the wudfhost application that hosts your driver. This is described in an earlier post of mine.
  2. In windbg execute the command “!wmitrace.searchpath %winddk%\tools\tracing\%arch%”, e.g. “!wmitrace.searchpath c:\WinDDK\6001\tools\tracing\x86”. The directory that you use should have files with names wdf01007.tmf, wdf01009.tmf, etc.
  3. Execute the command “!wmitrace.strdump” and find the number that corresponds to “WUDF Trace”. Let’s say that this number is 0x11.
  4. Execute the command “!wmitrace.logdump number_from_previous_step”, e.g. “!wmitrace.logdump 0x11”.
  5. In order to control the verbosity of the output, you can use WdfVerifier, which can be found at %winddk%\tools\wdf\%arch%\wdfverifier.exe. Select the tab “User Mode Driver Settings” and change the tracing level. Also, enable the option “Send Log Output to Kernel Debugger”. These options are global (i.e. they will be applied to all UMDF drivers).

For KMDF, things are easier:

  1. Load wdfkd in windbg. This file is located at %winddk%\bin\%arch%. In order to load it execute “!load %winddk%\bin\%arch%\wdfkd.dll”, e.g. “!load c:\WinDDK\6001\bin\x86\wdfkd.dll”.
  2. Execute “!wdftmffile %winddk%\tools\tracing\%arch%\wdf01009.tmf”, e.g. “!wdftmffile c:\WinDDK\tools\tracing\x86\wdf01009.tmf”. Make sure that the file wdf01009.tmf is in that directory. If you are debugging a KMDF 1.7 driver, then you need to use the file wdf01007.tmf, etc.
  3. Execute “!wdflogdump my_driver” to see the log for your driver. For example, if you are debugging the echo driver, execute “!wdflogdump echo”.
  4. In order to control the verbosity, you can use WdfVerifier. Select the “Kernel Mode User Driver Settings” tab, select your driver in the left panel and then either select or de-select the option “Enable verbose logging”. This option is per-driver, i.e. if you want to enable verbose logging for multiple drivers, then you need to select all of them in the left panel.
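
The KMDF steps depend on picking the TMF file that matches the framework version, so here is an added helper (not part of the original post) that checks the tracing directory for the right file before emitting the three debugger commands. The function names are hypothetical, the version-to-file-name pattern is an assumption inferred from the wdf01007.tmf and wdf01009.tmf names above, and the directory listing in the demo is constructed.

```python
import ntpath
import os

def tmf_name(major, minor):
    # Assumed pattern, inferred from the post: KMDF 1.7 -> wdf01007.tmf,
    # i.e. two-digit major followed by three-digit minor.
    return "wdf%02d%03d.tmf" % (major, minor)

def kmdf_log_commands(winddk, arch, version, driver, listing):
    # listing: file names found in <winddk>\tools\tracing\<arch>.
    # Raises if the TMF for this framework version is missing.
    major, minor = (int(part) for part in version.split("."))
    wanted = tmf_name(major, minor)
    present = {name.lower() for name in listing}
    if wanted not in present:
        available = sorted(n for n in present
                           if n.startswith("wdf") and n.endswith(".tmf"))
        raise FileNotFoundError("%s not found; TMF files present: %s"
                                % (wanted, ", ".join(available) or "none"))
    tracing = ntpath.join(winddk, "tools", "tracing", arch)
    return [
        "!load " + ntpath.join(winddk, "bin", arch, "wdfkd.dll"),
        "!wdftmffile " + ntpath.join(tracing, wanted),
        "!wdflogdump " + driver,
    ]

def commands_from_disk(winddk, arch, version, driver):
    # Same check against a real WDK install on the debugger host.
    tracing = os.path.join(winddk, "tools", "tracing", arch)
    return kmdf_log_commands(winddk, arch, version, driver, os.listdir(tracing))

if __name__ == "__main__":
    # Constructed listing standing in for c:\WinDDK\6001\tools\tracing\x86.
    sample = ["wdf01007.tmf", "wdf01009.tmf"]
    for line in kmdf_log_commands(r"c:\WinDDK\6001", "x86", "1.9", "echo", sample):
        print(line)
```

The printed lines can be pasted into the windbg command window in order.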
