Diagnostics with Event Viewer

Tracing made easy

Starting with Windows 7 and Windows Server 2008 R2, NDIS can be configured to emit certain diagnostic information to the event log.  The event log is very easy to use, and it doesn't require any special tools.  It's especially good for easily identifying problems with driver registration, PNP and power management, OID requests, and status indications.

Here's how to turn it on:

  1. Open the Event Viewer snap-in (Start > Run > "eventvwr.msc")
  2. From the View menu, check "Show Analytic and Debug Logs"
  3. On the left tree, expand down through Applications and Services Logs > Microsoft > Windows > NDIS
  4. Under the NDIS node, you should see Diagnostic and Operational channels.  Right-click on each, and select "Enable Log"

If you are having a hard time finding something in the UI, the overachievers at the excellent Ntdebugging blog have collected lots of screenshots of the procedure, starting under the heading "Enabling ETW Logging".  (They also give some more background on how the event logging infrastructure works -- it's a good read if you're ever curious about ETW.)

You'll find that NDIS's event log records lots of mundane events -- for example, on my machine, the very common event 10018 simply states:

Completing Request 0xfffffa8007d01af0 to Filter {c7cd2a33-5210-11e0-85d6-001aa0a3daf3}

This means that an OID request has been completed to an LWF (lightweight filter driver).

Here are a couple of tips for working with the Event Viewer UI:

  • Most NDIS events carry more data than the formatted message shows.  Click the "Details" tab to see all data associated with the event.
  • NDIS will log a lot of repetitive events under the Verbose and Info levels.  Click the "Filter Current..." link on the right side of the window to limit the display to events at level Critical, Error, and Warning.
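The four-step enabling procedure above and the two Event Viewer tips can also be done from an elevated PowerShell prompt, which is handy on a Server Core box or when you want to capture the output in a script. The block below is an added example, not code from the original post or from the NDIS team; it assumes the two channels shown under the NDIS node are published as Microsoft-Windows-NDIS/Operational and Microsoft-Windows-NDIS/Diagnostic (the names wevtutil and Get-WinEvent use), and it uses the standard event levels 1 = Critical, 2 = Error, 3 = Warning.

```powershell
# Added example (not from the original post): enable the NDIS event log
# channels and query them from PowerShell instead of the Event Viewer UI.
# Channel names are assumed to be the wevtutil names for the two channels
# that appear under Applications and Services Logs > Microsoft > Windows > NDIS.
$channels = 'Microsoft-Windows-NDIS/Operational', 'Microsoft-Windows-NDIS/Diagnostic'

# Step 4 of the procedure ("Enable Log"). /quiet:true suppresses the
# confirmation prompt wevtutil shows for analytic/debug channels.
foreach ($log in $channels) {
    wevtutil set-log $log /enabled:true /quiet:true
}

# Check that both channels are now enabled and see how many records they hold.
foreach ($log in $channels) {
    Get-WinEvent -ListLog $log | Select-Object LogName, IsEnabled, RecordCount
}

# Equivalent of "Filter Current Log": keep only Critical (1), Error (2) and
# Warning (3) events, which drops the Verbose/Info noise such as event 10018.
# Analytic/debug channels can only be read oldest-first, hence -Oldest.
$interesting = Get-WinEvent -Oldest -FilterHashtable @{
    LogName = $channels
    Level   = 1, 2, 3
} -ErrorAction SilentlyContinue

$interesting | Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize

# Equivalent of the "Details" tab: dump the raw EventData fields that the
# formatted Message string does not show.
foreach ($ev in $interesting | Select-Object -First 5) {
    $xml    = [xml]$ev.ToXml()
    $fields = $xml.Event.EventData.Data |
        ForEach-Object { '{0}={1}' -f $_.Name, $_.'#text' }
    '{0} [{1}] {2}' -f $ev.TimeCreated, $ev.Id, ($fields -join '; ')
}

# Analytic/debug logs fill up quickly; turn them back off once you have what
# you need (Event Viewer's "Disable Log" does the same thing).
foreach ($log in $channels) {
    wevtutil set-log $log /enabled:false /quiet:true
}
```

Run it from an elevated prompt; enabling or disabling these channels requires administrator rights, and Get-WinEvent returns an error rather than an empty result if you read an analytic or debug channel without -Oldest.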