Question

I'm trying to figure out how to use Event Tracing for Windows... but I'm failing.
Why does this code give me the error code ERROR_WMI_INSTANCE_NOT_FOUND?

#include <stdio.h>
#include <tchar.h>
#include <Windows.h>
#include <Wmistr.h>
#include <Evntrace.h>
#include <evntcons.h>

// Buffer callback: ProcessTrace invokes this once per delivered buffer.
// Per the ETW docs, returning TRUE asks ProcessTrace to keep delivering;
// this program has nothing to do per buffer, so it always continues.
ULONG NTAPI EtpEtwBufferCallback(IN PEVENT_TRACE_LOGFILE Buffer)
{
    (void)Buffer;  // buffer statistics are not inspected here
    return TRUE;
}
// Event callback: ProcessTrace invokes this once per event.
// Deliberately a no-op — the program only reports ProcessTrace's status,
// so every event is discarded without inspection.
VOID NTAPI EtpEtwEventCallback(IN PEVENT_TRACE EventTrace)
{
    (void)EventTrace;
}

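// Entry point: tries to attach to the "NT Kernel Logger" session as a
// real-time consumer and prints the status code ProcessTrace returns.
//
// This code is only a consumer; nothing here starts the session.  If no
// controller (tracelog.exe, or a StartTrace call) has started the kernel
// logger, ProcessTrace reports ERROR_WMI_INSTANCE_NOT_FOUND.
// NOTE(review): real-time consumption of the kernel logger normally also
// requires an elevated process (Administrators or Performance Log Users) —
// verify against the ETW docs for the target OS.
//
// Returns 0 when ProcessTrace reports ERROR_SUCCESS, 1 on any failure.
// (The original fell off the end of _tmain without a return statement and
// never checked OpenTrace's result or closed the trace handle.)
int _tmain()
{
    LPCTSTR loggerName = KERNEL_LOGGER_NAME;
    EVENT_TRACE_LOGFILE logFile = {0};
    // EVENT_TRACE_LOGFILE.LoggerName is non-const in the API; the cast is
    // only needed to satisfy the struct, the name is not modified.
    logFile.LoggerName = const_cast<LPTSTR>(loggerName);
    logFile.ProcessTraceMode = PROCESS_TRACE_MODE_REAL_TIME;
    logFile.BufferCallback = EtpEtwBufferCallback;
    logFile.EventCallback = EtpEtwEventCallback;

    TRACEHANDLE hTrace = OpenTrace(&logFile);
    if (hTrace == INVALID_PROCESSTRACE_HANDLE) {
        // OpenTrace signals failure through GetLastError; without this
        // check an invalid handle would be handed to ProcessTrace.
        _tprintf(_T("OpenTrace failed: %lu\n"), GetLastError());
        return 1;
    }

    // ERROR_WMI_INSTANCE_NOT_FOUND here means the named session is not
    // running or is not a real-time session.
    ULONG result = ProcessTrace(&hTrace, 1, NULL, NULL);
    // ULONG is unsigned long, so %lu is the matching conversion.
    _tprintf(_T("%lu\n"), result);

    // Always release the consumer handle, even when ProcessTrace failed.
    CloseTrace(hTrace);
    return result == ERROR_SUCCESS ? 0 : 1;
}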

Solution

From the ProcessTrace docs, ERROR_WMI_INSTANCE_NOT_FOUND means "the session from which you are trying to consume events in real time is not running or does not have the real-time trace mode enabled". Your code is only a consumer: nothing in it starts the "NT Kernel Logger" session, so there is no running session for OpenTrace/ProcessTrace to attach to. A controller has to start it first (tracelog.exe, or StartTrace with the kernel EnableFlags you want), and both starting and consuming that session normally require an elevated process (Administrators, or membership in the Performance Log Users group for consumers) — running the program non-elevated is another common reason the session appears to be missing.

You can start the NT Kernel Logger using tracelog from the Windows Driver Kit, though I don't have the WDK to hand so I haven't tried it.

This article explains how to start the NT Kernel Logger yourself.

Licensed under: CC-BY-SA with attribution