Command line tracing tool for Windows, based on ETW.
License: MIT License
In my GitHub repositories you may find tools and materials dedicated to software troubleshooting.
I also publish my work at wtrace.net (troubleshooting tools and guides) and lowleveldesign.wordpress.com (my blog).
I hope you find the materials informative and beneficial to your own projects.
Support loadimage, Like: --handlers loadimage
Add a handler for the UDP ETW events.
Heya! This is an awesome tool. This isn't so much of as issue as a feature request: it would be excellent to be able to do something like:
wtrace mspaint | where {$_.syscall -eq "FileIO/Close" }
Or similar.
Windows 10 introduced a new ETW event type that is manifest less called TraceLogging.
It would useful if wtrace added support for capturing and viewing this new type of ETW event.
Thank you for creating wtrace! I'm trying to use it instead of Procmon, which is a GUI program, and using a CLI is much more convenient for many tasks.
In Procmon I'm able to see CreateProcess events, so I could for example wait for a Python program to be launched, and then get its command line arguments. How can I do this using wtrace? I'm not sure which arguments I should give wtrace, since my process doesn't exist yet.
After replacing the Chromium PInvoke methods with PInvoke nuget packages, wtrace stopped working on Win7. To fix.
C:\WINDOWS\system32>"C:\Program Files\Sysinternals\wtrace.exe" C:\Windows\system32\wbadmin.exe
ERROR: an error occurred while trying to start or open the process, hr: 0x80004005, code: 0x00000002 (The system cannot find the file specified).
wtrace fails when run inside a Docker container. Example code to replicate the issue:
C:\Users\Sebastian>docker inspect -f "{{ .NetworkSettings.Networks.nat.IPAddress }}" my-running-site
172.23.31.132
PS samplesite> docker run -d -v d:\temp:c:\host --name my-running-site aspnet-site
14065bc4473a0857b246e7d1812a2b338f4597bd980d8b193f4edfa95be2320e
PS samplesite> docker ps -all
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
14065bc4473a aspnet-site "C:\\ServiceMonitor..." 36 seconds ago Up 20 seconds 80/tcp my-running-site
PS samplesite> docker exec -it 140 powershell
PS C:\wtrace\wtrace> .\wtrace.exe cmd
ERROR: severe error happened when starting application: Value does not fall within the expected range.
C:\WINDOWS\system32>strace.exe -c -v netsh interface ipv4 set address name="test" static 169.254.215.40 255.255.0.0
wtrace v3.3.22257.11 - collects process or system traces
Copyright (C) 2022 Sebastian Solnica (lowleveldesign.org)
Visit https://wtrace.net to learn more
HANDLERS
file, image, process, rpc, tcp, udp
Starting the tracing session (might take a moment). Press Ctrl + C to exit.
WTrace.ETW.Tracing Information: 0 : [etw] Starting main ETW session
WTrace.ETW.Tracing Information: 0 : [etw] Starting rundown session wtrace-rt_rundown
WTrace.Tracing Information: 0 : [filter] including process netsh (2672)
WTrace.Tracing Information: 0 : [filter] including process netsh (2672)
WTrace.ETW.Tracing Information: 0 : [etw] Rundown session finished
Process (2672) exited.
WTrace.ETW.Tracing Information: 0 : [etw] Main ETW session completed
--------------------------------
Processes
--------------------------------
├─ netsh [2672]
C:\WINDOWS\system32>I saw your previous question on stackoverflow, but you didn't seem to find a good solution
I've just seen a way to do this with ActivityId
Here's the link to the original article:
https://www.elastic.co/cn/security-labs/effective-parenting-detecting-lrpc-based-parent-pid-spoofing
Hello @lowleveldesign
Awesome project ! I found pretty much everything I needed, from the ability to trace a process and its childs, limiting to a set of handlers, or filtering on specific keywords. The only missing thing is a flexible output option.
Correct me if I am wrong, at the moment, the tool can only write to stdout, so you need to pipe it to a file then manually parse the output which is not good (as parsing cli output is a bad pattern anyway).
I believe producing in JSON format will be helpful for many folks.
Cheers.
Some of the file I/O events show empty file names.
Tracing starts correctly and later stops, thinking that the application ended. To investigate.
the linked wiki is blank. Does any wiki page exist?
When building solution (both Release or Debug) required folders amd64 and x86 from binaries subdirectory are not copied to the output path. This results in the following exception during execution:
> wtrace.exe notepad
Unhandled Exception: System.ComponentModel.Win32Exception: The specified module could not be found
at Microsoft.Diagnostics.Tracing.Extensions.ETWKernelControl.LoadKernelTraceControl()
at Microsoft.Diagnostics.Tracing.Extensions.ETWKernelControl.StartKernelSession(UInt64& TraceHandle, Void* propertyBuff, Int32 propertyBuffLength, STACK_TRACING_EVENT_ID* stackTracingEventIds, Int32 cStackTracingEventIds)
at Microsoft.Diagnostics.Tracing.Session.TraceEventSession.EnableKernelProvider(Keywords flags, Keywords stackCapture)
at LowLevelDesign.WinTrace.TraceCollector.Start() in F:\GithubProjects\wtrace\wtrace\TraceCollector.cs:line 38
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.QueueUserWorkItemCallback.System.Threading.IThreadPoolWorkItem.ExecuteWorkItem()
at System.Threading.ThreadPoolWorkQueue.Dispatch()
Using VS 2017 Enterprsie 15.3.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.