DTrace on Windows
Published Mar 11 2019 10:04 AM 172K Views
Microsoft

Here at Microsoft, we are always looking to engage with open source communities to produce better solutions for the community and our customers. One of the more useful debugging advances to arrive in the last decade is DTrace. DTrace needs little introduction: it is a dynamic tracing framework that gives an admin or developer a real-time look into a system, in either user or kernel mode. DTrace comes with a powerful, high-level, C-style programming language (D) that lets you enable trace points dynamically at runtime. Using these dynamically inserted trace points, you can filter on conditions or errors, write code to analyze lock patterns, detect deadlocks, and so on. ETW, while powerful, is static and does not let you insert trace points programmatically at runtime.

There are a lot of websites and resources from the community for learning about DTrace. One of the most comprehensive is the Dynamic Tracing Guide HTML book on the dtrace.org website. This ebook describes DTrace in detail and is the authoritative guide for DTrace. We also have Windows-specific examples below that provide more information.

Starting in 2016, the OpenDTrace effort began on GitHub with the aim of providing a portable implementation of DTrace for different operating systems. We decided to add support for DTrace on Windows using this OpenDTrace port.

We have created a Windows branch for "DTrace on Windows" under the OpenDTrace project on GitHub. All the changes we made to support DTrace on Windows are available there. Over the next few months, we plan to work with the OpenDTrace community to merge our changes. All our source code is also available on the 3rd party sources website maintained by Microsoft.

Without further ado, let's get into how to set up and use DTrace on Windows.

Install and Run DTrace

Prerequisites for using the feature

  • Windows 10 insider build 18342 or higher
  • Only available on x64 Windows and captures tracing info only for 64-bit processes
  • Windows Insider Program is enabled and configured with valid Windows Insider Account
    • Visit Settings->Update & Security->Windows Insider Program for details

Instructions:

  1. Enable DTrace in the boot configuration:
    1. bcdedit /set dtrace on
    2. Note that you need to set this bcdedit option again after upgrading to a new Insider build.
  2. Download and install the DTrace package from the Download Center.
    1. This installs the user-mode components, the drivers, and the additional Feature on Demand (FOD) package necessary for DTrace to be functional.
  3. Optional: Update the PATH environment variable to include C:\Program Files\DTrace
    1. set PATH=%PATH%;"C:\Program Files\DTrace"
  4. Set up the symbol path:
    1. Create a new directory for caching symbols locally. Example: mkdir c:\symbols
    2. Set _NT_SYMBOL_PATH=srv*C:\symbols*https://msdl.microsoft.com/download/symbols
    3. DTrace automatically downloads the symbols it needs from the symbol server and caches them in the local path.
  5. Optional: Set up a kernel debugger connection to the target machine (see the MSDN documentation). This is only required if you want to trace kernel events using FBT or other kernel-mode providers.
    1. Note that you will need to disable Secure Boot and BitLocker on C: (if enabled) to set up a kernel debugger. Both changes weaken the machine's protection against tampering with the boot chain and the system volume, so do this on a dedicated test machine rather than on a system you rely on.
  6. Reboot the target machine.

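Several of the steps above can silently be missing later (the bcdedit flag is lost on an Insider upgrade, the Feature on Demand package can fail to install, the symbol path may be unset in a new console). The following PowerShell script, added here as an illustration and not part of the original post or the DTrace package, checks each prerequisite from an elevated prompt. The capability name Tools.DTrace.Platform~~~~0.0.1.0 and the service name dtrace are taken from the comment thread on this page; the function name and the check labels are the example's own.

```powershell
# Added example (not part of the original post or the DTrace package): pre-flight
# check for the setup steps above. Run from an elevated PowerShell prompt.
# The capability name and the 'dtrace' service name are taken from the comment
# thread on this page; everything else uses standard Windows cmdlets.

function Test-DTraceSetup {
    param(
        [int]$MinimumBuild = 18342,                                   # from the prerequisites
        [string]$CapabilityName = 'Tools.DTrace.Platform~~~~0.0.1.0'  # FOD package name (from the comments)
    )

    $checks = [ordered]@{}

    # Only x64 Windows is supported, and only 64-bit processes are traced.
    $checks['x64 OS'] = [Environment]::Is64BitOperatingSystem

    # Insider build 18342 or higher.
    $build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
    $checks["build >= $MinimumBuild (have $build)"] = ($build -ge $MinimumBuild)

    # 'bcdedit /set dtrace on' shows up as a 'dtrace  Yes' line in the current boot entry;
    # it is lost on an Insider upgrade, which is why it is checked rather than assumed.
    $bcd = & bcdedit /enum '{current}' 2>&1
    $checks['bcdedit dtrace on'] = [bool]($bcd | Where-Object { $_ -match '^\s*dtrace\s+Yes\s*$' })

    # The Feature on Demand package the MSI adds must be Installed, not NotPresent.
    $cap = Get-WindowsCapability -Online -Name $CapabilityName -ErrorAction SilentlyContinue
    $checks["capability $CapabilityName installed"] = ($null -ne $cap -and $cap.State -eq 'Installed')

    # dtrace.sys is registered as the 'dtrace' service (see the Error 1920 report in the comments).
    $svc = Get-Service -Name dtrace -ErrorAction SilentlyContinue
    $checks['dtrace service running'] = ($null -ne $svc -and $svc.Status -eq 'Running')

    # Symbol path is needed for anything that dereferences kernel types (e.g. the _EPROCESS one-liner).
    $checks['_NT_SYMBOL_PATH set'] = -not [string]::IsNullOrWhiteSpace($env:_NT_SYMBOL_PATH)

    # Optional PATH step.
    $checks['dtrace.exe on PATH'] = ($null -ne (Get-Command dtrace.exe -ErrorAction SilentlyContinue))

    $checks
}

$result = Test-DTraceSetup
$result.GetEnumerator() | ForEach-Object {
    '{0,-4} {1}' -f ($(if ($_.Value) { 'OK' } else { 'FAIL' }), $_.Key)
}
if ($result.Values -contains $false) {
    Write-Warning 'One or more prerequisites are missing; revisit the numbered steps above before running dtrace.'
}
```

Run it again after every Insider upgrade: the bcdedit check is the one that most often regresses, and a missing flag produces the "No probe matches description" error that several commenters below ran into.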

Running DTrace

Launch a CMD prompt as administrator.

Get started with these sample one-liners:

# Syscall summary by program for 5 seconds:
dtrace -Fn "tick-5sec { exit(0);} syscall:::entry{ @num[pid,execname] = count();} "

# Summarize timer set/cancel program for 3 seconds:
dtrace -Fn "tick-3sec { exit(0);} syscall::Nt*Timer*:entry { @[probefunc, execname, pid] = count();}"

# Dump System Process kernel structure: (requires symbol path to be set)
dtrace -n "BEGIN{print(*(struct nt`_EPROCESS *) nt`PsInitialSystemProcess);exit(0);}"

# Tracing paths through NTFS when running notepad.exe (requires KD attach): run the command below, then launch notepad.exe
dtrace -Fn "fbt:ntfs::/execname==\"notepad.exe\"/{}"

The command dtrace -lvn syscall::: lists all the probes available from the syscall provider together with their parameters.

The following are some of the providers available on Windows and what they instrument.

  • syscall – NTOS system calls
  • fbt (Function Boundary Tracing) – Kernel function entry and returns
  • pid – User-mode process tracing. Like kernel-mode FBT, but also allowing the instrumentation of arbitrary function offsets.
  • etw (Event Tracing for Windows) – Allows probes to be defined for ETW events. This provider lets DTrace leverage the existing operating system instrumentation that Windows already provides through ETW.
    • This is one addition we made to DTrace so that it can expose and gain all the information that Windows already provides in ETW.

More sample scripts for Windows scenarios are in the samples directory of the source.

How to file feedback?

DTrace on Windows is very different from our typical Windows features, and we are going to rely on our Insider community to guide us. If you hit any problems or bugs, please use the Feedback Hub to let us know.

  1. Launch the Feedback Hub app.
  2. Select Add new feedback.
  3. Please provide a detailed description of the issue or suggestion.
    1. Currently, we do not automatically collect any debug traces, so your verbatim feedback is crucial for understanding and reproducing the issue. Pass on any verbose logs.
    2. You can set DTRACE_DEBUG environment variable to 1 to collect verbose dtrace logs.
  4. Submit

DTrace Architecture

Let's talk a little about the internals and architecture of how we support DTrace. As mentioned, DTrace on Windows is a port of OpenDTrace and reuses much of its user-mode components and architecture. Users interact with DTrace through the dtrace command, which is a generic front end to the DTrace engine. D scripts are compiled in user space to an intermediate format (DIF) and sent to the DTrace kernel component for execution, sometimes called the DIF virtual machine. This runs in the dtrace.sys driver.

Traceext.sys (trace extension) is a new kernel extension driver we added, which lets Windows expose the functionality DTrace relies on to provide tracing. The Windows kernel provides callouts during stack walks or memory accesses, and the trace extension implements them.

All APIs and functionality used by dtrace.sys are documented calls.

[Figure: dtrace.png, DTrace on Windows architecture diagram]

Security

Security of Windows is key for our customers, and the security model of DTrace makes it well suited to Windows. The DTrace guide linked above has a section on DTrace security and performance impact that anyone interested in this space should read. At a high level, D scripts are compiled to an intermediate form (DIF) that is validated for safety before anything runs, and the validated code executes in its own restricted environment (think C# or Java bytecode) rather than as native kernel code. That environment also catches run-time faults, such as a bad memory access, and reports them as probe errors instead of crashing the system. The cost of an enabled probe is small and should not visibly affect system performance unless you enable very many probes on performance-sensitive paths.

DTrace on Windows also uses the Windows security model to constrain who can trace what:

  1. To connect to the DTrace trace engine, your account needs to be a member of the Administrators group or run as LocalSystem.
  2. Events originating from kernel mode (FBT, syscalls whose previous mode is 'kernel', etc.) are only traceable if a kernel debugger is attached.
  3. To read kernel-mode memory (probe parameters for kernel-mode originated events, kernel-mode global variables, etc.), the following must both be true:
    1. The DTrace session's security context has either the TCB or the LoadDriver privilege enabled.
    2. Secure Boot is not active.
  4. To trace a user-mode process, the user needs to have:
    1. The Debug privilege.
    2. DEBUG access to the target process.

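To see where a given session stands against these rules before starting a trace, the following PowerShell function (an added example, not code from the post or from the DTrace project) reports the token and platform state the list refers to. It only reads state and enables nothing. Whether dtrace enables the Debug privilege itself or expects it already enabled is not stated above, so the function reports both whether the token holds each privilege and its Enabled/Disabled state. A kernel debugger attachment cannot be observed from user mode, so the function checks the boot-entry debug flag instead; the function and property names are the example's own.

```powershell
# Added example (not part of the original post or the DTrace project): report the
# token and platform state that the four rules above depend on. It only reads state;
# it does not enable privileges or change any setting. Run it from the prompt you
# intend to run dtrace from, so the token it inspects is the one dtrace will get.

function Get-DTraceSecurityContext {
    # Rule 1: member of Administrators (elevated token) or running as LocalSystem.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Rules 3 and 4 talk about privileges; 'whoami /priv' lists each one the token
    # holds with its state. Privileges the token does not hold do not appear at all.
    $priv = @{}
    foreach ($line in (& whoami /priv)) {
        if ($line -match '^(Se\w+Privilege)\s+.*\s(Enabled|Disabled)\s*$') {
            $priv[$Matches[1]] = $Matches[2]
        }
    }

    # Rule 3b: Secure Boot must not be active to read kernel memory.
    # Confirm-SecureBootUEFI errors on legacy BIOS machines; treat that as not active.
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $secureBoot = $false }

    # Rule 2 needs a kernel debugger attached; that cannot be observed from user mode,
    # but 'bcdedit /debug on' leaves a 'debug  Yes' line in the current boot entry.
    $bcd = & bcdedit /enum '{current}' 2>&1
    $kdConfigured = [bool]($bcd | Where-Object { $_ -match '^\s*debug\s+Yes\s*$' })

    $kernelMemPriv = ($priv['SeTcbPrivilege'] -eq 'Enabled') -or ($priv['SeLoadDriverPrivilege'] -eq 'Enabled')

    [pscustomobject]@{
        Account                  = $identity.Name
        IsLocalSystem            = $identity.IsSystem
        IsAdministrator          = $isAdmin
        CanConnectToEngine       = ($isAdmin -or $identity.IsSystem)
        DebugPrivilegeHeld       = $priv.ContainsKey('SeDebugPrivilege')
        DebugPrivilegeState      = $priv['SeDebugPrivilege']
        TcbPrivilegeState        = $priv['SeTcbPrivilege']
        LoadDriverPrivilegeState = $priv['SeLoadDriverPrivilege']
        SecureBootActive         = $secureBoot
        KernelDebugConfigured    = $kdConfigured
        CanReadKernelMemory      = ($kernelMemPriv -and -not $secureBoot)
    }
}

Get-DTraceSecurityContext | Format-List
```

A non-elevated prompt on an administrator account will show CanConnectToEngine as False and no SeDebugPrivilege at all, which is the state behind the "failed to match" and "unknown fault in action" reports further down this page; SecureBootActive True with a kernel-memory privilege held explains the profile-1 failure discussed in the comments.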

Script signing

In addition, we have updated DTrace on Windows to support signing of D scripts. We follow the same model as PowerShell for script signing.

There is a system-wide DTrace script signing policy setting that controls whether signatures on DTrace scripts are checked. This policy is controlled through the registry.

By default, signatures on DTrace scripts are NOT checked.

Use the following registry values to enforce the policy at machine or user level.

  • User Scope: HKCU\Software\OpenDTrace\Dtrace, ExecutionPolicy, REG_SZ
  • Machine Scope: HKLM\Software\OpenDTrace\Dtrace, ExecutionPolicy, REG_SZ

Policy Values:

The DTrace policy takes one of the following values.

  • "Bypass": do not perform signature checks. This is the default policy; only set the registry value if you want to deviate from it.
  • "Unrestricted": do not perform checks on local files; ask for the user's consent before running unsigned remote files.
  • "RemoteSigned": do not perform checks on local files; require a valid and trusted signature for remote files.
  • "AllSigned": require a valid and trusted signature for all files.
  • "Restricted": the script file must be installed as a system component and carry a signature from a trusted source.

You can also set the policy by defining the environment variable DTRACE_EXECUTION_POLICY to the required value. Because the default is Bypass, a machine that should run only signed scripts needs the policy set explicitly at machine scope.

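The following PowerShell script, added here as an example and not part of the original post or the DTrace project, reads the policy from all three sources and shows the default (Bypass, nothing checked) beside the hardened setting (AllSigned, machine-wide). The key paths, the value name ExecutionPolicy (REG_SZ) and the five policy strings come from the text above; the function names are the example's own. The text does not say which source wins when the user key, the machine key and DTRACE_EXECUTION_POLICY disagree, so the script reports all three rather than computing a single effective value.

```powershell
# Added example (not part of the original post or the DTrace project): read and set the
# DTrace script-signing policy. Key paths, the value name ExecutionPolicy (REG_SZ) and
# the five policy strings are taken from the post. Writing under HKLM needs an elevated prompt.

$MachineKey = 'HKLM:\Software\OpenDTrace\Dtrace'
$UserKey    = 'HKCU:\Software\OpenDTrace\Dtrace'

function Get-DTraceSigningPolicy {
    # A missing value means the built-in default, which the post states is Bypass.
    $read = {
        param([string]$Path)
        $item = Get-ItemProperty -Path $Path -Name ExecutionPolicy -ErrorAction SilentlyContinue
        if ($item) { $item.ExecutionPolicy } else { 'Bypass (default: value not set)' }
    }
    $envPolicy = if ($env:DTRACE_EXECUTION_POLICY) { $env:DTRACE_EXECUTION_POLICY } else { '(not set)' }

    # The post does not say which source wins when they disagree, so all three are shown
    # rather than a single computed "effective" policy.
    [pscustomobject]@{
        MachineScope = & $read $MachineKey
        UserScope    = & $read $UserKey
        Environment  = $envPolicy
    }
}

function Set-DTraceSigningPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Bypass', 'Unrestricted', 'RemoteSigned', 'AllSigned', 'Restricted')]
        [string]$Policy,
        [ValidateSet('Machine', 'User')]
        [string]$Scope = 'Machine'
    )
    $path = if ($Scope -eq 'Machine') { $MachineKey } else { $UserKey }
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # REG_SZ, as the post specifies.
    Set-ItemProperty -Path $path -Name ExecutionPolicy -Value $Policy -Type String
}

# Weak (the out-of-the-box state): nothing is checked, any .d file runs.
'Before:'; Get-DTraceSigningPolicy

# Hardened: every script must carry a valid, trusted signature, set machine-wide.
Set-DTraceSigningPolicy -Policy AllSigned -Scope Machine
'After:';  Get-DTraceSigningPolicy
```

Before relying on the machine-scope value on a fleet, confirm the precedence on a test machine: set the machine key to AllSigned, set DTRACE_EXECUTION_POLICY to Bypass in the same session, and try to run an unsigned .d file. If it runs, the per-user and environment overrides need to be controlled as well.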

Conclusion

We are very excited to release the first version of DTrace on Windows. We look forward to feedback from the Windows Insider community.

Cheers,

DTrace Team (Andrey Shedel, Gopikrishna Kannan, & Hari Pulapaka)

57 Comments
Copper Contributor

Are there plans to make an .msi of a build for Windows for ARM64 available?

Microsoft
Hi @kobyk, thanks for your interest, it's definitely on our roadmap for the future.
Copper Contributor

A nod to Sun Microsystems, the inventors of DTrace.

Copper Contributor

I'm not having any joy installing DTrace for Windows on my PC.

During install, I get the error:

DTrace: Failed to add capability
'Tools.DTrace.Platform~~~~0.0.1.0': 0x800f0954

I first tried with Windows 10 build 18342 and then with build 18351 but still the same problem :(

@nksmith Can you use "dism /online /get-capabilities" to find the status of DTrace feature on your machine? If state indicates DTrace is not installed - try reinstalling the package after ensuring your machine has network connectivity and configured for the insider program.
Copper Contributor

Hi Gopikrishna Kannan 

No joy with the command you suggested:

PS C:\WINDOWS\system32> dism /online /get-capabilites
Deployment Image Servicing and Management tool
Version: 10.0.18351.1

Image Version: 10.0.18351.7

Error: 87

The get-capabilites option is unknown.

I am configured for Insider builds, but on the 'slow' ring.  I'm not experiencing any network connectivity problems.

I also tried this:

PS C:\WINDOWS\system32> Get-WindowsCapability -Online | ? Name -like '*DTrace*'

Name : Tools.DTrace.Platform~~~~0.0.1.0
State : NotPresent

PS C:\WINDOWS\system32> Get-WindowsCapability -Online -Name Tools.DTrace.Platform~~~~0.0.1.0

Name : Tools.DTrace.Platform~~~~0.0.1.0
State : NotPresent
DisplayName : DTrace/NT
Description : DTrace/NT enables the system support for DTrace.
DownloadSize : 51314
InstallSize : 135889

In the DISM.log file, at the time I was trying to install DTrace, and it was failing, I see the following lines:

2019-03-12 18:04:22, Warning DISM DISM Provider Store: PID=14740 TID=12060 Failed to load the provider: C:\Windows\System32\Dism\SiloedPackageProvider.dll. - CDISMProviderStore::Internal_GetProvider(hr:0x8007007e)
2019-03-12 18:04:22, Warning DISM DISM Provider Store: PID=14740 TID=12060 Failed to load the provider: C:\Windows\System32\Dism\MetaDeployProvider.dll. - CDISMProviderStore::Internal_GetProvider(hr:0x8007007e)
[14740] [0x8007007b] FIOReadFileIntoBuffer:(1381): The filename, directory name, or volume label syntax is incorrect.
[14740] [0xc142011c] UnmarshallImageHandleFromDirectory:(641)
[14740] [0xc142011c] WIMGetMountedImageHandle:(2897)
[14740] [0x8007007b] FIOReadFileIntoBuffer:(1381): The filename, directory name, or volume label syntax is incorrect.
[14740] [0xc142011c] UnmarshallImageHandleFromDirectory:(641)
[14740] [0xc142011c] WIMGetMountedImageHandle:(2897)
2019-03-12 18:04:22, Warning DISM DISM Provider Store: PID=5656 TID=6812 Failed to load the provider: C:\Users\NWS~1.HEX\AppData\Local\Temp\F77F284C-E59D-42F7-B17C-0B809136900A\PEProvider.dll. - CDISMProviderStore::Internal_GetProvider(hr:0x8007007e)
2019-03-12 18:04:45, Error DISM DISM Package Manager: PID=5656 TID=6812 Failed finalizing changes. - CDISMPackageManager::Internal_Finalize(hr:0x800f0954)
2019-03-12 18:04:45, Error DISM DISM Package Manager: PID=5656 TID=6812 Failed processing package changes with session options - CDISMPackageManager::ProcessChangesWithOptions(hr:0x800f0954)
2019-03-12 18:04:45, Error DISM API: PID=14740 TID=12060 Failed to install capability. - CAddCapabilityCommandObject::InternalExecute(hr:0x800f0954)
2019-03-12 18:04:45, Error DISM API: PID=14740 TID=12060 InternalExecute failed - CBaseCommandObject::Execute(hr:0x800f0954)
2019-03-12 18:04:45, Error DISM API: PID=14740 TID=10572 CAddCapabilityCommandObject internal execution failed - DismAddCapabilityInternal(hr:0x800f0954)

Copper Contributor

Hi Gopikrishna Kannan

Must have had a typo in the dism command... now getting this, which just confirms it's not present:

PS C:\WINDOWS\system32> dism /online /Get-Capabilities | sls DTrace -Context 0,2

> Capability Identity : Tools.DTrace.Platform~~~~0.0.1.0
State : Not Present

So what to do...?

Copper Contributor

Hello Gopikrishna Kannan

DISM seems to be looking for the following files:

C:\Windows\System32\Dism\SiloedPackageProvider.dll

C:\Windows\System32\Dism\MetaDeployProvider.dll

..but I checked my 'C:\Windows\System32\Dism' folder, and these two files do not exist...

@nwsmith  

Can you share log files under C:\Windows\Logs\CBS? Also, it will be great if you can confirm your environment is configured for WSUS. 

WSUS doesn't receive Insider builds. However, the policies as set up cause FOD installs to check WSUS, and that fails.

Configuring the repair source policy to go to WU for FOD \ Repair content will resolve this.

https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-a-windows-repair-sou...

Copper Contributor

Hello Gopikrishna Kannan

I now have DTrace installed & tried some simple commands with success :)

(I'm getting a lot of DEBUG output to the console, from libdtrace, when I run a dtrace command.)

PS C:\WINDOWS\system32> Get-WindowsCapability -Online -Name Tools.DTrace.Platform~~~~0.0.1.0

Name : Tools.DTrace.Platform~~~~0.0.1.0
State : Installed
DisplayName : DTrace/NT
Description : DTrace/NT enables the system support for DTrace.
DownloadSize : 51314
InstallSize : 135889

I'm not sure what I did that fixed it. I ran these commands:

PS C:\WINDOWS\system32> dism /online /cleanup-image /scanhealth
Deployment Image Servicing and Management tool
Version: 10.0.18351.1

Image Version: 10.0.18351.7

[==========================100.0%==========================] No component store corruption detected.
The operation completed successfully.

PS C:\WINDOWS\system32> sfc /scannow
Beginning system scan. This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection found corrupt files and successfully repaired them.

I checked C:\Windows\Logs\CBS\CBS.log and the repairs did not seem to be too important.

My CBS.log is rather large. If you email me your email, I will send it to you.

Then I also checked Windows Update again, and it found a further update:

Cumulative Update for Windows 10 Version Next (10.0.18351.7) (KB4492310)

..so maybe that fixed it.

After the Cumulative Update and a reboot, the DTrace install worked fine and completed successfully :)

I did not need to try your advice on "Configure a Windows Repair Source" as it had already fixed itself.

By the way, it's so great that Microsoft have brought Dtrace to Windows :)

I remember the joy of using DTrace on OpenSolaris, over 10 years ago!

Thank you

Nigel

@nksmith - Great to know you have DTrace working :) and thanks for trying the scripts. Hope you get a chance to try the advanced samples. Regarding logs, did you set DTRACE_DEBUG=1? This has the effect of turning ON logging.

We definitely want to understand and root cause the installation hiccup. Kindly share the CBS logs directly to my email address - gopikann@microsoft.com.

Thank you for your enthusiasm and support.

Copper Contributor
K:\DTrace for Windows\Samples>type counter.d
dtrace:::BEGIN
{
    i = 0;
}

profile:::tick-1sec
{
    i = i + 1;
    trace(i);
}

dtrace:::END
{
    trace(i);
}

K:\DTrace for Windows\Samples>dtrace -s counter.d  2>NUL
CPU ID FUNCTION:NAME
10 3696 :tick-1sec 1
0 3696 :tick-1sec 2
2 3696 :tick-1sec 3
4 3696 :tick-1sec 4
6 3696 :tick-1sec 5
10 3696 :tick-1sec 6
0 3696 :tick-1sec 7
2 3696 :tick-1sec 8
4 3696 :tick-1sec 9
4 3696 :tick-1sec 10
6 3696 :tick-1sec 11
2 2 :END 11
Microsoft
@nigel, great to hear. I suspect that you were on a build that didn't have the FOD package for DTrace, since you said you were on the slow ring. After you took the update to the latest slow release, you got the DTrace FOD package.
Copper Contributor

Is it possible to download the whole installation for an offline install?

Would it work with Windows Server 2016?

Copper Contributor

My problems installing DTrace indicates I need to better understand how 'Features On Demand' (FOD) works in Windows 10.

It would be good if the installer for DTrace could check the status of the relevant FOD and provide better feedback & advice, if it detects a problem.

Presumably, as DTrace needs the latest kernel from the preview of Windows 10 Version 1903, this means that DTrace is not going to work on the current version of Windows Server 2019, which would be unfortunate. Maybe DTrace support could be back-ported eventually to older/existing kernels?

I wonder if Microsoft has a road-map of their planned work on DTrace for Windows, which they can make public?

It would be interesting to know if/what additional providers are planned...?

It would be useful to have further documentation & examples on how to use the ETW provider, particularly mapping the GUID listed by 'dtrace -l' to the ETW providers.

Also useful would be more details on the setup required for the fbt provider.

Thank you!

Deleted
Not applicable

Hey, what about ZFS? Might the BSD community work together with Microsoft? I'm not expecting ZFS on Windows, but it would be amazing!

Copper Contributor

I get this error "Product: DTrace for Windows -- Error 1920. Service 'dtrace' (dtrace) failed to start. Verify that you have sufficient privileges to start system " 1) when I run the DTrace.amd64.msi in a cmd box with Administrator privileges, and I have run "bcdedit /set dtrace on", and I'm running Windows 10 build 18356.1. What could I be missing?

1)

Log Name: Application
Source: MsiInstaller
Date: 3/14/2019 4:42:44 PM
Event ID: 11920
Task Category: None
Level: Error
Keywords: Classic
User: DESKTOP-M4I196O\pgram
Computer: DESKTOP-M4I196O
Description:
Product: DTrace for Windows -- Error 1920. Service 'dtrace' (dtrace) failed to start. Verify that you have sufficient privileges to start system services.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MsiInstaller" />
<EventID Qualifiers="0">11920</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2019-03-14T15:42:44.556932600Z" />
<EventRecordID>275</EventRecordID>
<Channel>Application</Channel>
<Computer>DESKTOP-M4I196O</Computer>
<Security UserID="S-1-5-21-2576452605-3747203651-1590175832-1001" />
</System>
<EventData>
<Data>Product: DTrace for Windows -- Error 1920. Service 'dtrace' (dtrace) failed to start. Verify that you have sufficient privileges to start system services.</Data>
<Data>(NULL)</Data>
<Data>(NULL)</Data>
<Data>(NULL)</Data>
<Data>(NULL)</Data>
<Data>(NULL)</Data>
<Data>
</Data>
<Binary>7B36343033373935422D424444432D343246322D394445432D4134363436343437354337327D</Binary>
</EventData>
</Event>

@nwsmith Thanks for sharing your feedback. It's in our backlog to make FoD install failures more friendly. Regarding server 2019 backport, we will consider your request and look into this possibility. Please do share more of your recommendations (like providers/capabilities to add) and we will look into the possibility to make it happen working with the open source community

@Nenad_Noveljic Thanks for your feedback. Unfortunately, we don't support offline setup (enterprise ISO install) at this moment. This requires OS changes. We have this in our backlog and will consider it for our next release.

@peter_gram We can help you get this fixed. Let's take this offline and follow up over email (Please email me at gopikann@microsoft.com). Thanks!

Copper Contributor
@Hari_Pulapaka are we able to define our own custom probes in our applications to leverage this? can we define our own custom dtrace providers?

@mofidulj We don't support custom providers for now. However, this is in our backlog and future consideration.

Copper Contributor

Hi. Any idea why FBT traces don't work? DTrace -l doesn't see any; this is the DTrace.exe -y C:\symbols -Fn "fbt:nt:: {}" output: https://gist.github.com/kozera2137/bec79b5533970713ee38c33a19abe9f2

Debugger of course attached, am I doing something wrong?

Copper Contributor

Hi. Does anyone know why my installation fails at starting the services, because of insufficient privileges, even though it is running as admin?

I recently joined this program only to use this feature.

@joaoalves_061785 we are working with another user regarding this problem and will post a response as soon as we root cause this problem. Can you email me at gopikann@microsoft.com? I will add you to the thread. The root cause could be different and it will help validate the same.

@Kozera2137 fbt:nt:: instruments all NT functions. This may stall smaller systems and make them unresponsive. Can you try instrumenting a specific set of functions instead - dtrace -n "fbt:nt:*lock*:"

Copper Contributor
@Gopikrishna Kannan It doesn't work either.

@Kozera2137 Can you confirm if you attached the KD at the time of "boot"? I looked at your logs again and it appears that was not the case. The output shows symbol lookup was fine and still FBT failed to match any probes (meaning FBT is not enabled). This typically happens if the KD was not attached at the time of the boot. Try these steps - 1. Attach KD to your machine 2. Reboot the machine 3. Try FBT command.

Trace: invalid probe specifier fbt:nt:: {}: probe description fbt:nt:: does not match any probes

Copper Contributor
@Gopikrishna Kannan Thanks, it works. I thought I tested that but I guess I didn't
Copper Contributor

I am also getting    dtrace: failed to match syscall:::: No probe matches description

When I run 

C:\WINDOWS\system32>dtrace -lvn syscall:::

I am on version 1903 build 18855.1000

dtrace: failed to match syscall:::: No probe matches description

Capability Identity : Tools.DTrace.Platform~~~~0.0.1.0
State : Installed

What am I missing?

If it is a problem with KD, how do I check to see if KD is attached, and if it isn't how do I attach it?

@tomfenton can you check if you have DTrace enabled in BCDedit? Otherwise, run BCDedit /set dtrace on and reboot.

Copper Contributor

I entered 

  1. bcdedit /set dtrace on

and rebooted the system but I am still getting the same message

Copper Contributor

Sorry, I had a typo in my command; it is working now. Thank you!

Copper Contributor

Any chance of getting ustack to work on 64bit? I'm getting "unknown fault in action" with:

dtrace -n "profile-1 {@[ustack()]=count();}"

Also, predicates don't seem to work with the profile probe, like e.g.:

profile-1
/ pid == $target /
{
    @[stack(), execname] = count();
}

@Nenad_Noveljic 
The current DTrace version does not support user mode stack trace. I tested Profile-1 on two machines.

It worked on a machine running build 18361 (see below).

C:\WINDOWS\system32>dtrace -n " profile-1 /$target == pid/ { @[pid, stack(), execname]=count();}" -c taskmgr.exe
dtrace: description ' profile-1 ' matched 1 probe

3544
nt`KeAccumulateTicks+0x18619b
nt`KeClockInterruptNotify+0xcf
hal.dll`HalpTimerClockIpiRoutine+0x21
nt`KiCallInterruptServiceRoutine+0xa5
nt`KiInterruptSubDispatchNoLockNoEtw+0xfa
nt`KiInterruptDispatchNoLockNoEtw+0x37
Taskmgr.exe 2
3544
nt`KiDispatchInterruptContinue
nt`KiDpcInterruptBypass+0x25
nt`KiInterruptDispatchNoLockNoEtw+0xb1
Taskmgr.exe

However, it did not work on a machine running an older build. It turned out that I was running with Secure Boot enabled and that blocks access to the kernel. That is by design. In this case, I will need to attach KD to get the script working. I get the below error even without predicates. Can you confirm if you have Secure Boot turned ON?

dtrace -n " profile-1  { @[pid, stack(), execname]=count();}"
dtrace: description ' profile-1  ' matched 1 probe
dtrace: error on enabled probe ID 1 (ID 3633: profile:::profile-1): unknown fault in action #2 at DIF offset 0
dtrace: error on enabled probe ID 1 (ID 3633: profile:::profile-1): unknown fault in action #2 at DIF offset 0
dtrace: error on enabled probe ID 1 (ID 3633: profile:::profile-1): unknown fault in action #2 at DIF offset 0
dtrace: error on enabled probe ID 1 (ID 3633: profile:::profile-1): unknown fault in action #2 at DIF offset 0

Copper Contributor

I have the insider build 18362.1 too.

In the meantime, we turned off secure boot. I'm not getting the error message with the profile-1 probe any more. But the observed process seems blocked. For example, taskmgr doesn't show up until I break the dtrace execution. In contrast, everything works fine after removing the predicate /$target == pid/.

Also, the ustack behaviour has changed since turning off secure boot. ustack probes don't throw errors anymore. However, the ustacks seem lost. I mean they are not printed at the end, I see just the number of samples.

Brass Contributor

Dang!!! -I never heard of this tech. Thanks for the POST.

Question: Do you folks have a Twitter account that I can follow (and subsequently I can get alerts on) ?

Copper Contributor
Hi. I'm trying to display the name of a created process, however I have no idea how to process wide-char strings. Could anyone correct me? https://gist.github.com/kozera2137/0903a832af98686b24c26abd1ff698db

@Kozera2137 Try the script below for printing the process name:

/* fixed-size buffer type used to give the copied-in wide string a type for %ws */
struct ustr { uint16_t buffer[256]; };

syscall::NtCreateUserProcess:entry
{
    /* arg8 is the RTL_USER_PROCESS_PARAMETERS pointer supplied by the caller */
    this->ProcessParameters = (nt`_RTL_USER_PROCESS_PARAMETERS *)
        copyin(arg8, sizeof(nt`_RTL_USER_PROCESS_PARAMETERS));

    /* ImagePathName is a UNICODE_STRING; Length is in bytes, so divide by 2 for characters */
    this->fname = (uint16_t *)
        copyin((uintptr_t) this->ProcessParameters->ImagePathName.Buffer,
               this->ProcessParameters->ImagePathName.Length);

    printf("Process %s PID %d created %*ws \n", execname, pid,
           this->ProcessParameters->ImagePathName.Length / 2,
           ((struct ustr *) this->fname)->buffer);
}
Copper Contributor
@Gopikrishna Kannan Thanks, works perfectly. I have one more question: why doesn't the syscall provider work with some executables? Example below; it works fine with notepad but seems not to work with other apps. These apps of course call syscalls. dtrace -n "syscall:::entry/execname==\"notepad.exe\"/{}"
Copper Contributor
I forgot to mention, I see these calls in this example: dtrace -n "syscall:::entry { @[execname] = count(); }"

@Kozera2137 Can you give me some sample applications you couldn't filter? Please note the names have to be case sensitive and also full. If not, add * (wildcard) to the names.

Copper Contributor
@Gopikrishna Kannan I solved the problem. I haven't noticed that execname is truncated to 15 characters and instead of "Application.ex" i was typing "Application.exe"
Copper Contributor
Hi. Is there any way to hook functions like nt!PsGetCurrentProcess or nt!PsGetProcessId? Is there any reason why aren't those available?

@Kozera2137 Can you share your use-case? Let's see if there are ways to achieve what you need using public APIs.

Copper Contributor

traceext.sys is nowhere to be found on my 18999.vb_release.191004-1432 Insider build.  Where can I get that?

Copper Contributor

Wow **Goosebumps** when I got one of the D script running! Great addition and best wishes! :)- Sreejith. D. Menon

Copper Contributor

uregs constants are not defined. Is this an oversight?

https://docs.oracle.com/cd/E23824_01/html/E22973/gkyeg.html

Copper Contributor

also ustack/stack doesn't appear to work (prints empty line)

syscall::NtDeviceIoControlFile:entry
  /execname == "myprocess.exe"/
{
  ustack(50, 0);
}

Copper Contributor

Another issue: it doesn't trace win32u syscalls 

Version history
Last update:
‎Dec 12 2022 11:08 AM