Releases: lowleveldesign/wtrace
3.4
Changelog:
- fixed missing events when the target process finishes very quickly
- minor improvements and fixes
Hashes for the wtrace.exe binary:
MD5 = 1974CFB0F6829E9A66B0B2F8EEC22C41
SHA1 = E0442450120CAB90F392D0985C55A21B8B3FE732
SHA256 = E96252913EE897F4C5816682EEDDBC193CEF5E87A3AB2C40EE487CB490D11FF1
3.3
Changelog:
- the summary view now includes RPC procedure names (if wtrace was able to resolve them)
- from now on, Process/Thread events are always enabled (they are required to make filters work)
- minor improvements and fixes
You may find more details in the blog post describing the new release.
Hashes for the wtrace.exe binary:
MD5 = DF60B4BA8D6E9B07479E2FAD0520319B
SHA1 = 2C9C790B63DC9669AB2ED4AA936ACDAB94937B3D
SHA256 = 2CE3E6D447E32952388A5088C2A58DF836F87F605FD62F7DC605338F5F383271
3.2
3.1
3.0
The post describing the new release is at https://wtrace.net/2021/01/29/announcing-wtrace-3-0/.
NEW features:
- system-wide tracing
- extensive filtering options
- a --handlers option to choose handlers for the trace session
- a process tree in the statistics view
FIXES:
- missing paths are much less common
- wtrace can run in the Windows container (requires .NET Framework 4.7.2)
REMOVED features:
- PowerShell events
- ALPC events
Wtrace 3.0 runs on Windows 8.1+ and requires .NET Framework 4.7.2. If you need to trace an older system, please use wtrace 2.2.
2.2
2.1
Changes
- You may trace only drivers, with no process specified (wtrace -s)
- Trace all child processes started by the parent process (-c switch)
2.0
Changes
- Summary events are displayed again at the end of the trace
- Collecting statistics for driver execution during the trace session (-s option) - DPC/ISR events, e.g.:
> wtrace -s notepad
...
--------------------------------
ISR
--------------------------------
'C:\WINDOWS\System32\drivers\HDAudBus.sys', total: 4,047ms (338 event(s))
'C:\WINDOWS\system32\drivers\Wdf01000.sys', total: 1,831ms (372 event(s))
'C:\WINDOWS\System32\drivers\USBPORT.SYS', total: 0,599ms (66 event(s))
--------------------------------
DPC
--------------------------------
'C:\WINDOWS\system32\drivers\Wdf01000.sys', total: 27,645ms (372 event(s))
'C:\WINDOWS\System32\drivers\dxgkrnl.sys', total: 11,721ms (665 event(s))
'C:\WINDOWS\system32\ntoskrnl.exe', total: 10,388ms (526 event(s))
'C:\WINDOWS\System32\drivers\USBPORT.SYS', total: 3,768ms (321 event(s))
'C:\WINDOWS\System32\drivers\HDAudBus.sys', total: 1,581ms (338 event(s))
'C:\WINDOWS\system32\drivers\ndis.sys', total: 1,162ms (99 event(s))
'C:\WINDOWS\System32\drivers\tcpip.sys', total: 0,637ms (30 event(s))
'C:\WINDOWS\system32\DRIVERS\igdkmd64.sys', total: 0,571ms (93 event(s))
'C:\WINDOWS\System32\drivers\storport.sys', total: 0,469ms (17 event(s))
'C:\WINDOWS\System32\drivers\vmswitch.sys', total: 0,311ms (35 event(s))
'C:\WINDOWS\System32\drivers\dxgmms2.sys', total: 0,174ms (27 event(s))
'C:\WINDOWS\System32\drivers\CLASSPNP.SYS', total: 0,046ms (1 event(s))
'C:\WINDOWS\System32\drivers\vmbusr.sys', total: 0,033ms (6 event(s))
'C:\WINDOWS\System32\drivers\bridge.sys', total: 0,019ms (4 event(s))
'C:\WINDOWS\system32\drivers\hvservice.sys', total: 0,009ms (3 event(s))
'C:\WINDOWS\System32\drivers\storahci.sys', total: 0,005ms (2 event(s))
'C:\WINDOWS\system32\Drivers\WdNisDrv.sys', total: 0,004ms (2 event(s))
...
1.3
Changes
- PowerShell support
- More consistent output to make filtering easier - summary is printed as summary events
1.2
You may now trace RPC calls with wtrace!
Example trace:
4317.5999 (8424.15088) RpcClientCall/Stop --- NamedPipes --> 6bffd098-a112-3610-9833-46c3f87e345a (\PIPE\wkssvc) 11
4317.7007 (8424.15088) RpcClientCall/Start --- LRPC --> 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL
4317.8605 (8424.15088) RpcServerCall/Start <-- LRPC --- 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL (96.5612)
4317.9506 (96.5612) RpcServerCall/Stop <-- LRPC --- 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL (96.5612)
4317.9738 (8424.15088) RpcClientCall/Stop --- LRPC --> 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL
More information is in the wiki.
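The RPC lines above have a fixed shape, so they can be parsed into records and summarised per interface, which is what a defender reviewing a trace usually wants (which interfaces and procedure numbers a process called, over which transport). This is an added example, not wtrace's own code; the field names and the reading of the trailing "(pid.tid)" on the server-side lines as the other side's process and thread are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the five RPC lines from the 1.2 release notes above.
SAMPLE_TRACE = r"""
4317.5999 (8424.15088) RpcClientCall/Stop --- NamedPipes --> 6bffd098-a112-3610-9833-46c3f87e345a (\PIPE\wkssvc) 11
4317.7007 (8424.15088) RpcClientCall/Start --- LRPC --> 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL
4317.8605 (8424.15088) RpcServerCall/Start <-- LRPC --- 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL (96.5612)
4317.9506 (96.5612) RpcServerCall/Stop <-- LRPC --- 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL (96.5612)
4317.9738 (8424.15088) RpcClientCall/Stop --- LRPC --> 53825514-1183-4934-a0f4-cfdc51c3389b (LSMApi) 0 NULL
"""

# ts (pid.tid) Rpc{Client|Server}Call/{Start|Stop} <arrows> transport <arrows> uuid (endpoint) procnum [rest]
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) \((?P<pid>\d+)\.(?P<tid>\d+)\) Rpc(?P<side>Client|Server)Call/(?P<phase>Start|Stop) "
    r"[-<>]+ (?P<transport>\w+) [-<>]+ (?P<iface>[0-9a-fA-F-]{36}) \((?P<endpoint>[^)]*)\) (?P<procnum>\d+)(?P<rest>.*)$"
)
# Assumption (not documented on the page): a trailing "(pid.tid)" names the other side of the call.
PEER_RE = re.compile(r"\((\d+)\.(\d+)\)")

@dataclass
class RpcEvent:
    ts: float
    pid: int
    tid: int
    side: str       # "Client" or "Server"
    phase: str      # "Start" or "Stop"
    transport: str  # e.g. LRPC, NamedPipes
    iface: str      # RPC interface UUID
    endpoint: str   # text in parentheses after the UUID (pipe name or resolved name)
    procnum: int
    peer: Optional[Tuple[int, int]]

def parse_line(line: str) -> Optional[RpcEvent]:
    # Returns None for any line that is not an RPC event (headers, other event kinds, "...").
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    peer = PEER_RE.search(m["rest"])
    return RpcEvent(float(m["ts"]), int(m["pid"]), int(m["tid"]), m["side"], m["phase"],
                    m["transport"], m["iface"], m["endpoint"], int(m["procnum"]),
                    (int(peer[1]), int(peer[2])) if peer else None)

def parse_trace(text: str) -> List[RpcEvent]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def client_call_summary(events: List[RpcEvent]) -> Counter:
    # Count completed client calls per (transport, interface UUID, endpoint, procnum).
    return Counter((e.transport, e.iface, e.endpoint, e.procnum)
                   for e in events if e.side == "Client" and e.phase == "Stop")
```

Feed the output of a real wtrace run to parse_trace and the summary shows, per interface and procedure number, what the traced process called; unexpected interfaces or pipe names are the rows worth a second look.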