
Show HN: Wtrace – A command line tracing tool for Windows, based on ETW - lowleveldesign
https://github.com/lowleveldesign/wtrace
======
etatoby
To all the commenters lamenting the lack of filtering capabilities, I would
like to remind that this is a console program, which in the spirit of Unix
should "do one thing and do it well."

If you need filtering, sorting, correlating, and so on, you should add pipes
after this program. I believe Powershell pipes are even more powerful than
plain text ones, although I haven't used them myself.

~~~
nailer
Looks like the output is flat text, so powershell pipes:

    wtrace mspaint | where {$_.syscall -eq "FileIO/Close" }

Don't yet work. I've made a humble feature request
([https://github.com/lowleveldesign/wtrace/issues/1](https://github.com/lowleveldesign/wtrace/issues/1))
if anyone is interested.

Filtering by time or file, JSON/csv output and all the other powershell
goodness would be awesome for a tool like this.
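One way to get that kind of filtering today is to parse the flat text into objects before the pipe. The function below is an added example (not code from wtrace, its author, or this thread); it assumes a line layout of "timestamp (pid.tid) Category/Event details", and the sample lines are constructed for illustration rather than captured from wtrace. Adjust the regex to the real column layout of the version you run.

```powershell
# Added example, not part of wtrace or the thread. Assumed line layout:
# "<timestamp> (<pid>.<tid>) <Category/Event> <details>"; the sample
# lines below are constructed, not real wtrace output.
function ConvertFrom-TraceLine {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string]$Line
    )
    begin {
        # Named groups give the object its properties; anything after the
        # event name is kept verbatim as Details.
        $pattern = '^(?<ts>\S+)\s+\((?<pid>\d+)\.(?<tid>\d+)\)\s+(?<event>\S+)\s*(?<details>.*)$'
    }
    process {
        if ($Line -match $pattern) {
            [PSCustomObject]@{
                Timestamp = $Matches.ts
                ProcessId = [int]$Matches.pid
                ThreadId  = [int]$Matches.tid
                Event     = $Matches.event
                Details   = $Matches.details
            }
        }
        else {
            # Surface lines that did not match instead of dropping them silently
            Write-Verbose "Unparsed line: $Line"
        }
    }
}

# Constructed sample lines (stand-in for `wtrace mspaint` output)
$sample = @(
    '1002,1363 (4064.1244) FileIO/Create C:\Windows\System32\kernel32.dll',
    '1002,1371 (4064.1244) FileIO/Close  C:\Windows\System32\kernel32.dll',
    '1002,1402 (4064.1244) TcpIp/Connect 10.0.0.5:443',
    '1002,1450 (4064.1244) FileIO/Close  C:\Users\demo\notes.txt'
)

# The filter from the comment above, now against object properties
$sample | ConvertFrom-TraceLine |
    Where-Object { $_.Event -eq 'FileIO/Close' } |
    Format-Table Timestamp, ProcessId, Event, Details -AutoSize

# Once lines are objects the rest of the toolbox applies, for example:
# $sample | ConvertFrom-TraceLine | Group-Object Event | Sort-Object Count -Descending
# $sample | ConvertFrom-TraceLine | ConvertTo-Json
# $sample | ConvertFrom-TraceLine | Export-Csv trace.csv -NoTypeInformation
```

With a live trace you would replace `$sample` with `wtrace mspaint` at the head of the pipeline; `-Verbose` shows which lines the pattern did not recognise, which is the quickest way to spot a layout that differs from the assumed one.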

~~~
xorblurb
That's why grep is great.

~~~
eriknstr
grep's good for sure, but the comment you are replying to is a reply in turn to
someone speaking specifically about PowerShell piping capabilities. Personally
I am a Unix person, not a Windows person, but I believe that for a tool to be
most effective it should adhere to the workflow of the platform it is written
for. Since wtrace is written for Windows it makes sense to expect that it
should integrate well with the Windows way of doing things.

------
apankrat
At the risk of stating the obvious - tracing in itself is not that useful,
unless you are after just the aggregated stats. To use traces for reversing
the API/IOCTLs, it's equally (if not more) important to have a good UI for
filtering, analysis and cross-correlation.

There's another tool that fills this particular niche quite well [1] and
having used it to reverse HP Smart Array drivers among other things I can't
recommend it highly enough.

Just 2c.

[1] [http://www.rohitab.com/apimonitor](http://www.rohitab.com/apimonitor)

~~~
grok2
Took a look at the API Monitor app you recommended -- it is interesting -- can
it be used as a procmon replacement in your experience? The UI seems to be a
bit better (more intuitively) organized...with procmon, between one instance
of running it and another, I always have to search for where the menu settings
are to do some action -- it's almost like a GUI over a command line program.

------
Cylons
Google also has a similar tool for recording and managing ETW traces:
[https://github.com/google/UIforETW](https://github.com/google/UIforETW)

~~~
adzm
This is one of the greatest tools for dealing with ETW. And it is a great way
to introduce people to ETW as well, before diving into the arcane commands
necessary to drive it yourself from the command line.

------
NKCSS
Looks very nice. For those who don't know ETW (Event Tracing for Windows):
[https://msdn.microsoft.com/nl-nl/library/windows/desktop/aa3...](https://msdn.microsoft.com/nl-nl/library/windows/desktop/aa363668\(v=vs.85\).aspx)

~~~
lowleveldesign
Thank you.

------
aargh_aargh
I haven't used much Windows recently, but I remember this GUI tool, which
offers much needed filtering capabilities.

[https://technet.microsoft.com/en-us/sysinternals/processmoni...](https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx)

~~~
chris_wot
Yeah, but it's limited because Process Monitor stores its output in memory
(from what I can see) even if you use a backing file other than the swap
file.

I use this tool all the time!

I really wish there was a command line version that is divorced from the GUI
that you can pipe to another process or file. This might be as close as any
I've found so far!

~~~
osullivj
I use procmon heavily too. Good point about the mem usage. I find procmon
especially helpful for diagnosing COM activation issues; being able to trace
all the registry and file system accesses is invaluable in figuring why a
specific DLL is or isn't loaded.

~~~
voltagex_
COM activation has eaten a week of mine. Any idea why procmon wouldn't load on
a Server 2008 box as Admin? Gives me a driver error.

~~~
j_s
Google says:

* reboot

* check anti-virus

* requires 'Workstation' service

* try a different/older version

* verify other Sysinternals utils can load their driver

* extract the 64-bit version and run it directly

[http://superuser.com/questions/211759/process-monitor-fails-...](http://superuser.com/questions/211759/process-monitor-fails-to-load)

Any further details on the error message?

~~~
voltagex_
Unfortunately lowly devs are not allowed access to that particular server, but
I'd bet it's the Workstation service. Thanks.

------
skrebbel
Very nice! I really enjoy developing on Windows but whenever I read a blog
post about someone on *nix hunting down a problem with strace I've felt a bit
limited. I know Windows has similar instrumentation but it felt a bit
inaccessible to me.

This looks perfect! Simplest imaginable interface, the output I'd need. Great
work!

~~~
lowleveldesign
Thank you! I use a small number of ETW events (one of the reasons is that I
wanted to use the console output). WPT
([https://msdn.microsoft.com/en-us/windows/hardware/commercial...](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/test/wpt/index))
or PerfView
([https://www.microsoft.com/en-us/download/details.aspx?id=285...](https://www.microsoft.com/en-us/download/details.aspx?id=28567))
reveal the whole power of ETW, providing details such as thread context
switches, DPC or APC requests.

------
wslh
Shameless plug: my company released a free Windows tracing tool that can
intercept a lot of user-level Win32 calls. It is available here:
[http://www.nektra.com/products/spystudio-api-monitor/](http://www.nektra.com/products/spystudio-api-monitor/).
You can even build your own tool with the following open source
instrumentation frameworks:
[https://github.com/nektra/Deviare-InProc/](https://github.com/nektra/Deviare-InProc/)
and [https://github.com/nektra/Deviare2](https://github.com/nektra/Deviare2)

------
pjc50
Ah, this will be great. I do miss the ease of using strace to hunt bugs. Even
just being able to find out where a program is looking for a file it can't
find or a network connection that doesn't work is useful.

------
pmoriarty
Are there any command-line tools like ltrace, ktrace, or dtrace on Windows?

Also, is there an executable for this tool? From a quick look at the github
page, it looks like it's only available as source.

~~~
lowleveldesign
The executable can be found on the release page [1]. I don't know any Windows
ports of ltrace, ktrace, or dtrace. But you may have a look at the list of ETW
events [2] supported by the Windows kernel and you should find the ones you
need for your diagnosis. With each version of Windows the list of event
providers for different parts of the system is also growing (you may use
'logman query providers' to list them).

[1] [https://github.com/lowleveldesign/wtrace/releases/download/1...](https://github.com/lowleveldesign/wtrace/releases/download/1.2/wtrace.zip)

[2] [https://msdn.microsoft.com/en-us/library/windows/desktop/aa3...](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363799\(v=vs.85\).aspx)

------
Garmonidas
Pretty good, great job! It's been a long time since I last worked with Windows
though...

~~~
lowleveldesign
Thank you!

------
ComodoHacker
What are the use cases when I should prefer this over good old ProcMon?

~~~
lowleveldesign
This tool is not supposed to compete with ProcMon, which I consider the best
tool of the trade. But... currently ProcMon can't be run on Nano Server (thus
for instance on Docker). ProcMon does not trace RPC/ALPC requests either. I
even suggest in the wiki that you may pipe the output of wtrace to ProcMon (I
wrote a simple tool send2procmon [1] for this purpose):

    wtrace notepad | select-string "Rpc.*Call" | send2procmon

[1] [https://github.com/lowleveldesign/send2procmon](https://github.com/lowleveldesign/send2procmon)

~~~
youdontknowtho
Really fantastic stuff, man. Read both blog posts, really impressed. Thanks!

