WPA does not show CPU, Dpc and Isr records

Brokoliy (Member, joined Jul 8, 2024, 10 posts)
I get an etl file to check the 0x133 bugcheck but it's just full of empty system activity graphs.

Code:
11: kd> !wmitrace.logsave 2 hey.etl
WMI Trace Save: Debugger Extension. LoggerId = 2, Save File = 'orospuevladi.etl'
    Logger Id 0x02 @ 0xFFFFD0837ECF7040 Named 'Circular Kernel Context Logger'
      CollectionOn        = 1
      LoggerMode          = 0x02800480 ( secure buf system )
      HybridShutdown      = persist
      BufferSize          = 4 KB
      BuffersAvailable    = 12
      MinimumBuffers      = 24
      NumberOfBuffers     = 24
      MaximumBuffers      = 24
      EventsLost          = 0
      LogBuffersLost      = 0
      RealTimeBuffersLost = 0
      LastFlushedBuffer   = 0
      MaximumFileSize     = 0
      FlushTimer          = 0 sec
      PoolType            = NonPaged
      SequenceNumber      = 2651670
      ClockType           = CPU Cycle
      EventsLogged        = 18446744073709551615

      Buffer      Address           Cpu RefCnt State
      ===========================================================================================
      Buffer   1: ffffd0837ecfe000 ,  3:  15    General Logging    , Offset:     2040 ,  49% Used
      Buffer   2: ffffd0837ecff000 ,  6:  15    General Logging    , Offset:     2680 ,  65% Used
      Buffer   3: ffffd0837edc5000 ,  1:  15    General Logging    , Offset:     3576 ,  87% Used
      Buffer   4: ffffd0837edc6000 , 10:  15    General Logging    , Offset:      616 ,  15% Used
      Buffer   5: ffffd0837edc7000 , 10:   0    Free List          , Offset:     4080 ,  99% Used
      Buffer   6: ffffd0837edc8000 ,  2:  15    General Logging    , Offset:     2680 ,  65% Used
      Buffer   7: ffffd0837edc9000 ,  8:  15    General Logging    , Offset:     3264 ,  79% Used
      Buffer   8: ffffd0837edca000 ,  4:   0    Free List          , Offset:     4008 ,  97% Used
      Buffer   9: ffffd0837edcb000 ,  2:   0    Free List          , Offset:     4088 ,  99% Used
      Buffer  10: ffffd0837edcc000 ,  0:   0    Free List          , Offset:     4080 ,  99% Used
      Buffer  11: ffffd0837edcd000 ,  6:   0    Free List          , Offset:     4048 ,  98% Used
      Buffer  12: ffffd0837edce000 , 11:   0    Free List          , Offset:     4088 ,  99% Used
      Buffer  13: ffffd0837edcf000 ,  4:  15    General Logging    , Offset:     2776 ,  67% Used
      Buffer  14: ffffd0837edd0000 ,  8:   0    Free List          , Offset:     4072 ,  99% Used
      Buffer  15: ffffd0837edd1000 ,  7:   0    Free List          , Offset:     4072 ,  99% Used
      Buffer  16: ffffd0837edd2000 ,  6:   0    Free List          , Offset:     4072 ,  99% Used
      Buffer  17: ffffd0837edd3000 ,  5:  15    General Logging    , Offset:      848 ,  20% Used
      Buffer  18: ffffd0837edd4000 , 11:  15    General Logging    , Offset:     1872 ,  45% Used
      Buffer  19: ffffd0837edd5000 ,  7:  15    General Logging    , Offset:      648 ,  15% Used
      Buffer  20: ffffd0837edd6000 ,  9:   0    Free List          , Offset:     4056 ,  99% Used
      Buffer  21: ffffd0837edd7000 ,  0:   0    Free List          , Offset:     4096 , 100% Used
      Buffer  22: ffffd0837edd8000 ,  0:  15    General Logging    , Offset:     3824 ,  93% Used
      Buffer  23: ffffd0837edd9000 ,  5:   0    Free List          , Offset:     4096 , 100% Used
      Buffer  24: ffffd0837edda000 ,  9:  15    General Logging    , Offset:     1088 ,  26% Used
Saved 24 Buffers


Any idea?
 
It's working OK for me....
Code:
7: kd> !wmitrace.strdump
(WmiTrace) StrDump Generic
  LoggerContext Array @ 0xFFFFD0837ECE5D40 [64 Elements]
    Logger Id 0x02 @ 0xFFFFD0837ECF7040 Named 'Circular Kernel Context Logger'
    Logger Id 0x03 @ 0xFFFFD0837EE7EA40 Named 'Eventlog-Security'
    Logger Id 0x04 @ 0xFFFFD0837ECF76C0 Named 'DefenderApiLogger'
    Logger Id 0x05 @ 0xFFFFD0837ECFB040 Named 'DefenderAuditLogger'
    Logger Id 0x06 @ 0xFFFFD0837EE7B080 Named 'DiagLog'
    Logger Id 0x07 @ 0xFFFFD0837EE7CA40 Named 'Diagtrack-Listener'
    Logger Id 0x08 @ 0xFFFFD0837EE7DA40 Named 'EventLog-Application'
    Logger Id 0x09 @ 0xFFFFD0837EE7FA40 Named 'EventLog-System'
    Logger Id 0x0a @ 0xFFFFD0837EE7B640 Named 'LwtNetLog'
    Logger Id 0x0b @ 0xFFFFD0837EE82040 Named 'Microsoft-Windows-Rdp-Graphics-RdpIdd-Trace'
    Logger Id 0x0c @ 0xFFFFD0837EE83A40 Named 'NetCore'
    Logger Id 0x0d @ 0xFFFFD0837EE82640 Named 'NtfsLog'
    Logger Id 0x0e @ 0xFFFFD0837EE85A40 Named 'RadioMgr'
    Logger Id 0x0f @ 0xFFFFD0837EE86A40 Named 'UBPM'
    Logger Id 0x10 @ 0xFFFFD0837EE89A40 Named 'WdiContextLog'
    Logger Id 0x11 @ 0xFFFFD0837EE8AA40 Named 'WiFiDriverIHVSession'
    Logger Id 0x12 @ 0xFFFFD0837EE878C0 Named 'WiFiSession'
    Logger Id 0x13 @ 0xFFFFD083B00ABA40 Named 'PerfDiag Logger'
    Logger Id 0x14 @ 0xFFFFD0838F077A40 Named 'UserNotPresentTraceSession'
    Logger Id 0x15 @ 0xFFFFD08385FCCA40 Named 'CldFltLog'
    Logger Id 0x16 @ 0xFFFFD0838D67C040 Named 'SgrmEtwSession'
    Logger Id 0x17 @ 0xFFFFD0838BFCEA40 Named 'WFP-IPsec Diagnostics'
    Logger Id 0x18 @ 0xFFFFD0838BFE2A40 Named 'GamingServices'
    Logger Id 0x19 @ 0xFFFFD0838C8F1A40 Named 'ScreenOnPowerStudyTraceSession'
    Logger Id 0x1a @ 0xFFFFD0838CB9E940 Named '48007CAB-C30B-4D1B-A6EA-F511E63024FB'
    Logger Id 0x1b @ 0xFFFFD0838D746680 Named '{5BD38BE2-CFC0-4E70-9FCC-6B7EC64DD71F}'
    Logger Id 0x1c @ 0xFFFFD08385677040 Named 'WindowsUpdate_trace_log'
    Logger Id 0x1d @ 0xFFFFD0838D6B68C0 Named '8696EAC4-1288-4288-A4EE-49EE431B0AD9'
    Logger Id 0x1e @ 0xFFFFD08396AE9A40 Named 'Admin_PS_Provider'
    Logger Id 0x1f @ 0xFFFFD08393DCAA40 Named 'SHS-07052024-170649-7-7f'
    Logger Id 0x20 @ 0xFFFFD083BB5B7A00 Named 'ECCB175F-1EB2-43DA-BFB5-A8D58A40A4D7'
    Logger Id 0x21 @ 0xFFFFD0838D6B3780 Named 'Terminal-Services-LSM-ApplicationLag-5168'
    Logger Id 0x22 @ 0xFFFFD0838CED2040 Named 'NVIDIA-NVTOPPS-NOCAT'
    Logger Id 0x23 @ 0xFFFFD0838CED2640 Named 'NVIDIA-NVTOPPS-FILTER'
7: kd> !wmitrace.logsave 2 W:\Temp\Tester.etl
WMI Trace Save: Debugger Extension. LoggerId = 2, Save File = 'W:\Temp\Tester.etl'
    Logger Id 0x02 @ 0xFFFFD0837ECF7040 Named 'Circular Kernel Context Logger'
      CollectionOn        = 1
      LoggerMode          = 0x02800480 ( secure buf system )
      HybridShutdown      = persist
      BufferSize          = 4 KB
      BuffersAvailable    = 12
      MinimumBuffers      = 24
      NumberOfBuffers     = 24
      MaximumBuffers      = 24
      EventsLost          = 0
      LogBuffersLost      = 0
      RealTimeBuffersLost = 0
      LastFlushedBuffer   = 0
      MaximumFileSize     = 0
      FlushTimer          = 0 sec
      PoolType            = NonPaged
      SequenceNumber      = 2651670
      ClockType           = CPU Cycle
      EventsLogged        = 18446744073709551615

      Buffer      Address           Cpu RefCnt State
      ===========================================================================================
      Buffer   1: ffffd0837ecfe000 ,  3:  15    General Logging    , Offset:     2040 ,  49% Used
      Buffer   2: ffffd0837ecff000 ,  6:  15    General Logging    , Offset:     2680 ,  65% Used
      Buffer   3: ffffd0837edc5000 ,  1:  15    General Logging    , Offset:     3576 ,  87% Used
      Buffer   4: ffffd0837edc6000 , 10:  15    General Logging    , Offset:      616 ,  15% Used
      Buffer   5: ffffd0837edc7000 , 10:   0    Free List          , Offset:     4080 ,  99% Used
      Buffer   6: ffffd0837edc8000 ,  2:  15    General Logging    , Offset:     2680 ,  65% Used
      Buffer   7: ffffd0837edc9000 ,  8:  15    General Logging    , Offset:     3264 ,  79% Used
      Buffer   8: ffffd0837edca000 ,  4:   0    Free List          , Offset:     4008 ,  97% Used
      Buffer   9: ffffd0837edcb000 ,  2:   0    Free List          , Offset:     4088 ,  99% Used
      Buffer  10: ffffd0837edcc000 ,  0:   0    Free List          , Offset:     4080 ,  99% Used
      Buffer  11: ffffd0837edcd000 ,  6:   0    Free List          , Offset:     4048 ,  98% Used
      Buffer  12: ffffd0837edce000 , 11:   0    Free List          , Offset:     4088 ,  99% Used
      Buffer  13: ffffd0837edcf000 ,  4:  15    General Logging    , Offset:     2776 ,  67% Used
      Buffer  14: ffffd0837edd0000 ,  8:   0    Free List          , Offset:     4072 ,  99% Used
      Buffer  15: ffffd0837edd1000 ,  7:   0    Free List          , Offset:     4072 ,  99% Used
      Buffer  16: ffffd0837edd2000 ,  6:   0    Free List          , Offset:     4072 ,  99% Used
      Buffer  17: ffffd0837edd3000 ,  5:  15    General Logging    , Offset:      848 ,  20% Used
      Buffer  18: ffffd0837edd4000 , 11:  15    General Logging    , Offset:     1872 ,  45% Used
      Buffer  19: ffffd0837edd5000 ,  7:  15    General Logging    , Offset:      648 ,  15% Used
      Buffer  20: ffffd0837edd6000 ,  9:   0    Free List          , Offset:     4056 ,  99% Used
      Buffer  21: ffffd0837edd7000 ,  0:   0    Free List          , Offset:     4096 , 100% Used
      Buffer  22: ffffd0837edd8000 ,  0:  15    General Logging    , Offset:     3824 ,  93% Used
      Buffer  23: ffffd0837edd9000 ,  5:   0    Free List          , Offset:     4096 , 100% Used
      Buffer  24: ffffd0837edda000 ,  9:  15    General Logging    , Offset:     1088 ,  26% Used
Saved 24 Buffers



You might want to check out this post.
 
I really don't understand. I tried probably 10-15 times in a row but I couldn't see it. Will changing the registry key mentioned in the topic help me?
 
So, I have the same problem when I install the application on a different computer. I probably missed a step.
 
The only thing I noticed is that the !wmitrace.logsave command remained *Busy* in WinDbg for a VERY long time, but I let it finish before opening the .etl file. I'm using WinDbg Preview version 10.0.27553.1004 and WPA version 11.1.5.2.

My process....
  1. Load the dump in WinDbg Preview.
  2. Run the !wmitrace.strdump command
  3. Run the !wmitrace.logsave 2 .etl_file_output_path command
  4. Wait for WinDbg to stop being *Busy*
  5. Open the .etl file in WPA.
 
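Added example, not code from the thread or from WinDbg/WPA: a small Python parser for the !wmitrace.logsave output pasted above. It sums the per-buffer Offset values to estimate how many bytes of trace data the saved .etl can actually carry, and flags a non-zero EventsLost and an EventsLogged of 2^64-1 (the unsigned -1). SAMPLE is a constructed three-buffer excerpt of the output quoted in this thread; the regexes are assumptions about that text layout.

```python
import re

# Constructed excerpt of the !wmitrace.logsave output quoted in the thread,
# trimmed to three buffer lines so the script runs offline.
SAMPLE = """\
WMI Trace Save: Debugger Extension. LoggerId = 2, Save File = 'W:\\Temp\\Tester.etl'
    Logger Id 0x02 @ 0xFFFFD0837ECF7040 Named 'Circular Kernel Context Logger'
      BufferSize          = 4 KB
      EventsLost          = 0
      EventsLogged        = 18446744073709551615

      Buffer      Address           Cpu RefCnt State
      ==============================================
      Buffer   1: ffffd0837ecfe000 ,  3:  15    General Logging    , Offset:     2040 ,  49% Used
      Buffer   5: ffffd0837edc7000 , 10:   0    Free List          , Offset:     4080 ,  99% Used
      Buffer  21: ffffd0837edd7000 ,  0:   0    Free List          , Offset:     4096 , 100% Used
"""

# "Name = value" lines of the logger summary (first token of the value only).
FIELD_RE = re.compile(r"^\s+(\w+)\s+=\s+(\S+)", re.M)
# One row of the per-buffer table (assumed layout, taken from the paste above).
BUFFER_RE = re.compile(
    r"Buffer\s+(\d+):\s+([0-9a-f]+)\s*,\s*(\d+):\s*(\d+)\s+(.+?)\s*,"
    r"\s*Offset:\s*(\d+)\s*,\s*(\d+)% Used"
)

def parse_logsave(text):
    # Returns (summary fields as strings, list of buffer rows as dicts).
    fields = dict(FIELD_RE.findall(text))
    buffers = []
    for m in BUFFER_RE.finditer(text):
        idx, addr, cpu, refcnt, state, offset, pct = m.groups()
        buffers.append({"index": int(idx), "address": addr, "cpu": int(cpu),
                        "refcnt": int(refcnt), "state": state,
                        "offset": int(offset), "percent_used": int(pct)})
    return fields, buffers

def check_logsave(text):
    # Estimate the payload the saved .etl carries and flag suspicious counters.
    fields, buffers = parse_logsave(text)
    buffer_bytes = int(fields["BufferSize"]) * 1024   # summary prints the size in KB
    used = sum(b["offset"] for b in buffers)          # Offset = bytes written per buffer
    findings = []
    if int(fields.get("EventsLost", "0")):
        findings.append("EventsLost is non-zero: the logger dropped events")
    if int(fields.get("EventsLogged", "0")) == 2**64 - 1:
        findings.append("EventsLogged is 0xFFFFFFFFFFFFFFFF (-1), not a usable count")
    return {"buffers": len(buffers), "used_bytes": used,
            "capacity_bytes": buffer_bytes * len(buffers), "findings": findings}
```

Run against the full 24-buffer paste from the thread, the capacity comes out at 24 x 4 KB, which bounds how much activity the extracted .etl can show regardless of which WPA build opens it.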
Even though I tried the same things, it didn't work. For WPA, I downloaded the preview version from the Microsoft store and opened the file and it worked. It fails when using ADK. I couldn't understand either.
 
After downloading, I opened it via SDK and it worked fine. Then I created a tester myself and it worked properly again. I guess he needed something to ignite the fuse...? :)
 
I notice that in your initial example you didn't specify a path, only a filename. Perhaps WinDbg couldn't write to the current path?
 
I didn't specify a file path because it saved directly to the downloads folder. It's working smoothly for now. Thanks for help!
 