แก้ไข

แชร์ผ่าน


Global Logger Trace Session

A Global Logger trace session records events that occur during the boot process before the system is fully operational, such as events generated by device drivers. It is a reserved trace session that is built into Windows.

Global Logger trace sessions always write messages to a trace log. Global Logger does not support real-time trace sessions or buffered trace sessions.

Because Global Logger must be available early in the operating system boot process, it is started and configured by using registry entries (in the HKLM\SYSTEM\CurrentControlSet\Control\WMI\GlobalLogger subkey), instead of function calls. After starting, the Global Logger behaves like a regular event tracing session.

The Global Logger trace session uses a reserved session name, "GlobalLogger." The control GUID is represented by the constant, GlobalLoggerGuid. You create a Global Logger trace session, and then restart the computer to start the trace session. Only one Global Logger trace session can run on the computer at a time.

To create a Global Logger trace session, use Tracelog. It automatically creates the registry subkey and entries that store trace session options. The Global Logger trace session starts when you restart the computer. For more information, see Tracelog Command Syntax.

To format the trace messages from a Global Logger trace session, use Tracefmt with system.tmf, a trace message format file included in the WDK.

Because the Global Logger session is triggered by registry entries, it runs every time that the entries appear in the registry. To prevent the Global Logger session from starting every time the system starts, set the value of the Start entry to 0 or delete all of the registry entries.

You can convert a Global Logger trace session to an NT Kernel Logger trace session, thereby tracing the kernel during the boot process. For information, see Boot-time Global Logger Session

Trace providers, such as kernel-mode drivers and user-mode applications, can log to the Global Logger trace session. This enables you to trace a driver or other trace provider during system boot. For information, see Logging to the Global Logger Session

Limitations of the Global Logger Trace Session

The Global Logger trace session is very useful, but it's important to be aware of its limitations:

You can run only one Global Logger session at a time.

The Global Logger session does not send enable notification to providers.

The Global Logger registry entries remain in the registry and are effective until you reset or delete them manually, or use the tracelog -remove command. Until you reset them, the Global Logger session starts every time you start the system.

The Windows ACPI logger is permanently enabled for the Global Logger trace session. The trace messages from this logger appear in the trace log.

If a standard trace session starts while a driver is logging to the Global Logger session, the driver switches and starts logging to the standard trace session.

Global Logger Registry Entries

The following table shows the registry entries that configure the Global Logger session. These entries are in the HKLM\SYSTEM\CurrentControlSet\Control\WMI\GlobalLogger subkey. Only the Start entry is required.

In addition to the registry entries in this table, you can also add a ControlGUID subkey under the GlobalLogger subkey to represent a trace provider, such as a driver, that logs to the Global Logger trace session. For information, see Logging to the Global Logger Session.

Entry Data type Description

Start

REG_DWORD

When set to 1 (on), the Global Logger session starts the next time the system starts.

0 = off, 1=on

BufferSize

REG_DWORD

Specifies the size of each buffer (in KB). The default value is 0x40 (64 KB).

ClockType

REG_DWORD

Specifies the timer used for trace message time stamps.

Beginning with Windows Vista, the default value is 1. On operating systems prior to Windows Vista, the default value is 2.

1 = Performance counter value (high resolution)

2 = System timer

3 = CPU cycle clock

EnableKernelFlags

REG_BINARY

Converts the Global Logger session to an NT Kernel Logger trace session and specifies the events included in the kernel trace.

For information, see Boot-time Global Logger Session.

FileCounter

REG_DWORD

Stores the number of event trace log files generated by Global Logger sessions.

The system increments this value until it reaches the value of FileMax. Then, it resets the value to 0.

This counter prevents the system from overwriting a Global Logger trace log file.

FileMax

REG_DWORD

Specifies the maximum number of event trace log files permitted on the system.

When the number of trace logs reaches the specified maximum, the system begins to overwrite the logs, beginning with the oldest.

The default value is 0, meaning that there is no maximum.

FileName

REG_SZ

Path (optional) and file name of the event trace log file. The default is %SystemRoot%\System32\LogFiles\WMI\trace.log.

FlushTimer

REG_DWORD

Specifies how often (in seconds) the trace buffers are forcibly flushed. This forced flush is in addition to the automatic flush that occurs whenever a buffer is full and when the trace session stops.

The default value is 0. By default, buffers are flushed only when they are full.

The minimum flush time is 1 second.

LogFileMode

REG_DWORD

Specifies log session options.

Supported only in Windows Vista and later versions of Windows.

MaximumBuffers

REG_DWORD

Specifies the maximum number of buffers that can be allocated for the session. The default value is 0x19 (25).

MaximumFileSize

REG_DWORD

Specifies the maximum size of the event trace log file. By default, there is no maximum file size.

MinimumBuffers

REG_DWORD

Specifies the number of buffers allocated when the session starts. The default value is 0x3.

Status

REG_DWORD

Stores the return code from the attempt to start a Global Logger trace session.

If the session failed to start, the value of this entry is a Win32 error code. If the session started, the value of this entry is ERROR_SUCCESS.

These registry entries that you create remain in the registry and are effective until you delete them or change their values. Therefore, after the Global Logger session has run, use the tracelog -remove GlobalLogger command to set the value of the Start entry to 0 and delete the other Global Logger registry entries. Otherwise, the Global Logger session runs every time that you restart the computer, and the resulting log file can grow very large.

Logging Mode Constants

The following table displays the valid values for the LogFileMode registry entry in the HKLM\System\CurrentControlSet\Control\WMI\GlobalLogger subkey. This entry is used to set options for a Global Logger trace session, including those for real-time trace sessions, private trace sessions, circular logging, and buffering (no log). This registry entry is supported only in Windows Vista and later versions of Windows.

This registry entry corresponds to the LogFileMode member of the EVENT_TRACE_PROPERTIES structure. Its values correspond to the Logging Mode Constants. The EVENT_TRACE_PROPERTIES structure and the Logging Mode Constants are described in the Microsoft Windows SDK documentation.

This table is displayed here to show the hexadecimal values of the constants. Use these values or a sum of these values to represent the constant in the LogFileMode registry entry.

Value Constant Description

0x0

EVENT_TRACE_FILE_MODE_NONE

No event trace log files are created.

0x1

EVENT_TRACE_FILE_MODE_SEQUENTIAL

Event trace log files are sequential.

0x2

EVENT_TRACE_FILE_MODE_CIRCULAR

Event trace log files are circular.

0x4

EVENT_TRACE_FILE_MODE_APPEND

Append trace messages to an existing log file. This mode is valid only with sequential files.

0x8

EVENT_TRACE_FILE_MODE_NEWFILE

Create a new event trace log file whenever the existing file reaches the value of the MaximumFileSize entry (see the table above).

0x20

EVENT_TRACE_FILE_MODE_PREALLOCATE

Reserves space for the event trace log file.

Valid only with EVENT_TRACE_FILE_MODE_SEQUENTIAL or EVENT_TRACE_FILE_MODE_CIRCULAR, and not valid with EVENT_TRACE_FILE_MODE_NEWFILE.

0x40

EVENT_TRACE_NONSTOPPABLE_MODE

A call to StopTrace does not stop the trace session.

This feature prevents users from stopping trace sessions that the system requires for diagnosis and tuning.

0x100

EVENT_TRACE_REAL_TIME_MODE

Specifies a real-time trace session.

0x200

EVENT_TRACE_DELAY_OPEN_FILE_MODE

For internal use only.

0x400

EVENT_TRACE_BUFFERING_MODE

Events are retained in the buffers. They are never written to a log file or delivered to a trace consumer.

0x800

EVENT_TRACE_PRIVATE_LOGGER_MODE

Specifies a private trace session. This flag is not valid for a Global Logger trace session.

0x1000

EVENT_TRACE_ADD_HEADER_MODE

For internal use only.

0x2000

EVENT_TRACE_USE_KBYTES_FOR_SIZE

Interpret the value of MaximumFileSize in KB, instead of MB.

0x4000

EVENT_TRACE_USE_GLOBAL_SEQUENCE

Generates global sequence numbers for trace messages. These numbers are unique for all trace sessions on the computer.

By default, trace messages do not have any sequence numbers.

0x8000

EVENT_TRACE_USE_LOCAL_SEQUENCE

Generates local sequence numbers for trace messages. These numbers are unique within the trace session.

By default, trace messages do not have any sequence numbers.

0x10000

EVENT_TRACE_RELOG_MODE

For internal use only.

0x80000

EVENT_TRACE_KD_FILTER_MODE

Redirects the trace messages to the kernel debugger and sets the trace buffer size to 3 KB, the maximum buffer size for the debugger.

0x1000000

EVENT_TRACE_MODE_RESERVED

Not valid for a Global Logger trace session.

0x01000000

EVENT_TRACE_USE_PAGED_MEMORY

Allocate trace session buffers from pageable memory. By default, the buffers are allocated from nonpageable memory.