Building VTrace, a Tracer for Windows NT and Windows 2000

Jacob R. Lorch and Alan Jay Smith

EECS Department
University of California, Berkeley
Technical Report No. UCB/CSD-00-1093
February 2000

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2000/CSD-00-1093.pdf

In order to conduct accurate simulations of new approaches to energy management, we needed to collect detailed, time-stamped traces of several diverse types of activity on Windows NT and Windows 2000. For this purpose, we wrote VTrace, which collects data about processes, threads, messages, disk operations, network operations, the keyboard, the mouse, and the cursor. Building this tool required a large number of special techniques, which we describe in this paper. These techniques included using a DLL loaded into the address space of every process to intercept Win32 system calls; establishing hook functions for Windows NT kernel system calls; modifying the context switch code in memory to log context switches despite inadequate operating system support; and using device filters to log accesses to devices such as file systems, disk partitions, network transport layers, and the keyboard. We also describe related issues, such as where we found the necessary information, and how to debug a tracing tool that is intimately connected to the operating system kernel. Finally, since VTrace was originally written for Windows NT but later modified and extended to run with Windows 2000, we briefly discuss some of the changes required for Windows 2000.
BibTeX citation:

@techreport{Lorch:CSD-00-1093,
    Author = {Lorch, Jacob R. and Smith, Alan Jay},
    Title = {Building VTrace, a Tracer for Windows NT and Windows 2000},
    Institution = {EECS Department, University of California, Berkeley},
    Year = {2000},
    Month = {Feb},
    URL = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2000/5346.html},
    Number = {UCB/CSD-00-1093},
}

EndNote citation:

%0 Report
%A Lorch, Jacob R.
%A Smith, Alan Jay
%T Building VTrace, a Tracer for Windows NT and Windows 2000
%I EECS Department, University of California, Berkeley
%D 2000
%@ UCB/CSD-00-1093
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2000/5346.html
%F Lorch:CSD-00-1093