Injecting Application Debug Messages

Process Monitor

If you are an application developer, it might be useful to include your own debug output in Process Monitor's event stream so that you can better correlate application operations with other events. Process Monitor allows unprivileged applications to inject wide-character strings of up to 2048 characters in length. The code sample below shows how to open the Process Monitor debugging interface and write messages to the event stream. The strings do not need to be null-terminated, though the one in the example is. John Robbins has also made helper classes, available for download, that you can use in your native or managed application to easily add support.

Note that you must show Profiling events, which are filtered by the default filter configuration, to see these events.

#include <windows.h>
#include <stdio.h>
#include <wchar.h>

/* Device type and control code of the Process Monitor debug logging interface. */
#define FILE_DEVICE_PROCMON_LOG 0x00009535
#define IOCTL_EXTERNAL_LOG_DEBUGOUT (ULONG) CTL_CODE( FILE_DEVICE_PROCMON_LOG, 0x81, METHOD_BUFFERED, FILE_WRITE_ACCESS )

int main(void)
{
    /* Open the Process Monitor debugging interface. The device name is a wide
       string, so call the wide-character variant of CreateFile explicitly. */
    HANDLE hDevice = CreateFileW( L"\\\\.\\Global\\ProcmonDebugLogger",
                                  GENERIC_READ|GENERIC_WRITE,
                                  FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,
                                  NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL );

    if ( hDevice != INVALID_HANDLE_VALUE ) {

        WCHAR text[] = L"Debug out";

        /* Input length in bytes, including the (optional) terminating null. */
        DWORD textlen = (DWORD)( (wcslen(text)+1) * sizeof(WCHAR) );
        DWORD nb = 0;

        /* Write the message to the event stream. */
        BOOL ok = DeviceIoControl( hDevice, IOCTL_EXTERNAL_LOG_DEBUGOUT, text, textlen, NULL, 0, &nb, NULL );

        if ( ok ) {
            printf( "wrote debug output message\n" );
        } else {
            printf( "error 0x%lx\n", GetLastError() );
        }

        CloseHandle( hDevice );

    } else {
        printf( "error %lu opening Process Monitor\n", GetLastError() );
    }

    return 0;
}
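
The following is an added example, not part of the original page and not Process Monitor's own code: a portable C helper that splits a longer message into pieces that respect the 2048-character limit without cutting a UTF-16 surrogate pair in half. The names procmon_next_chunk, procmon_send_all, chunk_sink and tally_sink are hypothetical, and it assumes the limit is counted in UTF-16 code units and that splitting is done by the caller.

```c
#include <stddef.h>
#include <stdint.h>

#define PROCMON_MAX_CHARS 2048  /* limit stated on this page */

/* Delivers one chunk. On Windows this would wrap DeviceIoControl() with
   IOCTL_EXTERNAL_LOG_DEBUGOUT, casting buf to the WCHAR buffer it expects. */
typedef int (*chunk_sink)(const uint16_t *buf, uint32_t bytes, void *ctx);

/* Length, in UTF-16 code units, of the next chunk: at most
   PROCMON_MAX_CHARS, and never ending on the first half of a surrogate pair. */
size_t procmon_next_chunk(const uint16_t *msg, size_t remaining)
{
    size_t n = remaining < PROCMON_MAX_CHARS ? remaining : PROCMON_MAX_CHARS;
    if (n < remaining && msg[n - 1] >= 0xD800 && msg[n - 1] <= 0xDBFF)
        n--;  /* high surrogate at the cut: move it to the next chunk */
    return n;
}

/* Sends a message of any length chunk by chunk. Returns the number of
   chunks sent, or -1 as soon as the sink reports a failure. */
int procmon_send_all(const uint16_t *msg, size_t len, chunk_sink sink, void *ctx)
{
    int chunks = 0;
    while (len > 0) {
        size_t n = procmon_next_chunk(msg, len);
        if (!sink(msg, (uint32_t)(n * sizeof(uint16_t)), ctx))
            return -1;
        msg += n;
        len -= n;
        chunks++;
    }
    return chunks;
}

/* Constructed sink for offline runs: tallies bytes instead of calling the driver. */
struct tally { uint32_t total_bytes, max_bytes; };

static int tally_sink(const uint16_t *buf, uint32_t bytes, void *ctx)
{
    struct tally *t = ctx;
    (void)buf;
    t->total_bytes += bytes;
    if (bytes > t->max_bytes)
        t->max_bytes = bytes;
    return 1;
}
```

The chunks are sent without a terminating null, which the page states is not required.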