
Driver for logging Windows boot drivers and services


4 replies to this topic

#1 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  • European Union

Posted 19 February 2015 - 10:05 AM

Hello,

 

I've just published a fresh Windows driver that will create a text file containing the drivers, services and processes that are launched during the startup phase.

 

Basically, I am using this driver to measure the performance of the Windows boot and check which drivers might be causing the system to be slow.

 

The code, install instructions and license are available on https://github.com/n...rito/BootLogger

 

If you want to just try the driver then look in the "downloads" folder. Take a look at the README.txt for instructions on how to install. My advice is that you run this from a virtual machine and not your everyday desktop computer when testing around. I haven't yet tested the driver under Windows PE; it should presumably work since the code is fairly simple.

 

Feedback is welcome and constructive comments are welcome, trolling is not so welcome..

 

Hope you find the driver useful. :cheers:



#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 19 February 2015 - 10:38 AM

Interesting. :thumbup:

 

Can you post (here or on github) a sample of an actually created log?

 

I believe it will help in understanding what is logged and how and - indirectly - the tool may be useful/which added features it has when compared to - say - ntbtlog.txt and/or a trace like the ones only :w00t: MagicAndre1981 :worship: can actually read...

 

:duff:

Wonko



#3 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  • European Union

Posted 19 February 2015 - 12:13 PM

Can you post (here or on github) a sample of an actually created log?

 
Sure, here is a snippet of what you might expect on the header of a log:
18/02/2015 13:16:40.437, Driver, 4, \SystemRoot\System32\Drivers\crashdmp.sys
18/02/2015 13:16:40.453, Driver, 4, \SystemRoot\System32\Drivers\iaStor.sys
18/02/2015 13:16:40.453, Driver, 4, \SystemRoot\System32\Drivers\dumpfve.sys
18/02/2015 13:16:40.812, Driver, 4, \SystemRoot\system32\DRIVERS\cdrom.sys
18/02/2015 13:16:40.812, Driver, 4, \SystemRoot\System32\Drivers\Null.SYS
18/02/2015 13:16:40.828, Driver, 4, \SystemRoot\System32\Drivers\Beep.SYS
18/02/2015 13:16:40.843, Driver, 4, \SystemRoot\System32\drivers\watchdog.sys
18/02/2015 13:16:40.843, Driver, 4, \SystemRoot\System32\drivers\VIDEOPRT.SYS
18/02/2015 13:16:40.843, Driver, 4, \SystemRoot\System32\drivers\vga.sys
18/02/2015 13:16:40.843, Driver, 4, \SystemRoot\System32\DRIVERS\RDPCDD.sys
18/02/2015 13:16:40.859, Driver, 4, \SystemRoot\system32\drivers\rdpencdd.sys
18/02/2015 13:16:40.859, Driver, 4, \SystemRoot\system32\drivers\rdprefmp.sys
18/02/2015 13:16:40.859, Driver, 4, \SystemRoot\System32\Drivers\Msfs.SYS
18/02/2015 13:16:40.875, Driver, 4, \SystemRoot\System32\Drivers\Npfs.SYS
18/02/2015 13:16:40.875, Driver, 4, \SystemRoot\system32\DRIVERS\TDI.SYS
...
There is a separation between driver or process (module) to ease identifying what is what. I'm not so sure what the "4" and other numbers in the same field position are supposed to represent; I just thought it might be useful to include the value but didn't have much time (or need) to check.
 
You can view/download a full log at https://github.com/n...15-13-17-11.log
 

I believe it will help in understanding what is logged and how and - indirectly - the tool may be useful/which added features it has when compared to - say - ntbtlog.txt and/or a trace

 
From what I understand of ntbtlog.txt, its output is similar to:
Service Pack 1 8 10 2013 12:55:18.375
Loaded driver \SystemRoot\system32\ntkrnlpa.exe
Loaded driver \SystemRoot\system32\halmacpi.dll
Loaded driver \SystemRoot\system32\kdcom.dll
Loaded driver \SystemRoot\system32\mcupdate_GenuineIntel.dll
Loaded driver \SystemRoot\system32\PSHED.dll
Loaded driver \SystemRoot\system32\BOOTVID.dll
Loaded driver \SystemRoot\system32\CLFS.SYS
Loaded driver \SystemRoot\system32\CI.dll
Loaded driver \SystemRoot\system32\drivers\Wdf01000.sys
Loaded driver \SystemRoot\system32\drivers\WDFLDR.SYS
Loaded driver \SystemRoot\system32\drivers\ACPI.sys
Loaded driver \SystemRoot\system32\drivers\WMILIB.SYS
Loaded driver \SystemRoot\system32\drivers\msisadrv.sys
Loaded driver \SystemRoot\system32\drivers\pci.sys
Loaded driver \SystemRoot\system32\drivers\vdrvroot.sys
Loaded driver \SystemRoot\System32\drivers\partmgr.sys
Loaded driver \SystemRoot\system32\DRIVERS\compbatt.sys
 
From a first view I would say a point in favor of this boot logger (besides being open source) is that you get a time stamp when each driver is called. I could get a similar value using some sysinternals code but it is not permitted to be redistributed. A minus point for this custom boot logger is that I see some entries on the Windows tool that my driver is not capturing. For example: ntkrnlpa.exe, halmacpi.dll, ...

My goal here is to measure (more or less) accurately what is causing delays, so missing the early drivers doesn't bother me much since I'm more interested in seeing the performance of non-critical services and drivers that usually load later (printers, network drivers, ...).

Also, it seems that ntbtlog.txt includes some driver entries with no identification, meaning that they are launched but there is no name to be listed in the text file. On BootLogger this shouldn't happen.

A possible improvement in the future, by someone knowledgeable on driver architecture, could be having this driver run at an earlier point of the boot phase. Any volunteers? :)

#4 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 19 February 2015 - 01:28 PM

Well, if I can make a small suggestion (believing that it should not be particularly difficult), if you are making a simpler to use tool, you could add a simple (but useful) thingy to manage this kind of data:

18/02/2015 13:16:40.437, Driver, 4, \SystemRoot\System32\Drivers\crashdmp.sys
18/02/2015 13:16:40.453, Driver, 4, \SystemRoot\System32\Drivers\iaStor.sys
18/02/2015 13:16:40.453, Driver, 4, \SystemRoot\System32\Drivers\dumpfve.sys

adding to it a progressive number (useful for sorting/reverting), just like BTW github adds ;):

1 18/02/2015 13:16:40.437, Driver, 4, \SystemRoot\System32\Drivers\crashdmp.sys
2 18/02/2015 13:16:40.453, Driver, 4, \SystemRoot\System32\Drivers\iaStor.sys
3 18/02/2015 13:16:40.453, Driver, 4, \SystemRoot\System32\Drivers\dumpfve.sys
4 18/02/2015 13:16:44.046, Module, 408, \Windows\System32\sxssrv.dll
...
150 18/02/2015 13:16:44.046, Process, 444, \Device\HarddiskVolume2\Windows\System32\smss.exe
151 18/02/2015 13:16:44.046, Module, 444, \SystemRoot\System32\ntdll.dll
152 18/02/2015 13:16:44.062, Process, 452, \Device\HarddiskVolume2\Windows\System32\csrss.exe

 
and *something* that, once the trace is ended, adds a report (or an external tool) that transforms the above into user readable data *like*:
Report:

The trace lasted 1:02.278 minutes
The 10 items that took more time loading were (in decreasing loading time):
151 Module, 444, \SystemRoot\System32\ntdll.dll 0:00.016
....
The 10 Drivers that took more time loading were (in decreasing loading time):
....
The 10 Modules that took more time loading were (in decreasing loading time):
....
The 10 Processes that took more time loading were (in decreasing loading time):
...

 
:duff:
Wonko
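As an added example (not Brito's driver code and not anything from the BootLogger repository), here is a small Python script that parses the "timestamp, Type, Number, Path" lines shown in post #3 and produces the progressively numbered entries and the per-type top-N report sketched in the post above. It approximates an item's load time as the gap to the next logged event, which is the reading the 0:00.016 for ntdll.dll in the sketch implies; the sample lines are copied from the thread.

```python
import re
from datetime import datetime, timedelta
# Constructed sample in the "dd/mm/yyyy HH:MM:SS.fff, Type, Number, Path" format shown in the thread.
SAMPLE_LOG = r"""
18/02/2015 13:16:40.437, Driver, 4, \SystemRoot\System32\Drivers\crashdmp.sys
18/02/2015 13:16:40.453, Driver, 4, \SystemRoot\System32\Drivers\iaStor.sys
18/02/2015 13:16:40.812, Driver, 4, \SystemRoot\system32\DRIVERS\cdrom.sys
18/02/2015 13:16:44.046, Process, 444, \Device\HarddiskVolume2\Windows\System32\smss.exe
18/02/2015 13:16:44.046, Module, 444, \SystemRoot\System32\ntdll.dll
18/02/2015 13:16:44.062, Process, 452, \Device\HarddiskVolume2\Windows\System32\csrss.exe
"""
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}), (\w+), (\d+), (.+)$")

def parse_log(text):
    """Parse log lines into dicts, numbering them progressively; skips '...' and malformed lines."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"seq": len(entries) + 1,
                            "ts": datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S.%f"),
                            "kind": m.group(2), "num": int(m.group(3)), "path": m.group(4)})
    # Approximate an item's load time as the gap to the next logged event (the last one gets 0).
    for cur, nxt in zip(entries, entries[1:]):
        cur["dur"] = nxt["ts"] - cur["ts"]
    if entries:
        entries[-1]["dur"] = timedelta(0)
    return entries

def fmt(td):
    """Render a timedelta as m:ss.fff, e.g. 0:00.016."""
    ms = td // timedelta(milliseconds=1)
    return f"{ms // 60000}:{ms % 60000 // 1000:02d}.{ms % 1000:03d}"

def top_n(entries, n=10, kind=None):
    """Slowest n entries, optionally only Driver/Module/Process; ties keep log order."""
    pool = [e for e in entries if kind is None or e["kind"] == kind]
    return sorted(pool, key=lambda e: (-e["dur"], e["seq"]))[:n]

def report(text, n=10):
    """Build the post-trace summary in the shape sketched in the thread."""
    entries = parse_log(text)
    out = [f"The trace lasted {fmt(entries[-1]['ts'] - entries[0]['ts'])} minutes"]
    for kind in (None, "Driver", "Module", "Process"):
        label = "items" if kind is None else kind + "s"
        out.append(f"The {n} {label} that took more time loading were (in decreasing loading time):")
        out += [f"{e['seq']} {e['kind']}, {e['num']}, {e['path']} {fmt(e['dur'])}" for e in top_n(entries, n, kind)]
    return "\n".join(out)

print(report(SAMPLE_LOG))
```

Because a full log has thousands of lines, the gap-to-next-event figure is only a rough attribution: two items logged with the same timestamp (smss.exe and ntdll.dll above) both get 0:00.000 and the whole gap is charged to the later one.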

#5 Brito

Brito

    Platinum Member

  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  • European Union

Posted 19 February 2015 - 02:40 PM

Could be a future feature, makes sense.

 

@Joakim, would you like to help me out on this stats feature? :)





