Code for the cross platform, single source, OpenDTrace implementation
shuanliMS/DTrace-on-Windows
DTrace on Windows

Here at Microsoft, we are always looking to engage with open source communities to produce better solutions for the community and our customers. One of the more useful debugging advances that have arrived in the last decade is DTrace. DTrace of course needs no introduction: it's a dynamic tracing framework that allows an admin or developer to get a real-time look into a system either in user or kernel mode.

DTrace has a C-style, high-level and powerful programming language that allows you to dynamically insert trace points. Using these dynamically inserted trace points, you can filter on conditions or errors, write code to analyze lock patterns, detect deadlocks, etc. ETW, while powerful, is static and does not provide the ability to programmatically insert trace points at runtime.

There are many websites and resources from the community for learning about DTrace. One comprehensive option is the Dynamic Tracing Guide. This book describes DTrace in detail and is the authoritative guide for DTrace. We also have Windows-specific examples below.

In 2016, the OpenDTrace effort began on GitHub with the aim of providing a portable implementation of DTrace across different operating systems. We decided to add support for DTrace on Windows using this OpenDTrace port. This repository is a fork of the 'opendtrace' repository and contains the unified, cross-platform source code for the OpenDTrace system, including the kernel components.

Install

Prerequisites:

  • Windows 10 x64 Build 18342 or higher

Limitations:

  • Only available for 64-bit platforms
  • Only captures traces for 64-bit processes

Steps:

  1. Enable dtrace in the Boot Configuration Data (BCD) store by running bcdedit /set dtrace on from an elevated prompt. You will need to repeat this step every time you install a newer build of Windows.

  2. Download and execute the dtrace installer.

  3. Configure the _NT_SYMBOL_PATH environment variable for local symbol caching.

  4. (Optional) Configure Windows for kernel-mode debugging. This is only required if you want to trace kernel events using fbt or other providers.

  5. Reboot the target machine.
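A preflight script that verifies the prerequisites and steps above on the target machine. This is an added example, not part of the repository; it assumes an elevated PowerShell session (bcdedit requires administrator rights) and that bcdedit /enum {current} lists the element as "dtrace Yes" once it has been set.

```powershell
# Preflight check for the DTrace on Windows install steps (added example, not
# part of the repository). Assumes an elevated PowerShell session and that
# "bcdedit /enum {current}" shows "dtrace  Yes" after the element is set.
$minBuild = 18342
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
$results = [ordered]@{}

# Prerequisite: Windows 10 x64 build 18342 or higher
$results['Build >= 18342']      = ($build -ge $minBuild)
$results['64-bit OS']           = [Environment]::Is64BitOperatingSystem

# Step 1: dtrace element enabled in the BCD store for the current boot entry
$bcd = bcdedit /enum '{current}' 2>&1 | Out-String
$results['BCD dtrace on']       = ($bcd -match '(?m)^dtrace\s+Yes')

# Step 2: dtrace.exe reachable on PATH after running the installer
$results['dtrace.exe on PATH']  = [bool](Get-Command dtrace.exe -ErrorAction SilentlyContinue)

# Step 3: symbol path configured so kernel structures such as nt`_EPROCESS resolve
$results['_NT_SYMBOL_PATH set'] = -not [string]::IsNullOrWhiteSpace($env:_NT_SYMBOL_PATH)

foreach ($check in $results.Keys) {
    $state = if ($results[$check]) { 'OK  ' } else { 'FAIL' }
    Write-Host ("[{0}] {1}" -f $state, $check)
}
if ($results.Values -contains $false) {
    Write-Warning "At least one prerequisite is missing; complete the steps above and reboot."
}
```

Step 4 (kernel-mode debugging) is not checked because it is only needed for fbt and similar kernel providers.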

Examples

Note: DTrace on Windows leverages additional Windows security features that may impact your experience.

// Syscall summary by program for 5 seconds:
dtrace -Fn "tick-5sec { exit(0);} syscall:::entry{ @num[pid,execname] = count();} "

// Summarize timer set/cancel syscalls by program for 3 seconds:
dtrace -Fn "tick-3sec { exit(0);} syscall::Nt*Timer*:entry { @[probefunc, execname, pid] = count();}"

// Dump the System process kernel structure (requires the symbol path to be set):
dtrace -n "BEGIN{print(*(struct nt`_EPROCESS *) nt`PsInitialSystemProcess);exit(0);}"

// Trace paths through NTFS when running notepad.exe (requires KD attach): run the command below, then launch notepad.exe
dtrace -Fn "fbt:ntfs::/execname==\"notepad.exe\"/{}"

Learn more

License

OpenDTrace is under the CDDL license, see the LICENSE file in this repository for details.
