How to Create a Boot-Time Global Logger Session
The easiest way to create a Global Logger trace session that logs kernel events is to use Tracelog to create a standard Global Logger trace session, and then add the EnableKernelFlags entry and its values. This topic describes the procedure.
Use Tracelog to create a Global Logger trace session. The simplest command is as follows:
tracelog -start GlobalLoggerFor instructions and more information, see Tracelog Command Syntax and Global Logger Trace Session. For an example, see Example 13: Creating a Global Logger Session.
Add a REG_BINARY entry named EnableKernelFlags to the HKLM\System\CurrentControlSet\Control\WMI\GlobalLogger subkey. Tracelog creates the GlobalLogger registry subkey when you use the tracelog -start command. The values that you can use for EnableKernelFlags are taken from the values of the EnableFlags member of the EVENT_TRACE_PROPERTIES structure. For a description of the EnableFlags values, see EVENT_TRACE_PROPERTIES.
Restart the system.
When your testing is complete, use the tracelog -remove GlobalLogger command to reinitialize the entries in the GlobalLogger subkey. Otherwise, the Global Logger trace session starts each time you start the system.
Comments
The presence of the EnableKernelFlags entry, with a valid value, converts the Global Logger trace session to an NT Kernel Logger trace session. The value of EnableKernelFlags, along with the other Global Logger registry entries, is used to configure the session. The trace session starts when you restart the system.
Registry entries are used to configure the Global Logger trace session, because the configuration values must be available before the system is fully operational.
You can configure a Global Logger trace session by editing the registry or by using Tracelog, a tool included in the Windows Driver Kit (WDK). For more information about the registry entries that configure the Global Logger trace session, see Global Logger trace session.
After running this trace session, use the tracelog -remove command to set the value of the Start entry to 0 to delete the registry subkeys that you added. If you do not, the session will run each time you start the system and the log might grow very large.
For more information about the Tracelog commands, see Tracelog Command Syntax
Related topics
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for