Antipova Anna
Posted

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Unless explicitly requested by Kaspersky Support, there is no need to collect ETW logs.

You can use this article to collect driver traces for Light agent 5.2 as well. Please don't forget to change pathnames accordingly.

ETW_drivers.zip can be found here.

KES 11.5+

Enable KES tracing; the driver trace will run along with it. The trace is stored in C:\ProgramData\Kaspersky Lab\KES\Traces under a name like KES.%version%_MM.DD_HH.mm_PID.drivers.etl

As with KES tracing, it is recommended to collect the driver trace from driver startup, unless doing so affects reproduction of the issue or unless it is explicitly said to be mandatory for a specific issue. So, after enabling the KES trace, it is enough to reboot the PC. This starts driver logging at system boot and KES logging from service start. It is also recommended to collect the logs of all drivers at once, even though the instructions below show how to start them separately for a specific driver. Still, it is mandatory to identify the problematic driver before collecting diagnostics, unless this is impossible for some reason.

Batch scripts to run driver logs altogether

On demand

  1. Download the ETW_drivers.zip archive and extract it into the desired folder
  2. Run an elevated CMD
  3. CD to the folder where the script file drivers_on_demand.cmd resides and run it
  4. The driver trace will run until you press any key in the CMD window and then stop immediately. The driver logs will be in the folder where the script was executed

On demand for long time (split log files)

  1. Download the ETW_drivers.zip archive and extract it into the desired folder
  2. Run an elevated CMD
  3. CD to the folder where the script file drivers_on_demand_long_time.cmd resides and run it
  4. The driver trace will run until you press any key in the CMD window and will stop if you press it again. The driver logs will be in the folder where the script was executed

On boot

  1. Download the ETW_drivers.zip archive and extract it into the desired folder
  2. Run an elevated CMD
  3. CD to the folder where the script file enable_drivers_boot.cmd resides and run it. Do not run it more than once, and do not try to run disable_drivers_boot.cmd before the reboot.
  4. The driver trace will start after the reboot. To stop the capture, run disable_drivers_boot.cmd, also from an elevated CMD

Note: use this batch file only when the problem is reproduced during Windows startup. Otherwise, use the on-demand batch files.
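
For the KES 11.5+ case above, the following added example (not part of the original article and not a Kaspersky script) checks after the reboot that a driver trace was actually written since the last boot. The folder and file name pattern come from the article; the function name `Get-KesDriverTrace` is hypothetical, and the check assumes an elevated PowerShell session that can read the trace folder. Because the file name carries no year, the comparison uses the file's last write time.

```powershell
# Added example: list KES driver traces and confirm one was written since boot.
# Folder and name pattern are taken from the article; all else is an assumption.
$TraceDir = 'C:\ProgramData\Kaspersky Lab\KES\Traces'

# KES.%version%_MM.DD_HH.mm_PID.drivers.etl
$NamePattern = '^KES\.(?<Version>.+)_(?<Month>\d{2})\.(?<Day>\d{2})_' +
               '(?<Hour>\d{2})\.(?<Minute>\d{2})_(?<ProcId>\d+)\.drivers\.etl$'

function Get-KesDriverTrace {
    param([string]$Path = $TraceDir)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Trace folder not found: $Path"
    }
    Get-ChildItem -LiteralPath $Path -Filter '*.drivers.etl' -File |
        ForEach-Object {
            if ($_.Name -match $NamePattern) {
                # Split the name into the fields the article describes
                [pscustomobject]@{
                    Name      = $_.Name
                    Version   = $Matches.Version
                    Started   = '{0}.{1} {2}:{3}' -f $Matches.Month, $Matches.Day,
                                                     $Matches.Hour, $Matches.Minute
                    ProcessId = [int]$Matches.ProcId
                    SizeMB    = [math]::Round($_.Length / 1MB, 2)
                    LastWrite = $_.LastWriteTime
                }
            } else {
                Write-Warning "Unexpected trace file name: $($_.Name)"
            }
        }
}

$boot      = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$traces    = @(Get-KesDriverTrace | Sort-Object LastWrite -Descending)
$sinceBoot = @($traces | Where-Object { $_.LastWrite -ge $boot })

$traces | Format-Table Name, Version, Started, ProcessId, SizeMB, LastWrite -AutoSize

if ($sinceBoot.Count -eq 0) {
    Write-Warning "No driver trace written since boot ($boot). Check that KES tracing is enabled, then reboot."
} else {
    "Driver traces written since boot ($boot): $($sinceBoot.Count)"
}
```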
