drstrace is a system call tracing tool for Windows. It uses the Dr. Memory Framework to monitor all system calls executed by a target application.
To use drstrace, simply launch it on the target application of your choice. By default, its output is sent to log files in the current directory, one per process. A different location for these files can be specified with the -logdir parameter. Here is a simple example:
This command will result in data written to a file named drstrace.calc.exe.<pid>.<counter>.log in the current directory. For example:
Here is some example output from that file:
drstrace traces all child processes. The runtime option -no_follow_children overrides this and traces only the parent process.
In order to report detailed system call type information on Windows, drstrace relies on debug symbol information (specifically, WinTypes.pdb). The first time the tool is executed, it retrieves this data over the network, caching it locally for future use. By default the cache is a local directory. If the _NT_SYMBOL_PATH environment variable is set, or if the -symcache_path runtime option is set, the specified directory will be used for caching the symbol data.
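As an added example (not part of the drstrace documentation or the tool itself): a small Python helper that assembles a drstrace command line from the options described above and then inventories the per-process log files a run leaves behind, using the drstrace.<app>.<pid>.<counter>.log naming scheme. It assumes that options precede the target application on the command line and that the target's own arguments are passed through unchanged; the sample directory listing is constructed, not real tool output.

```python
import re
from collections import defaultdict

# File name scheme from the documentation: drstrace.<app>.<pid>.<counter>.log
# <app> is greedy so names containing dots (e.g. "calc.exe") still match.
LOG_NAME = re.compile(r"^drstrace\.(?P<app>.+)\.(?P<pid>\d+)\.(?P<counter>\d+)\.log$")


def build_command(app_args, logdir=None, follow_children=True, symcache_path=None):
    """Return an argv list for drstrace.
    Assumption (not stated on the page): options come before the target application."""
    argv = ["drstrace"]
    if logdir is not None:
        argv += ["-logdir", logdir]            # where the per-process logs go
    if not follow_children:
        argv.append("-no_follow_children")     # trace only the parent process
    if symcache_path is not None:
        argv += ["-symcache_path", symcache_path]  # WinTypes.pdb cache location
    return argv + list(app_args)


def parse_log_name(path):
    """Split a log file name into (app, pid, counter); None if it is not a drstrace log."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]   # basename, Windows or POSIX
    m = LOG_NAME.match(name)
    if m is None:
        return None
    return m["app"], int(m["pid"]), int(m["counter"])


def inventory(filenames):
    """Group log files by traced application and pid, ordered by counter.
    Because drstrace follows child processes, one run yields one log per process,
    so this shows every process the run actually traced. Returns {app: {pid: [file, ...]}}."""
    tree = defaultdict(lambda: defaultdict(list))
    for f in filenames:
        parsed = parse_log_name(f)
        if parsed is None:
            continue                              # unrelated file in the log directory
        app, pid, counter = parsed
        tree[app][pid].append((counter, f))
    return {app: {pid: [f for _, f in sorted(v)] for pid, v in pids.items()}
            for app, pids in tree.items()}


if __name__ == "__main__":
    # Constructed sample listing of a -logdir directory (not real output).
    sample = ["drstrace.calc.exe.2504.0000.log", "drstrace.calc.exe.2504.0001.log",
              "drstrace.conhost.exe.1188.0000.log", "notes.txt"]
    print(build_command(["calc.exe"], logdir=r"C:\logs"))
    for app, pids in inventory(sample).items():
        print(app, {pid: len(files) for pid, files in pids.items()})
```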
Window of Tracing
drstrace starts logging only at the executable's entry point. Thus, system calls executed by the initialization code in statically imported shared libraries will not be seen. However, logging for child processes whose parent is under the control of drstrace starts earlier, during shared library initialization. Future versions will provide an earlier start point for the initial process.
Windows XP and 2000 Console Output
On Windows XP and Windows 2000, when drstrace is run from the cmd console and its output is not sent to a file, the printed output stops prior to the final system call. This is because drstrace traces past the point where the application's console state in csrss is cleaned up, which prevents any further writes to the console by that process. Use a file if complete output is required.