Decrypting wdf01000.sys interrupts with WPA


If you are trying to figure out which WDF (Windows Driver Framework) driver is the source of all the interrupts, there is a way to do it. Since wdf01000.sys fields every interrupt on behalf of the framework drivers and only then calls the actual driver, an ordinary interrupt trace attributes them all to wdf01000.sys, which makes it difficult to tell which driver caused them. Fortunately, the kernel exposes two trace flags for exactly this: WDF_INTERRUPT and WDF_DPC. You can list all kernel trace flags with the following command: "xperf -providers KF".

You can trace as follows:

xperf -on diageasy+WDF_DPC+WDF_INTERRUPT+0x48000000+PROC_THREAD+LOADER+INTERRUPT+DPC+CSWITCH+TIMER+CLOCKINT -stackwalk TimerSetPeriodic+TimerSetOneShot+CSwitch+readythread+profile -clocktype perfcounter -buffersize 1024 -minbuffers 1024

xperf -d test.etl
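The two commands above, wrapped in a small PowerShell helper so the capture can be repeated. This is an added example, not code from the original post: it assumes xperf.exe from the Windows Performance Toolkit is on PATH and that you are running from an elevated prompt, and the trace duration and output file name are assumed values you can change. The xperf flags are exactly those used in the post; the only addition is a check that WDF_INTERRUPT and WDF_DPC actually appear in the output of "xperf -providers KF" before the trace is started.

```powershell
# Added example (not from the original post). Assumptions: xperf.exe is on PATH,
# the prompt is elevated, $DurationSeconds and $OutputEtl are placeholder values.
param(
    [int]$DurationSeconds = 30,
    [string]$OutputEtl = "test.etl"
)

# 1. Confirm the kernel flags the post relies on exist in this WPT version.
$kernelFlags = & xperf -providers KF
foreach ($needed in @("WDF_INTERRUPT", "WDF_DPC")) {
    if (-not ($kernelFlags | Select-String -SimpleMatch $needed)) {
        throw "Kernel flag $needed not listed by 'xperf -providers KF'; check your WPT version."
    }
}

# 2. Start the trace with the post's flags and stack walks unchanged.
& xperf -on diageasy+WDF_DPC+WDF_INTERRUPT+0x48000000+PROC_THREAD+LOADER+INTERRUPT+DPC+CSWITCH+TIMER+CLOCKINT `
        -stackwalk TimerSetPeriodic+TimerSetOneShot+CSwitch+readythread+profile `
        -clocktype perfcounter -buffersize 1024 -minbuffers 1024
if ($LASTEXITCODE -ne 0) { throw "xperf -on failed (is this prompt elevated?)" }

# 3. Let the workload that produces the interrupts run for the chosen duration.
Write-Host "Tracing for $DurationSeconds seconds..."
Start-Sleep -Seconds $DurationSeconds

# 4. Stop the session and write the merged trace; open the file in WPA afterwards.
& xperf -d $OutputEtl
if ($LASTEXITCODE -ne 0) { throw "xperf -d failed" }
Write-Host "Trace written to $OutputEtl"
```

Save it as a .ps1 file and run it from an elevated PowerShell window; with the WDF flags enabled, the WDF interrupt and DPC events in the resulting .etl let WPA attribute the work beneath wdf01000.sys to the individual framework driver.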


One Response to “Decrypting wdf01000.sys interrupts with WPA”

  1. Martin Says:

    Thanks for that information – very very helpful!
