Joya Systems

Call Us: 1-877-DEV-KERNEL

How to Get a Call Stack for an ETW Event

Turn a trace row into the code path that produced it.

A trace message tells you what happened; a call stack tells you how the code got there. ETW can record a stack walk with each event, and WppViewer Studio resolves those frames against your symbols and source so you can read them next to the message.

Why Stacks Help

For intermittent, noisy, or timing-sensitive driver issues, the message alone rarely pinpoints the cause. With a resolved stack you see which function chain reached the trace point, which makes it far faster to decide where to look next — without dropping into a separate kernel debugger session.

Capture a Stack, Step by Step

  1. Use a licensed WppViewer Studio build. Stack inspection and kernel trace support are enabled in licensed Studio builds. The demo can show messages but disables stack dump and kernel stack support.
  2. Run WppViewer elevated. Stack-walk collection and kernel context depend on system-wide ETW logger features, so start WppViewer as administrator.
  3. Enable stack collection for the session. When you configure the trace session, turn on stack-walk collection so the logger records a stack with each qualifying event.
  4. Configure symbols and source paths. Add your symbol path or symbol server and the source tree so frames resolve to function names, files, and line numbers.
  5. Capture events and inspect the stack pane. Generate the events, select an event in the list, and read the resolved call stack in the stack pane alongside the message and source.
Ask about licensingSee WppViewer Studio

What Carries a Stack — and What Doesn't

Stack traces are available for ETW messages and DbgPrint events. Plain WPP messages do not generate stack data, so if you need stacks, instrument with ETW events or capture DbgPrint with kernel stack support enabled. For a complete, runnable example, see the EtwMessagesWithStack walkthrough, which builds a sample provider and shows messages, source, and stacks together.

Stack traces are available for ETW messages and DbgPrint events. WPP messages do not generate stack data.