Systrace for Windows
9

102

I'm looking for a Windows equivalent of Systrace or at least strace. I'm aware of StraceNT, but wondering if there are any more alternatives out there. Specifically, I'm looking for a specific way to programmatically enforce system call policies, though this can be after the fact rather than actively stopping them.

Is there a good way to do this currently?

Centripetal answered 2/10, 2010 at 22:21 Comment(1)
Also related - #865339 – Shumaker
32

WinDbg's Logger.exe is the closest to strace: https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/logger-and-logviewer

EDIT: There's also windbg's wt: https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/wt--trace-and-watch-data-

Glabrescent answered 12/10, 2012 at 14:32 Comment(3)
However, it's more like ltrace than strace because it captures library calls rather than syscalls. – Wholly
@BrunoMartinez: you don't need to specify a memory address for using strace. – Patton
The only problem I met was that windbg stopped at a certain software breakpoint, not at the startup where I expected. So there were several syscalls I failed to capture. – Judson
45

A few options:

Process Monitor

Also, see this article about tools built into Windows 7:

Core OS Tools

Petitioner answered 2/8, 2011 at 22:56 Comment(4)
I just used Process Monitor to find out why a process was hanging - turns out it was trying to access a file which it couldn't delete... would never have figured it out without ProcMon. – Jill
I use strace quite a bit on Linux and came across this question while looking for a similar tool on Windows for troubleshooting an issue I was having with NAnt. I tried Process Monitor, set the filter to include only Nant.exe and exclude everything else, also set a filter for registry access only where I was having the problem, and quickly figured out the issue. I highly recommend Process Monitor. – Electrometer
@Petitioner: In my case I have a program which loads some files, buffers them to RAM (so there's no handle left) and crashes. As there's no handle left, Process Monitor is no help. – Patton
@Electrometer: the problem with Process Monitor is that a process doesn't need a handle to access a file. So in a case like mine (trying to see which config file causes a crash), it's no help. – Patton
18

The Dr. Memory (http://drmemory.org) tool comes with a system call tracing tool called drstrace that lists all system calls made by a target application along with their arguments: http://drmemory.org/strace_for_windows.html

For programmatically enforcing system call policies, you could use the same underlying engines as drstrace: the DynamoRIO tool platform (http://dynamorio.org) and the DrSyscall system call monitoring library (http://drmemory.org/docs/page_drsyscall.html). These use dynamic binary translation technology, which does incur some overhead (20%-30% in steady state, but much higher when running new code such as launching a big desktop app), which may or may not be suitable for your purposes.

Concent answered 7/4, 2014 at 13:14 Comment(0)
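The "after the fact" variant the question allows for can sit on top of any of these tracers: record the calls, then check the record against a policy. Below is an added example of that step, not code from this answer or from Dr. Memory/DynamoRIO. The trace layout it parses (`Name(arg=value, ...) = status`) is a constructed simplification, the sample lines are constructed, and the policy (two allowed path prefixes, one forbidden syscall) is an assumption; a real drstrace or Logger.exe trace has its own format and `parse_line()` would need adapting to it.

```python
"""After-the-fact system-call policy check over a captured trace.

Added example, not code from this answer or from Dr. Memory / DynamoRIO.
The trace layout parsed here, 'Name(arg=value, ...) = status', is a
constructed simplification; a real drstrace or Logger.exe trace has its own
format and parse_line() would need adapting to it.
"""
import re
from collections import namedtuple

# Constructed sample trace (not real captured output). Paths are in the NT
# object namespace form that the Nt* file calls actually receive.
SAMPLE_TRACE = r"""
NtOpenFile(FileName="\??\C:\Program Files\App\app.cfg", DesiredAccess=0x80100080) = 0x0
NtCreateFile(FileName="\??\C:\Users\demo\AppData\Local\Temp\tmp1.dat", DesiredAccess=0x40100080) = 0x0
NtOpenProcess(ProcessId=1234, DesiredAccess=0x1fffff) = 0x0
NtCreateFile(FileName="\??\C:\Windows\System32\drivers\etc\hosts", DesiredAccess=0x40100080) = 0xc0000022
NtQueryInformationProcess(ProcessHandle=0x1c4) = 0x0
"""

Event = namedtuple("Event", "syscall args result")
Violation = namedtuple("Violation", "lineno syscall reason")

LINE_RE = re.compile(r"^(\w+)\((.*)\)\s*=\s*(0x[0-9a-fA-F]+|-?\d+)\s*$")
ARG_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|0x[0-9a-fA-F]+|\d+)')

# Policy (assumed for the example): file calls may only touch these trees,
# and a config-loading application has no reason to open other processes.
ALLOWED_PREFIXES = (r"\??\C:\Program Files\App",
                    r"\??\C:\Users\demo\AppData\Local\Temp")
FILE_SYSCALLS = {"NtCreateFile", "NtOpenFile"}
DENIED_SYSCALLS = {"NtOpenProcess"}


def parse_line(line):
    """Parse one trace line into an Event, or return None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    name, argtext, result = m.groups()
    args = {}
    for key, raw in ARG_RE.findall(argtext):
        # Quoted values are kept verbatim (backslashes included); numbers are
        # decoded from hex or decimal.
        args[key] = raw[1:-1] if raw.startswith('"') else int(raw, 0)
    return Event(name, args, int(result, 0))


def path_allowed(path):
    """Prefix match on a path-component boundary, so an allowed 'App'
    directory does not also admit a sibling named 'AppEvil'."""
    p = path.lower()
    for prefix in ALLOWED_PREFIXES:
        a = prefix.lower()
        if p == a or p.startswith(a + "\\"):
            return True
    return False


def check_event(ev):
    """Return the reason ev violates the policy, or None if it is allowed."""
    if ev.syscall in DENIED_SYSCALLS:
        return "syscall not permitted"
    if ev.syscall in FILE_SYSCALLS and not path_allowed(ev.args.get("FileName", "")):
        return "path outside allowed set: %s" % ev.args.get("FileName", "<none>")
    return None


def audit(trace_text):
    """Run the policy over a whole trace. Attempts the OS already refused
    (non-zero NTSTATUS) are still reported: the attempt is the finding."""
    violations = []
    for lineno, line in enumerate(trace_text.strip().splitlines(), 1):
        ev = parse_line(line)
        if ev is None:
            violations.append(Violation(lineno, None, "unparseable line"))
            continue
        reason = check_event(ev)
        if reason:
            status = "succeeded" if ev.result == 0 else "failed (NTSTATUS %#x)" % ev.result
            violations.append(Violation(lineno, ev.syscall, "%s; call %s" % (reason, status)))
    return violations


if __name__ == "__main__":
    for v in audit(SAMPLE_TRACE):
        print("line %d: %s: %s" % (v.lineno, v.syscall, v.reason))
```

On the constructed trace this flags line 3 (NtOpenProcess, which succeeded) and line 4 (a write attempt under System32 that the OS already refused with STATUS_ACCESS_DENIED). Reporting the refused attempt as well is deliberate: for policy auditing, what the program tried to do matters as much as what it got away with, which is also why the ProcMon comments above about handle-less access do not bite here, since the syscall itself is what gets recorded.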
15

API Monitor looks very useful for this purpose.

Alexina answered 21/1, 2015 at 17:57 Comment(1)
This is an excellent program: it shows detailed function params/return values, allows you to breakpoint when certain conditions are met, and has many different hooking methods so it can be used on a lot of processes that don't like to be inspected. – Endomorph
8

Here is a pretty interesting article. I don't know if it hits the target you are looking for, but I think you may find it leading you in the direction you want.

http://jbremer.org/intercepting-system-calls-on-x86_64-windows/

Zadoc answered 26/7, 2013 at 13:44 Comment(1)
Thanks, that's pretty good. I guess it means we're still a long way off a nice and functional strace on Windows... – Brominate
2

There are several tools all built around Xperf. It's rather complex but very powerful -- see the quick start guide. There are other useful resources on the Windows Performance Analysis page

Manolete answered 20/12, 2011 at 9:2 Comment(2)
strace is unrelated to performance. It simply prints which system calls a process makes. The performance tools don't seem to do that. – Eu
First URL now redirects to learn.microsoft.com/en-us/previous-versions/windows/desktop/…. Second URL redirects to a generic MS page and seems to be lost. – Corpulence
2

You can use process monitor written by Mark Russinovich. This is a fantastic little application that will allow you to attach to any running process on the system and see all of the system calls that process is currently making.

https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx

Paraguay answered 21/1, 2017 at 16:38 Comment(1)
djhaskin987 already mentioned Process Monitor in his earlier answer. You should edit his answer and edit your description into it. – Fuld
1

strace is available from Cygwin in the cygwin package. You can download it from a Cygwin mirror, for example:

http://mirrors.sonic.net/cygwin/x86_64/release/cygwin/cygwin-2.0.2-1.tar.xz
#      |                      |                              |     |
#      +-----------+----------+                              +--+--+
#                  |                                            |
#               mirror                                       version

strace is one of the few Cygwin programs that does not rely on the Cygwin DLL, so you should be able to just copy strace.exe to where you want and use it.

Aemia answered 3/6, 2015 at 3:14 Comment(2)
It's good, but it only seems to work on other Cygwin programs. You can't strace notepad. It launches notepad, but doesn't capture any system calls. – Lawgiver
@MichaelFox: Yes, it only catches calls to cygwin1.dll. – Patton
-1

strace is supported by installing Git for Windows; as Michael Fox mentioned, it may not be useful for complex Windows software.

Conclave answered 22/8, 2019 at 22:10 Comment(2)
That is the Linux program. It only functions with Linux software/syscalls. – Firework
@HenkPoley not sure what you meant? – Conclave