The problem: Your DbgPrint or KdPrint messages don't appear in WinDbg (or KD) when you run your driver on Windows Vista.

The reason?  Vista automatically maps DbgPrint and friends to DbgPrintEx.  Now, you may recall that DbgPrintEx allows you to control the conditions under which messages will be sent to the kernel debugger by filtering messages via a component name and level in the function call and an associated filter mask in either the registry or in memory. 

In Vista, DbgPrint and KdPrint are mapped to component "DPFLTR_DEFAULT_ID" and level "DPFLTR_INFO_LEVEL".  Of course, in Vista, xxx_INFO_LEVEL output is disabled by default.  So, by default, your DbgPrint/KdPrint doesn't get sent to the kernel debugger.


How to fix it? Two choices:

  • Enable output of DbgPrint/KdPrint messages by default: open the key "HKLM/SYSTEM/CCS/Control/Session Manager/Debug Print Filter".  Under this key, create a value with the name "DEFAULT".  Set the value of this key equal to the DWORD value 8 to enable xxx_INFO_LEVEL output as well as xxx_ERROR_LEVEL output.  Or try setting the mask to 0xF so you get all output.  You must reboot for these changes to take effect.
  • Specifically change the component filter mask for DPFLTR.  In early releases of Vista/LH you changed the default printout mask by specifying a mask value for the DWORD at Kd_DPFLTR_MASK ("ed Kd_DPFLTR_MASK").  In build 5308 (the February CTP of Vista), it seems that the mask variable has changed and you need to set the mask value for the DWORD at Kd_DEFAULT_MASK ("ed Kd_DEFAULT_MASK").  In either case, specify 8 to enable DPFLTR_INFO_LEVEL output in addition to DPFLTR_ERROR_LEVEL output, or 0xF to get all levels of output.
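The mask values 8 and 0xF above, worked through in a small user-mode model of the filter rule. This is an added example, not code from the original article or the WDK. The function names are hypothetical, and the WIN2000 mask default of 0x1 and the rule for levels of 32 and above are taken from the WDK filtering documentation the article refers to, not from this page.

```c
#include <stdint.h>
#include <stdio.h>

/* Level constants as defined in the WDK headers. */
#define DPFLTR_ERROR_LEVEL   0
#define DPFLTR_WARNING_LEVEL 1
#define DPFLTR_TRACE_LEVEL   2
#define DPFLTR_INFO_LEVEL    3

/* Assumption: system-wide WIN2000 mask at its documented default. */
#define WIN2000_DEFAULT 0x1u

/* Levels 0..31 select the single bit (1 << Level); larger values are
 * used as the bit field itself. */
static uint32_t level_bits(uint32_t level)
{
    return level < 32 ? (uint32_t)1 << level : level;
}

/* Model only, not kernel code: a message is sent when its bit field
 * overlaps the component mask ORed with the WIN2000 mask. */
int message_passes(uint32_t level, uint32_t component_mask, uint32_t win2000_mask)
{
    return (level_bits(level) & (component_mask | win2000_mask)) != 0;
}

/* Bitmap of which of the four named levels reach the debugger. */
uint32_t visible_levels(uint32_t component_mask, uint32_t win2000_mask)
{
    uint32_t seen = 0;
    for (uint32_t lvl = DPFLTR_ERROR_LEVEL; lvl <= DPFLTR_INFO_LEVEL; lvl++)
        if (message_passes(lvl, component_mask, win2000_mask))
            seen |= (uint32_t)1 << lvl;
    return seen;
}

int main(void)
{
    const uint32_t masks[] = { 0x0, 0x8, 0xF }; /* candidate DEFAULT values */
    for (int i = 0; i < 3; i++)
        printf("DEFAULT=0x%X -> visible level bitmap 0x%X\n",
               (unsigned)masks[i],
               (unsigned)visible_levels(masks[i], WIN2000_DEFAULT));
    return 0;
}
```

With the DEFAULT mask at 0 only the error bit is visible, which is why a plain DbgPrint at DPFLTR_INFO_LEVEL is dropped; 8 adds the INFO bit and 0xF adds all four.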

See the WDK documentation for Reading and Filtering Debugging Messages (follow the path: Driver Development Tools/Tools for Debugging Drivers/Using Debugging Code in a Driver/Debugging Code Overview) for the complete details on the use of DbgPrintEx/KdPrintEx.  Or look at the Debugging Tools For Windows documentation (Appendix A) on DbgPrintEx.

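From the information above, we can see that the kernel filters debug messages before displaying them, and the filter criteria are the component name and level. In the DbgPrintEx function the component name and log level are specified explicitly; WinDbg can display the debug output only when Level is DPFLTR_ERROR_LEVEL.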

When DbgPrint or KdPrint is used directly, the OS automatically sets the filter parameters to "DPFLTR_DEFAULT_ID" and "DPFLTR_INFO_LEVEL", and DPFLTR_INFO_LEVEL messages are not displayed by default.


Modify the registry: under the path "HKLM/SYSTEM/CCS/Control/Session Manager/Debug Print Filter", create a new value named "DEFAULT" of type DWORD, with the value 8 or 0xF.


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter] 







The program compiled and linked without problems, but when I opened helloDDK(for NT).sys with drivermonitor, it only showed "Load the driver successfully!"...







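Following the method above, I added the corresponding key and value and set the value to 8. After rebooting, the debug messages still did not show, so I then changed it to 0xf, and it still didn't work - -. In fact, it had nothing to do with this...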





The KdPrintEx macro sends a string to the kernel debugger if certain conditions are met.

A call to KdPrintEx requires double parentheses.

    ULONG
      KdPrintEx (
        (
        IN ULONG  ComponentId,
        IN ULONG  Level,
        IN PCHAR  Format,
        . . . .  [arguments]
        )
        );


ComponentId: Specifies the component calling this routine. This must be one of the component name filter IDs defined in the Ntddk.h Windows Driver Kit (WDK) header file. To avoid mixing your driver's output with the output of Windows components, you should use only the following values for ComponentId:

Level: Specifies the severity of this message. This can be any 32-bit integer. Values between 0 and 31 (inclusive) are treated differently than values between 32 and 0xFFFFFFFF. For details, see Reading and Filtering Debugging Messages.

Format: Specifies a pointer to the format string to print. The Format string supports all the printf-style formatting codes. However, the Unicode format codes (%C, %S, %lc, %ls, %wc, %ws, and %wZ) can only be used with IRQL = PASSIVE_LEVEL.

arguments: Specifies arguments for the format string, as in printf.

Return Value

If successful, KdPrintEx returns the NTSTATUS code STATUS_SUCCESS; otherwise, it returns the appropriate error code.


KdPrintEx is identical to the DbgPrintEx routine in code that is compiled in a checked build environment. This routine has no effect if compiled in a free build environment. Only kernel-mode drivers can call the KdPrintEx routine.

KdPrintEx either passes the specified string to the kernel debugger or does nothing at all, depending on the values of ComponentId, Level, and the corresponding component filter masks. For details, see Reading and Filtering Debugging Messages.

Unless it is absolutely necessary, you should not obtain a string from user input or another process and pass it to KdPrintEx. If you do use a string that you did not create, you must verify that this is a valid format string, and that the format codes match the argument list in type and quantity. The best coding practice is for all Format strings to be static and defined at compile time.
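One way to carry out the check described above, as an added user-mode example that is not part of the KdPrintEx documentation. The names format_matches and render_untrusted are hypothetical; the checker is deliberately strict (a fixed allowlist of conversions, no length modifiers, no '*' widths), and snprintf stands in for the debug-print call.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 only if the conversions in fmt are exactly the sequence given
 * in `expected` (e.g. "px" = one pointer, then one hex integer).
 * Anything outside the allowlist is rejected: %n, '*' widths, length
 * modifiers, the Unicode codes (%S, %ws, %wZ, ...), truncated specifiers. */
int format_matches(const char *fmt, const char *expected)
{
    size_t used = 0, want = strlen(expected);
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                    /* literal percent */
        while (*p && strchr("-+ #0", *p)) p++;      /* flags */
        while (*p >= '0' && *p <= '9') p++;         /* width */
        if (*p == '.') { p++; while (*p >= '0' && *p <= '9') p++; }
        if (*p == '\0' || !strchr("dioxXucsp", *p)) return 0;
        if (used >= want || *p != expected[used]) return 0;
        used++;
    }
    return used == want;
}

/* Preferred pattern: the format is a compile-time constant and the
 * string you did not create is passed only as data. */
int render_untrusted(char *out, size_t n, const char *untrusted)
{
    return snprintf(out, n, "%s", untrusted);
}

int main(void)
{
    char buf[64];
    const char *hostile = "%x%x%n";   /* constructed sample input */
    printf("usable as format: %d\n", format_matches(hostile, ""));
    render_untrusted(buf, sizeof buf, hostile);
    printf("logged as data:   %s\n", buf);
    return 0;
}
```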

There is no upper limit to the size of the Format string or the number of arguments. However, any single call to KdPrintEx will only transmit 512 bytes of information. There is also a limit to the size of the DbgPrint buffer. See The DbgPrint Buffer and the Debugger for details.


Versions: Available in Microsoft Windows XP and later.

Headers: This routine is defined in ntddk.h and ndis.h; component filter IDs are defined in ntddk.h, ndis.h, and wdm.h. Include ntddk.h or ndis.h.

I thought I was nearly done, but then I found two link errors!!~~


One of them says: error LNK2019: unresolved external symbol __imp__DbgPrintEx 
referenced in function _DriverEntry@8..





Link against ntoskrnl.lib, not wdm.lib (by removing DRIVERTYPE=wdm in your sources). DbgPrintEx is not a WDM function.

WDM is a subset of the NT driver model as snapshotted by win9x releases over time, ending with WinME. Since win9x is no longer supported or released, the idea of WDM in terms of cross OS compat is no longer relevant. What remains of WDM is the name and the overall model, even if it is only supported by one OS family. WDM itself in terms of APIs has grown, but wdm.lib has not kept pace b/c it still matches the win9x subset of WDM. Any driver which targets win2k and beyond should really just link against ntoskrnl.lib








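So, having nothing better to do, I built it with the build tool of the corresponding Vista x86 checked build environment. After it compiled successfully, I took a look at DbgView just to try...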




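However, one problem remains: the NT program compiled successfully with the corresponding Vista x86 checked build, but after loading it there were not only no debug messages, there was a blue screen!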










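1. On Win7/Vista you really do need to modify the debug message filter value (I don't know why it didn't work for me - -), and this modification turns out to exist in two versions, wxp and wlh (the website does not explain this). If you cannot make the change yourself, you can use a tool made by someone else.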












2. An NT driver compiled with the build tool of the corresponding Vista x86 checked build blue-screens after loading.





