1. Install WinDbg inside the guest. You will need to generate symbol files from the guest since this is the Windows version you will be hooking vprobes to.
2. Create a local or remote symbol server per Debugging Applications for Microsoft .NET and Microsoft Windows Part I, Chapter 2 and run the following command from the WinDbg folder:
cscript ossyms2.0.js \\symbols\path
This will take some time to complete and you should end up with a couple gigs of modules and their PDBs.
3. Run WinDbg in local kernel debugging mode on the guest and issue the following command, replacing <modulename> with an actual module name:
x <modulename>!*
4. Save the output from WinDbg: Edit > Write Window Text to File
5. Place the saved file in the guest datastore directory.
6. Stop the guest.
7. Edit the VMX file to include
vprobe.enable = "TRUE"
vprobe.guestSyms = "symbolFile.TXT"
8. Start the guest.
9. Issue the vprobeListProbes command to view your imported events.
The attached probes.txt file contains all my events with the NT module imported. nt.txt is the file I am importing with vprobe.guestSyms. I am not sure if this will be a problem but the event names look like:
GUEST:t!MiShutdownSystem*
instead of
GUEST:nt!MiShutdownSystem*
Any insight on this?
UPDATE FROM VMWARE:
This looks like an issue with our internal parsing logic for windbg-style symbol text files. Try adding a "0`" (w/o the double quotes) to each of the lines and you should see the full, intact probe names.
I will check this out and post my results...
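As an added example (not from the original post or from VMware), the following script applies the "0`" workaround to a saved WinDbg symbol file before it is placed in the datastore. It assumes the prefix goes in front of each bare 32-bit address so the line resembles the 64-bit `hi`lo` form, and the sample lines are constructed, not real `x nt!*` output.

```python
import re

# Constructed sample of the kind of text "x nt!*" writes out: two bare
# 32-bit addresses, one 64-bit address with a backtick, one non-symbol line.
SAMPLE_SYMBOL_TEXT = """\
8050a1b0 nt!MiShutdownSystem
8050a2c4 nt!MiShutdownSystemEx = <no type information>
fffff800`02a3b0c0 nt!KeBugCheckEx
this line is not a symbol
"""

# 32-bit line: 8 hex digits, then module!symbol.
# 64-bit line: two 8-digit halves joined by a backtick.
_SYMBOL_RE = re.compile(
    r"^(?P<hi>[0-9a-fA-F]{8}`)?(?P<lo>[0-9a-fA-F]{8})\s+"
    r"(?P<module>[^!\s]+)!(?P<symbol>\S+)(?P<rest>.*)$"
)


def parse_symbol_line(line):
    """Return (module, symbol, has_backtick), or None for non-symbol lines."""
    m = _SYMBOL_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return m.group("module"), m.group("symbol"), m.group("hi") is not None


def normalize_line(line):
    """Prefix "0`" to lines with a bare 32-bit address (assumed placement
    of the prefix); lines that already carry a backtick are left alone."""
    line = line.rstrip("\r\n")
    parsed = parse_symbol_line(line)
    if parsed is None or parsed[2]:
        return line
    return "0`" + line


def normalize_symbol_file(text):
    """Rewrite a whole saved WinDbg window dump line by line."""
    return "\n".join(normalize_line(l) for l in text.splitlines()) + "\n"


def modules_in(text):
    """Module names the parser sees; check that 'nt' appears intact here."""
    found = {p[0] for p in map(parse_symbol_line, text.splitlines()) if p}
    return sorted(found)


if __name__ == "__main__":
    print(normalize_symbol_file(SAMPLE_SYMBOL_TEXT), end="")
    print("modules:", modules_in(SAMPLE_SYMBOL_TEXT))
```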