How to enable debug logging locally on the client
Technical Articles ID: KB82192
Last Modified: 2023-01-11 06:52:53 Etc/GMT
Summary
Use these instructions when you're working with Technical Support to troubleshoot issues with FRP.
There are two tracing options built into the FRP client that can be enabled for debugging purposes. Both utilities log all activities in each component. In that way, a log is created of what happens at a certain point in time, such as when an FRP module malfunctions.
The user mode trace is used when the issue appears in the user interface of the product. The kernel mode is used when there are issues in the driver of the product; for example, when there are issues with the encryption of files.
The tracing utility creates one log for Driver (Kernel) Mode tracing, and one for User Mode tracing, depending on what tracing is enabled.
- Driver Mode / Kernel Mode
In this mode, the activities in the FRP driver are tracked and traced.
Because the FRP driver is extensively involved in all file Input/Output (I/O) transactions of the client system, the Kernel Mode trace grows large quickly. So, before using the Kernel tracing mode, the problem being traced must be as close as possible to 100% reproducible. Then, activate the Kernel tracing using the instructions in this article. Try to reproduce the problem immediately, and then disable Kernel mode tracing when the problem has been reproduced.
- User Mode
In this mode, the activities that happen in the User Mode are tracked and traced.
The User Mode trace file doesn't grow as fast as the Kernel trace. But, you must follow the same procedure as for Kernel tracing to keep all logs as small as possible. Thus, you reduce the amount of trace information not related to the issue being recorded.
IMPORTANT: Send any trace file that's generated to Technical Support for further analysis.
For FRP issues

| Mode | Reasons to use this mode |
|---|---|
| User Trace | Authentication issues; Windows Explorer issues; Context menu issues; Performance issues; Recovery issues; Application incompatibility issues |
| Kernel Trace | Data encryption and decryption operations issues; Data corruption issues, Windows Explorer issues; Performance issues; Application incompatibility issues |

For Removable Media issues

| Mode | Reasons to use this mode |
|---|---|
| User Trace | For all issues related to removable media |
| Kernel Trace | For all issues related to removable media |

Solution 1
Use one of the following methods to create a coreTrace log using either the MfeFfShell.com (command-line version) or MfeFfShell.exe (Windows version) utility. This file resides in the FRP Program Files directory.
IMPORTANT:
- Run the driver trace as administrator, or as a user that has administrator rights, on the local computer system.
- When creating a driver trace file, make sure that you perform the following actions:
  - Start tracing before the issue is reproduced and stop it immediately after the issue has been reproduced.
  - Avoid all other activities while driver tracing is enabled, because the driver trace output file grows large quickly. A driver trace larger than 25 MB, uncompressed, is too large to analyze.
For situations when you need to enable both User and Kernel mode tracing on the client, use the command-line option MfeFfShell.com:
- To enable User mode tracing, open a User command prompt:
  - Click Start.
  - In the Start Search box, type cmd, and then press Enter.
  - Change to the Program Files folder that the product was installed to.
    Default location: ..:\Program Files\McAfee\Endpoint Encryption for Files and Folders\
  - At the command prompt, type the following and press Enter:
    MfeFfShell -enable_user_mode_trace
- To enable Kernel mode tracing, open an administrator command prompt:
  - Click Start.
  - In the Start Search field, type cmd, and then press CTRL+SHIFT+ENTER.
  - If the User Account Control dialog window appears, confirm that the action it displays is what you want, and then click Continue.
  - Change to the Program Files folder that the product was installed to.
    Default location: ..:\Program Files\McAfee\Endpoint Encryption for Files and Folders\
  - At the administrator command prompt, type the following and press Enter to use full driver Kernel mode tracing:
    mfeffshell -change_tracing *=ON
  - Type the following command and press Enter to start the Driver mode tracing:
    MfeFfShell -begin_driver_trace c:\[path and filename for tracefile]
    NOTE: The path and file name for the trace file are free to choose; they determine where the driver trace is stored.
- Perform the operation, reproduce the problem, and capture the events in a log.
- At the administrator command prompt, type the following and press Enter to disable the Driver trace:
  MfeFfShell -end_driver_trace
- At the User command prompt, type the following and press Enter to disable the User trace:
  MfeFfShell -disable_user_mode_trace
- Use WinZip to archive the following two output files and send them to Technical Support for analysis:
  - The Driver trace file located in the path you specify when you enable Driver trace mode
  - The User trace file called TraceFile.sb that's located in the user's temp folder and the Windows temp folder.
    NOTE: The complete path to the user's temp folder is displayed when you enable User mode tracing.
To enable a different logging level
With the command syntax mfeffshell -change_tracing <flagpattern>=<level>, you can change the logging level.
NOTES:
- The <flagpattern> of the change_tracing option specifies the tracing that you want to capture. It can be any one of the strings listed below, or it can use the wildcard character asterisk (*) to match multiple flags.
- The <level> specifies what types of condition you want to trace; only ON and OFF are supported.
The values for the flagpattern in the -change_tracing option are as follows:
- SBDL_TRACE_*
- SBFS_TRACE_*
- SBCE_TRACE_*
- SBCD_TRACE_*
- PROM_TRACE_*
- FFV_TRACE_*
- SB_FLAG_*
Several tracing areas
The first part of the flag pattern in the tracing command selects the area to trace.

| Command | Purpose |
|---|---|
| SBCD | CD/DVD encryption |
| PROM | Removable Media encryption (EERM) |
| SBDL | Debugging library |
| SBFS | Virtual file system |
| SBCE | Main encryption driver |
| FFV | Vault driver |
| SB | Lists all available SB commands |

Command-line examples
- If you want to capture all CD-related trace:
  mfeffshell -change_tracing SBCD*=ON
- If you want to disable all CD tracing:
  mfeffshell -change_tracing SBCD*=OFF
- Use the -change_tracing command multiple times to get different combinations of flags. Changes are cumulative: each command changes only the flags that match its pattern and doesn't set all flags at once.
  mfeffshell -change_tracing *=OFF
  mfeffshell -change_tracing SBCE*=ON
  mfeffshell -change_tracing SBFS*=ON
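
The driver trace steps and the cumulative -change_tracing commands above, combined in a PowerShell script that always stops the trace and checks the result against the 25 MB limit. This is an added example, not vendor code; the install path under %ProgramFiles%, the C:\FRPTrace output path, the use of Compress-Archive in place of WinZip, and the SHA-256 hash step are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
param(
    # Assumption: product installed under %ProgramFiles%; adjust to the real install folder.
    [string]$FrpDir = "$env:ProgramFiles\McAfee\Endpoint Encryption for Files and Folders",
    # Assumption: output path chosen for this example (the article leaves it free to choose).
    [string]$TraceFile = 'C:\FRPTrace\driver_trace.log',
    # Flag patterns to switch ON; these two come from the article's command-line examples.
    [string[]]$Areas = @('SBCE*', 'SBFS*')
)

$shell = Join-Path $FrpDir 'MfeFfShell.com'
if (-not (Test-Path $shell)) { throw "MfeFfShell.com not found in $FrpDir" }
New-Item -ItemType Directory -Force -Path (Split-Path $TraceFile) | Out-Null

# Cumulative flag changes: everything OFF first, then only the areas under investigation.
& $shell -change_tracing '*=OFF'
foreach ($area in $Areas) { & $shell -change_tracing "$area=ON" }

& $shell -begin_driver_trace $TraceFile
try {
    $null = Read-Host 'Driver trace is running. Reproduce the problem, then press Enter'
}
finally {
    # Also runs on Ctrl+C, so the driver trace is never left enabled by accident.
    & $shell -end_driver_trace
}

if (-not (Test-Path $TraceFile)) { throw "No trace file was written to $TraceFile" }
$sizeMB = [math]::Round((Get-Item $TraceFile).Length / 1MB, 1)
if ($sizeMB -gt 25) {
    Write-Warning "Trace is $sizeMB MB; over 25 MB uncompressed is too large to analyze. Re-run with less activity."
}

# Compress-Archive stands in for WinZip; the SHA-256 hash is an addition of this example
# so the recipient can confirm the archive arrived unmodified.
$zip = "$TraceFile.zip"
Compress-Archive -Path $TraceFile -DestinationPath $zip -Force
Get-FileHash -Algorithm SHA256 -Path $zip | Format-List Path, Hash
```

Save it as a .ps1 file and run it from an elevated PowerShell session; User mode tracing is still enabled and disabled separately from a User command prompt, as described in the steps.
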
Solution 2
For situations where you only need to enable User mode tracing on the client, use the command-line option MfeFfShell.com:
- To enable User mode tracing, open a User command prompt:
  - Click Start.
  - In the Start Search field, type cmd, and then press Enter.
  - Change to the Program Files folder that the product was installed to.
    Default location: ..\Program Files\McAfee\Endpoint Encryption for Files and Folders\
  - At the User command prompt, type the following and press Enter to enable User mode tracing:
    MfeFfShell -enable_user_mode_trace
- Perform the operation, reproduce the problem, and capture the events in a log.
- At the User command prompt, type the following and press Enter to disable the User trace:
  MfeFfShell -disable_user_mode_trace
- Use WinZip to archive the User trace file called TraceFile.sb that's located in the user's temp folder and the Windows temp folder. Then, send them to Technical Support for analysis.
  NOTE: The complete path to the user's temp folder is displayed when enabling User mode tracing.