Note that pre-built NtTrace64.exe and NtTrace86.exe binaries are included, for convenience, with the release.

Build instructions for Microsoft Visual Studio

At a Visual Studio command prompt type 'nmake -f NtTrace.mak' (or use CMake with CMakeLists.txt)
or, from a command prompt, run `scripts\build-vs-x64.bat` or `scripts\build-vs-x86.bat`.

Build the appropriate binary (32-bit or 64-bit) for your target program.

• Windows does not support 32-bit binaries debugging 64-bit ones.
• While you can use a 64-bit NtTrace on 32-bit programs the output from the 32-bit NtTrace is likely to be clearer.

(See Readme.txt for full details. Currently supports building with Visual Studio versions 2015 - 2026)

MemoryStats

Options:

Display memory statistics for child process(es)

SymExplorer

Options:

Provides access to symbols in the module specified.

Commands available:

ShowLoaderSnaps

Options:

Show Loader Snaps from executing the target program

• Added brief description of the additional tools
• Extend SymExplorer 'odr' command to work across binaries

• Added -totals command line option to NtTrace

• Addition of CMakeLists.txt for those who prefer to use CMake.
• Some modernization of the code base.

• Changed to use the MIT license to make it clearer what can be done with the source code.

• Enhanced display of ACCESS_MASK values
• Rationalise SAL processing

• Add `-only` option to suppress tracing of child processes
• Add `scripts` from Takayuki Matsuoka
• Apply some clang-tidy 'modernize' changes

• Log and continue after invalid handle exceptions raised by CloseHandle()
• Provide extra diagnostics on incorrect signature
• Prefer C++11 'using' over typedefs

• New entry points for Windows 11 22H2
• Show command line for created processes

• Add -nodlls option
• Distinguish the initial process breakpoint

• First pass at adding the Windows 11 NtDll functions

• Add inline frame handling to the StackTrace functionality
• Replace home-grown headers with cvconst.h, from the DIA SDK in Visual Studio
• Remove conditional code needed for ancient versions of MSVC

• Split NtTrace build directory into build32 and build64
• Update NtDll for Windows 10 2004
• Consistent logging of process header
• Use decorated name as a fallback if unable to undecorate

• Tracked new APIS in Windows 10 (up to build 2004)
• Fix crash in exception logging (issue #3)
• Changed email address

• Added the most recent Windows 10 APIs, and categorized some of them
• Update some enumerations, for example Power Information, with newer values
• Support for user32 and gdi32 on more recent versions of Windows that use win32u.dll
• Add -v option to NtTrace to display address and SSN

• Clean compile with VC14 (CTP3)
• Add filter off logic

• Ctrl+C now detaches from attached process (-a option) rather than terminating
• Add -nl option to force a newline on each output
• A few minor changes to NTDLL/Gdi32/User32 entry points

• Add -config option to allow easier selection of configuration
• Add Gdi32Trace.cfg containing the NtGdi functions exported from Gdi32
• Add User32Trace.cfg containing the NtUser functions exported from User32
• A few minor changes to NTDLL entry points
• Better logging of 64bit C++ exceptions
• Display of RootDirectory for ObjectAttributes

Version 1139 - 25-May-2012
Change summary:

• Add entry points for the NtWow64 functions (available to 32-bit programs on 64-bit Windows)
• Add names and types to a few more entry points
• Improve handling of duplicate/output arguments

Version 967 - 17-Nov-2011
Change summary:

• Add X64 build (AMD64) - supports 32-bit and 64-bit targets
• Add new entry points for Windows 7
• Extend coverage of names for enumerated values
• Add basic LPC_MESSAGE unpacking
• Add -pre option to trace pre-call as well as post-call
• Don't dereference output only arguments on error