Hey Insiders! DTrace can now run riot in Windows 10, if you really want it to
Open-source debugger takes to the stage in OS's next release
Windows 10 has been tweaked to let devs enjoy the delights of DTrace while chasing down pesky bugs.
Microsoft's Hari Pulapaka took to Twitter to share the news, though he swiftly followed it up with a blog post explaining that when he said "Windows 10", he actually meant "Insider Builds from 18342" onwards.
we are excited to announce that we added support in Windows Kernel to run DTrace. DTrace is now officially supported on Windows 10! Full details on how to use DTrace on Insider builds, along with links to GitHub to our source code. cc @JenMsft @gvnn3https://t.co/aUn9QMIEzB— Hari Pulapaka (@TheRealHariP) March 11, 2019
The move is the latest to demonstrate that Microsoft is far from the anti-open-source beast of old.
The next release of Windows 10 also has a change aimed specifically at getting the thing up and running on Linux Kernel-based Virtual Machines (KVM).
Microsoft tweaks Windows 10 on Arm64 to play nicely with KVMREAD MORE
To make things work, the Windows team added a new kernel extension driver,
Traceext.sys, to expose the functionality required by DTrace. Pulapaka explained: "The Windows kernel provides callouts during stackwalk or memory accesses which are then implemented by the trace extension."
At this point, security fans will be stroking their chins thoughtfully. Allowing DTrace to run riot in the kernel stomps on some of Windows' built-in security. As DTrace can effectively make changes in functions being analysed, Microsoft's PatchGuard must be disabled, which Pulapaka confirmed on Twitter.
PatchGuard, formerly known as Kernel Patch Protection (KPP), is designed to stop miscreants from tinkering with the Windows kernel and will also stop DTrace from doing its thing.
Pulapaka remarked that the team knew what was needed to be done to make the two co-exist, but that it was "a lot of work" and they were keen for developers to get their hands on the new toys.
As it stands, it is important to understand that booting with a kernel debugger attached will leave PatchGuard disabled. SecureBoot also needs to be disabled to actually set the necessary options.
DTrace has its roots in Sun Microsystems' Solaris operating system, allowing developers to troubleshoot problems in real time and see what processes are doing in the guts of the system, either in user or kernel mode. It also allows devs to dynamically add tracepoints, detect deadlocks and so on.
The journey to Windows from Solaris was a bumpy one. After Oracle acquired Sun, the tool floundered somewhat until Big Red eventually open-sourced the thing. At its Ignite event last year, Microsoft announced that it had ported DTrace to Windows.
"DTrace on Windows" lurks under OpenDTrace on GitHub, and Microsoft plans to merge its changes over the coming months. ®
Sponsored: Becoming a Pragmatic Security Leader