My ultimate goal: to better understand the implementation of ETW/WPP traces.

The way I want to use it: under WinPE, I try to analyze the behavior of the DSMSVC service: timeout for a full display of devices.

Quick introduction of ETW and WPP technologies.

I think I understood the concepts of Providers, Controllers, Consumers.
Here is the site, among all those I consulted, that sums up well what I understood:
https://www.magicsplat.com/book/event_tracing.html
My main documentation for TMF files:
https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-using-wpp-and-tracelogging-e465f8b653f7

Analysis of DeviceSetupManager.dll (DSMSVC) code with IDA:
- to identify the GUIDs
- to understand the use of WPP_xxx functions

A summary of my investigations with IDA and Windbg:

The "DllMain" function of "DeviceSetupManager.dll" registers 3 GUIDs with 2 different APIs and 3 different callbacks:

    GUID1: AB11A476-79F6-5026-7D54-2E989E539A2D   EventRegister         TlgEnableCallback
    GUID2: 6CD73F09-D1F7-47A2-9D8B-C9CCC8D6F27E   RegisterTraceGuidsW   WppControlCallback
    GUID3: FCBB06BB-6A2A-46E3-ABAA-246CB4E508B2   EventRegister         McGenControlCallbackV2

My first observations in WinPE:

When the DSMSVC service is active, the command "logman query providers microsoft-Windows-devicesetupmanager" shows only the GUID FCBB06BB-6A2A-46E3-ABAA-246CB4E508B2: why doesn't it display the other 2 GUIDs?

The activation in "eventvwr.msc" of this provider's log ("debug") allows you to view certain events. But it doesn't display WPP messages.

Note: to activate the "debug" logs in Eventvwr on WinPE: you have to activate the "debug" logs from the "display" menu: change to the file ????
then activate the desired log in the left treeview with a right click.

The logman activation sequence:

    logman create trace MyTrace -o "X:\DSMSVC-Trace.etl" -ets -rt
    logman update MyTrace -p {FCBB06BB-6A2A-46E3-ABAA-246CB4E508B2} 0xff 5 -ets
    logman update MyTrace -p {6CD73F09-D1F7-47A2-9D8B-C9CCC8D6F27E} 0xff 5 -ets
    logman update MyTrace -p {AB11A476-79F6-5026-7D54-2E989E539A2D} 0xff 5 -ets
    rem Create activity with DSMSVC (generated with the config panel)
    logman stop MyTrace -ets

Note: The role of the 2 parameters "0xff" and "5" is variable and is left to the initiative of the programmer, so reading the code with IDA is necessary. (Read in an MS doc, perhaps in the description of the callback.)

First point:
- How to read and exploit this file "X:\DSMSVC-Trace.etl" with comfort? You can load the ETL file in Eventlog but Eventvwr.msc does not interpret all content.
- How to build these ".TMF" files? I found some good documentation here:
  https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-using-wpp-and-tracelogging-e465f8b653f7
  It explains better than I can!

Second point, build the TMF manually:
Big work with IDA to analyze the DeviceSetupManager.dll code and build the ".TMF" files.
I added some comments but it's a far cry from the original MS TMF files.
So, I read the GUID in IDA and I write it with parameters that seem to be the good ones.
Note: where to find default.tmf? It is needed to know the items used in TMF. I found one in:
"C:\Program Files (x86)\Windows Kits\10\bin\10.0.18362.0\x64\default.tmf"

Third point, trace analysis of the file MyTrace.txt:
It's not that simple, because it takes a good understanding of the code with IDA in order to be able to properly document the TMF files.
In fact it is very complex.
My way: this reading should be synchronized with the analysis of the "stack" provided by procmon.

3-1 - It is very difficult for me to find the GUID in the IDA file.
The command "logman query providers microsoft-Windows-devicesetupmanager" provides the GUID: 'FCBB06BB-6A2A-46E3-ABAA-246CB4E508B2'
This allows me to deduce the "value" of the GUIDs from the IDA listing.
So I retain the following GUIDs with the APIs used to register them and the callbacks:

    EventRegister         GUID1: AB11A476-79F6-5026-7D54-2E989E539A2D   TlgEnableCallback
    RegisterTraceGuidsW   GUID2: 6CD73F09-D1F7-47A2-9D8B-C9CCC8D6F27E   WppControlCallback
    EventRegister         GUID3: FCBB06BB-6A2A-46E3-ABAA-246CB4E508B2   McGenControlCallbackV2

It is this GUID3 that is the only one visible in "eventvwr.msc" and in "logman": why?

3-2 - Where is the information returned by the registrations stored?

    ULONG EVNTAPI EventRegister (
        LPCGUID         ProviderId,
        PENABLECALLBACK EnableCallback,
        PVOID           CallbackContext,
        PREGHANDLE      RegHandle              // in r9!
    );

    ULONG WMIAPI RegisterTraceGuidsW(
        WMIDPREQUEST             RequestAddress,     // callback!
        PVOID                    RequestContext,
        LPCGUID                  ControlGuid,
        ULONG                    GuidCount,
        PTRACE_GUID_REGISTRATION TraceGuidReg,
        LPCWSTR                  MofImagePath,
        LPCWSTR                  MofResourceName,
        PTRACEHANDLE             RegistrationHandle  // in the stack
    );

For GUID 1: in the variable REGHANDLE_qword_180039078 (variable name I defined in the IDA listing)
For GUID 3: in the variable MICROSOFT_WINDOWS_DEVICESETUPMANAGER_Context (variable name I defined in the IDA listing)
For GUID 2: complex !!!!

3-3 - Which trace writing command is used for each GUID?
I see two distinct families of trace writing.
"McTemplate" functions use the EventWriteTransfer API for GUID3
"WPP_SF_" functions use the TraceMessage API for GUID2
And for GUID1: ???
They have to find the right Handle every time.

3-4 - How and where to find information for EventWriteTransfer ???

3-5 - Manipulation of PDB with TMF files
TMF files are not made available to the public by MS.
Only a few examples are available (as I understand it).
Nevertheless, an MS website reports that the pdb file of the driver winusb.sys contains the "TMF" info for the "public" version.
The following tools are available in the SDK (or DDK? but I never loaded the DDK on my PC).

- I download this file winusb.pdb with:
    "c:Program Files (x86)-Windows Kits-10-Debuggers-x64-symchk.exe" c:w10-1903-pro-apply-en-Windows-System32-drivers-winusb.sys -oc .

- To extract the "TMF" info it contains:
    "c:Program Files (x86)-Windows Kits-8.1-bin-x64-tracepdb.exe" -f C:-Users-Noelb-Desktop-ETW-WPP-winusb.pdb

The generated TMF file contains very few different items.
Fortunately, some sites provide a few more items (useful for setting TMF settings).

But for DeviceSetupManager.dll:

    C:-Users-Noelb-Desktop-ETW-WPP"c:Program Files (x86)-Windows Kits-8.1-1-x64-tracepdb.exe" -f C:-Users-Noelb-Desktop-ETW-W-DeviceSetupManager.pdb
    Microsoft (R) TracePDB.Exe (6.3.9600.16384)
    Microsoft Corporation. All rights reserved.
    tracepdb: info BNP0000: WPPFMT No Trace entries found in C:-Users-Noelb-Desktop-ETW-WPP-DeviceSetupManager.pdb"

--->>>> No Trace entries found!

- To produce a TXT file from an ETL capture file and the TMF files built for it:
    "c:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\tracefmt.exe" .\DSMSVC.etl -displayonly
    "c:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\tracefmt.exe" .\DSMSVC.etl

Below, the command and the screen displayed:

    "c:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\tracefmt.exe" .\DSMSVC.etl -p C:\Users\noelb\Desktop\ETW-WPP\
    Setting log file to: C:\Users\noelb\Desktop\ETW-WPP\trace du 30mars\trace\DSMSVC-Trace.etl
    Examining c:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\default.tmf for message formats, 3 found.
    Searching for TMF files on path: C:\Users\noelb\Desktop\ETW-WPP\
    Logfile C:\Users\noelb\Desktop\ETW-WPP\trace du 30mars\trace\DSMSVC-Trace.etl:
        OS version 10.0.18362 (Currently running on 10.0.18362)
        Start Time 2020-03-30-14:02:40.419
        End Time 2020-03-30-14:20:23.077
        Timezone is @tzres.dll,-302 (Bias is -60mins)
        BufferSize 8192 B
        Maximum File Size 0 MB
        Buffers Written 1317
        Logger Mode Settings (0) Logfile Mode is not set
        ProcessorCount 4
    Processing completed Buffers: 1317, Events: 17550, EventsLost: 0 :: Format Errors: 0, Unknowns: 658
    Event traces dumped to FmtFile.txt"

Case of traceview.exe:
    "c:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\traceview.exe"
Too complex for me.

**************************************************************************
Sites

Introducing the components ETL/WPP:
https://www.magicsplat.com/book/event_tracing.html
https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
https://social.msdn.microsoft.com/forums/en-US/a1aa1350-41a0-4490-9ae3-9b4520aeb9d4/faq-common-questions-for-etw-and-windows-event-log

Good explanation of the difference between ETW and WPP:
https://docs.microsoft.com/en-us/windows/win32/etw/event-tracing-portal
https://docs.microsoft.com/en-us/windows/win32/tracelogging/trace-logging-portal
https://docs.microsoft.com/fr-fr/windows-hardware/drivers/devtest/wpp-software-tracing
http://download.microsoft.com/download/5/d/6/5d6eaf2b-7ddf-476b-93dc-7cf0072878e6/WPP_Intro.doc

Using TMF:
https://posts.specterops.io/data-source-analysis-and-dynamic-windows-re-using-wpp-and-tracelogging-e465f8b653f7

TMF format:
https://github.com/antoxar/WPPTracingSample/blob/master/sample/WppTracing/default.tmf
https://gist.github.com/mattifestation/4bc43dfbd46429ec18ce60a2ea1bcf3c

Parameter: messageflags ????????????? valid for W10 ??????????????????
http://www.geoffchappell.com/studies/windows/win32/advapi32/api/etw/logapi/message.htm
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/porting-from-setupapi-to-cfgmgr32

To code a service-type program with WPP: very well done!
https://github.com/antoxar/WPPTracingSample/tree/master/sample/CppWindowsService
https://blogs.msdn.microsoft.com/ntdebugging/tag/ivan/
https://kernelpool.blogspot.com/2018/05/add-wpp-tracing-to-kernel-mode-windows.html
https://docs.microsoft.com/fr-fr/archive/blogs/ndis/diagnostics-with-wpp
https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/trace-message-format-file

**************************************************************************
The context of my investigations (build V1903):

The DLL "DeviceSetupManager.dll" of course exports a function "DllMain".
Here's the part about the ETW/WPP registrations.

IDA extract for DeviceSetupManager.dll:

; BOOL __stdcall DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
    call    TraceLoggingRegisterEx              ; -->> GUID1
    call    WPP_INIT_CONTROL_ARRAY
    lea     rax, WPP_MAIN_CB
    lea     rcx, WPP_ThisDir_CTLGUID_DSM
    mov     cs:WPP_GLOBAL_Control, rax
    mov     cs:WPP_REGISTRATION_GUIDS, rcx
    call    WppInitUm                           ; -->> GUID2
    mov     rcx, cs:WPP_GLOBAL_Control
    lea     rax, WPP_GLOBAL_Control
    cmp     rcx, rax
    jz      short loc_1800113FB
    test    byte ptr [rcx+1Ch], 1
    jz      short loc_1800113FB
    mov     rcx, [rcx+10h]
    lea     r8, WPP_db891b733ce035474320725818ee3f1d_Traceguids
    mov     edx, 0Ah
    call    WPP_SF_
loc_1800113FB:                                  ; hLibModule
    mov     rcx, rbx
    call    cs:__imp_DisableThreadLibraryCalls
    call    McGenEventRegister                  ; -->> GUID3 EventRegister FCBB06BB-6A2A-46E3-ABAA-246CB4E508B2 &McGenControlCallbackV2
    test    cs:Microsoft_Windows_DeviceSetupManagerEnableBits, 2
    jz      short loc_180011489
    lea     rdx, DsmServiceDllLoad              ; "f"
    call    McTemplateU0
    jmp     short loc_180011489

With these details for the functions called:

TraceLoggingRegisterEx :
    call    cs:__imp_EventRegister ("AB11A476-79F6-5026-547D-2E989E539A2D", &_TlgEnableCallback , ...)   -->> GUID1
    00007ff9`d4043c4d 0f1040f0 movups xmm0,xmmword ptr [rax-10h]
    (dq ds:00007ff9`d4070230 -> 2d9a539e9b2e547d502679f6ab11a476)
This "guid" is read with Windbg.

WPP_INIT_CONTROL_ARRAY :
    xor     eax, eax
    mov     cs:qword_180039D78, 1               ; -----------
    mov     cs:qword_180039D70, rax             ; -------> 0
    mov     cs:WPP_MAIN_CB, rax                 ; -------> 0 -> data:0000000180039D60 WPP_MAIN_CB dq ?
    retn

call WppInitUm:
    call    cs:__imp_RegisterTraceGuidsW ( *WPP_ThisDir_CTLGUID_DSM , &WppControlCallback, ...)   -->> GUID2

McGenEventRegister proc near
    sub     rsp, 28h
    xor     eax, eax                            ; -> 0
    cmp     cs:MICROSOFT_WINDOWS_DEVICESETUPMANAGER_Context, rax
    jnz     short loc_18000FF1D
    lea     r8, MICROSOFT_WINDOWS_DEVICESETUPMANAGER_Context   ; -> &MICROSOFT_WINDOWS_DEVICESETUPMANAGER_Context
    mov     r9, r8                              ; -> 0
    lea     rdx, McGenControlCallbackV2
    lea     rcx, MICROSOFT_WINDOWS_DEVICESETUPMANAGER          ; ---> GUID3
    call    cs:__imp_EventRegister              ; EventRegister &GUID3, &McGenControlCallbackV2, &MICROSOFT_WINDOWS_DEVICESETUPMANAGER_Context , &MICROSOFT_WINDOWS_DEVICESETUPMANAGER_Context
loc_18000FF1D:
    add     rsp, 28h
    retn
McGenEventRegister endp

The 3 GUIDs in binary format: converting them to strings needs some work.

GUID1:
.rdata:0000000180030230 db 76h ; v
.rdata:0000000180030231 db 0A4h ; ¤
.rdata:0000000180030232 db 11h
.rdata:0000000180030233 db 0ABh ; «
.rdata:0000000180030234 db 0F6h ; ö
.rdata:0000000180030235 db 79h ; y
.rdata:0000000180030236 db 26h ; &
.rdata:0000000180030237 db 50h ; P
.rdata:0000000180030238 db 7Dh ; } --- do not reverse with the following byte: why?
.rdata:0000000180030239 db 54h ; T --- ?
.rdata:000000018003023A db 2Eh ; .
.rdata:000000018003023B db 9Bh ; ›
.rdata:000000018003023C db 9Eh ; ž
.rdata:000000018003023D db 53h ; S
.rdata:000000018003023E db 9Ah ; š
.rdata:000000018003023F db 2Dh ; -

GUID2:
.rdata:0000000180030998 WPP_ThisDir_CTLGUID_DSM db 9 ; DATA XREF: DllMain+2B↑o
.rdata:0000000180030999 db 3Fh ; ?
.rdata:000000018003099A db 0D7h ; ×
.rdata:000000018003099B db 6Ch ; l
.rdata:000000018003099C db 0F7h ; ÷
.rdata:000000018003099D db 0D1h ; Ñ
.rdata:000000018003099E db 0A2h ; ¢
.rdata:000000018003099F db 47h ; G
.rdata:00000001800309A0 db 9Dh --- do not reverse with the following byte: why?
.rdata:00000001800309A1 db 8Bh ; ‹ --- ?
.rdata:00000001800309A2 db 0C9h ; É
.rdata:00000001800309A3 db 0CCh ; Ì
.rdata:00000001800309A4 db 0C8h ; È
.rdata:00000001800309A5 db 0D6h ; Ö
.rdata:00000001800309A6 db 0F2h ; ò
.rdata:00000001800309A7 db 7Eh ; ~

GUID3: FCBB06BB-6A2A-46E3-ABAA-246CB4E508B2
.rdata:000000018002BBD8 MICROSOFT_WINDOWS_DEVICESETUPMANAGER db 0BBh ; »
.rdata:000000018002BBD8 ; DATA XREF: McGenEventRegister+20↑o
.rdata:000000018002BBD9 db 6
.rdata:000000018002BBDA db 0BBh ; »
.rdata:000000018002BBDB db 0FCh ; ü
.rdata:000000018002BBDC db 2Ah ; *
.rdata:000000018002BBDD db 6Ah ; j
.rdata:000000018002BBDE db 0E3h ; ã
.rdata:000000018002BBDF db 46h ; F
.rdata:000000018002BBE0 db 0ABh ; «
.rdata:000000018002BBE1 db 0AAh ; ª
.rdata:000000018002BBE2 db 24h ; $
.rdata:000000018002BBE3 db 6Ch ; l
.rdata:000000018002BBE4 db 0B4h ; ´
.rdata:000000018002BBE5 db 0E5h ; å
.rdata:000000018002BBE6 db 8
.rdata:000000018002BBE7 db 0B2h ; ²

WPP_SF_ proc near
var_18= qword ptr -18h
    sub     rsp, 38h
    and     [rsp+38h+var_18], 0
    movzx   r9d, dx                             ; MessageNumber
    mov     edx, 2Bh                            ; MessageFlags
    call    cs:__imp_TraceMessage
    add     rsp, 38h
    retn
WPP_SF_ endp

MessageFlags :

    Value        Name                                  Meaning
    0x00000001   TRACE_MESSAGE_SEQUENCE                include sequence number as event-specific data
    0x00000002   TRACE_MESSAGE_GUID                    include GUID as event-specific data
    0x00000004   TRACE_MESSAGE_COMPONENTID             include component ID as event-specific data
    0x00000008   TRACE_MESSAGE_TIMESTAMP               include time stamp as event-specific data
    0x00000010   TRACE_MESSAGE_PERFORMANCE_TIMESTAMP   use performance counter for time stamp
    0x00000020   TRACE_MESSAGE_SYSTEMINFO              include thread and process IDs as event-specific data

So, 2bh = ....
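
Added example (not part of the original notes): a Python sketch that converts the three 16-byte IDA dumps above, and the Windbg xmm0 value, into GUID strings, and decodes the MessageFlags value 2Bh with the table above. It shows why the 9th and 10th bytes are not swapped: a GUID is a DWORD, two WORDs and an 8-byte array, and only the three integer fields are stored little-endian. The function names are hypothetical.

```python
import re
import struct

# Byte values copied from the IDA `db` rows on this page, in address order.
IDA_DUMPS = {
    "GUID1": "76h 0A4h 11h 0ABh 0F6h 79h 26h 50h 7Dh 54h 2Eh 9Bh 9Eh 53h 9Ah 2Dh",
    "GUID2": "9 3Fh 0D7h 6Ch 0F7h 0D1h 0A2h 47h 9Dh 8Bh 0C9h 0CCh 0C8h 0D6h 0F2h 7Eh",
    "GUID3": "0BBh 6 0BBh 0FCh 2Ah 6Ah 0E3h 46h 0ABh 0AAh 24h 6Ch 0B4h 0E5h 8 0B2h",
}

# TraceMessage MessageFlags bits, from the table on this page.
MESSAGE_FLAGS = {
    0x01: "TRACE_MESSAGE_SEQUENCE",
    0x02: "TRACE_MESSAGE_GUID",
    0x04: "TRACE_MESSAGE_COMPONENTID",
    0x08: "TRACE_MESSAGE_TIMESTAMP",
    0x10: "TRACE_MESSAGE_PERFORMANCE_TIMESTAMP",
    0x20: "TRACE_MESSAGE_SYSTEMINFO",
}

def ida_bytes(tokens: str) -> bytes:
    """Turn IDA byte literals ('0A4h', '9') into raw bytes."""
    out = []
    for tok in tokens.split():
        m = re.fullmatch(r"([0-9A-Fa-f]+)h", tok)
        # IDA prints values below 0Ah without the 'h' suffix (decimal == hex).
        out.append(int(m.group(1), 16) if m else int(tok, 10))
    return bytes(out)

def guid_from_memory(raw: bytes) -> str:
    """Format 16 in-memory bytes as a GUID string."""
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    # Data1/Data2/Data3 are little-endian integers; Data4 is a plain byte
    # array, so its bytes print in memory order (no swap of bytes 8 and 9).
    d1, d2, d3, d4 = struct.unpack("<IHH8s", raw)
    return (f"{d1:08X}-{d2:04X}-{d3:04X}-"
            f"{d4[:2].hex().upper()}-{d4[2:].hex().upper()}")

def guid_from_windbg_oword(hex_value: str) -> str:
    """Same, for 16 bytes printed as one 128-bit number (e.g. xmm0)."""
    return guid_from_memory(bytes.fromhex(hex_value)[::-1])

def decode_message_flags(value: int) -> list:
    """List the flag names set in a TraceMessage MessageFlags value."""
    unknown = value & ~sum(MESSAGE_FLAGS)
    if unknown:
        raise ValueError(f"unknown flag bits: {unknown:#x}")
    return [name for bit, name in sorted(MESSAGE_FLAGS.items()) if value & bit]

if __name__ == "__main__":
    for label, dump in IDA_DUMPS.items():
        print(label, guid_from_memory(ida_bytes(dump)))
    print("xmm0 ", guid_from_windbg_oword("2d9a539e9b2e547d502679f6ab11a476"))
    print("0x2B ", " | ".join(decode_message_flags(0x2B)))
```

For GUID1, the byte dump and the Windbg value both decode to a last group of 2E9B9E539A2D, where the strings written earlier in these notes have 2E98...; the dump is the value to check against.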

McTemplateU0 proc near
var_38= qword ptr -38h
var_28= byte ptr -28h
var_18= qword ptr -18h
    sub     rsp, 58h
    mov     rax, cs:__security_cookie
    xor     rax, rsp
    mov     [rsp+58h+var_18], rax
    lea     rax, [rsp+58h+var_28]
    mov     r9d, 1
    lea     rcx, MICROSOFT_WINDOWS_DEVICESETUPMANAGER_Context
    mov     [rsp+58h+var_38], rax
    call    McGenEventWrite
    mov     rcx, [rsp+58h+var_18]
    xor     rcx, rsp                            ; StackCookie
    call    __security_check_cookie
    add     rsp, 58h
    retn
McTemplateU0 endp

McGenEventWrite proc near
var_18= dword ptr -18h
var_10= qword ptr -10h
arg_20= qword ptr 28h
    sub     rsp, 38h
    mov     r10, [rcx+8]
    xor     eax, eax
    mov     r8, [rsp+38h+arg_20]
    mov     r11d, r9d
    test    r10, r10
    jnz     loc_180014D9E
    mov     [r8], rax
    mov     r9d, eax
    jmp     loc_180005B1D
loc_180014D9E:
    mov     [r8], r10
    mov     eax, 2
    movzx   r9d, word ptr [r10]
    jmp     loc_180005B1D
loc_180005B1D:
    mov     [r8+8], r9d
    xor     r9d, r9d
    mov     [r8+0Ch], eax
    mov     rcx, [rcx]
    mov     [rsp+38h+var_10], r8
    xor     r8d, r8d
    mov     [rsp+38h+var_18], r11d
    call    cs:__imp_EventWriteTransfer
    add     rsp, 38h
    retn
McGenEventWrite endp

-------------------------------------------------------------------
.text:0000000180003C14 TraceLoggingRegisterEx proc near ; CODE XREF: DllMain+1A↓p
.text:0000000180003C14 ; DATA XREF: .rdata:0000000180032248↓o ...
.text:0000000180003C14
.text:0000000180003C14 var_28 = xmmword ptr -28h
.text:0000000180003C14 var_18 = qword ptr -18h
.text:0000000180003C14
.text:0000000180003C14 ; FUNCTION CHUNK AT .text:0000000180013CF2 SIZE 00000014 BYTES
.text:0000000180003C14
.text:0000000180003C14 push rbx
.text:0000000180003C16 sub rsp, 40h
.text:0000000180003C1A mov rax, cs:__security_cookie
.text:0000000180003C21 xor rax, rsp
.text:0000000180003C24 mov [rsp+48h+var_18], rax
.text:0000000180003C29 mov rax, cs:ptr_EventInformation_off_180039060
.text:0000000180003C30 lea r9, REGHANDLE_qword_180039078
.text:0000000180003C37 xorps xmm1, xmm1
.text:0000000180003C3A lea r8, CallBackContext_dword_180039058
.text:0000000180003C41 lea rdx, _TlgEnableCallback
.text:0000000180003C48 lea rcx, [rsp+48h+var_28]
.text:0000000180003C4D movups xmm0, xmmword ptr [rax-10h]
.text:0000000180003C51 movdqu cs:xmmword_180039080, xmm1 ; 0
.text:0000000180003C59 movdqu [rsp+48h+var_28], xmm0 ; 2d9a539e9b2e547d502679f6ab11a476
.text:0000000180003C5F call cs:__imp_EventRegister
.text:0000000180003C65 mov ebx, eax
.text:0000000180003C67 test eax, eax
.text:0000000180003C69 jnz loc_180013CF2
.text:0000000180003C6F mov r8, cs:ptr_EventInformation_off_180039060
.text:0000000180003C76 lea edx, [rax+2] ; Event_Info_CLASS = 2 EventProviderSetTraits
.text:0000000180003C79 mov rcx, cs:REGHANDLE_qword_180039078
.text:0000000180003C80 movzx r9d, word ptr [r8] ; length of the EventInformation buffer
.text:0000000180003C84 call cs:__imp_EventSetInformation
.text:0000000180003C8A
.text:0000000180003C8A loc_180003C8A: ; CODE XREF: TraceLoggingRegisterEx:loc_180013CF2↓j
.text:0000000180003C8A ; TraceLoggingRegisterEx+100ED↓j
.text:0000000180003C8A mov eax, ebx
.text:0000000180003C8C mov rcx, [rsp+48h+var_18]
.text:0000000180003C91 xor rcx, rsp ; StackCookie
.text:0000000180003C94 call __security_check_cookie
.text:0000000180003C99 add rsp, 40h
.text:0000000180003C9D pop rbx
.text:0000000180003C9E retn
.text:0000000180003C9E TraceLoggingRegisterEx endp

--------------------------------------------------------------------
.text:000000018000FA6C WppInitUm proc near ; CODE XREF: DllMain+40↓p
.text:000000018000FA6C ; DATA XREF: .pdata:000000018003BE7C↓o
.text:000000018000FA6C
.text:000000018000FA6C TraceGuidReg = qword ptr -38h
.text:000000018000FA6C var_30 = qword ptr -30h
.text:000000018000FA6C var_28 = qword ptr -28h
.text:000000018000FA6C RegistrationHandle= qword ptr -20h
.text:000000018000FA6C var_18 = _TRACE_GUID_REGISTRATION ptr -18h
.text:000000018000FA6C arg_0 = qword ptr 8
.text:000000018000FA6C
.text:000000018000FA6C mov [rsp+arg_0], rbx
.text:000000018000FA71 push rdi
.text:000000018000FA72 sub rsp, 50h
.text:000000018000FA76 mov rbx, cs:WPP_GLOBAL_Control
.text:000000018000FA7D lea rdi, WPP_REGISTRATION_GUIDS
.text:000000018000FA84
.text:000000018000FA84 loc_18000FA84: ; CODE XREF: WppInitUm+76↓j
.text:000000018000FA84 test rbx, rbx
.text:000000018000FA87 jnz short loc_18000FA94
.text:000000018000FA89 mov rbx, [rsp+58h+arg_0]
.text:000000018000FA8E add rsp, 50h
.text:000000018000FA92 pop rdi
.text:000000018000FA93 retn
.text:000000018000FA94 ; ---------------------------------------------------------------------------
.text:000000018000FA94
.text:000000018000FA94 loc_18000FA94: ; CODE XREF: WppInitUm+1B↑j
.text:000000018000FA94 mov r8, [rdi] ; ControlGuid
.text:000000018000FA97 lea rax, [rbx+8]
.text:000000018000FA9B and [rsp+58h+var_18.RegHandle], 0
.text:000000018000FAA1 lea rcx, WppControlCallback ; RequestAddress
.text:000000018000FAA8 mov [rsp+58h+RegistrationHandle], rax ; RegistrationHandle
.text:000000018000FAAD lea rdi, [rdi+8]
.text:000000018000FAB1 and [rsp+58h+var_28], 0
.text:000000018000FAB7 lea rax, [rsp+58h+var_18]
.text:000000018000FABC and [rsp+58h+var_30], 0
.text:000000018000FAC2 mov r9d, 1 ; GuidCount
.text:000000018000FAC8 mov [rsp+58h+var_18.Guid], r8
.text:000000018000FACD mov rdx, rbx ; RequestContext
.text:000000018000FAD0 mov [rsp+58h+TraceGuidReg], rax ; TraceGuidReg
.text:000000018000FAD5 mov [rbx+20h], r8
.text:000000018000FAD9 call cs:__imp_RegisterTraceGuidsW
.text:000000018000FADF mov rbx, [rbx]
.text:000000018000FAE2 jmp short loc_18000FA84
.text:000000018000FAE2 WppInitUm endp