pcel - Parse OS Event Log (pcel.exe)

Syntax

pcel [<filename>][<logfile>]

Options

-f <filename> This argument specifies the input binary OS Event Log image file.

Description

pcel is an x86 executable that parses an OS Event Log image. The OS Event Log is implemented as a circular log: when the log is full, the oldest entry is overwritten by the next new entry, so an image only ever holds the most recent events and anything older has already been lost by the time the image is captured.

The command name is pcel, corresponding to the executable file pcel.exe. The tool validates and parses the contents of the OS Event Log and writes the plain-text result to standard output. Log entries are displayed in reverse chronological order, with the most recently logged OS event first.

A reported log entry has several fields. Consider the following example output line and the fields it reports. Note that some adjacent fields are printed joined without a separator: fields 3 and 4 appear as U2, fields 6 and 7 as e., and fields 8 and 9 as 1-003.

001 7779825 U2 15 e. 1-003 00000068 00000069 0000006a 0000006b En functionCallWithFourArgs @ line 666

Field   Example                    Description
1       001                        Log session. This may increment across OS restarts: in some cases the OS Event Log persists across a normal OS restart, and this field differentiates the booted log sessions.
2       7779825                    Timestamp, in microseconds since system startup.
3       U                          U indicates the entry was submitted from usermode, K that it was submitted from kernelmode. Entries logged in kernelmode use an internal set of event categories whose definitions are not provided to SDK users.
4       2                          ID of the CPU core on which the code that submitted the entry was executing.
5       15                         Process ID of the code that submitted the entry.
6       e                          e indicates that interrupts were enabled in the calling context when the entry was submitted; '.' indicates that they were not.
7       .                          p indicates that interrupts were pending in the calling context when the entry was submitted; '.' indicates that they were not.
8       1                          Level of the logged event.
9       003                        Category of the logged event.
10-13   00000068 00000069          Arbitrary word arguments passed when the entry was submitted. These fields are optional and are absent for some entries; only the OSLogArgs and OSLogFunc OS Log APIs can submit arguments.
        0000006a 0000006b
14      En                         En indicates function entry and Ex indicates function exit. This output is driven by the log options OS_LOG_DATA_OPT_FUNC_ENTER_MASK and OS_LOG_DATA_OPT_FUNC_EXIT_MASK.
15      functionCallWithFourArgs   When the OSLogFunc OS Log API is used, the name of the function that submitted the entry.
16      @ line 666                 When the OSLogFunc OS Log API is used, the source file line number of the submitting call.
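The following parser is an added example, not part of the pcel SDK or of this page. It turns the plain-text lines pcel writes to standard output into structured records following the field table above (including the joined U2, e. and 1-003 fields and the optional argument, En/Ex and "func @ line N" parts), and checks the one invariant the page states, that entries are printed newest first, so that a mis-merged or truncated dump shows up before anyone reasons about the timeline. The sample lines are constructed for illustration, not a real capture; the record field names are this example's own.

```python
"""Parse the plain-text lines that pcel writes to standard output.

Added example, not part of the pcel SDK page: the line layout follows the
field table above (fields 3-4, 6-7 and 8-9 are printed joined, as U2, e.
and 1-003). Sample lines are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One pcel output line. Arguments, the En/Ex marker and "func @ line N"
# are optional, as the field table says.
LINE_RE = re.compile(
    r"^(?P<session>\d+)\s+"
    r"(?P<ts>\d+)\s+"
    r"(?P<mode>[UK])(?P<core>\d+)\s+"
    r"(?P<pid>\d+)\s+"
    r"(?P<irq_en>[e.])(?P<irq_pend>[p.])\s+"
    r"(?P<level>\d+)-(?P<category>\d+)"
    r"(?P<args>(?:\s+[0-9a-fA-F]{8}){0,4})"
    r"(?:\s+(?P<dir>En|Ex))?"
    r"(?:\s+(?P<func>\S+)\s+@\s+line\s+(?P<line>\d+))?"
    r"\s*$"
)


@dataclass
class LogEntry:
    session: int
    timestamp_us: int
    mode: str                  # "U" usermode, "K" kernelmode
    core: int
    pid: int
    interrupts_enabled: bool
    interrupts_pending: bool
    level: int
    category: int
    args: List[int]
    direction: Optional[str]   # "En", "Ex" or None
    function: Optional[str]
    line: Optional[int]


def parse_line(text: str) -> LogEntry:
    m = LINE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised pcel line: {text!r}")
    return LogEntry(
        session=int(m["session"]),
        timestamp_us=int(m["ts"]),
        mode=m["mode"],
        core=int(m["core"]),
        pid=int(m["pid"]),
        interrupts_enabled=m["irq_en"] == "e",
        interrupts_pending=m["irq_pend"] == "p",
        level=int(m["level"]),
        category=int(m["category"]),
        args=[int(a, 16) for a in m["args"].split()],
        direction=m["dir"],
        function=m["func"],
        line=int(m["line"]) if m["line"] else None,
    )


def parse_log(text: str) -> List[LogEntry]:
    """Parse every non-blank line of a pcel dump, in the order printed (newest first)."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def order_violations(entries: List[LogEntry]) -> List[Tuple[int, int, int]]:
    """pcel prints newest first, so within one session the timestamp must
    never increase from one line to the next. Returns (index, previous_ts,
    ts) for each line that breaks this. The timestamp restarts with each
    boot session, so lines from different sessions are not compared."""
    bad = []
    for i in range(1, len(entries)):
        prev, cur = entries[i - 1], entries[i]
        if cur.session == prev.session and cur.timestamp_us > prev.timestamp_us:
            bad.append((i, prev.timestamp_us, cur.timestamp_us))
    return bad


# Constructed sample of pcel output (not a real capture): two boot
# sessions, a kernelmode entry without arguments, and entries with and
# without the OSLogFunc name/line suffix.
SAMPLE_OUTPUT = """\
002 7779825 U2 15 e. 1-003 00000068 00000069 0000006a 0000006b En functionCallWithFourArgs @ line 666
002 7779801 U2 15 e. 1-003 00000068 00000069 0000006a 0000006b Ex functionCallWithFourArgs @ line 670
002 7779700 K0 0 .p 2-017
002 7778000 U1 15 ep 1-003 0000002a
001 9123456 U0 7 e. 1-003 En functionCallWithFourArgs @ line 666
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_OUTPUT)
    for idx, prev_ts, ts in order_violations(entries):
        print(f"line {idx + 1}: timestamp {ts} follows {prev_ts}, not reverse chronological")
    # Replay oldest first, which is usually how an investigator wants to read it.
    for e in reversed(entries):
        args = " ".join(f"{a:08x}" for a in e.args)
        print(f"s{e.session} {e.timestamp_us:>10} us {e.mode}{e.core} pid={e.pid} "
              f"lvl={e.level} cat={e.category:03d} {args} {e.direction or ''} {e.function or ''}")
```

Kernelmode entries parse like any other, but their category numbers come from the internal set the page says is not documented for SDK users, so treat them as opaque identifiers rather than mapping them onto usermode categories.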

Examples

The following example parses an OS Event Log image file with pcel and redirects the standard-output listing to log.txt.

pcel OSEventLog.bin > log.txt

See Also

System Logging Overview

Revision History

2014/10/02 Fixes for table heading and links etc.
2014/10/02 Placed topic in canonical API format.
2013/05/08 Automated cleanup pass.
2012/07/18 Initial version.


CONFIDENTIAL