1. Install WinDbg inside the guest. You will need to generate symbol files from the guest since this is the Windows version you will be hooking vprobes to.

2. Create a local or remote symbol server per Debugging Applications for Microsoft .NET and Microsoft Windows Part I, Chapter 2 and run the following command from the WinDbg folder:

cscript ossyms2.0.js \\symbols\path

This will take some time to complete and you should end up with a couple gigs of modules and their PDBs.

3. Run WinDbg in local kernel debugging mode on the guest and issue the following command, replacing <modulename> with an actual module name:

x <modulename>!*

4. Save the output from WinDbg: Edit > Write Window Text to File

5. Place the saved file in the guest datastore directory.

6. Stop the guest.

7. Edit the VMX file to include

vprobe.enable = "TRUE"
vprobe.guestSyms = "symbolFile.TXT"

8. Start the guest.

9. Issue the vprobeListProbes command to view your imported events.

The attached probes.txt file contains all my events with the NT module imported. nt.txt is the file I am importing with vprobe.guestSyms. I am not sure if this will be a problem but the event names look like:

GUEST:t!MiShutdownSystem*

instead of

GUEST:nt!MiShutdownSystem*

Any insight on this?

UPDATE FROM VMWARE:

This looks like an issue with our internal parsing logic for windbg-style symbol text files. Try adding a "0`" (w/o the double quotes) to each of the lines and you should see the full, intact probe names.

I will check this out and post my results...