Introduction
This page will cover various tools used to interact with ETW.
Logman
Logman is a native Windows command-line tool that acts as an ETW controller: it creates, starts, queries and stops tracing sessions.
Creating Tracing Sessions
PS> logman create trace TESTING -o C:\Users\WinDev\Desktop\Output.etl -p Microsoft-Windows-Kernel-Process -ets
Adding the -ets option sends the command directly to the tracing session (an Event Trace Session) without saving or scheduling it as a Data Collector Set for future use.
Inspecting Trace Files
Once the trace session has written its .etl file, the file can be opened in Event Viewer.
Go to File -> Open Saved Log -> Select "Yes"
Here are the events:
Clicking on an event allows you to view its details.
Stopping Tracing Session
PS> logman stop TESTING -ets
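The create / capture / stop procedure above, driven from PowerShell and followed by a summary of the resulting .etl without opening Event Viewer. This is an added example, not code from the original page; the session name, output path, provider, keyword mask, level and capture duration are placeholder parameters, and the script assumes an elevated PowerShell on Windows.

```powershell
# Added example: run a short logman -ets capture and summarise the .etl.
# Parameters are placeholders; the keyword mask and level follow the
# "-p provider [flags [level]]" syntax that "logman query providers <name>"
# output (keyword and level tables) is used to fill in.
param(
    [string]$SessionName = 'TESTING',
    [string]$OutputFile  = "$env:USERPROFILE\Desktop\Output.etl",
    [string]$Provider    = 'Microsoft-Windows-Kernel-Process',
    [string]$Keywords    = '0xFFFFFFFFFFFFFFFF',   # all keywords of the provider
    [string]$Level       = '0x4',                  # win:Informational, as in the page's level table
    [int]$Seconds        = 30
)

# -ets talks to the live session directly; nothing is saved as a Data Collector Set.
logman create trace $SessionName -o $OutputFile -p $Provider $Keywords $Level -ets | Out-Null
if ($LASTEXITCODE -ne 0) { throw "logman create failed with exit code $LASTEXITCODE" }

try {
    Write-Host "Session '$SessionName' running; capturing for $Seconds seconds..."
    Start-Sleep -Seconds $Seconds
}
finally {
    # Always stop the session: an orphaned -ets session keeps writing to disk.
    logman stop $SessionName -ets | Out-Null
}

# Get-WinEvent can read .etl files directly; -Oldest is mandatory for ETL input.
$events = Get-WinEvent -Path $OutputFile -Oldest -ErrorAction Stop

# What was captured: event count per provider/event ID, most frequent first.
$events |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# The last few events with their rendered message, the same detail Event
# Viewer shows when an event is clicked.
$events | Select-Object -Last 5 TimeCreated, Id, ProviderName, Message | Format-List
```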
Query ETW Providers
C:\Windows\system32>logman query providers
Provider GUID
-------------------------------------------------------------------------------
ACPI Driver Trace Provider {DAB01D4D-2D48-477D-B1C3-DAAD0CE6F06B}
Active Directory Domain Services: SAM {8E598056-8993-11D2-819E-0000F875A064}
Active Directory: Kerberos Client {BBA3ADD2-C229-4CDB-AE2B-57EB6966B0C4}
Active Directory: NetLogon {F33959B4-DBEC-11D2-895B-00C04F79AB69}
ADODB.1 {04C8A86F-3369-12F8-4769-24E484A9E725}
ADOMD.1 {7EA56435-3F2F-3F63-A829-F0B35B5CAD41}
Application Popup {47BFA2B7-BD54-4FAC-B70B-29021084CA8F}
Application-Addon-Event-Provider {A83FA99F-C356-4DED-9FD6-5A5EB8546D68}
ATA Port Driver Tracing Provider {D08BD885-501E-489A-BAC6-B7D24BFE6BBF}
C:\Windows\system32>logman query providers Microsoft-Antimalware-Engine
Provider GUID
-------------------------------------------------------------------------------
Microsoft-Antimalware-Engine {0A002690-3839-4E3A-B3B6-96D8DF868D99}
Value Keyword Description
-------------------------------------------------------------------------------
0x0000000000000001 SenseRemediation
0x0000000000000002 UefiFirmware
0x0000000000000004 TCGLogs
0x0000000000000008 SenseHeartbeat
0x0000000000000010 BmFileOverwrite
0x0000000000000020 SenseOnboardingInfo
0x0000040000000000 StartRundown
0x0000080000000000 EndRundown
Value Level Description
-------------------------------------------------------------------------------
0x04 win:Informational Information
PID Image
-------------------------------------------------------------------------------
Query Running Tracing Sessions
C:\Windows\system32>logman query -ets
Data Collector Set Type Status
-------------------------------------------------------------------------------
Circular Kernel Context Logger Trace Running
Eventlog-Security Trace Running
DiagLog Trace Running
Diagtrack-Listener Trace Running
EventLog-Application Trace Running
EventLog-System Trace Running
LwtNetLog Trace Running
Microsoft-Windows-Rdp-Graphics-RdpIdd-Trace Trace Running
NetCore Trace Running
NtfsLog Trace Running
RadioMgr Trace Running
UBPM Trace Running
WdiContextLog Trace Running
WiFiSession Trace Running
UserNotPresentTraceSession Trace Running
CldFltLog Trace Running
SgrmEtwSession Trace Running
ScreenOnPowerStudyTraceSession Trace Running
MpWppTracing-20240306-170459-00000003-ffffffff Trace Running
MSDTC_TRACE_SESSION Trace Running
SHS-03062024-170520-7-7f Trace Running
Cloud Files Diagnostic Event Listener Trace Running
MALDEV_ETW_SESSION Trace Running
C:\Windows\system32>logman query RadioMgr -ets
ETW Explorer
ETWExplorer is an open-source tool that offers a GUI ETW controller.
DotNetEtwConsumer
The DotNetEtwConsumer tool is an ETW consumer that subscribes to the Microsoft-Windows-DotNETRuntime ETW provider, whose GUID is {E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}.
The tool makes use of the following WinAPIs:
Reference