ETW Tools

Introduction

This page will cover various tools used to interact with ETW.

Logman

Logman is a native command-line tool for Windows. It is an ETW controller.

Creating Tracing Sessions

PS> logman create trace TESTING -o C:\Users\WinDev\Desktop\Output.etl -p Microsoft-Windows-Kernel-Process -ets

Adding the -ets option to the command will send commands directly to the tracing session without saving or scheduling the session for future use

\

Inspecting Trace Files

Once the trace file session is created, it can be viewed in Event Viewer.

Goto -> File -> Open Saved Log -> Select "Yes"

Here are the events

Clicking on an event allow you to view the details

Stopping Tracing Session

PS> werlogman TESTING stop -ets

Querying Information

Query ETW Providers

C:\Windows\system32>logman query providers

Provider                                 GUID
-------------------------------------------------------------------------------
ACPI Driver Trace Provider               {DAB01D4D-2D48-477D-B1C3-DAAD0CE6F06B}
Active Directory Domain Services: SAM    {8E598056-8993-11D2-819E-0000F875A064}
Active Directory: Kerberos Client        {BBA3ADD2-C229-4CDB-AE2B-57EB6966B0C4}
Active Directory: NetLogon               {F33959B4-DBEC-11D2-895B-00C04F79AB69}
ADODB.1                                  {04C8A86F-3369-12F8-4769-24E484A9E725}
ADOMD.1                                  {7EA56435-3F2F-3F63-A829-F0B35B5CAD41}
Application Popup                        {47BFA2B7-BD54-4FAC-B70B-29021084CA8F}
Application-Addon-Event-Provider         {A83FA99F-C356-4DED-9FD6-5A5EB8546D68}
ATA Port Driver Tracing Provider         {D08BD885-501E-489A-BAC6-B7D24BFE6BBF}

Query Information about an ETW Provider

C:\Windows\system32>logman query providers Microsoft-Antimalware-Engine

Provider                                 GUID
-------------------------------------------------------------------------------
Microsoft-Antimalware-Engine             {0A002690-3839-4E3A-B3B6-96D8DF868D99}

Value               Keyword              Description
-------------------------------------------------------------------------------
0x0000000000000001  SenseRemediation
0x0000000000000002  UefiFirmware
0x0000000000000004  TCGLogs
0x0000000000000008  SenseHeartbeat
0x0000000000000010  BmFileOverwrite
0x0000000000000020  SenseOnboardingInfo
0x0000040000000000  StartRundown
0x0000080000000000  EndRundown

Value               Level                Description
-------------------------------------------------------------------------------
0x04                win:Informational    Information

PID                 Image
-------------------------------------------------------------------------------

Query Running Tracing Sessions

C:\Windows\system32>logman query -ets

Data Collector Set                      Type                          Status
-------------------------------------------------------------------------------
Circular Kernel Context Logger          Trace                         Running
Eventlog-Security                       Trace                         Running
DiagLog                                 Trace                         Running
Diagtrack-Listener                      Trace                         Running
EventLog-Application                    Trace                         Running
EventLog-System                         Trace                         Running
LwtNetLog                               Trace                         Running
Microsoft-Windows-Rdp-Graphics-RdpIdd-Trace Trace                         Running
NetCore                                 Trace                         Running
NtfsLog                                 Trace                         Running
RadioMgr                                Trace                         Running
UBPM                                    Trace                         Running
WdiContextLog                           Trace                         Running
WiFiSession                             Trace                         Running
UserNotPresentTraceSession              Trace                         Running
CldFltLog                               Trace                         Running
SgrmEtwSession                          Trace                         Running
ScreenOnPowerStudyTraceSession          Trace                         Running
MpWppTracing-20240306-170459-00000003-ffffffff Trace                         Running
MSDTC_TRACE_SESSION                     Trace                         Running
SHS-03062024-170520-7-7f                Trace                         Running
Cloud Files Diagnostic Event Listener   Trace                         Running
MALDEV_ETW_SESSION                      Trace                         Running

Query Information about a Tracing Sessions

C:\Windows\system32> logman query RadioMgr -ets

ETW Explorer

ETWExplorer is an open source tool that offers a GUI ETW Controller

LogoGitHub - zodiacon/EtwExplorer: View ETW Provider manifestGitHub

DotNetEtwConsumer

The DotNetEtwConsumer tool is an ETW consumer, that uses Microsoft-Windows-DotNETRuntime ETW provider, which has the {E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4} GUID.

The tool makes use of the following WinAPIs:

  • StartTraceW - Used to start an event tracing session.

  • EnableTraceEx - Used to configure how an ETW event provider logs events to a trace session.

  • OpenTraceW - Opens a handle for consuming events from an ETW real-time trace session.

  • ProcessTrace - Delivers events from the ETW trace session to the ETW consumer.

  • StopTraceW - Used at the end to stop a specified event tracing session. It is equivalent to the logman stop command.

Reference

LogoTampering with Windows Event Tracing: Background, Offense, and DefenseMedium
LogoETW: Event Tracing for Windows 101Red Team Notes
LogoThreat Hunting with ETW events and HELKβ€Šβ€”β€ŠPart 1: Installing SilkETW πŸ„β€β™€πŸ„Open Threat Research
LogoA Begginers All Inclusive Guide to ETW β€” Blake's R&DBlake's R&D
PreviousInteracting with ETWNextEnumeration

Last updated