Is the .etl log generated by the ETW logger in encrypted form?

  • Question

  • How safe is it to send string messages to an ETW session?
    I am planning to send confidential information like function names to an ETW session from my user mode driver.
    Do I need to encrypt the string messages?
    Does the ETW framework have a built-in security mechanism such that the *.etl it saves will have those strings in an unreadable/encrypted format?

    Tuesday, January 6, 2015 12:58 PM


  • The log itself uses indices into a CTL file (which is generated from a PDB file) to get the text of the format strings. So that will be secure, as long as you do not distribute the CTL data. If you print strings to the log using %s or %Z or variants, those will be viewable in a binary dump of the log. ETW is pretty secure if you use it correctly; it is definitely the way to go for data you want to collect but don't necessarily want all users of the binary to see.

    Don Burn, Windows Filesystem and Driver Consulting

    Tuesday, January 6, 2015 1:04 PM
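Added example, not part of this thread or of any Microsoft tooling: a quick dump check in Python that a driver developer can run over a captured .etl to confirm whether strings passed through %s/%Z landed in the file readably, as the answer above warns. It does not parse the ETL container; it only scans for printable ASCII and UTF-16LE runs, and the sample bytes and function names are constructed.

```python
import re
from typing import List

# Constructed stand-in for a fragment of an .etl dump. Proper WPP entries carry
# only GUIDs and format-string indices resolved via the CTL data; the two names
# below simulate what a %s (ASCII) and a wide-string (UTF-16LE) argument leave
# behind verbatim in the file.
SAMPLE_ETL_BYTES = (
    b"\x00\x01\x02\x03\x10\x00\x00\x00"              # header-like noise
    + b"MyDriver!ProcessSecretRequest" + b"\x00" * 6  # ASCII leak
    + "InternalKeyHandler".encode("utf-16-le")        # wide-string leak
    + b"\x00\x00\x7f\x80\x81"
)


def find_plaintext_strings(data: bytes, min_len: int = 8) -> List[str]:
    """Return printable ASCII and UTF-16LE runs of at least min_len characters.

    ASCII runs are reported first, then UTF-16LE runs, each in file order.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def leaked_names(data: bytes, sensitive: List[str]) -> List[str]:
    """Which of the given sensitive names appear readably in the dump."""
    strings = find_plaintext_strings(data)
    return [name for name in sensitive if any(name in s for s in strings)]


def scan_etl_file(path: str, sensitive: List[str]) -> List[str]:
    """Run leaked_names over a real trace file on disk (hypothetical path)."""
    with open(path, "rb") as f:
        return leaked_names(f.read(), sensitive)


if __name__ == "__main__":
    names = ["ProcessSecretRequest", "InternalKeyHandler", "RotateCredentials"]
    for hit in leaked_names(SAMPLE_ETL_BYTES, names):
        print("readable in trace:", hit)
```

A clean result means only that no string of the listed names survived verbatim; format strings resolved through the CTL file are not checked here, so keep that data out of distribution as the answer says.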