ETW discussion

  • Question

  • Hi all,

    I am playing with Event Trace for Windows, ETW, to trace down some kernel events like files, disk IO and network.

    ( https://docs.microsoft.com/en-us/windows/desktop/ETW/event-tracing-portal )

    No problem getting realtime events from userland, but I am trying to achieve reboot persistence and trace events in a global or autologger when userland is running off or not yet up. Badly, I see no trace I want to get in my global logger.

    Anyone here tried to achieve that kind of thing?

    Mrutyunjaya

    Tuesday, August 14, 2018 11:18 AM

All replies

  • I use autologgers all the time. Post your command that you use to enable the autologger

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Tuesday, August 14, 2018 6:09 PM
    Moderator
  • I use the registry to configure the auto-logger session. Could you please post the command you are using to enable the auto-logger.

    -Mrutyunjaya

    Tuesday, August 14, 2018 7:06 PM
  • tracelog -addautologger USBFilter -sessionguid #DC636A6B-C0D4-4632-8639-B7E2C1E117C1 -b 1024 -max 64 -kd -rt -level 0xffffffff -flag 0xff -ft 1 -noprocess -nothread -nodisk -f C:\Target\USBFilter\USBFilter.etl -guid #69365897-4962-46AE-8981-A5A9BEE6B57C

     -Brian

    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Tuesday, August 14, 2018 7:27 PM
    Moderator
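    The same autologger session expressed as the registry configuration Mrutyunjaya mentions, as an added PowerShell example that is not from either poster: the session name, GUIDs, buffer settings and log path are taken from Brian's tracelog command, the value names follow the Autologger registry layout (HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger), and the check at the end is an assumption about why a log can come back empty (no provider enabled under the session key).

```powershell
# Added example: configure Brian's autologger via the Autologger registry key instead of tracelog.
# Run elevated; the session is created at the next boot and writes to FileName (its directory must exist).
$SessionName  = 'USBFilter'
$SessionGuid  = '{DC636A6B-C0D4-4632-8639-B7E2C1E117C1}'   # -sessionguid from Brian's command
$ProviderGuid = '{69365897-4962-46AE-8981-A5A9BEE6B57C}'   # -guid from Brian's command
$LogFile      = 'C:\Target\USBFilter\USBFilter.etl'        # -f from Brian's command
$Base         = "HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\$SessionName"

# Session-level values (the tracelog switch each one corresponds to is in the comment)
$null = New-Item -Path $Base -Force
New-ItemProperty -Path $Base -Name 'GUID'           -PropertyType String -Value $SessionGuid -Force | Out-Null
New-ItemProperty -Path $Base -Name 'Start'          -PropertyType DWord  -Value 1     -Force | Out-Null  # start at boot
New-ItemProperty -Path $Base -Name 'BufferSize'     -PropertyType DWord  -Value 1024  -Force | Out-Null  # -b 1024 (KB)
New-ItemProperty -Path $Base -Name 'MaximumBuffers' -PropertyType DWord  -Value 64    -Force | Out-Null  # -max 64
New-ItemProperty -Path $Base -Name 'FlushTimer'     -PropertyType DWord  -Value 1     -Force | Out-Null  # -ft 1 (seconds)
New-ItemProperty -Path $Base -Name 'FileName'       -PropertyType String -Value $LogFile -Force | Out-Null  # -f
# EVENT_TRACE_FILE_MODE_SEQUENTIAL (0x1) | EVENT_TRACE_REAL_TIME_MODE (0x100): -rt together with a file
New-ItemProperty -Path $Base -Name 'LogFileMode'    -PropertyType DWord  -Value 0x101 -Force | Out-Null

# One subkey per provider GUID; without an Enabled provider the session starts but records nothing
$Prov = Join-Path $Base $ProviderGuid
$null = New-Item -Path $Prov -Force
New-ItemProperty -Path $Prov -Name 'Enabled'         -PropertyType DWord -Value 1    -Force | Out-Null
New-ItemProperty -Path $Prov -Name 'EnableLevel'     -PropertyType DWord -Value 0xFF -Force | Out-Null  # level is one byte; 0xFF = all
New-ItemProperty -Path $Prov -Name 'EnableFlags'     -PropertyType DWord -Value 0xFF -Force | Out-Null  # -flag 0xff (classic/WPP provider)
New-ItemProperty -Path $Prov -Name 'MatchAnyKeyword' -PropertyType QWord -Value 0xFF -Force | Out-Null  # same flags for a manifest provider

# Sanity check (assumption: an empty .etl after reboot usually means Start=0 or no enabled provider)
function Test-Autologger {
    param([Parameter(Mandatory)][string]$Name)
    $path = "HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\$Name"
    $key  = Get-ItemProperty -Path $path -ErrorAction Stop
    if ($key.Start -ne 1) { throw "$Name is not set to start at boot (Start=$($key.Start))" }
    $enabled = Get-ChildItem -Path $path | Where-Object { (Get-ItemProperty $_.PSPath).Enabled -eq 1 }
    if (-not $enabled) { throw "$Name has no enabled provider subkey; the log would stay empty" }
    "$Name : $(@($enabled).Count) provider(s) enabled, log -> $($key.FileName)"
}
Test-Autologger -Name $SessionName
# After reboot, 'logman query -ets' lists the running session; 'logman stop USBFilter -ets' closes the .etl for TraceView.
```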
  • Could you please tell me which tool you are using to analyze the .etl log. How are you analyzing the .etl log?

    -Mrutyunjaya

    Thursday, August 16, 2018 11:29 AM
  • TraceView comes in the WDK. I particularly like TraceView Plus

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Thursday, August 16, 2018 7:38 PM
    Moderator