
logging nt kernel logger or windows kernel trace

Open joemikhailgwu opened this issue 6 years ago • 5 comments

When logging nt kernel logger or windows kernel trace providers, there are no results. Any tips?

joemikhailgwu avatar Oct 21 '19 13:10 joemikhailgwu

Run as administrator.

abergl avatar Oct 21 '19 14:10 abergl

I am running as administrator. All the other providers work fine.

joemikhailgwu avatar Oct 21 '19 14:10 joemikhailgwu

@joemikhailgwu can you verify this is an issue with pywintrace by trying the same actions on Microsoft Message Analyzer?

SuprHackerSteve avatar Nov 14 '19 18:11 SuprHackerSteve

I have encountered the same as above. Running an admin shell on Windows 10. I cannot try and test with MS Message Analyzer as it was deprecated and removed from their sites before November.

Ref Code:

```python
#! python3

from log import Log  # poster's own logging helper, not part of pywintrace
import time
import etw


def some_func(log):
    # Provider to capture: Microsoft-Windows-Kernel-EventTracing
    providers = [etw.ProviderInfo('Microsoft-Windows-Kernel-EventTracing',
                                  etw.GUID("{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}"))]

    # create instance of ETW class; every event is written to the log
    job = etw.ETW(providers=providers,
                  event_callback=lambda x: log.Write(f"{x}\n"))

    # start capture
    job.start()

    # keep the session alive while events are delivered to the callback
    while 1:
        time.sleep(1)

    # stop capture
    job.stop()


log = Log()
some_func(log)
```

ifUpEth0 avatar Dec 09 '19 18:12 ifUpEth0

Interestingly I found I could test much of this with logman and found many of the kernel-level providers did not provide much via it either. For disks at the kernel level I am getting some useful info with Microsoft-Windows-Kernel-Disk, should anyone be interested.

ifUpEth0 avatar Dec 09 '19 20:12 ifUpEth0
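One way to run the logman cross-check ifUpEth0 describes, as an added example that is not from this thread or the pywintrace project. The session names and C:\Temp paths are assumptions; the point it shows is that the classic "Windows Kernel Trace" provider is enabled through flags on the special "NT Kernel Logger" session rather than by provider GUID, which is the difference a consumer library has to handle.

```powershell
# Added example (not from the thread): check whether the kernel providers emit
# events at all, independently of pywintrace. Run from an elevated prompt.
# Session names and C:\Temp output paths are placeholders.

# 1. Confirm the manifest-based provider is registered and list its keywords.
logman query providers "Microsoft-Windows-Kernel-Disk"

# 2. Manifest-based kernel provider (reported as working in this thread):
#    start a session with all keywords at verbose level, wait for some disk
#    activity, then stop it.
logman start DiskTest -p "Microsoft-Windows-Kernel-Disk" 0xffffffffffffffff 0xff -o C:\Temp\disk.etl -ets
Start-Sleep -Seconds 10
logman stop DiskTest -ets

# 3. The classic "Windows Kernel Trace" provider behaves differently: it only
#    logs into the special "NT Kernel Logger" session, and the event groups are
#    chosen by session flags (process,thread,disk,img), not by provider GUID.
#    --% stops PowerShell from parsing the parenthesised flag list.
logman --% start "NT Kernel Logger" -p "Windows Kernel Trace" (process,thread,disk,img) -o C:\Temp\kernel.etl -ets
Start-Sleep -Seconds 10
logman stop "NT Kernel Logger" -ets

# 4. Convert both traces to XML and count the <Event> elements. A non-zero
#    count shows the provider does emit data on this host, which isolates the
#    "no results" symptom to the consumer rather than the provider.
tracerpt C:\Temp\disk.etl   -o C:\Temp\disk.xml   -of XML -y
tracerpt C:\Temp\kernel.etl -o C:\Temp\kernel.xml -of XML -y
foreach ($f in "C:\Temp\disk.xml", "C:\Temp\kernel.xml") {
    $n = (Select-String -Path $f -Pattern "<Event " | Measure-Object).Count
    "{0}: {1} events" -f $f, $n
}
```

If step 3 returns events while pywintrace stays silent for the same provider, the gap is in how the session is created, which is worth checking before assuming the provider is quiet.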