krabsetw icon indicating copy to clipboard operation
krabsetw copied to clipboard

Published 20 hours ago verified publisher icon microsoft

Why Service Control Manager provider doesn't generate any event id?

Open subvert0r opened this issue 1 year ago • 2 comments

I am trying to get events related to service creation, and so far I have tried these:

Microsoft-Windows-Services
Service Control Manager
Service Control Manager Trace

But strangely, non of the above providers produce events when a service is created or started.

Then I looked into it, and figured that Service Control Manager and Service Control Manager Trace don't generate any event id at all! At least the Microsoft-Windows-Services generates some events at some point.

Question: Why when I register with Service Control Manager and Service Control Manager Trace without any filter, I don't get any event at all, no matter how long I keep it running and do all sorts of service related activity? When their callback is called, the event id and opcode id is just 0, and there is no property. Their event header is basically junk.

subvert0r avatar Jan 17 '24 08:01 subvert0r

Hi @subvert0r, we aren't able to provide general assistance with Windows ETW providers in this repo.

swannman avatar Jan 17 '24 17:01 swannman

Hi @subvert0r, we aren't able to provide general assistance with Windows ETW providers in this repo.

Understood, I edited the question title to make it less generic. My main question is:

Question: Why when I register with Service Control Manager and Service Control Manager Trace without any filter, I don't get any event at all, no matter how long I keep it running and do all sorts of service related activity? When their callback is called, the event id and opcode id is just 0, and there is no property. Their event header is basically junk.

subvert0r avatar Jan 18 '24 13:01 subvert0r