- ETW captures operating system and application events, both in user mode and in the kernel, and is a key tool for debugging and performance analysis.
- There are several types of ETW providers (MOF, WPP, manifest-based and TraceLogging), each with its own structure and complexity.
- ETW is driven with tools such as logman, wpr and PerfView, which start trace sessions, capture data and analyse it.
- ETW is essential for EDR/XDR products and forensic investigations: events can even be recovered from memory when an attacker has deleted the trace files from disk.
Event Tracing for Windows (ETW) is one of the most powerful instrumentation facilities in Windows, yet one that many developers and security professionals in Microsoft environments never touch. It lets you monitor, capture and analyse events generated by the operating system and by applications, in both user mode and kernel mode.
Used for advanced debugging as much as for forensic analysis and threat detection, ETW gives deep visibility into what is happening at the system level with minimal performance impact. In this article we take a detailed look at how ETW works, which tools to use, how to configure it, what kind of data it yields, and how to use it from .NET and PowerShell, or even forensically from memory.
What is ETW and why is it so powerful?
Event Tracing for Windows is an event tracing facility built into the Windows kernel. It lets developers and administrators record and consume event streams either in real time or from log files (.etl). ETW is extremely versatile because it can be used by:
- User-mode applications, classically written in C or C++, but also .NET code through EventSource
- Kernel drivers
- EDR and antivirus systems
- Performance or security analysts
It works through a model with three roles: providers (which generate events), controllers (which configure and control trace sessions) and consumers (which read the events).
Essential components of the ETW ecosystem
The ETW operating model revolves around a few architectural elements that cleanly separate the component generating an event from the one consuming it:
1. Providers
They are the system components or applications that emit events. There are different types:
- MOF-based providers: describe events with Managed Object Format (WMI classes). This is the legacy "classic" model; it still appears with the NT Kernel Logger and older components, but is not recommended for new code.
- WPP providers: Windows software trace preprocessor, mainly used in drivers for debug tracing; the events can only be decoded with the matching symbols (PDB/TMF files).
- Manifest-based providers: the most common today. An XML manifest, compiled and registered with the system, defines each event and the layout of its payload.
- TraceLogging providers: a newer, self-describing format that needs no manifest registration and is aimed at modern applications.
2. Controllers
They start, stop and configure trace sessions: which providers are enabled, at which level and with which keywords, and where the events go (a file or a real-time consumer). A tool such as logman acts as a controller.
3. Consumers
These are applications or scripts that read events, either in real time or from .etl files. Some well-known examples are:
- Event Viewer (Windows Event Viewer)
- Windows Performance Analyzer (WPA)
- PerfView
- EDR systems such as Microsoft Defender for Endpoint
What is ETW used for?
ETW is used extensively within the Microsoft ecosystem, from internal processes to enterprise solutions. Some scenarios include:
- Real-time application debugging
- Performance monitoring (CPU, IO, network…)
- Debugging kernel-mode drivers
- Threat prevention and detection with EDR/XDR
- Digital forensic investigation
How to interact with ETW: practical tools
There are several tools that allow you to work with ETW from different angles:
Logman.exe
A command-line tool included in Windows. Querying providers and sessions needs no elevation, but starting, updating or stopping a trace session requires administrator rights (or membership in the Performance Log Users group). It lists the available providers and active sessions and configures new ones:
logman query providers
: lists all registered ETW providers (name and GUID)
logman start miSesion -p {GUID} -o c:\logs\miSesion.etl -ets
: starts a trace session for one provider; -ets applies the command to the live session immediately instead of creating a Data Collector Set
logman stop miSesion -ets
: stops the session and flushes the .etl file
WPR.exe and WPA.exe
Windows Performance Recorder (WPR) starts and stops trace sessions using predefined or custom recording profiles, and Windows Performance Analyzer (WPA) analyses the result visually. Both ship with the Windows Performance Toolkit (part of the Windows SDK/ADK) and are common in advanced development and debugging work:
wpr -start CPU -start FileIO -start DiskIO
wpr -stop resultado.etl
PerfView
A free tool from Microsoft (github.com/microsoft/perfview, downloaded separately) for advanced performance investigation on top of ETW. It collects traces, resolves stacks and .NET symbols, understands .NET runtime events such as GC and JIT, and can capture into a circular memory buffer so that a long-running session does not fill the disk:
perfview -ThreadTime -CircularMB:500 -LogFile:salida.log -Merge:true collect
The output (a .etl file plus an accompanying .etl.ngenpdb folder of generated symbols) can also be opened directly in WPA.
Understanding ETW manifests
Manifest-based providers define all their events through an XML file, compiled with mc.exe and registered with wevtutil. This manifest includes:
- provider: name, GUID and resource/message files
- channels: where events are delivered (e.g. the Admin, Operational, Analytic and Debug channels visible in Event Viewer)
- levels: event severity (Critical, Error, Warning, Informational, Verbose)
- tasks and opcodes: group events by task and by type of operation
- keywords: bit flags that categorise events so a controller can enable only the subset it needs
- maps: lookup tables that turn numeric codes into readable text
- templates: the layout of the payload data each event carries
- events: each event with its ID, version, task, opcode, level, keywords and template
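To see those manifest sections for a provider registered on your machine without opening the XML, the following added example (not code from the original article) uses Get-WinEvent -ListProvider, which exposes a provider's levels, tasks, opcodes, keywords, events and templates as objects. Microsoft-Windows-PowerShell is used because it ships with Windows; event 4104 is its script block logging event.

```powershell
# Added example, not code from the original article: dump the manifest metadata Windows
# has registered for a provider. Get-WinEvent -ListProvider returns the same sections a
# manifest declares: levels, tasks, opcodes, keywords, and events with their templates.
function Get-EtwManifestSummary {
    param([Parameter(Mandatory)][string]$ProviderName)

    $p = Get-WinEvent -ListProvider $ProviderName -ErrorAction Stop
    [pscustomobject]@{
        Name     = $p.Name
        Guid     = $p.Id
        Levels   = ($p.Levels   | ForEach-Object { '{0}={1}' -f $_.Value, $_.Name }) -join ', '
        Tasks    = @($p.Tasks).Count
        Opcodes  = @($p.Opcodes).Count
        Keywords = ($p.Keywords | ForEach-Object { '{0}=0x{1:X}' -f $_.Name, $_.Value }) -join ', '
        Events   = @($p.Events).Count
    }
}

# One row per event definition: ID, version, level, task, opcode, keywords, channel and
# the payload fields parsed out of the <template> XML the manifest attaches to the event.
function Get-EtwEventDefinition {
    param(
        [Parameter(Mandatory)][string]$ProviderName,
        [int[]]$EventId            # optional filter; omit to list every event
    )
    $p = Get-WinEvent -ListProvider $ProviderName -ErrorAction Stop
    foreach ($e in $p.Events) {
        if ($EventId -and $e.Id -notin $EventId) { continue }
        $fields = ''
        if ($e.Template) { $fields = @(([xml]$e.Template).template.data.name) -join ', ' }
        [pscustomobject]@{
            Id       = $e.Id
            Version  = $e.Version
            Level    = $e.Level.Name
            Task     = $e.Task.Name
            Opcode   = $e.Opcode.Name
            Keywords = @($e.Keywords | ForEach-Object Name) -join ', '
            Channel  = $e.LogLink.LogName
            Fields   = $fields
        }
    }
}

Get-EtwManifestSummary -ProviderName 'Microsoft-Windows-PowerShell' | Format-List
# 4104 is the script block logging event; its template shows the ScriptBlockText field
# that detection rules key on.
Get-EtwEventDefinition -ProviderName 'Microsoft-Windows-PowerShell' -EventId 4104 | Format-List
```

The same cmdlet is the quickest way to check whether a provider is manifest-based at all: WPP and TraceLogging providers are not registered this way and Get-WinEvent -ListProvider will not find them.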
Capture and analysis of ETW traces
Once a trace (.etl file) has been captured, it can be converted to other formats or analysed directly:
tracerpt archivo.etl -o archivo.xml
: exports the events to XML (tracerpt's default output format)
tracerpt archivo.etl -o archivo.evtx -of EVTX
: converts the trace to the Event Viewer format, which Event Viewer or Get-WinEvent can then open
xperf -i archivo.etl -o archivo.csv
: dumps the trace to CSV (xperf ships with the Windows Performance Toolkit)
It is also possible to view events live with PerfView, or to define an AutoLogger session that starts at boot, before any user logs on, which is what you need to trace early-boot drivers or persistence that runs before a normal session could be started:
wpr -boottrace -addboot FileIO
: registers the FileIO profile as a boot trace; after the reboot, wpr -boottrace -stopboot archivo.etl saves the capture and wpr -boottrace -cancelboot removes the registration
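The consumer side of this workflow, as an added example in PowerShell and not code from the original article: Get-WinEvent reads .etl files directly, so a captured trace can be summarised per provider and event ID and individual payloads pulled out by field name, with tracerpt kept for the cases where another tool needs .evtx or XML. $Path is any trace you captured yourself, for instance the output of a logman or wpr session; the summary below filters on Microsoft-Windows-Kernel-Process event 1 (ProcessStart), which is only present if that provider was enabled.

```powershell
# Added example, not code from the original article: consume a saved ETW trace from
# PowerShell. Get-WinEvent reads .etl files directly; -Oldest is required because ETW
# traces can only be read forward.

# Count events per provider and event ID, most frequent first: the quickest way to see
# what a trace actually contains before digging into individual events.
function Get-EtlSummary {
    param([Parameter(Mandatory)][string]$Path, [int]$Top = 10)

    Get-WinEvent -Path $Path -Oldest -ErrorAction Stop |
        Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        Select-Object -First $Top -Property `
            @{ n = 'Provider'; e = { $_.Group[0].ProviderName } },
            @{ n = 'Id';       e = { $_.Group[0].Id } },
            @{ n = 'Task';     e = { $_.Group[0].TaskDisplayName } },
            Count
}

# Return the payload of matching events as name/value pairs. The rendered XML carries a
# <Data Name="..."> element for every manifest field, so this does not depend on field order.
function Get-EtlEventPayload {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ProviderName,
        [Parameter(Mandatory)][int]$EventId,
        [int]$First = 5
    )
    Get-WinEvent -Path $Path -Oldest -ErrorAction Stop |
        Where-Object { $_.ProviderName -eq $ProviderName -and $_.Id -eq $EventId } |
        Select-Object -First $First |
        ForEach-Object {
            $x   = [xml]$_.ToXml()
            $row = [ordered]@{ Time = $_.TimeCreated; Pid = $_.ProcessId; Tid = $_.ThreadId }
            foreach ($d in $x.Event.EventData.Data) { $row[$d.Name] = $d.'#text' }
            [pscustomobject]$row
        }
}

$Path = Join-Path $env:TEMP 'EtwDemo.etl'     # any trace you captured yourself
Get-EtlSummary -Path $Path | Format-Table -AutoSize
Get-EtlEventPayload -Path $Path -ProviderName 'Microsoft-Windows-Kernel-Process' -EventId 1 | Format-List

# For tools that cannot read .etl, convert once (-y overwrites without prompting).
tracerpt $Path -o "$Path.evtx" -of EVTX -y
tracerpt $Path -o "$Path.xml"  -of XML  -y
```

Decoding depends on the provider's manifest being registered on the machine that reads the trace, not the one that wrote it: a trace copied from a host with a provider you do not have installed will show event IDs but unnamed payload fields.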
.NET and ETW
On the producing side, .NET applications emit ETW events through System.Diagnostics.Tracing.EventSource, which registers a provider at runtime without a hand-written manifest. On the consuming side, the TraceProcessing API (NuGet package Microsoft.Windows.EventTracing.Processing.All) processes .etl traces from C# code, exposing processes, threads, stacks and generic events as strongly typed objects; it is used by Microsoft's own engineers.
Security Use Cases: EDR/XDR and Threat Hunting
ETW is a cornerstone of endpoint detection and response (EDR/XDR) solutions. It integrates deeply with the system and, through the kernel process, registry and network providers as well as the Microsoft-Windows-Threat-Intelligence provider reserved for anti-malware services, enables the detection of behaviours such as:
- Creation of suspicious processes
- Registry modifications
- Unusual network traffic
- Access to critical system resources
For example, it is possible to identify techniques such as DCSync using providers that report domain controller replication.
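The first bullet above, process creation, is the simplest case to show end to end. The following added example (not code from the original article, nor from any EDR) runs detection logic of the kind an agent applies over Microsoft-Windows-Kernel-Process event 1 (ProcessStart) events in the XML shape Get-WinEvent's ToXml() renders. The payload field names ImageName, ProcessID and ParentProcessID are assumed from that provider's manifest, and the four events are constructed for the example rather than taken from a real capture. The interesting part is that ProcessStart only carries the parent's PID, so the detector has to build its own PID-to-image table from the stream before it can judge a parent/child pair.

```powershell
# Added example, not code from the original article: flag Office applications spawning a
# shell, using only what Kernel-Process ProcessStart events (ID 1) provide. Field names
# ImageName / ProcessID / ParentProcessID are assumed from the provider manifest.

# Builds one event in the XML layout Get-WinEvent renders; used only to construct samples.
function New-ProcessStartXml {
    param([int]$ProcessId, [int]$ParentProcessId, [string]$ImageName)
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
    '<System><Provider Name="Microsoft-Windows-Kernel-Process"/><EventID>1</EventID></System>' +
    "<EventData><Data Name=`"ProcessID`">$ProcessId</Data>" +
    "<Data Name=`"ParentProcessID`">$ParentProcessId</Data>" +
    "<Data Name=`"ImageName`">$ImageName</Data></EventData></Event>"
}

# Constructed sample stream: Word starts, Word spawns cmd, Explorer starts Notepad,
# cmd spawns PowerShell. Only the Word -> cmd pair should be flagged.
$SampleEvents = @(
    (New-ProcessStartXml 4120 812  '\Device\HarddiskVolume3\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'),
    (New-ProcessStartXml 5208 4120 '\Device\HarddiskVolume3\Windows\System32\cmd.exe'),
    (New-ProcessStartXml 5300 812  '\Device\HarddiskVolume3\Windows\System32\notepad.exe'),
    (New-ProcessStartXml 6016 5208 '\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe')
)

$OfficeParents = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE'
$ShellChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'

function Find-SuspiciousProcessChains {
    param([Parameter(Mandatory)][string[]]$EventXml)

    $images = @{}    # PID -> image file name, learned from the stream; a reused PID simply overwrites
    $hits   = New-Object System.Collections.Generic.List[object]

    foreach ($raw in $EventXml) {
        $x = [xml]$raw
        if ([int]$x.Event.System.EventID -ne 1) { continue }   # only ProcessStart

        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        $procId   = [int]$d['ProcessID']
        $parentId = [int]$d['ParentProcessID']
        $image    = Split-Path -Leaf $d['ImageName']     # NT device path -> file name
        $images[$procId] = $image

        # $null when the parent started before the trace did: a blind spot every
        # stream-based detector has, which is why EDRs snapshot running processes at start-up.
        $parent = $images[$parentId]
        if ($parent -and ($OfficeParents -contains $parent) -and ($ShellChildren -contains $image)) {
            $hits.Add([pscustomobject]@{
                ParentPid = $parentId; Parent = $parent
                ChildPid  = $procId;   Child  = $image
            })
        }
    }
    return ,$hits.ToArray()
}

Find-SuspiciousProcessChains -EventXml $SampleEvents | Format-Table -AutoSize
# Expected: a single row, WINWORD.EXE (4120) -> cmd.exe (5208).

# On a real capture the same function runs over the trace itself:
# Get-WinEvent -Path .\proc.etl -Oldest | Where-Object Id -eq 1 | ForEach-Object { $_.ToXml() } |
#     Find-SuspiciousProcessChains -EventXml { $input }
```

The pipeline comment at the end is the only change needed to move from the constructed sample to a live .etl; the string comparisons are case-insensitive because PowerShell's -contains is, which matters since kernel image names mix upper and lower case.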
Forensic analysis with ETW
Advanced research even makes it possible to recover ETW events from RAM when an attacker has deleted the .etl files from disk, or when the session was never writing to disk at all. This works by walking the kernel structures that hold the trace buffers:
- _WMI_LOGGER_CONTEXT: one per trace session, with lists such as GlobalList or BufferQueue that point at its buffers
- _ETW_REALTIME_CONSUMER: gives access to UserBufferListHead for real-time consumers
The Volatility3 plugin published by JPCERT/CC recovers these buffers directly from a memory dump and writes them out so they can be processed with tracefmt or WPA, revealing DNS lookups, network traffic, blocked threats and more. Only what was still in the session's buffers at the moment of the dump is recoverable, so the result is a recent window of activity rather than the full history.
ETW offers a comprehensive view of the operating system and application layers, allowing you to anticipate problems, optimise resources and detect anomalies. It has a steep learning curve, but mastering its tools and structures gives a real advantage in modern Windows environments.