# ETWInspector

EtwInspector is a comprehensive Event Tracing for Windows (ETW) toolkit designed to simplify the enumeration of ETW providers and trace session properties. Developed in C#, EtwInspector is easily accessible as a PowerShell module, making it user-friendly and convenient. This tool aims to be a one-stop solution for all ETW-related tasks, from discovery and inspection to trace capturing.

## Instructions

### PowerShell Gallery

Coming soon...

### Import Directly

1. Import EtwInspector via:

```
PS > Import-Module EtwInspector.psd1
```

You may need to go to the file and press "unblock" if you get an error about importing the module and its dependencies.

2. Get a list of available commands within the module:

```
PS > Get-Command -Module EtwInspector

CommandType     Name                          Version    Source
-----------     ----                          -------    ------
Cmdlet          Get-EtwProviders              1.0        EtwInspector
Cmdlet          Get-EtwSecurityDescriptor     1.0        EtwInspector
Cmdlet          Get-EtwTraceSessions          1.0        EtwInspector
Cmdlet          Start-EtwCapture              1.0        EtwInspector
Cmdlet          Stop-EtwCapture               1.0        EtwInspector
```

### Enumeration Steps

#### ETW Providers

`Get-EtwProviders` allows a user to enumerate Manifest, MOF, and TraceLogging providers. Depending on the provider type that is being queried, some functionality is more advanced than others.

Example 1: Enumerating Manifest/MOF providers that have "Threat" in the provider name

```
PS > $EnumProviders = Get-EtwProviders -ProviderName Threat
PS > $EnumProviders

RegisteredProviders                     TraceloggingProviders
-------------------                     ---------------------
{Microsoft-Windows-Threat-Intelligence}

PS > $EnumProviders.RegisteredProviders

providerGuid       : f4e1897c-bb5d-5668-f1d8-040f4d8dd344
providerName       : Microsoft-Windows-Threat-Intelligence
resourceFilePath   : %SystemRoot%\system32\Microsoft-Windows-System-Events.dll
schemaSource       : Manifest
eventKeywords      : {KERNEL_THREATINT_KEYWORD_ALLOCVM_LOCAL, KERNEL_THREATINT_KEYWORD_ALLOCVM_LOCAL_KERNEL_CALLER, KERNEL_THREATINT_KEYWORD_ALLOCVM_REMOTE, KERNEL_THREATINT_KEYWORD_ALLOCVM_REMOTE_KERNEL_CALLER...}
eventMetadata      : {1, 2, 2, 2...}
securityDescriptor : EtwInspector.Provider.Enumeration.EventTraceSecurity
```

Example 2: Enumerating Manifest providers that have "ReadVm" in a property field

```
PS > $EnumProviders = Get-EtwProviders -PropertyString ReadVm
PS > $EnumProviders

RegisteredProviders                     TraceloggingProviders
-------------------                     ---------------------
{Microsoft-Windows-Threat-Intelligence}

PS > $EnumProviders.RegisteredProviders

providerGuid       : f4e1897c-bb5d-5668-f1d8-040f4d8dd344
providerName       : Microsoft-Windows-Threat-Intelligence
resourceFilePath   : %SystemRoot%\system32\Microsoft-Windows-System-Events.dll
schemaSource       : Manifest
eventKeywords      : {KERNEL_THREATINT_KEYWORD_ALLOCVM_LOCAL, KERNEL_THREATINT_KEYWORD_ALLOCVM_LOCAL_KERNEL_CALLER, KERNEL_THREATINT_KEYWORD_ALLOCVM_REMOTE, KERNEL_THREATINT_KEYWORD_ALLOCVM_REMOTE_KERNEL_CALLER...}
eventMetadata      : {1, 2, 2, 2...}
securityDescriptor : EtwInspector.Provider.Enumeration.EventTraceSecurity
```

Example 3: Enumerating TraceLogging providers that exist in kerberos.dll

```
PS > $EnumProviders = Get-EtwProviders -ProviderType TraceLogging -FilePath C:\Windows\System32\kerberos.dll
PS > $EnumProviders

RegisteredProviders TraceloggingProviders
------------------- ---------------------
{}                  EtwInspector.Provider.Enumeration.TraceLoggingSchema

PS > $EnumProviders.TraceloggingProviders

FilePath                         Providers
--------                         ---------
C:\Windows\System32\kerberos.dll {Microsoft.Windows.Security.Kerberos, Microsoft.Windows.Security.SspCommon, Microsoft.Windows.Tlg...
```

#### Trace Sessions

`Get-EtwTraceSessions` is another cmdlet that allows someone to query trace sessions locally and remotely. You can query regular trace sessions, trace sessions that live in a data collector, or both.

### Capture

EtwInspector also holds the cmdlets `Start-EtwCapture` and `Stop-EtwCapture`, which allow users to start and stop ETW trace sessions locally. These are fairly straightforward. Feel free to call `Get-Help Start-EtwCapture -Examples` for more details.

## Previous Versions

If you prefer to use EtwInspector 1.0, which is written in C++, please visit the `v1.0` branch.

## Feedback

If there are any features you would like to see, please don't hesitate to reach out.

Thank you to the following people who were willing to test this tool and provide feedback:

- Olaf Hartong
- Matt Graeber

## Resources/Nuget Packages:

* Fody
* Microsoft.Diagnostics.Tracing.TraceEvent
* XmlDoc2CmdletDoc

## Release Notes

v1.0.0

* Initial release of package
* Following Cmdlets:
  * Get-EtwProviders
  * Get-EtwSecurityDescriptor
  * Get-EtwTraceSessions
  * Start-EtwCapture
  * Stop-EtwCapture
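The enumeration examples above return provider objects whose `providerGuid`, `providerName`, `schemaSource` and `eventKeywords` fields are what a defender needs when deciding which provider and keywords to enable for a detection trace. The script below is an added example, not code from EtwInspector or its README: it wraps `Get-EtwProviders -ProviderName`, filters the keyword list by a substring, and cross-checks each GUID against the operating system's own provider registration via the built-in `Get-WinEvent -ListProvider`. It assumes `EtwInspector.psd1` sits in the current directory, that the output object shape matches the README output shown above, and that keyword entries are either strings or objects exposing a `name` property (both are handled, since the README does not state the element type). The `$KeywordFilter` default value is a constructed example.

```powershell
# Added example (not part of EtwInspector or its README). Assumes EtwInspector.psd1
# is in the current directory and that Get-EtwProviders returns the
# RegisteredProviders / providerGuid / providerName / schemaSource / eventKeywords
# properties shown in the README output.
param(
    [string]$NameFilter    = 'Threat',   # substring passed to -ProviderName
    [string]$KeywordFilter = 'ALLOCVM'   # constructed example: substring matched against keyword names
)

Import-Module .\EtwInspector.psd1 -ErrorAction Stop

$result = Get-EtwProviders -ProviderName $NameFilter

if (-not $result.RegisteredProviders) {
    Write-Warning "No Manifest/MOF provider matched '$NameFilter'."
    return
}

foreach ($p in $result.RegisteredProviders) {
    # Cross-check the GUID EtwInspector reports against the OS's own registration.
    # Get-WinEvent -ListProvider is a built-in cmdlet; a mismatch (or a provider only
    # one side knows about) should be understood before relying on its telemetry.
    $osView = Get-WinEvent -ListProvider $p.providerName -ErrorAction SilentlyContinue
    $guidMatches = $false
    if ($osView) {
        $guidMatches = ([string]$osView.Id -eq [string]$p.providerGuid)
    }

    # Normalise keyword entries to names. Assumption: entries are strings or objects
    # with a 'name' property; anything else falls back to its string form.
    $keywordNames = @($p.eventKeywords | ForEach-Object {
        if ($_ -is [string]) { $_ }
        elseif ($_.PSObject.Properties['name']) { $_.name }
        else { "$_" }
    })

    $matching = @($keywordNames | Where-Object { $_ -like "*$KeywordFilter*" })

    [pscustomobject]@{
        Provider         = $p.providerName
        Guid             = $p.providerGuid
        Schema           = $p.schemaSource
        GuidMatchesOS    = $guidMatches
        KeywordCount     = $keywordNames.Count
        MatchingKeywords = ($matching -join ', ')
    }
}
```

Run it as `.\Select-EtwKeywords.ps1 -NameFilter Threat -KeywordFilter ALLOCVM` (file name is your choice). The `GuidMatchesOS` column is the sanity check: the README's output for Microsoft-Windows-Threat-Intelligence gives a GUID and a `Manifest` schema source, and both should agree with what `Get-WinEvent -ListProvider` reports on the same host before the keywords are used in a capture.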