2.17. ETW – Event Tracing for Windows

The EtwManager instance is accessible via windows.system.etw

Note

This code is the result of my research on ETW that led to this presentation ETW for the lazy reverser (FR)

2.17.1. EtwManager

class windows.winobject.event_trace.EtwManager

An object to query ETW sessions/providers and open new traces

open_trace(name=None, logfile=None, guid=None)

Open a new ETW Trace

Returns: EtwTrace
providers

The list of currently existing ETW providers.

Type: [TraceProvider] – a list of ETW providers
sessions

The list of currently active ETW sessions.

Type: [EventTraceProperties] – a list of EventTraceProperties

2.17.2. Tracing Events

2.17.2.1. EtwTrace

class windows.winobject.event_trace.EtwTrace(name, logfile=None, guid=None)

Represents an ETW Trace for tracing/processing events

enable(guid, flags=255, level=255)

Enable the specified event trace provider.

enable_ex(guid, flags=255, level=255, any_keyword=4294967295L, all_keyword=0)

Enable the specified event trace provider.

exists()

Return True if the trace already exists (based on its name)

flush()

Flush the trace

guid = None

The guid of the trace

logfile = None

The logging file of the trace (None means real time trace)

name = None

The name of the trace

process(callback, begin=None, end=None, context=None)

Process the events retrieved by the trace. This function calls callback with every EventRecord in the trace. begin/end allow filtering so that only events in a given timeframe are processed.

Warning

If the trace is REALTIME (no logfile), this function will block and keep processing new events until the trace is stopped from elsewhere.

For example, using logman -ets stop TRACE_NAME.

start(flags=0, mode=0)

Start the tracing

stop(soft=False)

Stop the tracing.

With soft=True, stopping a trace that does not exist or is not running is not an error. This allows simpler scripts that stop/start an EtwTrace.
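The EtwTrace lifecycle described above (open, soft stop, start, enable, process, stop), as an added example that is not part of the PythonForWindows documentation. The session name and provider GUID are constructed placeholders, and `collect()` assumes PythonForWindows on Windows; the callback class itself has no Windows dependency.

```python
import collections

TRACE_NAME = "PFW_DOC_EXAMPLE"  # constructed session name, not from the docs
# Placeholder: replace with the GUID of the provider you want (see etw.providers)
PROVIDER_GUID = "{00000000-0000-0000-0000-000000000000}"


class EventCounter(object):
    """Callback object for EtwTrace.process(): tallies events per (pid, event id).

    process() calls this once per EventRecord; only the documented attributes
    (guid, id, pid) are used, so any object exposing them works."""

    def __init__(self, pid_filter=None):
        self.pid_filter = pid_filter
        self.seen = 0
        self.counts = collections.Counter()
        self.providers = set()

    def __call__(self, event):
        self.seen += 1
        self.providers.add(str(event.guid))
        if self.pid_filter is not None and event.pid != self.pid_filter:
            return  # drop events coming from other processes
        self.counts[(event.pid, event.id)] += 1

    def summary(self, top=10):
        """Most frequent (pid, event id) pairs, highest count first."""
        return self.counts.most_common(top)


def collect(provider_guid=PROVIDER_GUID, name=TRACE_NAME, pid_filter=None):
    """Open a real-time ETW trace, enable one provider and process until stopped.

    Blocks until the trace is stopped from another console, e.g.
    `logman -ets stop PFW_DOC_EXAMPLE` (see the REALTIME warning above)."""
    import windows  # imported here so the counter logic is usable without Windows
    trace = windows.system.etw.open_trace(name=name)  # no logfile -> real time
    trace.stop(soft=True)  # soft: not an error if no such trace is running
    trace.start()
    trace.enable(provider_guid)  # flags=255, level=255: all events from the provider
    counter = EventCounter(pid_filter)
    try:
        trace.process(counter)  # REALTIME: hangs here until the trace is stopped
    finally:
        trace.stop(soft=True)
    return counter


if __name__ == "__main__":
    for (pid, event_id), n in collect().summary():
        print("pid={} event_id={} count={}".format(pid, event_id, n))
```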

2.17.2.2. EventTraceProperties

class windows.winobject.event_trace.EventTraceProperties

Represents an Event Trace session that may or may not exist. (https://docs.microsoft.com/en-us/windows/win32/api/evntrace/ns-evntrace-event_trace_properties)

This class is widely used by EtwTrace

classmethod create()

Initialize a new EventTraceProperties

guid

The GUID of the Event Trace session (see Wnode.Guid)

id

The LoggerId of the session (see Wnode.HistoricalContext)

logfile

The logfile associated with the session

name

The name of the session

2.17.2.3. EventRecord

class windows.winobject.event_trace.EventRecord

guid

Guid of the Event

id

ID of the Event

pid

Process ID that provided the event

tid

Thread ID that provided the event

user_data

Event specific data

Type: str