This is a repository that contains a bunch of resources to learn and understand EVTX/ETW (Event Tracing for Windows)

• EVTX/ETW Resources
  • Content
  • Structure
  • Blogs / Research (https://nasbench.medium.com/)
  • Tools
    • Interacting w/ ETW
    • Dumping ETW Providers Manifest
    • Scripting w/ ETW (Detection, Digital Forensics)
  • Online Resources
    • Architecture
    • Research
    • Talks
    • Books
    • Other Github Projects w/ ETW Content
  • Contributing

• ETW Providers Manifests - List of ETW XML manifests from different versions of Windows.
• Examples - Example scripts to collect ETW events using different libraries.
• ETW Events List - List of all ETW events extracted from the currently dumped ETW providers.

• A Primer On Event Tracing For Windows (ETW)
• Finding Detection and Forensic Goodness In ETW Providers
• Windows 11 “New” ETW Providers — Overview

The following is a list of tools that can let us interact with the different ETW providers available. The examples directory contains example scripts and commands on how to use these tools

• Logman
• Microsoft.Diagnostics.Tracing.TraceEvent
• Message Analyzer

• ETW Explorer
• WEPExplorer
• PerfView

• PSalander
• Sealighter
• PyWintrace
• SilkETW
• KrabsETW

The following are blogs and articles published by the wider security community discussing various aspects of ETW

• Event Tracing: Improve Debugging And Performance Tuning With ETW by Microsoft
• About Event Tracing by Microsoft
• Part 1 - ETW Introduction and Overview by Microsoft
• Part 2 - Exploring and Decoding ETW Providers using Event Log Channels by Microsoft
• Part 3 - ETW Methods of Tracing by Microsoft
• ETW: Event Tracing for Windows 101
• ETW: Event Tracing for Windows, Part 1: Intro by Mozilla
• ETW: Event Tracing for Windows, part 2: field reporting by Mozilla
• ETW: Event Tracing for Windows, part 3: architecture by Mozilla
• ETW: Event Tracing for Windows, part 4: collection by Mozilla
• ETW Security by Geoff Chappell
• Writing an Instrumentation Manifest

• Tampering with Windows Event Tracing: Background, Offense, and Defense by Palantir
• Introduction to Threat Intelligence ETW
• Detecting process injection with ETW
• Experimenting with Protected Processes and Threat-Intelligence
• Bypassing the Microsoft-Windows-Threat-Intelligence Kernel APC Injection Sensor
• Data Source Analysis and Dynamic Windows RE using WPP and TraceLogging
• Detecting Parent PID Spoofing
• Veni, No Vidi, No Vici: Attacks on ETW Blind EDR Sensors

• T208 Hidden Treasure Detecting Intrusions with ETW Zac Brown - Derbycon 7
• T208 Hidden Treasure Detecting Intrusions with ETW Zac Brown - GrrCON 2017
• RECON 2019 - Using WPP and TraceLogging Tracing (Matt Graeber)
• S25 Tracing Adversaries Detecting Attacks with ETW Matt Hastings Dave Hull - Derbycon 7
• The Good, the Bad and the ETW (Grzegorz Tworek)

• Windows Internals, Part 2, 7th Edition
• Windows 10 System Programming, Part 2

• OSSEM Data Dictionaries by OTRF
• ETW Providers Docs by repnz
• Windows 10 ETW Events by jdu2600

If you want to contribute to this project simply follow these steps:

• Download the latest version of WEPExplorer
• Download the latest version of Auto Keyboard Presser
• Follow the steps in the GIF below

• Fork the repo and upload your files
• Make a PR and receive our eternal thanks