Quickly search for references to a GUID in DLLs, EXEs, and drivers

.\FindETWProviderImage.exe "<{provider-guid}|Provider-Name>" "\path\to\search\directory"

Since the tool is only returning basic offsets/RVAs, you'll still need to disassemble the image in Ghidra/IDA/etc.
My workflow is to load the image into the disassembler, do the initial automatic analysis, and then look for cross-references to the offset/RVA, specifically ones coming from EventRegister() (user mode) and EtwRegister() (kernel mode).

• Add checks for EventRegister() and EtwRegister() to help identify providers
• Add provider name to GUID resolution functionality

1. If a provider name was specified, translate it to a GUID by parsing the registry and return the image if found there
2. Recursively search the supplied directory for files ending with .dll, .exe, or .sys
3. Use a Boyer-Moore search to parse each of the files for the target GUID across 4 threads
4. If references are found in the image, return the offset and relative virtual address (RVA) of each reference

Thanks to Matt Graeber (@mattifestation) for the original idea of identifying provider images by locating GUIDs inside the files