Every Windows event log, every Sysmon event, every PowerShell ScriptBlock log — all of them are built on top of ETW. Event Tracing for Windows is not just another artifact; it is the infrastructure that produces artifacts. Understanding ETW directly gives investigators access to telemetry that never reaches the event log, including kernel-level process and thread events, DNS client resolution data, and the Microsoft Threat Intelligence provider that powers Windows Defender’s real-time detection.
What Is ETW?
Event Tracing for Windows (ETW) is a high-performance, low-overhead kernel-level tracing facility built into Windows since Windows 2000. It operates on a Provider → Session → Consumer model. Providers are components (kernel subsystems, drivers, applications) that generate events. Sessions are kernel objects that collect events from one or more providers and route them to a buffer. Consumers read events from sessions, either in real-time or from persisted .etl (Event Trace Log) files.
The Windows Event Log service itself is an ETW consumer — it reads events from ETW sessions and writes them to .evtx files. But many ETW providers emit events that are never consumed by the Event Log service. These “unlogged” events are only visible through direct ETW tracing. For forensic investigators, this means ETW provides access to telemetry that is invisible in standard event logs, including detailed kernel process/thread activity, network stack events, DNS resolution details, and memory allocation patterns.
Windows ships with over 1,100 registered ETW providers. Each provider is identified by a GUID and has a manifest describing its event schema. Providers can emit events at different levels (verbose, informational, warning, error, critical) and can be filtered by keyword bitmasks. This granularity means an investigator can enable exactly the telemetry needed for a specific investigation without overwhelming the system.
The Microsoft-Windows-Threat-Intelligence ETW provider (introduced in Windows 10) provides kernel-level visibility into memory allocation, process injection, and code integrity violations. It powers Windows Defender and Credential Guard detections. Consuming this provider directly via SilkETW or custom tools gives investigators access to the same telemetry that Microsoft uses for its own threat detection — including events that never reach the standard event log.
Location & Format
| Component | Path / Location | Notes |
|---|---|---|
| .etl Files (persisted traces) | C:\Windows\System32\WDI\LogFiles\, C:\Windows\System32\LogFiles\WMI\, various | Binary ETL format; multiple locations depending on the trace session |
| AutoLogger sessions | C:\Windows\System32\LogFiles\WMI\RtBackup\ | Boot-time auto-start sessions; persist .etl files across reboots |
| Circular kernel traces | C:\Windows\System32\WDI\{GUID}\ | Diagnostic traces with circular buffers; may contain recent kernel events |
| Provider manifests | Embedded in DLLs; enumerable via logman query providers | Over 1,100 registered providers on a typical Windows 10/11 system |
| Session configuration | HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ | Registry keys defining auto-start trace sessions |
ETL File Format
ETL files use a binary format with a header containing the session configuration, followed by buffers of serialized events. Each event contains a common header (timestamp, process ID, thread ID, provider GUID, event ID, level, keyword) followed by provider-specific payload data. The format is not self-describing — you need the provider manifest (typically embedded in a DLL) to decode the payload fields. Tools like tracerpt, xperf, and SilkETW handle manifest resolution automatically.
Providers / Sessions / Consumers Model
Understanding the ETW architecture is essential for both collection and analysis:
- Providers emit events when enabled by a session. A provider does nothing until a session subscribes to it. Providers are identified by GUID and name (e.g.,
Microsoft-Windows-Kernel-Process {22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}). - Sessions (also called trace sessions or controllers) are kernel objects that buffer events from subscribed providers. A session can write events to an .etl file, deliver them in real-time to a consumer, or both. Sessions are created with
logman,xperf, or theStartTraceAPI. - Consumers read events from sessions. The Windows Event Log service is a consumer.
tracerpt.exeis a consumer. SilkETW is a consumer. Custom C# or Python code using theTraceEventlibrary is a consumer. Real-time consumers process events as they arrive; file-based consumers process stored .etl files.
Windows supports a maximum of 64 concurrent ETW sessions (plus the NT Kernel Logger and a few reserved sessions). If the maximum is reached, new sessions will fail to start. In heavily instrumented environments with EDR, SIEM agents, and diagnostic tools, session slots may be exhausted — check with logman query -ets to see active sessions.
Key Forensic ETW Providers
| Provider | GUID | Forensic Value |
|---|---|---|
| Microsoft-Windows-Kernel-Process | {22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716} | Process and thread creation/termination with full context; more detailed than Security EID 4688 |
| Microsoft-Windows-DNS-Client | {1C95126E-7EEA-49A9-A3FE-A378B03DDB4D} | DNS resolution events per process; captures queries that never reach the DNS Server log |
| Microsoft-Windows-Threat-Intelligence | {F4E1897C-BB5D-5668-F1D8-040F4D8DD344} | Kernel-level process injection, memory allocation, code integrity events; requires PPL (Protected Process Light) |
| Microsoft-Windows-Kernel-File | {EDD08927-9CC4-4E65-B970-C2560FB5C289} | File I/O operations at the kernel level; file create, read, write, delete, rename |
| Microsoft-Windows-Kernel-Network | {7DD42A49-5329-4832-8DFD-43D979153A88} | TCP/UDP connection events; socket creation, bind, connect, accept, disconnect |
| Microsoft-Windows-Kernel-Registry | {70EB4F03-C1DE-4F73-A051-33D13D5413BD} | Registry operations at kernel level; key create, open, set value, delete |
| Microsoft-Antimalware-Scan-Interface | {2A576B87-09A7-520E-C21A-4942F0271D67} | AMSI scan events; captures content submitted to AMSI (PowerShell scripts, macros, .NET assemblies) |
| Microsoft-Windows-DotNETRuntime | {E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4} | .NET assembly loading, JIT compilation; detects in-memory .NET malware and reflective loading |
The Microsoft-Windows-Threat-Intelligence provider can only be consumed by processes running as Protected Process Light (PPL). This means standard user-mode tools cannot subscribe to it. Tools like SilkETW require a signed driver or PPL elevation. On a forensic image, .etl files from AutoLogger sessions that were subscribed to this provider can still be parsed normally.
What ETW Reveals
- Process injection techniques — The Threat Intelligence provider captures
NtAllocateVirtualMemory,NtProtectVirtualMemory, andNtMapViewOfSectioncalls across process boundaries, revealing injection without needing Sysmon. - DNS queries per process — The DNS Client provider maps every DNS query to the originating process ID, providing per-process DNS visibility without Sysmon Event ID 22.
- .NET in-memory execution — The DotNETRuntime provider captures assembly loading events, including assemblies loaded via reflection (e.g.,
Assembly.Load(byte[])), which is the primary mechanism for fileless .NET malware. - Kernel-level file operations — The Kernel-File provider captures all file I/O at the NTFS level, including operations that bypass user-mode APIs and are invisible to most monitoring tools.
- Network connections below the event log — The Kernel-Network provider captures TCP/UDP events that may not generate event log entries, particularly for short-lived connections.
- AMSI inspection content — The AMSI provider captures the actual content submitted for scanning, including deobfuscated PowerShell scripts and decoded macro payloads.
Forensic Use Cases
1. Process Injection Detection Without Sysmon
On a system without Sysmon, the Threat Intelligence ETW provider (if an AutoLogger session was active) captures cross-process memory operations. An .etl file showing NtAllocateVirtualMemory called by Process A targeting Process B’s address space, followed by NtWriteVirtualMemory and NtCreateThreadEx, proves process injection occurred — with timestamps, PIDs, and call stacks.
2. DNS Exfiltration Attribution
The DNS Client ETW provider maps DNS queries to process IDs. When a process in C:\ProgramData generates hundreds of DNS queries to subdomains of a single parent domain, the ETW trace attributes every query to that PID. This provides the same per-process DNS attribution as Sysmon Event ID 22 but is available natively without Sysmon installation.
3. Fileless .NET Malware Detection
The DotNETRuntime provider captures assembly load events including the assembly name and whether it was loaded from disk or from a byte array in memory. A powershell.exe process loading an assembly named SharpHound or Rubeus via reflection (no file path, loaded from byte array) is a clear indicator of in-memory .NET tool execution.
4. AMSI Bypass Detection
The AMSI provider captures content submitted for scanning. If the AMSI content shows a PowerShell script attempting to patch amsi.dll in memory (the common AMSI bypass technique), the ETW trace captures the bypass attempt itself — including the script content that attempted the bypass — even if the bypass subsequently succeeds and prevents further AMSI logging.
5. Boot-Time Malware Analysis
AutoLogger sessions configured in the registry start tracing at boot time, before most user-mode services. The WDI\LogFiles\ directory contains boot traces that capture early process creation, driver loading, and service startup. Bootkits and early-stage persistence mechanisms that execute before the event log service starts may still be captured in these boot-time .etl traces.
Collection & Analysis Tools
| Tool | Author | Purpose | Notes |
|---|---|---|---|
| logman | Microsoft (built-in) | Create/manage trace sessions, list providers | logman query providers lists all registered providers; logman query -ets shows active sessions |
| xperf / WPR | Microsoft (Windows SDK) | High-performance kernel tracing and analysis | Windows Performance Recorder captures detailed kernel/user traces; WPA for analysis |
| SilkETW | FiEye (Mandiant) | Security-focused ETW consumer | JSON output; supports Yara rules on ETW events; ideal for threat hunting |
| tracerpt | Microsoft (built-in) | Parse .etl files to CSV/XML | tracerpt file.etl -o output.csv -of CSV |
| ETWExplorer | Pavel Yosifovich | GUI tool for exploring ETW providers and manifests | Useful for understanding provider schemas before tracing |
| KrabsETW | Microsoft | C++ library for ETW consumption | Open source; used by many EDR products internally |
| TraceEvent | Microsoft | .NET library for ETW parsing | PerfView uses this; excellent for programmatic .etl analysis |
:: List all registered ETW providers logman query providers > C:\Evidence\etw_providers.txt :: List all active trace sessions logman query -ets > C:\Evidence\active_sessions.txt :: Start a Kernel-Process trace (captures process/thread events) logman create trace KernelProc -p "Microsoft-Windows-Kernel-Process" -o C:\Evidence\kernproc.etl -ets :: Start a DNS Client trace logman create trace DNSTrace -p "Microsoft-Windows-DNS-Client" -o C:\Evidence\dns.etl -ets :: Stop a trace logman stop DNSTrace -ets :: Parse .etl to CSV tracerpt C:\Evidence\dns.etl -o C:\Evidence\dns_events.csv -of CSV
Acquisition Methods
ETW .etl files in WDI\LogFiles\ and LogFiles\WMI\ are often overlooked during forensic collection. KAPE includes targets for WMI trace files. On a live system, use logman query -ets to identify active sessions and their output file paths before collecting. AutoLogger .etl files in LogFiles\WMI\RtBackup\ may contain boot-time events not available in standard event logs.
:: Collect all .etl files from standard locations robocopy C:\Windows\System32\WDI C:\Evidence\ETW\WDI /S /COPYALL *.etl robocopy C:\Windows\System32\LogFiles\WMI C:\Evidence\ETW\WMI /S /COPYALL *.etl :: Using KAPE kape.exe --tsource C: --tdest C:\Evidence --target WMITraceFiles
Retention & Persistence
| ETW Component | Retention | Notes |
|---|---|---|
| Real-time sessions | None (in-memory only) | Events are consumed and discarded unless a file-based consumer persists them |
| File-based sessions | Size-limited; depends on configuration | Circular or sequential mode; circular overwrites oldest events when buffer is full |
| AutoLogger .etl files | Boot-to-boot or configurable | May accumulate across reboots or reset on each boot depending on session config |
| WDI diagnostic traces | Hours to days | Circular buffers; overwritten based on system activity and configured buffer size |
Anti-Forensics & ETW Tampering
ETW is a known target for sophisticated adversaries. Techniques to blind ETW include:
| Technique | Method | Detection |
|---|---|---|
| ETW patching | Patch ntdll!EtwEventWrite to return immediately (NOP the function) | Kernel integrity checks; compare ntdll in-memory vs on-disk hash; detectable via Sysmon EID 25 |
| Provider disabling | Use logman update to disable providers on a session | Check session configuration with logman query -ets; compare against expected baseline |
| Session stop | logman stop <session> -ets | ETW session stop events in the kernel; gaps in .etl traces indicate tampering |
| Kernel callback removal | Remove ETW registration callbacks from kernel memory | Requires kernel-mode access; leaves no ETW event (by definition); kernel integrity monitoring may detect |
If an adversary patches ntdll!EtwEventWrite to disable ETW in a process, the patched bytes are detectable by comparing the in-memory copy of ntdll against the on-disk copy. Any difference in the .text section of ntdll.dll within a process is a strong indicator of ETW tampering — and by extension, a strong indicator that the process is malicious. This check can be performed with tools like pe-sieve or Moneta.
MITRE ATT&CK Detection Mapping
| Technique | Name | ETW Provider |
|---|---|---|
T1055 T1055 | Process Injection | Threat-Intelligence: cross-process memory allocation and write operations |
T1071 T1071 | Application Layer Protocol | DNS-Client: per-process DNS queries; Kernel-Network: TCP/UDP connections |
T1620 T1620 | Reflective Code Loading | DotNETRuntime: assembly load from byte array; Threat-Intelligence: image load events |
T1562.006 T1562.006 | Impair Defenses: Indicator Blocking | ETW patching detection via ntdll integrity comparison |
Related Artifacts & Cross-References
| Artifact | Relationship | Cross-Correlation |
|---|---|---|
| EVTX Event Logs | EVTX files are the output of an ETW consumer (Event Log service) | ETW is the source; EVTX is the persisted subset. ETW traces contain events that EVTX does not. |
| Sysmon | Sysmon is an ETW provider and consumer | Sysmon hooks kernel callbacks and emits ETW events consumed by the Event Log service |
| PowerShell Logs | ScriptBlock logging uses the PowerShell ETW provider | Direct ETW consumption captures PowerShell events even if log size is exhausted |
| Windows Defender | Defender consumes the Threat-Intelligence ETW provider | Defender detection events correlate with Threat-Intelligence ETW events |
References
- Microsoft, “Event Tracing for Windows (ETW)” — https://learn.microsoft.com
- FiEye/Mandiant, “SilkETW — Security-focused ETW Consumer” — https://github.com/mandiant/SilkETW
- Pavel Yosifovich, “ETWExplorer” — https://github.com/zodiacon/EtwExplorer
- Matt Graeber, “Subverting Sysmon” — https://specterops.io/blog/
- Adam Chester, “Silencing ETW Providers” — https://blog.xpnsec.com
- Microsoft, “KrabsETW” — https://github.com/microsoft/krabsetw
- Microsoft, “TraceEvent Library” — https://github.com/microsoft/perfview
Mjolnir Security — Digital Forensics & Incident Response
Mjolnir Security provides 24/7 incident response, digital forensics, and expert witness testimony. Our DFIR team specializes in ETW trace analysis, kernel-level forensics, and advanced threat detection beyond standard event logs.
mjolnirsecurity.com — 24/7: +1 833 403 5875