Monday, February 14, 2011

EtwRegister

And, for example, starting with Vista a kernel-mode analogue of the EventRegister function has also appeared.

The kernel structures that represent providers and traces are very similar to the ones described for user mode. For example, there is the function EtwpRegisterProvider, which is called from EtwRegister with type 3 (and, under Windows 7, from EtwRegisterClassicProvider with type 2).
The objects are kept in a linked list whose head is EtwpGuidListHead, are synchronized by the EtwpGuidListLock lock, and are of type ETW_GUID_ENTRY.
The size of ETW_GUID_ENTRY (it can be obtained from the EtwpAllocGuidEntry function):
  • on Vista: 0x158 bytes, on 64-bit 0x170 bytes
  • on Windows 7: 0x178 bytes, on 64-bit 0x1B0 bytes

The layout of the objects in EtwpGuidListHead that is common to all Windows versions is approximately this:
struct _ETW_GUID_ENTRY
{
/* Win32 Win64 - offsets */
/*   0x0   0x0 */  LIST_ENTRY GuidList;
/*   0x8  0x10 */  ULONG      RefCount;
/*   0xC  0x14 */  GUID       Guid;
/*  0x1C  0x28 */  LIST_ENTRY RegListHead;
/*  0x24  0x38 */  PSECURITY_DESCRIPTOR SecurityDescriptor;

/* the fields below differ between Windows versions */
};

The RegListHead field points to the list of EtwRegistration objects (created with ObCreateObject in the EtwpCreateKmRegEntry function), which are of type ETW_REG_ENTRY:

struct _ETW_REG_ENTRY
{
/* Win32 Win64 - offsets */
/*   0x0   0x0 */ LIST_ENTRY List;
/*   0x8  0x10 */ ETW_GUID_ENTRY *Parent;
/*   0xC  0x18 */ WORD Index;
/*   0xE  0x1A */ WORD Flags;
/*  0x10  0x1C */ BYTE EnableMask;
/*  0x14  0x20 */ PVOID ReplySlot[4];
/*  0x24  0x40 */ PVOID Callback;
/*  0x28  0x48 */ PVOID CallbackContext;
/*  0x2C  0x50 - total size */
};
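As an added example (editor's code, not the post's), the following Python walks EtwpGuidListHead -> ETW_GUID_ENTRY -> RegListHead -> ETW_REG_ENTRY from a raw memory image using the Win32 and Win64 offsets given above, the way a memory-forensics tool enumerates kernel ETW providers without relying on logman. The image, its base address, the refcounts, flags and enable masks are constructed for the demonstration (the two GUIDs are taken from the provider list on the author's Vista machine), the entry sizes are the Vista ones, and Image, walk_providers and build_sample are names of this example, not kernel symbols.

```python
import struct
import uuid
# Field offsets per bitness, copied from the layouts in the post (Vista entry sizes).
GUID_ENTRY = {32: dict(RefCount=0x8, RegListHead=0x1C, Size=0x158),   # GUID Guid directly
              64: dict(RefCount=0x10, RegListHead=0x28, Size=0x170)}  # follows ULONG RefCount
REG_ENTRY = {32: dict(Parent=0x8, Index=0xC, Size=0x2C),    # WORD Flags and BYTE EnableMask
             64: dict(Parent=0x10, Index=0x18, Size=0x50)}  # directly follow WORD Index

class Image:  # a flat, constructed piece of kernel memory at a known virtual base
    def __init__(self, base, bits):
        self.base, self.buf, self.psize, self.pfmt = base, bytearray(), bits // 8, "Q" if bits == 64 else "I"
        self.G, self.R = GUID_ENTRY[bits], REG_ENTRY[bits]
    def read(self, va, fmt):
        return struct.unpack_from("<" + fmt, self.buf, va - self.base)
    def write(self, va, fmt, *vals):
        struct.pack_into("<" + fmt, self.buf, va - self.base, *vals)
    def ptr(self, va):  # read one native-width pointer
        return self.read(va, self.pfmt)[0]
    def alloc(self, size):  # append zeroed bytes, return their virtual address
        self.buf += bytes(size)
        return self.base + len(self.buf) - size
    def list_init(self, head):  # InitializeListHead: Flink = Blink = head
        self.write(head, self.pfmt * 2, head, head)
    def list_append(self, head, node):  # InsertTailList
        tail = self.ptr(head + self.psize)
        self.write(node, self.pfmt * 2, head, tail)
        self.write(tail, self.pfmt, node)
        self.write(head + self.psize, self.pfmt, node)

def walk_providers(img, head):
    """EtwpGuidListHead -> ETW_GUID_ENTRY -> RegListHead -> ETW_REG_ENTRY, forensics-style."""
    out, seen, entry = [], set(), img.ptr(head)
    while entry != head:
        if entry in seen:  # a corrupted or tampered list must not spin the walker forever
            raise ValueError("cycle in EtwpGuidListHead at %#x" % entry)
        seen.add(entry)
        rhead, regs, reg = entry + img.G["RegListHead"], [], img.ptr(entry + img.G["RegListHead"])
        while reg != rhead:
            index, flags, mask = img.read(reg + img.R["Index"], "HHB")  # Index, Flags, EnableMask
            regs.append(dict(addr=reg, index=index, flags=flags, enable_mask=mask,
                             parent_ok=img.ptr(reg + img.R["Parent"]) == entry))  # must point back
            reg = img.ptr(reg)  # List.Flink
        refcount, raw = img.read(entry + img.G["RefCount"], "I16s")  # ULONG RefCount, GUID Guid
        out.append(dict(addr=entry, refcount=refcount, regs=regs,
                        guid=str(uuid.UUID(bytes_le=raw)).upper()))  # upper-case hyphenated form
        entry = img.ptr(entry)  # GuidList.Flink
    return out

def build_sample(bits):
    """Constructed image: two providers (GUIDs from the author's Vista list); refcounts and masks made up."""
    img = Image(0xFFFFF80001800000 if bits == 64 else 0x82400000, bits)
    head = img.alloc(2 * img.psize)  # stands in for EtwpGuidListHead in ntoskrnl
    img.list_init(head)
    for guid, refcount, masks in [("96AB99FB-A7BF-40D3-AF9E-EBBD11A0C535", 1, []),
                                  ("A0832312-4A19-4AA1-93F4-73F99AA3A659", 3, [0x20, 0xFF])]:
        e = img.alloc(img.G["Size"])
        img.write(e + img.G["RefCount"], "I16s", refcount, uuid.UUID(guid).bytes_le)
        img.list_init(e + img.G["RegListHead"])
        img.list_append(head, e)
        for index, mask in enumerate(masks):
            r = img.alloc(img.R["Size"])
            img.write(r + img.R["Parent"], img.pfmt, e)
            img.write(r + img.R["Index"], "HHB", index, 0, mask)  # Index, Flags, EnableMask
            img.list_append(e + img.G["RegListHead"], r)
    return img, head
```

Running walk_providers(*build_sample(64)) yields the two providers with their refcounts, GUIDs and registrations; a parent_ok of False or a ValueError on a cycle is the signal that the list in the image is not what the kernel would have built.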


Approximate contents on my machine (Vista 32-bit; logman query providers, as usual, is able to show far from all of the registered sources):

9 comments:

  1. Do you have source code to get the name of the providers? That I am not sure about.

  2. just parse output of logman query providers - it's not hard

  3. Oh ... I am trying to do this via kernel code, I was expecting you were too given the references to kernel debugging and kernel structures. I didn't realize that was all you were doing there (using logman). Oh well.

  4. EtwRegister hasn't any string args, so I doubt if names of providers stored somewhere in kernel

  5. Yeah, I was thinking the same thing and thought maybe you had found a way to do it. Guess not.

    Makes me wonder where those strings are stored (the names of the providers) and how I can associate a GUID with the provider name programmatically (not using logman).

  6. quick and dirty RE of logman.exe shows that it uses IWbemLocator/IEnumWbemClassObject from WMI for querying names

  7. FYI - the name of the providers can be found at the following registry key:

    HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\publishers

    Each sub key is a provider (aka publisher) GUID and the provider name is in the Default value for each sub key.

  8. It's for Vista+. Also, not all providers are there, but I saw quite a few
