COMPlus_ETWEnabled

There is nice trick to hide that your .NET assemblies does not have ETW logging
Lets see if we can detect this not from environment vars
ETW logging inited in mscorwks.dll!CEtwTracer::Register:


 lea     rcx, aEtwenabled               ; "ETWEnabled"
 mov     [rsp+168h+var_148], 0
 lea     r9d, [rdx+1]
 lea     r8d, [rdx+7]
 call    ?GetConfigDWORD@EEConfig@@SAKPEBGKKHW4ConfigSearch@1@@Z
 test    eax, eax
 jz      loc_6427F59447D ; skip
loc_6427F5943B8:
 lea     rcx, aAdvapi32_dll_3           ; "advapi32.dll"
 call    cs:__imp_GetModuleHandleW
 test    rax, rax
 mov     cs:?m_hModule@CEtwTracer@@0PEAUHINSTANCE__@@EA, rax ; HINSTANCE__ * CEtwTracer::m_hModule
 jz      loc_6427F594473
 lea     rdx, aRegistertraceg           ; "RegisterTraceGuidsW"
 mov     rcx, rax                       ; hModule
 call    cs:__imp_GetProcAddress
 mov     rcx, cs:?m_hModule@CEtwTracer@@0PEAUHINSTANCE__@@EA ; hModule
 lea     rdx, aUnregistertrac           ; "UnregisterTraceGuids"
 mov     cs:?g_pufnRegisterTraceGuids@@3P6AKP6AKW4WMIDPREQUESTCODE@@PEAXPEAK1@Z1PEBU_GUID@@KPEAU_TRACE_GUID_REGISTRATION@@PEBG6PEA_K@ZEA, rax ; ulong (*g_pufnRegisterTraceGuids)(ulong (*)(WMIDPREQUESTCODE,void *,ulong *,void *),void *,_GUID const *,ulong,_TRACE_GUID_REGISTRATION *,ushort const *,ushort const *,unsigned __int64 *)
 call    cs:__imp_GetProcAddress
 mov     rcx, cs:?m_hModule@CEtwTracer@@0PEAUHINSTANCE__@@EA ; hModule
 lea     rdx, aGettracelogger           ; "GetTraceLoggerHandle"
 mov     cs:?g_pufnUnregisterTraceGuids@@3P6AK_K@ZEA, rax ; ulong (*g_pufnUnregisterTraceGuids)(unsigned __int64)
 call    cs:__imp_GetProcAddress
 mov     rcx, cs:?m_hModule@CEtwTracer@@0PEAUHINSTANCE__@@EA ; hModule
 lea     rdx, aGettraceenable           ; "GetTraceEnableLevel"
 mov     cs:?g_pufnGetTraceLoggerHandle@@3P6A_KPEAX@ZEA, rax ; unsigned __int64 (*g_pufnGetTraceLoggerHandle)(void *)
 call    cs:__imp_GetProcAddress
 mov     rcx, cs:?m_hModule@CEtwTracer@@0PEAUHINSTANCE__@@EA ; hModule
 lea     rdx, aGettraceenab_1           ; "GetTraceEnableFlags"
 mov     cs:?g_pufnGetTraceEnableLevel@@3P6AE_K@ZEA, rax ; uchar (*g_pufnGetTraceEnableLevel)(unsigned __int64)
 call    cs:__imp_GetProcAddress
 mov     rcx, cs:?m_hModule@CEtwTracer@@0PEAUHINSTANCE__@@EA ; hModule
 lea     rdx, aTraceevent               ; "TraceEvent"
 mov     cs:?g_pufnGetTraceEnableFlags@@3P6AK_K@ZEA, rax ; ulong (*g_pufnGetTraceEnableFlags)(unsigned __int64)
 call    cs:__imp_GetProcAddress
 mov     cs:?g_pufnTraceEvent@@3P6AK_KPEAU_EVENT_TRACE_HEADER@@@ZEA, rax ; ulong (*g_pufnTraceEvent)(unsigned __int64,_EVENT_TRACE_HEADER *)

as you can see if ETW logging was disables all related ETW pfns will not be inited. So it`s enough to check in debugger values of

• g_pufnUnregisterTraceGuids
• g_pufnGetTraceEnableLevel
• g_pufnTraceEvent
• g_pufnGetTraceEnableFlags
• g_pufnGetTraceLoggerHandle
• g_pufnRegisterTraceGuids

If they contains NULL or some trash not from advapi32.dll - logging does not work