вторник, 26 марта 2019 г.

Windows 10 1809 kernel sensors

After reading this article I was curious which info Mocrosoft gather in it`s telemetry. There is some theoretical possibility to ask Microsoft via MVI but link to "apply for membership" gives 404, lol. So as usually run IDA Pro and start with KeInsertQueueApc function

We can see that code checks EtwThreatIntProvRegHandle and somewhere inside function calls etw logger function EtwTiLogInsertQueueUserApc. So lets collect other etw loggers reffered to
EtwThreatIntProvRegHandle (and EtwSecurityMitigationsRegHandle too)


  • EtwThreatIntProvRegHandle - called from KeInsertQueueApc and IopfCompleteRequest
  • EtwTiLogSetContextThread - called from PspWow64SetContextThread & PspSetContextThreadInternal
  • EtwTiLogAllocExecVm - called from MiAllocateVirtualMemory
  • EtwTiLogProtectExecVm - called from NtProtectVirtualMemory
  • EtwTiLogReadWriteVm - called from MiReadWriteVirtualMemory
  • EtwTiLogDeviceObjectLoadUnload - called from IoDeleteDevice & IoCreateDevice
  • EtwTiLogDriverObjectLoad - called from IopLoadDriver & IoCreateDriver
  • EtwTiLogMapExecView - called from NtMapViewOfSection & MiMapViewOfSectionExCommon
  • EtwTiLogSuspendResumeProcess - called from PsThawProcess, PsFreezeProcess, PsResumeProcess & PsSuspendProcess
  • EtwTiLogSuspendResumeThread - called from PsSuspendThread & PsResumeThread
etw loggers reffered to EtwSecurityMitigationsRegHandle
  • EtwpTimLogMitigationForProcess - called from MiAllowImageMap
  • EtwTimLogProhibitDynamicCode - called from MiArbitraryCodeBlocked
  • EtwTimLogProhibitWin32kSystemCalls - called from PsConvertToGuiThread
  • EtwTimLogProhibitNonMicrosoftBinaries - called from MiValidateSectionSigningPolicy
  • EtwTimLogProhibitChildProcessCreation - called from SeSubProcessToken
  • EtwTimLogProhibitLowILImageMap - called from MiAllowImageMap