Open kujo2019 opened 5 years ago
@kujo2019 this could be an issue with the ETW provider itself. Could you troubleshoot further by using another ETW collection tool, such as Microsoft Message Analyzer and report back if that works?
I tried to run test_etw.py and got errors. The errors look like this:
..Failed to get data field data for Flags, incrementing by reported size
Unable to parse event: invalid literal for int() with base 10: 'PackageId '
Unable to parse event: invalid literal for int() with base 10: 'PackageId '
Unable to parse event: invalid literal for int() with base 10: 'PackageId '
Unable to parse event: invalid literal for int() with base 10: 'PackageId '
Unable to parse event: invalid literal for int() with base 10: 'PackageId '
Failed to get data field data for Flags, incrementing by reported size
Failed to get data field data for Flags, incrementing by reported size
Unable to parse event: invalid literal for int() with base 10: 'PackageId '
D:\anaconda3\Lib\site-packages\etw\etw.py:383: DeprecationWarning: isSet() is deprecated, use is_set() instead
if end_capture.isSet():
..Failed to get data field data for Flags, incrementing by reported size
....Unable to parse event: [WinError 1168] Element not found.
No more user data left, returning none for field UpperFilters
No more user data left, returning none for field LowerFilters
No more user data left, returning none for field UpperFilters
May I know why this happens and how we can fix it?
On a Win10 x64 box, in an Admin cmd window I am running the python script from the article https://www.countercept.com/blog/detecting-malicious-use-of-net-part-1/ (https://gist.github.com/countercept/7765ba05ad00255bcf6a4a26d7647f6e). I am running it with the --high-risk-only flag. It gets a lot of "Failed to get data field for AssemblyFlags, incrementing by reported size" error messages.
What would cause this? Is this normal or a bug? How can I fix it or suppress these messages?
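Both posts above ask how to suppress the repeating "Failed to get data field ..." and "Unable to parse event: ..." lines. The lines are emitted through Python's logging module as recoverable per-field/per-event parse warnings, so they can be filtered without touching the library. The following is an added example, not code from the pywintrace project or from either poster. It assumes the package logs via logging.getLogger(__name__), so that its records are children of the 'etw' logger; the logger names, the message prefixes (copied from the output in this thread) and the sample lines are constructed for the demo.

```python
import io
import logging
import warnings
from collections import Counter

# Message prefixes taken from the output posted in this issue. Each one is a
# recoverable, per-field or per-event parse failure inside the etw package;
# dropping the repeats loses no event that was actually parsed. The shorter
# "Failed to get data field" prefix covers both the "... data for Flags" and
# the "... for AssemblyFlags" variants seen in the thread.
NOISY_PREFIXES = (
    "Failed to get data field",
    "Unable to parse event:",
    "No more user data left, returning none for field",
)


class EtwParseNoiseFilter(logging.Filter):
    """Suppress the repetitive parse warnings but keep a tally of each kind."""

    def __init__(self):
        super().__init__()
        self.dropped = Counter()

    def filter(self, record):
        msg = record.getMessage()
        for prefix in NOISY_PREFIXES:
            if msg.startswith(prefix):
                self.dropped[prefix] += 1
                return False          # record is discarded
        return True                   # anything else passes through


def install_filter(logger_name="etw", stream=None):
    """Attach a filtered handler to the package logger.

    Assumption (not verified against the library source): pywintrace logs via
    logging.getLogger(__name__), so its records are children of the 'etw'
    logger and propagate to handlers attached to it. Propagation is switched
    off so the unfiltered root / last-resort handler does not print the same
    record a second time.
    """
    flt = EtwParseNoiseFilter()
    handler = logging.StreamHandler(stream)   # stream=None -> sys.stderr
    handler.setFormatter(logging.Formatter("%(message)s"))
    handler.addFilter(flt)
    logger = logging.getLogger(logger_name)
    logger.addHandler(handler)
    logger.propagate = False
    # Also silence the isSet() DeprecationWarning raised from etw/etw.py.
    warnings.filterwarnings("ignore", category=DeprecationWarning, module="etw")
    return flt


def replay(messages, logger_name="etw", child_name="etw.etw"):
    """Replay constructed log lines through a child logger and return
    (tally of dropped lines, lines that reached the handler)."""
    out = io.StringIO()
    flt = install_filter(logger_name, stream=out)
    child = logging.getLogger(child_name)
    for msg in messages:
        child.warning(msg)
    return flt.dropped, out.getvalue().splitlines()


# Constructed sample: five lines copied from the output in this issue plus one
# placeholder message that must survive the filter.
SAMPLE_LINES = [
    "Failed to get data field data for Flags, incrementing by reported size",
    "Unable to parse event: invalid literal for int() with base 10: 'PackageId '",
    "Unable to parse event: [WinError 1168] Element not found.",
    "No more user data left, returning none for field UpperFilters",
    "Failed to get data field for AssemblyFlags, incrementing by reported size",
    "provider enabled",   # constructed placeholder for a message worth keeping
]

if __name__ == "__main__":
    dropped, kept = replay(SAMPLE_LINES)
    print("kept:", kept)
    print("dropped:", dict(dropped))
```

In a real capture, call install_filter() once before constructing the ETW session so the handler is in place when the first event is parsed; the returned filter's dropped counter tells you afterwards how many fields or events were skipped, which is the number to watch rather than the noise itself. The filter only hides the messages; whether the skipped fields matter depends on the provider's event template, which the maintainer's suggestion to cross-check with another ETW consumer is meant to establish.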