microsoft / krabsetw

KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.

How to retrieve ComputerName and EventRecordId parameters #137

Closed ali63yavari closed 3 years ago

ali63yavari commented 3 years ago

I used krabsetw for monitoring WMI Activity events. Everything was OK and my callback function is fired. My program needs Computer and EventRecordId (which can be found in the System tag of all Windows events) for classifying received events, but I can't find these parameters in the EVENT_RECORD structure.

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WMI-Activity" Guid="{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}" />
    <EventID>5857</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2020-10-04T06:40:57.6663580Z" />
    <EventRecordID>8340</EventRecordID>
    <Correlation />
    <Execution ProcessID="11700" ThreadID="7860" />
    <Channel>Microsoft-Windows-WMI-Activity/Operational</Channel>
    <Computer>DESKTOP-XXXXXX</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <UserData>
    <Operation_StartedOperational xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">
      <ProviderName>CIMWin32a</ProviderName>
      <Code>0x0</Code>
      <HostProcess>wmiprvse.exe</HostProcess>
      <ProcessID>11700</ProcessID>
      <ProviderPath>%systemroot%\system32\wbem\wmipcima.dll</ProviderPath>
    </Operation_StartedOperational>
  </UserData>
</Event>

Is there any method which helps me to retrieve these parameters?

Thanks.

zacbrown commented 3 years ago

Hi @ali63yavari - unfortunately there's not a great 1:1 mapping between how these fields are represented in the Event Log and how they're actually exposed underneath. This is where ETW manifests come into play as they define the structure of the schema for a given event.

For getting the event ID, there's an example here: https://github.com/microsoft/krabsetw/blob/84b77ed85093cdffc8cc074c0b70ab90cfc1552e/examples/NativeExamples/user_trace_002.cpp#L43

There are likely similar fields for doing it with ComputerName but I don't recall what they are. Historically, Message Analyzer has been quite useful for addressing this. There's a doc written up here on how to use it: https://github.com/microsoft/krabsetw/blob/master/docs/UsingMessageAnalyzerToFindETWSources.md. It might be a bit out of date but the broad strokes should still largely be true.

jdu2600 commented 3 years ago

There are alternatives for retrieving the computer name, but if you need the full Event Log event details (especially EventRecordId) then I believe that you'll need to use the Event Log APIs instead - https://docs.microsoft.com/en-us/windows/win32/wes/subscribing-to-events

ali63yavari commented 3 years ago

> There are alternatives for retrieving the computer name, but if you need the full Event Log event details (especially EventRecordId) then I believe that you'll need to use the Event Log APIs instead - https://docs.microsoft.com/en-us/windows/win32/wes/subscribing-to-events

Hi @jdu2600, thanks for the reply. I used EvtSubscribe [Event Log APIs] before using Krabsetw, but EvtSubscribe returned ERROR_NO 50 when I tried to subscribe to the Microsoft-Windows-WMI-Activity/Trace event channel. After that I decided to use Krabsetw for subscribing to WMI Activity events and, as I mentioned in this issue, my program needs EventRecordId and ComputerName to classify events correctly, while I could not find any solution to retrieve these parameters from EVENT_RECORD.

ali63yavari commented 3 years ago

Hi @zacbrown, thanks for the reply,

> https://github.com/microsoft/krabsetw/blob/84b77ed85093cdffc8cc074c0b70ab90cfc1552e/examples/NativeExamples/user_trace_002.cpp#L43

Yes, I saw that before, but I need EventRecordId. I installed Microsoft Message Analyzer and added the Computer field from EventLog as a column, but this field was not filled by any of the WMI events which MMA listed.

jdu2600 commented 3 years ago

EventRecordId is not an ETW concept as far as I know - so you won't be able to get it with krabs.

Subscribing to Microsoft-Windows-WMI-Activity/Operational with the Event Log API worked for me. (This is the channel in your original example). Though I did receive error 15009 for Microsoft-Windows-WMI-Activity/Trace - "The events for a direct channel go directly to a log file and cannot be subscribed to."

What are you using EventRecordId for? I believe that it's just the record key for that event log? Not sure how that would help to classify an event?

ali63yavari commented 3 years ago

Dear @jdu2600, I need EventRecordId for debugging reasons, but I need ComputerName too, which is principal for my program.

> Though I did receive error 15009 for Microsoft-Windows-WMI-Activity/Trace - "The events for a direct channel go directly to a log file and cannot be subscribed to."

It is true, I face such an error when I want to subscribe to Microsoft-Windows-WMI-Activity/Trace. I found another API to use logs directly, OpenEventLog, but could not find a proper event source for the Microsoft-Windows-WMI-Activity/Trace event channel.

jdu2600 commented 3 years ago

The /Trace logfile seems to be stored here - %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-WMI-Activity%4Trace.etl.

But it's in the (ETW) etl format, not the (Event Log) evtx format. So it doesn't seem to store either the ComputerName or EventLogId. When I look at the log in Event Viewer, EventLogId seems to just be a 0-based counter for this log. ComputerName is filled - but I assume via an API call. There are some ETL->EVTX conversion tools that might fake this enough for your purposes?

But otherwise /Trace event logging doesn't seem to strictly occur, so only the /Operational WMI event logs are available?

zacbrown commented 3 years ago

Perhaps this is a naive question, but is there a reason you couldn't call GetComputerNameExW or similar in this case? If you've got code running on the machine to consume ETW traces, then this would work.

ali63yavari commented 3 years ago

Dear @zacbrown, I cannot use an API call for the computer name because there are some nodes which use event forwarding to forward events to the collector node (the node that my program is executed on).
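The thread reaches two conclusions: EventRecordId and Computer live in the Event Log record, not in the ETW EVENT_RECORD, so the Event Log API surface is the place to read them (jdu2600's suggestion), and on a collector that receives forwarded events the local computer name is the wrong answer, so the Computer element of each record must be used instead (the forwarding concern in the last comment). The following PowerShell is an added example illustrating both points; it is not code from the issue or from the krabsetw project. It assumes a Windows host with the Microsoft-Windows-WMI-Activity/Operational channel (or a WEF collector with the ForwardedEvents log), uses the built-in Get-WinEvent cmdlet and the .NET System.Diagnostics.Eventing.Reader classes, and the function names are this example's own. The embedded sample record is the one posted in the issue, so the parser can be tried without a live log.

```powershell
# Added example (not from the issue or the krabsetw project). Reads WMI-Activity
# events through the Event Log API surface, where EventRecordID and Computer
# exist, rather than through ETW, where they do not.
# Assumptions: Windows; Microsoft-Windows-WMI-Activity/Operational channel present;
# function names below are this example's own.

# Sample record copied from the issue (host name already anonymised there),
# so the parser can be exercised offline.
$SampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-WMI-Activity" Guid="{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}" />
    <EventID>5857</EventID>
    <TimeCreated SystemTime="2020-10-04T06:40:57.6663580Z" />
    <EventRecordID>8340</EventRecordID>
    <Execution ProcessID="11700" ThreadID="7860" />
    <Channel>Microsoft-Windows-WMI-Activity/Operational</Channel>
    <Computer>DESKTOP-XXXXXX</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <UserData>
    <Operation_StartedOperational xmlns="http://manifests.microsoft.com/win/2006/windows/WMI">
      <ProviderName>CIMWin32a</ProviderName>
      <HostProcess>wmiprvse.exe</HostProcess>
      <ProcessID>11700</ProcessID>
      <ProviderPath>%systemroot%\system32\wbem\wmipcima.dll</ProviderPath>
    </Operation_StartedOperational>
  </UserData>
</Event>
'@

function ConvertFrom-WmiActivityEventXml {
    # Flattens the <System> block (record id, originating computer, pid) and the
    # manifest-defined <UserData> payload into one object for classification.
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $sys = $doc.Event.System
    $row = [ordered]@{
        RecordId  = [int64]$sys.EventRecordID     # Event Log record key; no ETW equivalent
        Computer  = $sys.Computer                 # originating host, kept intact by forwarding
        EventId   = [int]$sys.EventID
        Time      = [datetime]$sys.TimeCreated.SystemTime
        ProcessId = [int]$sys.Execution.ProcessID
        UserSid   = $sys.Security.UserID
        Channel   = $sys.Channel
    }
    # UserData carries one provider-specific element whose children vary by event id.
    $payload = $doc.Event.UserData.FirstChild
    if ($payload) {
        foreach ($child in $payload.ChildNodes) { $row[$child.LocalName] = $child.InnerText }
    }
    [pscustomobject]$row
}

function Get-WmiActivityRecord {
    # Pulls recent records from a channel. On a WEF collector pass
    # -LogName ForwardedEvents so Computer is the forwarding host, not the collector.
    # Only the /Operational channel is subscribable; /Trace is a direct channel.
    param(
        [string]$LogName   = 'Microsoft-Windows-WMI-Activity/Operational',
        [int[]] $EventId   = @(5857, 5858, 5860, 5861),   # provider load, error, temp/permanent consumer
        [int]   $MaxEvents = 50
    )
    $idFilter = ($EventId | ForEach-Object { "EventID=$_" }) -join ' or '
    $xpath    = "*[System[Provider[@Name='Microsoft-Windows-WMI-Activity'] and ($idFilter)]]"
    Get-WinEvent -LogName $LogName -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object { ConvertFrom-WmiActivityEventXml -Xml $_.ToXml() }
}

function Start-WmiActivityWatcher {
    # Managed counterpart of EvtSubscribe: raises one event per record as it is written.
    # The record object already exposes RecordId and MachineName without parsing XML.
    param([string]$LogName = 'Microsoft-Windows-WMI-Activity/Operational')
    $query   = [System.Diagnostics.Eventing.Reader.EventLogQuery]::new(
                   $LogName, [System.Diagnostics.Eventing.Reader.PathType]::LogName)
    $watcher = [System.Diagnostics.Eventing.Reader.EventLogWatcher]::new($query)
    Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten -Action {
        $rec = $EventArgs.EventRecord
        if ($rec) {
            '{0:o} record={1} computer={2} eventId={3}' -f $rec.TimeCreated, $rec.RecordId,
                $rec.MachineName, $rec.Id | Out-Host
        }
    } | Out-Null
    $watcher.Enabled = $true
    $watcher    # caller sets .Enabled = $false to stop
}

# Offline check against the issue's own record: RecordId 8340, Computer DESKTOP-XXXXXX.
ConvertFrom-WmiActivityEventXml -Xml $SampleEventXml | Format-List
```

On the collector described in the last comment, `Get-WmiActivityRecord -LogName ForwardedEvents` returns each record with the Computer element of the node that generated it, which is what the classification needs; `GetComputerNameExW` on the collector would label every forwarded record with the collector's own name.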