".NET Common Language Runtime" events not captured

[jdu2600]

I've recently discovered that {e13c0d23-ccbc-4e12-931b-d9cc2eee27e4} is a very interesting provider.

In .NET 4.8 it is a modern manifest provider called 'Microsoft-Windows-DotNETRuntime' In .NET 3.5 it is a legacy MOF provider called '.NET Common Language Runtime'

Currently krabs receives, but does not correctly forward, the events generated by the MOF provider. I can workaround the forwarding - but krabs still does not seem to correctly parse the event. Note - I haven't investigated yet whether krabs doesn't support all MOF providers - or just this special cae.

Microsoft's TraceEvent library correctly filters and parses events from both sources - and could be an exemplar to determine any necessary steps. e.g. SilkETW.exe -t user -pn Microsoft-Windows-DotNETRuntime -uk 0x8 -ot file -p C:\\Some\\Path\\out.json will collect loader events from both .NET runtimes.

[jdu2600]

Looks like krabs didn't support all MOF providers at all.

Microsoft's TDH documentation nicely describes how to handle both cases.

[swannman]

Resolved by #145 published to NuGet as 4.1.16.

[ghost]

I also was hit by this issue. The events do get forwarded now but they hit "Could not find the schema" exception. I suppose it is related to "Looks like krabs didn't support all MOF providers at all.".

What would it take to support MOF providers?

[ghost]

To clarify, I'm running Windows 7, which has .NET 2.0 as part of the OS and hence the '.NET Common Language Runtime' provider. The exception is thrown in the even callback when I do krabs::schema schema { record, traceContext.schema_locator };.

[jdu2600]

Hmm. I didn't test on Windows 7. To add the MOF provider support I actually had to retrieve the schema in order to determine which provider to forward the event to...so the schema should definitely be available...

Which version of krabs are you using?

[ghost]

The krabs version I'm using is 4.1.16.

Something doesn't quite add up.

logman output would indicate that the MOF provider is present:

Provider                                 GUID
-------------------------------------------------------------------------------
.NET Common Language Runtime             {E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}

But the record.EventHeader.ProviderId has the provider GUID ({E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}) in it, which, based on code comments, would suggest a manifest provider.

Calling krabs::schema schema { record, traceContext.schema_locator }; will throw "Could not find the schema" -exception.

I'm wondering whether there is some conflict because of several .NET versions installed (2.0, 3.0, 3.5, 4.0)? And is there any way to deal with this situation?

[jdu2600]

.NET 4 will be producing manifest events for that provider guid also. Could that runtime be the source of the erroring events? Or are you certain that the events are coming from .NET 2/3/3.5?

And are you receiving the error for all event ids? Or just some?

I have encountered situations where Windows emits events that are not in registered manifest - which results in schema errors like you've encountered. Though you could manually parse the UserData if the event is essential. Unfortunately there is nothing further that krabs can do in these cases - other than hope that the manifest is updated in the next patch.

[ghost]

So I ran some more tests and found out that indeed when producing events from .NET 2/3.5 on Windows 7 it works fine. Only .NET 4 produces schema not found error.

[jdu2600]

Can you update to .NET 4.8?

[ghost]

.NET 4.8 doesn't make a difference.