microsoft / krabsetw

KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.

How to log "clear log event (1102)" #159

Closed zeze-zeze closed 3 years ago

zeze-zeze commented 3 years ago

Tested on Windows 10 19042 and Windows Server 2012. I want to use ETW to log the clear log event (1102), but it doesn't work.

The target provider is Microsoft-Windows-Eventlog, corresponding to GUID {FC65DDD8-D6EF-4962-83D5-6E5CFE9CE148}, and here is my source code:

#include <windows.h>
#include <iostream>
#include <krabs.hpp>

// Minimal declaration so the member definition below compiles stand-alone.
struct user_trace { void start(); };

void user_trace::start()
{
    krabs::user_trace trace;
    // Microsoft-Windows-Eventlog provider, by GUID.
    krabs::provider<> provider(krabs::guid(L"{FC65DDD8-D6EF-4962-83D5-6E5CFE9CE148}"));
    // Match any event whose keyword mask overlaps these bits.
    provider.any(0xf8200000001e0000);
    provider.add_on_event_callback([](const EVENT_RECORD &record, const krabs::trace_context &trace_context) {
        krabs::schema schema(record, trace_context.schema_locator);
        std::wcout << L"Event " << schema.event_id();
        std::wcout << L"(" << schema.event_name() << L") received." << std::endl;
    });
    trace.enable(provider);
    trace.start(); // blocks on this thread until trace.stop() is called
}

It is expected to print an event id and an event name whenever it gets a log. So far, it can log the event ids 100, 201, 202, 203, 204 and 205, but not my target, 1102.

The ways I used to clear the logs are Event Viewer and the command line with wevtutil.

Event Viewer: (screenshot of the "Clear Log" action, not reproduced here)

Command line: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

I have also tried to use logman to log the event from the provider Microsoft-Windows-Eventlog, but it can't log 1102 either.

Any advice would be appreciated!

zeze-zeze commented 3 years ago

After reversing wevtsvc.dll, I found that it doesn't call any ETW function when the clear log event is triggered. It just tries to create and write a record to C:\Windows\System32\winevt\Logs\Security.evtx, so that is why we cannot log the 1102 event when using logman or krabsetw.

In fact, we can see in IDA that there are ETW functions like EventWrite and EventWriteTransfer in the Channel::ClearChannelLog function. However, when I used x64dbg to attach to the process, execution never reached the addresses of the ETW functions.
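Since the finding above is that 1102 is written directly into Security.evtx and never emitted through the Microsoft-Windows-Eventlog ETW provider, the defender's alternative is to subscribe to the Security channel itself with the Windows Event Log API. The following PowerShell script is an added example, not code from this issue or from krabsetw; it assumes the account running it can read the Security log (Administrators or Event Log Readers) and that, as in the standard 1102 schema, the clearing account sits under UserData/LogFileCleared in the record XML.

```powershell
# Added example: watch the Security channel for event 1102 ("The audit log was cleared")
# through the Event Log API instead of the ETW provider, which does not emit it.
# Assumption: the session can read the Security log (Administrators / Event Log Readers).

# XPath filter so the watcher only delivers the log-cleared record.
$xpath = "*[System[EventID=1102]]"
$query = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogQuery `
    -ArgumentList 'Security', ([System.Diagnostics.Eventing.Reader.PathType]::LogName), $xpath
$watcher = New-Object -TypeName System.Diagnostics.Eventing.Reader.EventLogWatcher `
    -ArgumentList $query

# Runs each time a matching record is written to the channel.
$onCleared = {
    $rec = $Event.SourceEventArgs.EventRecord
    if ($null -eq $rec) { return }   # delivery error: EventException is set instead
    [xml]$x = $rec.ToXml()
    # Assumed 1102 layout: UserData/LogFileCleared holds the subject that cleared the log.
    $who = $x.Event.UserData.LogFileCleared
    $fields = @($rec.TimeCreated, $rec.MachineName,
                $who.SubjectDomainName, $who.SubjectUserName, $who.SubjectLogonId)
    $line = '{0:o} {1} Security log cleared by {2}\{3} (logon id {4})' -f $fields
    Write-Host $line
    # Persist the alert off the channel that was just wiped (forward to a SIEM in practice).
    Add-Content -Path (Join-Path $env:ProgramData 'cleared-log-alerts.txt') -Value $line
}

$sub = Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten -Action $onCleared
$watcher.Enabled = $true
Write-Host 'Watching the Security channel for event 1102; press Ctrl+C to stop.'
try {
    # Keep the engine idle so queued event actions get dispatched.
    while ($true) { Start-Sleep -Seconds 1 }
}
finally {
    $watcher.Enabled = $false
    Unregister-Event -SubscriptionId $sub.Id
    $watcher.Dispose()
}
```

Clearing the Security log from Event Viewer or with wevtutil cl Security while this runs produces one alert line per clear; the same EventLogQuery/EventLogWatcher pair works for any channel whose events are written directly by the Event Log service rather than through an ETW provider.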