microsoft / krabsetw

KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.

No proper explanation for kernel_trace vs user_trace? #218

Closed subvert0r closed 7 months ago

subvert0r commented 8 months ago

I am very confused on the difference between krabs::user_trace vs krabs::kernel_trace and it's not properly explained in the docs.

I have used user_trace so far, and was able to receive events from any provider that I have tried, including those that have kernel in their name such as "Microsoft-Windows-Kernel-Process".

So what's the difference between them exactly? When should I use krabs::kernel_trace?

swannman commented 8 months ago

Good question! The "kernel trace" refers to the NT Kernel Logger Session. The EnableFlags values here show the types of data that are emitted by the kernel to this trace session.

subvert0r commented 7 months ago

> Good question! The "kernel trace" refers to events that are emitted by the Windows kernel through the NT Kernel Logger Session. The EnableFlags values here show the types of data that are emitted by this provider.

Thank you for the explanation, I get it now. But one other question though: Does this mean that every other provider is generating events from user-mode, for example in a service dll, even "Microsoft-Windows-Kernel-Process"?

Because I thought many providers generate events from kernel-mode. So does this mean the only provider that generates events from kernel mode is the NT Kernel Logger, and any other provider will generate these events in user-mode, in a user-mode process by calling APIs such as EventWrite?

swannman commented 7 months ago

The difference between user_trace and kernel_trace is only about the trace session, not the producer of the events. I updated my earlier reply to make that more clear. Thanks for asking for clarification!