microsoft / krabsetw

KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.

Why Service Control Manager provider doesn't generate any event id? #225

Open subvert0r opened 6 months ago

subvert0r commented 6 months ago

I am trying to get events related to service creation, and so far I have tried these:

Microsoft-Windows-Services
Service Control Manager
Service Control Manager Trace

But strangely, none of the above providers produce events when a service is created or started.

Then I looked into it and figured out that Service Control Manager and Service Control Manager Trace don't generate any event id at all! At least Microsoft-Windows-Services generates some events at some point.

Question: Why, when I register with Service Control Manager and Service Control Manager Trace without any filter, do I not get any event at all, no matter how long I keep it running and do all sorts of service-related activity? When their callback is called, the event id and opcode id are just 0, and there are no properties. Their event header is basically junk.

swannman commented 6 months ago

Hi @subvert0r, we aren't able to provide general assistance with Windows ETW providers in this repo.

subvert0r commented 6 months ago

> Hi @subvert0r, we aren't able to provide general assistance with Windows ETW providers in this repo.

Understood, I edited the question title to make it less generic. My main question is:

Question: Why, when I register with Service Control Manager and Service Control Manager Trace without any filter, do I not get any event at all, no matter how long I keep it running and do all sorts of service-related activity? When their callback is called, the event id and opcode id are just 0, and there are no properties. Their event header is basically junk.
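A check worth running before building a krabsetw filter on any of the three providers named in this thread: see which of them has registered manifest metadata and which event IDs that metadata declares, since krabsetw decodes properties through TDH schema lookups that need such metadata. This is an added diagnostic written for this page, not code from the issue or from the krabsetw project; it assumes only the three provider names above and the built-in `Get-WinEvent` and `logman` tools.

```powershell
# Added diagnostic (not from the issue or krabsetw): for each provider named in
# the thread, report whether manifest metadata is registered on this machine and,
# if so, which event IDs it declares. A provider with no metadata here cannot have
# its fields decoded by TDH-based consumers, so an empty result is a useful signal.
$providers = @(
    'Microsoft-Windows-Services',
    'Service Control Manager',
    'Service Control Manager Trace'
)

foreach ($name in $providers) {
    try {
        # Throws when no publisher metadata is registered under this name.
        $meta = Get-WinEvent -ListProvider $name -ErrorAction Stop
    } catch {
        Write-Output ("{0}: no registered manifest metadata ({1})" -f $name, $_.Exception.Message)
        continue
    }

    # Distinct event IDs declared by the manifest, sorted for readability.
    $ids = @($meta.Events | Select-Object -ExpandProperty Id -Unique | Sort-Object)
    Write-Output ("{0} ({1}): {2} declared event IDs" -f $name, $meta.Id, $ids.Count)
    if ($ids.Count -gt 0) {
        Write-Output ("  IDs: " + ($ids -join ', '))
    }
}

# Cross-check against the ETW provider registration that logman sees; it also lists
# providers that are registered without manifest metadata and so produce nothing above.
foreach ($name in $providers) {
    Write-Output ("--- logman query providers '{0}' ---" -f $name)
    logman query providers $name
}
```

Run it from an elevated PowerShell prompt on the machine where the trace is collected; a provider that logman knows but `Get-WinEvent -ListProvider` rejects is one whose events krabsetw will deliver without a decodable schema.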