microsoft / krabsetw

KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.

what is object_manager_provider? #248

Closed Kwansy98 closed 3 weeks ago

Kwansy98 commented 3 weeks ago

Hello, can anyone explain the statement `record.EventHeader.EventDescriptor.Opcode == 33` in the `kernel_trace_002::start()` function? What does the number 33 mean? And why is there an `ObjectName` property in it? I can't find the provider `89497f50-effe-4440-8cf2-ce6b1cdcaca7` using ETW Explorer or `logman query providers`. Thanks!

https://github.com/microsoft/krabsetw/blob/4b1456c39a6f4e8e934d3952dc37bfa6564a62fa/examples/NativeExamples/kernel_trace_002.cpp#L23

swannman commented 3 weeks ago

Hi @Kwansy98, we aren't able to assist with individual ETW providers. I do see a public reference here that may be relevant: https://gist.github.com/jdu2600/a2b03e4e9cf19282a41ad766388c9856#file-windowskerneltrace-mof-L157

Kwansy98 commented 3 weeks ago

> Hi @Kwansy98, we aren't able to assist with individual ETW providers. I do see a public reference here that may be relevant: https://gist.github.com/jdu2600/a2b03e4e9cf19282a41ad766388c9856#file-windowskerneltrace-mof-L157

Thanks for the guidance
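Added example, not krabsetw code and not from either participant: the gist swannman links is a MOF description of the kernel trace classes, and in that format the provider GUID sits on a base class while the opcodes (`EventType{...}`), their names (`EventTypeName{...}`) and the payload layout (`WmiDataId(n)` properties) sit on derived classes. That split is why grepping for the GUID alone does not land on an opcode table. The script below parses that structure and answers "what is opcode N for GUID G, and which properties does it carry" by walking the class inheritance chain. The embedded MOF text is constructed in the same shape as the gist; only the GUID is the one from the issue, and the class names, event names and fields are placeholders rather than the real kernel trace schema.

```python
"""Resolve a classic (MOF-described) ETW event by provider GUID and opcode.

Added example; not part of krabsetw. Classic kernel-trace providers are
described by MOF classes, not by a registered manifest, so the lookup here
mirrors what a reader of the MOF does by hand.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample shaped like the kernel-trace MOF in the linked gist.
# Only the GUID is taken from the issue; class names, event names and
# payload fields are placeholders, not the real kernel trace schema.
SAMPLE_MOF = r'''
[Dynamic, Description("Sample trace"), Guid("{89497f50-effe-4440-8cf2-ce6b1cdcaca7}"), EventVersion(2)]
class SampleTrace_V2 : MSNT_SystemTrace
{
};

[Dynamic, Description("Handle event"), EventType{32, 33, 34}, EventTypeName{"SampleCreateHandle", "SampleCloseHandle", "SampleDuplicateHandle"}]
class SampleTrace_V2_Handle : SampleTrace_V2
{
    [WmiDataId(1), Description("Object"), pointer] uint32 Object;
    [WmiDataId(2), Description("Handle"), format("x")] uint32 Handle;
    [WmiDataId(3), Description("ObjectType"), format("x")] uint16 ObjectType;
    [WmiDataId(4), Description("ObjectName"), StringTermination("NullTerminated"), format("w")] string ObjectName;
};

[Dynamic, Description("Object event"), EventType{48, 49}, EventTypeName{"SampleCreateObject", "SampleDeleteObject"}]
class SampleTrace_V2_Object : SampleTrace_V2
{
    [WmiDataId(1), Description("Object"), pointer] uint32 Object;
    [WmiDataId(2), Description("ObjectType"), format("x")] uint16 ObjectType;
};
'''

# A class: its qualifier block in [...] then "class Name : Parent { body };"
CLASS_RE = re.compile(
    r'\[(?P<quals>[^\]]*)\]\s*class\s+(?P<name>\w+)\s*'
    r'(?::\s*(?P<parent>\w+))?\s*\{(?P<body>.*?)\};',
    re.S,
)
# A payload property inside a class body: "[WmiDataId(n), ...] type Name;"
PROP_RE = re.compile(r'\[(?P<q>[^\]]*)\]\s*(?P<type>\w+)\s+(?P<pname>\w+)\s*;')


@dataclass
class MofClass:
    name: str
    parent: Optional[str]
    guid: Optional[str]                 # set only on the base class
    event_types: Dict[int, str]         # opcode -> EventTypeName
    properties: List[Tuple[int, str, str]]  # (WmiDataId, type, name), in order


def _qual_list(quals: str, name: str) -> List[str]:
    """Read a brace-list qualifier such as EventType{32, 33} or EventTypeName{"a", "b"}."""
    m = re.search(re.escape(name) + r'\{([^}]*)\}', quals)
    if not m:
        return []
    return [item.strip().strip('"') for item in m.group(1).split(',')]


def _qual_guid(quals: str) -> Optional[str]:
    m = re.search(r'Guid\("\{?([0-9A-Fa-f-]+)\}?"\)', quals)
    return m.group(1).lower() if m else None


def parse_mof(text: str) -> Dict[str, MofClass]:
    classes: Dict[str, MofClass] = {}
    for m in CLASS_RE.finditer(text):
        quals = m.group('quals')
        opcodes = [int(t) for t in _qual_list(quals, 'EventType')]
        names = _qual_list(quals, 'EventTypeName')
        props = []
        for p in PROP_RE.finditer(m.group('body')):
            wid = re.search(r'WmiDataId\((\d+)\)', p.group('q'))
            props.append((int(wid.group(1)) if wid else 0, p.group('type'), p.group('pname')))
        props.sort()
        classes[m.group('name')] = MofClass(
            m.group('name'), m.group('parent'), _qual_guid(quals),
            dict(zip(opcodes, names)), props)
    return classes


def provider_guid(classes: Dict[str, MofClass], cls: MofClass) -> Optional[str]:
    """Walk up the parent chain until a class carries a Guid qualifier."""
    cur: Optional[MofClass] = cls
    while cur is not None:
        if cur.guid:
            return cur.guid
        cur = classes.get(cur.parent) if cur.parent else None
    return None


def resolve(classes: Dict[str, MofClass], guid: str, opcode: int):
    """Return (class name, event name, payload field names) or None if unknown."""
    want = guid.strip('{}').lower()
    for cls in classes.values():
        if opcode in cls.event_types and provider_guid(classes, cls) == want:
            return cls.name, cls.event_types[opcode], [name for _, _, name in cls.properties]
    return None


if __name__ == '__main__':
    classes = parse_mof(SAMPLE_MOF)
    print(resolve(classes, '89497f50-effe-4440-8cf2-ce6b1cdcaca7', 33))
```

To use it against the real schema, replace `SAMPLE_MOF` with the text of the linked gist; the class, event and property names printed are then whatever the MOF says, and the property list is the set of names a `krabs::parser` can be asked for on that opcode.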