Closed eclazi closed 2 months ago
This is possible and unavoidable due to the way kernel tracing works on Windows. Basically, any privileged process can stop the tracing session started by another program (and it's *the* tracing session, not *a* tracing session).
It’s crazy, but the ramifications of all this are crazier still. If you think about what it means to have only one possible trace that is connected to the kernel logger, you realize quickly that there are security issues at play. If some other process had called StartTrace(), and they were the ones that were using the kernel logger, how does the system know that it’s OK for our process to come in and stop that trace so we can start it back up again with our settings?
The answer, hilariously, is that it doesn’t! In fact, it’s a complete free-for-all — may the best process win! Whoever calls StartTrace() last, well, that’s who gets to configure the trace.
Thanks!
With my application, after about 1.5s, the ETW callbacks stop firing, so sampling stops working.
Breakpoint in EventRecordCallback stops getting hit.
This is on Windows 11
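An added watchdog (not code from this thread or the project) that makes the failure mode above observable from the outside: it polls the single "NT Kernel Logger" session with logman and reports when it disappears or comes back with different settings. It assumes an elevated PowerShell on Windows with logman.exe on the PATH.

```powershell
# Added example, not code from this issue thread. Assumes an elevated PowerShell
# session on Windows with logman.exe on the PATH. "NT Kernel Logger" is the fixed
# name of the kernel session, which is why there can only ever be one of it.
$SessionName = 'NT Kernel Logger'
$PollMs      = 250                      # well under the ~1.5 s gap reported above
$Deadline    = (Get-Date).AddMinutes(5)

function Get-KernelLoggerState {
    # logman exits non-zero when no session by that name is running; otherwise it
    # prints the session's properties (status, buffer settings, enabled kernel flags).
    $out = & logman.exe query $SessionName -ets 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { return $null }
    return $out.Trim()
}

$baseline = Get-KernelLoggerState
if (-not $baseline) {
    Write-Host "[$(Get-Date -Format o)] '$SessionName' is not running; start the sampler first."
    exit 1
}
Write-Host "[$(Get-Date -Format o)] watching '$SessionName'"

while ((Get-Date) -lt $Deadline) {
    Start-Sleep -Milliseconds $PollMs
    $now = Get-KernelLoggerState
    if ($null -eq $now) {
        # The symptom in the report: some other privileged process stopped the one
        # kernel session, so the consumer's callbacks simply go silent.
        Write-Host "[$(Get-Date -Format o)] '$SessionName' has STOPPED"
        break
    }
    if ($now -ne $baseline) {
        # Still running, but with different properties: another process restarted
        # it with its own settings ("whoever calls StartTrace() last wins").
        Write-Host "[$(Get-Date -Format o)] '$SessionName' was RECONFIGURED:"
        Compare-Object ($baseline -split "`n") ($now -split "`n") |
            ForEach-Object { "  $($_.SideIndicator) $($_.InputObject)" }
        $baseline = $now
    }
}
```

Run it in a second window while the sampler is active; a STOPPED or RECONFIGURED line within a second or two of the callbacks dying points at another session owner rather than at the consumer code.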