zodiacon / EtwExplorer

View ETW Provider manifest
MIT License
415 stars 70 forks

Feature request #7

Open BigJim opened 3 years ago

BigJim commented 3 years ago

First of all thanks for all of your kick-A tools. This one must be everyone's favorite for exploring ETW providers.

One or two additional search features would be a great addition though IMHO. The ability to search through ALL of the providers would be great. Like if you query for the level providers in EtwExplorer on Win 10 for "process" you will see "Microsoft-Windows-Kernel-Process", etc., but then you could be missing other providers that produce "process" events that you can't see. You only see the top level context, not the ETW event labels that might match by name. It would be nice to be able to optionally query through them all.

I suppose this could be a separate tool, maybe a console one. What I'm doing now is doing an iterative "logman query providers" dump via a script into a huge text file. But it would be nicer to be able to jump to a provider with all the metadata et al in a tool like yours.

Thank you,
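
As an added example that is not part of this thread or of EtwExplorer: a PowerShell function that does the cross-provider search described above, matching a term against each provider's event task names, keywords, descriptions and templates rather than only the provider name. It uses Get-WinEvent -ListProvider instead of logman (my choice, not the poster's script); that cmdlet only sees providers with a registered manifest, so it can miss providers that logman lists without metadata.

```powershell
function Find-EtwEvent {
    # Search all registered ETW providers for events whose metadata mentions $Term.
    # Added example, not from the thread. Matching is case-insensitive.
    param(
        [Parameter(Mandatory)][string]$Term,
        [switch]$ProviderNameOnly   # replicate the "top level" search for comparison
    )

    $pattern = [regex]::Escape($Term)

    # Some providers have broken or missing manifests; skip them instead of aborting.
    $providers = Get-WinEvent -ListProvider * -ErrorAction SilentlyContinue

    foreach ($p in $providers) {
        if ($ProviderNameOnly) {
            if ($p.Name -match $pattern) {
                [pscustomobject]@{ Provider = $p.Name; Guid = $p.Id }
            }
            continue
        }

        # Enumerating .Events can throw for a provider whose resource DLL is absent.
        try { $events = $p.Events } catch { continue }

        foreach ($e in $events) {
            $task     = if ($e.Task) { $e.Task.Name } else { '' }
            $keywords = ($e.Keywords | ForEach-Object { $_.Name }) -join ','
            $level    = if ($e.Level) { $e.Level.DisplayName } else { '' }

            # Everything the manifest says about the event, in one searchable string.
            $haystack = "$($p.Name) $task $keywords $($e.Description) $($e.Template)"

            if ($haystack -match $pattern) {
                [pscustomobject]@{
                    Provider = $p.Name
                    Guid     = $p.Id
                    EventId  = $e.Id
                    Version  = $e.Version
                    Level    = $level
                    Task     = $task
                    Keywords = $keywords
                }
            }
        }
    }
}

# Usage: every event across all providers whose metadata mentions "process".
Find-EtwEvent -Term 'process' | Format-Table -AutoSize
```

Comparing the output with `Find-EtwEvent -Term 'process' -ProviderNameOnly` shows the providers that emit process-related events without carrying "process" in their name, which is exactly the gap the request describes.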

zodiacon commented 3 years ago

Thank you for the suggestion. Agreed it is a good idea. I will put it on my backlog.

BigJim commented 2 years ago

Thank you, you can close this. Coming back a year later I see:

Someone made a robust provider with events, etc., dumper using your "EtwManifestParsing" no less, w/data in a single line .tsv format: https://github.com/jdu2600/Windows10EtwEvents

Also another one, also a great ETW learning resource too, w/dumps in XML format: https://github.com/nasbench/EVTX-ETW-Resources

Thanks, your tools are fantastic!

AndrewRathbun commented 2 years ago


Thanks for the shout on the second link! There are also CSVs organized by specific OS versions and Providers. It's a pretty awesome resource that I reference myself pretty often!