ETW tracing event for mutex creation

Is it possible to obtain an ETW tracing event on mutex creation? Which provider is this?

The current version of the kernel does not have an ETW event when a mutex is created (KeInitializeMutex, I presume).

However! The current version of the kernel does support DTrace. So if you set that up, you can hook the function call and get a log & callstack of every time it’s called.

(Note that there are several exported routines to initialize a mutex: KeInitializeMutex, KeInitializeMutant, KeInitializeMutantEx. If you poke around in a disassembler a bit, you’ll see that they all jmp to KiInitializeMutant, on current versions of the kernel. So hooking the latter will give you more coverage. This also helps with cases where the kernel internally allocates a mutex: it doesn’t always go through the exported entrypoint, since the compiler can inline the jmp to the worker function.)
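A DTrace script for the approach described in the answer above, added here as an example and not part of the original posts. It logs each call to the worker routine with the calling process and kernel call stack, then summarizes by process and by stack on exit. It assumes DTrace on Windows is installed and enabled, that a symbol path is configured so the `fbt` provider can resolve the non-exported `KiInitializeMutant`, and that the probe exists on the build in use; the file name `mutant.d` is hypothetical.

```dtrace
/*
 * mutant.d (hypothetical file name): added example, not from the thread.
 *
 * Assumptions:
 *   - DTrace on Windows is installed and enabled, run from an elevated prompt.
 *   - _NT_SYMBOL_PATH is set so fbt can resolve non-exported kernel symbols.
 *   - The probe exists on this build; confirm first with:
 *         dtrace -ln "fbt:nt:KiInitializeMutant:entry"
 *
 * Run with:  dtrace -s mutant.d      (Ctrl+C to stop and print the summary)
 */

#pragma D option quiet

/* Fires on entry to the common worker that the exported
 * KeInitializeMutex / KeInitializeMutant / KeInitializeMutantEx jump to. */
fbt:nt:KiInitializeMutant:entry
{
    /* Per-call log line: which process and thread context made the call. */
    printf("KiInitializeMutant  %s  pid=%d  tid=%d\n", execname, pid, tid);

    /* Kernel call stack at the time of the call. */
    stack();

    /* Aggregations for the exit summary. */
    @by_proc[execname] = count();
    @by_stack[stack()] = count();
}

dtrace:::END
{
    printf("\n== calls per process ==\n");
    printa("%-32s %@d\n", @by_proc);

    printf("\n== calls per unique kernel stack ==\n");
    printa(@by_stack);
}
```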