We currently install manifest items in the INF using AddReg directives, as shown below:
HKLM,%EventLogProviderKey%,,%FLG_ADDREG_TYPE_SZ%,"DPTF"
HKLM,%EventLogProviderKey%,"ResourceFileName",%REG_EXPAND_SZ%,"%%SystemRoot%%\system32\xyz.dll"
HKLM,%EventLogProviderKey%,"MessageFileName",%REG_EXPAND_SZ%,"%%SystemRoot%%\system32\xyz.dll"
HKLM,%EventLogProviderKey%,"Enabled",%FLG_ADDREG_TYPE_DWORD%,1
HKLM,%EventLogProviderKey%"\ChannelReferences","Count",%FLG_ADDREG_TYPE_DWORD%,1
HKLM,%EventLogProviderKey%"\ChannelReferences\0",,%FLG_ADDREG_TYPE_SZ%,"Application"
HKLM,%EventLogProviderKey%"\ChannelReferences\0","Flags",%FLG_ADDREG_TYPE_DWORD%,1
HKLM,%EventLogProviderKey%"\ChannelReferences\0","Id",%FLG_ADDREG_TYPE_DWORD%,9
HKLM,%EventLogChannelKey%,"Enabled",%FLG_ADDREG_TYPE_DWORD%,1
HKLM,%EventLogChannelKey%,"EnableLevel",%FLG_ADDREG_TYPE_DWORD%,0
HKLM,%EventLogChannelKey%,"EnableProperty",%FLG_ADDREG_TYPE_DWORD%,1
HKLM,%EventLogChannelKey%,"LoggerName",%REG_EXPAND_SZ%,"EventLog-Application"
HKLM,%EventLogChannelKey%,"MatchAnyKeyword",%FLG_ADDREG_TYPE_QWORD%,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80
HKLM,%EventLogChannelKey%,"MatchAllKeyword",%FLG_ADDREG_TYPE_QWORD%,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
But in “universal” INFs, it says we can only use HKR relative paths in the registry. We cannot use wevtutil.exe within an INF, and they also don’t want co-installers.
So, how exactly are we supposed to install manifests for ETW-based event logging or just ETW events as a standard provider? I see no documentation on this at all.