ETW Consumer in kernel-mode

Hi, is there any API to create an event consumer from kernel mode? I couldn't find any counterpart of the OpenTrace API or similar.

Regards,
Mauro.

Why? I’m not trying to be snarky (well, maybe I am). I just cannot imagine a case where this would be useful. ETW events are intended for human consumption, or for automated analysis tools producing reports for human consumption. The details, the string handling, the I/O – all of that is just more difficult in the kernel.

Tim’s first general rule of Windows programming: Never do anything in the kernel that can be done just as well in user mode.


Hi @Tim_Roberts, I want to detect processes being launched with a spoofed parent, for an AV-style app. Something used more frequently in malware. One method is capturing a kernel trace. Of course I can add the code in my service and notify the driver when an event arrives, but I would like to know if a more direct approach is possible. Regards, Mauro.

Realized I can get that info in the PsSetCreateProcessNotifyRoutine callback because it is executed in the context of the process creator 😛
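The check Mauro is pointing at, as an added example that is not part of this thread: inside a PsSetCreateProcessNotifyRoutineEx callback the recorded parent (CreateInfo->ParentProcessId, what user-mode tools and ETW will later report) can be compared with the process that actually called the create API (PsGetCurrentProcessId() in the callback, or CreateInfo->CreatingThreadId.UniqueProcess). The code below models that decision as host-compilable C; the CreateEvent struct stands in for the relevant PS_CREATE_NOTIFY_INFO fields, and the allow-list and sample events are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of what the driver sees for one new process:
 *   ParentProcessId  -> CreateInfo->ParentProcessId (the parent the OS records)
 *   CreatorProcessId -> PsGetCurrentProcessId() in the callback, i.e. the
 *                       process whose thread actually issued the create call */
typedef struct {
    uint32_t ProcessId;
    uint32_t ParentProcessId;
    uint32_t CreatorProcessId;
    const char *CreatorImage;   /* creator image name, resolved by the driver */
} CreateEvent;

typedef enum {
    PARENT_CONSISTENT = 0,      /* recorded parent really created the process */
    PARENT_REPARENTED_KNOWN,    /* mismatch from a known legitimate re-parenter */
    PARENT_SPOOF_SUSPECT        /* mismatch from an unexpected creator: alert */
} ParentVerdict;

/* Parent/creator mismatch is not proof of malice: UAC elevation is performed
 * by the AppInfo service (svchost.exe), which records the requester as parent.
 * Constructed allow-list; a product would key on verified path/signer, not name. */
static const char *const kKnownReparenters[] = { "svchost.exe" };

static bool IsKnownReparenter(const char *image)
{
    for (size_t i = 0; i < sizeof kKnownReparenters / sizeof *kKnownReparenters; i++)
        if (image != NULL && strcmp(image, kKnownReparenters[i]) == 0)
            return true;
    return false;
}

ParentVerdict ClassifyParent(const CreateEvent *ev)
{
    if (ev->ParentProcessId == ev->CreatorProcessId)
        return PARENT_CONSISTENT;
    return IsKnownReparenter(ev->CreatorImage) ? PARENT_REPARENTED_KNOWN
                                               : PARENT_SPOOF_SUSPECT;
}

int main(void)
{
    /* Constructed events: a normal child of explorer.exe (PID 4100), a UAC-elevated
     * app created by svchost.exe, and a process claiming explorer.exe as parent
     * although PID 7312 created it. */
    const CreateEvent events[] = { { 5000, 4100, 4100, "explorer.exe" },
                                   { 5001, 4100, 1200, "svchost.exe" },
                                   { 5002, 4100, 7312, "updater.exe" } };
    for (size_t i = 0; i < sizeof events / sizeof *events; i++)
        printf("pid %u: parent %u, creator %u -> verdict %d\n", events[i].ProcessId,
               events[i].ParentProcessId, events[i].CreatorProcessId, ClassifyParent(&events[i]));
    return 0;
}
```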

Much better idea.