krabsetw
KrabsETW provides a modern C++ wrapper and a .NET wrapper around the low-level ETW trace consumption functions.
Hello. Reading the Microsoft documentation, krabsetw (and its Rust counterpart [ferrisetw](https://github.com/n4r1b/ferrisetw)), I am puzzled about how to distinguish different schemas. [The doc](https://docs.microsoft.com/en-us/windows/win32/api/evntprov/ns-evntprov-event_descriptor) says (emphasis mine): > For **manifest-based ETW**, the...
Since querying the schema can be a demanding task, a cache is used in `krabs::schema_locator` to speed up schema retrieval for future events. The cache key is calculated using the...
`get_event_schema_from_tdh()` can throw an exception in case an error is returned by `TdhGetEventInformation()`. This exception is not handled in `ut::forward_events()` and will result in process termination. This happens before user...
I couldn't get the EventId when I tried to trace the "Service Control Manager". Microsoft Message Analyzer (MMA) also has this problem.
https://github.com/microsoft/krabsetw/blob/d4688217e01440bbea9db6d560b3d649a7acdb93/examples/NativeExamples/kernel_trace_003_rundown.cpp?_pjax=%23js-repo-pjax-container%2C%20div%5Bitemtype%3D%22http%3A%2F%2Fschema.org%2FSoftwareSourceCode%22%5D%20main%2C%20%5Bdata-pjax-container%5D#L74 When I use the std::string class to parse Chinese characters, there will be garbled characters in the ImageFileName, but it cannot be parsed using the wstring class. How can...
Hey all, I am running into the following exception, with Microsoft Visual Studio Professional 2019, Version 16.11.3. I have installed the managed NuGet Package “Microsoft.O365.Security.Native.ETW, Version 4.2.2” The App compiles...
By default, krabsetw produces events that have their timestamps converted into system time. Specifying `PROCESS_TRACE_MODE_RAW_TIMESTAMP` as `ProcessTraceMode` in the `EVENT_TRACE_LOGFILE` would leave timestamps in the same raw format used by...
The `EventNameOffset` property of `TRACE_EVENT_INFO` was added in "Windows 10 Fall Creators Update (2017)" as this [comment](https://github.com/microsoft/krabsetw/blob/master/krabs/krabs/schema.hpp#L282) suggests. Should `Windows 10` be a requirement for krabsetw, or should the use...
Results from the static analyser PVS-Studio: [check_krabsetw_by_pvs_studio.zip](https://github.com/microsoft/krabsetw/files/7323176/check_krabsetw_by_pvs_studio.zip)
Hi there, I have a problem regarding parsing of the boolean type. Indeed it is identified as UINT8 instead of BOOLEAN (or BOOL), thus throw_if_invalid raises an exception: I guess...