Windows 11 “New” ETW Providers — Overview

Windows 11 Wallpaper

Today Microsoft started rolling out the newest version of Windows to computers around the world. I wanted to check what new and interesting ETW providers were included in this official release.

Note: to get these results I did a diff between providers from windows version 21H1 (Win 10) and 21h2 (Win 11) using the following command:

Microsoft-Windows-WerKernel

  • GUID: {87A623F0–8DB5–5C11–7C80-A2EBBCBE5189}
  • Channel: Microsoft-Windows-WerKernel/Operational
  • Path: %SystemRoot%\system32\drivers\werkernel.sys

Events

  • EID 1001: Create “Dump”
  • EID 1002: Submit “Dump”

There are three types of “Dumps” defined:

  • 1: “No Dump”
  • 2: “Mini Dump”
  • 3: “Kernel Dump”

Unmapped Message

  • EID 1001
  • EID 1002

Microsoft-Windows-Winsock-Sockets

  • GUID: {BDE46AEA-2357–51FE-7367-D5296F530BD1}
  • Channel: None
  • Path: %SystemRoot%\system32\ws2_32.dll

Events

  • SockCreate
  • SockClose
  • SockAccept
  • SockSetOpt
  • SockConnect
  • SockBind
  • SockGetOpt
  • SockListen

Microsoft-Quic

  • GUID: {FF15E657–4F26–570E-88AB-0796B258D11C}
  • Channel: None
  • Path: %WinDir%\system32\drivers\msquic.sys

Events

More than 100 events are defined. Please reference the provider manifest here.

Microsoft-Windows-Kernel-Dump

  • GUID: {17D2A329–4539–5F4D-3435-F510634CE3B9}
  • Channel: Microsoft-Windows-Kernel-Dump/Operational
  • File: %SystemRoot%\system32\Microsoft-Windows-System-Events.dl

Events

  • EID 1: Policy Operation Failed
  • EID 2: Policy Value Changed
  • EID 3: CrashDump disabled on boot

Unmapped Message

  • EID 1
  • EID 2
  • EID 3

Microsoft-Windows-DNS-Client-DiagTrack

  • GUID: {80E30BFE-62CF-5C77–5DC4–425D2C7734A3}
  • Channel: None
  • Path: %SystemRoot%\system32\dnsapi.dll

Events / Unmapped Message

  • EID 3021
  • EID 3022

Other

Here are is a list of the rest of the providers that I found :

  • Microsoft-Windows-Kernel-Cache
  • Microsoft-Windows-Kernel-CPU-Starvation
  • Microsoft-Windows-Kernel-Prm
  • Microsoft-Windows-MapControls
  • Microsoft-Windows-MosHost
  • Microsoft-Windows-Network-ExecutionContext
  • Microsoft-Windows-NvmeDisk
  • Microsoft-Windows-Privacy-Auditing-CPSS
  • Microsoft-Windows-StorageManagement-PartUtil
  • Microsoft-Windows-StorageSpaces-Api
  • Microsoft-Windows-StorageSpaces-Parser
  • Microsoft-Windows-TenantRestrictions
  • Microsoft-Windows-USB-USB4DeviceRouter-EventLogs
  • Microsoft-Windows-WinHttp-Pca
  • Microsoft-Windows-WinINet-Pca
  • Microsoft-Windows-Winsock-Sockets
  • Microsoft-Windows-ZTraceMaps

You can find the manifest of these providers on my Github below:

If I missed any ETW provider or made a mistake somewhere, please let me know via a DM on Twitter @nas_bench or a PR on GitHub.

I write about #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.