Windows 11 “New” ETW Providers — Overview
Today Microsoft started rolling out the newest version of Windows to computers around the world. I wanted to check what new and interesting ETW providers were included in this official release.
Note: to get these results I did a diff between the providers from Windows version 21H1 (Win 10) and 21H2 (Win 11) using the following command:
logman query providers
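As an added example (not from the original post), the script below automates that comparison: it parses two saved `logman query providers` listings and reports which providers were added, removed, or changed GUID between the builds. The listings embedded here are constructed samples; only the two Windows 11 providers use the GUIDs documented on this page, the Contoso rows are made up.

```python
import re
from typing import Dict, List, Tuple

# One provider row of `logman query providers`: a name, then a {GUID}.
# Header, separator and "The command completed successfully." lines carry no
# GUID and are skipped. En-dashes (U+2013), which editors and browsers often
# substitute for hyphens in pasted GUIDs, are accepted and normalised.
PROVIDER_ROW = re.compile(r"^(?P<name>\S.*?)\s+\{(?P<guid>[0-9A-Fa-f\u2013-]{36})\}\s*$")


def parse_logman_providers(text: str) -> Dict[str, str]:
    """Map provider name -> canonical {GUID} from logman's text output."""
    providers: Dict[str, str] = {}
    for line in text.splitlines():
        m = PROVIDER_ROW.match(line.strip())
        if m:
            guid = m.group("guid").replace("\u2013", "-").upper()
            providers[m.group("name").strip()] = "{" + guid + "}"
    return providers


def diff_providers(old: Dict[str, str], new: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, guid_changed) provider names, each list sorted."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(n for n in set(old) & set(new) if old[n] != new[n])
    return added, removed, changed


# Constructed sample listings standing in for saved 21H1 and 21H2 output.
# "Contoso-*" names and their GUIDs are invented; the two Microsoft rows use
# the GUIDs documented on this page (one pasted with an en-dash on purpose).
OLD_21H1 = """\
Provider                                 GUID
-------------------------------------------------------------------------------
Contoso-Baseline-Provider                {00000000-0000-0000-0000-000000000001}
Contoso-Removed-Provider                 {00000000-0000-0000-0000-000000000002}
Contoso-Renumbered-Provider              {00000000-0000-0000-0000-000000000003}

The command completed successfully.
"""
NEW_21H2 = """\
Provider                                 GUID
-------------------------------------------------------------------------------
Contoso-Baseline-Provider                {00000000-0000-0000-0000-000000000001}
Contoso-Renumbered-Provider              {00000000-0000-0000-0000-000000000004}
Microsoft-Windows-Kernel-Dump            {17D2A329\u20134539-5F4D-3435-F510634CE3B9}
Microsoft-Windows-WerKernel              {87A623F0-8DB5-5C11-7C80-A2EBBCBE5189}

The command completed successfully.
"""

if __name__ == "__main__":
    added, removed, changed = diff_providers(parse_logman_providers(OLD_21H1), parse_logman_providers(NEW_21H2))
    for label, names in (("added", added), ("removed", removed), ("guid changed", changed)):
        print(f"{label}: {', '.join(names) or '-'}")
```

On real systems, redirect `logman query providers` to a file on each build and feed the file contents to `parse_logman_providers` in place of the embedded samples.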
Microsoft-Windows-WerKernel
- GUID: {87A623F0-8DB5-5C11-7C80-A2EBBCBE5189}
- Channel: Microsoft-Windows-WerKernel/Operational
- Path: %SystemRoot%\system32\drivers\werkernel.sys
Events
- EID 1001: Create “Dump”
- EID 1002: Submit “Dump”
There are three types of “Dumps” defined:
- 1: “No Dump”
- 2: “Mini Dump”
- 3: “Kernel Dump”
Unmapped Message
- EID 1001
Component [ComponentName] has requested to create a Live Kernel Dump and the request has been completed. RequestedType [RequestedPolicy], GrantedType [GrantedPolicy], Status [Status], ThrottleCheckResult [ThrottleCheckResult].
- EID 1002
Component [ComponentName] has requested to submit a Live Kernel Dump and the request has been completed. DumpType [Policy], ReportId [ReportId], Status [Status].
Microsoft-Windows-Winsock-Sockets
- GUID: {BDE46AEA-2357-51FE-7367-D5296F530BD1}
- Channel: None
- Path: %SystemRoot%\system32\ws2_32.dll
Events
- SockCreate
- SockClose
- SockAccept
- SockSetOpt
- SockConnect
- SockBind
- SockGetOpt
- SockListen
Microsoft-Quic
- GUID: {FF15E657-4F26-570E-88AB-0796B258D11C}
- Channel: None
- Path: %WinDir%\system32\drivers\msquic.sys
Events
More than 100 events are defined. Please reference the provider manifest here.
Microsoft-Windows-Kernel-Dump
- GUID: {17D2A329-4539-5F4D-3435-F510634CE3B9}
- Channel: Microsoft-Windows-Kernel-Dump/Operational
- Path: %SystemRoot%\system32\Microsoft-Windows-System-Events.dl
Events
- EID 1: Policy Operation Failed
- EID 2: Policy Value Changed
- EID 3: CrashDump disabled on boot
Unmapped Message
- EID 1
AllowCrashDump policy: [OperationType]
- EID 2
AllowCrashDump policy value changed (AllowCrashDump = [PolicyValue]). Configure crash dump. NT status: [NTStatus]
- EID 3
CrashDump disabled on boot by policy (AllowCrashDump = [PolicyValue]).
Microsoft-Windows-DNS-Client-DiagTrack
- GUID: {80E30BFE-62CF-5C77-5DC4-425D2C7734A3}
- Channel: None
- Path: %SystemRoot%\system32\dnsapi.dll
Events / Unmapped Message
- EID 3021
Collecting trace for DoH query [QueryName] and type [QueryType] which failed with response status [QueryStatus]
- EID 3022
Finished collecting trace for DoH query [QueryName] and type [QueryType]. Retry status code is: [QueryStatus]
Other
Here is a list of the rest of the providers that I found:
- Microsoft-Windows-Kernel-Cache
- Microsoft-Windows-Kernel-CPU-Starvation
- Microsoft-Windows-Kernel-Prm
- Microsoft-Windows-MapControls
- Microsoft-Windows-MosHost
- Microsoft-Windows-Network-ExecutionContext
- Microsoft-Windows-NvmeDisk
- Microsoft-Windows-Privacy-Auditing-CPSS
- Microsoft-Windows-StorageManagement-PartUtil
- Microsoft-Windows-StorageSpaces-Api
- Microsoft-Windows-StorageSpaces-Parser
- Microsoft-Windows-TenantRestrictions
- Microsoft-Windows-USB-USB4DeviceRouter-EventLogs
- Microsoft-Windows-WinHttp-Pca
- Microsoft-Windows-WinINet-Pca
- Microsoft-Windows-Winsock-Sockets
- Microsoft-Windows-ZTraceMaps
You can find the manifests of these providers on my GitHub below:
If I missed any ETW provider or made a mistake somewhere, please let me know via a DM on Twitter @nas_bench or a PR on GitHub.