Windows 11 “New” ETW Providers — Overview


Today Microsoft started rolling out the newest version of Windows to computers around the world. I wanted to check what new and interesting ETW providers were included in this official release.

Note: to get these results I did a diff between the providers from Windows version 21H1 (Win 10) and 21H2 (Win 11) using the following command:

logman query providers

Microsoft-Windows-WerKernel

  • GUID: {87A623F0-8DB5-5C11-7C80-A2EBBCBE5189}
  • Channel: Microsoft-Windows-WerKernel/Operational
  • Path: %SystemRoot%\system32\drivers\werkernel.sys

Events

  • EID 1001: Create “Dump”
  • EID 1002: Submit “Dump”

There are three types of “Dumps” defined:

  • 1: “No Dump”
  • 2: “Mini Dump”
  • 3: “Kernel Dump”

Unmapped Message

  • EID 1001
Component [ComponentName] has requested to create a Live Kernel Dump and the request has been completed. RequestedType [RequestedPolicy], GrantedType [GrantedPolicy], Status [Status], ThrottleCheckResult [ThrottleCheckResult].
  • EID 1002
Component [ComponentName] has requested to submit a Live Kernel Dump and the request has been completed. DumpType [Policy], ReportId [ReportId], Status [Status].

Microsoft-Windows-Winsock-Sockets

  • GUID: {BDE46AEA-2357-51FE-7367-D5296F530BD1}
  • Channel: None
  • Path: %SystemRoot%\system32\ws2_32.dll

Events

  • SockCreate
  • SockClose
  • SockAccept
  • SockSetOpt
  • SockConnect
  • SockBind
  • SockGetOpt
  • SockListen

Microsoft-Quic

  • GUID: {FF15E657-4F26-570E-88AB-0796B258D11C}
  • Channel: None
  • Path: %WinDir%\system32\drivers\msquic.sys

Events

More than 100 events are defined. Please reference the provider manifest here.

Microsoft-Windows-Kernel-Dump

  • GUID: {17D2A329-4539-5F4D-3435-F510634CE3B9}
  • Channel: Microsoft-Windows-Kernel-Dump/Operational
  • Path: %SystemRoot%\system32\Microsoft-Windows-System-Events.dl

Events

  • EID 1: Policy Operation Failed
  • EID 2: Policy Value Changed
  • EID 3: CrashDump disabled on boot

Unmapped Message

  • EID 1
AllowCrashDump policy: [OperationType]
  • EID 2
AllowCrashDump policy value changed (AllowCrashDump = [PolicyValue]). Configure crash dump. NT status: [NTStatus]
  • EID 3
CrashDump disabled on boot by policy (AllowCrashDump = [PolicyValue]).

Microsoft-Windows-DNS-Client-DiagTrack

  • GUID: {80E30BFE-62CF-5C77-5DC4-425D2C7734A3}
  • Channel: None
  • Path: %SystemRoot%\system32\dnsapi.dll

Events / Unmapped Message

  • EID 3021
Collecting trace for DoH query [QueryName] and type [QueryType] which failed with response status [QueryStatus]
  • EID 3022
Finished collecting trace for DoH query [QueryName] and type [QueryType]. Retry status code is: [QueryStatus]
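The two providers above that ship with an Operational channel (Microsoft-Windows-WerKernel and Microsoft-Windows-Kernel-Dump) can be read directly with Get-WinEvent; the channel-less ones (Winsock-Sockets, Quic, DNS-Client-DiagTrack) need an ETW session. The script below is an added example, not code from the original post; it assumes that the EventData field names match the placeholders in the unmapped message templates listed above (ComponentName, RequestedPolicy, GrantedPolicy, Status, ThrottleCheckResult, Policy, ReportId, PolicyValue), which is not confirmed by the post.

```powershell
# Added example: render the WerKernel and Kernel-Dump events from the new
# Operational channels using the dump-type codes and message templates above.
# ASSUMPTION: <Data Name="..."> elements are named like the template placeholders.

$dumpType = @{ 1 = 'No Dump'; 2 = 'Mini Dump'; 3 = 'Kernel Dump' }

function Resolve-DumpType {
    param($Value)
    $n = 0
    if ([int]::TryParse([string]$Value, [ref]$n) -and $dumpType.ContainsKey($n)) { return $dumpType[$n] }
    return "unknown ($Value)"   # code outside the three documented values
}

function Get-EventFields {
    # Flatten the EventData section of an event record into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[[string]$d.Name] = $d.'#text' }
    return $fields
}

# Live Kernel Dump creation (EID 1001) and submission (EID 1002).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WerKernel/Operational'; Id = 1001, 1002 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($_.Id -eq 1001) {
            '{0} [{1}] requested {2}, granted {3}, status {4}, throttle {5}' -f $_.TimeCreated, $f.ComponentName,
                (Resolve-DumpType $f.RequestedPolicy), (Resolve-DumpType $f.GrantedPolicy), $f.Status, $f.ThrottleCheckResult
        } else {
            '{0} [{1}] submitted {2}, ReportId {3}, status {4}' -f $_.TimeCreated, $f.ComponentName,
                (Resolve-DumpType $f.Policy), $f.ReportId, $f.Status
        }
    }

# AllowCrashDump policy changes (EID 2) and crash dumps disabled at boot (EID 3).
# A policy flip to disable crash dumps removes post-mortem evidence, so it is worth a detection rule.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Kernel-Dump/Operational'; Id = 2, 3 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        '{0} EID {1}: AllowCrashDump = {2}' -f $_.TimeCreated, $_.Id, $f.PolicyValue
    }

# Providers with "Channel: None" only emit to an ETW session. Example (constructed output path):
#   logman start WinsockTrace -p Microsoft-Windows-Winsock-Sockets -o C:\Temp\winsock.etl -ets
#   logman stop  WinsockTrace -ets
```

Running this on a fresh Windows 11 install usually prints nothing until a component requests a live kernel dump or the crash-dump policy is changed, so pair it with a baseline collection rather than expecting output immediately.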

Other

Here is a list of the rest of the providers that I found:

  • Microsoft-Windows-Kernel-Cache
  • Microsoft-Windows-Kernel-CPU-Starvation
  • Microsoft-Windows-Kernel-Prm
  • Microsoft-Windows-MapControls
  • Microsoft-Windows-MosHost
  • Microsoft-Windows-Network-ExecutionContext
  • Microsoft-Windows-NvmeDisk
  • Microsoft-Windows-Privacy-Auditing-CPSS
  • Microsoft-Windows-StorageManagement-PartUtil
  • Microsoft-Windows-StorageSpaces-Api
  • Microsoft-Windows-StorageSpaces-Parser
  • Microsoft-Windows-TenantRestrictions
  • Microsoft-Windows-USB-USB4DeviceRouter-EventLogs
  • Microsoft-Windows-WinHttp-Pca
  • Microsoft-Windows-WinINet-Pca
  • Microsoft-Windows-Winsock-Sockets
  • Microsoft-Windows-ZTraceMaps

You can find the manifests of these providers on my GitHub below:

If I missed any ETW provider or made a mistake somewhere, please let me know via a DM on Twitter @nas_bench or a PR on GitHub.

I write about #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.
Nasreddine Bencherchali