Introduction to ETW

  • Published 29 Nov 2024

COMMENTS • 25

  • @ek2719
    @ek2719 1 year ago +2

    Thanks Pavel, I’ve been missing your videos! 😊

  • @rayansec
    @rayansec 9 months ago +2

    Great video, I was trying to learn what ETW is and couldn't really understand it without examples but this video helped me a lot! Thank you :)

  • @thedude8421
    @thedude8421 1 year ago +2

    Perfect timing! Thanks :)

  • @Alchemytweaks
    @Alchemytweaks 1 year ago +4

    Great video, thank you

  • @pavelpavelsin2786
    @pavelpavelsin2786 1 year ago +2

    Thanks 👍

  • @tommak-u9d
    @tommak-u9d 1 year ago +2

    Tks..😀

  • @Alchemytweaks
    @Alchemytweaks 1 year ago +1

    Mr Pavel, I would like to ask you a question regarding Windows Performance Analyzer. When I select the DPC/ISR tab to analyze drivers, I can't seem to identify a clear driver related to devices like the keyboard or mouse. Therefore, I'm unable to study the results I've collected for my peripherals. Could you please advise me on what I might be doing wrong or what steps I should take to address this issue?

    • @zodiacon
      @zodiacon 1 year ago +2

      I can't say for sure why. Do note that many drivers for keyboard/mouse are written in user mode (UMDF), so DPC/ISR is unlikely to be shown for these drivers.

    • @Alchemytweaks
      @Alchemytweaks 1 year ago +1

      Does this mean that the DPC & ISR don't handle drivers for devices such as the keyboard and mouse? Furthermore, if I intend to analyze data (before and after) resulting from configurations directly related to these device drivers, with a focus on theoretically reducing their execution time, what process would you recommend I follow? Your guidance would be greatly appreciated. @zodiacon

    • @zodiacon
      @zodiacon 1 year ago +2

      USB-connected devices are triggered by a USB bus driver. I'm not sure how you can reduce any execution time unless you write the drivers yourself. If you really want to examine what is going on, you should write a filter driver for the device of interest and/or for USB controllers. You can start by looking for ETW events that may provide some insight without the need to write code.

    • @Alchemytweaks
      @Alchemytweaks 1 year ago

      @zodiacon Thank you!

    • @Alchemytweaks
      @Alchemytweaks 1 year ago

      @zodiacon Mr Pavel, I happened to notice something interesting. When I mentioned to you that I couldn't see the drivers related to peripherals when I opened WPA, I didn't mention that I had conducted the tests using xperf. Now that I've performed the tests with WPR, I observed that as soon as I opened the .etl file, drivers appeared (like USBXHCI.SYS) that were not present with xperf. Therefore, I assume that the process of how I conduct these measurements plays a significant role.

  • @itf_ph3r0x41
    @itf_ph3r0x41 1 year ago +1

    Hey Pavel, nice video as always :)
    Can I ask you a question about Windows HANDLEs? I am having a bit of trouble with this one :(.
    Basically, I want to make a simple handle monitoring application, where I want to have some special functions, like determining an object type from its HANDLE value.
    I am aware that I can use NtQuerySystemInformation with SystemHandleInformation, which gives me a snapshot of all HANDLEs in the system, but it usually takes several seconds to filter that list for a specific SYSTEM_HANDLE_TABLE_ENTRY_INFO object just to query a HANDLE's type.
    I am basically asking if there is a basic "int getObjectType(HANDLE)" usermode function that I could use for this purpose?
    Thanks for your answer in advance; unfortunately I couldn't find anything by myself yet.

    • @zodiacon
      @zodiacon 1 year ago +1

      There is NtQueryObject with ObjectTypeInformation that you can use.
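
The call suggested in the reply above, as an added example that is not from the video or the comments: it resolves a handle's object type name by querying ntdll's NtQueryObject with ObjectTypeInformation through P/Invoke, and parses the UNICODE_STRING at the start of OBJECT_TYPE_INFORMATION. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the class name NtObj and the function name Get-HandleTypeName are my own.

```powershell
# Added example: object type name for a HANDLE via NtQueryObject(ObjectTypeInformation).
$ntdll = @'
using System;
using System.Runtime.InteropServices;
public static class NtObj {
    // NTSTATUS NtQueryObject(HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG, PULONG)
    [DllImport("ntdll.dll")]
    public static extern int NtQueryObject(IntPtr Handle, int ObjectInformationClass,
        IntPtr ObjectInformation, int ObjectInformationLength, out int ReturnLength);
}
'@
Add-Type -TypeDefinition $ntdll

function Get-HandleTypeName {
    param([Parameter(Mandatory)][IntPtr]$Handle)
    $ObjectTypeInformation = 2      # OBJECT_INFORMATION_CLASS value
    $size = 4096                    # OBJECT_TYPE_INFORMATION plus the type name fits easily
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal($size)
    try {
        $returned = 0
        $status = [NtObj]::NtQueryObject($Handle, $ObjectTypeInformation, $buf, $size, [ref]$returned)
        if ($status -ne 0) { throw ("NtQueryObject failed with NTSTATUS 0x{0:X8}" -f $status) }
        # OBJECT_TYPE_INFORMATION starts with UNICODE_STRING TypeName:
        #   USHORT Length (bytes), USHORT MaximumLength, PWSTR Buffer (pointer-aligned)
        $byteLen = [Runtime.InteropServices.Marshal]::ReadInt16($buf, 0)
        $namePtr = [Runtime.InteropServices.Marshal]::ReadIntPtr($buf, [IntPtr]::Size)
        return [Runtime.InteropServices.Marshal]::PtrToStringUni($namePtr, [int]($byteLen / 2))
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    }
}

# Demo on two handles this process owns: a file handle and an event handle.
$file  = [IO.File]::Open("$env:TEMP\etw-demo.tmp", 'OpenOrCreate')
$event = New-Object Threading.ManualResetEvent($false)
try {
    Get-HandleTypeName $file.SafeFileHandle.DangerousGetHandle()    # type name of the file handle
    Get-HandleTypeName $event.SafeWaitHandle.DangerousGetHandle()   # type name of the event handle
} finally {
    $file.Dispose(); $event.Dispose()
}
```

The query runs against the caller's own handle table, so a handle obtained from another process's snapshot (as in the NtQuerySystemInformation approach above) must first be duplicated into the current process.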

    • @itf_ph3r0x41
      @itf_ph3r0x41 1 year ago +1

      Thanks a lot, you are a life saver! :) @zodiacon

  • @Alchemytweaks
    @Alchemytweaks 1 year ago +1

    One more question related to your document about thread priorities. Is it possible to change the thread priority of a driver (for instance ndis.sys) via registry parameterization or not?

    • @zodiacon
      @zodiacon 1 year ago

      There is no meaning to that. A driver is not a thread, it has no priority. It's invoked by client code or because of interrupts.

    • @Alchemytweaks
      @Alchemytweaks 1 year ago +1

      Thank you for opening my eyes! @zodiacon

  • @SusanThomas-j8o
    @SusanThomas-j8o 2 months ago

    Hudson Road

  • @imnirajan
    @imnirajan 2 months ago

    Is there a way to differentiate between a file upload initiated by a user and one initiated internally by a browser?
    Since most of the file upload stuff is done using IFileOpenDialog, is it possible to use ETW to check that information?

    • @zodiacon
      @zodiacon 2 months ago

      Only if the IFileOpenDialog implementation raises ETW events - since there are many ETW providers and events, more research is needed.

  • @Misheeification
    @Misheeification 4 months ago

    Is it possible to query ETW for the event fields with logman instead of using ETW Explorer?

    • @zodiacon
      @zodiacon 4 months ago

      No, as far as I can tell.

  • @WilliamsBarco-z3x
    @WilliamsBarco-z3x 1 month ago

    Daniela Stream