I have one for process events that s coming along alright mi

Question

I have one for process events that s coming along alright missing quite a bit if data from the normal table schema though disappointed Also haven t sorted out the best trace provider for network events

Mike Myers · Answer

At a previous job I worked on this problem here are the providers we used <https github com DigitalOperatives PAINT blob 6412814c0a61d8e0a785801970eaf37d3f835b38 PAINT PAINT h>

thor · Answer

Any chance you knew how to get command line information for the process events

thor · Answer

Were you using anything for process events That looks like just networking stuff Still very useful thank you very much heart

Mike Myers · Answer

In that project we were using some network related ETW providers which carried PID metadata for every packet So we were not capturing process events per se but I thought maybe the list of network event providers might be of interest to you

Mike Myers · Answer

I noticed that you re using the TDH API directly and if it works that s fine but Microsoft does have a less known modern C++ wrapper called krabsetw that I really like <https github com Microsoft krabsetw>

Mike Myers · Answer

Regarding the getting of command line information I dunno where to get that from an ETW provider The way that ProcessHacker gets it is `NtQueryInformationProcess`

thor · Answer

Hah yeah I ve been talking with < zacbrown> who s one of the authors of Krabs and his response to my question was why don t you just use krabs smile

zacbrown · Answer

Heh Weird hearing people talk about krabs

zacbrown · Answer

< thor> and actually I m one of three main authors The other two still work for MSFT but both are on the C++ compiler team now We all worked on O365 Security tho when it was written