Any chance you knew how to get command line information for the process events?
Were you using anything for process events? That looks like just networking stuff. Still very useful, thank you very much ❤️
08/24/2018, 6:56 PM
In that project, we were using some network-related ETW providers which carried PID metadata for every packet. So we were not capturing process events per se, but I thought maybe the list of network event providers might be of interest to you.
I noticed that you're using the TDH API directly and if it works that's fine but Microsoft does have a less-known modern C++ wrapper called krabsetw that I really like: https://github.com/Microsoft/krabsetw
Regarding the getting of command line information: I dunno where to get that from an ETW provider. The way that ProcessHacker gets it is
08/24/2018, 8:28 PM
Hah, yeah, I've been talking with @zacbrown who's one of (the?) authors of Krabs, and his response to my question was "why don't you just use krabs?" 😄
08/24/2018, 9:53 PM
Heh. Weird hearing people talk about krabs
@thor and actually, I’m one of three main authors. The other two still work for MSFT but both are on the C++ compiler team now. We all worked on O365 Security tho when it was written