I have one for process events that's coming along alright, missing quite a bit of data from the normal table schema though. Also haven't sorted out the best trace provider for network events
Any chance you knew how to get command line information for the process events?
thor
08/24/2018, 5:32 PM
Were you using anything for process events? That looks like just networking stuff. Still very useful, thank you very much ❤️
Mike Myers
08/24/2018, 6:56 PM
In that project, we were using some network-related ETW providers which carried PID metadata for every packet. So we were not capturing process events per se, but I thought maybe the list of network event providers might be of interest to you.
Mike Myers
08/24/2018, 6:59 PM
I noticed that you're using the TDH API directly and if it works that's fine but Microsoft does have a less-known modern C++ wrapper called krabsetw that I really like: https://github.com/Microsoft/krabsetw
Mike Myers
08/24/2018, 7:22 PM
Regarding the getting of command line information: I dunno where to get that from an ETW provider. The way that ProcessHacker gets it is NtQueryInformationProcess
thor
08/24/2018, 8:28 PM
Hah, yeah, I've been talking with @zacbrown who's one of (the?) authors of Krabs, and his response to my question was "why don't you just use krabs?"
zacbrown
08/24/2018, 9:53 PM
Heh. Weird hearing people talk about krabs
zacbrown
08/24/2018, 9:54 PM
@thor and actually, I'm one of three main authors. The other two still work for MSFT but both are on the C++ compiler team now. We all worked on O365 Security tho when it was written