logging nt kernel logger or windows kernel trace

[joemikhailgwu]

When logging nt kernel logger or windows kernel trace providers, there are no results. Any tips?

[abergl]

Run as administrator.

[joemikhailgwu]

I am running as administrator. All the other providers work fine.

[SuprHackerSteve]

@joemikhailgwu can you verify this is an issue with pywintrace by trying the same actions on Microsoft Message Analyzer?

[ifUpEth0]

I have encountered the same as above. Running an admin shell on Windows 10. I cannot try and test with MS Message Analyzer as it was deprecated and remove from their sites before November.

Ref Code:
`
#! python3

from log import Log
import time
import etw

def some_func(log):
providers = [etw.ProviderInfo('Microsoft-Windows-Kernel-EventTracing', etw.GUID("{B675EC37-BDB6-4648-BC92-F3FDC74D3CA2}"))]
# create instance of ETW class
job = etw.ETW(providers=providers, event_callback=lambda x: log.Write(f"{x}\n"))
# start capture
job.start()

while 1:
    pass

# stop capture
job.stop()

log = Log()
some_func(log)
`

[ifUpEth0]

Interestingly I found I could test much of this with logman and found many of the kernel level providers did not provide much via it either. For disks at the kernel level I am getting some useful info with, Microsoft-Windows-Kernel-Disk should anyone be interested.