├── .gitignore ├── LICENSE ├── README.md ├── bin ├── etl2pcap └── etl2xml ├── etl ├── __init__.py ├── dtyp.py ├── error.py ├── etl.py ├── event.py ├── parsers │ ├── __init__.py │ ├── etw │ │ ├── AESMService.py │ │ ├── Application_Addon_Event_Provider.py │ │ ├── Application_Popup.py │ │ ├── DptfAcpiEtwProvider.py │ │ ├── Error_Instrument.py │ │ ├── HidEventFilter.py │ │ ├── Intel_SST_BUS.py │ │ ├── Intel_SST_OED.py │ │ ├── Intel_Thunderbolt_App.py │ │ ├── Intel_Thunderbolt_Bus.py │ │ ├── Intel_Thunderbolt_Service.py │ │ ├── Intel_iaLPSS2_GPIO2.py │ │ ├── Intel_iaLPSS2_I2C.py │ │ ├── Intel_iaLPSS_GPIO.py │ │ ├── Intel_iaLPSS_I2C.py │ │ ├── LsaSrv.py │ │ ├── Microsoft_Antimalware_AMFilter.py │ │ ├── Microsoft_Antimalware_Protection.py │ │ ├── Microsoft_Antimalware_RTP.py │ │ ├── Microsoft_Antimalware_Scan_Interface.py │ │ ├── Microsoft_Antimalware_Service.py │ │ ├── Microsoft_AppV_Client.py │ │ ├── Microsoft_AppV_Client_StreamingUX.py │ │ ├── Microsoft_AppV_ServiceLog.py │ │ ├── Microsoft_AppV_SharedPerformance.py │ │ ├── Microsoft_Client_Licensing_Platform.py │ │ ├── Microsoft_Gaming_Services.py │ │ ├── Microsoft_IE.py │ │ ├── Microsoft_IEFRAME.py │ │ ├── Microsoft_IE_JSDumpHeap.py │ │ ├── Microsoft_JScript.py │ │ ├── Microsoft_Office_Events.py │ │ ├── Microsoft_Office_Word.py │ │ ├── Microsoft_Office_Word2.py │ │ ├── Microsoft_Office_Word3.py │ │ ├── Microsoft_OneCore_OnlineSetup.py │ │ ├── Microsoft_Pef_WFP_MessageProvider.py │ │ ├── Microsoft_Pef_WebProxy.py │ │ ├── Microsoft_PerfTrack_IEFRAME.py │ │ ├── Microsoft_PerfTrack_MSHTML.py │ │ ├── Microsoft_User_Experience_Virtualization_Admin.py │ │ ├── Microsoft_User_Experience_Virtualization_Agent_Driver.py │ │ ├── Microsoft_User_Experience_Virtualization_App_Agent.py │ │ ├── Microsoft_User_Experience_Virtualization_IPC.py │ │ ├── Microsoft_User_Experience_Virtualization_SQM_Uploader.py │ │ ├── Microsoft_WindowsPhone_ConfigManager2.py │ │ ├── Microsoft_WindowsPhone_CoreMessaging.py │ │ ├── 
Microsoft_WindowsPhone_CoreUIComponents.py │ │ ├── Microsoft_WindowsPhone_LocationServiceProvider.py │ │ ├── Microsoft_WindowsPhone_Net_Cellcore_CellManager.py │ │ ├── Microsoft_WindowsPhone_Net_Cellcore_CellularAPI.py │ │ ├── Microsoft_WindowsPhone_Ufx.py │ │ ├── Microsoft_WindowsPhone_UfxSynopsys.py │ │ ├── Microsoft_Windows_AAD.py │ │ ├── Microsoft_Windows_ADSI.py │ │ ├── Microsoft_Windows_AIT.py │ │ ├── Microsoft_Windows_ASN1.py │ │ ├── Microsoft_Windows_ATAPort.py │ │ ├── Microsoft_Windows_ActionQueue.py │ │ ├── Microsoft_Windows_AllJoyn.py │ │ ├── Microsoft_Windows_All_User_Install_Agent.py │ │ ├── Microsoft_Windows_AppHost.py │ │ ├── Microsoft_Windows_AppID.py │ │ ├── Microsoft_Windows_AppLocker.py │ │ ├── Microsoft_Windows_AppModel_Exec.py │ │ ├── Microsoft_Windows_AppModel_Runtime.py │ │ ├── Microsoft_Windows_AppModel_State.py │ │ ├── Microsoft_Windows_AppReadiness.py │ │ ├── Microsoft_Windows_AppSruProv.py │ │ ├── Microsoft_Windows_AppXDeployment.py │ │ ├── Microsoft_Windows_ApplicationExperienceInfrastructure.py │ │ ├── Microsoft_Windows_ApplicationExperience_Cache.py │ │ ├── Microsoft_Windows_ApplicationExperience_LookupServiceTrigger.py │ │ ├── Microsoft_Windows_ApplicationExperience_SwitchBack.py │ │ ├── Microsoft_Windows_Application_Experience.py │ │ ├── Microsoft_Windows_Application_Server_Applications.py │ │ ├── Microsoft_Windows_AppxPackagingOM.py │ │ ├── Microsoft_Windows_AssignedAccess.py │ │ ├── Microsoft_Windows_AssignedAccessBroker.py │ │ ├── Microsoft_Windows_AsynchronousCausality.py │ │ ├── Microsoft_Windows_Audio.py │ │ ├── Microsoft_Windows_Audit.py │ │ ├── Microsoft_Windows_Audit_CVE.py │ │ ├── Microsoft_Windows_AuthenticationProvider.py │ │ ├── Microsoft_Windows_AxInstallService.py │ │ ├── Microsoft_Windows_BTH_BTHUSB.py │ │ ├── Microsoft_Windows_BackgroundTransfer_ContentPrefetcher.py │ │ ├── Microsoft_Windows_Backup.py │ │ ├── Microsoft_Windows_Base_Filtering_Engine_Connections.py │ │ ├── 
Microsoft_Windows_Base_Filtering_Engine_Resource_Flows.py │ │ ├── Microsoft_Windows_Battery.py │ │ ├── Microsoft_Windows_BfeTriggerProvider.py │ │ ├── Microsoft_Windows_Biometrics.py │ │ ├── Microsoft_Windows_BitLocker_API.py │ │ ├── Microsoft_Windows_BitLocker_DrivePreparationTool.py │ │ ├── Microsoft_Windows_BitLocker_Driver.py │ │ ├── Microsoft_Windows_BitLocker_Driver_Performance.py │ │ ├── Microsoft_Windows_Bits_Client.py │ │ ├── Microsoft_Windows_Bluetooth_BthLEPrepairing.py │ │ ├── Microsoft_Windows_Bluetooth_Bthmini.py │ │ ├── Microsoft_Windows_Bluetooth_MTPEnum.py │ │ ├── Microsoft_Windows_Bluetooth_Policy.py │ │ ├── Microsoft_Windows_BootUX.py │ │ ├── Microsoft_Windows_BranchCache.py │ │ ├── Microsoft_Windows_BranchCacheClientEventProvider.py │ │ ├── Microsoft_Windows_BranchCacheMonitoring.py │ │ ├── Microsoft_Windows_BranchCacheSMB.py │ │ ├── Microsoft_Windows_BrokerInfrastructure.py │ │ ├── Microsoft_Windows_CAPI2.py │ │ ├── Microsoft_Windows_CDROM.py │ │ ├── Microsoft_Windows_COM.py │ │ ├── Microsoft_Windows_COMRuntime.py │ │ ├── Microsoft_Windows_COM_Perf.py │ │ ├── Microsoft_Windows_COM_RundownInstrumentation.py │ │ ├── Microsoft_Windows_CertPolEng.py │ │ ├── Microsoft_Windows_CertificateServicesClient.py │ │ ├── Microsoft_Windows_CertificateServicesClient_AutoEnrollment.py │ │ ├── Microsoft_Windows_CertificateServicesClient_CredentialRoaming.py │ │ ├── Microsoft_Windows_CertificateServicesClient_Lifecycle_System.py │ │ ├── Microsoft_Windows_CertificateServicesClient_Lifecycle_User.py │ │ ├── Microsoft_Windows_CertificationAuthorityClient_CertCli.py │ │ ├── Microsoft_Windows_CloudStore.py │ │ ├── Microsoft_Windows_CmiSetup.py │ │ ├── Microsoft_Windows_CodeIntegrity.py │ │ ├── Microsoft_Windows_ComDlg32.py │ │ ├── Microsoft_Windows_Compat_Appraiser.py │ │ ├── Microsoft_Windows_Complus.py │ │ ├── Microsoft_Windows_Containers_BindFlt.py │ │ ├── Microsoft_Windows_Containers_BindFlt_Mapping.py │ │ ├── Microsoft_Windows_Containers_Wcifs.py │ │ ├── 
Microsoft_Windows_Containers_Wcifs_Mapping.py │ │ ├── Microsoft_Windows_Containers_Wcnfs.py │ │ ├── Microsoft_Windows_CoreSystem_InitMachineConfig.py │ │ ├── Microsoft_Windows_CoreSystem_NetProvision_JoinProviderOnline.py │ │ ├── Microsoft_Windows_CoreSystem_SmsRouter.py │ │ ├── Microsoft_Windows_CoreWindow.py │ │ ├── Microsoft_Windows_CorruptedFileRecovery_Client.py │ │ ├── Microsoft_Windows_CorruptedFileRecovery_Server.py │ │ ├── Microsoft_Windows_Crashdump.py │ │ ├── Microsoft_Windows_Crypto_BCrypt.py │ │ ├── Microsoft_Windows_Crypto_CNG.py │ │ ├── Microsoft_Windows_Crypto_DPAPI.py │ │ ├── Microsoft_Windows_Crypto_DSSEnh.py │ │ ├── Microsoft_Windows_Crypto_NCrypt.py │ │ ├── Microsoft_Windows_Crypto_RNG.py │ │ ├── Microsoft_Windows_Crypto_RSAEnh.py │ │ ├── Microsoft_Windows_D3D10Level9.py │ │ ├── Microsoft_Windows_D3D9.py │ │ ├── Microsoft_Windows_DAL_Provider.py │ │ ├── Microsoft_Windows_DCLocator.py │ │ ├── Microsoft_Windows_DHCPv6_Client.py │ │ ├── Microsoft_Windows_DLNA_Namespace.py │ │ ├── Microsoft_Windows_DNS_Client.py │ │ ├── Microsoft_Windows_DSC.py │ │ ├── Microsoft_Windows_DUI.py │ │ ├── Microsoft_Windows_DUSER.py │ │ ├── Microsoft_Windows_DVD.py │ │ ├── Microsoft_Windows_DXGI.py │ │ ├── Microsoft_Windows_DXGIDebug.py │ │ ├── Microsoft_Windows_DXP.py │ │ ├── Microsoft_Windows_DataIntegrityScan.py │ │ ├── Microsoft_Windows_Data_Pdf.py │ │ ├── Microsoft_Windows_DateTimeControlPanel.py │ │ ├── Microsoft_Windows_Deduplication.py │ │ ├── Microsoft_Windows_Deduplication_Change.py │ │ ├── Microsoft_Windows_DeliveryOptimization.py │ │ ├── Microsoft_Windows_Deplorch.py │ │ ├── Microsoft_Windows_DesktopActivityModerator.py │ │ ├── Microsoft_Windows_DesktopWindowManager_Diag.py │ │ ├── Microsoft_Windows_DevMgmt_UefiCsp.py │ │ ├── Microsoft_Windows_DeviceAssociationService.py │ │ ├── Microsoft_Windows_DeviceConfidence.py │ │ ├── Microsoft_Windows_DeviceGuard.py │ │ ├── Microsoft_Windows_DeviceManagement_Enterprise_Diagnostics_Provider.py │ │ ├── 
Microsoft_Windows_DeviceManagement_Pushrouter.py │ │ ├── Microsoft_Windows_DeviceSetupManager.py │ │ ├── Microsoft_Windows_DeviceSync.py │ │ ├── Microsoft_Windows_DeviceUpdateAgent.py │ │ ├── Microsoft_Windows_DeviceUx.py │ │ ├── Microsoft_Windows_Devices_Background.py │ │ ├── Microsoft_Windows_DfsSvc.py │ │ ├── Microsoft_Windows_Dhcp_Client.py │ │ ├── Microsoft_Windows_DiagCpl.py │ │ ├── Microsoft_Windows_Diagnosis_AdvancedTaskManager.py │ │ ├── Microsoft_Windows_Diagnosis_DPS.py │ │ ├── Microsoft_Windows_Diagnosis_PCW.py │ │ ├── Microsoft_Windows_Diagnosis_PLA.py │ │ ├── Microsoft_Windows_Diagnosis_PerfHost.py │ │ ├── Microsoft_Windows_Diagnosis_Scheduled.py │ │ ├── Microsoft_Windows_Diagnosis_Scripted.py │ │ ├── Microsoft_Windows_Diagnosis_ScriptedDiagnosticsProvider.py │ │ ├── Microsoft_Windows_Diagnosis_WDC.py │ │ ├── Microsoft_Windows_Diagnosis_WDI.py │ │ ├── Microsoft_Windows_Diagnostics_LoggingChannel.py │ │ ├── Microsoft_Windows_Diagnostics_Networking.py │ │ ├── Microsoft_Windows_Diagnostics_PerfTrack.py │ │ ├── Microsoft_Windows_Diagnostics_PerfTrack_Counters.py │ │ ├── Microsoft_Windows_Diagnostics_Performance.py │ │ ├── Microsoft_Windows_Direct3D10.py │ │ ├── Microsoft_Windows_Direct3D10_1.py │ │ ├── Microsoft_Windows_Direct3D11.py │ │ ├── Microsoft_Windows_Direct3D12.py │ │ ├── Microsoft_Windows_Direct3DShaderCache.py │ │ ├── Microsoft_Windows_DirectComposition.py │ │ ├── Microsoft_Windows_DirectManipulation.py │ │ ├── Microsoft_Windows_DirectShow_Core.py │ │ ├── Microsoft_Windows_DirectShow_KernelSupport.py │ │ ├── Microsoft_Windows_DirectSound.py │ │ ├── Microsoft_Windows_Directory_Services_SAM.py │ │ ├── Microsoft_Windows_Disk.py │ │ ├── Microsoft_Windows_DiskDiagnostic.py │ │ ├── Microsoft_Windows_DiskDiagnosticResolver.py │ │ ├── Microsoft_Windows_Dism_Api.py │ │ ├── Microsoft_Windows_DisplayColorCalibration.py │ │ ├── Microsoft_Windows_DistributedCOM.py │ │ ├── Microsoft_Windows_Documents.py │ │ ├── 
Microsoft_Windows_DomainJoinManagerTriggerProvider.py │ │ ├── Microsoft_Windows_DotNETRuntime.py │ │ ├── Microsoft_Windows_DotNETRuntimeRundown.py │ │ ├── Microsoft_Windows_DriverFrameworks_KernelMode_Performance.py │ │ ├── Microsoft_Windows_DriverFrameworks_UserMode.py │ │ ├── Microsoft_Windows_DriverFrameworks_UserMode_Performance.py │ │ ├── Microsoft_Windows_Dwm_Api.py │ │ ├── Microsoft_Windows_Dwm_Dwm.py │ │ ├── Microsoft_Windows_Dwm_Redir.py │ │ ├── Microsoft_Windows_Dwm_Udwm.py │ │ ├── Microsoft_Windows_DxgKrnl.py │ │ ├── Microsoft_Windows_DxpTaskSyncProvider.py │ │ ├── Microsoft_Windows_EDP_AppLearning.py │ │ ├── Microsoft_Windows_EDP_Audit_Regular.py │ │ ├── Microsoft_Windows_EDP_Audit_TCB.py │ │ ├── Microsoft_Windows_EFS.py │ │ ├── Microsoft_Windows_ELS_Hyphenation.py │ │ ├── Microsoft_Windows_EQoS.py │ │ ├── Microsoft_Windows_ESE.py │ │ ├── Microsoft_Windows_EapHost.py │ │ ├── Microsoft_Windows_EapMethods_RasChap.py │ │ ├── Microsoft_Windows_EapMethods_RasTls.py │ │ ├── Microsoft_Windows_EapMethods_Sim.py │ │ ├── Microsoft_Windows_EapMethods_Ttls.py │ │ ├── Microsoft_Windows_EaseOfAccess.py │ │ ├── Microsoft_Windows_EndpointTriggerProvider.py │ │ ├── Microsoft_Windows_EnergyEfficiencyWizard.py │ │ ├── Microsoft_Windows_EnhancedStorage_EhStorTcgDrv.py │ │ ├── Microsoft_Windows_ErrorReportingConsole.py │ │ ├── Microsoft_Windows_EventCollector.py │ │ ├── Microsoft_Windows_EventSystem.py │ │ ├── Microsoft_Windows_Eventlog.py │ │ ├── Microsoft_Windows_FMS.py │ │ ├── Microsoft_Windows_FailoverClustering_Client.py │ │ ├── Microsoft_Windows_Fat_SQM.py │ │ ├── Microsoft_Windows_Fault_Tolerant_Heap.py │ │ ├── Microsoft_Windows_FeatureConfiguration.py │ │ ├── Microsoft_Windows_FileHistory_Catalog.py │ │ ├── Microsoft_Windows_FileHistory_ConfigManager.py │ │ ├── Microsoft_Windows_FileHistory_Core.py │ │ ├── Microsoft_Windows_FileHistory_Engine.py │ │ ├── Microsoft_Windows_FileHistory_EventListener.py │ │ ├── Microsoft_Windows_FileHistory_Service.py │ │ ├── 
Microsoft_Windows_FileHistory_UI.py │ │ ├── Microsoft_Windows_FileInfoMinifilter.py │ │ ├── Microsoft_Windows_FilterManager.py │ │ ├── Microsoft_Windows_Firewall.py │ │ ├── Microsoft_Windows_Folder_Redirection.py │ │ ├── Microsoft_Windows_Forwarding.py │ │ ├── Microsoft_Windows_FunctionDiscovery.py │ │ ├── Microsoft_Windows_FunctionDiscoveryHost.py │ │ ├── Microsoft_Windows_GPIOButtons.py │ │ ├── Microsoft_Windows_GPIO_ClassExtension.py │ │ ├── Microsoft_Windows_GenericRoaming.py │ │ ├── Microsoft_Windows_Graphics_Capture_Server.py │ │ ├── Microsoft_Windows_Graphics_Printing.py │ │ ├── Microsoft_Windows_Graphics_Printing3D.py │ │ ├── Microsoft_Windows_GroupPolicyTriggerProvider.py │ │ ├── Microsoft_Windows_HAL.py │ │ ├── Microsoft_Windows_HealthCenter.py │ │ ├── Microsoft_Windows_HealthCenterCPL.py │ │ ├── Microsoft_Windows_Heap_Snapshot.py │ │ ├── Microsoft_Windows_HelloForBusiness.py │ │ ├── Microsoft_Windows_Help.py │ │ ├── Microsoft_Windows_HomeGroup_ControlPanel.py │ │ ├── Microsoft_Windows_HomeGroup_ListenerService.py │ │ ├── Microsoft_Windows_HomeGroup_ProviderService.py │ │ ├── Microsoft_Windows_HotspotAuth.py │ │ ├── Microsoft_Windows_HttpEvent.py │ │ ├── Microsoft_Windows_HttpLog.py │ │ ├── Microsoft_Windows_HttpService.py │ │ ├── Microsoft_Windows_Http_SQM_Provider.py │ │ ├── Microsoft_Windows_Hyper_V_ComputeLib.py │ │ ├── Microsoft_Windows_Hyper_V_Guest_Drivers_Dynamic_Memory.py │ │ ├── Microsoft_Windows_Hyper_V_Guest_Drivers_IcSvc.py │ │ ├── Microsoft_Windows_Hyper_V_Guest_Drivers_Storage_Filter.py │ │ ├── Microsoft_Windows_Hyper_V_Hypervisor.py │ │ ├── Microsoft_Windows_Hyper_V_Netvsc.py │ │ ├── Microsoft_Windows_Hyper_V_VID.py │ │ ├── Microsoft_Windows_Hyper_V_VmSwitch.py │ │ ├── Microsoft_Windows_IE_F12_Provider.py │ │ ├── Microsoft_Windows_IE_SmartScreen.py │ │ ├── Microsoft_Windows_IME_CustomerFeedbackManager.py │ │ ├── Microsoft_Windows_IME_JPTIP.py │ │ ├── Microsoft_Windows_IME_KRTIP.py │ │ ├── Microsoft_Windows_IME_TCTIP.py │ │ ├── 
Microsoft_Windows_IME_TIP.py │ │ ├── Microsoft_Windows_IPNAT.py │ │ ├── Microsoft_Windows_IPxlatCfg.py │ │ ├── Microsoft_Windows_IdCtrls.py │ │ ├── Microsoft_Windows_IdleTriggerProvider.py │ │ ├── Microsoft_Windows_Immersive_Shell.py │ │ ├── Microsoft_Windows_Immersive_Shell_API.py │ │ ├── Microsoft_Windows_IndirectDisplays_ClassExtension_Events.py │ │ ├── Microsoft_Windows_InputSwitch.py │ │ ├── Microsoft_Windows_Input_HIDCLASS.py │ │ ├── Microsoft_Windows_Install_Agent.py │ │ ├── Microsoft_Windows_International.py │ │ ├── Microsoft_Windows_International_RegionalOptionsControlPanel.py │ │ ├── Microsoft_Windows_Iphlpsvc.py │ │ ├── Microsoft_Windows_Iphlpsvc_Trace.py │ │ ├── Microsoft_Windows_IsolatedUserMode.py │ │ ├── Microsoft_Windows_KdsSvc.py │ │ ├── Microsoft_Windows_KernelStreaming.py │ │ ├── Microsoft_Windows_Kernel_Acpi.py │ │ ├── Microsoft_Windows_Kernel_AppCompat.py │ │ ├── Microsoft_Windows_Kernel_Audit_API_Calls.py │ │ ├── Microsoft_Windows_Kernel_Boot.py │ │ ├── Microsoft_Windows_Kernel_Disk.py │ │ ├── Microsoft_Windows_Kernel_EventTracing.py │ │ ├── Microsoft_Windows_Kernel_File.py │ │ ├── Microsoft_Windows_Kernel_IO.py │ │ ├── Microsoft_Windows_Kernel_Interrupt_Steering.py │ │ ├── Microsoft_Windows_Kernel_LicensingSqm.py │ │ ├── Microsoft_Windows_Kernel_LiveDump.py │ │ ├── Microsoft_Windows_Kernel_Memory.py │ │ ├── Microsoft_Windows_Kernel_Network.py │ │ ├── Microsoft_Windows_Kernel_Pep.py │ │ ├── Microsoft_Windows_Kernel_PnP.py │ │ ├── Microsoft_Windows_Kernel_PnP_Rundown.py │ │ ├── Microsoft_Windows_Kernel_Power.py │ │ ├── Microsoft_Windows_Kernel_PowerTrigger.py │ │ ├── Microsoft_Windows_Kernel_Prefetch.py │ │ ├── Microsoft_Windows_Kernel_Process.py │ │ ├── Microsoft_Windows_Kernel_Processor_Power.py │ │ ├── Microsoft_Windows_Kernel_Registry.py │ │ ├── Microsoft_Windows_Kernel_ShimEngine.py │ │ ├── Microsoft_Windows_Kernel_StoreMgr.py │ │ ├── Microsoft_Windows_Kernel_Tm.py │ │ ├── Microsoft_Windows_Kernel_Tm_Trigger.py │ │ ├── 
Microsoft_Windows_Kernel_WDI.py │ │ ├── Microsoft_Windows_Kernel_WHEA.py │ │ ├── Microsoft_Windows_Kernel_XDV.py │ │ ├── Microsoft_Windows_KnownFolders.py │ │ ├── Microsoft_Windows_L2NACP.py │ │ ├── Microsoft_Windows_LDAP_Client.py │ │ ├── Microsoft_Windows_LUA.py │ │ ├── Microsoft_Windows_LanGPA.py │ │ ├── Microsoft_Windows_LanguagePackSetup.py │ │ ├── Microsoft_Windows_LimitsManagement.py │ │ ├── Microsoft_Windows_LinkLayerDiscoveryProtocol.py │ │ ├── Microsoft_Windows_LiveId.py │ │ ├── Microsoft_Windows_MCCS_AccountAccessor.py │ │ ├── Microsoft_Windows_MCCS_AccountsHost.py │ │ ├── Microsoft_Windows_MCCS_AccountsRT.py │ │ ├── Microsoft_Windows_MCCS_ActiveSyncCsp.py │ │ ├── Microsoft_Windows_MCCS_ActiveSyncProvider.py │ │ ├── Microsoft_Windows_MCCS_DavSyncProvider.py │ │ ├── Microsoft_Windows_MCCS_EngineShared.py │ │ ├── Microsoft_Windows_MCCS_InternetMail.py │ │ ├── Microsoft_Windows_MCCS_InternetMailCsp.py │ │ ├── Microsoft_Windows_MCCS_NetworkHelper.py │ │ ├── Microsoft_Windows_MCCS_SyncController.py │ │ ├── Microsoft_Windows_MCCS_SyncUtil.py │ │ ├── Microsoft_Windows_MF.py │ │ ├── Microsoft_Windows_MFH264Enc.py │ │ ├── Microsoft_Windows_MF_FrameServer.py │ │ ├── Microsoft_Windows_MMCSS.py │ │ ├── Microsoft_Windows_MP4SDECD.py │ │ ├── Microsoft_Windows_MPEG2_DLNA_Encoder.py │ │ ├── Microsoft_Windows_MPRMSG.py │ │ ├── Microsoft_Windows_MSDTC.py │ │ ├── Microsoft_Windows_MSDTC_2.py │ │ ├── Microsoft_Windows_MSDTC_Client.py │ │ ├── Microsoft_Windows_MSDTC_Client_2.py │ │ ├── Microsoft_Windows_MSFTEDIT.py │ │ ├── Microsoft_Windows_MSMPEG2ADEC.py │ │ ├── Microsoft_Windows_MSMPEG2VDEC.py │ │ ├── Microsoft_Windows_MSPaint.py │ │ ├── Microsoft_Windows_MUI.py │ │ ├── Microsoft_Windows_Magnification.py │ │ ├── Microsoft_Windows_Management_SecureAssessment.py │ │ ├── Microsoft_Windows_MediaEngine.py │ │ ├── Microsoft_Windows_MediaFoundation_MFCaptureEngine.py │ │ ├── Microsoft_Windows_MediaFoundation_MFReadWrite.py │ │ ├── Microsoft_Windows_MediaFoundation_MSVProc.py │ │ 
├── Microsoft_Windows_MediaFoundation_Performance.py │ │ ├── Microsoft_Windows_MediaFoundation_Performance_Core.py │ │ ├── Microsoft_Windows_MediaFoundation_Platform.py │ │ ├── Microsoft_Windows_MediaFoundation_PlayAPI.py │ │ ├── Microsoft_Windows_Media_Protection_PlayReady_Performance.py │ │ ├── Microsoft_Windows_Media_Streaming.py │ │ ├── Microsoft_Windows_MemoryDiagnostics_Results.py │ │ ├── Microsoft_Windows_MemoryDiagnostics_Schedule.py │ │ ├── Microsoft_Windows_Memory_Diagnostic_Task_Handler.py │ │ ├── Microsoft_Windows_Minstore.py │ │ ├── Microsoft_Windows_Mobile_Broadband_Experience_Api.py │ │ ├── Microsoft_Windows_Mobile_Broadband_Experience_Api_Internal.py │ │ ├── Microsoft_Windows_Mobile_Broadband_Experience_Parser_Task.py │ │ ├── Microsoft_Windows_Mobile_Broadband_Experience_SmsApi.py │ │ ├── Microsoft_Windows_ModernDeployment_Diagnostics_Provider.py │ │ ├── Microsoft_Windows_MountMgr.py │ │ ├── Microsoft_Windows_Mprddm.py │ │ ├── Microsoft_Windows_NCSI.py │ │ ├── Microsoft_Windows_NDF_HelperClassDiscovery.py │ │ ├── Microsoft_Windows_NDIS.py │ │ ├── Microsoft_Windows_NDIS_PacketCapture.py │ │ ├── Microsoft_Windows_NFC_ClassExtension.py │ │ ├── Microsoft_Windows_NTLM.py │ │ ├── Microsoft_Windows_NWiFi.py │ │ ├── Microsoft_Windows_Narrator.py │ │ ├── Microsoft_Windows_Ncasvc.py │ │ ├── Microsoft_Windows_NcdAutoSetup.py │ │ ├── Microsoft_Windows_NdisImPlatformEventProvider.py │ │ ├── Microsoft_Windows_NdisImPlatformSysEvtProvider.py │ │ ├── Microsoft_Windows_Ndu.py │ │ ├── Microsoft_Windows_NetworkBridge.py │ │ ├── Microsoft_Windows_NetworkManagerTriggerProvider.py │ │ ├── Microsoft_Windows_NetworkProfile.py │ │ ├── Microsoft_Windows_NetworkProfileTriggerProvider.py │ │ ├── Microsoft_Windows_NetworkProvisioning.py │ │ ├── Microsoft_Windows_NetworkSecurity.py │ │ ├── Microsoft_Windows_NetworkStatus.py │ │ ├── Microsoft_Windows_Network_Connection_Broker.py │ │ ├── Microsoft_Windows_Network_Setup.py │ │ ├── Microsoft_Windows_Networking_Correlation.py │ │ ├── 
Microsoft_Windows_Networking_RealTimeCommunication.py │ │ ├── Microsoft_Windows_Networking_VPN_Plugin_Platform.py │ │ ├── Microsoft_Windows_NlaSvc.py │ │ ├── Microsoft_Windows_Ntfs_UBPM.py │ │ ├── Microsoft_Windows_OLEACC.py │ │ ├── Microsoft_Windows_OLE_Perf.py │ │ ├── Microsoft_Windows_OOBE_FirstLogonAnim.py │ │ ├── Microsoft_Windows_OOBE_Machine_Core.py │ │ ├── Microsoft_Windows_OOBE_Machine_DUI.py │ │ ├── Microsoft_Windows_OOBE_Machine_Plugins_Wireless.py │ │ ├── Microsoft_Windows_OfflineFiles.py │ │ ├── Microsoft_Windows_OneBackup.py │ │ ├── Microsoft_Windows_OneX.py │ │ ├── Microsoft_Windows_OobeLdr.py │ │ ├── Microsoft_Windows_OtpCredentialProviderEvt.py │ │ ├── Microsoft_Windows_OverlayFilter.py │ │ ├── Microsoft_Windows_PDC.py │ │ ├── Microsoft_Windows_PDFReader.py │ │ ├── Microsoft_Windows_PackageStateRoaming.py │ │ ├── Microsoft_Windows_ParentalControls.py │ │ ├── Microsoft_Windows_Partition.py │ │ ├── Microsoft_Windows_PerfDisk.py │ │ ├── Microsoft_Windows_PerfNet.py │ │ ├── Microsoft_Windows_PerfOS.py │ │ ├── Microsoft_Windows_PerfProc.py │ │ ├── Microsoft_Windows_Perflib.py │ │ ├── Microsoft_Windows_Performance_Recorder_Control.py │ │ ├── Microsoft_Windows_PersistentMemory_Nvdimm.py │ │ ├── Microsoft_Windows_PersistentMemory_PmemDisk.py │ │ ├── Microsoft_Windows_PersistentMemory_ScmBus.py │ │ ├── Microsoft_Windows_Photo_Image_Codec.py │ │ ├── Microsoft_Windows_PktMon.py │ │ ├── Microsoft_Windows_PortableWorkspaces_Creator_Tool.py │ │ ├── Microsoft_Windows_PowerShell.py │ │ ├── Microsoft_Windows_PowerShell_DesiredStateConfiguration_FileDownloadManager.py │ │ ├── Microsoft_Windows_Power_CAD.py │ │ ├── Microsoft_Windows_Power_Meter_Polling.py │ │ ├── Microsoft_Windows_Power_Troubleshooter.py │ │ ├── Microsoft_Windows_PrimaryNetworkIcon.py │ │ ├── Microsoft_Windows_PrintBRM.py │ │ ├── Microsoft_Windows_PrintService.py │ │ ├── Microsoft_Windows_PrintService_USBMon.py │ │ ├── Microsoft_Windows_ProcessExitMonitor.py │ │ ├── 
Microsoft_Windows_ProcessStateManager.py │ │ ├── Microsoft_Windows_Processor_Aggregator.py │ │ ├── Microsoft_Windows_Program_Compatibility_Assistant.py │ │ ├── Microsoft_Windows_Provisioning_Diagnostics_Provider.py │ │ ├── Microsoft_Windows_Proximity_Common.py │ │ ├── Microsoft_Windows_PushNotifications_Developer.py │ │ ├── Microsoft_Windows_PushNotifications_InProc.py │ │ ├── Microsoft_Windows_PushNotifications_Platform.py │ │ ├── Microsoft_Windows_Push_To_Install_Service.py │ │ ├── Microsoft_Windows_QoS_Pacer.py │ │ ├── Microsoft_Windows_QoS_qWAVE.py │ │ ├── Microsoft_Windows_RPC.py │ │ ├── Microsoft_Windows_RPCSS.py │ │ ├── Microsoft_Windows_RPC_Events.py │ │ ├── Microsoft_Windows_RPC_FirewallManager.py │ │ ├── Microsoft_Windows_RPC_Proxy_LBS.py │ │ ├── Microsoft_Windows_RRAS.py │ │ ├── Microsoft_Windows_RTWorkQueue_Extended.py │ │ ├── Microsoft_Windows_RTWorkQueue_Threading.py │ │ ├── Microsoft_Windows_RasServer.py │ │ ├── Microsoft_Windows_RasSstp.py │ │ ├── Microsoft_Windows_Ras_AgileVpn.py │ │ ├── Microsoft_Windows_Ras_NdisWanPacketCapture.py │ │ ├── Microsoft_Windows_ReFS.py │ │ ├── Microsoft_Windows_ReFS_v1.py │ │ ├── Microsoft_Windows_ReadyBoost.py │ │ ├── Microsoft_Windows_ReadyBoostDriver.py │ │ ├── Microsoft_Windows_Registry_SQM_Provider.py │ │ ├── Microsoft_Windows_RemoteApp_and_Desktop_Connections.py │ │ ├── Microsoft_Windows_RemoteAssistance.py │ │ ├── Microsoft_Windows_RemoteDesktopServices_RdpCoreTS.py │ │ ├── Microsoft_Windows_RemoteDesktopServices_RemoteFX_Synth3dvsc.py │ │ ├── Microsoft_Windows_RemoteDesktopServices_RemoteFX_VM_Kernel_Mode_Transport.py │ │ ├── Microsoft_Windows_RemoteDesktopServices_RemoteFX_VM_User_Mode_Transport.py │ │ ├── Microsoft_Windows_RemoteDesktopServices_SessionServices.py │ │ ├── Microsoft_Windows_Remotefs_Rdbss.py │ │ ├── Microsoft_Windows_ResetEng_Trace.py │ │ ├── Microsoft_Windows_ResourcePublication.py │ │ ├── Microsoft_Windows_Resource_Exhaustion_Detector.py │ │ ├── 
Microsoft_Windows_Resource_Exhaustion_Resolver.py │ │ ├── Microsoft_Windows_RetailDemo.py │ │ ├── Microsoft_Windows_Runtime_Graphics.py │ │ ├── Microsoft_Windows_Runtime_Media.py │ │ ├── Microsoft_Windows_Runtime_Networking.py │ │ ├── Microsoft_Windows_Runtime_Networking_BackgroundTransfer.py │ │ ├── Microsoft_Windows_Runtime_WebAPI.py │ │ ├── Microsoft_Windows_Runtime_Web_Http.py │ │ ├── Microsoft_Windows_SCPNP.py │ │ ├── Microsoft_Windows_SEC.py │ │ ├── Microsoft_Windows_SENSE.py │ │ ├── Microsoft_Windows_SMBClient.py │ │ ├── Microsoft_Windows_SMBDirect.py │ │ ├── Microsoft_Windows_SMBServer.py │ │ ├── Microsoft_Windows_SMBWitnessClient.py │ │ ├── Microsoft_Windows_SPB_ClassExtension.py │ │ ├── Microsoft_Windows_SPB_HIDI2C.py │ │ ├── Microsoft_Windows_Schannel_Events.py │ │ ├── Microsoft_Windows_Sdbus.py │ │ ├── Microsoft_Windows_Sdstor.py │ │ ├── Microsoft_Windows_Search.py │ │ ├── Microsoft_Windows_Search_Core.py │ │ ├── Microsoft_Windows_Search_ProfileNotify.py │ │ ├── Microsoft_Windows_Search_ProtocolHandlers.py │ │ ├── Microsoft_Windows_SecurityMitigationsBroker.py │ │ ├── Microsoft_Windows_Security_Adminless.py │ │ ├── Microsoft_Windows_Security_Audit_Configuration_Client.py │ │ ├── Microsoft_Windows_Security_Auditing.py │ │ ├── Microsoft_Windows_Security_EnterpriseData_FileRevocationManager.py │ │ ├── Microsoft_Windows_Security_ExchangeActiveSyncProvisioning.py │ │ ├── Microsoft_Windows_Security_IdentityListener.py │ │ ├── Microsoft_Windows_Security_Kerberos.py │ │ ├── Microsoft_Windows_Security_LessPrivilegedAppContainer.py │ │ ├── Microsoft_Windows_Security_Mitigations.py │ │ ├── Microsoft_Windows_Security_Netlogon.py │ │ ├── Microsoft_Windows_Security_SPP.py │ │ ├── Microsoft_Windows_Security_SPP_UX_GenuineCenter_Logging.py │ │ ├── Microsoft_Windows_Security_SPP_UX_Notifications.py │ │ ├── Microsoft_Windows_Security_UserConsentVerifier.py │ │ ├── Microsoft_Windows_SenseIR.py │ │ ├── Microsoft_Windows_Sensors.py │ │ ├── Microsoft_Windows_Sensors_Core.py 
│ │ ├── Microsoft_Windows_Sensors_Core_Performance.py │ │ ├── Microsoft_Windows_Serial_ClassExtension.py │ │ ├── Microsoft_Windows_Serial_ClassExtension_V2.py │ │ ├── Microsoft_Windows_ServiceReportingApi.py │ │ ├── Microsoft_Windows_ServiceTriggerPerfEventProvider.py │ │ ├── Microsoft_Windows_Services.py │ │ ├── Microsoft_Windows_Services_Svchost.py │ │ ├── Microsoft_Windows_Servicing.py │ │ ├── Microsoft_Windows_SettingSync.py │ │ ├── Microsoft_Windows_SettingSync_Azure.py │ │ ├── Microsoft_Windows_SettingSync_Desktop.py │ │ ├── Microsoft_Windows_SettingSync_OneDrive.py │ │ ├── Microsoft_Windows_Setup.py │ │ ├── Microsoft_Windows_SetupCl.py │ │ ├── Microsoft_Windows_SetupPlatform.py │ │ ├── Microsoft_Windows_SetupQueue.py │ │ ├── Microsoft_Windows_SetupUGC.py │ │ ├── Microsoft_Windows_ShareMedia_ControlPanel.py │ │ ├── Microsoft_Windows_SharedAccess_NAT.py │ │ ├── Microsoft_Windows_ShellCommon_StartLayoutPopulation.py │ │ ├── Microsoft_Windows_Shell_AuthUI.py │ │ ├── Microsoft_Windows_Shell_ConnectedAccountState.py │ │ ├── Microsoft_Windows_Shell_Core.py │ │ ├── Microsoft_Windows_Shell_DefaultPrograms.py │ │ ├── Microsoft_Windows_Shell_LockScreenContent.py │ │ ├── Microsoft_Windows_Shell_OpenWith.py │ │ ├── Microsoft_Windows_Shell_Search_UriHandler.py │ │ ├── Microsoft_Windows_Shsvcs.py │ │ ├── Microsoft_Windows_SleepStudy.py │ │ ├── Microsoft_Windows_SmartCard_Audit.py │ │ ├── Microsoft_Windows_SmartCard_DeviceEnum.py │ │ ├── Microsoft_Windows_SmartCard_TPM_VCard_Module.py │ │ ├── Microsoft_Windows_SmartScreen.py │ │ ├── Microsoft_Windows_Smartcard_Server.py │ │ ├── Microsoft_Windows_Smartcard_Trigger.py │ │ ├── Microsoft_Windows_SmbWmiProvider.py │ │ ├── Microsoft_Windows_SoftwareRestrictionPolicies.py │ │ ├── Microsoft_Windows_Speech_TTS.py │ │ ├── Microsoft_Windows_Speech_UserExperience.py │ │ ├── Microsoft_Windows_SpellChecker.py │ │ ├── Microsoft_Windows_Spell_Checking.py │ │ ├── Microsoft_Windows_Spellchecking_Host.py │ │ ├── Microsoft_Windows_SruMon.py │ 
│ ├── Microsoft_Windows_SrumTelemetry.py │ │ ├── Microsoft_Windows_StartLmhosts.py │ │ ├── Microsoft_Windows_StartupRepair.py │ │ ├── Microsoft_Windows_StateRepository.py │ │ ├── Microsoft_Windows_StorDiag.py │ │ ├── Microsoft_Windows_StorPort.py │ │ ├── Microsoft_Windows_StorageManagement.py │ │ ├── Microsoft_Windows_StorageManagement_WSP_FS.py │ │ ├── Microsoft_Windows_StorageManagement_WSP_Health.py │ │ ├── Microsoft_Windows_StorageManagement_WSP_Host.py │ │ ├── Microsoft_Windows_StorageManagement_WSP_Spaces.py │ │ ├── Microsoft_Windows_StorageSpaces_Driver.py │ │ ├── Microsoft_Windows_StorageSpaces_ManagementAgent.py │ │ ├── Microsoft_Windows_StorageSpaces_SpaceManager.py │ │ ├── Microsoft_Windows_Storage_Tiering.py │ │ ├── Microsoft_Windows_Storage_Tiering_IoHeat.py │ │ ├── Microsoft_Windows_Store.py │ │ ├── Microsoft_Windows_Storsvc.py │ │ ├── Microsoft_Windows_Subsys_Csr.py │ │ ├── Microsoft_Windows_Subsys_SMSS.py │ │ ├── Microsoft_Windows_Superfetch.py │ │ ├── Microsoft_Windows_Sysmon.py │ │ ├── Microsoft_Windows_Sysprep.py │ │ ├── Microsoft_Windows_SystemEventsBroker.py │ │ ├── Microsoft_Windows_SystemSettingsHandlers.py │ │ ├── Microsoft_Windows_System_Restore.py │ │ ├── Microsoft_Windows_TCPIP.py │ │ ├── Microsoft_Windows_TPM_WMI.py │ │ ├── Microsoft_Windows_TSF_UIManager.py │ │ ├── Microsoft_Windows_TSF_msctf.py │ │ ├── Microsoft_Windows_TSF_msutb.py │ │ ├── Microsoft_Windows_TZSync.py │ │ ├── Microsoft_Windows_TZUtil.py │ │ ├── Microsoft_Windows_TabletPC_InputPanel.py │ │ ├── Microsoft_Windows_TabletPC_MathInput.py │ │ ├── Microsoft_Windows_TabletPC_MathRecognizer.py │ │ ├── Microsoft_Windows_TabletPC_Platform_Input_Ninput.py │ │ ├── Microsoft_Windows_TaskScheduler.py │ │ ├── Microsoft_Windows_TerminalServices_ClientActiveXCore.py │ │ ├── Microsoft_Windows_TerminalServices_ClientUSBDevices.py │ │ ├── Microsoft_Windows_TerminalServices_LocalSessionManager.py │ │ ├── Microsoft_Windows_TerminalServices_MediaRedirection.py │ │ ├── 
Microsoft_Windows_TerminalServices_PnPDevices.py │ │ ├── Microsoft_Windows_TerminalServices_Printers.py │ │ ├── Microsoft_Windows_TerminalServices_RdpSoundDriver.py │ │ ├── Microsoft_Windows_TerminalServices_RemoteConnectionManager.py │ │ ├── Microsoft_Windows_TerminalServices_ServerUSBDevices.py │ │ ├── Microsoft_Windows_Tethering_Manager.py │ │ ├── Microsoft_Windows_Tethering_Station.py │ │ ├── Microsoft_Windows_ThemeCPL.py │ │ ├── Microsoft_Windows_ThemeUI.py │ │ ├── Microsoft_Windows_Threat_Intelligence.py │ │ ├── Microsoft_Windows_TimeBroker.py │ │ ├── Microsoft_Windows_Time_Service.py │ │ ├── Microsoft_Windows_Time_Service_PTP_Provider.py │ │ ├── Microsoft_Windows_TriggerEmulatorProvider.py │ │ ├── Microsoft_Windows_Troubleshooting_Recommended.py │ │ ├── Microsoft_Windows_TunnelDriver.py │ │ ├── Microsoft_Windows_TunnelDriver_SQM_Provider.py │ │ ├── Microsoft_Windows_UAC_FileVirtualization.py │ │ ├── Microsoft_Windows_UIAnimation.py │ │ ├── Microsoft_Windows_UIAutomationCore.py │ │ ├── Microsoft_Windows_UIRibbon.py │ │ ├── Microsoft_Windows_UI_Search.py │ │ ├── Microsoft_Windows_URLMon.py │ │ ├── Microsoft_Windows_USBVideo.py │ │ ├── Microsoft_Windows_USB_MAUSBHOST.py │ │ ├── Microsoft_Windows_USB_USBHUB.py │ │ ├── Microsoft_Windows_UniversalTelemetryClient.py │ │ ├── Microsoft_Windows_UserDataAccess_CEMAPI.py │ │ ├── Microsoft_Windows_UserDataAccess_CallHistoryClient.py │ │ ├── Microsoft_Windows_UserDataAccess_PimIndexMaintenance.py │ │ ├── Microsoft_Windows_UserDataAccess_Poom.py │ │ ├── Microsoft_Windows_UserDataAccess_UnifiedStore.py │ │ ├── Microsoft_Windows_UserDataAccess_UserDataApis.py │ │ ├── Microsoft_Windows_UserDataAccess_UserDataService.py │ │ ├── Microsoft_Windows_UserDataAccess_UserDataUtils.py │ │ ├── Microsoft_Windows_UserModePowerService.py │ │ ├── Microsoft_Windows_UserPnp.py │ │ ├── Microsoft_Windows_User_ControlPanel.py │ │ ├── Microsoft_Windows_User_Device_Registration.py │ │ ├── Microsoft_Windows_User_Diagnostic.py │ │ ├── 
Microsoft_Windows_User_Loader.py │ │ ├── Microsoft_Windows_User_Profiles_General.py │ │ ├── Microsoft_Windows_User_Profiles_Service.py │ │ ├── Microsoft_Windows_UxInit.py │ │ ├── Microsoft_Windows_UxTheme.py │ │ ├── Microsoft_Windows_VHDMP.py │ │ ├── Microsoft_Windows_VIRTDISK.py │ │ ├── Microsoft_Windows_VPN_Client.py │ │ ├── Microsoft_Windows_VWiFi.py │ │ ├── Microsoft_Windows_VerifyHardwareSecurity.py │ │ ├── Microsoft_Windows_Video_For_Windows.py │ │ ├── Microsoft_Windows_Volume.py │ │ ├── Microsoft_Windows_VolumeControl.py │ │ ├── Microsoft_Windows_VolumeSnapshot_Driver.py │ │ ├── Microsoft_Windows_WCN_Config_Registrar.py │ │ ├── Microsoft_Windows_WCN_Config_Registrar_Secure.py │ │ ├── Microsoft_Windows_WDAG_PolicyEvaluator_CSP.py │ │ ├── Microsoft_Windows_WDAG_PolicyEvaluator_GP.py │ │ ├── Microsoft_Windows_WEPHOSTSVC.py │ │ ├── Microsoft_Windows_WER_Diag.py │ │ ├── Microsoft_Windows_WER_PayloadHealth.py │ │ ├── Microsoft_Windows_WER_SystemErrorReporting.py │ │ ├── Microsoft_Windows_WFP.py │ │ ├── Microsoft_Windows_WHEA_Logger.py │ │ ├── Microsoft_Windows_WLAN_AutoConfig.py │ │ ├── Microsoft_Windows_WLAN_Driver.py │ │ ├── Microsoft_Windows_WLGPA.py │ │ ├── Microsoft_Windows_WMI.py │ │ ├── Microsoft_Windows_WMI_Activity.py │ │ ├── Microsoft_Windows_WMP.py │ │ ├── Microsoft_Windows_WMPDMCUI.py │ │ ├── Microsoft_Windows_WMPNSSUI.py │ │ ├── Microsoft_Windows_WMPNSS_PublicAPI.py │ │ ├── Microsoft_Windows_WMPNSS_Service.py │ │ ├── Microsoft_Windows_WMP_Setup_WM.py │ │ ├── Microsoft_Windows_WMVENCOD.py │ │ ├── Microsoft_Windows_WPDClassInstaller.py │ │ ├── Microsoft_Windows_WPD_API.py │ │ ├── Microsoft_Windows_WPD_CompositeClassDriver.py │ │ ├── Microsoft_Windows_WPD_MTPBT.py │ │ ├── Microsoft_Windows_WPD_MTPClassDriver.py │ │ ├── Microsoft_Windows_WPD_MTPIP.py │ │ ├── Microsoft_Windows_WPD_MTPUS.py │ │ ├── Microsoft_Windows_WUSA.py │ │ ├── Microsoft_Windows_WWAN_CFE.py │ │ ├── Microsoft_Windows_WWAN_MM_EVENTS.py │ │ ├── Microsoft_Windows_WWAN_NDISUIO_EVENTS.py │ │ 
├── Microsoft_Windows_WWAN_SVC_EVENTS.py │ │ ├── Microsoft_Windows_Wallet.py │ │ ├── Microsoft_Windows_Wcmsvc.py │ │ ├── Microsoft_Windows_WebAuth.py │ │ ├── Microsoft_Windows_WebAuthN.py │ │ ├── Microsoft_Windows_WebIO.py │ │ ├── Microsoft_Windows_WebServices.py │ │ ├── Microsoft_Windows_WebcamExperience.py │ │ ├── Microsoft_Windows_WebdavClient_LookupServiceTrigger.py │ │ ├── Microsoft_Windows_Websocket_Protocol_Component.py │ │ ├── Microsoft_Windows_WiFiDisplay.py │ │ ├── Microsoft_Windows_WiFiHotspotService.py │ │ ├── Microsoft_Windows_WiFiNetworkManager.py │ │ ├── Microsoft_Windows_Win32k.py │ │ ├── Microsoft_Windows_WinHttp.py │ │ ├── Microsoft_Windows_WinINet.py │ │ ├── Microsoft_Windows_WinINet_Capture.py │ │ ├── Microsoft_Windows_WinINet_Config.py │ │ ├── Microsoft_Windows_WinJson.py │ │ ├── Microsoft_Windows_WinMDE.py │ │ ├── Microsoft_Windows_WinNat.py │ │ ├── Microsoft_Windows_WinQuic.py │ │ ├── Microsoft_Windows_WinRM.py │ │ ├── Microsoft_Windows_WinRT_Error.py │ │ ├── Microsoft_Windows_Windeploy.py │ │ ├── Microsoft_Windows_WindowsBackup.py │ │ ├── Microsoft_Windows_WindowsColorSystem.py │ │ ├── Microsoft_Windows_WindowsSystemAssessmentTool.py │ │ ├── Microsoft_Windows_WindowsToGo_StartupOptions.py │ │ ├── Microsoft_Windows_WindowsUIImmersive.py │ │ ├── Microsoft_Windows_WindowsUpdateClient.py │ │ ├── Microsoft_Windows_Windows_Defender.py │ │ ├── Microsoft_Windows_Windows_Firewall_With_Advanced_Security.py │ │ ├── Microsoft_Windows_Wininit.py │ │ ├── Microsoft_Windows_Winlogon.py │ │ ├── Microsoft_Windows_Winsock_AFD.py │ │ ├── Microsoft_Windows_Winsock_NameResolution.py │ │ ├── Microsoft_Windows_Winsock_SQM.py │ │ ├── Microsoft_Windows_Winsock_WS2HELP.py │ │ ├── Microsoft_Windows_Winsrv.py │ │ ├── Microsoft_Windows_Wired_AutoConfig.py │ │ ├── Microsoft_Windows_Wordpad.py │ │ ├── Microsoft_Windows_WorkFolders.py │ │ ├── Microsoft_Windows_Workplace_Join.py │ │ ├── Microsoft_Windows_XAML.py │ │ ├── Microsoft_Windows_XAML_Diagnostics.py │ │ ├── 
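Microsoft_Windows_XAudio2.py │ │ ├── Microsoft_Windows_XWizards.py │ │ ├── Microsoft_Windows_exFAT_SQM.py │ │ ├── Microsoft_Windows_mobsync.py │ │ ├── Microsoft_Windows_msmpeg2venc.py │ │ ├── Microsoft_Windows_osk.py │ │ ├── Microsoft_Windows_stobject.py │ │ ├── Microsoft_Windows_wmvdecod.py │ │ ├── NetJoin.py │ │ ├── Ntfs.py │ │ ├── OfficeAirSpace.py │ │ ├── OfficeLoggingLiblet.py │ │ ├── OpenSSH.py │ │ ├── RmClient_RestartManager.py │ │ ├── Schannel.py │ │ ├── Service_Control_Manager.py │ │ ├── TeeDriver.py │ │ ├── User32.py │ │ ├── WINSATAPI_ETW_PROVIDER.py │ │ ├── Windows_ApplicationModel_Store_SDK.py │ │ ├── __init__.py │ │ └── core.py │ ├── kernel │ │ ├── __init__.py │ │ ├── core.py │ │ ├── file.py │ │ ├── header.py │ │ ├── image.py │ │ ├── io.py │ │ ├── process.py │ │ └── thread.py │ └── tracelogging.py ├── perf.py ├── system.py ├── trace.py ├── utils.py ├── wintrace.py └── wmi.py ├── setup.py └── tests ├── example ├── AMSITrace.etl ├── BootPerfDiagLogger.etl ├── NetTrace.etl ├── ShutdownPerfDiagLogger.etl └── lxcore_kernel.etl ├── test_guid_parser.py ├── test_mof_header_parser.py ├── test_mof_image_parser.py ├── test_mof_process_parser.py ├── test_mof_thread_parser.py ├── test_tracelogging_parser.py └── test_utils.py
/etl/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/airbus-cert/etl-parser/76b7c046866ce0469cd129ee3f7bb3799b34e271/etl/__init__.py
--------------------------------------------------------------------------------
/etl/dtyp.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-

"""
:see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/cca27429-5689-4a16-b2b4-9325d93e4ba2
"""
from construct import Struct, Int8ul, Byte, Int32ul, Array, Const

# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/f992ad60-0fe4-4b87-9fed-beb478836861
# Binary SID as it appears in event payloads.  The SubAuthority array is sized
# by SubAuthorityCount read from the (untrusted) trace; only Revision is
# validated here.  MS-DTYP allows at most 15 sub-authorities
# (SID_MAX_SUB_AUTHORITIES), a larger count is not rejected by this
# definition and would simply consume more of the event payload.
Sid = Struct(
    "Revision" / Const(0x01, Int8ul),
    "SubAuthorityCount" / Int8ul,
    "IdentifierAuthority" / Byte[6],
    "SubAuthority" / Array(lambda this: this.SubAuthorityCount, Int32ul)
)
--------------------------------------------------------------------------------
/etl/parsers/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/airbus-cert/etl-parser/76b7c046866ce0469cd129ee3f7bb3799b34e271/etl/parsers/__init__.py
--------------------------------------------------------------------------------
/etl/parsers/etw/Application_Addon_Event_Provider.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Application-Addon-Event-Provider
GUID : a83fa99f-c356-4ded-9fd6-5a5eb8546d68
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Event 1 / version 1: four wide strings describing the add-on.
@declare(guid=guid("a83fa99f-c356-4ded-9fd6-5a5eb8546d68"), event_id=1, version=1)
class Application_Addon_Event_Provider_1_1(Etw):
    pattern = Struct(
        "Application" / WString,
        "AddonName" / WString,
        "Publisher" / WString,
        "Version" / WString
    )


# Event 2 / version 1 shares the same payload layout as event 1.
@declare(guid=guid("a83fa99f-c356-4ded-9fd6-5a5eb8546d68"), event_id=2, version=1)
class Application_Addon_Event_Provider_2_1(Etw):
    pattern = Struct(
        "Application" / WString,
        "AddonName" / WString,
        "Publisher" / WString,
        "Version" / WString
    )

--------------------------------------------------------------------------------
/etl/parsers/etw/Application_Popup.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Application Popup
GUID : 47bfa2b7-bd54-4fac-b70b-29021084ca8f
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Event 26: caption and body text of a popup dialog.
@declare(guid=guid("47bfa2b7-bd54-4fac-b70b-29021084ca8f"), event_id=26, version=0)
class Application_Popup_26_0(Etw):
    pattern = Struct(
        "Caption" / WString,
        "Message" / WString
    )

--------------------------------------------------------------------------------
/etl/parsers/etw/Error_Instrument.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Error Instrument
GUID : cd7cf0d0-02cc-4872-9b65-0dba0a90efe8
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Event 1072: message-box style error report with caller module/address
# information followed by a length-prefixed opaque blob.
@declare(guid=guid("cd7cf0d0-02cc-4872-9b65-0dba0a90efe8"), event_id=1072, version=0)
class Error_Instrument_1072_0(Etw):
    pattern = Struct(
        "ProcessName" / WString,
        "WindowTitle" / WString,
        "MsgCaption" / WString,
        "MsgText" / WString,
        "CallerModuleName" / WString,
        "BaseAddress" / Int64ul,
        "ImageSize" / Int32ul,
        "ReturnAddress" / Int64ul,
        "__binLength" / Int32ul,
        # Subscript lookup on purpose: an attribute reference spelled
        # ``this.__binLength`` inside this class body is subject to Python's
        # private-name mangling (it is rewritten to
        # ``this._Error_Instrument_1072_0__binLength``), so the length lookup
        # failed at parse time.  The string key is not mangled.  The blob is
        # read from the event stream, so an oversized length from a crafted
        # trace ends in a construct stream error rather than a large allocation.
        "binary" / Bytes(lambda this: this["__binLength"])
    )

--------------------------------------------------------------------------------
/etl/parsers/etw/Microsoft_Antimalware_RTP.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Antimalware-RTP
GUID : 8e92deef-5e17-413b-b927-59b2f06a3cfc
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Events 14-17 carry a single file path; their meaning differs only by event id.
@declare(guid=guid("8e92deef-5e17-413b-b927-59b2f06a3cfc"), event_id=14, version=0)
class Microsoft_Antimalware_RTP_14_0(Etw):
    pattern = Struct(
        "File" / WString
    )


@declare(guid=guid("8e92deef-5e17-413b-b927-59b2f06a3cfc"), event_id=15, version=0)
class Microsoft_Antimalware_RTP_15_0(Etw):
    pattern = Struct(
        "File" / WString
    )


@declare(guid=guid("8e92deef-5e17-413b-b927-59b2f06a3cfc"), event_id=16, version=0)
class Microsoft_Antimalware_RTP_16_0(Etw):
    pattern = Struct(
        "File" / WString
    )


@declare(guid=guid("8e92deef-5e17-413b-b927-59b2f06a3cfc"), event_id=17, version=0)
class Microsoft_Antimalware_RTP_17_0(Etw):
    pattern = Struct(
        "File" / WString
    )


# Event 22: a described value transition (previous / intended-or-HRESULT / latest).
@declare(guid=guid("8e92deef-5e17-413b-b927-59b2f06a3cfc"), event_id=22, version=0)
class Microsoft_Antimalware_RTP_22_0(Etw):
    pattern = Struct(
        "Description" / WString,
        "PreviousValue" / Int32ul,
        "IntendedValueOrHResult" / Int32ul,
        "LatestValue" / Int32ul
    )

--------------------------------------------------------------------------------
/etl/parsers/etw/Microsoft_Antimalware_Scan_Interface.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Antimalware-Scan-Interface
GUID : 2a576b87-09a7-520e-c21a-4942f0271d67
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

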
# Event 1101: one AMSI scan request/result.  The payload embeds the scanned
# buffer itself (``content``, sized by ``contentsize``), so traces that
# contain this event carry the raw scanned data and should be handled as
# sensitive.  ``hash`` is a fixed 16-byte field; the digest algorithm is not
# given by this definition.
@declare(guid=guid("2a576b87-09a7-520e-c21a-4942f0271d67"), event_id=1101, version=0)
class Microsoft_Antimalware_Scan_Interface_1101_0(Etw):
    pattern = Struct(
        "session" / Int64ul,
        "scanStatus" / Int8ul,
        "scanResult" / Int32ul,
        "appname" / WString,
        "contentname" / WString,
        "contentsize" / Int32ul,
        "originalsize" / Int32ul,
        # Length comes from contentsize, not originalsize.
        "content" / Bytes(lambda this: this.contentsize),
        "hash" / Bytes(16),
        "contentFiltered" / Int8ul
    )

--------------------------------------------------------------------------------
/etl/parsers/etw/Microsoft_AppV_ServiceLog.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-AppV-ServiceLog
GUID : 9cc69d1c-7917-4acd-8066-6bf8b63e551b
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Events 1 and 2: a single free-form wide string (field names differ per manifest).
@declare(guid=guid("9cc69d1c-7917-4acd-8066-6bf8b63e551b"), event_id=1, version=0)
class Microsoft_AppV_ServiceLog_1_0(Etw):
    pattern = Struct(
        "stringValue1" / WString
    )


@declare(guid=guid("9cc69d1c-7917-4acd-8066-6bf8b63e551b"), event_id=2, version=0)
class Microsoft_AppV_ServiceLog_2_0(Etw):
    pattern = Struct(
        "WString1" / WString
    )


# Event 3: message with the emitting function name and source line.
@declare(guid=guid("9cc69d1c-7917-4acd-8066-6bf8b63e551b"), event_id=3, version=0)
class Microsoft_AppV_ServiceLog_3_0(Etw):
    pattern = Struct(
        "Message" / WString,
        "Function" / WString,
        "Line" / Int32ul
    )

--------------------------------------------------------------------------------
/etl/parsers/etw/Microsoft_Pef_WebProxy.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Pef-WebProxy
GUID : 6ef4653a-71f9-4ad3-b093-61c38c9c299f
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Event 1001: one captured proxy message.  ``Payload`` is the raw
# length-prefixed request/response data, so these traces contain captured
# traffic content.
@declare(guid=guid("6ef4653a-71f9-4ad3-b093-61c38c9c299f"), event_id=1001, version=0)
class Microsoft_Pef_WebProxy_1001_0(Etw):
    pattern = Struct(
        "SessionID" / Int32ul,
        "AccurateTimeStamp" / Int64ul,
        "OneIfRequest" / Int32ul,
        "PayloadLength" / Int32ul,
        "Payload" / Bytes(lambda this: this.PayloadLength)
    )


# Event 2000: a fragment of a larger payload, tagged with the id of the event
# it reassembles into.  Reassembly is not performed here.
@declare(guid=guid("6ef4653a-71f9-4ad3-b093-61c38c9c299f"), event_id=2000, version=0)
class Microsoft_Pef_WebProxy_2000_0(Etw):
    pattern = Struct(
        "ReassembledEventID" / Int16ul,
        "FragmentLength" / Int32ul,
        "Fragment" / Bytes(lambda this: this.FragmentLength)
    )

--------------------------------------------------------------------------------
/etl/parsers/etw/Microsoft_User_Experience_Virtualization_Admin.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-User Experience Virtualization-Admin
GUID : 61bc445e-7a8d-420e-ab36-9c7143881b98
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Event 0: a single wide string.
@declare(guid=guid("61bc445e-7a8d-420e-ab36-9c7143881b98"), event_id=0, version=0)
class Microsoft_User_Experience_Virtualization_Admin_0_0(Etw):
    pattern = Struct(
        "String" / WString
    )


# Event 1: a wide string followed by a 64-bit value (the manifest calls it "Ulong").
@declare(guid=guid("61bc445e-7a8d-420e-ab36-9c7143881b98"), event_id=1, version=0)
class Microsoft_User_Experience_Virtualization_Admin_1_0(Etw):
    pattern = Struct(
        "String" / WString,
        "Ulong" / Int64ul
    )

--------------------------------------------------------------------------------
/etl/parsers/etw/Microsoft_User_Experience_Virtualization_IPC.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-User Experience Virtualization-IPC
GUID : 21d79db0-8e03-41cd-9589-f3ef7001a92a
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Event 100: a single wide string; the leading underscore is part of the manifest name.
@declare(guid=guid("21d79db0-8e03-41cd-9589-f3ef7001a92a"), event_id=100, version=0)
class Microsoft_User_Experience_Virtualization_IPC_100_0(Etw):
    pattern = Struct(
        "_String1" / WString
    )

--------------------------------------------------------------------------------
/etl/parsers/etw/Microsoft_Windows_ASN1.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-ASN1
GUID : d92ef8ac-99dd-4ab8-b91d-c6eba85f3755
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Event 1: an ASN.1 encode/decode operation with the encoded bytes attached.
@declare(guid=guid("d92ef8ac-99dd-4ab8-b91d-c6eba85f3755"), event_id=1, version=0)
class Microsoft_Windows_ASN1_1_0(Etw):
    pattern = Struct(
        "Module" / WString,
        "PDU" / Int32ul,
        "Object" / CString,
        "Status" / Int32ul,
        "TotalEncodedLength" / Int32ul,
        "EncodedLength" / Int32ul,
        # Only EncodedLength governs the read; TotalEncodedLength is informational
        # here and may be larger than what this event actually carries.
        "Encoded" / Bytes(lambda this: this.EncodedLength)
    )

--------------------------------------------------------------------------------
/etl/parsers/etw/Microsoft_Windows_ActionQueue.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-ActionQueue
GUID : 0dd4d48e-2bbf-452f-a7ec-ba3dba8407ae
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Event 1001: path of the queue file being processed.
@declare(guid=guid("0dd4d48e-2bbf-452f-a7ec-ba3dba8407ae"), event_id=1001, version=0)
class Microsoft_Windows_ActionQueue_1001_0(Etw):
    pattern = Struct(
        "QueueFile" / WString
    )


@declare(guid=guid("0dd4d48e-2bbf-452f-a7ec-ba3dba8407ae"), event_id=1002, version=0)
class Microsoft_Windows_ActionQueue_1002_0(Etw):
    pattern = Struct(
        "ErrorCode" / Int32ul
    )


# Event 2001: a queued command line.  All four fields are narrow strings;
# "Identity" / "Pass" are manifest names -- treat the decoded values as
# potentially sensitive when sharing traces.
@declare(guid=guid("0dd4d48e-2bbf-452f-a7ec-ba3dba8407ae"), event_id=2001, version=0)
class Microsoft_Windows_ActionQueue_2001_0(Etw):
    pattern = Struct(
        "ExecutableName" / CString,
        "Arguments" / CString,
        "Identity" / CString,
        "Pass" / CString
    )


@declare(guid=guid("0dd4d48e-2bbf-452f-a7ec-ba3dba8407ae"), event_id=2002, version=0)
class Microsoft_Windows_ActionQueue_2002_0(Etw):
    pattern = Struct(
        "ErrorCode" / Int32ul
    )

--------------------------------------------------------------------------------
/etl/parsers/etw/Microsoft_Windows_AllJoyn.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-AllJoyn
GUID : 2ed299d2-2f6b-411d-8d15-f4cc6fde0c70
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Events 1 and 2: a status code plus message and source location (narrow strings).
@declare(guid=guid("2ed299d2-2f6b-411d-8d15-f4cc6fde0c70"), event_id=1, version=0)
class Microsoft_Windows_AllJoyn_1_0(Etw):
    pattern = Struct(
        "QStatus" / Int32ul,
        "Message" / CString,
        "Module" / CString,
        "File" / CString,
        "Line" / Int32ul
    )


@declare(guid=guid("2ed299d2-2f6b-411d-8d15-f4cc6fde0c70"), event_id=2, version=0)
class Microsoft_Windows_AllJoyn_2_0(Etw):
    pattern = Struct(
        "QStatus" / Int32ul,
        "Message" / CString,
        "Module" / CString,
        "File" / CString,
        "Line" / Int32ul
    )


# Events 3 and 4: same as above without the leading status code.
@declare(guid=guid("2ed299d2-2f6b-411d-8d15-f4cc6fde0c70"), event_id=3, version=0)
class Microsoft_Windows_AllJoyn_3_0(Etw):
    pattern = Struct(
        "Message" / CString,
        "Module" / CString,
        "File" / CString,
        "Line" / Int32ul
    )


@declare(guid=guid("2ed299d2-2f6b-411d-8d15-f4cc6fde0c70"), event_id=4, version=0)
class Microsoft_Windows_AllJoyn_4_0(Etw):
    pattern = Struct(
        "Message" / CString,
        "Module" / CString,
        "File" / CString,
        "Line" / Int32ul
    )

--------------------------------------------------------------------------------
/etl/parsers/etw/Microsoft_Windows_AppSruProv.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-AppSruProv
GUID : 0cc157b3-cf07-4fc2-91ee-31ac92e05fe1
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Event 3000: per-application resource usage record (foreground/background
# CPU cycles, context switches and I/O counters) attributed to a user SID.
# ``UserSid`` is parsed with the variable-length Sid structure from etl.dtyp,
# so the offsets of every later field depend on its SubAuthorityCount.
@declare(guid=guid("0cc157b3-cf07-4fc2-91ee-31ac92e05fe1"), event_id=3000, version=0)
class Microsoft_Windows_AppSruProv_3000_0(Etw):
    pattern = Struct(
        "AppId" / WString,
        "UserSid" / Sid,
        "FgCycles" / Int64ul,
        "BgCycles" / Int64ul,
        "FgClockTime" / Int64ul,
        "FgCtxSwitches" / Int32ul,
        "BgCtxSwitches" / Int32ul,
        "FgBytesRead" / Int64ul,
        "FgBytesWritten" / Int64ul,
        "FgNumReadOps" / Int32ul,
        "FgNumWriteOps" / Int32ul,
        "FgNumFlushOps" / Int32ul,
        "BgBytesRead" / Int64ul,
        "BgBytesWritten" / Int64ul,
        "BgNumReadOps" / Int32ul,
        "BgNumWriteOps" / Int32ul,
        "BgNumFlushOps" / Int32ul
    )

--------------------------------------------------------------------------------
/etl/parsers/etw/Microsoft_Windows_ApplicationExperience_LookupServiceTrigger.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-ApplicationExperience-LookupServiceTrigger
GUID : 18f4a5fd-fd3b-40a5-8fc2-e5d261c5d02e
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Event 1: a single GUID.  The field name ("Servie") is misspelled in the
# manifest and is kept verbatim because it is the key consumers look up.
@declare(guid=guid("18f4a5fd-fd3b-40a5-8fc2-e5d261c5d02e"), event_id=1, version=0)
class Microsoft_Windows_ApplicationExperience_LookupServiceTrigger_1_0(Etw):
    pattern = Struct(
        "AeLookupServieTrigger" / Guid
    )

--------------------------------------------------------------------------------
/etl/parsers/etw/Microsoft_Windows_Audit_CVE.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Audit-CVE
GUID : 85a62a0d-7e17-485f-9d4f-749a287193a6
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Events 1 and 2: a CVE identifier string plus free-form details.  Both
# strings are provider-supplied text and are not validated against the CVE
# id format here.
@declare(guid=guid("85a62a0d-7e17-485f-9d4f-749a287193a6"), event_id=1, version=0)
class Microsoft_Windows_Audit_CVE_1_0(Etw):
    pattern = Struct(
        "CVEID" / WString,
        "AdditionalDetails" / WString
    )


@declare(guid=guid("85a62a0d-7e17-485f-9d4f-749a287193a6"), event_id=2, version=0)
class Microsoft_Windows_Audit_CVE_2_0(Etw):
    pattern = Struct(
        "CVEID" / WString,
        "AdditionalDetails" / WString
    )

--------------------------------------------------------------------------------
/etl/parsers/etw/Microsoft_Windows_AuthenticationProvider.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-AuthenticationProvider
GUID : dddc1d91-51a1-4a8d-95b5-350c4ee3d809
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Event 101: authentication attempt record -- package, account, domain and
# target server, a ProtectedUser flag and the resulting error code.  These
# events identify accounts; handle exported traces accordingly.
@declare(guid=guid("dddc1d91-51a1-4a8d-95b5-350c4ee3d809"), event_id=101, version=0)
class Microsoft_Windows_AuthenticationProvider_101_0(Etw):
    pattern = Struct(
        "PackageName" / WString,
        "UserName" / WString,
        "DomainName" / WString,
        "ServerName" / WString,
        "ProtectedUser" / Int32ul,
        "ErrorCode" / Int32ul
    )


# Event 304: same identity fields without ServerName / ErrorCode.
@declare(guid=guid("dddc1d91-51a1-4a8d-95b5-350c4ee3d809"), event_id=304, version=0)
class Microsoft_Windows_AuthenticationProvider_304_0(Etw):
    pattern = Struct(
        "PackageName" / WString,
        "UserName" / WString,
        "DomainName" / WString,
        "ProtectedUser" / Int32ul
    )

--------------------------------------------------------------------------------
/etl/parsers/etw/Microsoft_Windows_BTH_BTHUSB.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-BTH-BTHUSB
GUID : 33693e1d-246a-471b-83be-3e75f47a832d
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Event 1: host-controller state (signed 8/16-bit values) and the PDO name.
@declare(guid=guid("33693e1d-246a-471b-83be-3e75f47a832d"), event_id=1, version=0)
class Microsoft_Windows_BTH_BTHUSB_1_0(Etw):
    pattern = Struct(
        "fid_BTHUSB_HC" / Int8sl,
        "fid_BTHUSB_HC_SELECTIVE_SUSPEND" / Int16sl,
        "fid_BTHUSB_HC_Pdo_Name" / WString
    )


# Events 2 and 3: a BIP type byte and a 32-bit length; no payload follows in
# this definition.
@declare(guid=guid("33693e1d-246a-471b-83be-3e75f47a832d"), event_id=2, version=0)
class Microsoft_Windows_BTH_BTHUSB_2_0(Etw):
    pattern = Struct(
        "BIP_Type" / Int8ul,
        "BIP_Length" / Int32ul
    )


@declare(guid=guid("33693e1d-246a-471b-83be-3e75f47a832d"), event_id=3, version=0)
class Microsoft_Windows_BTH_BTHUSB_3_0(Etw):
    pattern = Struct(
        "BIP_Type" / Int8ul,
        "BIP_Length" / Int32ul
    )

--------------------------------------------------------------------------------
/etl/parsers/etw/Microsoft_Windows_BfeTriggerProvider.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-BfeTriggerProvider
GUID : 54732ee5-61ca-4727-9da1-10be5a4f773d
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Events 1 and 2: a single trigger GUID for a firewall port status change.
@declare(guid=guid("54732ee5-61ca-4727-9da1-10be5a4f773d"), event_id=1, version=0)
class Microsoft_Windows_BfeTriggerProvider_1_0(Etw):
    pattern = Struct(
        "FirewallPortStatusChangeGuid" / Guid
    )


@declare(guid=guid("54732ee5-61ca-4727-9da1-10be5a4f773d"), event_id=2, version=0)
class Microsoft_Windows_BfeTriggerProvider_2_0(Etw):
    pattern = Struct(
        "FirewallPortStatusChangeGuid" / Guid
    )

--------------------------------------------------------------------------------
/etl/parsers/etw/Microsoft_Windows_Bluetooth_BthLEPrepairing.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Bluetooth-BthLEPrepairing
GUID : 4af188ac-e9c4-4c11-b07b-1fabc07dfeb2
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Event 100 has no payload fields: the empty Struct consumes zero bytes, the
# event is recognised by id only.
@declare(guid=guid("4af188ac-e9c4-4c11-b07b-1fabc07dfeb2"), event_id=100, version=0)
class Microsoft_Windows_Bluetooth_BthLEPrepairing_100_0(Etw):
    pattern = Struct(

    )

--------------------------------------------------------------------------------
/etl/parsers/etw/Microsoft_Windows_Bluetooth_Bthmini.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Bluetooth-Bthmini
GUID : db25b328-a6f6-444f-9d97-a50e20217d16
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Event 200: three 32-bit version/service numbers.
@declare(guid=guid("db25b328-a6f6-444f-9d97-a50e20217d16"), event_id=200, version=0)
class Microsoft_Windows_Bluetooth_Bthmini_200_0(Etw):
    pattern = Struct(
        "Major" / Int32ul,
        "Minor" / Int32ul,
        "Service" / Int32ul
    )


# Events 201 and 202: a length-check report (expected min/max vs. actual).
@declare(guid=guid("db25b328-a6f6-444f-9d97-a50e20217d16"), event_id=201, version=0)
class Microsoft_Windows_Bluetooth_Bthmini_201_0(Etw):
    pattern = Struct(
        "ExpectedLengthMin" / Int32ul,
        "ExpectedLengthMax" / Int32ul,
        "ActualLength" / Int32ul
    )


@declare(guid=guid("db25b328-a6f6-444f-9d97-a50e20217d16"), event_id=202, version=0)
class Microsoft_Windows_Bluetooth_Bthmini_202_0(Etw):
    pattern = Struct(
        "ExpectedLengthMin" / Int32ul,
        "ExpectedLengthMax" / Int32ul,
        "ActualLength" / Int32ul
    )

--------------------------------------------------------------------------------
/etl/parsers/etw/Microsoft_Windows_BootUX.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-BootUX
GUID : 67d781bd-cbd2-4bd2-ad1f-6152fb891246
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Event 1004: two byte-sized flags (UsingUSB, success) and a 32-bit result code.
@declare(guid=guid("67d781bd-cbd2-4bd2-ad1f-6152fb891246"), event_id=1004, version=0)
class Microsoft_Windows_BootUX_1004_0(Etw):
    pattern = Struct(
        "UsingUSB" / Int8ul,
        "success" / Int8ul,
        "resultCode" / Int32ul
    )


# Event 1005: exception report with the faulting program counter.
@declare(guid=guid("67d781bd-cbd2-4bd2-ad1f-6152fb891246"), event_id=1005, version=0)
class Microsoft_Windows_BootUX_1005_0(Etw):
    pattern = Struct(
        "programCounter" / Int64ul,
        "exceptionType" / Int32ul
    )

--------------------------------------------------------------------------------
/etl/parsers/etw/Microsoft_Windows_BranchCacheClientEventProvider.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-BranchCacheClientEventProvider
GUID : e837619c-a2a8-4689-833f-47b48ebd2442
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Events 10103/10105/10107: a single error code.  Note this provider declares
# it as a *signed* 32-bit value (Int32sl), unlike most other providers in this
# package which use Int32ul; negative values here are HRESULT-style failures.
@declare(guid=guid("e837619c-a2a8-4689-833f-47b48ebd2442"), event_id=10103, version=0)
class Microsoft_Windows_BranchCacheClientEventProvider_10103_0(Etw):
    pattern = Struct(
        "ErrorCode" / Int32sl
    )


@declare(guid=guid("e837619c-a2a8-4689-833f-47b48ebd2442"), event_id=10105, version=0)
class Microsoft_Windows_BranchCacheClientEventProvider_10105_0(Etw):
    pattern = Struct(
        "ErrorCode" / Int32sl
    )


@declare(guid=guid("e837619c-a2a8-4689-833f-47b48ebd2442"), event_id=10107, version=0)
class Microsoft_Windows_BranchCacheClientEventProvider_10107_0(Etw):
    pattern = Struct(
        "ErrorCode" / Int32sl
    )

--------------------------------------------------------------------------------
/etl/parsers/etw/Microsoft_Windows_CDROM.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-CDROM
GUID : 9b6123dc-9af6-4430-80d7-7d36f054fb9f
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Event 100: the affected device name.
@declare(guid=guid("9b6123dc-9af6-4430-80d7-7d36f054fb9f"), event_id=100, version=0)
class Microsoft_Windows_CDROM_100_0(Etw):
    pattern = Struct(
        "DeviceName" / WString
    )

--------------------------------------------------------------------------------
/etl/parsers/etw/Microsoft_Windows_COM.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-COM
GUID : d4263c98-310c-4d97-ba39-b55354f08584
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Event 1: the CLSID involved, parsed with the shared Guid helper.
@declare(guid=guid("d4263c98-310c-4d97-ba39-b55354f08584"), event_id=1, version=0)
class Microsoft_Windows_COM_1_0(Etw):
    pattern = Struct(
        "CLSID" / Guid
    )

--------------------------------------------------------------------------------
/etl/parsers/etw/Microsoft_Windows_CertificationAuthorityClient_CertCli.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-CertificationAuthorityClient-CertCli
GUID : 98bf1cd3-583e-4926-95ee-a61bf3f46470
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Event 10000: enrollment server URL and the fault string it returned.  Both
# are server-controlled text and should be rendered as data, not markup.
@declare(guid=guid("98bf1cd3-583e-4926-95ee-a61bf3f46470"), event_id=10000, version=0)
class Microsoft_Windows_CertificationAuthorityClient_CertCli_10000_0(Etw):
    pattern = Struct(
        "ServerURL" / WString,
        "FaultString" / WString
    )

# ---------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_CmiSetup.py
# ---------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-CmiSetup
GUID : 75ebc33e-0cc6-49da-8cd9-8903a5222aa0
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("75ebc33e-0cc6-49da-8cd9-8903a5222aa0"), event_id=1002, version=0)
class Microsoft_Windows_CmiSetup_1002_0(Etw):
    """Field layout for Microsoft-Windows-CmiSetup event 1002 (version 0): one unsigned 32-bit error code."""

    pattern = Struct("ErrorCode" / Int32ul)


@declare(guid=guid("75ebc33e-0cc6-49da-8cd9-8903a5222aa0"), event_id=2002, version=0)
class Microsoft_Windows_CmiSetup_2002_0(Etw):
    """Field layout for Microsoft-Windows-CmiSetup event 2002 (version 0): one unsigned 32-bit error code."""

    pattern = Struct("ErrorCode" / Int32ul)


@declare(guid=guid("75ebc33e-0cc6-49da-8cd9-8903a5222aa0"), event_id=3002, version=0)
class Microsoft_Windows_CmiSetup_3002_0(Etw):
    """Field layout for Microsoft-Windows-CmiSetup event 3002 (version 0): one unsigned 32-bit error code."""

    pattern = Struct("ErrorCode" / Int32ul)


# ---------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_ComDlg32.py
# ---------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-ComDlg32
GUID : 7f912b92-21ad-496e-b97a-88622a72bc42
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("7f912b92-21ad-496e-b97a-88622a72bc42"), event_id=40120, version=0)
class Microsoft_Windows_ComDlg32_40120_0(Etw):
    """Field layout for Microsoft-Windows-ComDlg32 event 40120 (version 0): a single unsigned 32-bit counter."""

    pattern = Struct("FamiliesAdded" / Int32ul)


# ---------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_Compat_Appraiser.py
# ---------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Compat-Appraiser
GUID : 442c11c5-304b-45a4-ae73-dc2194c4e876
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("442c11c5-304b-45a4-ae73-dc2194c4e876"), event_id=1, version=0)
class Microsoft_Windows_Compat_Appraiser_1_0(Etw):
    """Field layout for Compat-Appraiser event 1 (version 0): a source location plus a free-text message."""

    # The three strings are narrow, NUL-terminated values decoded by etl.utils.CString.
    pattern = Struct(
        "SourceLine" / Int32ul,
        "SourceFile" / CString,
        "FunctionName" / CString,
        "Message" / CString,
    )


@declare(guid=guid("442c11c5-304b-45a4-ae73-dc2194c4e876"), event_id=2, version=0)
class Microsoft_Windows_Compat_Appraiser_2_0(Etw):
    """Field layout for Compat-Appraiser event 2 (version 0): like event 1 with an HResult before the message."""

    pattern = Struct(
        "SourceLine" / Int32ul,
        "SourceFile" / CString,
        "FunctionName" / CString,
        "HResult" / Int32ul,
        "Message" / CString,
    )


@declare(guid=guid("442c11c5-304b-45a4-ae73-dc2194c4e876"), event_id=3, version=0)
class Microsoft_Windows_Compat_Appraiser_3_0(Etw):
    """Field layout for Compat-Appraiser event 3 (version 0): only a narrow-string message."""

    pattern = Struct("Message" / CString)


# ---------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_Containers_BindFlt.py
# ---------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Containers-BindFlt
GUID : fc4e8f51-7a04-4bab-8b91-6321416f72ab
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("fc4e8f51-7a04-4bab-8b91-6321416f72ab"), event_id=1, version=0)
class Microsoft_Windows_Containers_BindFlt_1_0(Etw):
    """Field layout for Containers-BindFlt event 1 (version 0): a single NTSTATUS-sized unsigned value."""

    pattern = Struct("NTStatus" / Int32ul)


@declare(guid=guid("fc4e8f51-7a04-4bab-8b91-6321416f72ab"), event_id=3, version=0)
class Microsoft_Windows_Containers_BindFlt_3_0(Etw):
    """Field layout for Containers-BindFlt event 3 (version 0): a status followed by a length-prefixed volume name."""

    # VolumeName is read as raw bytes whose length is the preceding 16-bit field,
    # i.e. the record describes its own size; construct stops with an error
    # rather than over-reading if the record is shorter than declared. The
    # bytes are not decoded to text here (encoding not established by this
    # file; presumably UTF-16LE, confirm against the provider manifest).
    pattern = Struct(
        "NTStatus" / Int32ul,
        "VolumeNameLength" / Int16ul,
        "VolumeName" / Bytes(lambda this: this.VolumeNameLength),
    )


# ---------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_Containers_BindFlt_Mapping.py
# ---------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Containers-BindFlt-Mapping
GUID : 8fe0dd83-1368-5786-3a82-f746c6f1dd62
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("8fe0dd83-1368-5786-3a82-f746c6f1dd62"), event_id=1, version=0)
class Microsoft_Windows_Containers_BindFlt_Mapping_1_0(Etw):
    """Field layout for Containers-BindFlt-Mapping event 1 (version 0): two length-prefixed byte blobs, Source and Target."""

    # Each blob's length is the 16-bit field immediately before it; both are
    # left as raw bytes (no text decoding is done in this parser).
    pattern = Struct(
        "SourceLength" / Int16ul,
        "Source" / Bytes(lambda this: this.SourceLength),
        "TargetLength" / Int16ul,
        "Target" / Bytes(lambda this: this.TargetLength),
    )


# ---------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_Containers_Wcifs.py
# ---------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Containers-Wcifs
GUID : aec5c129-7c10-407d-be97-91a042c61aaa
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("aec5c129-7c10-407d-be97-91a042c61aaa"), event_id=1, version=0)
class Microsoft_Windows_Containers_Wcifs_1_0(Etw):
    """Field layout for Containers-Wcifs event 1 (version 0): a single NTSTATUS-sized unsigned value."""

    pattern = Struct("NTStatus" / Int32ul)


@declare(guid=guid("aec5c129-7c10-407d-be97-91a042c61aaa"), event_id=3, version=0)
class Microsoft_Windows_Containers_Wcifs_3_0(Etw):
    """Field layout for Containers-Wcifs event 3 (version 0): a status followed by a length-prefixed volume name."""

    # Same self-describing layout as the BindFlt provider's event 3: the
    # 16-bit length bounds the raw VolumeName bytes.
    pattern = Struct(
        "NTStatus" / Int32ul,
        "VolumeNameLength" / Int16ul,
        "VolumeName" / Bytes(lambda this: this.VolumeNameLength),
    )


# ---------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_Containers_Wcifs_Mapping.py
# ---------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Containers-Wcifs-Mapping
GUID : 0223f0a3-6383-5a7a-7bc7-04d4739e2e32
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("0223f0a3-6383-5a7a-7bc7-04d4739e2e32"), event_id=1, version=0)
class Microsoft_Windows_Containers_Wcifs_Mapping_1_0(Etw):
    """Field layout for Containers-Wcifs-Mapping event 1 (version 0): two length-prefixed byte blobs, Source and Target."""

    pattern = Struct(
        "SourceLength" / Int16ul,
        "Source" / Bytes(lambda this: this.SourceLength),
        "TargetLength" / Int16ul,
        "Target" / Bytes(lambda this: this.TargetLength),
    )
-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Containers_Wcnfs.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-Containers-Wcnfs 4 | GUID : b99317e5-89b7-4c0d-abd1-6e705f7912dc 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("b99317e5-89b7-4c0d-abd1-6e705f7912dc"), event_id=1, version=0) 13 | class Microsoft_Windows_Containers_Wcnfs_1_0(Etw): 14 | pattern = Struct( 15 | "NTStatus" / Int32ul 16 | ) 17 | 18 | 19 | @declare(guid=guid("b99317e5-89b7-4c0d-abd1-6e705f7912dc"), event_id=3, version=0) 20 | class Microsoft_Windows_Containers_Wcnfs_3_0(Etw): 21 | pattern = Struct( 22 | "NTStatus" / Int32ul, 23 | "VolumeNameLength" / Int16ul, 24 | "VolumeName" / Bytes(lambda this: this.VolumeNameLength) 25 | ) 26 | 27 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_CoreSystem_InitMachineConfig.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-CoreSystem-InitMachineConfig 4 | GUID : 0b886108-1899-4d3a-9c0d-42d8fc4b9108 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("0b886108-1899-4d3a-9c0d-42d8fc4b9108"), event_id=1, version=0) 13 | class Microsoft_Windows_CoreSystem_InitMachineConfig_1_0(Etw): 14 | pattern = Struct( 15 | 
"evtErrorId" / Int64ul, 16 | "evtHiveNameLength" / Int16ul, 17 | "evtHiveName" / Bytes(lambda this: this.evtHiveNameLength), 18 | "evtStatus" / Int32ul, 19 | "evtAdditionalInfo" / Int64ul 20 | ) 21 | 22 | 23 | @declare(guid=guid("0b886108-1899-4d3a-9c0d-42d8fc4b9108"), event_id=2, version=0) 24 | class Microsoft_Windows_CoreSystem_InitMachineConfig_2_0(Etw): 25 | pattern = Struct( 26 | "evtHiveNameLength" / Int16ul, 27 | "evtHiveName" / Bytes(lambda this: this.evtHiveNameLength) 28 | ) 29 | 30 | 31 | @declare(guid=guid("0b886108-1899-4d3a-9c0d-42d8fc4b9108"), event_id=3, version=0) 32 | class Microsoft_Windows_CoreSystem_InitMachineConfig_3_0(Etw): 33 | pattern = Struct( 34 | "evtStatus" / Int32ul 35 | ) 36 | 37 | 38 | @declare(guid=guid("0b886108-1899-4d3a-9c0d-42d8fc4b9108"), event_id=4, version=0) 39 | class Microsoft_Windows_CoreSystem_InitMachineConfig_4_0(Etw): 40 | pattern = Struct( 41 | "evtStatus" / Int32ul 42 | ) 43 | 44 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_CoreSystem_NetProvision_JoinProviderOnline.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-CoreSystem-NetProvision-JoinProviderOnline 4 | GUID : 3629dd4d-d6f1-4302-a623-0768b51501c7 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("3629dd4d-d6f1-4302-a623-0768b51501c7"), event_id=4098, version=0) 13 | class Microsoft_Windows_CoreSystem_NetProvision_JoinProviderOnline_4098_0(Etw): 14 | pattern = Struct( 15 | "DomainName" / WString, 16 | "ComputerName" / WString 17 | ) 18 | 19 | 20 | @declare(guid=guid("3629dd4d-d6f1-4302-a623-0768b51501c7"), event_id=4099, version=0) 
21 | class Microsoft_Windows_CoreSystem_NetProvision_JoinProviderOnline_4099_0(Etw): 22 | pattern = Struct( 23 | "DomainName" / WString, 24 | "ComputerName" / WString, 25 | "NetStatusCode" / Int32ul 26 | ) 27 | 28 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_CoreWindow.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-CoreWindow 4 | GUID : a3d95055-34cc-4e4a-b99f-ec88f5370495 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("a3d95055-34cc-4e4a-b99f-ec88f5370495"), event_id=1003, version=0) 13 | class Microsoft_Windows_CoreWindow_1003_0(Etw): 14 | pattern = Struct( 15 | "PointerId" / Int32ul 16 | ) 17 | 18 | 19 | @declare(guid=guid("a3d95055-34cc-4e4a-b99f-ec88f5370495"), event_id=1004, version=0) 20 | class Microsoft_Windows_CoreWindow_1004_0(Etw): 21 | pattern = Struct( 22 | "PointerId" / Int32ul 23 | ) 24 | 25 | 26 | @declare(guid=guid("a3d95055-34cc-4e4a-b99f-ec88f5370495"), event_id=1005, version=0) 27 | class Microsoft_Windows_CoreWindow_1005_0(Etw): 28 | pattern = Struct( 29 | "PointerId" / Int32ul 30 | ) 31 | 32 | 33 | @declare(guid=guid("a3d95055-34cc-4e4a-b99f-ec88f5370495"), event_id=1006, version=0) 34 | class Microsoft_Windows_CoreWindow_1006_0(Etw): 35 | pattern = Struct( 36 | "PointerId" / Int32ul 37 | ) 38 | 39 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_CorruptedFileRecovery_Client.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-CorruptedFileRecovery-Client 4 
| GUID : ba093605-3909-4345-990b-26b746adee0a 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("ba093605-3909-4345-990b-26b746adee0a"), event_id=1, version=0) 13 | class Microsoft_Windows_CorruptedFileRecovery_Client_1_0(Etw): 14 | pattern = Struct( 15 | "FileName" / WString, 16 | "AppName" / WString, 17 | "ErrorCode" / Int32ul 18 | ) 19 | 20 | 21 | @declare(guid=guid("ba093605-3909-4345-990b-26b746adee0a"), event_id=2, version=0) 22 | class Microsoft_Windows_CorruptedFileRecovery_Client_2_0(Etw): 23 | pattern = Struct( 24 | "FileName" / WString, 25 | "AppName" / WString 26 | ) 27 | 28 | 29 | @declare(guid=guid("ba093605-3909-4345-990b-26b746adee0a"), event_id=3, version=0) 30 | class Microsoft_Windows_CorruptedFileRecovery_Client_3_0(Etw): 31 | pattern = Struct( 32 | "FileName" / WString, 33 | "AppName" / WString 34 | ) 35 | 36 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Crashdump.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-Crashdump 4 | GUID : ecdaacfa-6fe9-477c-b5f0-85b76f8f50aa 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("ecdaacfa-6fe9-477c-b5f0-85b76f8f50aa"), event_id=1, version=1) 13 | class Microsoft_Windows_Crashdump_1_1(Etw): 14 | pattern = Struct( 15 | "ResumeCapable" / Int8ul, 16 | "ReasonCodes" / Int32ul 17 | ) 18 | 19 | 20 | 
@declare(guid=guid("ecdaacfa-6fe9-477c-b5f0-85b76f8f50aa"), event_id=2, version=1) 21 | class Microsoft_Windows_Crashdump_2_1(Etw): 22 | pattern = Struct( 23 | "Minimum" / Int32ul, 24 | "Maximum" / Int32ul 25 | ) 26 | 27 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Crypto_BCrypt.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-Crypto-BCrypt 4 | GUID : c7e089ac-ba2a-11e0-9af7-68384824019b 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("c7e089ac-ba2a-11e0-9af7-68384824019b"), event_id=1, version=0) 13 | class Microsoft_Windows_Crypto_BCrypt_1_0(Etw): 14 | pattern = Struct( 15 | "ProviderName" / WString, 16 | "AlgorithmName" / WString, 17 | "dwFlags" / Int32ul, 18 | "Status" / Int32ul, 19 | "OperationType" / Int32ul 20 | ) 21 | 22 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Crypto_CNG.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-Crypto-CNG 4 | GUID : e3e0e2f0-c9c5-11e0-8ab9-9ebc4824019b 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("e3e0e2f0-c9c5-11e0-8ab9-9ebc4824019b"), event_id=1, version=0) 13 | class Microsoft_Windows_Crypto_CNG_1_0(Etw): 14 | pattern = Struct( 15 | "ProviderName" / WString, 16 | 
"AlgorithmName" / WString, 17 | "dwFlags" / Int32ul, 18 | "Status" / Int32ul, 19 | "OperationType" / Int32ul 20 | ) 21 | 22 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_D3D10Level9.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-D3D10Level9 4 | GUID : 7e7d3382-023c-43cb-95d2-6f0ca6d70381 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("7e7d3382-023c-43cb-95d2-6f0ca6d70381"), event_id=1, version=0) 13 | class Microsoft_Windows_D3D10Level9_1_0(Etw): 14 | pattern = Struct( 15 | "D3D10Level9Resource" / Int64ul, 16 | "m_hDX9Resource" / Int64ul, 17 | "Usage" / Int32ul 18 | ) 19 | 20 | 21 | @declare(guid=guid("7e7d3382-023c-43cb-95d2-6f0ca6d70381"), event_id=2, version=0) 22 | class Microsoft_Windows_D3D10Level9_2_0(Etw): 23 | pattern = Struct( 24 | "D3D10Level9Resource" / Int64ul, 25 | "m_hDX9Resource" / Int64ul, 26 | "Usage" / Int32ul 27 | ) 28 | 29 | 30 | @declare(guid=guid("7e7d3382-023c-43cb-95d2-6f0ca6d70381"), event_id=3, version=0) 31 | class Microsoft_Windows_D3D10Level9_3_0(Etw): 32 | pattern = Struct( 33 | "D3D10Level9Resource" / Int64ul, 34 | "m_hDX9Resource" / Int64ul, 35 | "Usage" / Int32ul 36 | ) 37 | 38 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_DeliveryOptimization.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-DeliveryOptimization 4 | GUID : f8ad09ba-419c-5134-1750-270f4d0fb889 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, 
Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("f8ad09ba-419c-5134-1750-270f4d0fb889"), event_id=0, version=0) 13 | class Microsoft_Windows_DeliveryOptimization_0_0(Etw): 14 | pattern = Struct( 15 | "policyName" / WString, 16 | "policyValue" / WString 17 | ) 18 | 19 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Deplorch.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-Deplorch 4 | GUID : b9da9fe6-ae5f-4f3e-b2fa-8e623c11dc75 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("b9da9fe6-ae5f-4f3e-b2fa-8e623c11dc75"), event_id=1002, version=0) 13 | class Microsoft_Windows_Deplorch_1002_0(Etw): 14 | pattern = Struct( 15 | "ErrorCode" / Int32ul 16 | ) 17 | 18 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_DevMgmt_UefiCsp.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-DevMgmt-UefiCsp 4 | GUID : 739d66d8-76c4-4004-873f-169ae5c6eaca 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("739d66d8-76c4-4004-873f-169ae5c6eaca"), event_id=10, 
version=0) 13 | class Microsoft_Windows_DevMgmt_UefiCsp_10_0(Etw): 14 | pattern = Struct( 15 | "FunctionName" / WString 16 | ) 17 | 18 | 19 | @declare(guid=guid("739d66d8-76c4-4004-873f-169ae5c6eaca"), event_id=11, version=0) 20 | class Microsoft_Windows_DevMgmt_UefiCsp_11_0(Etw): 21 | pattern = Struct( 22 | "ErrorString" / WString, 23 | "ErrorCode" / Int32ul 24 | ) 25 | 26 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_DeviceConfidence.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-DeviceConfidence 4 | GUID : 1d5990c1-ec62-49f0-9e37-1f4db12db41e 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("1d5990c1-ec62-49f0-9e37-1f4db12db41e"), event_id=2000, version=0) 13 | class Microsoft_Windows_DeviceConfidence_2000_0(Etw): 14 | pattern = Struct( 15 | "packageSid" / WString, 16 | "capabilityName" / WString 17 | ) 18 | 19 | 20 | @declare(guid=guid("1d5990c1-ec62-49f0-9e37-1f4db12db41e"), event_id=2001, version=0) 21 | class Microsoft_Windows_DeviceConfidence_2001_0(Etw): 22 | pattern = Struct( 23 | "packageSid" / WString, 24 | "error" / Int32ul 25 | ) 26 | 27 | 28 | @declare(guid=guid("1d5990c1-ec62-49f0-9e37-1f4db12db41e"), event_id=2002, version=0) 29 | class Microsoft_Windows_DeviceConfidence_2002_0(Etw): 30 | pattern = Struct( 31 | "packageSid" / WString, 32 | "error" / Int32ul 33 | ) 34 | 35 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_DeviceSync.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | 
Microsoft-Windows-DeviceSync 4 | GUID : 09ec9687-d7ad-40ca-9c5e-78a04a5ae993 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("09ec9687-d7ad-40ca-9c5e-78a04a5ae993"), event_id=1001, version=0) 13 | class Microsoft_Windows_DeviceSync_1001_0(Etw): 14 | pattern = Struct( 15 | "Error_DUID" / Guid, 16 | "Error_Partnership" / Guid, 17 | "Error_Type" / Int8ul, 18 | "Error_HResult" / Int32sl, 19 | "Error_Time" / Int64ul, 20 | "nameLen" / Int32ul, 21 | "dataName" / Bytes(lambda this: this.nameLen), 22 | "descLen" / Int32ul, 23 | "dataDesc" / Bytes(lambda this: this.descLen), 24 | "detailLen" / Int32ul, 25 | "dataDetail" / Bytes(lambda this: this.detailLen), 26 | "Error_Link" / WString 27 | ) 28 | 29 | 30 | @declare(guid=guid("09ec9687-d7ad-40ca-9c5e-78a04a5ae993"), event_id=1002, version=0) 31 | class Microsoft_Windows_DeviceSync_1002_0(Etw): 32 | pattern = Struct( 33 | "Event_DUID" / Guid, 34 | "Event_Partnership" / Guid, 35 | "Event_Code" / Int8ul, 36 | "Event_Time" / Int64ul 37 | ) 38 | 39 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Diagnosis_WDI.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-Diagnosis-WDI 4 | GUID : e01b1a7c-c5c9-4e67-99a9-5e85acfb2e10 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("e01b1a7c-c5c9-4e67-99a9-5e85acfb2e10"), event_id=140, version=0) 13 | class 
Microsoft_Windows_Diagnosis_WDI_140_0(Etw): 14 | pattern = Struct( 15 | "FileName" / WString, 16 | "FunctionName" / WString, 17 | "LineNumber" / Int32sl, 18 | "ErrorMessage" / WString 19 | ) 20 | 21 | 22 | @declare(guid=guid("e01b1a7c-c5c9-4e67-99a9-5e85acfb2e10"), event_id=5016, version=0) 23 | class Microsoft_Windows_Diagnosis_WDI_5016_0(Etw): 24 | pattern = Struct( 25 | "FileName" / CString, 26 | "Line" / Int32ul, 27 | "Address" / Int64ul, 28 | "Size" / Int64ul 29 | ) 30 | 31 | 32 | @declare(guid=guid("e01b1a7c-c5c9-4e67-99a9-5e85acfb2e10"), event_id=5017, version=0) 33 | class Microsoft_Windows_Diagnosis_WDI_5017_0(Etw): 34 | pattern = Struct( 35 | "FileName" / CString, 36 | "Line" / Int32ul, 37 | "Address" / Int64ul 38 | ) 39 | 40 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_DirectSound.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-DirectSound 4 | GUID : 8a93b54b-c75a-49b5-a5be-9060715b1a33 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("8a93b54b-c75a-49b5-a5be-9060715b1a33"), event_id=1, version=0) 13 | class Microsoft_Windows_DirectSound_1_0(Etw): 14 | pattern = Struct( 15 | "hr" / Int32ul, 16 | "hrString" / WString 17 | ) 18 | 19 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_DiskDiagnostic.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-DiskDiagnostic 4 | GUID : e670a5a2-ce74-4ab4-9347-61b815319f4c 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, 
# tail of the construct import line that starts above this span
Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Each class below only carries a `pattern` Struct; the (guid, event_id,
# version) triple it is declared under comes from the @declare arguments.
@declare(guid=guid("e670a5a2-ce74-4ab4-9347-61b815319f4c"), event_id=1, version=0)
class Microsoft_Windows_DiskDiagnostic_1_0(Etw):
    """Payload layout for event 1, version 0 of Microsoft-Windows-DiskDiagnostic."""
    pattern = Struct(
        "DiskFriendlyName" / WString,
        "VolumeNames" / WString,
        "HardwareID" / WString
    )


@declare(guid=guid("e670a5a2-ce74-4ab4-9347-61b815319f4c"), event_id=4, version=0)
class Microsoft_Windows_DiskDiagnostic_4_0(Etw):
    """Payload layout for event 4, version 0 of Microsoft-Windows-DiskDiagnostic."""
    pattern = Struct(
        "ErrorCode" / Int32ul
    )


@declare(guid=guid("e670a5a2-ce74-4ab4-9347-61b815319f4c"), event_id=5, version=0)
class Microsoft_Windows_DiskDiagnostic_5_0(Etw):
    """Payload layout for event 5, version 0 of Microsoft-Windows-DiskDiagnostic."""
    pattern = Struct(
        "DiskFriendlyName" / WString,
        "VolumeNames" / WString,
        "HardwareID" / WString
    )


@declare(guid=guid("e670a5a2-ce74-4ab4-9347-61b815319f4c"), event_id=7, version=0)
class Microsoft_Windows_DiskDiagnostic_7_0(Etw):
    """Payload layout for event 7, version 0 of Microsoft-Windows-DiskDiagnostic."""
    pattern = Struct(
        "ErrorCode" / Int32ul
    )

# ---- /etl/parsers/etw/Microsoft_Windows_DiskDiagnosticResolver.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-DiskDiagnosticResolver
GUID : 6b1ffe48-5b1e-4793-9f7f-ae926454499d
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("6b1ffe48-5b1e-4793-9f7f-ae926454499d"), event_id=7, version=0)
class Microsoft_Windows_DiskDiagnosticResolver_7_0(Etw):
    """Payload layout for event 7, version 0 of Microsoft-Windows-DiskDiagnosticResolver."""
    pattern = Struct(
        "ErrorCode" / Int32ul
    )

# ---- /etl/parsers/etw/Microsoft_Windows_DomainJoinManagerTriggerProvider.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-DomainJoinManagerTriggerProvider
GUID : 5b004607-1087-4f16-b10e-979685a8d131
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("5b004607-1087-4f16-b10e-979685a8d131"), event_id=1, version=0)
class Microsoft_Windows_DomainJoinManagerTriggerProvider_1_0(Etw):
    """Payload layout for event 1, version 0 of Microsoft-Windows-DomainJoinManagerTriggerProvider."""
    pattern = Struct(
        "DomainMembershipChangeGuid" / Guid
    )


@declare(guid=guid("5b004607-1087-4f16-b10e-979685a8d131"), event_id=2, version=0)
class Microsoft_Windows_DomainJoinManagerTriggerProvider_2_0(Etw):
    """Payload layout for event 2, version 0 of Microsoft-Windows-DomainJoinManagerTriggerProvider."""
    pattern = Struct(
        "DomainMembershipChangeGuid" / Guid
    )

# ---- /etl/parsers/etw/Microsoft_Windows_DxpTaskSyncProvider.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-DxpTaskSyncProvider
GUID : 271c5228-c3fe-4e47-831f-48c3652ce5ac
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("271c5228-c3fe-4e47-831f-48c3652ce5ac"), event_id=330, version=0)
class Microsoft_Windows_DxpTaskSyncProvider_330_0(Etw):
    """Payload layout for event 330, version 0 of Microsoft-Windows-DxpTaskSyncProvider."""
    pattern = Struct(
        "ContainerID" / Guid
    )


@declare(guid=guid("271c5228-c3fe-4e47-831f-48c3652ce5ac"), event_id=331, version=0)
class Microsoft_Windows_DxpTaskSyncProvider_331_0(Etw):
    """Payload layout for event 331, version 0 of Microsoft-Windows-DxpTaskSyncProvider."""
    pattern = Struct(
        "ContainerID" / Guid
    )


@declare(guid=guid("271c5228-c3fe-4e47-831f-48c3652ce5ac"), event_id=332, version=0)
class Microsoft_Windows_DxpTaskSyncProvider_332_0(Etw):
    """Payload layout for event 332, version 0 of Microsoft-Windows-DxpTaskSyncProvider."""
    pattern = Struct(
        "ContainerID" / Guid
    )


@declare(guid=guid("271c5228-c3fe-4e47-831f-48c3652ce5ac"), event_id=333, version=0)
class Microsoft_Windows_DxpTaskSyncProvider_333_0(Etw):
    """Payload layout for event 333, version 0 of Microsoft-Windows-DxpTaskSyncProvider."""
    pattern = Struct(
        "ContainerID" / Guid
    )

# ---- /etl/parsers/etw/Microsoft_Windows_EDP_AppLearning.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-EDP-AppLearning
GUID : 9803daa0-81ba-483a-986c-f0e395b9f8d1
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("9803daa0-81ba-483a-986c-f0e395b9f8d1"), event_id=401, version=0)
class Microsoft_Windows_EDP_AppLearning_401_0(Etw):
    """Payload layout for event 401, version 0 of Microsoft-Windows-EDP-AppLearning."""
    pattern = Struct(
        "ApplicationName" / WString,
        # Action / IdType are raw 32-bit values; their enumerations are not defined on this page
        "Action" / Int32ul,
        "IdType" / Int32ul
    )


@declare(guid=guid("9803daa0-81ba-483a-986c-f0e395b9f8d1"), event_id=402, version=0)
class Microsoft_Windows_EDP_AppLearning_402_0(Etw):
    """Payload layout for event 402, version 0 of Microsoft-Windows-EDP-AppLearning."""
    pattern = Struct(
        "WebSite" / WString
    )

# ----
# /etl/parsers/etw/Microsoft_Windows_EDP_Audit_Regular.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-EDP-Audit-Regular
GUID : 50f99b2d-96d2-421f-be4c-222c4140da9f
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("50f99b2d-96d2-421f-be4c-222c4140da9f"), event_id=201, version=0)
class Microsoft_Windows_EDP_Audit_Regular_201_0(Etw):
    """Payload layout for event 201, version 0 of Microsoft-Windows-EDP-Audit-Regular."""
    pattern = Struct(
        # UserId is decoded with the project's Sid type (etl.dtyp); every other field is a WString
        "UserId" / Sid,
        "Policy" / WString,
        "Justification" / WString,
        "SourceEnterpriseId" / WString,
        "SourceAppName" / WString,
        "DestinationEnterpriseId" / WString,
        "DestinationAppName" / WString,
        "DataInfo" / WString
    )


@declare(guid=guid("50f99b2d-96d2-421f-be4c-222c4140da9f"), event_id=301, version=0)
class Microsoft_Windows_EDP_Audit_Regular_301_0(Etw):
    """Payload layout for event 301, version 0 of Microsoft-Windows-EDP-Audit-Regular."""
    pattern = Struct(
        "UserId" / Sid,
        "Policy" / WString,
        "Object" / WString,
        # Action is a raw 32-bit value; its enumeration is not defined on this page
        "Action" / Int32ul,
        "SourceName" / WString,
        "SourceEnterpriseId" / WString,
        "DestinationName" / WString,
        "DestinationEnterpriseId" / WString,
        "ApplicationName" / WString
    )

# ---- /etl/parsers/etw/Microsoft_Windows_EDP_Audit_TCB.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-EDP-Audit-TCB
GUID : 287d59b6-79ba-4741-a08b-2fedeede6435
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("287d59b6-79ba-4741-a08b-2fedeede6435"), event_id=101, version=0)
class Microsoft_Windows_EDP_Audit_TCB_101_0(Etw):
    """Payload layout for event 101, version 0 of Microsoft-Windows-EDP-Audit-TCB."""
    pattern = Struct(
        # UserId is decoded with the project's Sid type (etl.dtyp); the rest are WString
        "UserId" / Sid,
        "Policy" / WString,
        "Justification" / WString,
        "PreviousEnterpriseId" / WString,
        "FilePath" / WString
    )

# ---- /etl/parsers/etw/Microsoft_Windows_ELS_Hyphenation.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-ELS-Hyphenation
GUID : 51aedb05-890b-4ade-8ba1-0ba14b8e8973
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("51aedb05-890b-4ade-8ba1-0ba14b8e8973"), event_id=11, version=0)
class Microsoft_Windows_ELS_Hyphenation_11_0(Etw):
    """Payload layout for event 11, version 0 of Microsoft-Windows-ELS-Hyphenation."""
    pattern = Struct(
        "String" / WString
    )

# ---- /etl/parsers/etw/Microsoft_Windows_EapMethods_Sim.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-EapMethods-Sim
GUID : 3d42a67d-9ce8-4284-b755-2550672b0ce0
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("3d42a67d-9ce8-4284-b755-2550672b0ce0"), event_id=100, version=0)
class Microsoft_Windows_EapMethods_Sim_100_0(Etw):
    """Payload layout for event 100, version 0 of Microsoft-Windows-EapMethods-Sim."""
    pattern = Struct(
        "MethodName" / WString,
        "ErrorCause" / WString
    )


@declare(guid=guid("3d42a67d-9ce8-4284-b755-2550672b0ce0"), event_id=101, version=0)
class Microsoft_Windows_EapMethods_Sim_101_0(Etw):
    """Payload layout for event 101, version 0 of Microsoft-Windows-EapMethods-Sim."""
    pattern = Struct(
        "MethodName" / WString,
        "ErrorCause" / WString
    )


@declare(guid=guid("3d42a67d-9ce8-4284-b755-2550672b0ce0"), event_id=102, version=0)
class Microsoft_Windows_EapMethods_Sim_102_0(Etw):
    """Payload layout for event 102, version 0 of Microsoft-Windows-EapMethods-Sim."""
    pattern = Struct(
        "MethodName" / WString,
        "ErrorCause" / WString
    )


@declare(guid=guid("3d42a67d-9ce8-4284-b755-2550672b0ce0"), event_id=103, version=0)
class Microsoft_Windows_EapMethods_Sim_103_0(Etw):
    """Payload layout for event 103, version 0 of Microsoft-Windows-EapMethods-Sim."""
    pattern = Struct(
        "MethodName" / WString
    )


@declare(guid=guid("3d42a67d-9ce8-4284-b755-2550672b0ce0"), event_id=104, version=0)
class Microsoft_Windows_EapMethods_Sim_104_0(Etw):
    """Payload layout for event 104, version 0 of Microsoft-Windows-EapMethods-Sim."""
    pattern = Struct(
        "MethodName" / WString
    )

# ---- /etl/parsers/etw/Microsoft_Windows_EapMethods_Ttls.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-EapMethods-Ttls
GUID : d710d46c-235d-4798-ac20-9f83e1dcd557
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("d710d46c-235d-4798-ac20-9f83e1dcd557"), event_id=204, version=0)
class Microsoft_Windows_EapMethods_Ttls_204_0(Etw):
    """Payload layout for event 204, version 0 of Microsoft-Windows-EapMethods-Ttls."""
    pattern = Struct(
        # CAThumbprint arrives as a WString; no hex/length validation is applied here
        "CAThumbprint" / WString,
        "ServerName" / WString
    )

# ---- /etl/parsers/etw/Microsoft_Windows_EndpointTriggerProvider.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-EndpointTriggerProvider
GUID : 92aab24d-d9a9-4a60-9f94-201fed3e3e88
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("92aab24d-d9a9-4a60-9f94-201fed3e3e88"), event_id=1, version=0)
class Microsoft_Windows_EndpointTriggerProvider_1_0(Etw):
    """Payload layout for event 1, version 0 of Microsoft-Windows-EndpointTriggerProvider."""
    pattern = Struct(
        "TriggerSubType" / WString,
        "TriggerData" / WString
    )

# ---- /etl/parsers/etw/Microsoft_Windows_EnergyEfficiencyWizard.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-EnergyEfficiencyWizard
GUID : 1a772f65-be1e-4fc6-96bb-248e03fa60f5
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("1a772f65-be1e-4fc6-96bb-248e03fa60f5"), event_id=1, version=0)
class Microsoft_Windows_EnergyEfficiencyWizard_1_0(Etw):
    """Payload layout for event 1, version 0 of Microsoft-Windows-EnergyEfficiencyWizard."""
    pattern = Struct(
        # raw 32-bit flag word; the bit meanings are not defined on this page
        "KernelFlags" / Int32ul
    )


@declare(guid=guid("1a772f65-be1e-4fc6-96bb-248e03fa60f5"), event_id=2, version=0)
class Microsoft_Windows_EnergyEfficiencyWizard_2_0(Etw):
    """Payload layout for event 2, version 0 of Microsoft-Windows-EnergyEfficiencyWizard."""
    pattern = Struct(
        "ProviderGUID" / Guid,
        "Rundown" / Int32ul
    )
# ---- /etl/parsers/etw/Microsoft_Windows_ErrorReportingConsole.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-ErrorReportingConsole
GUID : 017247f2-7e96-11dc-8314-0800200c9a66
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("017247f2-7e96-11dc-8314-0800200c9a66"), event_id=103, version=0)
class Microsoft_Windows_ErrorReportingConsole_103_0(Etw):
    """Payload layout for event 103, version 0 of Microsoft-Windows-ErrorReportingConsole."""
    pattern = Struct(
        "ResponseId" / Int32ul
    )


@declare(guid=guid("017247f2-7e96-11dc-8314-0800200c9a66"), event_id=104, version=0)
class Microsoft_Windows_ErrorReportingConsole_104_0(Etw):
    """Payload layout for event 104, version 0 of Microsoft-Windows-ErrorReportingConsole."""
    pattern = Struct(
        "ResponseId" / Int32ul
    )


@declare(guid=guid("017247f2-7e96-11dc-8314-0800200c9a66"), event_id=105, version=0)
class Microsoft_Windows_ErrorReportingConsole_105_0(Etw):
    """Payload layout for event 105, version 0 of Microsoft-Windows-ErrorReportingConsole."""
    pattern = Struct(
        "PageId" / Int32ul
    )


@declare(guid=guid("017247f2-7e96-11dc-8314-0800200c9a66"), event_id=106, version=0)
class Microsoft_Windows_ErrorReportingConsole_106_0(Etw):
    """Payload layout for event 106, version 0 of Microsoft-Windows-ErrorReportingConsole."""
    pattern = Struct(
        "PageId" / Int32ul
    )

# ---- /etl/parsers/etw/Microsoft_Windows_Fault_Tolerant_Heap.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Fault-Tolerant-Heap
GUID : 6b93bf66-a922-4c11-a617-cf60d95c133d
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("6b93bf66-a922-4c11-a617-cf60d95c133d"), event_id=1003, version=0)
class Microsoft_Windows_Fault_Tolerant_Heap_1003_0(Etw):
    """Payload layout for event 1003, version 0 of Microsoft-Windows-Fault-Tolerant-Heap."""
    pattern = Struct(
        "FthEnabledPID" / Int32ul,
        "FthEnabledProcessName" / WString,
        # 64-bit value; whether this is a FILETIME or another timestamp format is not stated here
        "FthEnabledProcessStartup" / Int64ul
    )

# ---- /etl/parsers/etw/Microsoft_Windows_FileHistory_EventListener.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-FileHistory-EventListener
GUID : b447b4df-7780-11e0-ada3-18a90531a85a
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("b447b4df-7780-11e0-ada3-18a90531a85a"), event_id=106, version=0)
class Microsoft_Windows_FileHistory_EventListener_106_0(Etw):
    """Payload layout for event 106, version 0 of Microsoft-Windows-FileHistory-EventListener."""
    pattern = Struct(
        "Path" / WString
    )


@declare(guid=guid("b447b4df-7780-11e0-ada3-18a90531a85a"), event_id=107, version=0)
class Microsoft_Windows_FileHistory_EventListener_107_0(Etw):
    """Payload layout for event 107, version 0 of Microsoft-Windows-FileHistory-EventListener."""
    pattern = Struct(
        "Path" / WString,
        # read as unsigned; callers wanting the signed HRESULT view must reinterpret it
        "Hr" / Int32ul
    )

# ---- /etl/parsers/etw/Microsoft_Windows_FileInfoMinifilter.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-FileInfoMinifilter
GUID : a319d300-015c-48be-acdb-47746e154751
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Events 1-3 share one layout: a 16-bit length followed by that many raw
# bytes of path. The length is taken from the record itself, so a truncated
# record should fail to parse rather than read past the payload — TODO confirm
# how the Etw base class surfaces construct parse errors.
@declare(guid=guid("a319d300-015c-48be-acdb-47746e154751"), event_id=1, version=0)
class Microsoft_Windows_FileInfoMinifilter_1_0(Etw):
    """Payload layout for event 1, version 0 of Microsoft-Windows-FileInfoMinifilter."""
    pattern = Struct(
        "FileObject" / Int64ul,
        "PathLength" / Int16ul,
        # raw bytes sized by PathLength; no string decoding is applied in this pattern
        "Path" / Bytes(lambda this: this.PathLength)
    )


@declare(guid=guid("a319d300-015c-48be-acdb-47746e154751"), event_id=2, version=0)
class Microsoft_Windows_FileInfoMinifilter_2_0(Etw):
    """Payload layout for event 2, version 0 of Microsoft-Windows-FileInfoMinifilter."""
    pattern = Struct(
        "FileObject" / Int64ul,
        "PathLength" / Int16ul,
        "Path" / Bytes(lambda this: this.PathLength)
    )


@declare(guid=guid("a319d300-015c-48be-acdb-47746e154751"), event_id=3, version=0)
class Microsoft_Windows_FileInfoMinifilter_3_0(Etw):
    """Payload layout for event 3, version 0 of Microsoft-Windows-FileInfoMinifilter."""
    pattern = Struct(
        "FileObject" / Int64ul,
        "PathLength" / Int16ul,
        "Path" / Bytes(lambda this: this.PathLength)
    )

# ---- /etl/parsers/etw/Microsoft_Windows_Firewall.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Firewall
GUID : e595f735-b42a-494b-afcd-b68666945cd3
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("e595f735-b42a-494b-afcd-b68666945cd3"), event_id=6400, version=0)
class Microsoft_Windows_Firewall_6400_0(Etw):
    """Payload layout for event 6400, version 0 of Microsoft-Windows-Firewall."""
    pattern = Struct(
        "CallerProcessName" / WString,
        "ProcessId" / Int32ul,
        "Publisher" / WString
    )

# ---- /etl/parsers/etw/Microsoft_Windows_FunctionDiscoveryHost.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-FunctionDiscoveryHost
GUID : 538cbbad-4877-4eb2-b26e-7caee8f0f8cb
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("538cbbad-4877-4eb2-b26e-7caee8f0f8cb"), event_id=1000, version=0)
class Microsoft_Windows_FunctionDiscoveryHost_1000_0(Etw):
    """Payload layout for event 1000, version 0 of Microsoft-Windows-FunctionDiscoveryHost."""
    pattern = Struct(
        "String" / WString,
        # read as unsigned; reinterpret if a signed HRESULT view is needed
        "HRESULT" / Int32ul,
        "Line" / Int32ul,
        # note the narrow (CString) type here, unlike the WString used for "String"
        "Filename" / CString
    )

# ---- /etl/parsers/etw/Microsoft_Windows_GPIOButtons.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-GPIOButtons
GUID : e13ff11e-e989-4838-a9fa-38a4d13914cf
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("e13ff11e-e989-4838-a9fa-38a4d13914cf"), event_id=1, version=0)
class Microsoft_Windows_GPIOButtons_1_0(Etw):
    """Payload layout for event 1, version 0 of Microsoft-Windows-GPIOButtons."""
    pattern = Struct(
        "ConvertibleState" / Int32ul
    )


@declare(guid=guid("e13ff11e-e989-4838-a9fa-38a4d13914cf"), event_id=2, version=0)
class Microsoft_Windows_GPIOButtons_2_0(Etw):
    """Payload layout for event 2, version 0 of Microsoft-Windows-GPIOButtons."""
    pattern = Struct(
        "DockState" / Int32ul
    )

# ---- /etl/parsers/etw/Microsoft_Windows_Graphics_Capture_Server.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Graphics-Capture-Server
GUID : 7d0cbd25-390e-524d-8c1e-2a8e846055c0
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("7d0cbd25-390e-524d-8c1e-2a8e846055c0"), event_id=1, version=0)
class Microsoft_Windows_Graphics_Capture_Server_1_0(Etw):
    """Payload layout for event 1, version 0 of Microsoft-Windows-Graphics-Capture-Server."""
    pattern = Struct(
        # field name is lowerCamel in this provider, unlike "ProcessId" elsewhere on this page
        "processId" / Int32ul
    )


@declare(guid=guid("7d0cbd25-390e-524d-8c1e-2a8e846055c0"), event_id=2, version=0)
class Microsoft_Windows_Graphics_Capture_Server_2_0(Etw):
    """Payload layout for event 2, version 0 of Microsoft-Windows-Graphics-Capture-Server."""
    pattern = Struct(
        "processId" / Int32ul
    )

# ---- /etl/parsers/etw/Microsoft_Windows_Graphics_Printing.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Graphics-Printing
GUID : e7aa32fb-77d0-477f-987d-7e83df1b7ed0
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("e7aa32fb-77d0-477f-987d-7e83df1b7ed0"), event_id=2, version=0)
class Microsoft_Windows_Graphics_Printing_2_0(Etw):
    """Payload layout for event 2, version 0 of Microsoft-Windows-Graphics-Printing."""
    pattern = Struct(
        # read as unsigned; reinterpret if a signed HRESULT view is needed
        "HResult" / Int32ul
    )


@declare(guid=guid("e7aa32fb-77d0-477f-987d-7e83df1b7ed0"), event_id=4, version=0)
class Microsoft_Windows_Graphics_Printing_4_0(Etw):
    """Payload layout for event 4, version 0 of Microsoft-Windows-Graphics-Printing."""
    pattern = Struct(
        "HResult" / Int32ul
    )


@declare(guid=guid("e7aa32fb-77d0-477f-987d-7e83df1b7ed0"), event_id=5, version=0)
class Microsoft_Windows_Graphics_Printing_5_0(Etw):
    """Payload layout for event 5, version 0 of Microsoft-Windows-Graphics-Printing."""
    pattern = Struct(
        "Name" / WString
    )


@declare(guid=guid("e7aa32fb-77d0-477f-987d-7e83df1b7ed0"), event_id=6, version=0)
class Microsoft_Windows_Graphics_Printing_6_0(Etw):
    """Payload layout for event 6, version 0 of Microsoft-Windows-Graphics-Printing."""
    pattern = Struct(
        "HResult" / Int32ul,
        "Name" / WString
    )

# ---- /etl/parsers/etw/Microsoft_Windows_Graphics_Printing3D.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Graphics-Printing3D
GUID : be967569-e3c8-425b-ad0e-4f2c790b1848
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Same four event ids and layouts as Microsoft-Windows-Graphics-Printing above,
# under a different provider GUID.
@declare(guid=guid("be967569-e3c8-425b-ad0e-4f2c790b1848"), event_id=2, version=0)
class Microsoft_Windows_Graphics_Printing3D_2_0(Etw):
    """Payload layout for event 2, version 0 of Microsoft-Windows-Graphics-Printing3D."""
    pattern = Struct(
        "HResult" / Int32ul
    )


@declare(guid=guid("be967569-e3c8-425b-ad0e-4f2c790b1848"), event_id=4, version=0)
class Microsoft_Windows_Graphics_Printing3D_4_0(Etw):
    """Payload layout for event 4, version 0 of Microsoft-Windows-Graphics-Printing3D."""
    pattern = Struct(
        "HResult" / Int32ul
    )


@declare(guid=guid("be967569-e3c8-425b-ad0e-4f2c790b1848"), event_id=5, version=0)
class Microsoft_Windows_Graphics_Printing3D_5_0(Etw):
    """Payload layout for event 5, version 0 of Microsoft-Windows-Graphics-Printing3D."""
    pattern = Struct(
        "Name" / WString
    )


@declare(guid=guid("be967569-e3c8-425b-ad0e-4f2c790b1848"), event_id=6, version=0)
class Microsoft_Windows_Graphics_Printing3D_6_0(Etw):
    """Payload layout for event 6, version 0 of Microsoft-Windows-Graphics-Printing3D."""
    pattern = Struct(
        "HResult" / Int32ul,
        "Name" / WString
    )

# ---- /etl/parsers/etw/Microsoft_Windows_GroupPolicyTriggerProvider.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-GroupPolicyTriggerProvider
GUID : bd2f4252-5e1e-49fc-9a30-f3978ad89ee2
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("bd2f4252-5e1e-49fc-9a30-f3978ad89ee2"), event_id=1, version=0)
class Microsoft_Windows_GroupPolicyTriggerProvider_1_0(Etw):
    """Payload layout for event 1, version 0 of Microsoft-Windows-GroupPolicyTriggerProvider."""
    pattern = Struct(
        "GPTriggerEventGuid" / Guid
    )


@declare(guid=guid("bd2f4252-5e1e-49fc-9a30-f3978ad89ee2"), event_id=2, version=0)
class Microsoft_Windows_GroupPolicyTriggerProvider_2_0(Etw):
    """Payload layout for event 2, version 0 of Microsoft-Windows-GroupPolicyTriggerProvider."""
    pattern = Struct(
        "GPTriggerEventGuid" / Guid
    )

# ---- /etl/parsers/etw/Microsoft_Windows_HealthCenterCPL.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-HealthCenterCPL
GUID : 959f1fac-7ca8-4ed1-89dc-cdfa7e093cb0
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Events 104-107 all carry a single WString named "psz" (the Hungarian name is
# kept as-is because it is the key callers see in the parsed record).
@declare(guid=guid("959f1fac-7ca8-4ed1-89dc-cdfa7e093cb0"), event_id=104, version=0)
class Microsoft_Windows_HealthCenterCPL_104_0(Etw):
    """Payload layout for event 104, version 0 of Microsoft-Windows-HealthCenterCPL."""
    pattern = Struct(
        "psz" / WString
    )


@declare(guid=guid("959f1fac-7ca8-4ed1-89dc-cdfa7e093cb0"), event_id=105, version=0)
class Microsoft_Windows_HealthCenterCPL_105_0(Etw):
    """Payload layout for event 105, version 0 of Microsoft-Windows-HealthCenterCPL."""
    pattern = Struct(
        "psz" / WString
    )


@declare(guid=guid("959f1fac-7ca8-4ed1-89dc-cdfa7e093cb0"), event_id=106, version=0)
class Microsoft_Windows_HealthCenterCPL_106_0(Etw):
    """Payload layout for event 106, version 0 of Microsoft-Windows-HealthCenterCPL."""
    pattern = Struct(
        "psz" / WString
    )


@declare(guid=guid("959f1fac-7ca8-4ed1-89dc-cdfa7e093cb0"), event_id=107, version=0)
class Microsoft_Windows_HealthCenterCPL_107_0(Etw):
    """Payload layout for event 107, version 0 of Microsoft-Windows-HealthCenterCPL."""
    pattern = Struct(
        "psz" / WString
    )

# ---- /etl/parsers/etw/Microsoft_Windows_Heap_Snapshot.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Heap-Snapshot
GUID : 901d2afa-4ff6-46d7-8d0e-53645e1a47f5
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


# Note: these two events are declared at version=1, not version=0 like most
# providers on this page; a version=0 record would not match these patterns.
@declare(guid=guid("901d2afa-4ff6-46d7-8d0e-53645e1a47f5"), event_id=100, version=1)
class Microsoft_Windows_Heap_Snapshot_100_1(Etw):
    """Payload layout for event 100, version 1 of Microsoft-Windows-Heap-Snapshot."""
    pattern = Struct(
        "HeapSnapshotInstance" / Int32ul,
        "HeapSnapshotSequence" / Int32ul,
        "HeapSnapshotBufferLen" / Int32ul,
        # raw snapshot chunk sized by the 32-bit length field just before it; not decoded here
        "HeapSnapshotBuffer" / Bytes(lambda this: this.HeapSnapshotBufferLen)
    )


@declare(guid=guid("901d2afa-4ff6-46d7-8d0e-53645e1a47f5"), event_id=200, version=1)
class Microsoft_Windows_Heap_Snapshot_200_1(Etw):
    """Payload layout for event 200, version 1 of Microsoft-Windows-Heap-Snapshot."""
    pattern = Struct(
        "HeapSnapshotInstance" / Int32ul,
        "TotalData" / Int32ul
    )

# ---- /etl/parsers/etw/Microsoft_Windows_HomeGroup_ListenerService.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-HomeGroup-ListenerService
GUID : af0a5a6d-e009-46d4-8867-42f2240f8a72
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("af0a5a6d-e009-46d4-8867-42f2240f8a72"), event_id=1000, version=0)
class Microsoft_Windows_HomeGroup_ListenerService_1000_0(Etw):
    """Payload layout for event 1000, version 0 of Microsoft-Windows-HomeGroup-ListenerService."""
    pattern = Struct(
        "Error" / WString,
        "Message" / WString
    )

# ---- /etl/parsers/etw/Microsoft_Windows_HttpLog.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-HttpLog
GUID : c42a2738-2333-40a5-a32f-6acc36449dcc
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("c42a2738-2333-40a5-a32f-6acc36449dcc"), event_id=1, version=0)
class Microsoft_Windows_HttpLog_1_0(Etw):
    """Payload layout for event 1, version 0 of Microsoft-Windows-HttpLog.

    One record per logged HTTP request. Field order below is the wire order;
    the two address fields are length-prefixed raw bytes, everything else is
    a fixed-width integer or a string type from etl.utils.

    NOTE(review): UserName, UriQuery, Cookie, Referer and UserAgent look like
    per-request client data; treat parsed output from this provider as
    sensitive when exporting or sharing traces.
    """
    pattern = Struct(
        "ServerSessionId" / Int64ul,
        "UrlGroupId" / Int64ul,
        "UrlContext" / Int64ul,
        # 64-bit value; the timestamp format is not stated here — TODO confirm before converting
        "DateTime" / Int64ul,
        "RemoteAddrLength" / Int32ul,
        # raw address bytes sized by RemoteAddrLength; address family is not decoded in this pattern
        "RemoteAddr" / Bytes(lambda this: this.RemoteAddrLength),
        "LocalAddrLength" / Int32ul,
        "LocalAddr" / Bytes(lambda this: this.LocalAddrLength),
        "KernelCached" / Int32ul,
        "HttpMajorVer" / Int16ul,
        "HttpMinorVer" / Int16ul,
        "BytesSent" / Int64ul,
        "BytesReceived" / Int64ul,
        "TimeTaken" / Int64ul,
        # string fields alternate between WString and CString; keep the types as declared
        "UserName" / WString,
        "Method" / CString,
        "UriStem" / WString,
        "UriQuery" / CString,
        "ProtocolStatus" / Int16ul,
        "ProtocolSubStatus" / Int16ul,
        "Win32Status" / Int32ul,
        "Host" / CString,
        "UserAgent" / CString,
        "Cookie" / CString,
        "Referer" / CString,
        "AppContext" / CString
    )

# ---- /etl/parsers/etw/Microsoft_Windows_IME_JPTIP.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-IME-JPTIP
GUID : 8c8a69ad-cc89-481f-bbad-fd95b5006256
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("8c8a69ad-cc89-481f-bbad-fd95b5006256"), event_id=30, version=0)
class Microsoft_Windows_IME_JPTIP_30_0(Etw):
    """Payload layout for event 30, version 0 of Microsoft-Windows-IME-JPTIP."""
    pattern = Struct(
        "Duration" / Int32ul,
        "IMEType" / Int32ul
    )

# ---- /etl/parsers/etw/Microsoft_Windows_IME_KRTIP.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-IME-KRTIP
GUID : e013e74b-97f4-4e1c-a120-596e5629ecfe
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("e013e74b-97f4-4e1c-a120-596e5629ecfe"), event_id=10, version=0)
class Microsoft_Windows_IME_KRTIP_10_0(Etw):
    """Payload layout for event 10, version 0 of Microsoft-Windows-IME-KRTIP."""
    pattern = Struct(
        "Duration" / Int32ul,
        "IMEType" / Int32ul
    )

# ---- /etl/parsers/etw/Microsoft_Windows_IME_TCTIP.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-IME-TCTIP
GUID : d5268c02-6f51-436f-983b-74f2efbfaf3a
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("d5268c02-6f51-436f-983b-74f2efbfaf3a"), event_id=30, version=0)
class Microsoft_Windows_IME_TCTIP_30_0(Etw):
    """Payload layout for event 30, version 0 of Microsoft-Windows-IME-TCTIP."""
    pattern = Struct(
        "Duration" / Int32ul,
        "IMEType" / Int32ul
    )

# ---- /etl/parsers/etw/Microsoft_Windows_IME_TIP.py: ----
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-IME-TIP
GUID : bdd4b92e-19ef-4497-9c4a-e10e7fd2e227
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("bdd4b92e-19ef-4497-9c4a-e10e7fd2e227"), event_id=142, version=0)
class Microsoft_Windows_IME_TIP_142_0(Etw):
    """Payload layout for event 142, version 0 of Microsoft-Windows-IME-TIP."""
    pattern = Struct(
        "Duration" / Int32ul,
        # raw key identifiers; their mapping is not defined on this page
        "PreviousKey" / Int32ul,
        "CurrentKey" / Int32ul
    )


@declare(guid=guid("bdd4b92e-19ef-4497-9c4a-e10e7fd2e227"), event_id=143, version=0) 22 | class Microsoft_Windows_IME_TIP_143_0(Etw): 23 | pattern = Struct( 24 | "Duration" / Int32ul, 25 | "PreviousKey" / Int32ul, 26 | "CurrentKey" / Int32ul 27 | ) 28 | 29 | 30 | @declare(guid=guid("bdd4b92e-19ef-4497-9c4a-e10e7fd2e227"), event_id=144, version=0) 31 | class Microsoft_Windows_IME_TIP_144_0(Etw): 32 | pattern = Struct( 33 | "Duration" / Int32ul, 34 | "PreviousKey" / Int32ul, 35 | "CurrentKey" / Int32ul 36 | ) 37 | 38 | 39 | @declare(guid=guid("bdd4b92e-19ef-4497-9c4a-e10e7fd2e227"), event_id=145, version=0) 40 | class Microsoft_Windows_IME_TIP_145_0(Etw): 41 | pattern = Struct( 42 | "Duration" / Int32ul, 43 | "PreviousKey" / Int32ul, 44 | "CurrentKey" / Int32ul 45 | ) 46 | 47 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_IPNAT.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-IPNAT 4 | GUID : a67075c2-3e39-4109-b6cd-6d750058a732 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("a67075c2-3e39-4109-b6cd-6d750058a732"), event_id=2001, version=0) 13 | class Microsoft_Windows_IPNAT_2001_0(Etw): 14 | pattern = Struct( 15 | "_DebugString" / CString 16 | ) 17 | 18 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_IdleTriggerProvider.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-IdleTriggerProvider 4 | GUID : 9e03f75a-bcbe-428a-8f3c-d46f2a444935 5 | """ 6 | from construct import Int8sl, 
Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("9e03f75a-bcbe-428a-8f3c-d46f2a444935"), event_id=1, version=0) 13 | class Microsoft_Windows_IdleTriggerProvider_1_0(Etw): 14 | pattern = Struct( 15 | "IdleStatusGuid" / Guid 16 | ) 17 | 18 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Input_HIDCLASS.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-Input-HIDCLASS 4 | GUID : 6465da78-e7a0-4f39-b084-8f53c7c30dc6 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("6465da78-e7a0-4f39-b084-8f53c7c30dc6"), event_id=3, version=0) 13 | class Microsoft_Windows_Input_HIDCLASS_3_0(Etw): 14 | pattern = Struct( 15 | "DeviceObject" / Int64ul, 16 | "VendorID" / Int16ul, 17 | "ProductID" / Int16ul, 18 | "VersionNumber" / Int16ul, 19 | "ReportDescriptorLength" / Int32ul, 20 | "ReportDescriptor" / Bytes(lambda this: this.ReportDescriptorLength) 21 | ) 22 | 23 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_IsolatedUserMode.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-IsolatedUserMode 4 | GUID : 73a33ab2-1966-4999-8add-868c41415269 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from 
etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("73a33ab2-1966-4999-8add-868c41415269"), event_id=1, version=0) 13 | class Microsoft_Windows_IsolatedUserMode_1_0(Etw): 14 | pattern = Struct( 15 | "TrustletIdentity" / Int64ul, 16 | "NormalProcessId" / Int32ul, 17 | "Status" / Int32ul, 18 | "ImageName" / WString 19 | ) 20 | 21 | 22 | @declare(guid=guid("73a33ab2-1966-4999-8add-868c41415269"), event_id=2, version=0) 23 | class Microsoft_Windows_IsolatedUserMode_2_0(Etw): 24 | pattern = Struct( 25 | "TrustletIdentity" / Int64ul, 26 | "NormalProcessId" / Int32ul, 27 | "Status" / Int32ul 28 | ) 29 | 30 | 31 | @declare(guid=guid("73a33ab2-1966-4999-8add-868c41415269"), event_id=3, version=0) 32 | class Microsoft_Windows_IsolatedUserMode_3_0(Etw): 33 | pattern = Struct( 34 | "Status" / Int32ul, 35 | "Flags" / Int32ul 36 | ) 37 | 38 | 39 | @declare(guid=guid("73a33ab2-1966-4999-8add-868c41415269"), event_id=4, version=0) 40 | class Microsoft_Windows_IsolatedUserMode_4_0(Etw): 41 | pattern = Struct( 42 | "TrustletIdentity" / Int64ul, 43 | "NormalProcessId" / Int32ul, 44 | "Status" / Int32ul 45 | ) 46 | 47 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Kernel_LicensingSqm.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-Kernel-LicensingSqm 4 | GUID : a0af438f-4431-41cb-a675-a265050ee947 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("a0af438f-4431-41cb-a675-a265050ee947"), event_id=6, version=0) 13 | class 
Microsoft_Windows_Kernel_LicensingSqm_6_0(Etw): 14 | pattern = Struct( 15 | "SqmType" / Int32ul, 16 | "SqmSessionGuid" / Guid, 17 | "SqmID" / Int32ul, 18 | "SqmDWORDDatapointValue" / Int32ul 19 | ) 20 | 21 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Kernel_PowerTrigger.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-Kernel-PowerTrigger 4 | GUID : aa1f73e8-15fd-45d2-abfd-e7f64f78eb11 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("aa1f73e8-15fd-45d2-abfd-e7f64f78eb11"), event_id=1, version=0) 13 | class Microsoft_Windows_Kernel_PowerTrigger_1_0(Etw): 14 | pattern = Struct( 15 | "AoAc" / Int8ul 16 | ) 17 | 18 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Kernel_Tm_Trigger.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-Kernel-Tm-Trigger 4 | GUID : ce20d1c3-a247-4c41-bcb8-3c7f52c8b805 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("ce20d1c3-a247-4c41-bcb8-3c7f52c8b805"), event_id=1, version=0) 13 | class Microsoft_Windows_Kernel_Tm_Trigger_1_0(Etw): 14 | pattern = Struct( 15 | "KtmTriggerSvcStartGuid" / Guid 16 | ) 17 | 18 | -------------------------------------------------------------------------------- 
/etl/parsers/etw/Microsoft_Windows_Kernel_XDV.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-Kernel-XDV 4 | GUID : f029ac39-38f0-4a40-b7de-404d244004cb 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("f029ac39-38f0-4a40-b7de-404d244004cb"), event_id=3, version=0) 13 | class Microsoft_Windows_Kernel_XDV_3_0(Etw): 14 | pattern = Struct( 15 | "IRP_Address" / Int64ul, 16 | "IRP_Stack_Loc_Code" / Int32ul, 17 | "IRP_Parameters" / Int32ul, 18 | "Module" / WString, 19 | "UInt32_Event_Number" / Int32ul, 20 | "Address_Stack" / Int64ul 21 | ) 22 | 23 | 24 | @declare(guid=guid("f029ac39-38f0-4a40-b7de-404d244004cb"), event_id=4, version=0) 25 | class Microsoft_Windows_Kernel_XDV_4_0(Etw): 26 | pattern = Struct( 27 | "RuleId" / Int32ul, 28 | "ErrorMessage" / CString, 29 | "Module" / WString, 30 | "Irql" / Int8ul 31 | ) 32 | 33 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_KnownFolders.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-KnownFolders 4 | GUID : 8939299f-2315-4c5c-9b91-abb86aa0627d 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("8939299f-2315-4c5c-9b91-abb86aa0627d"), event_id=1000, version=0) 13 | class Microsoft_Windows_KnownFolders_1000_0(Etw): 14 | pattern = Struct( 15 | 
"hrError" / Int32ul, 16 | "FolderId" / Guid, 17 | "Path" / WString 18 | ) 19 | 20 | 21 | @declare(guid=guid("8939299f-2315-4c5c-9b91-abb86aa0627d"), event_id=1001, version=0) 22 | class Microsoft_Windows_KnownFolders_1001_0(Etw): 23 | pattern = Struct( 24 | "hrError" / Int32ul, 25 | "FolderId" / Guid, 26 | "Path" / WString 27 | ) 28 | 29 | 30 | @declare(guid=guid("8939299f-2315-4c5c-9b91-abb86aa0627d"), event_id=1002, version=0) 31 | class Microsoft_Windows_KnownFolders_1002_0(Etw): 32 | pattern = Struct( 33 | "hrError" / Int32ul, 34 | "FolderId" / Guid, 35 | "Path" / WString 36 | ) 37 | 38 | 39 | @declare(guid=guid("8939299f-2315-4c5c-9b91-abb86aa0627d"), event_id=1003, version=0) 40 | class Microsoft_Windows_KnownFolders_1003_0(Etw): 41 | pattern = Struct( 42 | "hrError" / Int32ul, 43 | "FolderId" / Guid, 44 | "Path" / WString 45 | ) 46 | 47 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_LanGPA.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-LanGPA 4 | GUID : cb070027-1534-4cf3-98ea-b9751f508376 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("cb070027-1534-4cf3-98ea-b9751f508376"), event_id=14001, version=0) 13 | class Microsoft_Windows_LanGPA_14001_0(Etw): 14 | pattern = Struct( 15 | "PolicyType" / Int32ul, 16 | "PolicyName" / WString, 17 | "PolicyNamePlaceholder" / Int32ul, 18 | "AutoConfigEnabled" / Int32ul, 19 | "Profileapplied" / Int32ul, 20 | "ReasonCode" / Int32ul 21 | ) 22 | 23 | 24 | @declare(guid=guid("cb070027-1534-4cf3-98ea-b9751f508376"), event_id=14003, version=0) 25 | class Microsoft_Windows_LanGPA_14003_0(Etw): 26 | 
pattern = Struct( 27 | "PolicyType" / Int32ul, 28 | "PolicyName" / WString, 29 | "PolicyNamePlaceholder" / WString, 30 | "ReasonCode" / Int32ul 31 | ) 32 | 33 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_MCCS_AccountsRT.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-MCCS-AccountsRT 4 | GUID : dd2743c6-1722-4674-9f6f-c80044c4232e 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("dd2743c6-1722-4674-9f6f-c80044c4232e"), event_id=1, version=0) 13 | class Microsoft_Windows_MCCS_AccountsRT_1_0(Etw): 14 | pattern = Struct( 15 | "P1_HResult" / Int32sl, 16 | "P2_String" / CString, 17 | "P3_UInt32" / Int32ul 18 | ) 19 | 20 | 21 | @declare(guid=guid("dd2743c6-1722-4674-9f6f-c80044c4232e"), event_id=2, version=0) 22 | class Microsoft_Windows_MCCS_AccountsRT_2_0(Etw): 23 | pattern = Struct( 24 | "P1_HResult" / Int32sl, 25 | "P2_String" / CString, 26 | "P3_UInt32" / Int32ul 27 | ) 28 | 29 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_MCCS_ActiveSyncCsp.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-MCCS-ActiveSyncCsp 4 | GUID : 602a0873-9bde-48b3-b6b7-277035293458 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | 
@declare(guid=guid("602a0873-9bde-48b3-b6b7-277035293458"), event_id=1, version=0) 13 | class Microsoft_Windows_MCCS_ActiveSyncCsp_1_0(Etw): 14 | pattern = Struct( 15 | "P1_HResult" / Int32sl, 16 | "P2_String" / CString, 17 | "P3_UInt32" / Int32ul 18 | ) 19 | 20 | 21 | @declare(guid=guid("602a0873-9bde-48b3-b6b7-277035293458"), event_id=2, version=0) 22 | class Microsoft_Windows_MCCS_ActiveSyncCsp_2_0(Etw): 23 | pattern = Struct( 24 | "P1_HResult" / Int32sl, 25 | "P2_String" / CString, 26 | "P3_UInt32" / Int32ul 27 | ) 28 | 29 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_MCCS_EngineShared.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-MCCS-EngineShared 4 | GUID : bf460fc6-45c5-4119-add3-e361a6e7d5ac 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("bf460fc6-45c5-4119-add3-e361a6e7d5ac"), event_id=1, version=0) 13 | class Microsoft_Windows_MCCS_EngineShared_1_0(Etw): 14 | pattern = Struct( 15 | "P1_HResult" / Int32sl, 16 | "P2_String" / CString, 17 | "P3_UInt32" / Int32ul 18 | ) 19 | 20 | 21 | @declare(guid=guid("bf460fc6-45c5-4119-add3-e361a6e7d5ac"), event_id=2, version=0) 22 | class Microsoft_Windows_MCCS_EngineShared_2_0(Etw): 23 | pattern = Struct( 24 | "P1_HResult" / Int32sl, 25 | "P2_String" / CString, 26 | "P3_UInt32" / Int32ul 27 | ) 28 | 29 | 30 | @declare(guid=guid("bf460fc6-45c5-4119-add3-e361a6e7d5ac"), event_id=3001, version=0) 31 | class Microsoft_Windows_MCCS_EngineShared_3001_0(Etw): 32 | pattern = Struct( 33 | "Prop_UnicodeString" / WString 34 | ) 35 | 36 | 
-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_MCCS_InternetMailCsp.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-MCCS-InternetMailCsp 4 | GUID : bec5e7a4-0527-42e8-8174-fabde799ad7f 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("bec5e7a4-0527-42e8-8174-fabde799ad7f"), event_id=1, version=0) 13 | class Microsoft_Windows_MCCS_InternetMailCsp_1_0(Etw): 14 | pattern = Struct( 15 | "P1_HResult" / Int32sl, 16 | "P2_String" / CString, 17 | "P3_UInt32" / Int32ul 18 | ) 19 | 20 | 21 | @declare(guid=guid("bec5e7a4-0527-42e8-8174-fabde799ad7f"), event_id=2, version=0) 22 | class Microsoft_Windows_MCCS_InternetMailCsp_2_0(Etw): 23 | pattern = Struct( 24 | "P1_HResult" / Int32sl, 25 | "P2_String" / CString, 26 | "P3_UInt32" / Int32ul 27 | ) 28 | 29 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_MemoryDiagnostics_Schedule.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-MemoryDiagnostics-Schedule 4 | GUID : 73e9c9de-a148-41f7-b1db-4da051fdc327 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("73e9c9de-a148-41f7-b1db-4da051fdc327"), event_id=1001, version=0) 13 | class Microsoft_Windows_MemoryDiagnostics_Schedule_1001_0(Etw): 
14 | pattern = Struct( 15 | "LaunchType" / WString, 16 | "ScheduleType" / WString 17 | ) 18 | 19 | 20 | @declare(guid=guid("73e9c9de-a148-41f7-b1db-4da051fdc327"), event_id=1002, version=0) 21 | class Microsoft_Windows_MemoryDiagnostics_Schedule_1002_0(Etw): 22 | pattern = Struct( 23 | "LaunchType" / WString, 24 | "ScheduleType" / WString 25 | ) 26 | 27 | 28 | @declare(guid=guid("73e9c9de-a148-41f7-b1db-4da051fdc327"), event_id=1003, version=0) 29 | class Microsoft_Windows_MemoryDiagnostics_Schedule_1003_0(Etw): 30 | pattern = Struct( 31 | "LaunchType" / WString, 32 | "ScheduleType" / WString, 33 | "ErrorCode" / Int32ul 34 | ) 35 | 36 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Memory_Diagnostic_Task_Handler.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-Memory-Diagnostic-Task-Handler 4 | GUID : babda89a-4d5e-48eb-af3d-e0e8410207c0 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("babda89a-4d5e-48eb-af3d-e0e8410207c0"), event_id=1001, version=0) 13 | class Microsoft_Windows_Memory_Diagnostic_Task_Handler_1001_0(Etw): 14 | pattern = Struct( 15 | "RemovedMemorySize" / Int64ul 16 | ) 17 | 18 | 19 | @declare(guid=guid("babda89a-4d5e-48eb-af3d-e0e8410207c0"), event_id=1003, version=0) 20 | class Microsoft_Windows_Memory_Diagnostic_Task_Handler_1003_0(Etw): 21 | pattern = Struct( 22 | "RemovedMemorySize" / Int64ul 23 | ) 24 | 25 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Mobile_Broadband_Experience_SmsApi.py: 
-------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-Mobile-Broadband-Experience-SmsApi 4 | GUID : 0ff1c24b-7f05-45c0-abdc-3c8521be4f62 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("0ff1c24b-7f05-45c0-abdc-3c8521be4f62"), event_id=5001, version=0) 13 | class Microsoft_Windows_Mobile_Broadband_Experience_SmsApi_5001_0(Etw): 14 | pattern = Struct( 15 | "appId" / WString, 16 | "interfaceId" / WString 17 | ) 18 | 19 | 20 | @declare(guid=guid("0ff1c24b-7f05-45c0-abdc-3c8521be4f62"), event_id=5002, version=0) 21 | class Microsoft_Windows_Mobile_Broadband_Experience_SmsApi_5002_0(Etw): 22 | pattern = Struct( 23 | "appId" / WString, 24 | "interfaceId" / WString 25 | ) 26 | 27 | 28 | @declare(guid=guid("0ff1c24b-7f05-45c0-abdc-3c8521be4f62"), event_id=5003, version=0) 29 | class Microsoft_Windows_Mobile_Broadband_Experience_SmsApi_5003_0(Etw): 30 | pattern = Struct( 31 | "appId" / WString, 32 | "interfaceId" / WString 33 | ) 34 | 35 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_MountMgr.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-MountMgr 4 | GUID : e3bac9f8-27be-4823-8d7f-1cc320c05fa7 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("e3bac9f8-27be-4823-8d7f-1cc320c05fa7"), event_id=100, 
version=0) 13 | class Microsoft_Windows_MountMgr_100_0(Etw): 14 | pattern = Struct( 15 | "CVEId" / WString 16 | ) 17 | 18 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_NetworkBridge.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-NetworkBridge 4 | GUID : a67075c2-3e39-4109-b6cd-6d750058a731 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("a67075c2-3e39-4109-b6cd-6d750058a731"), event_id=2001, version=0) 13 | class Microsoft_Windows_NetworkBridge_2001_0(Etw): 14 | pattern = Struct( 15 | "_DebugString" / CString 16 | ) 17 | 18 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_NetworkManagerTriggerProvider.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-NetworkManagerTriggerProvider 4 | GUID : 9b307223-4e4d-4bf5-9be8-995cd8e7420b 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("9b307223-4e4d-4bf5-9be8-995cd8e7420b"), event_id=1, version=0) 13 | class Microsoft_Windows_NetworkManagerTriggerProvider_1_0(Etw): 14 | pattern = Struct( 15 | "NetworkChangeGuid" / Guid 16 | ) 17 | 18 | 19 | @declare(guid=guid("9b307223-4e4d-4bf5-9be8-995cd8e7420b"), event_id=2, version=0) 20 | class 
Microsoft_Windows_NetworkManagerTriggerProvider_2_0(Etw): 21 | pattern = Struct( 22 | "NetworkChangeGuid" / Guid 23 | ) 24 | 25 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_NetworkProfileTriggerProvider.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-NetworkProfileTriggerProvider 4 | GUID : fbcfac3f-8460-419f-8e48-1f0b49cdb85e 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("fbcfac3f-8460-419f-8e48-1f0b49cdb85e"), event_id=1, version=0) 13 | class Microsoft_Windows_NetworkProfileTriggerProvider_1_0(Etw): 14 | pattern = Struct( 15 | "ProfileChange" / WString 16 | ) 17 | 18 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_NetworkStatus.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-NetworkStatus 4 | GUID : 7868b0d4-1423-4681-afdf-27913575441e 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("7868b0d4-1423-4681-afdf-27913575441e"), event_id=8001, version=0) 13 | class Microsoft_Windows_NetworkStatus_8001_0(Etw): 14 | pattern = Struct( 15 | "NetworkStatus" / Int32ul 16 | ) 17 | 18 | -------------------------------------------------------------------------------- 
/etl/parsers/etw/Microsoft_Windows_Networking_Correlation.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-Networking-Correlation 4 | GUID : 83ed54f0-4d48-4e45-b16e-726ffd1fa4af 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("83ed54f0-4d48-4e45-b16e-726ffd1fa4af"), event_id=60001, version=0) 13 | class Microsoft_Windows_Networking_Correlation_60001_0(Etw): 14 | pattern = Struct( 15 | "SourceProvider" / Guid, 16 | "Context" / Int32ul 17 | ) 18 | 19 | 20 | @declare(guid=guid("83ed54f0-4d48-4e45-b16e-726ffd1fa4af"), event_id=60002, version=0) 21 | class Microsoft_Windows_Networking_Correlation_60002_0(Etw): 22 | pattern = Struct( 23 | "SourceProvider" / Guid, 24 | "Context" / Int32ul 25 | ) 26 | 27 | 28 | @declare(guid=guid("83ed54f0-4d48-4e45-b16e-726ffd1fa4af"), event_id=60003, version=0) 29 | class Microsoft_Windows_Networking_Correlation_60003_0(Etw): 30 | pattern = Struct( 31 | "SourceProvider" / Guid, 32 | "Context" / Int32ul 33 | ) 34 | 35 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Ntfs_UBPM.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-Ntfs-UBPM 4 | GUID : 8e6a5303-a4ce-498f-afdb-e03a8a82b077 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | 
@declare(guid=guid("8e6a5303-a4ce-498f-afdb-e03a8a82b077"), event_id=0, version=0) 13 | class Microsoft_Windows_Ntfs_UBPM_0_0(Etw): 14 | pattern = Struct( 15 | "SvSvcCmd" / WString 16 | ) 17 | 18 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_OLEACC.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-OLEACC 4 | GUID : 19d2c934-ee9b-49e5-aaeb-9cce721d2c65 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("19d2c934-ee9b-49e5-aaeb-9cce721d2c65"), event_id=1, version=0) 13 | class Microsoft_Windows_OLEACC_1_0(Etw): 14 | pattern = Struct( 15 | "Method" / WString, 16 | "Hresult" / Int32ul, 17 | "Details" / WString, 18 | "SourceHwnd" / WString, 19 | "Provider" / WString 20 | ) 21 | 22 | 23 | @declare(guid=guid("19d2c934-ee9b-49e5-aaeb-9cce721d2c65"), event_id=2, version=0) 24 | class Microsoft_Windows_OLEACC_2_0(Etw): 25 | pattern = Struct( 26 | "MethodIndex" / Int32ul, 27 | "Object" / Int64ul, 28 | "Parameter" / Int32sl 29 | ) 30 | 31 | 32 | @declare(guid=guid("19d2c934-ee9b-49e5-aaeb-9cce721d2c65"), event_id=3, version=0) 33 | class Microsoft_Windows_OLEACC_3_0(Etw): 34 | pattern = Struct( 35 | "MethodIndex" / Int32ul, 36 | "Object" / Int64ul, 37 | "Parameter" / Int32sl 38 | ) 39 | 40 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_OOBE_FirstLogonAnim.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-OOBE-FirstLogonAnim 4 | GUID : 2d4c0c5e-6704-493a-a44b-f5add4fc9283 5 | """ 6 | from 
construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("2d4c0c5e-6704-493a-a44b-f5add4fc9283"), event_id=5005, version=0) 13 | class Microsoft_Windows_OOBE_FirstLogonAnim_5005_0(Etw): 14 | pattern = Struct( 15 | "fZDP" / Int8ul 16 | ) 17 | 18 | 19 | @declare(guid=guid("2d4c0c5e-6704-493a-a44b-f5add4fc9283"), event_id=5041, version=0) 20 | class Microsoft_Windows_OOBE_FirstLogonAnim_5041_0(Etw): 21 | pattern = Struct( 22 | "fOOBE" / Int8ul, 23 | "fExistingUser" / Int8ul, 24 | "fZDP" / Int8ul, 25 | "fExplorer" / Int8ul 26 | ) 27 | 28 | 29 | @declare(guid=guid("2d4c0c5e-6704-493a-a44b-f5add4fc9283"), event_id=5047, version=0) 30 | class Microsoft_Windows_OOBE_FirstLogonAnim_5047_0(Etw): 31 | pattern = Struct( 32 | "fExistingUser" / Int8ul, 33 | "fPostZDP" / Int8ul 34 | ) 35 | 36 | 37 | @declare(guid=guid("2d4c0c5e-6704-493a-a44b-f5add4fc9283"), event_id=5048, version=0) 38 | class Microsoft_Windows_OOBE_FirstLogonAnim_5048_0(Etw): 39 | pattern = Struct( 40 | "fExistingUserOrPostZDP" / Int8ul, 41 | "fZDP" / Int8ul, 42 | "fTouchDevice" / Int8ul, 43 | "fMouseDevice" / Int8ul 44 | ) 45 | 46 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_OOBE_Machine_Core.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-OOBE-Machine-Core 4 | GUID : ec276cde-2a17-473c-a010-2ff78d5426d2 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | 
@declare(guid=guid("ec276cde-2a17-473c-a010-2ff78d5426d2"), event_id=5004, version=0) 13 | class Microsoft_Windows_OOBE_Machine_Core_5004_0(Etw): 14 | pattern = Struct( 15 | "Service" / WString, 16 | "DWORD" / Int32ul, 17 | "Started" / Int8ul 18 | ) 19 | 20 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_OOBE_Machine_Plugins_Wireless.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-OOBE-Machine-Plugins-Wireless 4 | GUID : 0f352580-e9e2-46c2-8336-6ac66e986416 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("0f352580-e9e2-46c2-8336-6ac66e986416"), event_id=5111, version=0) 13 | class Microsoft_Windows_OOBE_Machine_Plugins_Wireless_5111_0(Etw): 14 | pattern = Struct( 15 | "DWORD" / Int32ul 16 | ) 17 | 18 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_OneBackup.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-OneBackup 4 | GUID : 72561cf0-c85c-4f78-9e8d-cba9093df62d 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("72561cf0-c85c-4f78-9e8d-cba9093df62d"), event_id=1000, version=0) 13 | class Microsoft_Windows_OneBackup_1000_0(Etw): 14 | pattern = Struct( 15 | "Message" / WString 16 | ) 17 | 18 | 19 | 
@declare(guid=guid("72561cf0-c85c-4f78-9e8d-cba9093df62d"), event_id=1001, version=0)
class Microsoft_Windows_OneBackup_1001_0(Etw):
    """Payload layout for OneBackup event 1001, version 0: a single free-text ``Message``."""
    pattern = Struct(
        "Message" / WString
    )


@declare(guid=guid("72561cf0-c85c-4f78-9e8d-cba9093df62d"), event_id=1002, version=0)
class Microsoft_Windows_OneBackup_1002_0(Etw):
    """Payload layout for OneBackup event 1002, version 0: a single free-text ``Message``."""
    pattern = Struct(
        "Message" / WString
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_PerfDisk.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-PerfDisk
GUID : 7f9d83de-8abb-457f-98e8-4ad161449ecc

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("7f9d83de-8abb-457f-98e8-4ad161449ecc"), event_id=1000, version=1)
class Microsoft_Windows_PerfDisk_1000_1(Etw):
    """Payload layout for PerfDisk event 1000, version 1: one 32-bit status code.

    Decoded as unsigned, so an NTSTATUS failure code shows up as a large
    positive value (e.g. 0xC0000022), not a negative one.
    """
    pattern = Struct(
        "NTSTATUS" / Int32ul
    )


@declare(guid=guid("7f9d83de-8abb-457f-98e8-4ad161449ecc"), event_id=2000, version=1)
class Microsoft_Windows_PerfDisk_2000_1(Etw):
    """Payload layout for PerfDisk event 2000, version 1: one u32 Win32 error code."""
    pattern = Struct(
        "Win32Error" / Int32ul
    )


@declare(guid=guid("7f9d83de-8abb-457f-98e8-4ad161449ecc"), event_id=2001, version=1)
class Microsoft_Windows_PerfDisk_2001_1(Etw):
    """Payload layout for PerfDisk event 2001, version 1: one u32 Win32 error code."""
    pattern = Struct(
        "Win32Error" / Int32ul
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_PrintService_USBMon.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-PrintService-USBMon
GUID : 
7f812073-b28d-4afc-9ced-b8010f914ef6

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("7f812073-b28d-4afc-9ced-b8010f914ef6"), event_id=1, version=0)
class Microsoft_Windows_PrintService_USBMon_1_0(Etw):
    """Payload layout for PrintService-USBMon event 1, version 0: printer name and a file path."""
    pattern = Struct(
        "PrinterName" / WString,
        "FilePath" / WString
    )


@declare(guid=guid("7f812073-b28d-4afc-9ced-b8010f914ef6"), event_id=2, version=0)
class Microsoft_Windows_PrintService_USBMon_2_0(Etw):
    """Payload layout for PrintService-USBMon event 2, version 0: printer name and a file path."""
    pattern = Struct(
        "PrinterName" / WString,
        "FilePath" / WString
    )


@declare(guid=guid("7f812073-b28d-4afc-9ced-b8010f914ef6"), event_id=11, version=0)
class Microsoft_Windows_PrintService_USBMon_11_0(Etw):
    """Payload layout for PrintService-USBMon event 11, version 0.

    u32 HRESULT, a free-text error string, and the u32 source line that failed.
    """
    pattern = Struct(
        "HResult" / Int32ul,
        "ErrorText" / WString,
        "FailingLine" / Int32ul
    )


@declare(guid=guid("7f812073-b28d-4afc-9ced-b8010f914ef6"), event_id=12, version=0)
class Microsoft_Windows_PrintService_USBMon_12_0(Etw):
    """Payload layout for PrintService-USBMon event 12, version 0: u32 HRESULT and error text."""
    pattern = Struct(
        "HResult" / Int32ul,
        "ErrorText" / WString
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_ProcessExitMonitor.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-ProcessExitMonitor
GUID : fd771d53-8492-4057-8e35-8c02813af49b

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("fd771d53-8492-4057-8e35-8c02813af49b"), event_id=3000, version=0)
class Microsoft_Windows_ProcessExitMonitor_3000_0(Etw):
    """Payload layout for ProcessExitMonitor event 3000, version 0.

    Three strings with only positional manifest names (param1..param3); what
    each one carries is not recoverable from this definition.
    """
    pattern = Struct(
        "param1" / WString,
        "param2" / WString,
        "param3" / WString
    )


@declare(guid=guid("fd771d53-8492-4057-8e35-8c02813af49b"), event_id=3001, version=0)
class Microsoft_Windows_ProcessExitMonitor_3001_0(Etw):
    """Payload layout for ProcessExitMonitor event 3001, version 0: four positional strings (param1..param4)."""
    pattern = Struct(
        "param1" / WString,
        "param2" / WString,
        "param3" / WString,
        "param4" / WString
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Processor_Aggregator.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Processor-Aggregator
GUID : cba16cf2-2fab-49f8-89ae-894e718649e7

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("cba16cf2-2fab-49f8-89ae-894e718649e7"), event_id=1, version=0)
class Microsoft_Windows_Processor_Aggregator_1_0(Etw):
    """Payload layout for Processor-Aggregator event 1, version 0: u32 processor count."""
    pattern = Struct(
        "NumProcessors" / Int32ul
    )


@declare(guid=guid("cba16cf2-2fab-49f8-89ae-894e718649e7"), event_id=2, version=0)
class Microsoft_Windows_Processor_Aggregator_2_0(Etw):
    """Payload layout for Processor-Aggregator event 2, version 0: requested/acknowledged u32 values and a u8 success flag."""
    pattern = Struct(
        "Requested" / Int32ul,
        "Acknowledged" / Int32ul,
        "IsSuccess" / Int8ul
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_RPCSS.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-RPCSS
GUID : 
d8975f88-7ddb-4ed0-91bf-3adf48c48e0c

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("d8975f88-7ddb-4ed0-91bf-3adf48c48e0c"), event_id=1, version=1)
class Microsoft_Windows_RPCSS_1_1(Etw):
    """Payload layout for RPCSS event 1, version 1.

    A u16 detection-location code, a u32 status and two u32 extra values;
    the meaning of the location code is not given by this definition.
    """
    pattern = Struct(
        "DetectionLocation" / Int16ul,
        "Status" / Int32ul,
        "AdditionalData1" / Int32ul,
        "AdditionalData2" / Int32ul
    )


@declare(guid=guid("d8975f88-7ddb-4ed0-91bf-3adf48c48e0c"), event_id=2, version=1)
class Microsoft_Windows_RPCSS_2_1(Etw):
    """Payload layout for RPCSS event 2, version 1.

    Interface and object GUIDs plus the protocol and endpoint strings; the
    string fields are NUL-terminated narrow strings (CString), not WString.
    Events 2 and 3 share this layout, so a consumer can key on the
    (InterfaceUUID, Protocol, EndPoint) triple for both.
    """
    pattern = Struct(
        "InterfaceUUID" / Guid,
        "ObjectUUID" / Guid,
        "Protocol" / CString,
        "EndPoint" / CString
    )


@declare(guid=guid("d8975f88-7ddb-4ed0-91bf-3adf48c48e0c"), event_id=3, version=1)
class Microsoft_Windows_RPCSS_3_1(Etw):
    """Payload layout for RPCSS event 3, version 1 (same fields as event 2)."""
    pattern = Struct(
        "InterfaceUUID" / Guid,
        "ObjectUUID" / Guid,
        "Protocol" / CString,
        "EndPoint" / CString
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_RPC_FirewallManager.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-RPC-FirewallManager
GUID : f997cd11-0fc9-4ab4-acba-bc742a4c0dd3

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("f997cd11-0fc9-4ab4-acba-bc742a4c0dd3"), event_id=2, version=0)
class Microsoft_Windows_RPC_FirewallManager_2_0(Etw):
    """Payload layout for RPC-FirewallManager event 2, version 0: a filter key and an error status, both as strings.

    Events 2, 3 and 4 of this provider share the same two fields.
    """
    pattern = Struct(
        "FilterKey" / WString,
        "ErrorStatus" / WString
    )


@declare(guid=guid("f997cd11-0fc9-4ab4-acba-bc742a4c0dd3"), event_id=3, version=0)
class Microsoft_Windows_RPC_FirewallManager_3_0(Etw):
    """Payload layout for RPC-FirewallManager event 3, version 0 (same fields as event 2)."""
    pattern = Struct(
        "FilterKey" / WString,
        "ErrorStatus" / WString
    )


@declare(guid=guid("f997cd11-0fc9-4ab4-acba-bc742a4c0dd3"), event_id=4, version=0)
class Microsoft_Windows_RPC_FirewallManager_4_0(Etw):
    """Payload layout for RPC-FirewallManager event 4, version 0 (same fields as event 2)."""
    pattern = Struct(
        "FilterKey" / WString,
        "ErrorStatus" / WString
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_RPC_Proxy_LBS.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-RPC-Proxy-LBS
GUID : 272a979b-34b5-48ec-94f5-7225a59c85a0

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("272a979b-34b5-48ec-94f5-7225a59c85a0"), event_id=1, version=1)
class Microsoft_Windows_RPC_Proxy_LBS_1_1(Etw):
    """Payload layout for RPC-Proxy-LBS event 1, version 1: a user name string."""
    pattern = Struct(
        "UserName" / WString
    )


@declare(guid=guid("272a979b-34b5-48ec-94f5-7225a59c85a0"), event_id=2, version=1)
class Microsoft_Windows_RPC_Proxy_LBS_2_1(Etw):
    """Payload layout for RPC-Proxy-LBS event 2, version 1: a server name and a u32 status."""
    pattern = Struct(
        "ServerName" / WString,
        "Status" / Int32ul
    )


@declare(guid=guid("272a979b-34b5-48ec-94f5-7225a59c85a0"), event_id=3, version=1)
class Microsoft_Windows_RPC_Proxy_LBS_3_1(Etw):
    """Payload layout for RPC-Proxy-LBS event 3, version 1: a user name and a server-list string.

    ServerList is a single string; any separator between entries is not
    defined here and has to be taken from the provider's manifest.
    """
    pattern = Struct(
        "UserName" / WString,
        "ServerList" / WString
    )


@declare(guid=guid("272a979b-34b5-48ec-94f5-7225a59c85a0"), event_id=4, version=1)
class Microsoft_Windows_RPC_Proxy_LBS_4_1(Etw):
    """Payload layout for RPC-Proxy-LBS event 4, version 1: a server name string."""
    pattern = Struct(
        "ServerName" / WString
    )


@declare(guid=guid("272a979b-34b5-48ec-94f5-7225a59c85a0"), event_id=5, version=1)
class Microsoft_Windows_RPC_Proxy_LBS_5_1(Etw):
    """Payload layout for RPC-Proxy-LBS event 5, version 1: a server name string."""
    pattern = Struct(
        "ServerName" / WString
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_RasServer.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-RasServer
GUID : 29d13147-1c2e-48ec-9994-e29dfe496eb3

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("29d13147-1c2e-48ec-9994-e29dfe496eb3"), event_id=50010, version=0)
class Microsoft_Windows_RasServer_50010_0(Etw):
    """Payload layout for RasServer event 50010, version 0: two positional strings (param1, param2)."""
    pattern = Struct(
        "param1" / WString,
        "param2" / WString
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Ras_NdisWanPacketCapture.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Ras-NdisWanPacketCapture
GUID : d84521f7-2235-4237-a7c0-14e3a9676286

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
Events 5001 and 5002 carry a raw packet fragment whose length is read from the
payload itself (see the ``Fragment`` field).
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("d84521f7-2235-4237-a7c0-14e3a9676286"), event_id=5001, version=0)
class Microsoft_Windows_Ras_NdisWanPacketCapture_5001_0(Etw):
    """Payload layout for Ras-NdisWanPacketCapture event 5001, version 0.

    Routing-domain id and RRAS user name strings, then a u32 byte count
    followed by that many raw bytes of captured packet data.
    """
    pattern = Struct(
        "RoutingDomainID" / WString,
        "RRASUserName" / WString,
        "FragmentSize" / Int32ul,
        # Length comes from the preceding field of the same (untrusted) record;
        # construct reads exactly FragmentSize bytes, so a truncated or corrupt
        # event surfaces as a parse error rather than a silently short fragment.
        "Fragment" / Bytes(lambda this: this.FragmentSize)
    )


@declare(guid=guid("d84521f7-2235-4237-a7c0-14e3a9676286"), event_id=5002, version=0)
class Microsoft_Windows_Ras_NdisWanPacketCapture_5002_0(Etw):
    """Payload layout for Ras-NdisWanPacketCapture event 5002, version 0 (same fields as event 5001)."""
    pattern = Struct(
        "RoutingDomainID" / WString,
        "RRASUserName" / WString,
        "FragmentSize" / Int32ul,
        # Same self-described length as in event 5001.
        "Fragment" / Bytes(lambda this: this.FragmentSize)
    )


@declare(guid=guid("d84521f7-2235-4237-a7c0-14e3a9676286"), event_id=5003, version=0)
class Microsoft_Windows_Ras_NdisWanPacketCapture_5003_0(Etw):
    """Payload layout for Ras-NdisWanPacketCapture event 5003, version 0: one positional string (param1)."""
    pattern = Struct(
        "param1" / WString
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_RemoteDesktopServices_RemoteFX_Synth3dvsc.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc
GUID : 3903d5b9-988d-4c31-9ccd-4022f96703f0

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("3903d5b9-988d-4c31-9ccd-4022f96703f0"), event_id=4, version=0)
class Microsoft_Windows_RemoteDesktopServices_RemoteFX_Synth3dvsc_4_0(Etw):
    """Payload layout for RemoteFX-Synth3dvsc event 4, version 0: u8 major and minor version numbers."""
    pattern = Struct(
        "MajorVersion" / Int8ul,
        "MinorVersion" / Int8ul
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_RemoteDesktopServices_SessionServices.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-RemoteDesktopServices-SessionServices
GUID : f1394de0-32c7-4a76-a6de-b245e48f4615

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("f1394de0-32c7-4a76-a6de-b245e48f4615"), event_id=1, version=0)
class Microsoft_Windows_RemoteDesktopServices_SessionServices_1_0(Etw):
    """Payload layout for RDS-SessionServices event 1, version 0: u32 monitor count."""
    pattern = Struct(
        "NumMonitors" / Int32ul
    )


@declare(guid=guid("f1394de0-32c7-4a76-a6de-b245e48f4615"), event_id=2, version=0)
class Microsoft_Windows_RemoteDesktopServices_SessionServices_2_0(Etw):
    """Payload layout for RDS-SessionServices event 2, version 0: u32 error code."""
    pattern = Struct(
        "ErrorCode" / Int32ul
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_ResetEng_Trace.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-ResetEng-Trace
GUID : 7fa514b5-a023-4b62-a6ab-2946a483e065

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("7fa514b5-a023-4b62-a6ab-2946a483e065"), event_id=10, version=0)
class Microsoft_Windows_ResetEng_Trace_10_0(Etw):
    """Payload layout for ResetEng-Trace event 10, version 0: a u8 ``OnlineUi`` value and a u32 page id."""
    pattern = Struct(
        "OnlineUi" / Int8ul,
        "PageId" / Int32ul
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_RetailDemo.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-RetailDemo
GUID : d3f29eda-805d-428a-9902-b259b937f84b

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("d3f29eda-805d-428a-9902-b259b937f84b"), event_id=200, version=0)
class Microsoft_Windows_RetailDemo_200_0(Etw):
    """Payload layout for RetailDemo event 200, version 0.

    Error state and phase as narrow NUL-terminated strings (CString, unlike the
    WString used by most providers here), followed by a u32 HRESULT.
    """
    pattern = Struct(
        "ErrorState" / CString,
        "ErrorPhase" / CString,
        "HRESULT" / Int32ul
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Runtime_Graphics.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Runtime-Graphics
GUID : fa5cf675-72eb-49e2-b447-de5552faff1c

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("fa5cf675-72eb-49e2-b447-de5552faff1c"), event_id=1, version=0)
class Microsoft_Windows_Runtime_Graphics_1_0(Etw):
    """Payload layout for Runtime-Graphics event 1, version 0: two u32 halves of a WNF state name."""
    pattern = Struct(
        "WnfStateNameData0" / Int32ul,
        "WnfStateNameData1" / Int32ul
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_SCPNP.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-SCPNP
GUID : 9f650c63-9409-453c-a652-83d7185a2e83

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils 
import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("9f650c63-9409-453c-a652-83d7185a2e83"), event_id=1000, version=0)
class Microsoft_Windows_SCPNP_1000_0(Etw):
    """Payload layout for SCPNP event 1000, version 0: smart-card reader name and a u32 error code."""
    pattern = Struct(
        "ReaderName" / WString,
        "ErrorCode" / Int32ul
    )


@declare(guid=guid("9f650c63-9409-453c-a652-83d7185a2e83"), event_id=1001, version=0)
class Microsoft_Windows_SCPNP_1001_0(Etw):
    """Payload layout for SCPNP event 1001, version 0: reader name and its friendly name."""
    pattern = Struct(
        "ReaderName" / WString,
        "FriendlyName" / WString
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Search_ProtocolHandlers.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Search-ProtocolHandlers
GUID : dab065a9-620f-45ba-b5d6-d6bb8efedee9

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("dab065a9-620f-45ba-b5d6-d6bb8efedee9"), event_id=58, version=0)
class Microsoft_Windows_Search_ProtocolHandlers_58_0(Etw):
    """Payload layout for Search-ProtocolHandlers event 58, version 0: a free-text description."""
    pattern = Struct(
        "Description" / WString
    )


@declare(guid=guid("dab065a9-620f-45ba-b5d6-d6bb8efedee9"), event_id=62, version=0)
class Microsoft_Windows_Search_ProtocolHandlers_62_0(Etw):
    """Payload layout for Search-ProtocolHandlers event 62, version 0: a free-text description."""
    pattern = Struct(
        "Description" / WString
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Security_Adminless.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Security-Adminless
GUID : ea216962-877b-5b73-f7c5-8aef5375959e

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("ea216962-877b-5b73-f7c5-8aef5375959e"), event_id=1, version=0)
class Microsoft_Windows_Security_Adminless_1_0(Etw):
    """Payload layout for Security-Adminless event 1, version 0.

    A u64 failure timestamp and a u32 hash identifying the failing call stack.
    The timestamp is decoded as a raw u64; NOTE(review): presumably a FILETIME
    (100 ns intervals since 1601) — confirm against the manifest before
    converting it for display.
    """
    pattern = Struct(
        "FailureTime" / Int64ul,
        "StackHash" / Int32ul
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Security_ExchangeActiveSyncProvisioning.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Security-ExchangeActiveSyncProvisioning
GUID : 9249d0d0-f034-402f-a29b-92fa8853d9f3

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("9249d0d0-f034-402f-a29b-92fa8853d9f3"), event_id=1, version=0)
class Microsoft_Windows_Security_ExchangeActiveSyncProvisioning_1_0(Etw):
    """Payload layout for Security-ExchangeActiveSyncProvisioning event 1, version 0: a DLL path string.

    Events 1 and 2 both carry only ``DllPath``; the path is worth keeping in
    any extracted record since it identifies which provisioning module was involved.
    """
    pattern = Struct(
        "DllPath" / WString
    )


@declare(guid=guid("9249d0d0-f034-402f-a29b-92fa8853d9f3"), event_id=2, version=0)
class Microsoft_Windows_Security_ExchangeActiveSyncProvisioning_2_0(Etw):
    """Payload layout for Security-ExchangeActiveSyncProvisioning event 2, version 0: a DLL path string."""
    pattern = Struct(
        "DllPath" / WString
    )


@declare(guid=guid("9249d0d0-f034-402f-a29b-92fa8853d9f3"), event_id=101, version=0)
class Microsoft_Windows_Security_ExchangeActiveSyncProvisioning_101_0(Etw):
    """Payload layout for Security-ExchangeActiveSyncProvisioning event 101, version 0: u32 time spent (units not given here)."""
    pattern = Struct(
        "TimeSpent" / Int32ul
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Security_LessPrivilegedAppContainer.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Security-LessPrivilegedAppContainer
GUID : 45eec9e5-4a1b-5446-7ad8-a4ab1313c437

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("45eec9e5-4a1b-5446-7ad8-a4ab1313c437"), event_id=1, version=0)
class Microsoft_Windows_Security_LessPrivilegedAppContainer_1_0(Etw):
    """Payload layout for Security-LessPrivilegedAppContainer event 1, version 0.

    Same two fields as Security-Adminless event 1: a raw u64 failure timestamp
    (NOTE(review): presumably FILETIME — confirm) and a u32 stack hash.
    """
    pattern = Struct(
        "FailureTime" / Int64ul,
        "StackHash" / Int32ul
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Security_SPP_UX_GenuineCenter_Logging.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging
GUID : fb829150-cd7d-44c3-af5b-711a3c31cedc

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("fb829150-cd7d-44c3-af5b-711a3c31cedc"), event_id=200, version=0)
class Microsoft_Windows_Security_SPP_UX_GenuineCenter_Logging_200_0(Etw):
    """Payload layout for SPP-UX-GenuineCenter-Logging event 200, version 0: one string (``shKernelCacheValues``)."""
    pattern = Struct(
        "shKernelCacheValues" / WString
    )


@declare(guid=guid("fb829150-cd7d-44c3-af5b-711a3c31cedc"), event_id=201, version=0)
class Microsoft_Windows_Security_SPP_UX_GenuineCenter_Logging_201_0(Etw):
    """Payload layout for SPP-UX-GenuineCenter-Logging event 201, version 0: the error code carried as a string, not an integer."""
    pattern = Struct(
        "shErrorCode" / WString
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Security_SPP_UX_Notifications.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Security-SPP-UX-Notifications
GUID : c4efc9bb-2570-4821-8923-1bad317d2d4b

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("c4efc9bb-2570-4821-8923-1bad317d2d4b"), event_id=100, version=0)
class Microsoft_Windows_Security_SPP_UX_Notifications_100_0(Etw):
    """Payload layout for SPP-UX-Notifications event 100, version 0: one u32 state id."""
    pattern = Struct(
        "hc_stateid" / Int32ul
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Security_UserConsentVerifier.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Security-UserConsentVerifier
GUID : 40783728-8921-45d0-b231-919037b4b4fd

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("40783728-8921-45d0-b231-919037b4b4fd"), event_id=100, version=0)
class Microsoft_Windows_Security_UserConsentVerifier_100_0(Etw):
    """Payload layout for Security-UserConsentVerifier event 100, version 0.

    The requesting app's name and the message it asked the verifier to show;
    both are caller-supplied strings and should be treated as such when rendered.
    """
    pattern = Struct(
        "AppName" / WString,
        "AppMessage" / WString
    )


@declare(guid=guid("40783728-8921-45d0-b231-919037b4b4fd"), event_id=101, version=0)
class Microsoft_Windows_Security_UserConsentVerifier_101_0(Etw):
    """Payload layout for Security-UserConsentVerifier event 101, version 0.

    Same app name/message as event 100 plus a u32 ``VerificationResult``; the
    value-to-outcome mapping is not part of this definition.
    """
    pattern = Struct(
        "AppName" / WString,
        "AppMessage" / WString,
        "VerificationResult" / Int32ul
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_ServiceReportingApi.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-ServiceReportingApi
GUID : 606a6a38-70ec-4309-b3a3-82ff86f73329

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("606a6a38-70ec-4309-b3a3-82ff86f73329"), event_id=1, version=0)
class Microsoft_Windows_ServiceReportingApi_1_0(Etw):
    """Payload layout for ServiceReportingApi event 1, version 0: a debug trace record.

    Source file and function names, the line number as a *signed* 32-bit
    value (Int32sl, the only signed integer field in this group of providers),
    and the debug message text.
    """
    pattern = Struct(
        "FileName" / WString,
        "FunctionName" / WString,
        "LineNumber" / Int32sl,
        "DebugMessage" / WString
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_ServiceTriggerPerfEventProvider.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-ServiceTriggerPerfEventProvider
GUID : 6545939f-3398-411a-88b7-6a8914b8cec7

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
Events 1, 2 and 3 share the same two fields.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("6545939f-3398-411a-88b7-6a8914b8cec7"), event_id=1, version=0)
class Microsoft_Windows_ServiceTriggerPerfEventProvider_1_0(Etw):
    """Payload layout for ServiceTriggerPerfEventProvider event 1, version 0: trigger sub-type and trigger data strings."""
    pattern = Struct(
        "TriggerSubType" / WString,
        "TriggerData" / WString
    )


@declare(guid=guid("6545939f-3398-411a-88b7-6a8914b8cec7"), event_id=2, version=0)
class Microsoft_Windows_ServiceTriggerPerfEventProvider_2_0(Etw):
    """Payload layout for ServiceTriggerPerfEventProvider event 2, version 0 (same fields as event 1)."""
    pattern = Struct(
        "TriggerSubType" / WString,
        "TriggerData" / WString
    )


@declare(guid=guid("6545939f-3398-411a-88b7-6a8914b8cec7"), event_id=3, version=0)
class Microsoft_Windows_ServiceTriggerPerfEventProvider_3_0(Etw):
    """Payload layout for ServiceTriggerPerfEventProvider event 3, version 0 (same fields as event 1)."""
    pattern = Struct(
        "TriggerSubType" / WString,
        "TriggerData" / WString
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Services.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Services
GUID : 0063715b-eeda-4007-9429-ad526f62696e

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("0063715b-eeda-4007-9429-ad526f62696e"), event_id=103, version=0)
class Microsoft_Windows_Services_103_0(Etw):
    """Payload layout for Services event 103, version 0: a service group name."""
    pattern = Struct(
        "GroupName" / WString
    )


@declare(guid=guid("0063715b-eeda-4007-9429-ad526f62696e"), event_id=104, version=0)
class Microsoft_Windows_Services_104_0(Etw):
    """Payload layout for Services event 104, version 0: a service group name."""
    pattern = Struct(
        "GroupName" / WString
    )


@declare(guid=guid("0063715b-eeda-4007-9429-ad526f62696e"), event_id=105, version=0)
class Microsoft_Windows_Services_105_0(Etw):
    """Payload layout for Services event 105, version 0: a per-service state record.

    Four u32 values (execution phase, current state, start type, PID) followed
    by the service name and its image name. The pairing of ServiceName with
    ImageName and PID makes this event useful for reconciling a service
    inventory against what actually ran in the trace; the numeric codes are
    the SCM's own enumerations and are not decoded here.
    """
    pattern = Struct(
        "ExecutionPhase" / Int32ul,
        "CurrentState" / Int32ul,
        "StartType" / Int32ul,
        "PID" / Int32ul,
        "ServiceName" / WString,
        "ImageName" / WString
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Services_Svchost.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Services-Svchost
GUID : 06184c97-5201-480e-92af-3a3626c5b140

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("06184c97-5201-480e-92af-3a3626c5b140"), event_id=101, version=0)
class Microsoft_Windows_Services_Svchost_101_0(Etw):
    """Payload layout for Services-Svchost event 101, version 0: the hosted service's name."""
    pattern = Struct(
        "ServiceName" / WString
    )


@declare(guid=guid("06184c97-5201-480e-92af-3a3626c5b140"), event_id=102, version=0)
class Microsoft_Windows_Services_Svchost_102_0(Etw):
    """Payload layout for Services-Svchost event 102, version 0: the hosted service's name."""
    pattern = Struct(
        "ServiceName" / WString
    )

-------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_SetupQueue.py: --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-SetupQueue
GUID : a615acb9-d5a4-4738-b561-1df301d207f8

One class per (event_id, version); ``@declare`` binds the class to the provider
GUID and ``pattern`` describes the event payload as a construct Struct.
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("a615acb9-d5a4-4738-b561-1df301d207f8"), event_id=1001, version=0)
class Microsoft_Windows_SetupQueue_1001_0(Etw):
    """Payload layout for SetupQueue event 1001, version 0: the queued command line as one string."""
    pattern = Struct(
        "Command" / WString
    )


# (continued) /etl/parsers/etw/Microsoft_Windows_SetupQueue.py
_PROVIDER = "a615acb9-d5a4-4738-b561-1df301d207f8"


@declare(guid=guid(_PROVIDER), event_id=1002, version=0)
class Microsoft_Windows_SetupQueue_1002_0(Etw):
    """Event 1002, version 0: a single ErrorCode."""
    pattern = Struct(
        "ErrorCode" / Int32ul,
    )


@declare(guid=guid(_PROVIDER), event_id=1003, version=0)
class Microsoft_Windows_SetupQueue_1003_0(Etw):
    """Event 1003, version 0: same layout as event 1002."""
    pattern = Struct(
        "ErrorCode" / Int32ul,
    )


# ---- /etl/parsers/etw/Microsoft_Windows_Shell_ConnectedAccountState.py ----
# -*- coding: utf-8 -*-
"""Payload layouts for the Microsoft-Windows-Shell-ConnectedAccountState ETW provider.

Provider GUID: 6df57621-e7e4-410f-a7e9-e43eeb61b11f
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

_PROVIDER = "6df57621-e7e4-410f-a7e9-e43eeb61b11f"


@declare(guid=guid(_PROVIDER), event_id=100, version=0)
class Microsoft_Windows_Shell_ConnectedAccountState_100_0(Etw):
    """Event 100, version 0: a single hc_stateid value."""
    pattern = Struct(
        "hc_stateid" / Int32ul,
    )


# ---- /etl/parsers/etw/Microsoft_Windows_Shell_OpenWith.py ----
# -*- coding: utf-8 -*-
"""Payload layouts for the Microsoft-Windows-Shell-OpenWith ETW provider.

Provider GUID: 11bd2a68-77ff-4991-9658-f451f2eb6ce1
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Provider GUID shared by every event class in this module.
_PROVIDER = "11bd2a68-77ff-4991-9658-f451f2eb6ce1"


@declare(guid=guid(_PROVIDER), event_id=103, version=0)
class Microsoft_Windows_Shell_OpenWith_103_0(Etw):
    """Event 103, version 0: the open-with target and a one-byte TargetIsURL flag."""
    pattern = Struct(
        "Target" / WString,
        "TargetIsURL" / Int8ul,
    )


@declare(guid=guid(_PROVIDER), event_id=104, version=0)
class Microsoft_Windows_Shell_OpenWith_104_0(Etw):
    """Event 104, version 0: a single HRESULT."""
    pattern = Struct(
        "HRESULT" / Int32ul,
    )


# ---- /etl/parsers/etw/Microsoft_Windows_SmartCard_Audit.py ----
# -*- coding: utf-8 -*-
"""Payload layouts for the Microsoft-Windows-SmartCard-Audit ETW provider.

Provider GUID: 09ac07b9-6ac9-43bc-a50f-58419a797c69
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Provider GUID shared by every event class in this module.
_PROVIDER = "09ac07b9-6ac9-43bc-a50f-58419a797c69"


@declare(guid=guid(_PROVIDER), event_id=100, version=0)
class Microsoft_Windows_SmartCard_Audit_100_0(Etw):
    """Event 100, version 0: a process name and its ProcessId."""
    pattern = Struct(
        "Process" / WString,
        "ProcessId" / Int32ul,
    )


@declare(guid=guid(_PROVIDER), event_id=101, version=0)
class Microsoft_Windows_SmartCard_Audit_101_0(Etw):
    """Event 101, version 0: same layout as event 100."""
    pattern = Struct(
        "Process" / WString,
        "ProcessId" / Int32ul,
    )


# ---- /etl/parsers/etw/Microsoft_Windows_SmartCard_DeviceEnum.py ----
# -*- coding: utf-8 -*-
"""Payload layouts for the Microsoft-Windows-SmartCard-DeviceEnum ETW provider.

Provider GUID: aaeac398-3028-487c-9586-44eacad03637
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Provider GUID shared by every event class in this module.
_PROVIDER = "aaeac398-3028-487c-9586-44eacad03637"


@declare(guid=guid(_PROVIDER), event_id=99, version=0)
class Microsoft_Windows_SmartCard_DeviceEnum_99_0(Etw):
    """Event 99, version 0: a device instance path and a signed ErrorCode."""
    pattern = Struct(
        "InstancePath" / WString,
        "ErrorCode" / Int32sl,
    )


@declare(guid=guid(_PROVIDER), event_id=100, version=0)
class Microsoft_Windows_SmartCard_DeviceEnum_100_0(Etw):
    """Event 100, version 0: same layout as event 99."""
    pattern = Struct(
        "InstancePath" / WString,
        "ErrorCode" / Int32sl,
    )


@declare(guid=guid(_PROVIDER), event_id=101, version=0)
class Microsoft_Windows_SmartCard_DeviceEnum_101_0(Etw):
    """Event 101, version 0: a device instance path and a SessionId."""
    pattern = Struct(
        "InstancePath" / WString,
        "SessionId" / Int32ul,
    )


@declare(guid=guid(_PROVIDER), event_id=102, version=0)
class Microsoft_Windows_SmartCard_DeviceEnum_102_0(Etw):
    """Event 102, version 0: same layout as event 101."""
    pattern = Struct(
        "InstancePath" / WString,
        "SessionId" / Int32ul,
    )


# ---- /etl/parsers/etw/Microsoft_Windows_Smartcard_Trigger.py ----
# -*- coding: utf-8 -*-
"""Payload layouts for the Microsoft-Windows-Smartcard-Trigger ETW provider.

Provider GUID: aedd909f-41c6-401a-9e41-dfc33006af5d
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

_PROVIDER = "aedd909f-41c6-401a-9e41-dfc33006af5d"


@declare(guid=guid(_PROVIDER), event_id=1000, version=0)
class Microsoft_Windows_Smartcard_Trigger_1000_0(Etw):
    """Event 1000, version 0: a single GUID field, ScDeviceEnumGuid."""
    pattern = Struct(
        "ScDeviceEnumGuid" / Guid,
    )


# ---- /etl/parsers/etw/Microsoft_Windows_SmbWmiProvider.py ----
# -*- coding: utf-8 -*-
"""Payload layouts for the Microsoft-Windows-SmbWmiProvider ETW provider.

Provider GUID: 50b9e206-9d55-4092-92e8-f157a8235799
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Provider GUID shared by every event class in this module.
_PROVIDER = "50b9e206-9d55-4092-92e8-f157a8235799"


@declare(guid=guid(_PROVIDER), event_id=0, version=0)
class Microsoft_Windows_SmbWmiProvider_0_0(Etw):
    """Event 0, version 0: a function name with MI and Win32 error codes."""
    pattern = Struct(
        "FunctionName" / WString,
        "MiError" / Int32ul,
        "Win32Error" / Int32ul,
    )


@declare(guid=guid(_PROVIDER), event_id=1, version=0)
class Microsoft_Windows_SmbWmiProvider_1_0(Etw):
    """Event 1, version 0: a free-form Message string."""
    pattern = Struct(
        "Message" / WString,
    )


# ---- /etl/parsers/etw/Microsoft_Windows_Speech_TTS.py ----
# -*- coding: utf-8 -*-
"""Payload layouts for the Microsoft-Windows-Speech-TTS ETW provider.

Provider GUID: 74dcc47a-846e-4c98-9e2c-80043ed82b15
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Provider GUID shared by every event class in this module; events 1-5 all
# carry the same single 64-bit Instance field.
_PROVIDER = "74dcc47a-846e-4c98-9e2c-80043ed82b15"


@declare(guid=guid(_PROVIDER), event_id=1, version=0)
class Microsoft_Windows_Speech_TTS_1_0(Etw):
    """Event 1, version 0: a single 64-bit Instance field."""
    pattern = Struct(
        "Instance" / Int64ul,
    )


@declare(guid=guid(_PROVIDER), event_id=2, version=0)
class Microsoft_Windows_Speech_TTS_2_0(Etw):
    """Event 2, version 0: a single 64-bit Instance field."""
    pattern = Struct(
        "Instance" / Int64ul,
    )


@declare(guid=guid(_PROVIDER), event_id=3, version=0)
class Microsoft_Windows_Speech_TTS_3_0(Etw):
    """Event 3, version 0: a single 64-bit Instance field."""
    pattern = Struct(
        "Instance" / Int64ul,
    )


@declare(guid=guid(_PROVIDER), event_id=4, version=0)
class Microsoft_Windows_Speech_TTS_4_0(Etw):
    """Event 4, version 0: a single 64-bit Instance field."""
    pattern = Struct(
        "Instance" / Int64ul,
    )


@declare(guid=guid(_PROVIDER), event_id=5, version=0)
class Microsoft_Windows_Speech_TTS_5_0(Etw):
    """Event 5, version 0: a single 64-bit Instance field."""
    pattern = Struct(
        "Instance" / Int64ul,
    )


# ---- /etl/parsers/etw/Microsoft_Windows_Speech_UserExperience.py ----
# -*- coding: utf-8 -*-
"""Payload layouts for the Microsoft-Windows-Speech-UserExperience ETW provider.

Provider GUID: 13480a22-d79f-4334-9d32-aa239398ad3c
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Provider GUID shared by every event class in this module.
_PROVIDER = "13480a22-d79f-4334-9d32-aa239398ad3c"


@declare(guid=guid(_PROVIDER), event_id=68, version=0)
class Microsoft_Windows_Speech_UserExperience_68_0(Etw):
    """Event 68, version 0: a single State value."""
    pattern = Struct(
        "State" / Int32ul,
    )


@declare(guid=guid(_PROVIDER), event_id=69, version=0)
class Microsoft_Windows_Speech_UserExperience_69_0(Etw):
    """Event 69, version 0: same layout as event 68."""
    pattern = Struct(
        "State" / Int32ul,
    )


@declare(guid=guid(_PROVIDER), event_id=123, version=0)
class Microsoft_Windows_Speech_UserExperience_123_0(Etw):
    """Event 123, version 0: three 32-bit counters."""
    pattern = Struct(
        "ElementsExamined" / Int32ul,
        "ElementsAdded" / Int32ul,
        "CrossProcCalls" / Int32ul,
    )


@declare(guid=guid(_PROVIDER), event_id=141, version=0)
class Microsoft_Windows_Speech_UserExperience_141_0(Etw):
    """Event 141, version 0: a Count/Index pair followed by an Item string."""
    pattern = Struct(
        "Count" / Int32ul,
        "Index" / Int32ul,
        "Item" / WString,
    )


# ---- /etl/parsers/etw/Microsoft_Windows_SpellChecker.py ----
# -*- coding: utf-8 -*-
"""Payload layouts for the Microsoft-Windows-SpellChecker ETW provider.

Provider GUID: b2fcd41f-9a40-4150-8c92-b224b7d8c8aa
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Provider GUID shared by every event class in this module.
_PROVIDER = "b2fcd41f-9a40-4150-8c92-b224b7d8c8aa"


@declare(guid=guid(_PROVIDER), event_id=1, version=0)
class Microsoft_Windows_SpellChecker_1_0(Etw):
    """Event 1, version 0: a single WordlistType value."""
    pattern = Struct(
        "WordlistType" / Int32ul,
    )


@declare(guid=guid(_PROVIDER), event_id=2, version=0)
class Microsoft_Windows_SpellChecker_2_0(Etw):
    """Event 2, version 0: same layout as event 1."""
    pattern = Struct(
        "WordlistType" / Int32ul,
    )


@declare(guid=guid(_PROVIDER), event_id=33, version=0)
class Microsoft_Windows_SpellChecker_33_0(Etw):
    """Event 33, version 0: two strings and a signed hr result."""
    pattern = Struct(
        "First" / WString,
        "Second" / WString,
        "hr" / Int32sl,
    )


# ---- /etl/parsers/etw/Microsoft_Windows_Spellchecking_Host.py ----
# -*- coding: utf-8 -*-
"""Payload layouts for the Microsoft-Windows-Spellchecking-Host ETW provider.

Provider GUID: 1bda2ab1-bbc1-4acb-a849-c0ef2b249672
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Provider GUID shared by every event class in this module.
_PROVIDER = "1bda2ab1-bbc1-4acb-a849-c0ef2b249672"


@declare(guid=guid(_PROVIDER), event_id=0, version=0)
class Microsoft_Windows_Spellchecking_Host_0_0(Etw):
    """Event 0, version 0: a clsid GUID and an hresult."""
    pattern = Struct(
        "clsid" / Guid,
        "hresult" / Int32ul,
    )


@declare(guid=guid(_PROVIDER), event_id=1, version=0)
class Microsoft_Windows_Spellchecking_Host_1_0(Etw):
    """Event 1, version 0: a string and an hresult."""
    pattern = Struct(
        "string" / WString,
        "hresult" / Int32ul,
    )


@declare(guid=guid(_PROVIDER), event_id=2, version=0)
class Microsoft_Windows_Spellchecking_Host_2_0(Etw):
    """Event 2, version 0: a Wordlist id, a String and an Hresult."""
    pattern = Struct(
        "Wordlist" / Int32ul,
        "String" / WString,
        "Hresult" / Int32ul,
    )


@declare(guid=guid(_PROVIDER), event_id=3, version=0)
class Microsoft_Windows_Spellchecking_Host_3_0(Etw):
    """Event 3, version 0: a single Wordlist id."""
    pattern = Struct(
        "Wordlist" / Int32ul,
    )


@declare(guid=guid(_PROVIDER), event_id=4, version=0)
class Microsoft_Windows_Spellchecking_Host_4_0(Etw):
    """Event 4, version 0: same layout as event 3."""
    pattern = Struct(
        "Wordlist" / Int32ul,
    )


# ---- /etl/parsers/etw/Microsoft_Windows_StartLmhosts.py ----
# -*- coding: utf-8 -*-
"""Payload layouts for the Microsoft-Windows-StartLmhosts ETW provider.

Provider GUID: 2d7904d8-5c90-4209-ba6a-4c08f409934c
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

_PROVIDER = "2d7904d8-5c90-4209-ba6a-4c08f409934c"


@declare(guid=guid(_PROVIDER), event_id=1, version=0)
class Microsoft_Windows_StartLmhosts_1_0(Etw):
    """Event 1, version 0: a single GUID field, StartLmHostTrigger."""
    pattern = Struct(
        "StartLmHostTrigger" / Guid,
    )


# ---- /etl/parsers/etw/Microsoft_Windows_StorageManagement_WSP_FS.py ----
# -*- coding: utf-8 -*-
"""Payload layouts for the Microsoft-Windows-StorageManagement-WSP-FS ETW provider.

Provider GUID: 435f8e4b-8cc4-430e-9796-28cae4976576
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Provider GUID shared by every event class in this module; events 8448-8452
# all carry a single Parameter1 string.
_PROVIDER = "435f8e4b-8cc4-430e-9796-28cae4976576"


@declare(guid=guid(_PROVIDER), event_id=8448, version=0)
class Microsoft_Windows_StorageManagement_WSP_FS_8448_0(Etw):
    """Event 8448, version 0: a single Parameter1 string."""
    pattern = Struct(
        "Parameter1" / WString,
    )


@declare(guid=guid(_PROVIDER), event_id=8449, version=0)
class Microsoft_Windows_StorageManagement_WSP_FS_8449_0(Etw):
    """Event 8449, version 0: a single Parameter1 string."""
    pattern = Struct(
        "Parameter1" / WString,
    )


@declare(guid=guid(_PROVIDER), event_id=8450, version=0)
class Microsoft_Windows_StorageManagement_WSP_FS_8450_0(Etw):
    """Event 8450, version 0: a single Parameter1 string."""
    pattern = Struct(
        "Parameter1" / WString,
    )


@declare(guid=guid(_PROVIDER), event_id=8451, version=0)
class Microsoft_Windows_StorageManagement_WSP_FS_8451_0(Etw):
    """Event 8451, version 0: a single Parameter1 string."""
    pattern = Struct(
        "Parameter1" / WString,
    )


@declare(guid=guid(_PROVIDER), event_id=8452, version=0)
class Microsoft_Windows_StorageManagement_WSP_FS_8452_0(Etw):
    """Event 8452, version 0: a single Parameter1 string."""
    pattern = Struct(
        "Parameter1" / WString,
    )


# ---- /etl/parsers/etw/Microsoft_Windows_StorageManagement_WSP_Health.py ----
# -*- coding: utf-8 -*-
"""Payload layouts for the Microsoft-Windows-StorageManagement-WSP-Health ETW provider.

Provider GUID: b1f01d1a-ae3a-4940-81ee-ddccbad380ef
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Provider GUID shared by every event class in this module; events 8448-8452
# all carry a single Parameter1 string.
_PROVIDER = "b1f01d1a-ae3a-4940-81ee-ddccbad380ef"


@declare(guid=guid(_PROVIDER), event_id=8448, version=0)
class Microsoft_Windows_StorageManagement_WSP_Health_8448_0(Etw):
    """Event 8448, version 0: a single Parameter1 string."""
    pattern = Struct(
        "Parameter1" / WString,
    )


@declare(guid=guid(_PROVIDER), event_id=8449, version=0)
class Microsoft_Windows_StorageManagement_WSP_Health_8449_0(Etw):
    """Event 8449, version 0: a single Parameter1 string."""
    pattern = Struct(
        "Parameter1" / WString,
    )


@declare(guid=guid(_PROVIDER), event_id=8450, version=0)
class Microsoft_Windows_StorageManagement_WSP_Health_8450_0(Etw):
    """Event 8450, version 0: a single Parameter1 string."""
    pattern = Struct(
        "Parameter1" / WString,
    )


@declare(guid=guid(_PROVIDER), event_id=8451, version=0)
class Microsoft_Windows_StorageManagement_WSP_Health_8451_0(Etw):
    """Event 8451, version 0: a single Parameter1 string."""
    pattern = Struct(
        "Parameter1" / WString,
    )


@declare(guid=guid(_PROVIDER), event_id=8452, version=0)
class Microsoft_Windows_StorageManagement_WSP_Health_8452_0(Etw):
    """Event 8452, version 0: a single Parameter1 string."""
    pattern = Struct(
        "Parameter1" / WString,
    )


# ---- /etl/parsers/etw/Microsoft_Windows_StorageManagement_WSP_Host.py ----
# -*- coding: utf-8 -*-
"""Payload layouts for the Microsoft-Windows-StorageManagement-WSP-Host ETW provider.

Provider GUID: 595f33ea-d4af-4f4d-b4dd-9dacdd17fc6e
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

_PROVIDER = "595f33ea-d4af-4f4d-b4dd-9dacdd17fc6e"


@declare(guid=guid(_PROVIDER), event_id=1000, version=0)
class Microsoft_Windows_StorageManagement_WSP_Host_1000_0(Etw):
    """Event 1000, version 0: provider name and DLL path plus an ErrorCode and LoadPhase."""
    pattern = Struct(
        "ProviderName" / WString,
        "ProviderDLL" / WString,
        "ErrorCode" / Int32ul,
        "LoadPhase" / Int32ul,
    )


# ---- /etl/parsers/etw/Microsoft_Windows_StorageSpaces_ManagementAgent.py ----
# -*- coding: utf-8 -*-
"""Payload layouts for the Microsoft-Windows-StorageSpaces-ManagementAgent ETW provider.

Provider GUID: aa4c798d-d91b-4b07-a013-787f5803d6fc
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

_PROVIDER = "aa4c798d-d91b-4b07-a013-787f5803d6fc"


@declare(guid=guid(_PROVIDER), event_id=100, version=0)
class Microsoft_Windows_StorageSpaces_ManagementAgent_100_0(Etw):
    """Event 100, version 0: a single hc_stateid value."""
    pattern = Struct(
        "hc_stateid" / Int32ul,
    )


# ---- /etl/parsers/etw/Microsoft_Windows_StorageSpaces_SpaceManager.py ----
# -*- coding: utf-8 -*-
"""Payload layouts for the Microsoft-Windows-StorageSpaces-SpaceManager ETW provider.

Provider GUID: 69c8ca7e-1adf-472b-ba4c-a0485986b9f6
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Provider GUID shared by every event class in this module.
_PROVIDER = "69c8ca7e-1adf-472b-ba4c-a0485986b9f6"


@declare(guid=guid(_PROVIDER), event_id=100, version=0)
class Microsoft_Windows_StorageSpaces_SpaceManager_100_0(Etw):
    """Event 100, version 0: a Type/Tag pair."""
    pattern = Struct(
        "Type" / Int32ul,
        "Tag" / Int32ul,
    )


@declare(guid=guid(_PROVIDER), event_id=101, version=0)
class Microsoft_Windows_StorageSpaces_SpaceManager_101_0(Etw):
    """Event 101, version 0: the Type/Tag pair of event 100 plus kernel- and user-mode status codes."""
    pattern = Struct(
        "Type" / Int32ul,
        "Tag" / Int32ul,
        "KernelModeStatus" / Int32ul,
        "UserModeStatus" / Int32ul,
    )


# ---- /etl/parsers/etw/Microsoft_Windows_Subsys_Csr.py ----
# -*- coding: utf-8 -*-
"""Payload layouts for the Microsoft-Windows-Subsys-Csr ETW provider.

Provider GUID: e8316a2d-0d94-4f52-85dd-1e15b66c5891
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Provider GUID shared by every event class in this module.
_PROVIDER = "e8316a2d-0d94-4f52-85dd-1e15b66c5891"


@declare(guid=guid(_PROVIDER), event_id=3, version=0)
class Microsoft_Windows_Subsys_Csr_3_0(Etw):
    """Event 3, version 0: a ProcessId with Level and Flags values."""
    pattern = Struct(
        "ProcessId" / Int32ul,
        "Level" / Int32ul,
        "Flags" / Int32ul,
    )


# (continued) /etl/parsers/etw/Microsoft_Windows_Subsys_Csr.py
_PROVIDER = "e8316a2d-0d94-4f52-85dd-1e15b66c5891"


@declare(guid=guid(_PROVIDER), event_id=4, version=0)
class Microsoft_Windows_Subsys_Csr_4_0(Etw):
    """Event 4, version 0: a single Status value."""
    pattern = Struct(
        "Status" / Int32ul,
    )


@declare(guid=guid(_PROVIDER), event_id=4, version=1)
class Microsoft_Windows_Subsys_Csr_4_1(Etw):
    """Event 4, version 1: adds a ProcessId after the Status of version 0.

    Both versions are registered for the same event id; the declared
    version selects which layout applies to a given record.
    """
    pattern = Struct(
        "Status" / Int32ul,
        "ProcessId" / Int32ul,
    )


# ---- /etl/parsers/etw/Microsoft_Windows_TZSync.py ----
# -*- coding: utf-8 -*-
"""Payload layouts for the Microsoft-Windows-TZSync ETW provider.

Provider GUID: 3527cb55-1298-49d4-ab94-1243db0fcaff
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Provider GUID shared by every event class in this module; events 7, 8 and 10
# all carry a single TimeZoneId string.
_PROVIDER = "3527cb55-1298-49d4-ab94-1243db0fcaff"


@declare(guid=guid(_PROVIDER), event_id=7, version=0)
class Microsoft_Windows_TZSync_7_0(Etw):
    """Event 7, version 0: a single TimeZoneId string."""
    pattern = Struct(
        "TimeZoneId" / WString,
    )


@declare(guid=guid(_PROVIDER), event_id=8, version=0)
class Microsoft_Windows_TZSync_8_0(Etw):
    """Event 8, version 0: a single TimeZoneId string."""
    pattern = Struct(
        "TimeZoneId" / WString,
    )


@declare(guid=guid(_PROVIDER), event_id=10, version=0)
class Microsoft_Windows_TZSync_10_0(Etw):
    """Event 10, version 0: a single TimeZoneId string."""
    pattern = Struct(
        "TimeZoneId" / WString,
    )


# ---- /etl/parsers/etw/Microsoft_Windows_TZUtil.py ----
# -*- coding: utf-8 -*-
"""Payload layouts for the Microsoft-Windows-TZUtil ETW provider.

Provider GUID: 2d318b91-e6e7-4c46-bd04-bfe6db412cf9
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Provider GUID shared by every event class in this module.
_PROVIDER = "2d318b91-e6e7-4c46-bd04-bfe6db412cf9"


@declare(guid=guid(_PROVIDER), event_id=1004, version=0)
class Microsoft_Windows_TZUtil_1004_0(Etw):
    """Event 1004, version 0: a TimeZone name with an ErrorCode and ErrorMessage."""
    pattern = Struct(
        "TimeZone" / WString,
        "ErrorCode" / Int32ul,
        "ErrorMessage" / WString,
    )


@declare(guid=guid(_PROVIDER), event_id=1005, version=0)
class Microsoft_Windows_TZUtil_1005_0(Etw):
    """Event 1005, version 0: a TimeZone name and an ErrorCode."""
    pattern = Struct(
        "TimeZone" / WString,
        "ErrorCode" / Int32ul,
    )


@declare(guid=guid(_PROVIDER), event_id=1006, version=0)
class Microsoft_Windows_TZUtil_1006_0(Etw):
    """Event 1006, version 0: same layout as event 1005."""
    pattern = Struct(
        "TimeZone" / WString,
        "ErrorCode" / Int32ul,
    )


@declare(guid=guid(_PROVIDER), event_id=1007, version=0)
class Microsoft_Windows_TZUtil_1007_0(Etw):
    """Event 1007, version 0: same layout as event 1005."""
    pattern = Struct(
        "TimeZone" / WString,
        "ErrorCode" / Int32ul,
    )


@declare(guid=guid(_PROVIDER), event_id=20001, version=0)
class Microsoft_Windows_TZUtil_20001_0(Etw):
    """Event 20001, version 0: a single TimeZone name."""
    pattern = Struct(
        "TimeZone" / WString,
    )


# ---- /etl/parsers/etw/Microsoft_Windows_Tethering_Station.py ----
# -*- coding: utf-8 -*-
"""Payload layouts for the Microsoft-Windows-Tethering-Station ETW provider.

Provider GUID: 585cab4f-9351-436e-9d99-dc4b41a20de0
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Provider GUID shared by every event class in this module.
_PROVIDER = "585cab4f-9351-436e-9d99-dc4b41a20de0"


@declare(guid=guid(_PROVIDER), event_id=1001, version=0)
class Microsoft_Windows_Tethering_Station_1001_0(Etw):
    """Event 1001, version 0: a single WlanInterfaceGuid."""
    pattern = Struct(
        "WlanInterfaceGuid" / Guid,
    )


@declare(guid=guid(_PROVIDER), event_id=1002, version=0)
class Microsoft_Windows_Tethering_Station_1002_0(Etw):
    """Event 1002, version 0: a WlanInterfaceGuid with Scenario and Result codes."""
    pattern = Struct(
        "WlanInterfaceGuid" / Guid,
        "Scenario" / Int32ul,
        "Result" / Int32ul,
    )


@declare(guid=guid(_PROVIDER), event_id=1003, version=0)
class Microsoft_Windows_Tethering_Station_1003_0(Etw):
    """Event 1003, version 0: same layout as event 1001."""
    pattern = Struct(
        "WlanInterfaceGuid" / Guid,
    )


# ---- /etl/parsers/etw/Microsoft_Windows_TimeBroker.py ----
# -*- coding: utf-8 -*-
"""Payload layouts for the Microsoft-Windows-TimeBroker ETW provider.

Provider GUID: 0657adc1-9ae8-4e18-932d-e6079cda5ab3
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid

# Provider GUID shared by every event class in this module.
_PROVIDER = "0657adc1-9ae8-4e18-932d-e6079cda5ab3"


@declare(guid=guid(_PROVIDER), event_id=1, version=1)
class Microsoft_Windows_TimeBroker_1_1(Etw):
    """Event 1, version 1: a brokered event id with OldState and NewState."""
    pattern = Struct(
        "BrokeredEventId" / Guid,
        "OldState" / Int32ul,
        "NewState" / Int32ul,
    )


@declare(guid=guid(_PROVIDER), event_id=2, version=1)
class Microsoft_Windows_TimeBroker_2_1(Etw):
    """Event 2, version 1: a brokered event id with 64-bit StartTime and EndTime."""
    pattern = Struct(
        "BrokeredEventId" / Guid,
        "StartTime" / Int64ul,
        "EndTime" / Int64ul,
    )


@declare(guid=guid("0657adc1-9ae8-4e18-932d-e6079cda5ab3"), event_id=3, version=1)
class Microsoft_Windows_TimeBroker_3_1(Etw):
    """Event 3 v1 of Microsoft-Windows-TimeBroker.

    Fields in wire order: BrokeredEventId (Guid), EventType (Int32ul), Status (Int32ul).
    """
    pattern = Struct(
        "BrokeredEventId" / Guid,
        "EventType" / Int32ul,
        "Status" / Int32ul
    )


@declare(guid=guid("0657adc1-9ae8-4e18-932d-e6079cda5ab3"), event_id=4, version=1)
class Microsoft_Windows_TimeBroker_4_1(Etw):
    """Event 4 v1 of Microsoft-Windows-TimeBroker.

    Fields in wire order: BrokeredEventId (Guid), Status (Int32ul).
    """
    pattern = Struct(
        "BrokeredEventId" / Guid,
        "Status" / Int32ul
    )


# --------------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_TriggerEmulatorProvider.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-TriggerEmulatorProvider
GUID : f230d19a-5d93-47d9-a83f-53829edfb8df
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("f230d19a-5d93-47d9-a83f-53829edfb8df"), event_id=1, version=0)
class Microsoft_Windows_TriggerEmulatorProvider_1_0(Etw):
    """Event 1 v0 of Microsoft-Windows-TriggerEmulatorProvider.

    Fields in wire order: ConsumerName (WString), NamedValues (WString).
    NOTE(review): NamedValues is a single string; it presumably carries serialised name/value
    pairs -- confirm the separator format before splitting it downstream.
    """
    pattern = Struct(
        "ConsumerName" / WString,
        "NamedValues" / WString
    )


# --------------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_Troubleshooting_Recommended.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Troubleshooting-Recommended
GUID : 4969de67-439c-516f-f805-a82a4f905730
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from 
etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("4969de67-439c-516f-f805-a82a4f905730"), event_id=1, version=0)
class Microsoft_Windows_Troubleshooting_Recommended_1_0(Etw):
    """Event 1 v0 of Microsoft-Windows-Troubleshooting-Recommended.

    Fields in wire order: Title (WString), LearnMoreURL (WString), Type (WString).
    NOTE(review): LearnMoreURL is free text read from the log, not a validated URL; escape it
    if a report renders it as HTML/Markdown.
    """
    pattern = Struct(
        "Title" / WString,
        "LearnMoreURL" / WString,
        "Type" / WString
    )


@declare(guid=guid("4969de67-439c-516f-f805-a82a4f905730"), event_id=101, version=0)
class Microsoft_Windows_Troubleshooting_Recommended_101_0(Etw):
    """Event 101 v0 of Microsoft-Windows-Troubleshooting-Recommended.

    Fields in wire order: Title (WString), LearnMoreURL (WString), Type (WString). Same
    layout as event 1.
    """
    pattern = Struct(
        "Title" / WString,
        "LearnMoreURL" / WString,
        "Type" / WString
    )


@declare(guid=guid("4969de67-439c-516f-f805-a82a4f905730"), event_id=102, version=0)
class Microsoft_Windows_Troubleshooting_Recommended_102_0(Etw):
    """Event 102 v0 of Microsoft-Windows-Troubleshooting-Recommended.

    Fields in wire order: Title (WString), ErrorCode (Int32ul), LearnMoreURL (WString),
    Type (WString). Note ErrorCode sits between Title and LearnMoreURL, unlike events 1/101.
    """
    pattern = Struct(
        "Title" / WString,
        "ErrorCode" / Int32ul,
        "LearnMoreURL" / WString,
        "Type" / WString
    )


# --------------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_UIRibbon.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-UIRibbon
GUID : 87d476fe-1a0f-4370-b785-60b028019693
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("87d476fe-1a0f-4370-b785-60b028019693"), event_id=25, version=0)
class Microsoft_Windows_UIRibbon_25_0(Etw):
    """Event 25 v0 of Microsoft-Windows-UIRibbon.

    Fields in wire order: tcid, tcidParent, extraInfo, actionType (all Int32sl), wasPressed,
    gallerySelect (both Int8ul), gallery (Int32sl). The two single-byte fields are presumably
    boolean flags -- confirm against the manifest.
    """
    pattern = Struct(
        "tcid" / Int32sl,
        "tcidParent" / Int32sl,
        "extraInfo" / Int32sl,
        "actionType" / Int32sl,
        "wasPressed" / Int8ul,
        "gallerySelect" / Int8ul,
        "gallery" / Int32sl
    )


# --------------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_UserDataAccess_CEMAPI.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-UserDataAccess-CEMAPI
GUID : 83a9277a-d2fc-4b34-bf81-8ceb4407824f
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("83a9277a-d2fc-4b34-bf81-8ceb4407824f"), event_id=1, version=0)
class Microsoft_Windows_UserDataAccess_CEMAPI_1_0(Etw):
    """Event 1 v0 of Microsoft-Windows-UserDataAccess-CEMAPI.

    Fields in wire order: P1_HResult (Int32sl), P2_String (CString), P3_UInt32 (Int32ul).
    P2_String is a narrow CString, unlike the WString used by most providers in this
    corpus; P1_HResult is parsed signed so failure HRESULTs show as negative values.
    """
    pattern = Struct(
        "P1_HResult" / Int32sl,
        "P2_String" / CString,
        "P3_UInt32" / Int32ul
    )


@declare(guid=guid("83a9277a-d2fc-4b34-bf81-8ceb4407824f"), event_id=2, version=0)
class Microsoft_Windows_UserDataAccess_CEMAPI_2_0(Etw):
    """Event 2 v0 of Microsoft-Windows-UserDataAccess-CEMAPI.

    Fields in wire order: P1_HResult (Int32sl), P2_String (CString), P3_UInt32 (Int32ul).
    Same layout as event 1.
    """
    pattern = Struct(
        "P1_HResult" / Int32sl,
        "P2_String" / CString,
        "P3_UInt32" / Int32ul
    )


@declare(guid=guid("83a9277a-d2fc-4b34-bf81-8ceb4407824f"), event_id=3, version=0)
class Microsoft_Windows_UserDataAccess_CEMAPI_3_0(Etw):
    """Event 3 v0 of Microsoft-Windows-UserDataAccess-CEMAPI.

    Single field: Message (Int64ul). NOTE(review): despite the name this is a 64-bit integer,
    presumably a pointer or handle value that is only meaningful inside the emitting
    process -- confirm against the manifest.
    """
    pattern = Struct(
        "Message" / Int64ul
    )


@declare(guid=guid("83a9277a-d2fc-4b34-bf81-8ceb4407824f"), event_id=4803, version=0)
class Microsoft_Windows_UserDataAccess_CEMAPI_4803_0(Etw):
    """Event 4803 v0 of Microsoft-Windows-UserDataAccess-CEMAPI.

    Single field: Prop_Hex_UInt32 (Int32ul); the name suggests it is displayed in hex.
    """
    pattern = Struct(
        "Prop_Hex_UInt32" / Int32ul
    )


# --------------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_User_Diagnostic.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-User-Diagnostic
GUID : 305fc87b-002a-5e26-d297-60223012ca9c
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, 
Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("305fc87b-002a-5e26-d297-60223012ca9c"), event_id=1, version=0)
class Microsoft_Windows_User_Diagnostic_1_0(Etw):
    """Event 1 v0 of Microsoft-Windows-User-Diagnostic.

    Single field: ErrorCode (Int32ul).
    """
    pattern = Struct(
        "ErrorCode" / Int32ul
    )


# --------------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_VWiFi.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-VWiFi
GUID : 314b2b0d-81ee-4474-b6e0-c2aaec0ddbde
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("314b2b0d-81ee-4474-b6e0-c2aaec0ddbde"), event_id=25001, version=0)
class Microsoft_Windows_VWiFi_25001_0(Etw):
    """Event 25001 v0 of Microsoft-Windows-VWiFi (virtual Wi-Fi interfaces).

    Fields in wire order: IfGuid (Guid), FriendlyName (WString) -- the physical adapter.
    NOTE(review): virtual Wi-Fi / hosted-network activity on a managed endpoint can be a
    bridging or exfiltration path and is worth a detection; which of 25001-25004 is
    create vs. remove is not visible here -- confirm against the manifest.
    """
    pattern = Struct(
        "IfGuid" / Guid,
        "FriendlyName" / WString
    )


@declare(guid=guid("314b2b0d-81ee-4474-b6e0-c2aaec0ddbde"), event_id=25002, version=0)
class Microsoft_Windows_VWiFi_25002_0(Etw):
    """Event 25002 v0 of Microsoft-Windows-VWiFi.

    Fields in wire order: IfGuid (Guid), FriendlyName (WString). Same layout as 25001.
    """
    pattern = Struct(
        "IfGuid" / Guid,
        "FriendlyName" / WString
    )


@declare(guid=guid("314b2b0d-81ee-4474-b6e0-c2aaec0ddbde"), event_id=25003, version=0)
class Microsoft_Windows_VWiFi_25003_0(Etw):
    """Event 25003 v0 of Microsoft-Windows-VWiFi.

    Fields in wire order: IfGuid (Guid), FriendlyName (WString), VIfGuid (Guid) -- adds the
    virtual interface's own GUID to the 25001 layout.
    """
    pattern = Struct(
        "IfGuid" / Guid,
        "FriendlyName" / WString,
        "VIfGuid" / Guid
    )


@declare(guid=guid("314b2b0d-81ee-4474-b6e0-c2aaec0ddbde"), event_id=25004, version=0)
class Microsoft_Windows_VWiFi_25004_0(Etw):
    """Event 25004 v0 of Microsoft-Windows-VWiFi.

    Fields in wire order: IfGuid (Guid), FriendlyName (WString), VIfGuid (Guid). Same layout
    as 25003.
    """
    pattern = Struct(
        "IfGuid" / Guid,
        "FriendlyName" / WString,
        "VIfGuid" / Guid
    )


# --------------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_Video_For_Windows.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Video-For-Windows
GUID : 712abb2d-d806-4b42-9682-26da01d8b307
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("712abb2d-d806-4b42-9682-26da01d8b307"), event_id=1, version=0)
class Microsoft_Windows_Video_For_Windows_1_0(Etw):
    """Event 1 v0 of Microsoft-Windows-Video-For-Windows.

    Fields in wire order: ApplicationName, FileName, ContentType (all WString) -- which
    application handled which media file. Useful provenance for a timeline; the exact
    trigger (open, decode, codec lookup) is not visible here -- confirm against the manifest.
    """
    pattern = Struct(
        "ApplicationName" / WString,
        "FileName" / WString,
        "ContentType" / WString
    )


# --------------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_Volume.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Volume
GUID : 9f7b5df4-b902-48bc-bc94-95068c6c7d26
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("9f7b5df4-b902-48bc-bc94-95068c6c7d26"), event_id=1001, version=0)
class Microsoft_Windows_Volume_1001_0(Etw):
    """Event 1001 v0 of Microsoft-Windows-Volume.

    Fields in wire order: Id (Guid), DiskNumber (Int32ul), DiskOffset (Int64ul),
    ControlCode (Int32ul). NOTE(review): ControlCode is presumably an IOCTL code and 1002
    repeats this layout plus a Status, so 1001/1002 look like a request/completion pair --
    confirm. Direct volume IOCTLs are of interest when hunting wipers or raw-disk tooling.
    """
    pattern = Struct(
        "Id" / Guid,
        "DiskNumber" / Int32ul,
        "DiskOffset" / Int64ul,
        "ControlCode" / Int32ul
    )


@declare(guid=guid("9f7b5df4-b902-48bc-bc94-95068c6c7d26"), event_id=1002, version=0)
class Microsoft_Windows_Volume_1002_0(Etw):
    """Event 1002 v0 of Microsoft-Windows-Volume.

    Fields in wire order: Id (Guid), DiskNumber (Int32ul), DiskOffset (Int64ul),
    ControlCode (Int32ul), Status (Int32ul). Same as 1001 with a trailing Status.
    """
    pattern = Struct(
        "Id" / Guid,
        "DiskNumber" / Int32ul,
        "DiskOffset" / Int64ul,
        "ControlCode" / Int32ul,
        "Status" / Int32ul
    )


# --------------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_WCN_Config_Registrar_Secure.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-WCN-Config-Registrar-Secure
GUID : c100becc-d33a-4a4b-bf23-bbef4663d017
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("c100becc-d33a-4a4b-bf23-bbef4663d017"), event_id=9000, version=0)
class Microsoft_Windows_WCN_Config_Registrar_Secure_9000_0(Etw):
    """Event 9000 v0 of Microsoft-Windows-WCN-Config-Registrar-Secure.

    Fields in wire order: MessageGuid (Guid), MessageBlobLength (Int16ul), MessageBlob
    (raw bytes, length taken from MessageBlobLength). The 16-bit prefix caps the blob at
    65535 bytes. NOTE(review): the length comes from the (untrusted) trace; construct's
    Bytes reads exactly that many bytes and raises on a short payload rather than silently
    truncating -- confirm against the pinned construct version, and catch it in callers.
    """
    pattern = Struct(
        "MessageGuid" / Guid,
        "MessageBlobLength" / Int16ul,
        # Variable-length tail sized by the preceding field.
        "MessageBlob" / Bytes(lambda this: this.MessageBlobLength)
    )


# --------------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_WEPHOSTSVC.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-WEPHOSTSVC
GUID : d5f7235b-48e2-4e9c-92fe-0e4950aba9e8
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("d5f7235b-48e2-4e9c-92fe-0e4950aba9e8"), event_id=1, version=0)
class Microsoft_Windows_WEPHOSTSVC_1_0(Etw):
    """Event 1 v0 of Microsoft-Windows-WEPHOSTSVC.

    Single field: ErrorCode (Int32ul).
    """
    pattern = Struct(
        "ErrorCode" / Int32ul
    )


@declare(guid=guid("d5f7235b-48e2-4e9c-92fe-0e4950aba9e8"), event_id=2, version=0)
class Microsoft_Windows_WEPHOSTSVC_2_0(Etw):
    """Event 2 v0 of Microsoft-Windows-WEPHOSTSVC.

    Single field: ErrorCode (Int32ul). Same layout as event 1.
    """
    pattern = Struct(
        "ErrorCode" / Int32ul
    )


# --------------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_WER_SystemErrorReporting.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-WER-SystemErrorReporting
GUID : abce23e7-de45-4366-8631-84fa6c525952
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("abce23e7-de45-4366-8631-84fa6c525952"), event_id=1000, version=0)
class Microsoft_Windows_WER_SystemErrorReporting_1000_0(Etw):
    """Event 1000 v0 of Microsoft-Windows-WER-SystemErrorReporting.

    Single field: param1 (WString). The paramN names are manifest placeholders; their
    meaning comes from the event's message template, which is not part of this layout.
    """
    pattern = Struct(
        "param1" / WString
    )


@declare(guid=guid("abce23e7-de45-4366-8631-84fa6c525952"), event_id=1001, version=0)
class Microsoft_Windows_WER_SystemErrorReporting_1001_0(Etw):
    """Event 1001 v0 of Microsoft-Windows-WER-SystemErrorReporting.

    Fields in wire order: param1, param2, param3 (all WString). NOTE(review): this is
    presumably the post-bugcheck reboot record (bugcheck string, dump path, report id) that
    analysts use to spot crashes caused by kernel tooling -- confirm against the manifest
    before labelling the parameters.
    """
    pattern = Struct(
        "param1" / WString,
        "param2" / WString,
        "param3" / WString
    )


@declare(guid=guid("abce23e7-de45-4366-8631-84fa6c525952"), event_id=1018, version=0)
class Microsoft_Windows_WER_SystemErrorReporting_1018_0(Etw):
    """Event 1018 v0 of Microsoft-Windows-WER-SystemErrorReporting.

    Fields in wire order: param1, param2 (both WString).
    """
    pattern = Struct(
        "param1" / WString,
        "param2" / WString
    )


# --------------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_WLGPA.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-WLGPA
GUID : 46098845-8a94-442d-9095-366a6bcfefa9
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from 
etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("46098845-8a94-442d-9095-366a6bcfefa9"), event_id=14001, version=0)
class Microsoft_Windows_WLGPA_14001_0(Etw):
    """Event 14001 v0 of Microsoft-Windows-WLGPA (wireless group policy).

    Fields in wire order: PolicyType (Int32ul), PolicyName (WString), PolicyNamePlaceholder
    (Int32ul), AutoConfigEnabled (Int32ul), ShowDeniednetworks (Int32ul), Profilesapplied
    (WString), Profilesappliedplaceholder (Int32ul), Profilesnotapplied (WString),
    Profilesnotappliedplaceholder (Int32ul).
    NOTE(review): PolicyNamePlaceholder is Int32ul here but WString in 14003_0. If the
    manifest gives both the same type, one layout is wrong and every field after it is
    desynchronised -- confirm before relying on the profile fields or 14003's ReasonCode.
    """
    pattern = Struct(
        "PolicyType" / Int32ul,
        "PolicyName" / WString,
        "PolicyNamePlaceholder" / Int32ul,
        "AutoConfigEnabled" / Int32ul,
        "ShowDeniednetworks" / Int32ul,
        "Profilesapplied" / WString,
        "Profilesappliedplaceholder" / Int32ul,
        "Profilesnotapplied" / WString,
        "Profilesnotappliedplaceholder" / Int32ul
    )


@declare(guid=guid("46098845-8a94-442d-9095-366a6bcfefa9"), event_id=14003, version=0)
class Microsoft_Windows_WLGPA_14003_0(Etw):
    """Event 14003 v0 of Microsoft-Windows-WLGPA.

    Fields in wire order: PolicyType (Int32ul), PolicyName (WString), PolicyNamePlaceholder
    (WString), ReasonCode (Int32ul). See the type note on 14001_0 for PolicyNamePlaceholder.
    """
    pattern = Struct(
        "PolicyType" / Int32ul,
        "PolicyName" / WString,
        "PolicyNamePlaceholder" / WString,
        "ReasonCode" / Int32ul
    )


# --------------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_WMI.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-WMI
GUID : 1edeee53-0afe-4609-b846-d8c0b2075b1f
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("1edeee53-0afe-4609-b846-d8c0b2075b1f"), event_id=67, version=0)
class Microsoft_Windows_WMI_67_0(Etw):
    """Event 67 v0 of Microsoft-Windows-WMI.

    Single field: BackupFile (WString), presumably the path of a WMI repository backup --
    confirm against the manifest. A repository backup is itself a forensic artifact (it
    snapshots classes and event subscriptions), so the path is worth keeping in timelines.
    """
    pattern = Struct(
        "BackupFile" / WString
    )


@declare(guid=guid("1edeee53-0afe-4609-b846-d8c0b2075b1f"), event_id=68, version=0)
class Microsoft_Windows_WMI_68_0(Etw):
    """Event 68 v0 of Microsoft-Windows-WMI.

    Fields in wire order: BackupFile (WString), Error (WString) -- the 67 layout plus an
    error string, so presumably the failure counterpart.
    """
    pattern = Struct(
        "BackupFile" / WString,
        "Error" / WString
    )


# --------------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_WPD_API.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-WPD-API
GUID : 31569dcf-9c6f-4b8e-843a-b7c1cc7ffcba
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("31569dcf-9c6f-4b8e-843a-b7c1cc7ffcba"), event_id=100, version=0)
class Microsoft_Windows_WPD_API_100_0(Etw):
    """Event 100 v0 of Microsoft-Windows-WPD-API (Windows Portable Devices).

    Fields in wire order: WpdAPICommandCategoryGUID (Guid), WpdAPICommandID (Int32ul),
    WpdSerializedData_Length (Int32ul), WpdSerializedData_Buffer (raw bytes sized by the
    preceding length). NOTE(review): the 32-bit length is read from the trace and may claim
    up to 4 GiB; construct's Bytes reads exactly that many bytes and raises on a short
    payload rather than truncating -- confirm against the pinned construct version, and do
    not pre-allocate on this value anywhere downstream. Portable-device command traffic is
    relevant to removable-media/DLP investigations.
    """
    pattern = Struct(
        "WpdAPICommandCategoryGUID" / Guid,
        "WpdAPICommandID" / Int32ul,
        "WpdSerializedData_Length" / Int32ul,
        # Variable-length tail sized by the preceding field.
        "WpdSerializedData_Buffer" / Bytes(lambda this: this.WpdSerializedData_Length)
    )


@declare(guid=guid("31569dcf-9c6f-4b8e-843a-b7c1cc7ffcba"), event_id=101, version=0)
class Microsoft_Windows_WPD_API_101_0(Etw):
    """Event 101 v0 of Microsoft-Windows-WPD-API.

    Fields in wire order: WpdAPICommandCategoryGUID (Guid), WpdAPICommandID (Int32ul),
    WPDAPIOPerationHR (Int32ul), WpdSerializedData_Length (Int32ul),
    WpdSerializedData_Buffer (raw bytes sized by the preceding length). Same as event 100
    with an HRESULT inserted before the length; the HRESULT is parsed unsigned here.
    """
    pattern = Struct(
        "WpdAPICommandCategoryGUID" / Guid,
        "WpdAPICommandID" / Int32ul,
        "WPDAPIOPerationHR" / Int32ul,
        "WpdSerializedData_Length" / Int32ul,
        # Variable-length tail sized by the preceding field.
        "WpdSerializedData_Buffer" / Bytes(lambda this: this.WpdSerializedData_Length)
    )


# --------------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_WWAN_CFE.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-WWAN-CFE
GUID : 71c993b8-1e28-4543-9886-fb219b63fdb3
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core 
import Etw, declare, guid


@declare(guid=guid("71c993b8-1e28-4543-9886-fb219b63fdb3"), event_id=12, version=0)
class Microsoft_Windows_WWAN_CFE_12_0(Etw):
    """Event 12 v0 of Microsoft-Windows-WWAN-CFE.

    Fields in wire order: Manufacture, Model, FirmwareVersion (all WString), ErrorCode
    (Int32ul). "Manufacture" (sic) is the runtime field key and must stay spelled this way.
    """
    pattern = Struct(
        "Manufacture" / WString,
        "Model" / WString,
        "FirmwareVersion" / WString,
        "ErrorCode" / Int32ul
    )


@declare(guid=guid("71c993b8-1e28-4543-9886-fb219b63fdb3"), event_id=15, version=0)
class Microsoft_Windows_WWAN_CFE_15_0(Etw):
    """Event 15 v0 of Microsoft-Windows-WWAN-CFE.

    Single field: ProviderName (WString).
    """
    pattern = Struct(
        "ProviderName" / WString
    )


@declare(guid=guid("71c993b8-1e28-4543-9886-fb219b63fdb3"), event_id=16, version=0)
class Microsoft_Windows_WWAN_CFE_16_0(Etw):
    """Event 16 v0 of Microsoft-Windows-WWAN-CFE.

    Fields in wire order: Manufacture, Model, FirmwareVersion (all WString), ErrorCode
    (Int32ul). Same layout as event 12.
    """
    pattern = Struct(
        "Manufacture" / WString,
        "Model" / WString,
        "FirmwareVersion" / WString,
        "ErrorCode" / Int32ul
    )


# --------------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_WWAN_MM_EVENTS.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-WWAN-MM-EVENTS
GUID : 7839bb2a-2ea3-4eca-a00f-b558ba678bec
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("7839bb2a-2ea3-4eca-a00f-b558ba678bec"), event_id=1004, version=0)
class Microsoft_Windows_WWAN_MM_EVENTS_1004_0(Etw):
    """Event 1004 v0 of Microsoft-Windows-WWAN-MM-EVENTS.

    Fields in wire order: InterfaceGuid (Guid), ErrorCode, Location, Context (all Int32ul).
    Location/Context are opaque codes whose meaning is not visible here.
    """
    pattern = Struct(
        "InterfaceGuid" / Guid,
        "ErrorCode" / Int32ul,
        "Location" / Int32ul,
        "Context" / Int32ul
    )


# --------------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_WebcamExperience.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 
-*-
"""
Microsoft-Windows-WebcamExperience
GUID : 9e12ceb1-e3ff-46ad-a0aa-11738b122d20
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("9e12ceb1-e3ff-46ad-a0aa-11738b122d20"), event_id=111, version=0)
class Microsoft_Windows_WebcamExperience_111_0(Etw):
    """Event 111 v0 of Microsoft-Windows-WebcamExperience.

    Single field: HR (Int32ul). NOTE(review): parsed unsigned, whereas the WinRT-Error and
    UserDataAccess-CEMAPI layouts in this corpus parse HRESULTs as Int32sl; the bits are the
    same, but failure codes will render here as large positive numbers.
    """
    pattern = Struct(
        "HR" / Int32ul
    )


@declare(guid=guid("9e12ceb1-e3ff-46ad-a0aa-11738b122d20"), event_id=112, version=0)
class Microsoft_Windows_WebcamExperience_112_0(Etw):
    """Event 112 v0 of Microsoft-Windows-WebcamExperience.

    Single field: PageMode (Int32ul).
    """
    pattern = Struct(
        "PageMode" / Int32ul
    )


@declare(guid=guid("9e12ceb1-e3ff-46ad-a0aa-11738b122d20"), event_id=113, version=0)
class Microsoft_Windows_WebcamExperience_113_0(Etw):
    """Event 113 v0 of Microsoft-Windows-WebcamExperience.

    Single field: PageMode (Int32ul). Same layout as event 112.
    """
    pattern = Struct(
        "PageMode" / Int32ul
    )


# --------------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_WebdavClient_LookupServiceTrigger.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-WebdavClient-LookupServiceTrigger
GUID : 22b6d684-fa63-4578-87c9-effcbe6643c7
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("22b6d684-fa63-4578-87c9-effcbe6643c7"), event_id=1, version=0)
class Microsoft_Windows_WebdavClient_LookupServiceTrigger_1_0(Etw):
    """Event 1 v0 of Microsoft-Windows-WebdavClient-LookupServiceTrigger.

    Single field: WebclntLookupServieTrigger (Guid). The misspelled name (sic) is the
    runtime field key exposed to consumers; do not "fix" it here or lookups keyed on it
    break.
    """
    pattern = Struct(
        "WebclntLookupServieTrigger" / Guid
    )


# --------------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_Websocket_Protocol_Component.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-Websocket-Protocol-Component
GUID : cba5f63c-e2cf-4b36-8305-bde1311924fc
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("cba5f63c-e2cf-4b36-8305-bde1311924fc"), event_id=1, version=0)
class Microsoft_Windows_Websocket_Protocol_Component_1_0(Etw):
    """Event 1 v0 of Microsoft-Windows-Websocket-Protocol-Component.

    Fields in wire order: TraceMessage (WString), Error (Int32ul). TraceMessage is free text
    from the trace; treat it as untrusted when rendering.
    """
    pattern = Struct(
        "TraceMessage" / WString,
        "Error" / Int32ul
    )


@declare(guid=guid("cba5f63c-e2cf-4b36-8305-bde1311924fc"), event_id=2, version=0)
class Microsoft_Windows_Websocket_Protocol_Component_2_0(Etw):
    """Event 2 v0 of Microsoft-Windows-Websocket-Protocol-Component.

    Fields in wire order: Id (Int32ul), OperationType (Int32ul).
    """
    pattern = Struct(
        "Id" / Int32ul,
        "OperationType" / Int32ul
    )


@declare(guid=guid("cba5f63c-e2cf-4b36-8305-bde1311924fc"), event_id=3, version=0)
class Microsoft_Windows_Websocket_Protocol_Component_3_0(Etw):
    """Event 3 v0 of Microsoft-Windows-Websocket-Protocol-Component.

    Fields in wire order: Id (Int32ul), ActionType (Int32ul).
    """
    pattern = Struct(
        "Id" / Int32ul,
        "ActionType" / Int32ul
    )


@declare(guid=guid("cba5f63c-e2cf-4b36-8305-bde1311924fc"), event_id=4, version=0)
class Microsoft_Windows_Websocket_Protocol_Component_4_0(Etw):
    """Event 4 v0 of Microsoft-Windows-Websocket-Protocol-Component.

    Single field: Id (Int32ul).
    """
    pattern = Struct(
        "Id" / Int32ul
    )


# --------------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_WinINet_Config.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-WinINet-Config
GUID : 5402e5ea-1bdd-4390-82be-e108f1e634f5
"""
from construct import Int8sl, 
Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("5402e5ea-1bdd-4390-82be-e108f1e634f5"), event_id=5600, version=0)
class Microsoft_Windows_WinINet_Config_5600_0(Etw):
    """Event 5600 v0 of Microsoft-Windows-WinINet-Config.

    Fields in wire order: fAutoDetect (Int8ul), pwszAutoConfigUrl, pwszProxy,
    pwszProxyBypass (all WString). fAutoDetect is a single byte, presumably a flag --
    confirm. NOTE(review): this is the proxy configuration WinINet clients will honour; an
    unexpected PAC URL or proxy host here is a classic indicator of WPAD/proxy hijacking
    for traffic interception, which makes this event a useful hunt field.
    """
    pattern = Struct(
        "fAutoDetect" / Int8ul,
        "pwszAutoConfigUrl" / WString,
        "pwszProxy" / WString,
        "pwszProxyBypass" / WString
    )


# --------------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_WinRT_Error.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-WinRT-Error
GUID : a86f8471-c31d-4fbc-a035-665d06047b03
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("a86f8471-c31d-4fbc-a035-665d06047b03"), event_id=1, version=0)
class Microsoft_Windows_WinRT_Error_1_0(Etw):
    """Event 1 v0 of Microsoft-Windows-WinRT-Error.

    Fields in wire order: HRESULT (Int32sl), ErrorMesage (WString). "ErrorMesage" (sic) is
    the runtime field key; keep the spelling.
    """
    pattern = Struct(
        "HRESULT" / Int32sl,
        "ErrorMesage" / WString
    )


@declare(guid=guid("a86f8471-c31d-4fbc-a035-665d06047b03"), event_id=2, version=0)
class Microsoft_Windows_WinRT_Error_2_0(Etw):
    """Event 2 v0 of Microsoft-Windows-WinRT-Error.

    Fields in wire order: HRESULT (Int32sl), ErrorMesage (WString), LanguageErrorPointer
    (Int64ul). The pointer is a raw 64-bit value from the emitting process and is not
    meaningful outside it.
    """
    pattern = Struct(
        "HRESULT" / Int32sl,
        "ErrorMesage" / WString,
        "LanguageErrorPointer" / Int64ul
    )


@declare(guid=guid("a86f8471-c31d-4fbc-a035-665d06047b03"), event_id=3, version=0)
class Microsoft_Windows_WinRT_Error_3_0(Etw):
    """Event 3 v0 of Microsoft-Windows-WinRT-Error.

    Fields in wire order: OriginalHRESULT (Int32sl), NewHRESULT (Int32sl), ErrorMesage
    (WString).
    """
    pattern = Struct(
        "OriginalHRESULT" / Int32sl,
        "NewHRESULT" / Int32sl,
        "ErrorMesage" / WString
    )


# --------------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_WindowsBackup.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-WindowsBackup
GUID : 01979c6a-42fa-414c-b8aa-eee2c8202018
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("01979c6a-42fa-414c-b8aa-eee2c8202018"), event_id=100, version=0)
class Microsoft_Windows_WindowsBackup_100_0(Etw):
    """Event 100 v0 of Microsoft-Windows-WindowsBackup.

    Fields in wire order: hc_stateid (Int32ul), pwszTimeStamp (WString). The timestamp is a
    string, not a FILETIME; its format is not visible here.
    """
    pattern = Struct(
        "hc_stateid" / Int32ul,
        "pwszTimeStamp" / WString
    )


@declare(guid=guid("01979c6a-42fa-414c-b8aa-eee2c8202018"), event_id=101, version=0)
class Microsoft_Windows_WindowsBackup_101_0(Etw):
    """Event 101 v0 of Microsoft-Windows-WindowsBackup.

    Single field: hc_stateid (Int32ul).
    """
    pattern = Struct(
        "hc_stateid" / Int32ul
    )


# --------------------------------------------------------------------------------
# /etl/parsers/etw/Microsoft_Windows_WindowsToGo_StartupOptions.py:
# --------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""
Microsoft-Windows-WindowsToGo-StartupOptions
GUID : 2e6cb42e-161d-413b-a6c1-84ca4c1e5890
"""
from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct
from etl.utils import WString, CString, SystemTime, Guid
from etl.dtyp import Sid
from etl.parsers.etw.core import Etw, declare, guid


@declare(guid=guid("2e6cb42e-161d-413b-a6c1-84ca4c1e5890"), event_id=8193, version=0)
class Microsoft_Windows_WindowsToGo_StartupOptions_8193_0(Etw):
    """Event 8193 v0 of Microsoft-Windows-WindowsToGo-StartupOptions.

    Single field: State (Int32ul). Windows To Go startup-option changes decide whether the
    host boots from removable media, which is a physical-access concern worth logging.
    """
    pattern = Struct(
        "State" / Int32ul
    )


@declare(guid=guid("2e6cb42e-161d-413b-a6c1-84ca4c1e5890"), event_id=8194, version=0) 20 | class Microsoft_Windows_WindowsToGo_StartupOptions_8194_0(Etw): 21 | pattern = Struct( 22 | "ErrorCode" / Int32ul 23 | ) 24 | 25 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Winsock_SQM.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-Winsock-SQM 4 | GUID : 093da50c-0bb9-4d7d-b95c-3bb9fcda5ee8 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("093da50c-0bb9-4d7d-b95c-3bb9fcda5ee8"), event_id=5, version=0) 13 | class Microsoft_Windows_Winsock_SQM_5_0(Etw): 14 | pattern = Struct( 15 | "SqmType" / Int32ul, 16 | "SqmSessionGuid" / Guid, 17 | "SqmID" / Int32ul, 18 | "SqmDWORDDatapointValue" / Int32ul 19 | ) 20 | 21 | 22 | @declare(guid=guid("093da50c-0bb9-4d7d-b95c-3bb9fcda5ee8"), event_id=10, version=0) 23 | class Microsoft_Windows_Winsock_SQM_10_0(Etw): 24 | pattern = Struct( 25 | "SqmType" / Int32ul, 26 | "SqmSessionGuid" / Guid, 27 | "SqmID" / Int32ul, 28 | "SqmStringDatapointValue" / WString 29 | ) 30 | 31 | 32 | @declare(guid=guid("093da50c-0bb9-4d7d-b95c-3bb9fcda5ee8"), event_id=11, version=0) 33 | class Microsoft_Windows_Winsock_SQM_11_0(Etw): 34 | pattern = Struct( 35 | "SqmType" / Int32ul, 36 | "SqmSessionGuid" / Guid, 37 | "SqmID" / Int32ul, 38 | "SqmStreamRowLength" / Int32ul, 39 | "SqmStreamRow" / Int16sl 40 | ) 41 | 42 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_Winsock_WS2HELP.py: -------------------------------------------------------------------------------- 1 | # 
-*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-Winsock-WS2HELP 4 | GUID : d5c25f9a-4d47-493e-9184-40dd397a004d 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("d5c25f9a-4d47-493e-9184-40dd397a004d"), event_id=1, version=0) 13 | class Microsoft_Windows_Winsock_WS2HELP_1_0(Etw): 14 | pattern = Struct( 15 | "LSPName" / WString, 16 | "Catalog" / Int32ul, 17 | "Installer" / CString, 18 | "GUID" / Guid, 19 | "Category" / Int32ul 20 | ) 21 | 22 | 23 | @declare(guid=guid("d5c25f9a-4d47-493e-9184-40dd397a004d"), event_id=2, version=0) 24 | class Microsoft_Windows_Winsock_WS2HELP_2_0(Etw): 25 | pattern = Struct( 26 | "LSPName" / WString, 27 | "Catalog" / Int32ul, 28 | "Installer" / CString, 29 | "GUID" / Guid, 30 | "Category" / Int32ul 31 | ) 32 | 33 | 34 | @declare(guid=guid("d5c25f9a-4d47-493e-9184-40dd397a004d"), event_id=3, version=0) 35 | class Microsoft_Windows_Winsock_WS2HELP_3_0(Etw): 36 | pattern = Struct( 37 | "LSPName" / WString, 38 | "Catalog" / Int32ul, 39 | "Installer" / CString, 40 | "GUID" / Guid, 41 | "Category" / Int32ul 42 | ) 43 | 44 | 45 | @declare(guid=guid("d5c25f9a-4d47-493e-9184-40dd397a004d"), event_id=4, version=0) 46 | class Microsoft_Windows_Winsock_WS2HELP_4_0(Etw): 47 | pattern = Struct( 48 | "Catalog" / Int32ul 49 | ) 50 | 51 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_XWizards.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-XWizards 4 | GUID : 777ba8fe-2498-4875-933a-3067de883070 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, 
Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("777ba8fe-2498-4875-933a-3067de883070"), event_id=81, version=0) 13 | class Microsoft_Windows_XWizards_81_0(Etw): 14 | pattern = Struct( 15 | "Caption" / WString, 16 | "Text" / WString 17 | ) 18 | 19 | 20 | @declare(guid=guid("777ba8fe-2498-4875-933a-3067de883070"), event_id=82, version=0) 21 | class Microsoft_Windows_XWizards_82_0(Etw): 22 | pattern = Struct( 23 | "Caption" / WString, 24 | "Text" / WString 25 | ) 26 | 27 | 28 | @declare(guid=guid("777ba8fe-2498-4875-933a-3067de883070"), event_id=83, version=0) 29 | class Microsoft_Windows_XWizards_83_0(Etw): 30 | pattern = Struct( 31 | "Caption" / WString, 32 | "Text" / WString 33 | ) 34 | 35 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_osk.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-osk 4 | GUID : 4f768be8-9c69-4bbc-87fc-95291d3f9d0c 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("4f768be8-9c69-4bbc-87fc-95291d3f9d0c"), event_id=9, version=0) 13 | class Microsoft_Windows_osk_9_0(Etw): 14 | pattern = Struct( 15 | "tcid" / Int32sl 16 | ) 17 | 18 | 19 | @declare(guid=guid("4f768be8-9c69-4bbc-87fc-95291d3f9d0c"), event_id=13, version=0) 20 | class Microsoft_Windows_osk_13_0(Etw): 21 | pattern = Struct( 22 | "tcid" / Int32sl 23 | ) 24 | 25 | 26 | @declare(guid=guid("4f768be8-9c69-4bbc-87fc-95291d3f9d0c"), event_id=15, version=0) 27 | class Microsoft_Windows_osk_15_0(Etw): 28 | pattern = Struct( 29 | 
"tcid" / Int32sl 30 | ) 31 | 32 | 33 | @declare(guid=guid("4f768be8-9c69-4bbc-87fc-95291d3f9d0c"), event_id=17, version=0) 34 | class Microsoft_Windows_osk_17_0(Etw): 35 | pattern = Struct( 36 | "tcid" / Int32sl 37 | ) 38 | 39 | 40 | @declare(guid=guid("4f768be8-9c69-4bbc-87fc-95291d3f9d0c"), event_id=19, version=0) 41 | class Microsoft_Windows_osk_19_0(Etw): 42 | pattern = Struct( 43 | "tcid" / Int32sl 44 | ) 45 | 46 | -------------------------------------------------------------------------------- /etl/parsers/etw/Microsoft_Windows_stobject.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Microsoft-Windows-stobject 4 | GUID : 86133982-63d7-4741-928e-ef1349b80219 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("86133982-63d7-4741-928e-ef1349b80219"), event_id=142, version=0) 13 | class Microsoft_Windows_stobject_142_0(Etw): 14 | pattern = Struct( 15 | "BatteryDrainRate" / Int32sl, 16 | "CurrentBatteryPercent" / Int32ul, 17 | "TimeSinceLastLogged" / Int32ul, 18 | "FullChargeCapacity" / Int32ul, 19 | "ChargeCapacityRatio" / Int32ul, 20 | "BatteryDrainInfoFlags" / Int32ul 21 | ) 22 | 23 | 24 | @declare(guid=guid("86133982-63d7-4741-928e-ef1349b80219"), event_id=302, version=0) 25 | class Microsoft_Windows_stobject_302_0(Etw): 26 | pattern = Struct( 27 | "guid" / Guid 28 | ) 29 | 30 | 31 | @declare(guid=guid("86133982-63d7-4741-928e-ef1349b80219"), event_id=303, version=0) 32 | class Microsoft_Windows_stobject_303_0(Etw): 33 | pattern = Struct( 34 | "guid" / Guid 35 | ) 36 | 37 | 38 | @declare(guid=guid("86133982-63d7-4741-928e-ef1349b80219"), event_id=304, version=0) 39 | class Microsoft_Windows_stobject_304_0(Etw): 40 | pattern 
= Struct( 41 | "guid" / Guid 42 | ) 43 | 44 | -------------------------------------------------------------------------------- /etl/parsers/etw/NetJoin.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | NetJoin 4 | GUID : 9741fd4e-3757-479f-a3c6-fc49f6d5edd0 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("9741fd4e-3757-479f-a3c6-fc49f6d5edd0"), event_id=4096, version=0) 13 | class NetJoin_4096_0(Etw): 14 | pattern = Struct( 15 | "DomainName" / WString, 16 | "ComputerName" / WString 17 | ) 18 | 19 | 20 | @declare(guid=guid("9741fd4e-3757-479f-a3c6-fc49f6d5edd0"), event_id=4097, version=0) 21 | class NetJoin_4097_0(Etw): 22 | pattern = Struct( 23 | "DomainName" / WString, 24 | "ComputerName" / WString, 25 | "NetStatusCode" / Int32ul 26 | ) 27 | 28 | -------------------------------------------------------------------------------- /etl/parsers/etw/OpenSSH.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | OpenSSH 4 | GUID : c4b57d35-0636-4bc3-a262-370f249f9802 5 | """ 6 | from construct import Int8sl, Int8ul, Int16ul, Int16sl, Int32sl, Int32ul, Int64sl, Int64ul, Bytes, Double, Float32l, Struct 7 | from etl.utils import WString, CString, SystemTime, Guid 8 | from etl.dtyp import Sid 9 | from etl.parsers.etw.core import Etw, declare, guid 10 | 11 | 12 | @declare(guid=guid("c4b57d35-0636-4bc3-a262-370f249f9802"), event_id=1, version=0) 13 | class OpenSSH_1_0(Etw): 14 | pattern = Struct( 15 | "process" / WString, 16 | "payload" / WString 17 | ) 18 | 19 | 20 | @declare(guid=guid("c4b57d35-0636-4bc3-a262-370f249f9802"), event_id=2, version=0) 21 | class 
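OpenSSH_2_0(Etw):
    """Event 2, version 0, of provider OpenSSH: a process name and a free-text payload."""

    pattern = Struct(
        "process" / WString,
        "payload" / WString,
    )


@declare(
    guid=guid("c4b57d35-0636-4bc3-a262-370f249f9802"),
    event_id=3,
    version=0,
)
class OpenSSH_3_0(Etw):
    """Event 3, version 0, of provider OpenSSH (same layout as event 1)."""

    pattern = Struct(
        "process" / WString,
        "payload" / WString,
    )


@declare(
    guid=guid("c4b57d35-0636-4bc3-a262-370f249f9802"),
    event_id=4,
    version=0,
)
class OpenSSH_4_0(Etw):
    """Event 4, version 0, of provider OpenSSH (same layout as event 1)."""

    pattern = Struct(
        "process" / WString,
        "payload" / WString,
    )


@declare(
    guid=guid("c4b57d35-0636-4bc3-a262-370f249f9802"),
    event_id=6,
    version=0,
)
class OpenSSH_6_0(Etw):
    """Event 6, version 0, of provider OpenSSH (same layout as event 1)."""

    pattern = Struct(
        "process" / WString,
        "payload" / WString,
    )

--------------------------------------------------------------------------------
/etl/parsers/kernel/__init__.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""Public re-exports of the kernel (MOF) event parser classes."""
from etl.parsers.kernel.header import EventTraceHeader, Header_Extension_TypeGroup
from etl.parsers.kernel.file import FileIo_V2_Name
from etl.parsers.kernel.image import HyperCallPage, ImageLoad, KernelImageBase
from etl.parsers.kernel.io import DiskIo_TypeGroup1
# ``process`` also defines a class named ImageLoad; alias it so both the
# image-group and the process-group parser stay importable from this package.
from etl.parsers.kernel.process import (
    Process_Defunct_TypeGroup1,
    Process_V3_TypeGroup1,
    Process_V4_TypeGroup1,
    ImageLoad as ImageLoadProcess,
    Process_Terminate_TypeGroup1,
)
from etl.parsers.kernel.thread import Thread_V2_TypeGroup1, Thread_TypeGroup1, CompCS

# ``__all__`` must list names as strings. The previous list held the class
# objects themselves, which makes ``from etl.parsers.kernel import *`` raise
# TypeError ("Item in __all__ must be str").
__all__ = [
    "EventTraceHeader",
    "Header_Extension_TypeGroup",
    "FileIo_V2_Name",
    "HyperCallPage",
    "ImageLoad",
    "KernelImageBase",
    "DiskIo_TypeGroup1",
    "Process_Defunct_TypeGroup1",
    "Process_V3_TypeGroup1",
    "Process_V4_TypeGroup1",
    "ImageLoadProcess",
    "Process_Terminate_TypeGroup1",
    "Thread_V2_TypeGroup1",
    "Thread_TypeGroup1",
    "CompCS",
]
--------------------------------------------------------------------------------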
/etl/parsers/kernel/file.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
"""Kernel file-I/O (MOF) event layouts."""
from construct import Struct, Int64ul, RepeatUntil, Byte

from etl.parsers.kernel.core import declare, Mof
from etl.utils import WString
from etl.wmi import EventTraceGroup


@declare(group=EventTraceGroup.EVENT_TRACE_GROUP_FILE, version=2, event_types=[0, 32, 35, 36])
class FileIo_V2_Name(Mof):
    """
    File Name
    0 : Name
    32: FileCreate
    35: FileDelete
    36: FileRundown
    """
    pattern = Struct(
        "FileObject" / Int64ul,
        "FileName" / WString,
    )

    def get_file_name(self) -> str:
        """
        Decode the ``FileName`` field as UTF-16LE text.

        The last two bytes of the raw buffer are dropped before decoding
        (presumably the UTF-16 NUL terminator kept by ``WString`` -- confirm
        in etl.utils). An odd-length or otherwise malformed buffer raises
        UnicodeDecodeError, so callers parsing untrusted traces should be
        prepared for that.
        :return: Associate filename
        """
        raw = self.source.FileName.string
        return bytes(raw[:-2]).decode("utf-16le")
--------------------------------------------------------------------------------
/etl/perf.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-

"""
Use as MOF container
It is used by the kernel logger to send events, more concisely than the system trace format,
but with the timestamp of the event added.
This is an event-driven log but without some of the meta infos.
"""

from construct import Struct, Enum, Int64ul, Bytes, Int8ul, Container

from etl.parsers.kernel.core import Mof, build_mof
from etl.wmi import WmiTracePacket, wmi_trace_marker

# One-byte record marker; the two values presumably tell 32-bit and 64-bit
# records apart (only the names suggest this).
PerfInfoTraceMarker = Enum(
    Int8ul,
    PERFINFO_TRACE_MARKER_32=0x10,
    PERFINFO_TRACE_MARKER_64=0x11,
)

# Record layout: marker, WMI packet header, 64-bit timestamp, then the MOF
# payload. The payload length is header.size minus 16 -- presumably the bytes
# already consumed by the preceding fields (verify against WmiTracePacket).
# A header.size below 16 yields a negative length, which construct rejects
# instead of reading (StreamError in recent releases; check the pinned
# version), so a corrupt size fails the parse rather than over-reading.
PerfInfoTraceRecord = Struct(
    "marker" / wmi_trace_marker(PerfInfoTraceMarker),
    "header" / WmiTracePacket,
    "timestamp" / Int64ul,
    "mof_data" / Bytes(lambda ctx: ctx.header.size - 16),
)


class PerfInfo:
    """
    A PerfInfo log from Windows Kernel
    """
    def __init__(self, source: Container):
        # Parsed ``PerfInfoTraceRecord`` container.
        self.source = source

    def get_timestamp(self) -> int:
        """
        :return: Timestamp associated with this event
        """
        return self.source.timestamp

    def get_mof(self) -> Mof:
        """
        Build the MOF structure carried by this record.
        MOF structure is a common way to send infos from kernel
        :return: whatever ``build_mof`` returns for this record's group, version, type and payload
        """
        header = self.source.header
        return build_mof(
            header.group,
            self.source.marker.version,
            header.type,
            self.source.mof_data,
        )

--------------------------------------------------------------------------------
/tests/example/AMSITrace.etl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/airbus-cert/etl-parser/76b7c046866ce0469cd129ee3f7bb3799b34e271/tests/example/AMSITrace.etl
--------------------------------------------------------------------------------
/tests/example/BootPerfDiagLogger.etl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/airbus-cert/etl-parser/76b7c046866ce0469cd129ee3f7bb3799b34e271/tests/example/BootPerfDiagLogger.etl
--------------------------------------------------------------------------------
/tests/example/NetTrace.etl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/airbus-cert/etl-parser/76b7c046866ce0469cd129ee3f7bb3799b34e271/tests/example/NetTrace.etl
--------------------------------------------------------------------------------
/tests/example/ShutdownPerfDiagLogger.etl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/airbus-cert/etl-parser/76b7c046866ce0469cd129ee3f7bb3799b34e271/tests/example/ShutdownPerfDiagLogger.etl
--------------------------------------------------------------------------------
/tests/example/lxcore_kernel.etl:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/airbus-cert/etl-parser/76b7c046866ce0469cd129ee3f7bb3799b34e271/tests/example/lxcore_kernel.etl
--------------------------------------------------------------------------------
/tests/test_guid_parser.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-
import unittest

from etl.parsers.etw.core import guid, Guid


class GuidParser(unittest.TestCase):
    """
    Test the Global Unique Identifier parser
    """
    def test_guid_parser(self):
        """
        Parsing the canonical text form yields the same Guid as building it
        from its three integer fields and eight-byte tail.
        """
        expected = Guid(785776750, 18217, 17929, [180, 35, 62, 231, 188, 214, 120, 239])
        parsed = guid("2ed6006e-4729-4609-b423-3ee7bcd678ef")
        self.assertEqual(parsed, expected)
--------------------------------------------------------------------------------
/tests/test_mof_header_parser.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-

import unittest

from etl.parsers.kernel.core import build_mof
from etl.parsers.kernel.header import Header_Extension_TypeGroup
from etl.wmi import EventTraceGroup


class TestMofHeaderParser(unittest.TestCase):
    """
    Test MOF dispatch for the header group
    """
    # Raw payload of a header-group, version 2, type 32 record.
    PAYLOAD = b'\x07\x03\x00\x00\x04\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00F\x00\x00\x00'

    def test_header_extension_typegroup_type32(self):
        """
        build_mof routes (HEADER group, version 2, type 32) to Header_Extension_TypeGroup
        """
        mof = build_mof(EventTraceGroup.EVENT_TRACE_GROUP_HEADER, 2, 32, self.PAYLOAD)
        self.assertIsInstance(mof, Header_Extension_TypeGroup)
--------------------------------------------------------------------------------
/tests/test_utils.py:
--------------------------------------------------------------------------------
# -*- coding: utf-8 -*-

import unittest
from construct import Enum, Int8ul, CheckError
from etl.utils import check_enum


class TestUtilsModule(unittest.TestCase):
    """
    Test all functions presents in the utils module
    """
    @staticmethod
    def _two_value_enum():
        """
        One-byte enum with exactly two valid values (0x01 and 0x02)
        """
        return Enum(
            Int8ul,
            VAL_1=0x01,
            VAL_2=0x02,
        )

    def test_check_enum_ok(self):
        """
        Test check enum function with valid value
        """
        check_enum(self._two_value_enum()).parse(b"\x01")

    def test_check_enum_ko(self):
        """
        Test check enum with invalid value: a byte outside the enum must be
        rejected with CheckError instead of being passed through
        """
        with self.assertRaises(CheckError):
            check_enum(self._two_value_enum()).parse(b"\x03")
--------------------------------------------------------------------------------