ETW Consumer
Usermode Event Tracing for Windows consumer for capturing usermode events.
Overview
ETW (Event Tracing for Windows) is a high-performance event tracing mechanism built into Windows. DioIPS subscribes to specific ETW providers to capture events that complement kernel-level monitoring.
Subscribed Providers
| Provider | Events |
|---|---|
| Microsoft-Windows-PowerShell | Script block logging, command execution |
| Microsoft-Windows-DotNETRuntime | Assembly loading, JIT compilation |
| Microsoft-Windows-Kernel-Process | Process start/stop (usermode view) |
| Microsoft-Windows-DNS-Client | DNS query events |
PowerShell Events
PowerShell script block logging captures the actual script content:
- Script blocks — Full script content before execution
- Commands — Individual cmdlet invocations
- Modules — Module loading events
- Obfuscation — Deobfuscated script content
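Long script blocks do not arrive as one event: Microsoft-Windows-PowerShell event 4104 splits them into fragments that share a ScriptBlockId and carry MessageNumber and MessageTotal, and fragments can be delivered out of order. The following is an added example, not DioIPS code, showing how a consumer rebuilds the full script content that the Script view displays; the ScriptBlockEvent records and the ScriptBlockAssembler class are constructed for this illustration, and the sample events are constructed too.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ScriptBlockEvent:
    """One Microsoft-Windows-PowerShell event 4104 record (constructed; real field names)."""
    pid: int
    script_block_id: str   # ScriptBlockId: GUID shared by all fragments of one block
    message_number: int    # MessageNumber: 1-based fragment index
    message_total: int     # MessageTotal: number of fragments for this block
    text: str              # ScriptBlockText: this fragment's share of the script

class ScriptBlockAssembler:
    """Buffers fragments per (pid, ScriptBlockId) and returns the script once complete."""
    def __init__(self):
        self._parts = defaultdict(dict)  # (pid, id) -> {message_number: text}
    def add(self, ev):
        key = (ev.pid, ev.script_block_id)
        self._parts[key][ev.message_number] = ev.text
        if len(self._parts[key]) < ev.message_total:
            return None  # still waiting for other fragments (they may arrive out of order)
        parts = self._parts.pop(key)
        return "".join(parts[i] for i in range(1, ev.message_total + 1))
    def pending(self):
        """Blocks that never completed, e.g. the process exited mid-script."""
        return sorted(self._parts)

# Constructed sample: block A arrives out of order in 3 fragments, B is a single
# fragment, and C is truncated (only 1 of 2 fragments seen).
SAMPLE_EVENTS = [
    ScriptBlockEvent(4242, "A", 3, 3, "Sort-Object CPU -Descending"),
    ScriptBlockEvent(4242, "A", 1, 3, "Get-Process | "),
    ScriptBlockEvent(5150, "B", 1, 1, "Get-Service | Where-Object Status -eq 'Running'"),
    ScriptBlockEvent(4242, "A", 2, 3, "Where-Object { $_.CPU -gt 100 } | "),
    ScriptBlockEvent(6000, "C", 1, 2, "Invoke-Command -ScriptBlock { "),
]

def reassemble(events):
    """Return ({(pid, ScriptBlockId): full script}, [incomplete keys]) for the stream."""
    asm = ScriptBlockAssembler()
    completed = {}
    for ev in events:
        script = asm.add(ev)
        if script is not None:
            completed[(ev.pid, ev.script_block_id)] = script
    return completed, asm.pending()

if __name__ == "__main__":
    done, unfinished = reassemble(SAMPLE_EVENTS)
    print(done, "incomplete:", unfinished)
```

Keying on the process ID as well as the ScriptBlockId keeps fragments from two PowerShell hosts apart; blocks left in `pending()` are worth surfacing in the UI rather than silently dropped, since a script cut off mid-execution is itself a signal.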
.NET Runtime Events
Monitor .NET assembly loading for fileless malware detection:
- Assembly load — DLL loaded into CLR
- Assembly name — Full assembly name
- Load context — How the assembly was loaded
- In-memory loading — Detect reflection-based loading
Captured Information
- Timestamp — Event time with high precision
- Process — PID and process name
- Provider — Which ETW provider emitted the event
- Event ID — Specific event type
- Payload — Event-specific data
UI Features
- ETW tab — View all ETW events
- Provider filter — Filter by ETW provider
- Script view — Expand to see full script content
- Process filter — Focus on a specific process
Usage
1. Start the DioIPS application
2. The ETW consumer starts automatically
3. Navigate to the ETW tab
4. Run PowerShell or .NET applications to see events
5. Use the filters to focus on specific providers