AndreiMuntea/etwkm
etwkm

A Windows kernel-mode ETW (Event Tracing for Windows) real-time consumer driver. Subscribes to manifest-based ETW providers from kernel mode, decodes event payloads using the binary instrumentation manifest (WEVT_TEMPLATE / CRIM), and prints decoded fields to the kernel debugger.

This is a research/fun project. In production, ETW events should be consumed from user mode via the documented ProcessTrace / OpenTrace APIs. Kernel-mode consumption requires using undocumented syscalls, spawning a minimal process for shared-memory buffer hosting, and manifest parsing.

What it does

  • Creates a minimal process to satisfy ETW's user-mode address validation (EtwpRealtimeConnect performs ProbeForWrite calls on the buffer pointers)
  • Starts an ETW real-time trace session via ZwTraceControl
  • Enables the Microsoft-Windows-Kernel-Process and Microsoft-Windows-Threat-Intelligence providers
  • Spawns a consumer thread that drains event buffers
  • Loads provider schemas from DLL manifests at runtime
  • Prints every field to the kernel debugger via DbgPrintEx

Building

Requires:

MSBuild etwkm.vcxproj /p:Configuration=Debug /p:Platform=x64

Tested on

  • Windows 11 24H2 (build 26100) only

Disclaimer

This driver uses undocumented Windows internals that may change without notice. It is not intended for production use. The ETW buffer-processing and CRIM manifest-parsing logic was extracted from sechost.dll and tdh.dll (see the source attributions in the code comments).

For production ETW consumption, use the documented user-mode APIs:
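The following is an added example, written for this README and not code from the etwkm project: it collects the same Microsoft-Windows-Kernel-Process events that the driver's pipeline ("What it does" above) consumes in kernel mode, but through the documented user-mode route that this section recommends. It assumes an elevated PowerShell session on Windows 10/11; logman.exe and Get-WinEvent are in-box. The session name, output path and helper function names are arbitrary choices. Only the Kernel-Process provider is enabled: the Microsoft-Windows-Threat-Intelligence provider delivers its events only to anti-malware protected (PPL) consumers, so a plain session like this one would not receive them.

```powershell
# Added example, not part of the etwkm repository: collect Microsoft-Windows-Kernel-Process
# events from user mode through the documented ETW session/consumer path.
# Assumes an elevated PowerShell session on Windows 10/11; logman.exe and Get-WinEvent are in-box.
# Session name, file path and helper names are arbitrary choices made for this example.

$SessionName = 'etwkm-usermode-demo'                        # constructed session name
$EtlPath     = Join-Path $env:TEMP 'kernel-process-demo.etl' # constructed output path

function Start-KernelProcessTrace {
    # -ets: act on the live session directly instead of creating a data collector set.
    # Keyword mask 0xffffffffffffffff and level 0xff request every event the provider offers.
    logman create trace $SessionName -p 'Microsoft-Windows-Kernel-Process' 0xffffffffffffffff 0xff -o $EtlPath -ets | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "logman create failed with exit code $LASTEXITCODE" }
}

function Stop-KernelProcessTrace {
    logman stop $SessionName -ets | Out-Null
}

function Get-ProcessStartEvents {
    # Get-WinEvent decodes each payload with the provider's registered manifest,
    # the same WEVT_TEMPLATE data the driver parses by hand in kernel mode.
    # Event ID 1 is ProcessStart in this provider's manifest.
    # -Oldest is required when reading an .etl file.
    Get-WinEvent -Path $EtlPath -Oldest | Where-Object { $_.Id -eq 1 }
}

Start-KernelProcessTrace
try {
    # Generate at least one ProcessStart event while the session is running.
    Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', 'exit' -Wait -WindowStyle Hidden
    Start-Sleep -Seconds 2   # give the session time to flush its buffers to the file
}
finally {
    Stop-KernelProcessTrace
}

foreach ($evt in Get-ProcessStartEvents) {
    # Print the decoded fields under the names the manifest gives them (ProcessID, ImageName, ...).
    [xml]$xml = $evt.ToXml()
    $fields = ($xml.Event.EventData.Data | ForEach-Object { "$($_.Name)=$($_.'#text')" }) -join ' '
    '{0:o} {1}' -f $evt.TimeCreated, $fields
}
```

This variant is file-backed rather than real-time, which keeps it to in-box tooling. The user-mode real-time equivalent is the OpenTrace / ProcessTrace pair already named above, with the session opened in real-time mode and an event-record callback receiving each decoded event; it gives the same per-field view without any of the undocumented syscalls, helper process or manual manifest parsing that the driver needs.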

License

See LICENSE.
