Proof of concept tool that monitors kernel events (image loads, process creation, thread creation) and identifies anomalous absences in corresponding ETW telemetry. When system activity occurs without expected ETW events, IE ETW Patching.