olafhartong/ETWhat

ETWhat is a Windows utility that determines whether Event Tracing for Windows (ETW) providers operate in kernel mode or user mode.
ETWhat - ETW Provider Type Detector

ETWhat is a Windows utility that determines whether Event Tracing for Windows (ETW) providers operate in kernel mode or user mode. It analyzes the actual system registration data to make accurate determinations without relying on hardcoded lists or heuristics.

Features

  • Single Provider Analysis: Check individual ETW providers by GUID
  • Batch Processing: Process multiple providers from JSON files
  • Table Output: Clean, formatted table display with detection methods
  • OS-Based Detection: Uses actual Windows registry and configuration data
  • Flexible GUID Input: Accepts GUIDs with or without curly braces
  • Detection Method Tracking: Shows exactly how each determination was made

Installation

Prerequisites

  • Windows operating system
  • Go 1.19 or later

Build from Source

git clone <repository-url>
cd ETWhat
go mod init ETWhat
go get golang.org/x/sys/windows
go build -o ETWhat.exe

Usage

Single Provider Query

# With curly braces
.\ETWhat.exe "{F4E1897C-BB5D-5668-F1D8-040F4D8DD344}"

# Without curly braces  
.\ETWhat.exe "F4E1897C-BB5D-5668-F1D8-040F4D8DD344"

Batch Processing from JSON

.\ETWhat.exe -json providers.json

JSON Format

[
  {
    "providerGuid": "f4e1897c-bb5d-5668-f1d8-040f4d8dd344",
    "name": "Microsoft-Windows-Threat-Intelligence"
  },
  {
    "providerGuid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}",
    "name": "Microsoft-Windows-TCPIP"
  }
]
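As an added example (not ETWhat's own code), the Go program below parses the batch format above and normalizes the flexible GUID input described under Features into the braced, upper-case form shown in the sample output; a malformed entry is recorded and skipped so the rest of the batch still gets processed, which is the "continues processing on individual failures" behaviour the README describes. The type and function names and the sample JSON are constructed for this example and are not taken from the project.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// ProviderEntry mirrors one element of the providers.json batch format.
type ProviderEntry struct {
	ProviderGUID string `json:"providerGuid"`
	Name         string `json:"name"`
}

// guidPattern matches the 8-4-4-4-12 hexadecimal layout of a provider GUID (after upper-casing).
var guidPattern = regexp.MustCompile(`^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$`)

// NormalizeGUID accepts a GUID with or without curly braces, in any case, and
// returns the canonical "{UPPERCASE}" form used in the tool's output.
func NormalizeGUID(raw string) (string, error) {
	s := strings.TrimSpace(raw)
	if strings.HasPrefix(s, "{") != strings.HasSuffix(s, "}") {
		return "", fmt.Errorf("unbalanced braces in GUID %q", raw)
	}
	s = strings.ToUpper(strings.TrimSuffix(strings.TrimPrefix(s, "{"), "}"))
	if !guidPattern.MatchString(s) {
		return "", fmt.Errorf("invalid provider GUID %q", raw)
	}
	return "{" + s + "}", nil
}

// BatchResult records one entry's outcome; Err is set for entries that could not be used.
type BatchResult struct {
	Index int
	GUID  string
	Name  string
	Err   error
}

// LoadBatch parses the JSON batch format and normalizes every GUID. A malformed
// GUID is reported in its BatchResult rather than aborting the whole batch.
func LoadBatch(data []byte) ([]BatchResult, error) {
	var entries []ProviderEntry
	if err := json.Unmarshal(data, &entries); err != nil {
		return nil, fmt.Errorf("parse batch file: %w", err)
	}
	results := make([]BatchResult, 0, len(entries))
	for i, e := range entries {
		guid, err := NormalizeGUID(e.ProviderGUID)
		results = append(results, BatchResult{Index: i, GUID: guid, Name: e.Name, Err: err})
	}
	return results, nil
}

// sampleBatch is a constructed providers.json with one deliberately malformed entry.
const sampleBatch = `[
  {"providerGuid": "f4e1897c-bb5d-5668-f1d8-040f4d8dd344", "name": "Microsoft-Windows-Threat-Intelligence"},
  {"providerGuid": "{2f07e2ee-15db-40f1-90ef-9d7ba282188a}", "name": "Microsoft-Windows-TCPIP"},
  {"providerGuid": "not-a-guid", "name": "Broken-Entry"}
]`

func main() {
	results, err := LoadBatch([]byte(sampleBatch))
	if err != nil {
		fmt.Println("fatal:", err)
		return
	}
	for _, r := range results {
		if r.Err != nil {
			fmt.Printf("entry %d (%s): skipped: %v\n", r.Index, r.Name, r.Err)
			continue
		}
		fmt.Printf("entry %d: %s  %s\n", r.Index, r.GUID, r.Name)
	}
}
```

The brace check rejects inputs such as `{F4E1...` with only one brace instead of silently accepting them, and the regular expression rejects anything that is not the 8-4-4-4-12 hexadecimal layout, so a typo in a GUID surfaces as a per-entry error message rather than as a confusing "provider not found" later in the flow.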

Sample Output

Single Provider

Provider GUID: {F4E1897C-BB5D-5668-F1D8-040F4D8DD344}
Provider Name: Microsoft-Windows-Threat-Intelligence
Schema Source: XML (0)
Detection Method: MANIFEST_KERNEL
Provider Type: KERNEL MODE

Batch Processing

GUID                                    NAME                                    TYPE    SCHEMA  METHOD
----                                    ----                                    ----    ------  ------
{F4E1897C-BB5D-5668-F1D8-040F4D8DD344}  Microsoft-Windows-Threat-Intelligence  KERNEL  XML     MANIFEST_KERNEL
{16C6501A-FF2D-46EA-868D-8F96CB0CB52D}  Microsoft-Windows-SEC                   KERNEL  XML     KERNEL_AUTOLOG
{2F07E2EE-15DB-40F1-90EF-9D7BA282188A}  Microsoft-Windows-TCPIP                 USER    XML     MANIFEST_USER
{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}  Microsoft-Windows-DNS-Client            USER    XML     MANIFEST_USER

Summary: 4 total providers (2 kernel, 2 user)

How It Works

ETWhat uses a multi-layered approach to determine provider types by analyzing actual Windows system configuration:

Detection Methods

1. Autologger Registration Analysis (KERNEL_AUTOLOG / USER_AUTOLOG)

  • Location: HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\*
  • Process: Dynamically enumerates all autologger sessions and checks if the provider is registered
  • Kernel Sessions: EventLog-System, EventLog-Security, Kernel Logger, NT Kernel Logger, etc.
  • User Sessions: EventLog-Application, ReadyBoot, etc.
  • Reliability: Very High - Direct indication of intended usage

2. Event Log Source Registration (EVENTLOG_SYS / EVENTLOG_APP)

  • Location: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\*
  • Process: Checks if provider is registered as an event source
  • System/Security Logs: Indicates kernel mode operation
  • Application Log: Indicates user mode operation
  • Reliability: High - Shows where events are logged

3. Manifest-Based Analysis (MANIFEST_KERNEL / MANIFEST_USER)

  • Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\*
  • Process: Examines provider manifest registration and resource files
  • Kernel Indicators:
    • Resource files in system32, drivers directories
    • References to ntoskrnl, win32k, fltmgr
    • Provider names containing "kernel", "security-auditing", "threat-intelligence"
  • Reliability: Medium-High - Based on implementation location

4. WMI Provider Registration (WMI_PROVIDER)

  • Location: HKLM\SOFTWARE\Microsoft\WBEM\Providers\*
  • Process: Checks WMI provider and CLSID registrations
  • Indication: Typically user mode
  • Reliability: Medium - WMI can be used by both modes

Detection Flow

1. Query TdhEnumerateProviders() → Get provider name and schema source
2. Check Autologger Registration → Most reliable method
3. Check Event Log Registration → High confidence indicator  
4. Check Manifest Registration → Analyze resource files and names
5. Check WMI Registration → Fallback method
6. Default to USER mode → Conservative approach
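The detection flow above, as an added example that is not ETWhat's code: the four registry locations from the Detection Methods list are modelled as an in-memory `Registration` struct so the precedence logic can be read and run on any platform (on Windows the real tool reads them with `golang.org/x/sys/windows/registry`). The session names, the kernel binaries and the provider-name hints come from the list above; the `\drivers\` path test, the `DEFAULT_USER` label for step 6, and every GUID, name and resource path in the sample data are constructed for this example and do not describe real providers.

```go
package main

import (
	"fmt"
	"strings"
)

// Mode is the classification reported for a provider.
type Mode string

const (
	Kernel Mode = "KERNEL"
	User   Mode = "USER"
)

// Registration is a constructed, in-memory stand-in for the registry locations the
// README names; on Windows these are read with golang.org/x/sys/windows/registry.
type Registration struct {
	Autologgers      map[string][]string // WMI\Autologger\<session> -> registered provider GUIDs
	EventLogSources  map[string][]string // Services\EventLog\<log> -> registered provider names
	ManifestResource map[string]string   // WINEVT\Publishers\<guid> -> ResourceFileName value
	WMIProviders     map[string]bool     // WBEM\Providers -> whether the GUID is registered
}

// Sessions the README classifies as kernel- or user-oriented.
var kernelSessions = []string{"EventLog-System", "EventLog-Security", "Kernel Logger", "NT Kernel Logger"}
var userSessions = []string{"EventLog-Application", "ReadyBoot"}

// Kernel indicators from the manifest analysis step.
var kernelBinaries = []string{"ntoskrnl", "win32k", "fltmgr"}
var kernelNameHints = []string{"kernel", "security-auditing", "threat-intelligence"}

// containsFold reports whether list holds want, ignoring case (registry data is case-insensitive).
func containsFold(list []string, want string) bool {
	for _, s := range list {
		if strings.EqualFold(s, want) {
			return true
		}
	}
	return false
}

// hasAny reports whether s contains any needle, ignoring case.
func hasAny(s string, needles []string) bool {
	s = strings.ToLower(s)
	for _, n := range needles {
		if strings.Contains(s, n) {
			return true
		}
	}
	return false
}

// Classify applies the detection flow in order of reliability and returns the mode
// together with the method label that decided it.
func Classify(reg Registration, guid, name string) (Mode, string) {
	key := strings.ToUpper(guid)
	// 1. Autologger registration; kernel sessions are checked first so the result is
	//    deterministic even if a provider is registered under both kinds of session.
	for _, s := range kernelSessions {
		if containsFold(reg.Autologgers[s], guid) {
			return Kernel, "KERNEL_AUTOLOG"
		}
	}
	for _, s := range userSessions {
		if containsFold(reg.Autologgers[s], guid) {
			return User, "USER_AUTOLOG"
		}
	}
	// 2. Event log source registration.
	if containsFold(reg.EventLogSources["System"], name) || containsFold(reg.EventLogSources["Security"], name) {
		return Kernel, "EVENTLOG_SYS"
	}
	if containsFold(reg.EventLogSources["Application"], name) {
		return User, "EVENTLOG_APP"
	}
	// 3. Manifest registration: resource file location and provider name.
	if res, ok := reg.ManifestResource[key]; ok {
		if strings.Contains(strings.ToLower(res), `\drivers\`) || hasAny(res, kernelBinaries) || hasAny(name, kernelNameHints) {
			return Kernel, "MANIFEST_KERNEL"
		}
		return User, "MANIFEST_USER"
	}
	// 4. WMI provider registration, then 5. the conservative default.
	if reg.WMIProviders[key] {
		return User, "WMI_PROVIDER"
	}
	return User, "DEFAULT_USER"
}

// Provider is one GUID/name pair to classify.
type Provider struct{ GUID, Name string }

// Summarize classifies every provider and returns the counts used in the summary line.
func Summarize(reg Registration, ps []Provider) (kernel, user int) {
	for _, p := range ps {
		if m, _ := Classify(reg, p.GUID, p.Name); m == Kernel {
			kernel++
		} else {
			user++
		}
	}
	return kernel, user
}

// sampleReg and sampleProviders are constructed data; the GUIDs, names and paths are placeholders.
var sampleReg = Registration{
	Autologgers: map[string][]string{
		"EventLog-System":      {"{00000000-0000-0000-0000-000000000001}"},
		"EventLog-Application": {"{00000000-0000-0000-0000-000000000002}"},
	},
	EventLogSources: map[string][]string{"Security": {"Constructed-Auditing-Source"}},
	ManifestResource: map[string]string{
		"{00000000-0000-0000-0000-000000000004}": `%SystemRoot%\system32\drivers\example.sys`,
		"{00000000-0000-0000-0000-000000000005}": `%SystemRoot%\system32\example.dll`,
	},
	WMIProviders: map[string]bool{"{00000000-0000-0000-0000-000000000006}": true},
}

var sampleProviders = []Provider{
	{"{00000000-0000-0000-0000-000000000001}", "Constructed-Kernel-Session"},
	{"{00000000-0000-0000-0000-000000000002}", "Constructed-App-Session"},
	{"{00000000-0000-0000-0000-000000000003}", "Constructed-Auditing-Source"},
	{"{00000000-0000-0000-0000-000000000004}", "Constructed-Filter-Driver"},
	{"{00000000-0000-0000-0000-000000000005}", "Constructed-User-Service"},
	{"{00000000-0000-0000-0000-000000000006}", "Constructed-WMI-Only"},
	{"{00000000-0000-0000-0000-000000000007}", "Constructed-Unregistered"},
}

func main() {
	fmt.Printf("%-40s %-28s %-7s %s\n", "GUID", "NAME", "TYPE", "METHOD")
	for _, p := range sampleProviders {
		m, how := Classify(sampleReg, p.GUID, p.Name)
		fmt.Printf("%-40s %-28s %-7s %s\n", p.GUID, p.Name, m, how)
	}
	k, u := Summarize(sampleReg, sampleProviders)
	fmt.Printf("Summary: %d total providers (%d kernel, %d user)\n", k+u, k, u)
}
```

Ordering is the point of the flow: a provider registered in a kernel autologger session is reported as KERNEL_AUTOLOG even if its manifest resource would have suggested otherwise, because the earlier, more reliable step wins. The seven constructed providers exercise each exit of the function once, ending with the step-6 default for a GUID that appears nowhere in the registration data.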

Technical Implementation

Registry Analysis

  • Uses golang.org/x/sys/windows/registry for safe registry access
  • Dynamically discovers autologger sessions rather than hardcoding
  • Handles both GUID and provider name-based registrations

ETW API Integration

  • Uses TdhEnumerateProviders() from tdh.dll to get official provider information
  • Parses provider enumeration structures to extract names and schema sources
  • Validates provider existence before analysis

Error Handling

  • Gracefully handles missing providers in JSON batch mode
  • Provides detailed error messages for invalid GUIDs
  • Continues processing on individual failures

Common Provider Types

Kernel Mode Providers

  • Security Auditing: Microsoft-Windows-Security-Auditing
  • Threat Intelligence: Microsoft-Windows-Threat-Intelligence
  • Filter Manager: Microsoft-Windows-FilterManager
  • Win32k: Microsoft-Windows-Win32k
  • Kernel APIs: Microsoft-Windows-Kernel-*

User Mode Providers

  • Network Services: Microsoft-Windows-TCPIP, Microsoft-Windows-DNS-Client
  • Applications: Microsoft-Windows-DotNETRuntime
  • User Services: Microsoft-Windows-PowerShell

Limitations

  • Requires Windows operating system
  • Some providers may not be registered if not currently active
  • Detection accuracy depends on proper system configuration
  • May require elevated privileges for some registry access
